HADOOP-12682. Fix TestKMS#testKMSRestart* failure. Contributed by Wei-Chiu Chuang.
parent
223ce323bb
commit
ab725cff66
@ -1535,6 +1535,9 @@ Release 2.8.0 - UNRELEASED
|
|||||||
HADOOP-12559. KMS connection failures should trigger TGT renewal.
|
HADOOP-12559. KMS connection failures should trigger TGT renewal.
|
||||||
(Zhe Zhang via xyao)
|
(Zhe Zhang via xyao)
|
||||||
|
|
||||||
|
HADOOP-12682. Fix TestKMS#testKMSRestart* failure.
|
||||||
|
(Wei-Chiu Chuang via xyao)
|
||||||
|
|
||||||
Release 2.7.3 - UNRELEASED
|
Release 2.7.3 - UNRELEASED
|
||||||
|
|
||||||
INCOMPATIBLE CHANGES
|
INCOMPATIBLE CHANGES
|
||||||
|
@ -976,6 +976,42 @@ static void loginUserFromKeytab(String user,
|
|||||||
+ " using keytab file " + keytabFile);
|
+ " using keytab file " + keytabFile);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Log the current user out who previously logged in using keytab.
|
||||||
|
* This method assumes that the user logged in by calling
|
||||||
|
* {@link #loginUserFromKeytab(String, String)}.
|
||||||
|
*
|
||||||
|
* @throws IOException if a failure occurred in logout, or if the user did
|
||||||
|
* not log in by invoking loginUserFromKeyTab() before.
|
||||||
|
*/
|
||||||
|
@InterfaceAudience.Public
|
||||||
|
@InterfaceStability.Evolving
|
||||||
|
public void logoutUserFromKeytab() throws IOException {
|
||||||
|
if (!isSecurityEnabled() ||
|
||||||
|
user.getAuthenticationMethod() != AuthenticationMethod.KERBEROS) {
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
LoginContext login = getLogin();
|
||||||
|
if (login == null || keytabFile == null) {
|
||||||
|
throw new IOException("loginUserFromKeytab must be done first");
|
||||||
|
}
|
||||||
|
|
||||||
|
try {
|
||||||
|
if (LOG.isDebugEnabled()) {
|
||||||
|
LOG.debug("Initiating logout for " + getUserName());
|
||||||
|
}
|
||||||
|
synchronized (UserGroupInformation.class) {
|
||||||
|
login.logout();
|
||||||
|
}
|
||||||
|
} catch (LoginException le) {
|
||||||
|
throw new IOException("Logout failure for " + user + " from keytab " +
|
||||||
|
keytabFile, le);
|
||||||
|
}
|
||||||
|
|
||||||
|
LOG.info("Logout successful for user " + keytabPrincipal
|
||||||
|
+ " using keytab file " + keytabFile);
|
||||||
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Re-login a user from keytab if TGT is expired or is close to expiry.
|
* Re-login a user from keytab if TGT is expired or is close to expiry.
|
||||||
*
|
*
|
||||||
|
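Review bot: The guard `if (login == null || keytabFile == null)` in logoutUserFromKeytab() does not establish that this instance is the one that logged in from the keytab: `keytabFile` is also read inside the static loginUserFromKeytab() in the context lines above, so it looks like class-wide state, while `getLogin()` and `login.logout()` act on this instance. A UGI obtained some other way could therefore pass the check once any keytab login has happened, have its LoginContext logged out, and be reported by the `LOG.info` line under `keytabPrincipal`, which may not be its principal. I would tie both the check and the message to this instance, for example by logging `getUserName()` as the debug line already does. The method also leaves the keytab fields, and presumably the cached login user, untouched after logout, so later callers may receive a UGI whose credentials are already gone; either reset that state here or document it in the Javadoc, which should also mention the silent return when security is disabled or the authentication method is not KERBEROS.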
@ -44,10 +44,8 @@
|
|||||||
import org.junit.BeforeClass;
|
import org.junit.BeforeClass;
|
||||||
import org.junit.Test;
|
import org.junit.Test;
|
||||||
|
|
||||||
import javax.security.auth.Subject;
|
|
||||||
import javax.security.auth.kerberos.KerberosPrincipal;
|
import javax.security.auth.kerberos.KerberosPrincipal;
|
||||||
import javax.security.auth.login.AppConfigurationEntry;
|
import javax.security.auth.login.AppConfigurationEntry;
|
||||||
import javax.security.auth.login.LoginContext;
|
|
||||||
|
|
||||||
import java.io.File;
|
import java.io.File;
|
||||||
import java.io.FileWriter;
|
import java.io.FileWriter;
|
||||||
@ -59,16 +57,13 @@
|
|||||||
import java.net.SocketTimeoutException;
|
import java.net.SocketTimeoutException;
|
||||||
import java.net.URI;
|
import java.net.URI;
|
||||||
import java.net.URL;
|
import java.net.URL;
|
||||||
import java.security.Principal;
|
|
||||||
import java.security.PrivilegedExceptionAction;
|
import java.security.PrivilegedExceptionAction;
|
||||||
import java.util.ArrayList;
|
import java.util.ArrayList;
|
||||||
import java.util.Date;
|
import java.util.Date;
|
||||||
import java.util.HashMap;
|
import java.util.HashMap;
|
||||||
import java.util.HashSet;
|
|
||||||
import java.util.List;
|
import java.util.List;
|
||||||
import java.util.Map;
|
import java.util.Map;
|
||||||
import java.util.Properties;
|
import java.util.Properties;
|
||||||
import java.util.Set;
|
|
||||||
import java.util.UUID;
|
import java.util.UUID;
|
||||||
import java.util.concurrent.Callable;
|
import java.util.concurrent.Callable;
|
||||||
|
|
||||||
@ -250,22 +245,12 @@ public static void tearDownMiniKdc() throws Exception {
|
|||||||
|
|
||||||
private <T> T doAs(String user, final PrivilegedExceptionAction<T> action)
|
private <T> T doAs(String user, final PrivilegedExceptionAction<T> action)
|
||||||
throws Exception {
|
throws Exception {
|
||||||
Set<Principal> principals = new HashSet<Principal>();
|
UserGroupInformation.loginUserFromKeytab(user, keytab.getAbsolutePath());
|
||||||
principals.add(new KerberosPrincipal(user));
|
UserGroupInformation ugi = UserGroupInformation.getLoginUser();
|
||||||
|
|
||||||
//client login
|
|
||||||
Subject subject = new Subject(false, principals,
|
|
||||||
new HashSet<Object>(), new HashSet<Object>());
|
|
||||||
LoginContext loginContext = new LoginContext("", subject, null,
|
|
||||||
KerberosConfiguration.createClientConfig(user, keytab));
|
|
||||||
try {
|
try {
|
||||||
loginContext.login();
|
|
||||||
subject = loginContext.getSubject();
|
|
||||||
UserGroupInformation ugi =
|
|
||||||
UserGroupInformation.getUGIFromSubject(subject);
|
|
||||||
return ugi.doAs(action);
|
return ugi.doAs(action);
|
||||||
} finally {
|
} finally {
|
||||||
loginContext.logout();
|
ugi.logoutUserFromKeytab();
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
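Review bot: doAs() now goes through `UserGroupInformation.loginUserFromKeytab(...)` and `getLoginUser()`, which are static calls and so appear to replace the process-wide login user, where the removed code logged in a private `Subject` through its own `LoginContext`. Any test that nests doAs() calls for different principals, or runs them from parallel threads (the file imports `Callable`), would then share and overwrite that identity, and an inner `finally` would log out the outer caller's login. If that cannot happen in this suite, a one-line comment such as `// not re-entrant: swaps the JVM-wide login user` would record the constraint. Separately, an IOException thrown by `ugi.logoutUserFromKeytab()` in the `finally` block replaces whatever `ugi.doAs(action)` threw, which hides the real test failure; catching and logging it there would preserve the original exception.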