diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-registry/src/main/java/org/apache/hadoop/registry/client/impl/zk/RegistrySecurity.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-registry/src/main/java/org/apache/hadoop/registry/client/impl/zk/RegistrySecurity.java
index bb829d888b..5c6c983f5b 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-registry/src/main/java/org/apache/hadoop/registry/client/impl/zk/RegistrySecurity.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-registry/src/main/java/org/apache/hadoop/registry/client/impl/zk/RegistrySecurity.java
@@ -736,8 +736,10 @@ public static AppConfigurationEntry[] validateContext(String context) {
 * Apply the security environment to this curator instance. This
 * may include setting up the ZK system properties for SASL
 * @param builder curator builder
+ * @throws IOException if jaas configuration can't be generated or found
 */
- public void applySecurityEnvironment(CuratorFrameworkFactory.Builder builder) {
+ public void applySecurityEnvironment(CuratorFrameworkFactory.Builder
+ builder) throws IOException {
 if (isSecureRegistry()) {
 switch (access) {
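Review bot: The new `@throws` line promises more than the method checks. Going by the second hunk, the only `IOException` raised is for SASL access with neither a keytab/principal pair nor the `java.security.auth.login.config` property set, and nothing verifies that a configured JAAS file is actually found. I would word it as `@throws IOException if SASL access is selected but neither a keytab/principal pair nor the java.security.auth.login.config system property is set`. The added checked exception also changes the signature of a public method, and no call sites are visible in this diff, so they should be checked to confirm the failure is propagated rather than caught and ignored. The method body continues outside this hunk.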
@@ -752,16 +754,36 @@ public void applySecurityEnvironment(CuratorFrameworkFactory.Builder builder) { break; case sasl: - JaasConfiguration jconf = - new JaasConfiguration(jaasClientEntry, principal, keytab); - javax.security.auth.login.Configuration.setConfiguration(jconf); - setSystemPropertyIfUnset(ZooKeeperSaslClient.ENABLE_CLIENT_SASL_KEY, - "true"); - setSystemPropertyIfUnset(ZooKeeperSaslClient.LOGIN_CONTEXT_NAME_KEY, - jaasClientEntry); - LOG.info( - "Enabling ZK sasl client: jaasClientEntry = " + jaasClientEntry - + ", principal = " + principal + ", keytab = " + keytab); + String existingJaasConf = System.getProperty( + "java.security.auth.login.config"); + if (existingJaasConf == null || existingJaasConf.isEmpty()) { + if (principal == null || keytab == null) { + throw new IOException("SASL is configured for registry, " + + "but neither keytab/principal nor java.security.auth.login" + + ".config system property are specified"); + } + // in this case, keytab and principal are specified and no jaas + // config is specified, so we will create one + LOG.info( + "Enabling ZK sasl client: jaasClientEntry = " + jaasClientEntry + + ", principal = " + principal + ", keytab = " + keytab); + JaasConfiguration jconf = + new JaasConfiguration(jaasClientEntry, principal, keytab); + javax.security.auth.login.Configuration.setConfiguration(jconf); + setSystemPropertyIfUnset(ZooKeeperSaslClient.ENABLE_CLIENT_SASL_KEY, + "true"); + setSystemPropertyIfUnset(ZooKeeperSaslClient.LOGIN_CONTEXT_NAME_KEY, + jaasClientEntry); + } else { + // in this case, jaas config is specified so we will not change it + LOG.info("Using existing ZK sasl configuration: " + + "jaasClientEntry = " + System.getProperty( + ZooKeeperSaslClient.LOGIN_CONTEXT_NAME_KEY, "Client") + + ", sasl client = " + System.getProperty( + ZooKeeperSaslClient.ENABLE_CLIENT_SASL_KEY, + ZooKeeperSaslClient.ENABLE_CLIENT_SASL_DEFAULT) + + ", jaas = " + existingJaasConf); + } break; default:
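Review bot: The new `else` branch trusts whatever `java.security.auth.login.config` points at, so a registry set to `sasl` access can proceed without a usable SASL login and nothing here fails. The branch only logs `ZooKeeperSaslClient.ENABLE_CLIENT_SASL_KEY` and `ZooKeeperSaslClient.LOGIN_CONTEXT_NAME_KEY`; it rejects neither a disabled SASL client nor a JAAS file that lacks the named login context. Failing fast in both cases would keep a misconfigured secure registry from running with an unauthenticated ZooKeeper session. `validateContext(String)`, whose signature appears in the first hunk header, looks like the existing helper for the context check, but its body is outside this diff, so confirm what it throws before relying on it. The enclosing `switch` starts and ends outside the hunk.

```java
          } else {
            // … unchanged: comment and LOG.info of the existing settings …
            String saslClient = System.getProperty(
                ZooKeeperSaslClient.ENABLE_CLIENT_SASL_KEY,
                ZooKeeperSaslClient.ENABLE_CLIENT_SASL_DEFAULT);
            if (!Boolean.parseBoolean(saslClient)) {
              throw new IOException("SASL is configured for registry, but "
                  + ZooKeeperSaslClient.ENABLE_CLIENT_SASL_KEY + " = " + saslClient);
            }
            // fail here if the existing JAAS config has no such login context
            validateContext(System.getProperty(
                ZooKeeperSaslClient.LOGIN_CONTEXT_NAME_KEY, "Client"));
          }
```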