HADOOP-7070. JAAS configuration should delegate unknown application names to pre-existing configuration. Contributed by Todd Lipcon

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1055996 13f79535-47bb-0310-9956-ffa450edef68
Todd Lipcon 2011-01-06 18:33:24 +00:00
parent 717579f3bd
commit c9fb201099
3 changed files with 65 additions and 3 deletions


@ -416,6 +416,9 @@ Release 0.22.0 - Unreleased
HADOOP-7082. Configuration.writeXML should not hold lock while outputting HADOOP-7082. Configuration.writeXML should not hold lock while outputting
(todd) (todd)
HADOOP-7070. JAAS configuration should delegate unknown application names
to pre-existing configuration. (todd)
Release 0.21.1 - Unreleased Release 0.21.1 - Unreleased
IMPROVEMENTS IMPROVEMENTS


@ -245,8 +245,22 @@ private static synchronized void initUGI(Configuration conf) {
// Set the configuration for JAAS to be the Hadoop configuration. // Set the configuration for JAAS to be the Hadoop configuration.
// This is done here rather than a static initializer to avoid a // This is done here rather than a static initializer to avoid a
// circular dependence. // circular dependence.
javax.security.auth.login.Configuration.setConfiguration javax.security.auth.login.Configuration existingConfig = null;
(new HadoopConfiguration()); try {
existingConfig =
javax.security.auth.login.Configuration.getConfiguration();
} catch (SecurityException se) {
// If no security configuration is on the classpath, then
// we catch this exception, and we don't need to delegate
// to anyone
}
if (existingConfig instanceof HadoopConfiguration) {
LOG.info("JAAS Configuration already set up for Hadoop, not re-installing.");
} else {
javax.security.auth.login.Configuration.setConfiguration(
new HadoopConfiguration(existingConfig));
}
isInitialized = true; isInitialized = true;
UserGroupInformation.conf = conf; UserGroupInformation.conf = conf;
@ -395,6 +409,12 @@ private static class HadoopConfiguration
private static final AppConfigurationEntry[] KEYTAB_KERBEROS_CONF = private static final AppConfigurationEntry[] KEYTAB_KERBEROS_CONF =
new AppConfigurationEntry[]{KEYTAB_KERBEROS_LOGIN, HADOOP_LOGIN}; new AppConfigurationEntry[]{KEYTAB_KERBEROS_LOGIN, HADOOP_LOGIN};
private final javax.security.auth.login.Configuration parent;
HadoopConfiguration(javax.security.auth.login.Configuration parent) {
this.parent = parent;
}
@Override @Override
public AppConfigurationEntry[] getAppConfigurationEntry(String appName) { public AppConfigurationEntry[] getAppConfigurationEntry(String appName) {
if (SIMPLE_CONFIG_NAME.equals(appName)) { if (SIMPLE_CONFIG_NAME.equals(appName)) {
@ -405,6 +425,8 @@ public AppConfigurationEntry[] getAppConfigurationEntry(String appName) {
KEYTAB_KERBEROS_OPTIONS.put("keyTab", keytabFile); KEYTAB_KERBEROS_OPTIONS.put("keyTab", keytabFile);
KEYTAB_KERBEROS_OPTIONS.put("principal", keytabPrincipal); KEYTAB_KERBEROS_OPTIONS.put("principal", keytabPrincipal);
return KEYTAB_KERBEROS_CONF; return KEYTAB_KERBEROS_CONF;
} else if (parent != null) {
return parent.getAppConfigurationEntry(appName);
} }
return null; return null;
} }
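Review bot: The empty `catch (SecurityException se)` added to initUGI in the first hunk treats every failure of `getConfiguration()` as "nothing to delegate to", but that call also throws SecurityException when the caller is not permitted to read the login configuration and, as far as I know for the default provider, when the configured login file cannot be loaded. In those cases `existingConfig` stays null, a parentless `HadoopConfiguration` is installed, and later lookups for non-Hadoop application names return null with no trace of why. Recording the cause would make that diagnosable, for example `LOG.debug("No usable pre-existing JAAS configuration; not delegating", se);` inside the catch. initUGI starts before and continues after this hunk, so this rests on the visible lines only.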


@ -21,6 +21,7 @@
import static org.junit.Assert.assertFalse; import static org.junit.Assert.assertFalse;
import static org.junit.Assert.assertTrue; import static org.junit.Assert.assertTrue;
import static org.junit.Assert.fail; import static org.junit.Assert.fail;
import org.mockito.Mockito;
import static org.mockito.Mockito.mock; import static org.mockito.Mockito.mock;
import java.io.BufferedReader; import java.io.BufferedReader;
@ -31,6 +32,7 @@
import java.util.Collection; import java.util.Collection;
import java.util.List; import java.util.List;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.LoginContext; import javax.security.auth.login.LoginContext;
import junit.framework.Assert; import junit.framework.Assert;
@ -49,7 +51,11 @@ public class TestUserGroupInformation {
final private static String[] GROUP_NAMES = final private static String[] GROUP_NAMES =
new String[]{GROUP1_NAME, GROUP2_NAME, GROUP3_NAME}; new String[]{GROUP1_NAME, GROUP2_NAME, GROUP3_NAME};
private static javax.security.auth.login.Configuration mockJaasConf;
static { static {
setupMockJaasParent();
Configuration conf = new Configuration(); Configuration conf = new Configuration();
conf.set("hadoop.security.auth_to_local", conf.set("hadoop.security.auth_to_local",
"RULE:[2:$1@$0](.*@HADOOP.APACHE.ORG)s/@.*//" + "RULE:[2:$1@$0](.*@HADOOP.APACHE.ORG)s/@.*//" +
@ -346,4 +352,35 @@ public static void verifyLoginMetrics(int success, int failure)
assertTrue(metrics.loginFailure.getPreviousIntervalAverageTime() > 0); assertTrue(metrics.loginFailure.getPreviousIntervalAverageTime() > 0);
} }
} }
/**
* Setup a JAAS Configuration that handles a fake app.
* This runs before UserGroupInformation has been initialized,
* so UGI picks up this Configuration as the parent.
*/
private static void setupMockJaasParent() {
javax.security.auth.login.Configuration existing = null;
try {
existing =javax.security.auth.login.Configuration.getConfiguration();
assertFalse("setupMockJaasParent should run before the Hadoop " +
"configuration provider is installed.",
existing.getClass().getCanonicalName()
.startsWith("org.apache.hadoop"));
} catch (SecurityException se) {
// We get this if no configuration has been set. So it's OK.
}
mockJaasConf = mock(javax.security.auth.login.Configuration.class);
Mockito.doReturn(new AppConfigurationEntry[] {})
.when(mockJaasConf)
.getAppConfigurationEntry("foobar-app");
javax.security.auth.login.Configuration.setConfiguration(mockJaasConf);
}
@Test
public void testDelegateJaasConfiguration() throws Exception {
// This will throw if the Configuration doesn't have any entries
// for "foobar"
LoginContext login = new LoginContext("foobar-app");
}
} }
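Review bot: testDelegateJaasConfiguration does not show that the lookup went through Hadoop's configuration: setupMockJaasParent installs the mock as the JVM-wide JAAS Configuration, so `new LoginContext("foobar-app")` would succeed even if UserGroupInformation never wrapped it. Asserting both halves would pin the behaviour, e.g. `assertTrue(javax.security.auth.login.Configuration.getConfiguration() != mockJaasConf);` followed by `Mockito.verify(mockJaasConf).getAppConfigurationEntry("foobar-app");`. The mock also stays installed after the class runs, which may affect other tests sharing the JVM. The static initializer continues outside the hunk, so that UGI is initialised there is assumed from the Javadoc on setupMockJaasParent.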