From c4733377d0fa375a8d585f5cb1db79bf20ec6710 Mon Sep 17 00:00:00 2001 From: Takanobu Asanuma Date: Tue, 10 Dec 2019 16:03:32 +0900 Subject: [PATCH] HDFS-15040. RBF: Secured Router should not run when SecretManager is not running. (#1745) --- .../security/RouterSecurityManager.java | 2 +- .../security/MockNotRunningSecretManager.java | 44 +++++++++++++++++++ .../security/TestRouterSecurityManager.java | 10 +++++ 3 files changed, 55 insertions(+), 1 deletion(-) create mode 100644 hadoop-hdfs-project/hadoop-hdfs-rbf/src/test/java/org/apache/hadoop/hdfs/server/federation/security/MockNotRunningSecretManager.java diff --git a/hadoop-hdfs-project/hadoop-hdfs-rbf/src/main/java/org/apache/hadoop/hdfs/server/federation/router/security/RouterSecurityManager.java b/hadoop-hdfs-project/hadoop-hdfs-rbf/src/main/java/org/apache/hadoop/hdfs/server/federation/router/security/RouterSecurityManager.java index 215d5d53e2..8e7a34381c 100644 --- a/hadoop-hdfs-project/hadoop-hdfs-rbf/src/main/java/org/apache/hadoop/hdfs/server/federation/router/security/RouterSecurityManager.java +++ b/hadoop-hdfs-project/hadoop-hdfs-rbf/src/main/java/org/apache/hadoop/hdfs/server/federation/router/security/RouterSecurityManager.java @@ -58,7 +58,7 @@ public RouterSecurityManager(Configuration conf) throws IOException { AuthenticationMethod.KERBEROS; if (authMethodConfigured.equals(authMethodToInit)) { this.dtSecretManager = FederationUtil.newSecretManager(conf); - if (this.dtSecretManager == null) { + if (this.dtSecretManager == null || !this.dtSecretManager.isRunning()) { throw new IOException("Failed to create SecretManager"); } } diff --git a/hadoop-hdfs-project/hadoop-hdfs-rbf/src/test/java/org/apache/hadoop/hdfs/server/federation/security/MockNotRunningSecretManager.java b/hadoop-hdfs-project/hadoop-hdfs-rbf/src/test/java/org/apache/hadoop/hdfs/server/federation/security/MockNotRunningSecretManager.java new file mode 100644 index 0000000000..891f61bd2a --- /dev/null +++ b/hadoop-hdfs-project/hadoop-hdfs-rbf/src/test/java/org/apache/hadoop/hdfs/server/federation/security/MockNotRunningSecretManager.java @@ -0,0 +1,44 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.hadoop.hdfs.server.federation.security; + +import org.apache.hadoop.conf.Configuration; +import org.apache.hadoop.hdfs.security.token.delegation.DelegationTokenIdentifier; +import org.apache.hadoop.security.token.delegation.AbstractDelegationTokenSecretManager; + +import java.io.IOException; + +/** + * Mock functionality of AbstractDelegationTokenSecretManager. + * Test case that SecretManager is not running. + */ +public class MockNotRunningSecretManager + extends AbstractDelegationTokenSecretManager { + + public MockNotRunningSecretManager(Configuration conf) + throws IOException { + super(100000, 100000, 100000, 100000); + // It doesn't execute startThreads() to keep the running status false. + } + + @Override + public DelegationTokenIdentifier createIdentifier() { + return new DelegationTokenIdentifier(); + } +} diff --git a/hadoop-hdfs-project/hadoop-hdfs-rbf/src/test/java/org/apache/hadoop/hdfs/server/federation/security/TestRouterSecurityManager.java b/hadoop-hdfs-project/hadoop-hdfs-rbf/src/test/java/org/apache/hadoop/hdfs/server/federation/security/TestRouterSecurityManager.java index 05f371c2e2..b88fd147ac 100644 --- a/hadoop-hdfs-project/hadoop-hdfs-rbf/src/test/java/org/apache/hadoop/hdfs/server/federation/security/TestRouterSecurityManager.java +++ b/hadoop-hdfs-project/hadoop-hdfs-rbf/src/test/java/org/apache/hadoop/hdfs/server/federation/security/TestRouterSecurityManager.java @@ -201,4 +201,14 @@ public void testWithoutSecretManager() throws Exception { intercept(ServiceStateException.class, "Failed to create SecretManager", () -> router.init(conf)); } + + @Test + public void testNotRunningSecretManager() throws Exception { + Configuration conf = initSecurity(); + conf.set(DFS_ROUTER_DELEGATION_TOKEN_DRIVER_CLASS, + MockNotRunningSecretManager.class.getName()); + Router router = new Router(); + intercept(ServiceStateException.class, "Failed to create SecretManager", + () -> router.init(conf)); + } }