HADOOP-13018. Make Kdiag check whether hadoop.token.files points to existent and valid files. Contributed by Ravi Prakash
parent
eb0a483ed0
commit
abb9fa7fc6
@ -38,6 +38,7 @@
|
||||
import org.slf4j.LoggerFactory;
|
||||
|
||||
import javax.crypto.Cipher;
|
||||
|
||||
import java.io.Closeable;
|
||||
import java.io.File;
|
||||
import java.io.FileInputStream;
|
||||
@ -61,6 +62,7 @@
|
||||
import static org.apache.hadoop.security.authentication.util.KerberosUtil.*;
|
||||
import static org.apache.hadoop.util.StringUtils.popOption;
|
||||
import static org.apache.hadoop.util.StringUtils.popOptionWithArgument;
|
||||
import static org.apache.hadoop.fs.CommonConfigurationKeysPublic.HADOOP_TOKEN_FILES;
|
||||
|
||||
/**
|
||||
* Kerberos diagnostics
|
||||
@ -145,6 +147,7 @@ public class KDiag extends Configured implements Tool, Closeable {
|
||||
public static final String CAT_OS = "JAAS";
|
||||
public static final String CAT_SASL = "SASL";
|
||||
public static final String CAT_UGI = "UGI";
|
||||
public static final String CAT_TOKEN = "TOKEN";
|
||||
|
||||
public static final String ARG_KEYLEN = "--keylen";
|
||||
public static final String ARG_KEYTAB = "--keytab";
|
||||
@ -371,6 +374,7 @@ public boolean execute() throws Exception {
|
||||
|
||||
try {
|
||||
UserGroupInformation.setConfiguration(conf);
|
||||
validateHadoopTokenFiles(conf);
|
||||
validateKrb5File();
|
||||
printDefaultRealm();
|
||||
validateSasl(HADOOP_SECURITY_SASL_PROPS_RESOLVER_CLASS);
|
||||
@ -500,6 +504,47 @@ protected void printDefaultRealm() {
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Validate that hadoop.token.files (if specified) exist and are valid.
|
||||
* @throws ClassNotFoundException
|
||||
* @throws SecurityException
|
||||
* @throws NoSuchMethodException
|
||||
* @throws KerberosDiagsFailure
|
||||
*/
|
||||
private void validateHadoopTokenFiles(Configuration conf)
|
||||
throws ClassNotFoundException, KerberosDiagsFailure, NoSuchMethodException,
|
||||
SecurityException {
|
||||
title("Locating Hadoop token files");
|
||||
|
||||
String tokenFileLocation = System.getProperty(HADOOP_TOKEN_FILES);
|
||||
if(tokenFileLocation != null) {
|
||||
println("Found " + HADOOP_TOKEN_FILES + " in system properties : "
|
||||
+ tokenFileLocation);
|
||||
}
|
||||
|
||||
if(conf.get(HADOOP_TOKEN_FILES) != null) {
|
||||
println("Found " + HADOOP_TOKEN_FILES + " in hadoop configuration : "
|
||||
+ conf.get(HADOOP_TOKEN_FILES));
|
||||
if(System.getProperty(HADOOP_TOKEN_FILES) != null) {
|
||||
println(HADOOP_TOKEN_FILES + " in the system properties overrides the"
|
||||
+ " one specified in hadoop configuration");
|
||||
} else {
|
||||
tokenFileLocation = conf.get(HADOOP_TOKEN_FILES);
|
||||
}
|
||||
}
|
||||
|
||||
if (tokenFileLocation != null) {
|
||||
for (String tokenFileName:
|
||||
StringUtils.getTrimmedStrings(tokenFileLocation)) {
|
||||
if (tokenFileName.length() > 0) {
|
||||
File tokenFile = new File(tokenFileName);
|
||||
verifyFileIsValid(tokenFile, CAT_TOKEN, "token");
|
||||
verify(tokenFile, conf, CAT_TOKEN, "token");
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Locate the {@code krb5.conf} file and dump it.
|
||||
*
|
||||
@ -928,6 +973,28 @@ private boolean verify(boolean condition,
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Verify that tokenFile contains valid Credentials.
|
||||
*
|
||||
* If not, an exception is raised, or, if {@link #nofail} is set,
|
||||
* an error will be logged and the method return false.
|
||||
*
|
||||
*/
|
||||
private boolean verify(File tokenFile, Configuration conf, String category,
|
||||
String message) throws KerberosDiagsFailure {
|
||||
try {
|
||||
Credentials.readTokenStorageFile(tokenFile, conf);
|
||||
} catch(Exception e) {
|
||||
if (!nofail) {
|
||||
fail(category, message);
|
||||
} else {
|
||||
error(category, message);
|
||||
}
|
||||
return false;
|
||||
}
|
||||
return true;
|
||||
}
|
||||
|
||||
/**
|
||||
* Print a message as an error
|
||||
* @param category error category
|
||||
|
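Review bot: The new `verify(File, Configuration, String, String)` overload drops the caught exception: its `catch(Exception e)` block calls `fail(category, message)` / `error(category, message)` with only the caller-supplied `message`, and the caller in validateHadoopTokenFiles passes the bare string `"token"`, so a token file that exists but cannot be parsed by `Credentials.readTokenStorageFile` is reported as just "token" with no file name and no reason — exactly the detail a diagnostics tool exists to surface. Include the path and the exception in both branches, e.g. `fail(category, message + " file " + tokenFile + " could not be read: " + e);` and `error(category, message + " file " + tokenFile + " could not be read: " + e);` (or pass `e` as a cause if `fail` accepts one; its signature is outside this hunk). The Javadoc on the overload should also gain `@param tokenFile`, `@param conf`, `@param category`, `@param message` and `@return true if the file parsed as a Credentials store`, matching the documented `verify(boolean, ...)` sibling it overloads. Separately, validateHadoopTokenFiles declares `ClassNotFoundException`, `NoSuchMethodException` and `SecurityException` although nothing in its visible body appears to throw them; if verifyFileIsValid does not either, trimming the throws clause to `KerberosDiagsFailure` would keep the signature honest.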
@ -34,6 +34,7 @@
|
||||
import java.io.File;
|
||||
import java.util.Properties;
|
||||
|
||||
import static org.apache.hadoop.fs.CommonConfigurationKeysPublic.HADOOP_TOKEN_FILES;
|
||||
import static org.apache.hadoop.fs.CommonConfigurationKeysPublic.HADOOP_SECURITY_AUTHENTICATION;
|
||||
import static org.apache.hadoop.security.KDiag.ARG_KEYLEN;
|
||||
import static org.apache.hadoop.security.KDiag.ARG_KEYTAB;
|
||||
@ -44,6 +45,7 @@
|
||||
import static org.apache.hadoop.security.KDiag.CAT_CONFIG;
|
||||
import static org.apache.hadoop.security.KDiag.CAT_KERBEROS;
|
||||
import static org.apache.hadoop.security.KDiag.CAT_LOGIN;
|
||||
import static org.apache.hadoop.security.KDiag.CAT_TOKEN;
|
||||
import static org.apache.hadoop.security.KDiag.KerberosDiagsFailure;
|
||||
import static org.apache.hadoop.security.KDiag.exec;
|
||||
|
||||
@ -120,4 +122,10 @@ public void testKDiagUsage() throws Throwable {
|
||||
assertEquals(-1, kdiag("usage"));
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testTokenFile() throws Throwable {
|
||||
conf.set(HADOOP_TOKEN_FILES, "SomeNonExistentFile");
|
||||
kdiagFailure(CAT_TOKEN, ARG_KEYLEN, KEYLEN);
|
||||
conf.unset(HADOOP_TOKEN_FILES);
|
||||
}
|
||||
}
|
||||
|
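Review bot: testTokenFile only covers the nonexistent-file path, which is caught by verifyFileIsValid before the new `verify(File, Configuration, String, String)` check runs, so the Credentials-parsing branch this commit adds has no test. An existing but unparseable file (an empty temp file should fail the token-storage header check) would exercise it. The `conf.unset(HADOOP_TOKEN_FILES)` also sits outside a `finally`, so a failing assertion leaves the key set for anything else sharing that `conf` instance; whether `conf` is per-test is not visible here. The test also implicitly assumes the `hadoop.token.files` system property is unset in the test JVM, since validateHadoopTokenFiles lets the system property override the configuration value.

```java
@Test
public void testTokenFile() throws Throwable {
  File empty = File.createTempFile("kdiag", ".token");
  empty.deleteOnExit();
  try {
    conf.set(HADOOP_TOKEN_FILES, "SomeNonExistentFile");
    kdiagFailure(CAT_TOKEN, ARG_KEYLEN, KEYLEN);
    // exists but is not a token storage file: exercises verify(File, Configuration, ...)
    conf.set(HADOOP_TOKEN_FILES, empty.getAbsolutePath());
    kdiagFailure(CAT_TOKEN, ARG_KEYLEN, KEYLEN);
  } finally {
    conf.unset(HADOOP_TOKEN_FILES);
  }
}
```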