YARN-7942. Add check for JAAS configuration for Yarn Service.
Contributed by Billie Rinaldi
This commit is contained in:
parent
190969006d
commit
95904f6b3c
@ -736,8 +736,10 @@ public static AppConfigurationEntry[] validateContext(String context) {
|
|||||||
* Apply the security environment to this curator instance. This
|
* Apply the security environment to this curator instance. This
|
||||||
* may include setting up the ZK system properties for SASL
|
* may include setting up the ZK system properties for SASL
|
||||||
* @param builder curator builder
|
* @param builder curator builder
|
||||||
|
* @throws IOException if jaas configuration can't be generated or found
|
||||||
*/
|
*/
|
||||||
public void applySecurityEnvironment(CuratorFrameworkFactory.Builder builder) {
|
public void applySecurityEnvironment(CuratorFrameworkFactory.Builder
|
||||||
|
builder) throws IOException {
|
||||||
|
|
||||||
if (isSecureRegistry()) {
|
if (isSecureRegistry()) {
|
||||||
switch (access) {
|
switch (access) {
|
||||||
@ -752,16 +754,36 @@ public void applySecurityEnvironment(CuratorFrameworkFactory.Builder builder) {
|
|||||||
break;
|
break;
|
||||||
|
|
||||||
case sasl:
|
case sasl:
|
||||||
JaasConfiguration jconf =
|
String existingJaasConf = System.getProperty(
|
||||||
new JaasConfiguration(jaasClientEntry, principal, keytab);
|
"java.security.auth.login.config");
|
||||||
javax.security.auth.login.Configuration.setConfiguration(jconf);
|
if (existingJaasConf == null || existingJaasConf.isEmpty()) {
|
||||||
setSystemPropertyIfUnset(ZooKeeperSaslClient.ENABLE_CLIENT_SASL_KEY,
|
if (principal == null || keytab == null) {
|
||||||
"true");
|
throw new IOException("SASL is configured for registry, " +
|
||||||
setSystemPropertyIfUnset(ZooKeeperSaslClient.LOGIN_CONTEXT_NAME_KEY,
|
"but neither keytab/principal nor java.security.auth.login" +
|
||||||
jaasClientEntry);
|
".config system property are specified");
|
||||||
LOG.info(
|
}
|
||||||
"Enabling ZK sasl client: jaasClientEntry = " + jaasClientEntry
|
// in this case, keytab and principal are specified and no jaas
|
||||||
+ ", principal = " + principal + ", keytab = " + keytab);
|
// config is specified, so we will create one
|
||||||
|
LOG.info(
|
||||||
|
"Enabling ZK sasl client: jaasClientEntry = " + jaasClientEntry
|
||||||
|
+ ", principal = " + principal + ", keytab = " + keytab);
|
||||||
|
JaasConfiguration jconf =
|
||||||
|
new JaasConfiguration(jaasClientEntry, principal, keytab);
|
||||||
|
javax.security.auth.login.Configuration.setConfiguration(jconf);
|
||||||
|
setSystemPropertyIfUnset(ZooKeeperSaslClient.ENABLE_CLIENT_SASL_KEY,
|
||||||
|
"true");
|
||||||
|
setSystemPropertyIfUnset(ZooKeeperSaslClient.LOGIN_CONTEXT_NAME_KEY,
|
||||||
|
jaasClientEntry);
|
||||||
|
} else {
|
||||||
|
// in this case, jaas config is specified so we will not change it
|
||||||
|
LOG.info("Using existing ZK sasl configuration: " +
|
||||||
|
"jaasClientEntry = " + System.getProperty(
|
||||||
|
ZooKeeperSaslClient.LOGIN_CONTEXT_NAME_KEY, "Client") +
|
||||||
|
", sasl client = " + System.getProperty(
|
||||||
|
ZooKeeperSaslClient.ENABLE_CLIENT_SASL_KEY,
|
||||||
|
ZooKeeperSaslClient.ENABLE_CLIENT_SASL_DEFAULT) +
|
||||||
|
", jaas = " + existingJaasConf);
|
||||||
|
}
|
||||||
break;
|
break;
|
||||||
|
|
||||||
default:
|
default:
|
||||||
|
Loading…
Reference in New Issue
Block a user