HADOOP-13018. Make Kdiag check whether hadoop.token.files points to existent and valid files. Contributed by Ravi Prakash
parent
eb0a483ed0
commit
abb9fa7fc6
@ -38,6 +38,7 @@
|
|||||||
import org.slf4j.LoggerFactory;
|
import org.slf4j.LoggerFactory;
|
||||||
|
|
||||||
import javax.crypto.Cipher;
|
import javax.crypto.Cipher;
|
||||||
|
|
||||||
import java.io.Closeable;
|
import java.io.Closeable;
|
||||||
import java.io.File;
|
import java.io.File;
|
||||||
import java.io.FileInputStream;
|
import java.io.FileInputStream;
|
||||||
@ -61,6 +62,7 @@
|
|||||||
import static org.apache.hadoop.security.authentication.util.KerberosUtil.*;
|
import static org.apache.hadoop.security.authentication.util.KerberosUtil.*;
|
||||||
import static org.apache.hadoop.util.StringUtils.popOption;
|
import static org.apache.hadoop.util.StringUtils.popOption;
|
||||||
import static org.apache.hadoop.util.StringUtils.popOptionWithArgument;
|
import static org.apache.hadoop.util.StringUtils.popOptionWithArgument;
|
||||||
|
import static org.apache.hadoop.fs.CommonConfigurationKeysPublic.HADOOP_TOKEN_FILES;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Kerberos diagnostics
|
* Kerberos diagnostics
|
||||||
@ -145,6 +147,7 @@ public class KDiag extends Configured implements Tool, Closeable {
|
|||||||
public static final String CAT_OS = "JAAS";
|
public static final String CAT_OS = "JAAS";
|
||||||
public static final String CAT_SASL = "SASL";
|
public static final String CAT_SASL = "SASL";
|
||||||
public static final String CAT_UGI = "UGI";
|
public static final String CAT_UGI = "UGI";
|
||||||
|
public static final String CAT_TOKEN = "TOKEN";
|
||||||
|
|
||||||
public static final String ARG_KEYLEN = "--keylen";
|
public static final String ARG_KEYLEN = "--keylen";
|
||||||
public static final String ARG_KEYTAB = "--keytab";
|
public static final String ARG_KEYTAB = "--keytab";
|
||||||
@ -371,6 +374,7 @@ public boolean execute() throws Exception {
|
|||||||
|
|
||||||
try {
|
try {
|
||||||
UserGroupInformation.setConfiguration(conf);
|
UserGroupInformation.setConfiguration(conf);
|
||||||
|
validateHadoopTokenFiles(conf);
|
||||||
validateKrb5File();
|
validateKrb5File();
|
||||||
printDefaultRealm();
|
printDefaultRealm();
|
||||||
validateSasl(HADOOP_SECURITY_SASL_PROPS_RESOLVER_CLASS);
|
validateSasl(HADOOP_SECURITY_SASL_PROPS_RESOLVER_CLASS);
|
||||||
@ -500,6 +504,47 @@ protected void printDefaultRealm() {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Validate that hadoop.token.files (if specified) exist and are valid.
|
||||||
|
* @throws ClassNotFoundException
|
||||||
|
* @throws SecurityException
|
||||||
|
* @throws NoSuchMethodException
|
||||||
|
* @throws KerberosDiagsFailure
|
||||||
|
*/
|
||||||
|
private void validateHadoopTokenFiles(Configuration conf)
|
||||||
|
throws ClassNotFoundException, KerberosDiagsFailure, NoSuchMethodException,
|
||||||
|
SecurityException {
|
||||||
|
title("Locating Hadoop token files");
|
||||||
|
|
||||||
|
String tokenFileLocation = System.getProperty(HADOOP_TOKEN_FILES);
|
||||||
|
if(tokenFileLocation != null) {
|
||||||
|
println("Found " + HADOOP_TOKEN_FILES + " in system properties : "
|
||||||
|
+ tokenFileLocation);
|
||||||
|
}
|
||||||
|
|
||||||
|
if(conf.get(HADOOP_TOKEN_FILES) != null) {
|
||||||
|
println("Found " + HADOOP_TOKEN_FILES + " in hadoop configuration : "
|
||||||
|
+ conf.get(HADOOP_TOKEN_FILES));
|
||||||
|
if(System.getProperty(HADOOP_TOKEN_FILES) != null) {
|
||||||
|
println(HADOOP_TOKEN_FILES + " in the system properties overrides the"
|
||||||
|
+ " one specified in hadoop configuration");
|
||||||
|
} else {
|
||||||
|
tokenFileLocation = conf.get(HADOOP_TOKEN_FILES);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if (tokenFileLocation != null) {
|
||||||
|
for (String tokenFileName:
|
||||||
|
StringUtils.getTrimmedStrings(tokenFileLocation)) {
|
||||||
|
if (tokenFileName.length() > 0) {
|
||||||
|
File tokenFile = new File(tokenFileName);
|
||||||
|
verifyFileIsValid(tokenFile, CAT_TOKEN, "token");
|
||||||
|
verify(tokenFile, conf, CAT_TOKEN, "token");
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Locate the {@code krb5.conf} file and dump it.
|
* Locate the {@code krb5.conf} file and dump it.
|
||||||
*
|
*
|
||||||
@ -928,6 +973,28 @@ private boolean verify(boolean condition,
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Verify that tokenFile contains valid Credentials.
|
||||||
|
*
|
||||||
|
* If not, an exception is raised, or, if {@link #nofail} is set,
|
||||||
|
* an error will be logged and the method return false.
|
||||||
|
*
|
||||||
|
*/
|
||||||
|
private boolean verify(File tokenFile, Configuration conf, String category,
|
||||||
|
String message) throws KerberosDiagsFailure {
|
||||||
|
try {
|
||||||
|
Credentials.readTokenStorageFile(tokenFile, conf);
|
||||||
|
} catch(Exception e) {
|
||||||
|
if (!nofail) {
|
||||||
|
fail(category, message);
|
||||||
|
} else {
|
||||||
|
error(category, message);
|
||||||
|
}
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Print a message as an error
|
* Print a message as an error
|
||||||
* @param category error category
|
* @param category error category
|
||||||
|
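Review bot: The new `verify(File tokenFile, Configuration conf, String category, String message)` overload catches `Exception` from `Credentials.readTokenStorageFile` and discards it, and the caller passes only `"token"` as the message, so the report never says which file failed or why. For a diagnostics tool that is exactly what the operator needs; if `fail`/`error` accept format arguments (their signatures are outside this view), something like `fail(category, "Token file %s could not be read: %s", tokenFile, e);` with the matching `error(...)` call would keep it. The Javadoc on `validateHadoopTokenFiles` also leaves all four `@throws` tags without a description. Because these files hold credentials, it may be worth reporting when a token file is readable by other users; whether `verifyFileIsValid` already checks that is not visible here.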
@ -34,6 +34,7 @@
|
|||||||
import java.io.File;
|
import java.io.File;
|
||||||
import java.util.Properties;
|
import java.util.Properties;
|
||||||
|
|
||||||
|
import static org.apache.hadoop.fs.CommonConfigurationKeysPublic.HADOOP_TOKEN_FILES;
|
||||||
import static org.apache.hadoop.fs.CommonConfigurationKeysPublic.HADOOP_SECURITY_AUTHENTICATION;
|
import static org.apache.hadoop.fs.CommonConfigurationKeysPublic.HADOOP_SECURITY_AUTHENTICATION;
|
||||||
import static org.apache.hadoop.security.KDiag.ARG_KEYLEN;
|
import static org.apache.hadoop.security.KDiag.ARG_KEYLEN;
|
||||||
import static org.apache.hadoop.security.KDiag.ARG_KEYTAB;
|
import static org.apache.hadoop.security.KDiag.ARG_KEYTAB;
|
||||||
@ -44,6 +45,7 @@
|
|||||||
import static org.apache.hadoop.security.KDiag.CAT_CONFIG;
|
import static org.apache.hadoop.security.KDiag.CAT_CONFIG;
|
||||||
import static org.apache.hadoop.security.KDiag.CAT_KERBEROS;
|
import static org.apache.hadoop.security.KDiag.CAT_KERBEROS;
|
||||||
import static org.apache.hadoop.security.KDiag.CAT_LOGIN;
|
import static org.apache.hadoop.security.KDiag.CAT_LOGIN;
|
||||||
|
import static org.apache.hadoop.security.KDiag.CAT_TOKEN;
|
||||||
import static org.apache.hadoop.security.KDiag.KerberosDiagsFailure;
|
import static org.apache.hadoop.security.KDiag.KerberosDiagsFailure;
|
||||||
import static org.apache.hadoop.security.KDiag.exec;
|
import static org.apache.hadoop.security.KDiag.exec;
|
||||||
|
|
||||||
@ -120,4 +122,10 @@ public void testKDiagUsage() throws Throwable {
|
|||||||
assertEquals(-1, kdiag("usage"));
|
assertEquals(-1, kdiag("usage"));
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
public void testTokenFile() throws Throwable {
|
||||||
|
conf.set(HADOOP_TOKEN_FILES, "SomeNonExistentFile");
|
||||||
|
kdiagFailure(CAT_TOKEN, ARG_KEYLEN, KEYLEN);
|
||||||
|
conf.unset(HADOOP_TOKEN_FILES);
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
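Review bot: In `testTokenFile`, `conf.unset(HADOOP_TOKEN_FILES)` is skipped when `kdiagFailure` throws, which would leave the bogus token path in `conf` for later tests if that object is shared (its declaration is outside this view). Wrapping the call as `try { kdiagFailure(CAT_TOKEN, ARG_KEYLEN, KEYLEN); } finally { conf.unset(HADOOP_TOKEN_FILES); }` avoids that. The test also covers only a missing file, so the `Credentials.readTokenStorageFile` path for a file that exists but does not parse, and the system-property override branch, are not exercised.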