HDFS-17138 RBF: We changed the hadoop.security.auth_to_local configur… (#5921)

This commit is contained in:
章锡平 2023-09-19 00:40:22 +08:00 committed by GitHub
parent 18f9989ff2
commit 60f3a2b101
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 38 additions and 1 deletions

View File

@ -81,7 +81,12 @@ class AbstractDelegationTokenSecretManager<TokenIdent
= DelegationTokenSecretManagerMetrics.create(); = DelegationTokenSecretManagerMetrics.create();
private String formatTokenId(TokenIdent id) { private String formatTokenId(TokenIdent id) {
try {
return "(" + id + ")"; return "(" + id + ")";
} catch (Exception e) {
LOG.warn("Exception in formatTokenId", e);
}
return "( SequenceNumber=" + id.getSequenceNumber() + " )";
} }
/** /**

View File

@ -20,6 +20,7 @@
import static org.apache.hadoop.security.authentication.util.KerberosName.setRules;
import static org.junit.Assert.assertEquals; import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertFalse; import static org.junit.Assert.assertFalse;
import static org.junit.Assert.assertTrue; import static org.junit.Assert.assertTrue;
@ -29,6 +30,10 @@
import java.io.IOException; import java.io.IOException;
import java.net.URI; import java.net.URI;
import java.security.PrivilegedExceptionAction; import java.security.PrivilegedExceptionAction;
import java.util.Collection;
import java.util.HashSet;
import java.util.Set;
import org.slf4j.Logger; import org.slf4j.Logger;
import org.slf4j.LoggerFactory; import org.slf4j.LoggerFactory;
import org.apache.hadoop.conf.Configuration; import org.apache.hadoop.conf.Configuration;
@ -54,6 +59,7 @@
import org.apache.hadoop.security.UserGroupInformation; import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.token.SecretManager.InvalidToken; import org.apache.hadoop.security.token.SecretManager.InvalidToken;
import org.apache.hadoop.security.token.Token; import org.apache.hadoop.security.token.Token;
import org.apache.hadoop.security.token.delegation.AbstractDelegationTokenSecretManager;
import org.apache.hadoop.test.GenericTestUtils; import org.apache.hadoop.test.GenericTestUtils;
import org.slf4j.event.Level; import org.slf4j.event.Level;
import org.junit.After; import org.junit.After;
@ -376,4 +382,30 @@ public void testDelegationTokenIdentifierToString() throws Exception {
" for SomeUser with renewer JobTracker", " for SomeUser with renewer JobTracker",
dtId.toStringStable()); dtId.toStringStable());
} }
@Test
public void testLogExpireTokensWhenChangeRules() throws IOException {
setRules("RULE:[2:$1@$0](SomeUser.*)s/.*/SomeUser/");
DelegationTokenIdentifier dtId = new DelegationTokenIdentifier(
new Text("SomeUser/HOST@EXAMPLE.COM"),
new Text("SomeUser/HOST@EXAMPLE.COM"),
new Text("SomeUser/HOST@EXAMPLE.COM"));
Set<DelegationTokenIdentifier> expiredTokens = new HashSet();
expiredTokens.add(dtId);
setRules("RULE:[2:$1@$0](OtherUser.*)s/.*/OtherUser/");
//rules was modified, causing the existing tokens
//(May be loaded from other storage systems like zookeeper) to fail to match the kerberos rules,
//return an exception that cannot be handled
new AbstractDelegationTokenSecretManager<DelegationTokenIdentifier>(10 * 1000, 10 * 1000,
10 * 1000, 10 * 1000) {
@Override
public DelegationTokenIdentifier createIdentifier() {
return null;
}
public void logExpireTokens(Collection<DelegationTokenIdentifier> expiredTokens)
throws IOException {
super.logExpireTokens(expiredTokens);
}
}.logExpireTokens(expiredTokens);
}
} }