YARN-7942. Add check for JAAS configuration for Yarn Service.

Contributed by Billie Rinaldi
This commit is contained in:
Eric Yang 2018-02-22 16:12:40 -05:00
parent 190969006d
commit 95904f6b3c

View File

@ -736,8 +736,10 @@ public static AppConfigurationEntry[] validateContext(String context) {
* Apply the security environment to this curator instance. This * Apply the security environment to this curator instance. This
* may include setting up the ZK system properties for SASL * may include setting up the ZK system properties for SASL
* @param builder curator builder * @param builder curator builder
* @throws IOException if jaas configuration can't be generated or found
*/ */
public void applySecurityEnvironment(CuratorFrameworkFactory.Builder builder) { public void applySecurityEnvironment(CuratorFrameworkFactory.Builder
builder) throws IOException {
if (isSecureRegistry()) { if (isSecureRegistry()) {
switch (access) { switch (access) {
@ -752,16 +754,36 @@ public void applySecurityEnvironment(CuratorFrameworkFactory.Builder builder) {
break; break;
case sasl: case sasl:
JaasConfiguration jconf = String existingJaasConf = System.getProperty(
new JaasConfiguration(jaasClientEntry, principal, keytab); "java.security.auth.login.config");
javax.security.auth.login.Configuration.setConfiguration(jconf); if (existingJaasConf == null || existingJaasConf.isEmpty()) {
setSystemPropertyIfUnset(ZooKeeperSaslClient.ENABLE_CLIENT_SASL_KEY, if (principal == null || keytab == null) {
"true"); throw new IOException("SASL is configured for registry, " +
setSystemPropertyIfUnset(ZooKeeperSaslClient.LOGIN_CONTEXT_NAME_KEY, "but neither keytab/principal nor java.security.auth.login" +
jaasClientEntry); ".config system property are specified");
LOG.info( }
"Enabling ZK sasl client: jaasClientEntry = " + jaasClientEntry // in this case, keytab and principal are specified and no jaas
+ ", principal = " + principal + ", keytab = " + keytab); // config is specified, so we will create one
LOG.info(
"Enabling ZK sasl client: jaasClientEntry = " + jaasClientEntry
+ ", principal = " + principal + ", keytab = " + keytab);
JaasConfiguration jconf =
new JaasConfiguration(jaasClientEntry, principal, keytab);
javax.security.auth.login.Configuration.setConfiguration(jconf);
setSystemPropertyIfUnset(ZooKeeperSaslClient.ENABLE_CLIENT_SASL_KEY,
"true");
setSystemPropertyIfUnset(ZooKeeperSaslClient.LOGIN_CONTEXT_NAME_KEY,
jaasClientEntry);
} else {
// in this case, jaas config is specified so we will not change it
LOG.info("Using existing ZK sasl configuration: " +
"jaasClientEntry = " + System.getProperty(
ZooKeeperSaslClient.LOGIN_CONTEXT_NAME_KEY, "Client") +
", sasl client = " + System.getProperty(
ZooKeeperSaslClient.ENABLE_CLIENT_SASL_KEY,
ZooKeeperSaslClient.ENABLE_CLIENT_SASL_DEFAULT) +
", jaas = " + existingJaasConf);
}
break; break;
default: default: