YARN-2689 TestSecureRMRegistryOperations failing on windows: secure ZK won't start
This commit is contained in:
parent
2894433332
commit
6f43491c03
@ -639,6 +639,11 @@ Release 2.6.0 - UNRELEASED
|
||||
YARN-2652 Add hadoop-yarn-registry package under hadoop-yarn. (stevel)
|
||||
|
||||
YARN-2668 yarn-registry JAR won't link against ZK 3.4.5. (stevel)
|
||||
|
||||
YARN-2689 TestSecureRMRegistryOperations failing on windows:
|
||||
secure ZK won't start (stevel)
|
||||
|
||||
---
|
||||
|
||||
YARN-2598 GHS should show N/A instead of null for the inaccessible information
|
||||
(Zhijie Shen via mayank)
|
||||
|
@ -249,9 +249,6 @@ private CuratorFramework createCurator() throws IOException {
|
||||
synchronized (CuratorService.class) {
|
||||
// set the security options
|
||||
|
||||
//log them
|
||||
securityConnectionDiagnostics = buildSecurityDiagnostics();
|
||||
|
||||
// build up the curator itself
|
||||
CuratorFrameworkFactory.Builder builder = CuratorFrameworkFactory.builder();
|
||||
builder.ensembleProvider(ensembleProvider)
|
||||
@ -264,7 +261,8 @@ private CuratorFramework createCurator() throws IOException {
|
||||
|
||||
// set up the builder AND any JVM context
|
||||
registrySecurity.applySecurityEnvironment(builder);
|
||||
|
||||
//log them
|
||||
securityConnectionDiagnostics = buildSecurityDiagnostics();
|
||||
framework = builder.build();
|
||||
framework.start();
|
||||
}
|
||||
@ -275,7 +273,7 @@ private CuratorFramework createCurator() throws IOException {
|
||||
@Override
|
||||
public String toString() {
|
||||
return super.toString()
|
||||
+ bindingDiagnosticDetails();
|
||||
+ " " + bindingDiagnosticDetails();
|
||||
}
|
||||
|
||||
/**
|
||||
@ -386,7 +384,9 @@ protected IOException operationFailure(String path,
|
||||
ioe = new PathIsNotEmptyDirectoryException(path);
|
||||
} else if (exception instanceof KeeperException.AuthFailedException) {
|
||||
ioe = new AuthenticationFailedException(path,
|
||||
"Authentication Failed: " + exception, exception);
|
||||
"Authentication Failed: " + exception
|
||||
+ "; " + securityConnectionDiagnostics,
|
||||
exception);
|
||||
} else if (exception instanceof KeeperException.NoChildrenForEphemeralsException) {
|
||||
ioe = new NoChildrenForEphemeralsException(path,
|
||||
"Cannot create a path under an ephemeral node: " + exception,
|
||||
|
@ -596,6 +596,7 @@ public static String getKerberosAuthModuleForJVM() {
|
||||
+ " %s required\n"
|
||||
// kerberos module
|
||||
+ " keyTab=\"%s\"\n"
|
||||
+ " debug=true\n"
|
||||
+ " principal=\"%s\"\n"
|
||||
+ " useKeyTab=true\n"
|
||||
+ " useTicketCache=false\n"
|
||||
@ -621,12 +622,15 @@ public String createJAASEntry(
|
||||
"invalid context");
|
||||
Preconditions.checkArgument(keytab != null && keytab.isFile(),
|
||||
"Keytab null or missing: ");
|
||||
String keytabpath = keytab.getAbsolutePath();
|
||||
// fix up for windows; no-op on unix
|
||||
keytabpath = keytabpath.replace('\\', '/');
|
||||
return String.format(
|
||||
Locale.ENGLISH,
|
||||
JAAS_ENTRY,
|
||||
context,
|
||||
getKerberosAuthModuleForJVM(),
|
||||
keytab.getAbsolutePath(),
|
||||
keytabpath,
|
||||
principal);
|
||||
}
|
||||
|
||||
@ -846,11 +850,11 @@ public String buildSecurityDiagnostics() {
|
||||
StringBuilder builder = new StringBuilder();
|
||||
builder.append(secureRegistry ? "secure registry; "
|
||||
: "insecure registry; ");
|
||||
builder.append("Access policy: ").append(access);
|
||||
builder.append("Curator service access policy: ").append(access);
|
||||
|
||||
builder.append(", System ACLs: ").append(aclsToString(systemACLs));
|
||||
builder.append(UgiInfo.fromCurrentUser());
|
||||
builder.append(" Kerberos Realm: ").append(kerberosRealm).append(" ; ");
|
||||
builder.append("; System ACLs: ").append(aclsToString(systemACLs));
|
||||
builder.append("User: ").append(UgiInfo.fromCurrentUser());
|
||||
builder.append("; Kerberos Realm: ").append(kerberosRealm);
|
||||
builder.append(describeProperty(Environment.JAAS_CONF_KEY));
|
||||
String sasl =
|
||||
System.getProperty(PROP_ZK_ENABLE_SASL_CLIENT,
|
||||
@ -859,7 +863,7 @@ public String buildSecurityDiagnostics() {
|
||||
builder.append(describeProperty(PROP_ZK_ENABLE_SASL_CLIENT,
|
||||
DEFAULT_ZK_ENABLE_SASL_CLIENT));
|
||||
if (saslEnabled) {
|
||||
builder.append("JAAS Client Identity")
|
||||
builder.append("; JAAS Client Identity")
|
||||
.append("=")
|
||||
.append(jaasClientIdentity)
|
||||
.append("; ");
|
||||
|
@ -46,6 +46,7 @@
|
||||
import javax.security.auth.login.LoginContext;
|
||||
import javax.security.auth.login.LoginException;
|
||||
import java.io.File;
|
||||
import java.io.FileNotFoundException;
|
||||
import java.io.IOException;
|
||||
import java.security.Principal;
|
||||
import java.util.HashSet;
|
||||
@ -319,11 +320,16 @@ protected static String getRealm() {
|
||||
* @param keytab keytab
|
||||
* @return the logged in context
|
||||
* @throws LoginException failure to log in
|
||||
* @throws FileNotFoundException no keytab
|
||||
*/
|
||||
protected LoginContext login(String principal,
|
||||
String context, File keytab) throws LoginException {
|
||||
String context, File keytab) throws LoginException,
|
||||
FileNotFoundException {
|
||||
LOG.info("Logging in as {} in context {} with keytab {}",
|
||||
principal, context, keytab);
|
||||
if (!keytab.exists()) {
|
||||
throw new FileNotFoundException(keytab.getAbsolutePath());
|
||||
}
|
||||
Set<Principal> principals = new HashSet<Principal>();
|
||||
principals.add(new KerberosPrincipal(principal));
|
||||
Subject subject = new Subject(false, principals, new HashSet<Object>(),
|
||||
|
@ -99,12 +99,25 @@ public void testClientLogin() throws Throwable {
|
||||
ALICE_CLIENT_CONTEXT,
|
||||
keytab_alice);
|
||||
|
||||
logLoginDetails(ALICE_LOCALHOST, client);
|
||||
String confFilename = System.getProperty(Environment.JAAS_CONF_KEY);
|
||||
assertNotNull("Unset: "+ Environment.JAAS_CONF_KEY, confFilename);
|
||||
String config = FileUtils.readFileToString(new File(confFilename));
|
||||
LOG.info("{}=\n{}", confFilename, config);
|
||||
RegistrySecurity.setZKSaslClientProperties(ALICE, ALICE_CLIENT_CONTEXT);
|
||||
try {
|
||||
logLoginDetails(ALICE_LOCALHOST, client);
|
||||
String confFilename = System.getProperty(Environment.JAAS_CONF_KEY);
|
||||
assertNotNull("Unset: "+ Environment.JAAS_CONF_KEY, confFilename);
|
||||
String config = FileUtils.readFileToString(new File(confFilename));
|
||||
LOG.info("{}=\n{}", confFilename, config);
|
||||
RegistrySecurity.setZKSaslClientProperties(ALICE, ALICE_CLIENT_CONTEXT);
|
||||
} finally {
|
||||
client.logout();
|
||||
}
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testZKServerContextLogin() throws Throwable {
|
||||
LoginContext client = login(ZOOKEEPER_LOCALHOST,
|
||||
ZOOKEEPER_SERVER_CONTEXT,
|
||||
keytab_zk);
|
||||
logLoginDetails(ZOOKEEPER_LOCALHOST, client);
|
||||
|
||||
client.logout();
|
||||
}
|
||||
|
||||
|
@ -24,12 +24,16 @@
|
||||
import org.apache.hadoop.registry.client.impl.zk.CuratorService;
|
||||
import org.apache.hadoop.registry.client.impl.zk.RegistrySecurity;
|
||||
import org.apache.zookeeper.CreateMode;
|
||||
import org.apache.zookeeper.Login;
|
||||
import org.apache.zookeeper.server.ZooKeeperSaslServer;
|
||||
import org.apache.zookeeper.server.auth.SaslServerCallbackHandler;
|
||||
import org.junit.After;
|
||||
import org.junit.Before;
|
||||
import org.junit.Test;
|
||||
import org.slf4j.Logger;
|
||||
import org.slf4j.LoggerFactory;
|
||||
|
||||
import javax.security.auth.login.AppConfigurationEntry;
|
||||
import javax.security.auth.login.LoginContext;
|
||||
|
||||
import static org.apache.hadoop.registry.client.api.RegistryConstants.*;
|
||||
@ -52,6 +56,36 @@ public void afterTestSecureZKService() throws Throwable {
|
||||
RegistrySecurity.clearZKSaslClientProperties();
|
||||
}
|
||||
|
||||
/**
|
||||
* this is a cut and paste of some of the ZK internal code that was
|
||||
* failing on windows and swallowing its exceptions
|
||||
*/
|
||||
@Test
|
||||
public void testLowlevelZKSaslLogin() throws Throwable {
|
||||
RegistrySecurity.bindZKToServerJAASContext(ZOOKEEPER_SERVER_CONTEXT);
|
||||
String serverSection =
|
||||
System.getProperty(ZooKeeperSaslServer.LOGIN_CONTEXT_NAME_KEY,
|
||||
ZooKeeperSaslServer.DEFAULT_LOGIN_CONTEXT_NAME);
|
||||
assertEquals(ZOOKEEPER_SERVER_CONTEXT, serverSection);
|
||||
|
||||
AppConfigurationEntry entries[];
|
||||
entries = javax.security.auth.login.Configuration.getConfiguration()
|
||||
.getAppConfigurationEntry(
|
||||
serverSection);
|
||||
|
||||
assertNotNull("null entries", entries);
|
||||
|
||||
SaslServerCallbackHandler saslServerCallbackHandler =
|
||||
new SaslServerCallbackHandler(
|
||||
javax.security.auth.login.Configuration.getConfiguration());
|
||||
Login login = new Login(serverSection, saslServerCallbackHandler);
|
||||
try {
|
||||
login.startThreadIfNeeded();
|
||||
} finally {
|
||||
login.shutdown();
|
||||
}
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testCreateSecureZK() throws Throwable {
|
||||
startSecureZK();
|
||||
|
Loading…
Reference in New Issue
Block a user