HADOOP-10905. LdapGroupsMapping Should use configuration.getPassword for SSL and LDAP Passwords. Contributed by Larry McCay

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1616054 13f79535-47bb-0310-9956-ffa450edef68
This commit is contained in:
Brandon Li 2014-08-05 23:55:30 +00:00
parent 4869fa2cfa
commit a4f1292a53
3 changed files with 83 additions and 4 deletions

View File

@ -540,6 +540,9 @@ Release 2.6.0 - UNRELEASED
HADOOP-10759. Remove hardcoded JAVA_HEAP_MAX. (Sam Liu via Eric Yang)
HADOOP-10905. LdapGroupsMapping Should use configuration.getPassword for SSL
and LDAP Passwords. (lmccay via brandonli)
Release 2.5.0 - UNRELEASED
INCOMPATIBLE CHANGES

View File

@ -312,15 +312,15 @@ public synchronized void setConf(Configuration conf) {
useSsl = conf.getBoolean(LDAP_USE_SSL_KEY, LDAP_USE_SSL_DEFAULT);
keystore = conf.get(LDAP_KEYSTORE_KEY, LDAP_KEYSTORE_DEFAULT);
keystorePass =
conf.get(LDAP_KEYSTORE_PASSWORD_KEY, LDAP_KEYSTORE_PASSWORD_DEFAULT);
keystorePass = getPassword(conf, LDAP_KEYSTORE_PASSWORD_KEY,
LDAP_KEYSTORE_PASSWORD_DEFAULT);
if (keystorePass.isEmpty()) {
keystorePass = extractPassword(conf.get(LDAP_KEYSTORE_PASSWORD_FILE_KEY,
LDAP_KEYSTORE_PASSWORD_FILE_DEFAULT));
}
bindUser = conf.get(BIND_USER_KEY, BIND_USER_DEFAULT);
bindPassword = conf.get(BIND_PASSWORD_KEY, BIND_PASSWORD_DEFAULT);
bindPassword = getPassword(conf, BIND_PASSWORD_KEY, BIND_PASSWORD_DEFAULT);
if (bindPassword.isEmpty()) {
bindPassword = extractPassword(
conf.get(BIND_PASSWORD_FILE_KEY, BIND_PASSWORD_FILE_DEFAULT));
@ -342,6 +342,24 @@ public synchronized void setConf(Configuration conf) {
this.conf = conf;
}
String getPassword(Configuration conf, String alias, String defaultPass) {
String password = null;
try {
char[] passchars = conf.getPassword(alias);
if (passchars != null) {
password = new String(passchars);
}
else {
password = defaultPass;
}
}
catch (IOException ioe) {
LOG.warn("Exception while trying to password for alias " + alias + ": "
+ ioe.getMessage());
}
return password;
}
String extractPassword(String pwFile) {
if (pwFile.isEmpty()) {
// If there is no password file defined, we'll assume that we should do

View File

@ -17,6 +17,8 @@
*/
package org.apache.hadoop.security;
import static org.junit.Assert.assertArrayEquals;
import static org.junit.Assert.assertEquals;
import static org.mockito.Mockito.*;
import java.io.File;
@ -38,6 +40,9 @@
import javax.naming.directory.SearchResult;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.security.alias.CredentialProvider;
import org.apache.hadoop.security.alias.CredentialProviderFactory;
import org.apache.hadoop.security.alias.JavaKeyStoreProvider;
import org.junit.Assert;
import org.junit.Before;
import org.junit.Test;
@ -154,4 +159,57 @@ public void testExtractPassword() throws IOException {
Assert.assertEquals("hadoop",
mapping.extractPassword(secretFile.getPath()));
}
@Test
public void testConfGetPassword() throws Exception {
File testDir = new File(System.getProperty("test.build.data",
"target/test-dir"));
Configuration conf = new Configuration();
final String ourUrl =
JavaKeyStoreProvider.SCHEME_NAME + "://file/" + testDir + "/test.jks";
File file = new File(testDir, "test.jks");
file.delete();
conf.set(CredentialProviderFactory.CREDENTIAL_PROVIDER_PATH, ourUrl);
CredentialProvider provider =
CredentialProviderFactory.getProviders(conf).get(0);
char[] bindpass = {'b', 'i', 'n', 'd', 'p', 'a', 's', 's'};
char[] storepass = {'s', 't', 'o', 'r', 'e', 'p', 'a', 's', 's'};
// ensure that we get nulls when the key isn't there
assertEquals(null, provider.getCredentialEntry(
LdapGroupsMapping.BIND_PASSWORD_KEY));
assertEquals(null, provider.getCredentialEntry
(LdapGroupsMapping.LDAP_KEYSTORE_PASSWORD_KEY));
// create new aliases
try {
provider.createCredentialEntry(
LdapGroupsMapping.BIND_PASSWORD_KEY, bindpass);
provider.createCredentialEntry(
LdapGroupsMapping.LDAP_KEYSTORE_PASSWORD_KEY, storepass);
provider.flush();
} catch (Exception e) {
e.printStackTrace();
throw e;
}
// make sure we get back the right key
assertArrayEquals(bindpass, provider.getCredentialEntry(
LdapGroupsMapping.BIND_PASSWORD_KEY).getCredential());
assertArrayEquals(storepass, provider.getCredentialEntry(
LdapGroupsMapping.LDAP_KEYSTORE_PASSWORD_KEY).getCredential());
LdapGroupsMapping mapping = new LdapGroupsMapping();
Assert.assertEquals("bindpass",
mapping.getPassword(conf, LdapGroupsMapping.BIND_PASSWORD_KEY, ""));
Assert.assertEquals("storepass",
mapping.getPassword(conf, LdapGroupsMapping.LDAP_KEYSTORE_PASSWORD_KEY,
""));
// let's make sure that a password that doesn't exist returns an
// empty string as currently expected and used to trigger a call to
// extract password
Assert.assertEquals("", mapping.getPassword(conf,"invalid-alias", ""));
}
}