From c6ba793b65014306ec1ff40c61938399412e72c1 Mon Sep 17 00:00:00 2001
From: Kihwal Lee
Date: Thu, 8 Aug 2013 15:03:12 +0000
Subject: [PATCH] HADOOP-9850. RPC kerberos errors don't trigger relogin. Contributed by Daryn Sharp.
git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1511823 13f79535-47bb-0310-9956-ffa450edef68
---
 .../hadoop-common/CHANGES.txt | 2 ++
 .../java/org/apache/hadoop/ipc/Client.java | 1 +
 .../apache/hadoop/security/SaslRpcClient.java | 19 +++++++++++++++++--
 3 files changed, 20 insertions(+), 2 deletions(-)
diff --git a/hadoop-common-project/hadoop-common/CHANGES.txt b/hadoop-common-project/hadoop-common/CHANGES.txt
index 432019d2d1..93ff4dbca9 100644
--- a/hadoop-common-project/hadoop-common/CHANGES.txt
+++ b/hadoop-common-project/hadoop-common/CHANGES.txt
@@ -699,6 +699,8 @@ Release 2.1.0-beta - 2013-08-06
 HADOOP-9816. RPC Sasl QOP is broken (daryn)
+ HADOOP-9850. RPC kerberos errors don't trigger relogin. (daryn via kihwal)
+
 BREAKDOWN OF HADOOP-8562 SUBTASKS AND RELATED JIRAS
 HADOOP-8924. Hadoop Common creating package-info.java must not depend on
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/ipc/Client.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/ipc/Client.java
index 45e5535aeb..7f94bb4148 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/ipc/Client.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/ipc/Client.java
@@ -713,6 +713,7 @@ public AuthMethod run()
 }
 });
 } catch (Exception ex) {
+ authMethod = saslRpcClient.getAuthMethod();
 if (rand == null) {
 rand = new Random();
 }
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/SaslRpcClient.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/SaslRpcClient.java
index a6fcd97d72..da8d474b5b 100644
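Review bot: The added `authMethod = saslRpcClient.getAuthMethod();` in the catch block can replace the local with `null` when the exception was thrown before `saslConnect` assigned the field — the getter just returns the field, which SaslRpcClient declares without an initializer and only sets inside `saslConnect` — so the relogin decision that follows this catch would then see no auth method at all. I would guard the overwrite: `AuthMethod attempted = saslRpcClient.getAuthMethod();` followed by `if (attempted != null) { authMethod = attempted; }`. If `saslRpcClient` itself can still be unset on this path (not determinable from the hunk), the call would also mask the original `ex` with a NullPointerException and deserves the same guard. The enclosing method begins and ends outside this hunk.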
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/SaslRpcClient.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/SaslRpcClient.java
@@ -83,6 +83,7 @@ public class SaslRpcClient {
 private final Configuration conf;
 private SaslClient saslClient;
+ private AuthMethod authMethod;
 private static final RpcRequestHeaderProto saslHeader = ProtoUtil
 .makeRpcRequestHeader(RpcKind.RPC_PROTOCOL_BUFFER,
@@ -113,6 +114,18 @@ public Object getNegotiatedProperty(String key) {
 return (saslClient != null) ? saslClient.getNegotiatedProperty(key) : null;
 }
+
+ // the RPC Client has an inelegant way of handling expiration of TGTs
+ // acquired via a keytab. any connection failure causes a relogin, so
+ // the Client needs to know what authMethod was being attempted if an
+ // exception occurs. the SASL prep for a kerberos connection should
+ // ideally relogin if necessary instead of exposing this detail to the
+ // Client
+ @InterfaceAudience.Private
+ public AuthMethod getAuthMethod() {
+ return authMethod;
+ }
+
 /**
 * Instantiate a sasl client for the first supported auth type in the
 * given list. The auth type must be defined, enabled, and the user
@@ -319,8 +332,9 @@ public AuthMethod saslConnect(InputStream inS, OutputStream outS)
 DataOutputStream outStream = new DataOutputStream(new BufferedOutputStream(
 outS));
- // redefined if/when a SASL negotiation completes
- AuthMethod authMethod = AuthMethod.SIMPLE;
+ // redefined if/when a SASL negotiation starts, can be queried if the
+ // negotiation fails
+ authMethod = AuthMethod.SIMPLE;
 sendSaslMessage(outStream, negotiateRequest);
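Review bot: `getAuthMethod()` is a public method (audience-private or not) that carries only an implementation comment and no Javadoc, and the comment does not say what is returned before `saslConnect` has run: the field added in the `@@ -83` hunk has no initializer and is assigned only inside `saslConnect`, so the getter returns `null` until then. I would add `/** Returns the auth method most recently attempted by saslConnect, so the caller can decide whether a failure warrants a relogin; null if saslConnect has not been called on this instance. */` above the annotation and keep the existing paragraph as the why-note. Since the field is reset to SIMPLE at the start of every negotiation, the Javadoc should also say the value is only meaningful for the last `saslConnect` call on this instance.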
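Review bot: Replacing the local `AuthMethod authMethod` with the instance field turns per-call negotiation state into shared mutable state on `SaslRpcClient`, and nothing in the hunk states how concurrent or repeated `saslConnect` calls on one instance are expected to behave; if a second call can begin while another is still in flight (not determinable here), the `authMethod = AuthMethod.SIMPLE;` reset would clobber the value the first caller later reads through `getAuthMethod()`. The new comment should record the assumption, e.g. `// instance field, not a local: Client reads it via getAuthMethod() after a failure; assumes one saslConnect in flight per instance`. The same field is written again in the `@@ -357` hunk, and `saslConnect` continues outside both hunks.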
@@ -357,6 +371,7 @@ public AuthMethod saslConnect(InputStream inS, OutputStream outS)
 case NEGOTIATE: {
 // create a compatible SASL client, throws if no supported auths
 SaslAuth saslAuthType = selectSaslClient(saslMessage.getAuthsList());
+ // define auth being attempted, caller can query if connect fails
 authMethod = AuthMethod.valueOf(saslAuthType.getMethod());
 byte[] responseToken = null;