YARN-8474. Fixed ApiServiceClient kerberos negotiation.
Contributed by Billie Rinaldi
This commit is contained in:
parent
cb21eaa026
commit
8990eaf592
@ -91,10 +91,18 @@
|
|||||||
<groupId>org.apache.hadoop</groupId>
|
<groupId>org.apache.hadoop</groupId>
|
||||||
<artifactId>hadoop-yarn-api</artifactId>
|
<artifactId>hadoop-yarn-api</artifactId>
|
||||||
</dependency>
|
</dependency>
|
||||||
|
<dependency>
|
||||||
|
<groupId>org.apache.hadoop</groupId>
|
||||||
|
<artifactId>hadoop-yarn-client</artifactId>
|
||||||
|
</dependency>
|
||||||
<dependency>
|
<dependency>
|
||||||
<groupId>org.apache.hadoop</groupId>
|
<groupId>org.apache.hadoop</groupId>
|
||||||
<artifactId>hadoop-yarn-common</artifactId>
|
<artifactId>hadoop-yarn-common</artifactId>
|
||||||
</dependency>
|
</dependency>
|
||||||
|
<dependency>
|
||||||
|
<groupId>org.apache.hadoop</groupId>
|
||||||
|
<artifactId>hadoop-yarn-registry</artifactId>
|
||||||
|
</dependency>
|
||||||
<dependency>
|
<dependency>
|
||||||
<groupId>org.apache.hadoop</groupId>
|
<groupId>org.apache.hadoop</groupId>
|
||||||
<artifactId>hadoop-yarn-server-common</artifactId>
|
<artifactId>hadoop-yarn-server-common</artifactId>
|
||||||
@ -103,6 +111,14 @@
|
|||||||
<groupId>org.apache.hadoop</groupId>
|
<groupId>org.apache.hadoop</groupId>
|
||||||
<artifactId>hadoop-common</artifactId>
|
<artifactId>hadoop-common</artifactId>
|
||||||
</dependency>
|
</dependency>
|
||||||
|
<dependency>
|
||||||
|
<groupId>org.apache.hadoop</groupId>
|
||||||
|
<artifactId>hadoop-annotations</artifactId>
|
||||||
|
</dependency>
|
||||||
|
<dependency>
|
||||||
|
<groupId>org.apache.hadoop</groupId>
|
||||||
|
<artifactId>hadoop-auth</artifactId>
|
||||||
|
</dependency>
|
||||||
<dependency>
|
<dependency>
|
||||||
<groupId>org.slf4j</groupId>
|
<groupId>org.slf4j</groupId>
|
||||||
<artifactId>slf4j-api</artifactId>
|
<artifactId>slf4j-api</artifactId>
|
||||||
@ -119,6 +135,42 @@
|
|||||||
<groupId>javax.ws.rs</groupId>
|
<groupId>javax.ws.rs</groupId>
|
||||||
<artifactId>jsr311-api</artifactId>
|
<artifactId>jsr311-api</artifactId>
|
||||||
</dependency>
|
</dependency>
|
||||||
|
<dependency>
|
||||||
|
<groupId>javax.servlet</groupId>
|
||||||
|
<artifactId>javax.servlet-api</artifactId>
|
||||||
|
</dependency>
|
||||||
|
<dependency>
|
||||||
|
<groupId>commons-codec</groupId>
|
||||||
|
<artifactId>commons-codec</artifactId>
|
||||||
|
</dependency>
|
||||||
|
<dependency>
|
||||||
|
<groupId>commons-io</groupId>
|
||||||
|
<artifactId>commons-io</artifactId>
|
||||||
|
</dependency>
|
||||||
|
<dependency>
|
||||||
|
<groupId>org.apache.commons</groupId>
|
||||||
|
<artifactId>commons-lang3</artifactId>
|
||||||
|
</dependency>
|
||||||
|
<dependency>
|
||||||
|
<groupId>com.google.guava</groupId>
|
||||||
|
<artifactId>guava</artifactId>
|
||||||
|
</dependency>
|
||||||
|
<dependency>
|
||||||
|
<groupId>com.sun.jersey</groupId>
|
||||||
|
<artifactId>jersey-client</artifactId>
|
||||||
|
</dependency>
|
||||||
|
<dependency>
|
||||||
|
<groupId>org.eclipse.jetty</groupId>
|
||||||
|
<artifactId>jetty-server</artifactId>
|
||||||
|
</dependency>
|
||||||
|
<dependency>
|
||||||
|
<groupId>org.eclipse.jetty</groupId>
|
||||||
|
<artifactId>jetty-util</artifactId>
|
||||||
|
</dependency>
|
||||||
|
<dependency>
|
||||||
|
<groupId>org.eclipse.jetty</groupId>
|
||||||
|
<artifactId>jetty-servlet</artifactId>
|
||||||
|
</dependency>
|
||||||
<dependency>
|
<dependency>
|
||||||
<groupId>org.mockito</groupId>
|
<groupId>org.mockito</groupId>
|
||||||
<artifactId>mockito-all</artifactId>
|
<artifactId>mockito-all</artifactId>
|
||||||
@ -155,6 +207,11 @@
|
|||||||
<artifactId>curator-test</artifactId>
|
<artifactId>curator-test</artifactId>
|
||||||
<scope>test</scope>
|
<scope>test</scope>
|
||||||
</dependency>
|
</dependency>
|
||||||
|
<dependency>
|
||||||
|
<groupId>org.apache.hadoop</groupId>
|
||||||
|
<artifactId>hadoop-minikdc</artifactId>
|
||||||
|
<scope>test</scope>
|
||||||
|
</dependency>
|
||||||
|
|
||||||
</dependencies>
|
</dependencies>
|
||||||
</project>
|
</project>
|
||||||
|
@ -20,21 +20,28 @@
|
|||||||
|
|
||||||
import java.io.File;
|
import java.io.File;
|
||||||
import java.io.IOException;
|
import java.io.IOException;
|
||||||
|
import java.net.URI;
|
||||||
|
import java.nio.charset.StandardCharsets;
|
||||||
|
import java.security.PrivilegedExceptionAction;
|
||||||
import java.text.MessageFormat;
|
import java.text.MessageFormat;
|
||||||
import java.util.List;
|
import java.util.List;
|
||||||
import java.util.Map;
|
import java.util.Map;
|
||||||
|
|
||||||
|
import javax.ws.rs.core.HttpHeaders;
|
||||||
import javax.ws.rs.core.MediaType;
|
import javax.ws.rs.core.MediaType;
|
||||||
import javax.ws.rs.core.UriBuilder;
|
import javax.ws.rs.core.UriBuilder;
|
||||||
|
|
||||||
import com.google.common.base.Preconditions;
|
import com.google.common.base.Preconditions;
|
||||||
|
|
||||||
|
import org.apache.commons.codec.binary.Base64;
|
||||||
import com.google.common.base.Strings;
|
import com.google.common.base.Strings;
|
||||||
import org.apache.commons.lang3.StringUtils;
|
import org.apache.commons.lang3.StringUtils;
|
||||||
import org.apache.hadoop.conf.Configuration;
|
import org.apache.hadoop.conf.Configuration;
|
||||||
import org.apache.hadoop.fs.FileSystem;
|
import org.apache.hadoop.fs.FileSystem;
|
||||||
import org.apache.hadoop.fs.Path;
|
import org.apache.hadoop.fs.Path;
|
||||||
import org.apache.hadoop.security.UserGroupInformation;
|
import org.apache.hadoop.security.UserGroupInformation;
|
||||||
import org.apache.hadoop.security.authentication.client.AuthenticatedURL;
|
import org.apache.hadoop.security.authentication.client.AuthenticationException;
|
||||||
|
import org.apache.hadoop.security.authentication.util.KerberosUtil;
|
||||||
import org.apache.hadoop.yarn.api.ApplicationConstants;
|
import org.apache.hadoop.yarn.api.ApplicationConstants;
|
||||||
import org.apache.hadoop.yarn.api.records.ApplicationId;
|
import org.apache.hadoop.yarn.api.records.ApplicationId;
|
||||||
import org.apache.hadoop.yarn.api.records.ApplicationReport;
|
import org.apache.hadoop.yarn.api.records.ApplicationReport;
|
||||||
@ -53,6 +60,11 @@
|
|||||||
import org.apache.hadoop.yarn.service.utils.ServiceApiUtil;
|
import org.apache.hadoop.yarn.service.utils.ServiceApiUtil;
|
||||||
import org.apache.hadoop.yarn.util.RMHAUtils;
|
import org.apache.hadoop.yarn.util.RMHAUtils;
|
||||||
import org.eclipse.jetty.util.UrlEncoded;
|
import org.eclipse.jetty.util.UrlEncoded;
|
||||||
|
import org.ietf.jgss.GSSContext;
|
||||||
|
import org.ietf.jgss.GSSException;
|
||||||
|
import org.ietf.jgss.GSSManager;
|
||||||
|
import org.ietf.jgss.GSSName;
|
||||||
|
import org.ietf.jgss.Oid;
|
||||||
import org.slf4j.Logger;
|
import org.slf4j.Logger;
|
||||||
import org.slf4j.LoggerFactory;
|
import org.slf4j.LoggerFactory;
|
||||||
|
|
||||||
@ -71,6 +83,7 @@
|
|||||||
public class ApiServiceClient extends AppAdminClient {
|
public class ApiServiceClient extends AppAdminClient {
|
||||||
private static final Logger LOG =
|
private static final Logger LOG =
|
||||||
LoggerFactory.getLogger(ApiServiceClient.class);
|
LoggerFactory.getLogger(ApiServiceClient.class);
|
||||||
|
private static final Base64 BASE_64_CODEC = new Base64(0);
|
||||||
protected YarnClient yarnClient;
|
protected YarnClient yarnClient;
|
||||||
|
|
||||||
@Override protected void serviceInit(Configuration configuration)
|
@Override protected void serviceInit(Configuration configuration)
|
||||||
@ -80,6 +93,54 @@ public class ApiServiceClient extends AppAdminClient {
|
|||||||
super.serviceInit(configuration);
|
super.serviceInit(configuration);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Generate SPNEGO challenge request token.
|
||||||
|
*
|
||||||
|
* @param server - hostname to contact
|
||||||
|
* @throws IOException
|
||||||
|
* @throws InterruptedException
|
||||||
|
*/
|
||||||
|
String generateToken(String server) throws IOException, InterruptedException {
|
||||||
|
UserGroupInformation currentUser = UserGroupInformation.getCurrentUser();
|
||||||
|
LOG.debug("The user credential is {}", currentUser);
|
||||||
|
String challenge = currentUser
|
||||||
|
.doAs(new PrivilegedExceptionAction<String>() {
|
||||||
|
@Override
|
||||||
|
public String run() throws Exception {
|
||||||
|
try {
|
||||||
|
// This Oid for Kerberos GSS-API mechanism.
|
||||||
|
Oid mechOid = KerberosUtil.getOidInstance("GSS_KRB5_MECH_OID");
|
||||||
|
GSSManager manager = GSSManager.getInstance();
|
||||||
|
// GSS name for server
|
||||||
|
GSSName serverName = manager.createName("HTTP@" + server,
|
||||||
|
GSSName.NT_HOSTBASED_SERVICE);
|
||||||
|
// Create a GSSContext for authentication with the service.
|
||||||
|
// We're passing client credentials as null since we want them to
|
||||||
|
// be read from the Subject.
|
||||||
|
GSSContext gssContext = manager.createContext(
|
||||||
|
serverName.canonicalize(mechOid), mechOid, null,
|
||||||
|
GSSContext.DEFAULT_LIFETIME);
|
||||||
|
gssContext.requestMutualAuth(true);
|
||||||
|
gssContext.requestCredDeleg(true);
|
||||||
|
// Establish context
|
||||||
|
byte[] inToken = new byte[0];
|
||||||
|
byte[] outToken = gssContext.initSecContext(inToken, 0,
|
||||||
|
inToken.length);
|
||||||
|
gssContext.dispose();
|
||||||
|
// Base64 encoded and stringified token for server
|
||||||
|
LOG.debug("Got valid challenge for host {}", serverName);
|
||||||
|
return new String(BASE_64_CODEC.encode(outToken),
|
||||||
|
StandardCharsets.US_ASCII);
|
||||||
|
} catch (GSSException | IllegalAccessException
|
||||||
|
| NoSuchFieldException | ClassNotFoundException e) {
|
||||||
|
LOG.error("Error: {}", e);
|
||||||
|
throw new AuthenticationException(e);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
});
|
||||||
|
return challenge;
|
||||||
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Calculate Resource Manager address base on working REST API.
|
* Calculate Resource Manager address base on working REST API.
|
||||||
*/
|
*/
|
||||||
@ -100,6 +161,7 @@ private String getRMWebAddress() {
|
|||||||
for (String host : rmServers) {
|
for (String host : rmServers) {
|
||||||
try {
|
try {
|
||||||
Client client = Client.create();
|
Client client = Client.create();
|
||||||
|
client.setFollowRedirects(false);
|
||||||
StringBuilder sb = new StringBuilder();
|
StringBuilder sb = new StringBuilder();
|
||||||
sb.append(scheme);
|
sb.append(scheme);
|
||||||
sb.append(host);
|
sb.append(host);
|
||||||
@ -116,8 +178,11 @@ private String getRMWebAddress() {
|
|||||||
WebResource webResource = client
|
WebResource webResource = client
|
||||||
.resource(sb.toString());
|
.resource(sb.toString());
|
||||||
if (useKerberos) {
|
if (useKerberos) {
|
||||||
AuthenticatedURL.Token token = new AuthenticatedURL.Token();
|
String[] server = host.split(":");
|
||||||
webResource.header("WWW-Authenticate", token);
|
String challenge = generateToken(server[0]);
|
||||||
|
webResource.header(HttpHeaders.AUTHORIZATION, "Negotiate " +
|
||||||
|
challenge);
|
||||||
|
LOG.debug("Authorization: Negotiate {}", challenge);
|
||||||
}
|
}
|
||||||
ClientResponse test = webResource.get(ClientResponse.class);
|
ClientResponse test = webResource.get(ClientResponse.class);
|
||||||
if (test.getStatus() == 200) {
|
if (test.getStatus() == 200) {
|
||||||
@ -125,7 +190,8 @@ private String getRMWebAddress() {
|
|||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
} catch (Exception e) {
|
} catch (Exception e) {
|
||||||
LOG.debug("Fail to connect to: "+host, e);
|
LOG.info("Fail to connect to: "+host);
|
||||||
|
LOG.debug("Root cause: {}", e);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
return scheme+rmAddress;
|
return scheme+rmAddress;
|
||||||
@ -218,8 +284,13 @@ private Builder getApiClient(String requestPath)
|
|||||||
Builder builder = client
|
Builder builder = client
|
||||||
.resource(requestPath).type(MediaType.APPLICATION_JSON);
|
.resource(requestPath).type(MediaType.APPLICATION_JSON);
|
||||||
if (conf.get("hadoop.http.authentication.type").equals("kerberos")) {
|
if (conf.get("hadoop.http.authentication.type").equals("kerberos")) {
|
||||||
AuthenticatedURL.Token token = new AuthenticatedURL.Token();
|
try {
|
||||||
builder.header("WWW-Authenticate", token);
|
URI url = new URI(requestPath);
|
||||||
|
String challenge = generateToken(url.getHost());
|
||||||
|
builder.header(HttpHeaders.AUTHORIZATION, "Negotiate " + challenge);
|
||||||
|
} catch (Exception e) {
|
||||||
|
throw new IOException(e);
|
||||||
|
}
|
||||||
}
|
}
|
||||||
return builder
|
return builder
|
||||||
.accept("application/json;charset=utf-8");
|
.accept("application/json;charset=utf-8");
|
||||||
|
@ -0,0 +1,83 @@
|
|||||||
|
/**
|
||||||
|
* Licensed to the Apache Software Foundation (ASF) under one
|
||||||
|
* or more contributor license agreements. See the NOTICE file
|
||||||
|
* distributed with this work for additional information
|
||||||
|
* regarding copyright ownership. The ASF licenses this file
|
||||||
|
* to you under the Apache License, Version 2.0 (the
|
||||||
|
* "License"); you may not use this file except in compliance
|
||||||
|
* with the License. You may obtain a copy of the License at
|
||||||
|
*
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
* See the License for the specific language governing permissions and
|
||||||
|
* limitations under the License.
|
||||||
|
*/
|
||||||
|
|
||||||
|
package org.apache.hadoop.yarn.service.client;
|
||||||
|
|
||||||
|
import static org.junit.Assert.*;
|
||||||
|
|
||||||
|
import java.io.File;
|
||||||
|
|
||||||
|
import javax.security.sasl.Sasl;
|
||||||
|
|
||||||
|
import java.util.Map;
|
||||||
|
import java.util.HashMap;
|
||||||
|
|
||||||
|
import org.apache.hadoop.conf.Configuration;
|
||||||
|
import org.apache.hadoop.minikdc.KerberosSecurityTestcase;
|
||||||
|
import org.apache.hadoop.security.SecurityUtil;
|
||||||
|
import org.apache.hadoop.security.UserGroupInformation;
|
||||||
|
import org.apache.hadoop.security.SaslRpcServer.QualityOfProtection;
|
||||||
|
import org.apache.hadoop.security.UserGroupInformation.AuthenticationMethod;
|
||||||
|
import org.junit.Before;
|
||||||
|
import org.junit.Test;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Test Spnego Client Login.
|
||||||
|
*/
|
||||||
|
public class TestSecureApiServiceClient extends KerberosSecurityTestcase {
|
||||||
|
|
||||||
|
private String clientPrincipal = "client";
|
||||||
|
|
||||||
|
private String server1Protocol = "HTTP";
|
||||||
|
|
||||||
|
private String server2Protocol = "server2";
|
||||||
|
|
||||||
|
private String host = "localhost";
|
||||||
|
|
||||||
|
private String server1Principal = server1Protocol + "/" + host;
|
||||||
|
|
||||||
|
private String server2Principal = server2Protocol + "/" + host;
|
||||||
|
|
||||||
|
private File keytabFile;
|
||||||
|
|
||||||
|
private Configuration conf = new Configuration();
|
||||||
|
|
||||||
|
private Map<String, String> props;
|
||||||
|
|
||||||
|
@Before
|
||||||
|
public void setUp() throws Exception {
|
||||||
|
keytabFile = new File(getWorkDir(), "keytab");
|
||||||
|
getKdc().createPrincipal(keytabFile, clientPrincipal, server1Principal,
|
||||||
|
server2Principal);
|
||||||
|
SecurityUtil.setAuthenticationMethod(AuthenticationMethod.KERBEROS, conf);
|
||||||
|
UserGroupInformation.setConfiguration(conf);
|
||||||
|
UserGroupInformation.setShouldRenewImmediatelyForTests(true);
|
||||||
|
props = new HashMap<String, String>();
|
||||||
|
props.put(Sasl.QOP, QualityOfProtection.AUTHENTICATION.saslQop);
|
||||||
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
public void testHttpSpnegoChallenge() throws Exception {
|
||||||
|
UserGroupInformation.loginUserFromKeytab(clientPrincipal, keytabFile
|
||||||
|
.getCanonicalPath());
|
||||||
|
ApiServiceClient asc = new ApiServiceClient();
|
||||||
|
String challenge = asc.generateToken("localhost");
|
||||||
|
assertNotNull(challenge);
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
Loading…
Reference in New Issue
Block a user