big-data/hadoop
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

HADOOP-14351. Azure: RemoteWasbAuthorizerImpl and RemoteSASKeyGeneratorImpl should not use Kerberos interactive user cache. Contributed by Santhosh G Nayak

Browse Source
This commit is contained in:
Mingliang Liu 2017-04-26 13:46:59 -07:00
parent 4f3ca0396a
commit 8b5f2c372e
4 changed files with 14 additions and 43 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
hadoop-tools/hadoop-azure/src/main/java/org/apache/hadoop/fs/azure/NativeAzureFileSystem.java
View File

@ -2987,9 +2987,6 @@ public Token<?> getDelegationToken(final String renewer) throws IOException {
if (connectUgi == null) {
connectUgi = ugi;
}
if (!connectUgi.hasKerberosCredentials()) {
connectUgi = UserGroupInformation.getLoginUser();
}
connectUgi.checkTGTAndReloginFromKeytab();
return connectUgi.doAs(new PrivilegedExceptionAction<Token<?>>() {
@Override

26
hadoop-tools/hadoop-azure/src/main/java/org/apache/hadoop/fs/azure/RemoteSASKeyGeneratorImpl.java
View File

@ -97,7 +97,7 @@ public class RemoteSASKeyGeneratorImpl extends SASKeyGeneratorImpl {
private static final String RELATIVE_PATH_QUERY_PARAM_NAME =
"relative_path";
private String delegationToken = "";
private String delegationToken;
private String credServiceUrl = "";
private WasbRemoteCallHelper remoteCallHelper = null;
private boolean isSecurityEnabled;
@ -110,14 +110,7 @@ public RemoteSASKeyGeneratorImpl(Configuration conf) {
public void initialize(Configuration conf) throws IOException {
LOG.debug("Initializing RemoteSASKeyGeneratorImpl instance");
try {
delegationToken = SecurityUtils.getDelegationTokenFromCredentials();
} catch (IOException e) {
final String msg = "Error in fetching the WASB delegation token";
LOG.error(msg, e);
throw new IOException(msg, e);
}
setDelegationToken();
try {
credServiceUrl = SecurityUtils.getCredServiceUrls(conf);
} catch (UnknownHostException e) {
@ -146,6 +139,7 @@ public URI getContainerSASUri(String storageAccount, String container)
try {
LOG.debug("Generating Container SAS Key for Container {} "
+ "inside Storage Account {} ", container, storageAccount);
setDelegationToken();
URIBuilder uriBuilder = new URIBuilder(credServiceUrl);
uriBuilder.setPath("/" + CONTAINER_SAS_OP);
uriBuilder.addParameter(STORAGE_ACCOUNT_QUERY_PARAM_NAME,
@ -166,10 +160,6 @@ public URI getContainerSASUri(String storageAccount, String container)
} else {
uriBuilder.addParameter(Constants.DOAS_PARAM, ugi.getShortUserName());
}
if (isSecurityEnabled && !connectUgi.hasKerberosCredentials()) {
connectUgi = UserGroupInformation.getLoginUser();
}
return getSASKey(uriBuilder.build(), connectUgi);
} catch (URISyntaxException uriSyntaxEx) {
throw new SASKeyGenerationException("Encountered URISyntaxException "
@ -188,6 +178,7 @@ public URI getRelativeBlobSASUri(String storageAccount, String container,
LOG.debug("Generating RelativePath SAS Key for relativePath {} inside"
+ " Container {} inside Storage Account {} ",
relativePath, container, storageAccount);
setDelegationToken();
URIBuilder uriBuilder = new URIBuilder(credServiceUrl);
uriBuilder.setPath("/" + BLOB_SAS_OP);
uriBuilder.addParameter(STORAGE_ACCOUNT_QUERY_PARAM_NAME,
@ -212,10 +203,6 @@ public URI getRelativeBlobSASUri(String storageAccount, String container,
} else {
uriBuilder.addParameter(Constants.DOAS_PARAM, ugi.getShortUserName());
}
if (isSecurityEnabled && !connectUgi.hasKerberosCredentials()) {
connectUgi = UserGroupInformation.getLoginUser();
}
return getSASKey(uriBuilder.build(), connectUgi);
} catch (URISyntaxException uriSyntaxEx) {
throw new SASKeyGenerationException("Encountered URISyntaxException"
@ -231,7 +218,6 @@ private URI getSASKey(final URI uri, UserGroupInformation connectUgi)
throws URISyntaxException, SASKeyGenerationException {
final RemoteSASKeyGenerationResponse sasKeyResponse;
try {
connectUgi.checkTGTAndReloginFromKeytab();
sasKeyResponse = connectUgi.doAs(
new PrivilegedExceptionAction<RemoteSASKeyGenerationResponse>() {
@Override
@ -311,6 +297,10 @@ private RemoteSASKeyGenerationResponse makeRemoteRequest(URI uri,
+ "accessing remote service to retrieve SAS Key", ioEx);
}
}
private void setDelegationToken() throws IOException {
this.delegationToken = SecurityUtils.getDelegationTokenFromCredentials();
}
}
/**

22
hadoop-tools/hadoop-azure/src/main/java/org/apache/hadoop/fs/azure/RemoteWasbAuthorizerImpl.java
View File

@ -31,8 +31,6 @@
import org.apache.hadoop.security.authentication.client.AuthenticatedURL;
import org.apache.hadoop.security.authentication.client.AuthenticationException;
import org.apache.hadoop.security.authentication.client.Authenticator;
import org.apache.hadoop.security.token.Token;
import org.apache.hadoop.security.token.TokenIdentifier;
import org.apache.hadoop.security.token.delegation.web.KerberosDelegationTokenAuthenticator;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.client.utils.URIBuilder;
@ -42,7 +40,6 @@
import java.io.IOException;
import java.net.URISyntaxException;
import java.security.PrivilegedExceptionAction;
import java.util.Iterator;
import static org.apache.hadoop.fs.azure.WasbRemoteCallHelper.REMOTE_CALL_SUCCESS_CODE;
@ -104,15 +101,7 @@ public void updateWasbRemoteCallHelper(WasbRemoteCallHelper helper) {
public void init(Configuration conf)
throws WasbAuthorizationException, IOException {
LOG.debug("Initializing RemoteWasbAuthorizerImpl instance");
Iterator<Token<? extends TokenIdentifier>> tokenIterator = null;
try {
delegationToken = SecurityUtils.getDelegationTokenFromCredentials();
} catch (IOException e) {
final String msg = "Error in fetching the WASB delegation token";
LOG.error(msg, e);
throw new IOException(msg, e);
}
setDelegationToken();
remoteAuthorizerServiceUrl = SecurityUtils
.getRemoteAuthServiceUrls(conf);
@ -140,6 +129,7 @@ public boolean authorize(String wasbAbsolutePath, String accessType)
return true;
}
setDelegationToken();
URIBuilder uriBuilder = new URIBuilder(remoteAuthorizerServiceUrl);
uriBuilder.setPath("/" + CHECK_AUTHORIZATION_OP);
uriBuilder.addParameter(WASB_ABSOLUTE_PATH_QUERY_PARAM_NAME,
@ -159,10 +149,6 @@ public boolean authorize(String wasbAbsolutePath, String accessType)
} else {
uriBuilder.addParameter(Constants.DOAS_PARAM, ugi.getShortUserName());
}
if (isSecurityEnabled && !connectUgi.hasKerberosCredentials()) {
connectUgi = UserGroupInformation.getLoginUser();
}
connectUgi.checkTGTAndReloginFromKeytab();
try {
responseBody = connectUgi
@ -218,6 +204,10 @@ public String run() throws Exception {
throw new WasbAuthorizationException(ex);
}
}
private void setDelegationToken() throws IOException {
this.delegationToken = SecurityUtils.getDelegationTokenFromCredentials();
}
}
/**

6
hadoop-tools/hadoop-azure/src/main/java/org/apache/hadoop/fs/azure/security/WasbTokenRenewer.java
View File

@ -81,9 +81,6 @@ public long renew(final Token<?> token, Configuration conf)
if (connectUgi == null) {
connectUgi = ugi;
}
if (!connectUgi.hasKerberosCredentials()) {
connectUgi = UserGroupInformation.getLoginUser();
}
connectUgi.checkTGTAndReloginFromKeytab();
final DelegationTokenAuthenticatedURL.Token authToken = new DelegationTokenAuthenticatedURL.Token();
authToken
@ -123,9 +120,6 @@ public void cancel(final Token<?> token, Configuration conf)
if (connectUgi == null) {
connectUgi = ugi;
}
if (!connectUgi.hasKerberosCredentials()) {
connectUgi = UserGroupInformation.getLoginUser();
}
connectUgi.checkTGTAndReloginFromKeytab();
final DelegationTokenAuthenticatedURL.Token authToken = new DelegationTokenAuthenticatedURL.Token();
authToken