HADOOP-7070. JAAS configuration should delegate unknown application names to pre-existing configuration. Contributed by Todd Lipcon
git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1055996 13f79535-47bb-0310-9956-ffa450edef68
parent
717579f3bd
commit
c9fb201099
@ -416,6 +416,9 @@ Release 0.22.0 - Unreleased
|
|||||||
HADOOP-7082. Configuration.writeXML should not hold lock while outputting
|
HADOOP-7082. Configuration.writeXML should not hold lock while outputting
|
||||||
(todd)
|
(todd)
|
||||||
|
|
||||||
|
HADOOP-7070. JAAS configuration should delegate unknown application names
|
||||||
|
to pre-existing configuration. (todd)
|
||||||
|
|
||||||
Release 0.21.1 - Unreleased
|
Release 0.21.1 - Unreleased
|
||||||
|
|
||||||
IMPROVEMENTS
|
IMPROVEMENTS
|
||||||
|
@ -245,8 +245,22 @@ private static synchronized void initUGI(Configuration conf) {
|
|||||||
// Set the configuration for JAAS to be the Hadoop configuration.
|
// Set the configuration for JAAS to be the Hadoop configuration.
|
||||||
// This is done here rather than a static initializer to avoid a
|
// This is done here rather than a static initializer to avoid a
|
||||||
// circular dependence.
|
// circular dependence.
|
||||||
javax.security.auth.login.Configuration.setConfiguration
|
javax.security.auth.login.Configuration existingConfig = null;
|
||||||
(new HadoopConfiguration());
|
try {
|
||||||
|
existingConfig =
|
||||||
|
javax.security.auth.login.Configuration.getConfiguration();
|
||||||
|
} catch (SecurityException se) {
|
||||||
|
// If no security configuration is on the classpath, then
|
||||||
|
// we catch this exception, and we don't need to delegate
|
||||||
|
// to anyone
|
||||||
|
}
|
||||||
|
|
||||||
|
if (existingConfig instanceof HadoopConfiguration) {
|
||||||
|
LOG.info("JAAS Configuration already set up for Hadoop, not re-installing.");
|
||||||
|
} else {
|
||||||
|
javax.security.auth.login.Configuration.setConfiguration(
|
||||||
|
new HadoopConfiguration(existingConfig));
|
||||||
|
}
|
||||||
|
|
||||||
isInitialized = true;
|
isInitialized = true;
|
||||||
UserGroupInformation.conf = conf;
|
UserGroupInformation.conf = conf;
|
||||||
@ -395,6 +409,12 @@ private static class HadoopConfiguration
|
|||||||
private static final AppConfigurationEntry[] KEYTAB_KERBEROS_CONF =
|
private static final AppConfigurationEntry[] KEYTAB_KERBEROS_CONF =
|
||||||
new AppConfigurationEntry[]{KEYTAB_KERBEROS_LOGIN, HADOOP_LOGIN};
|
new AppConfigurationEntry[]{KEYTAB_KERBEROS_LOGIN, HADOOP_LOGIN};
|
||||||
|
|
||||||
|
private final javax.security.auth.login.Configuration parent;
|
||||||
|
|
||||||
|
HadoopConfiguration(javax.security.auth.login.Configuration parent) {
|
||||||
|
this.parent = parent;
|
||||||
|
}
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
public AppConfigurationEntry[] getAppConfigurationEntry(String appName) {
|
public AppConfigurationEntry[] getAppConfigurationEntry(String appName) {
|
||||||
if (SIMPLE_CONFIG_NAME.equals(appName)) {
|
if (SIMPLE_CONFIG_NAME.equals(appName)) {
|
||||||
@ -405,6 +425,8 @@ public AppConfigurationEntry[] getAppConfigurationEntry(String appName) {
|
|||||||
KEYTAB_KERBEROS_OPTIONS.put("keyTab", keytabFile);
|
KEYTAB_KERBEROS_OPTIONS.put("keyTab", keytabFile);
|
||||||
KEYTAB_KERBEROS_OPTIONS.put("principal", keytabPrincipal);
|
KEYTAB_KERBEROS_OPTIONS.put("principal", keytabPrincipal);
|
||||||
return KEYTAB_KERBEROS_CONF;
|
return KEYTAB_KERBEROS_CONF;
|
||||||
|
} else if (parent != null) {
|
||||||
|
return parent.getAppConfigurationEntry(appName);
|
||||||
}
|
}
|
||||||
return null;
|
return null;
|
||||||
}
|
}
|
||||||
|
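Review bot: The empty `catch (SecurityException se)` around `Configuration.getConfiguration()` in initUGI hides the reason delegation was skipped. The JDK raises SecurityException there both when no login configuration can be loaded and when the caller lacks permission to read it, so a process that expected its existing JAAS entries to be preserved gets no trace when they are not. Log it inside the catch, for example `LOG.debug("No pre-existing JAAS configuration to delegate to", se);`. The new `parent` field would also benefit from a comment stating that it may be null and that Hadoop's own application names are matched before it is consulted. Both initUGI and getAppConfigurationEntry continue outside the hunks shown.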
@ -21,6 +21,7 @@
|
|||||||
import static org.junit.Assert.assertFalse;
|
import static org.junit.Assert.assertFalse;
|
||||||
import static org.junit.Assert.assertTrue;
|
import static org.junit.Assert.assertTrue;
|
||||||
import static org.junit.Assert.fail;
|
import static org.junit.Assert.fail;
|
||||||
|
import org.mockito.Mockito;
|
||||||
import static org.mockito.Mockito.mock;
|
import static org.mockito.Mockito.mock;
|
||||||
|
|
||||||
import java.io.BufferedReader;
|
import java.io.BufferedReader;
|
||||||
@ -31,6 +32,7 @@
|
|||||||
import java.util.Collection;
|
import java.util.Collection;
|
||||||
import java.util.List;
|
import java.util.List;
|
||||||
|
|
||||||
|
import javax.security.auth.login.AppConfigurationEntry;
|
||||||
import javax.security.auth.login.LoginContext;
|
import javax.security.auth.login.LoginContext;
|
||||||
|
|
||||||
import junit.framework.Assert;
|
import junit.framework.Assert;
|
||||||
@ -49,7 +51,11 @@ public class TestUserGroupInformation {
|
|||||||
final private static String[] GROUP_NAMES =
|
final private static String[] GROUP_NAMES =
|
||||||
new String[]{GROUP1_NAME, GROUP2_NAME, GROUP3_NAME};
|
new String[]{GROUP1_NAME, GROUP2_NAME, GROUP3_NAME};
|
||||||
|
|
||||||
|
private static javax.security.auth.login.Configuration mockJaasConf;
|
||||||
|
|
||||||
static {
|
static {
|
||||||
|
setupMockJaasParent();
|
||||||
|
|
||||||
Configuration conf = new Configuration();
|
Configuration conf = new Configuration();
|
||||||
conf.set("hadoop.security.auth_to_local",
|
conf.set("hadoop.security.auth_to_local",
|
||||||
"RULE:[2:$1@$0](.*@HADOOP.APACHE.ORG)s/@.*//" +
|
"RULE:[2:$1@$0](.*@HADOOP.APACHE.ORG)s/@.*//" +
|
||||||
@ -346,4 +352,35 @@ public static void verifyLoginMetrics(int success, int failure)
|
|||||||
assertTrue(metrics.loginFailure.getPreviousIntervalAverageTime() > 0);
|
assertTrue(metrics.loginFailure.getPreviousIntervalAverageTime() > 0);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Setup a JAAS Configuration that handles a fake app.
|
||||||
|
* This runs before UserGroupInformation has been initialized,
|
||||||
|
* so UGI picks up this Configuration as the parent.
|
||||||
|
*/
|
||||||
|
private static void setupMockJaasParent() {
|
||||||
|
javax.security.auth.login.Configuration existing = null;
|
||||||
|
try {
|
||||||
|
existing =javax.security.auth.login.Configuration.getConfiguration();
|
||||||
|
assertFalse("setupMockJaasParent should run before the Hadoop " +
|
||||||
|
"configuration provider is installed.",
|
||||||
|
existing.getClass().getCanonicalName()
|
||||||
|
.startsWith("org.apache.hadoop"));
|
||||||
|
} catch (SecurityException se) {
|
||||||
|
// We get this if no configuration has been set. So it's OK.
|
||||||
|
}
|
||||||
|
|
||||||
|
mockJaasConf = mock(javax.security.auth.login.Configuration.class);
|
||||||
|
Mockito.doReturn(new AppConfigurationEntry[] {})
|
||||||
|
.when(mockJaasConf)
|
||||||
|
.getAppConfigurationEntry("foobar-app");
|
||||||
|
javax.security.auth.login.Configuration.setConfiguration(mockJaasConf);
|
||||||
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
public void testDelegateJaasConfiguration() throws Exception {
|
||||||
|
// This will throw if the Configuration doesn't have any entries
|
||||||
|
// for "foobar"
|
||||||
|
LoginContext login = new LoginContext("foobar-app");
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
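Review bot: testDelegateJaasConfiguration passes as long as any installed Configuration answers for "foobar-app", so it does not show that the lookup went through Hadoop's wrapper to the parent. If UserGroupInformation had not been initialized by the time the test runs, the mock installed by setupMockJaasParent would still be the JVM-wide configuration and the LoginContext constructor would succeed with no delegation at all. Add `Assert.assertNotSame(mockJaasConf, javax.security.auth.login.Configuration.getConfiguration());` before constructing the LoginContext and `Mockito.verify(mockJaasConf).getAppConfigurationEntry("foobar-app");` after it. The mock also stays installed process-wide and is never restored, which may affect other tests sharing the JVM, and the test comment says "foobar" where the name used is "foobar-app". The static initializer continues outside the hunk, so whether it initializes UGI is not visible here.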