HADOOP-7930. Kerberos relogin interval in UserGroupInformation should be configurable. Contributed by Robert Kanter. (harsh)
git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1389783 13f79535-47bb-0310-9956-ffa450edef68
parent
44ae25a4e8
commit
d50e06d9e0
@ -108,6 +108,9 @@ Trunk (Unreleased)
|
||||
NullPointerException if the serializations list is empty.
|
||||
(Sho Shimauchi via harsh)
|
||||
|
||||
HADOOP-7930. Kerberos relogin interval in UserGroupInformation
|
||||
should be configurable (Robert Kanter via harsh)
|
||||
|
||||
BUG FIXES
|
||||
|
||||
HADOOP-8177. MBeans shouldn't try to register when it fails to create MBeanName.
|
||||
|
@ -242,5 +242,11 @@ public class CommonConfigurationKeysPublic {
|
||||
public static final String HADOOP_SSL_ENABLED_KEY = "hadoop.ssl.enabled";
|
||||
public static final boolean HADOOP_SSL_ENABLED_DEFAULT = false;
|
||||
|
||||
/** See <a href="{@docRoot}/../core-default.html">core-default.xml</a> */
|
||||
public static final String HADOOP_KERBEROS_MIN_SECONDS_BEFORE_RELOGIN =
|
||||
"hadoop.kerberos.min.seconds.before.relogin";
|
||||
/** Default value for HADOOP_KERBEROS_MIN_SECONDS_BEFORE_RELOGIN */
|
||||
public static final int HADOOP_KERBEROS_MIN_SECONDS_BEFORE_RELOGIN_DEFAULT =
|
||||
60;
|
||||
}
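Review bot: The Javadoc on the new key only links to core-default.xml and does not say what the value means, so the unit has to be guessed from the name. State it on the constant itself, e.g. `/** Minimum number of seconds between Kerberos relogin attempts. */`. The name also drops the `_KEY` suffix that the neighbouring `HADOOP_SSL_ENABLED_KEY` carries in this hunk, which makes the key and its `_DEFAULT` harder to tell apart at call sites; `HADOOP_KERBEROS_MIN_SECONDS_BEFORE_RELOGIN_KEY` would match the visible convention.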
|
||||
|
||||
|
@ -18,6 +18,8 @@
|
||||
package org.apache.hadoop.security;
|
||||
|
||||
import static org.apache.hadoop.fs.CommonConfigurationKeys.HADOOP_SECURITY_AUTHENTICATION;
|
||||
import static org.apache.hadoop.fs.CommonConfigurationKeys.HADOOP_KERBEROS_MIN_SECONDS_BEFORE_RELOGIN;
|
||||
import static org.apache.hadoop.fs.CommonConfigurationKeys.HADOOP_KERBEROS_MIN_SECONDS_BEFORE_RELOGIN_DEFAULT;
|
||||
|
||||
import java.io.IOException;
|
||||
import java.lang.reflect.UndeclaredThrowableException;
|
||||
@ -192,13 +194,12 @@ public boolean logout() throws LoginException {
|
||||
private static boolean useKerberos;
|
||||
/** Server-side groups fetching service */
|
||||
private static Groups groups;
|
||||
/** Min time (in seconds) before relogin for Kerberos */
|
||||
private static long kerberosMinSecondsBeforeRelogin;
|
||||
/** The configuration to use */
|
||||
private static Configuration conf;
|
||||
|
||||
|
||||
/** Leave 10 minutes between relogin attempts. */
|
||||
private static final long MIN_TIME_BEFORE_RELOGIN = 10 * 60 * 1000L;
|
||||
|
||||
/**Environment variable pointing to the token cache file*/
|
||||
public static final String HADOOP_TOKEN_FILE_LOCATION =
|
||||
"HADOOP_TOKEN_FILE_LOCATION";
|
||||
@ -245,6 +246,16 @@ private static synchronized void initUGI(Configuration conf) {
|
||||
HADOOP_SECURITY_AUTHENTICATION +
|
||||
" of " + value);
|
||||
}
|
||||
try {
|
||||
kerberosMinSecondsBeforeRelogin = 1000L * conf.getLong(
|
||||
HADOOP_KERBEROS_MIN_SECONDS_BEFORE_RELOGIN,
|
||||
HADOOP_KERBEROS_MIN_SECONDS_BEFORE_RELOGIN_DEFAULT);
|
||||
}
|
||||
catch(NumberFormatException nfe) {
|
||||
throw new IllegalArgumentException("Invalid attribute value for " +
|
||||
HADOOP_KERBEROS_MIN_SECONDS_BEFORE_RELOGIN + " of " +
|
||||
conf.get(HADOOP_KERBEROS_MIN_SECONDS_BEFORE_RELOGIN));
|
||||
}
|
||||
// If we haven't set up testing groups, use the configuration to find it
|
||||
if (!(groups instanceof TestingGroups)) {
|
||||
groups = Groups.getUserToGroupsMappingService(conf);
|
||||
@ -729,7 +740,7 @@ public void run() {
|
||||
return;
|
||||
}
|
||||
nextRefresh = Math.max(getRefreshTime(tgt),
|
||||
now + MIN_TIME_BEFORE_RELOGIN);
|
||||
now + kerberosMinSecondsBeforeRelogin);
|
||||
} catch (InterruptedException ie) {
|
||||
LOG.warn("Terminating renewal thread");
|
||||
return;
|
||||
@ -964,10 +975,10 @@ static UserGroupInformation loginUserFromKeytabAndReturnUGI(String user,
|
||||
}
|
||||
|
||||
private boolean hasSufficientTimeElapsed(long now) {
|
||||
if (now - user.getLastLogin() < MIN_TIME_BEFORE_RELOGIN ) {
|
||||
if (now - user.getLastLogin() < kerberosMinSecondsBeforeRelogin ) {
|
||||
LOG.warn("Not attempting to re-login since the last re-login was " +
|
||||
"attempted less than " + (MIN_TIME_BEFORE_RELOGIN/1000) + " seconds"+
|
||||
" before.");
|
||||
"attempted less than " + (kerberosMinSecondsBeforeRelogin/1000) +
|
||||
" seconds before.");
|
||||
return false;
|
||||
}
|
||||
return true;
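Review bot: The value read in initUGI is multiplied by 1000 and stored with no range check, so a negative `hadoop.kerberos.min.seconds.before.relogin` makes the comparison in hasSufficientTimeElapsed always pass and removes the floor on `nextRefresh` in the renewal thread, and a very large value overflows the `1000L *` product. Read the setting into a local first and reject bad input before assigning, e.g. `if (seconds < 0 || seconds > Long.MAX_VALUE / 1000) throw new IllegalArgumentException(...)`; whether zero should be allowed as "no throttle" is a decision to make and document. The field also holds milliseconds while its name and Javadoc say seconds; at minimum the comment should read `/** Min time (in milliseconds) between Kerberos relogin attempts; configured in seconds */`. Both initUGI and hasSufficientTimeElapsed continue outside the visible hunks.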
|
||||
|
@ -250,6 +250,14 @@
|
||||
</description>
|
||||
</property>
|
||||
|
||||
<property>
|
||||
<name>hadoop.kerberos.min.seconds.before.relogin</name>
|
||||
<value>60</value>
|
||||
<description>The minimum time between relogin attempts for Kerberos, in
|
||||
seconds.
|
||||
</description>
|
||||
</property>
|
||||
|
||||
<property>
|
||||
<name>hadoop.security.auth_to_local</name>
|
||||
<value></value>
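Review bot: The description does not say that this 60-second default replaces a fixed 10-minute interval (the `MIN_TIME_BEFORE_RELOGIN = 10 * 60 * 1000L` constant in UserGroupInformation appears to be removed by this commit), so clusters that upgrade get a ten times shorter relogin throttle without changing any setting. Say so in the description and name the trade-off, for example `Lower values allow faster recovery after a failed login but let clients contact the KDC more often.` If the old behaviour is meant to stay the default, this value and HADOOP_KERBEROS_MIN_SECONDS_BEFORE_RELOGIN_DEFAULT would both need to be 600.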
|
||||
|
@ -24,6 +24,7 @@
|
||||
import java.io.BufferedReader;
|
||||
import java.io.IOException;
|
||||
import java.io.InputStreamReader;
|
||||
import java.lang.reflect.Method;
|
||||
import java.security.PrivilegedExceptionAction;
|
||||
import java.util.Collection;
|
||||
import java.util.LinkedHashSet;
|
||||
@ -49,6 +50,7 @@ public class TestUserGroupInformation {
|
||||
final private static String GROUP3_NAME = "group3";
|
||||
final private static String[] GROUP_NAMES =
|
||||
new String[]{GROUP1_NAME, GROUP2_NAME, GROUP3_NAME};
|
||||
private static Configuration conf;
|
||||
|
||||
/**
|
||||
* UGI should not use the default security conf, else it will collide
|
||||
@ -68,7 +70,7 @@ public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
|
||||
/** configure ugi */
|
||||
@BeforeClass
|
||||
public static void setup() {
|
||||
Configuration conf = new Configuration();
|
||||
conf = new Configuration();
|
||||
conf.set(CommonConfigurationKeysPublic.HADOOP_SECURITY_AUTH_TO_LOCAL,
|
||||
"RULE:[2:$1@$0](.*@HADOOP.APACHE.ORG)s/@.*//" +
|
||||
"RULE:[1:$1@$0](.*@HADOOP.APACHE.ORG)s/@.*//"
|
||||
@ -537,4 +539,39 @@ public Void run() throws IOException {
|
||||
}
|
||||
});
|
||||
}
|
||||
|
||||
/** Test hasSufficientTimeElapsed method */
|
||||
@Test
|
||||
public void testHasSufficientTimeElapsed() throws Exception {
|
||||
// Make hasSufficientTimeElapsed public
|
||||
Method method = UserGroupInformation.class
|
||||
.getDeclaredMethod("hasSufficientTimeElapsed", long.class);
|
||||
method.setAccessible(true);
|
||||
|
||||
UserGroupInformation ugi = UserGroupInformation.getCurrentUser();
|
||||
User user = ugi.getSubject().getPrincipals(User.class).iterator().next();
|
||||
long now = System.currentTimeMillis();
|
||||
|
||||
// Using default relogin time (1 minute)
|
||||
user.setLastLogin(now - 2 * 60 * 1000); // 2 minutes before "now"
|
||||
assertTrue((Boolean)method.invoke(ugi, now));
|
||||
user.setLastLogin(now - 30 * 1000); // 30 seconds before "now"
|
||||
assertFalse((Boolean)method.invoke(ugi, now));
|
||||
|
||||
// Using relogin time of 10 minutes
|
||||
Configuration conf2 = new Configuration(conf);
|
||||
conf2.setLong(
|
||||
CommonConfigurationKeysPublic.HADOOP_KERBEROS_MIN_SECONDS_BEFORE_RELOGIN,
|
||||
10 * 60);
|
||||
UserGroupInformation.setConfiguration(conf2);
|
||||
user.setLastLogin(now - 15 * 60 * 1000); // 15 minutes before "now"
|
||||
assertTrue((Boolean)method.invoke(ugi, now));
|
||||
user.setLastLogin(now - 6 * 60 * 1000); // 6 minutes before "now"
|
||||
assertFalse((Boolean)method.invoke(ugi, now));
|
||||
// Restore original conf to UGI
|
||||
UserGroupInformation.setConfiguration(conf);
|
||||
|
||||
// Restore hasSufficientTimElapsed back to private
|
||||
method.setAccessible(false);
|
||||
}
|
||||
}
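Review bot: testHasSufficientTimeElapsed changes the process-wide UGI configuration with `UserGroupInformation.setConfiguration(conf2)` and restores it only if every assertion passes, so one failing assert leaves later tests running with the 10-minute interval. Put the restore in a finally block: `try { ... } finally { UserGroupInformation.setConfiguration(conf); }`. The test also covers only valid values; a case that sets the key to a non-numeric string and expects the IllegalArgumentException thrown in initUGI would pin the new error path. The closing `method.setAccessible(false)` can be dropped, since the Method object is local to the test.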
|
||||
|