HADOOP-12682. Fix TestKMS#testKMSRestart* failure. Contributed by Wei-Chiu Chuang.
This commit is contained in:
parent
223ce323bb
commit
ab725cff66
@ -1535,6 +1535,9 @@ Release 2.8.0 - UNRELEASED
|
||||
HADOOP-12559. KMS connection failures should trigger TGT renewal.
|
||||
(Zhe Zhang via xyao)
|
||||
|
||||
HADOOP-12682. Fix TestKMS#testKMSRestart* failure.
|
||||
(Wei-Chiu Chuang via xyao)
|
||||
|
||||
Release 2.7.3 - UNRELEASED
|
||||
|
||||
INCOMPATIBLE CHANGES
|
||||
|
@ -976,6 +976,42 @@ static void loginUserFromKeytab(String user,
|
||||
+ " using keytab file " + keytabFile);
|
||||
}
|
||||
|
||||
/**
|
||||
* Log the current user out who previously logged in using keytab.
|
||||
* This method assumes that the user logged in by calling
|
||||
* {@link #loginUserFromKeytab(String, String)}.
|
||||
*
|
||||
* @throws IOException if a failure occurred in logout, or if the user did
|
||||
* not log in by invoking loginUserFromKeyTab() before.
|
||||
*/
|
||||
@InterfaceAudience.Public
|
||||
@InterfaceStability.Evolving
|
||||
public void logoutUserFromKeytab() throws IOException {
|
||||
if (!isSecurityEnabled() ||
|
||||
user.getAuthenticationMethod() != AuthenticationMethod.KERBEROS) {
|
||||
return;
|
||||
}
|
||||
LoginContext login = getLogin();
|
||||
if (login == null || keytabFile == null) {
|
||||
throw new IOException("loginUserFromKeytab must be done first");
|
||||
}
|
||||
|
||||
try {
|
||||
if (LOG.isDebugEnabled()) {
|
||||
LOG.debug("Initiating logout for " + getUserName());
|
||||
}
|
||||
synchronized (UserGroupInformation.class) {
|
||||
login.logout();
|
||||
}
|
||||
} catch (LoginException le) {
|
||||
throw new IOException("Logout failure for " + user + " from keytab " +
|
||||
keytabFile, le);
|
||||
}
|
||||
|
||||
LOG.info("Logout successful for user " + keytabPrincipal
|
||||
+ " using keytab file " + keytabFile);
|
||||
}
|
||||
|
||||
/**
|
||||
* Re-login a user from keytab if TGT is expired or is close to expiry.
|
||||
*
|
||||
|
@ -44,10 +44,8 @@
|
||||
import org.junit.BeforeClass;
|
||||
import org.junit.Test;
|
||||
|
||||
import javax.security.auth.Subject;
|
||||
import javax.security.auth.kerberos.KerberosPrincipal;
|
||||
import javax.security.auth.login.AppConfigurationEntry;
|
||||
import javax.security.auth.login.LoginContext;
|
||||
|
||||
import java.io.File;
|
||||
import java.io.FileWriter;
|
||||
@ -59,16 +57,13 @@
|
||||
import java.net.SocketTimeoutException;
|
||||
import java.net.URI;
|
||||
import java.net.URL;
|
||||
import java.security.Principal;
|
||||
import java.security.PrivilegedExceptionAction;
|
||||
import java.util.ArrayList;
|
||||
import java.util.Date;
|
||||
import java.util.HashMap;
|
||||
import java.util.HashSet;
|
||||
import java.util.List;
|
||||
import java.util.Map;
|
||||
import java.util.Properties;
|
||||
import java.util.Set;
|
||||
import java.util.UUID;
|
||||
import java.util.concurrent.Callable;
|
||||
|
||||
@ -250,22 +245,12 @@ public static void tearDownMiniKdc() throws Exception {
|
||||
|
||||
private <T> T doAs(String user, final PrivilegedExceptionAction<T> action)
|
||||
throws Exception {
|
||||
Set<Principal> principals = new HashSet<Principal>();
|
||||
principals.add(new KerberosPrincipal(user));
|
||||
|
||||
//client login
|
||||
Subject subject = new Subject(false, principals,
|
||||
new HashSet<Object>(), new HashSet<Object>());
|
||||
LoginContext loginContext = new LoginContext("", subject, null,
|
||||
KerberosConfiguration.createClientConfig(user, keytab));
|
||||
UserGroupInformation.loginUserFromKeytab(user, keytab.getAbsolutePath());
|
||||
UserGroupInformation ugi = UserGroupInformation.getLoginUser();
|
||||
try {
|
||||
loginContext.login();
|
||||
subject = loginContext.getSubject();
|
||||
UserGroupInformation ugi =
|
||||
UserGroupInformation.getUGIFromSubject(subject);
|
||||
return ugi.doAs(action);
|
||||
} finally {
|
||||
loginContext.logout();
|
||||
ugi.logoutUserFromKeytab();
|
||||
}
|
||||
}
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user