HADOOP-12682. Fix TestKMS#testKMSRestart* failure. Contributed by Wei-Chiu Chuang.

This commit is contained in:
Xiaoyu Yao 2015-12-30 10:29:26 -08:00
parent 223ce323bb
commit ab725cff66
3 changed files with 42 additions and 18 deletions

View File

@ -1535,6 +1535,9 @@ Release 2.8.0 - UNRELEASED
HADOOP-12559. KMS connection failures should trigger TGT renewal. HADOOP-12559. KMS connection failures should trigger TGT renewal.
(Zhe Zhang via xyao) (Zhe Zhang via xyao)
HADOOP-12682. Fix TestKMS#testKMSRestart* failure.
(Wei-Chiu Chuang via xyao)
Release 2.7.3 - UNRELEASED Release 2.7.3 - UNRELEASED
INCOMPATIBLE CHANGES INCOMPATIBLE CHANGES

View File

@ -976,6 +976,42 @@ static void loginUserFromKeytab(String user,
+ " using keytab file " + keytabFile); + " using keytab file " + keytabFile);
} }
/**
* Log the current user out who previously logged in using keytab.
* This method assumes that the user logged in by calling
* {@link #loginUserFromKeytab(String, String)}.
*
* @throws IOException if a failure occurred in logout, or if the user did
* not log in by invoking loginUserFromKeyTab() before.
*/
@InterfaceAudience.Public
@InterfaceStability.Evolving
public void logoutUserFromKeytab() throws IOException {
if (!isSecurityEnabled() ||
user.getAuthenticationMethod() != AuthenticationMethod.KERBEROS) {
return;
}
LoginContext login = getLogin();
if (login == null || keytabFile == null) {
throw new IOException("loginUserFromKeytab must be done first");
}
try {
if (LOG.isDebugEnabled()) {
LOG.debug("Initiating logout for " + getUserName());
}
synchronized (UserGroupInformation.class) {
login.logout();
}
} catch (LoginException le) {
throw new IOException("Logout failure for " + user + " from keytab " +
keytabFile, le);
}
LOG.info("Logout successful for user " + keytabPrincipal
+ " using keytab file " + keytabFile);
}
/** /**
* Re-login a user from keytab if TGT is expired or is close to expiry. * Re-login a user from keytab if TGT is expired or is close to expiry.
* *

View File

@ -44,10 +44,8 @@
import org.junit.BeforeClass; import org.junit.BeforeClass;
import org.junit.Test; import org.junit.Test;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosPrincipal; import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.login.AppConfigurationEntry; import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.LoginContext;
import java.io.File; import java.io.File;
import java.io.FileWriter; import java.io.FileWriter;
@ -59,16 +57,13 @@
import java.net.SocketTimeoutException; import java.net.SocketTimeoutException;
import java.net.URI; import java.net.URI;
import java.net.URL; import java.net.URL;
import java.security.Principal;
import java.security.PrivilegedExceptionAction; import java.security.PrivilegedExceptionAction;
import java.util.ArrayList; import java.util.ArrayList;
import java.util.Date; import java.util.Date;
import java.util.HashMap; import java.util.HashMap;
import java.util.HashSet;
import java.util.List; import java.util.List;
import java.util.Map; import java.util.Map;
import java.util.Properties; import java.util.Properties;
import java.util.Set;
import java.util.UUID; import java.util.UUID;
import java.util.concurrent.Callable; import java.util.concurrent.Callable;
@ -250,22 +245,12 @@ public static void tearDownMiniKdc() throws Exception {
private <T> T doAs(String user, final PrivilegedExceptionAction<T> action) private <T> T doAs(String user, final PrivilegedExceptionAction<T> action)
throws Exception { throws Exception {
Set<Principal> principals = new HashSet<Principal>(); UserGroupInformation.loginUserFromKeytab(user, keytab.getAbsolutePath());
principals.add(new KerberosPrincipal(user)); UserGroupInformation ugi = UserGroupInformation.getLoginUser();
//client login
Subject subject = new Subject(false, principals,
new HashSet<Object>(), new HashSet<Object>());
LoginContext loginContext = new LoginContext("", subject, null,
KerberosConfiguration.createClientConfig(user, keytab));
try { try {
loginContext.login();
subject = loginContext.getSubject();
UserGroupInformation ugi =
UserGroupInformation.getUGIFromSubject(subject);
return ugi.doAs(action); return ugi.doAs(action);
} finally { } finally {
loginContext.logout(); ugi.logoutUserFromKeytab();
} }
} }