From e2c18809d313f73fe476f6fa9e2753cb7d46947a Mon Sep 17 00:00:00 2001 From: Jason Darrell Lowe Date: Thu, 8 May 2014 21:22:26 +0000 Subject: [PATCH] MAPREDUCE-5884. History server uses short user name when canceling tokens. Contributed by Mohammad Kamrul Islam git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1593422 13f79535-47bb-0310-9956-ffa450edef68 --- hadoop-mapreduce-project/CHANGES.txt | 3 +++ .../mapreduce/v2/hs/HistoryClientService.java | 2 +- .../TestJHSDelegationTokenSecretManager.java | 20 +++++++++++++++++++ .../mapreduce/security/TestJHSSecurity.java | 5 +++++ 4 files changed, 29 insertions(+), 1 deletion(-) diff --git a/hadoop-mapreduce-project/CHANGES.txt b/hadoop-mapreduce-project/CHANGES.txt index b4d0ac927c..3846ab1c66 100644 --- a/hadoop-mapreduce-project/CHANGES.txt +++ b/hadoop-mapreduce-project/CHANGES.txt @@ -213,6 +213,9 @@ Release 2.5.0 - UNRELEASED MAPREDUCE-5749. TestRMContainerAllocator#testReportedAppProgress Failed (jlowe) + MAPREDUCE-5884. History server uses short user name when canceling tokens + (Mohammad Kamrul Islam via jlowe) + Release 2.4.1 - UNRELEASED INCOMPATIBLE CHANGES diff --git a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-hs/src/main/java/org/apache/hadoop/mapreduce/v2/hs/HistoryClientService.java b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-hs/src/main/java/org/apache/hadoop/mapreduce/v2/hs/HistoryClientService.java index 7bdb7dbd43..96b8105446 100644 --- a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-hs/src/main/java/org/apache/hadoop/mapreduce/v2/hs/HistoryClientService.java +++ b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-hs/src/main/java/org/apache/hadoop/mapreduce/v2/hs/HistoryClientService.java 
@@ -396,7 +396,7 @@ public CancelDelegationTokenResponse cancelDelegationToken( .array(), new Text(protoToken.getKind()), new Text( protoToken.getService())); - String user = UserGroupInformation.getCurrentUser().getShortUserName(); + String user = UserGroupInformation.getCurrentUser().getUserName(); jhsDTSecretManager.cancelToken(token, user); return Records.newRecord(CancelDelegationTokenResponse.class); } diff --git a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-hs/src/test/java/org/apache/hadoop/mapreduce/v2/hs/TestJHSDelegationTokenSecretManager.java b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-hs/src/test/java/org/apache/hadoop/mapreduce/v2/hs/TestJHSDelegationTokenSecretManager.java index 3fa25b9ed6..f41bb3a98f 100644 --- a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-hs/src/test/java/org/apache/hadoop/mapreduce/v2/hs/TestJHSDelegationTokenSecretManager.java +++ b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-hs/src/test/java/org/apache/hadoop/mapreduce/v2/hs/TestJHSDelegationTokenSecretManager.java @@ -30,6 +30,8 @@ import org.apache.hadoop.conf.Configuration; import org.apache.hadoop.io.Text; import org.apache.hadoop.mapreduce.v2.api.MRDelegationTokenIdentifier; +import org.apache.hadoop.security.AccessControlException; +import org.apache.hadoop.security.authentication.util.KerberosName; import org.apache.hadoop.security.token.Token; import org.apache.hadoop.security.token.delegation.DelegationKey; import org.junit.Test; 
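Review bot: The new `String user = UserGroupInformation.getCurrentUser().getUserName();` line in cancelDelegationToken has no comment saying why the full name is required, so a later cleanup could switch it back to the short name. The test added in this commit suggests the secret manager compares the canceller against the token owner, which is a full principal (`tokenOwner/localhost@LOCALHOST`), and rejects the bare short name with AccessControlException. I would add `// Pass the full user name: cancelToken() matches the canceller against the token owner, which is stored as a full principal.` above the assignment. The method starts outside this hunk, so any authentication-method check that runs before this line is not visible here.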
@@ -87,6 +89,24 @@ public void testRecovery() throws IOException { assertEquals("sequence number restore", tokenId2.getSequenceNumber() + 1, tokenId3.getSequenceNumber()); mgr.cancelToken(token1, "tokenOwner"); + + // Testing with full principal name + MRDelegationTokenIdentifier tokenIdFull = new MRDelegationTokenIdentifier( + new Text("tokenOwner/localhost@LOCALHOST"), new Text("tokenRenewer"), + new Text("tokenUser")); + KerberosName.setRules("RULE:[1:$1]\nRULE:[2:$1]"); + Token tokenFull = new Token( + tokenIdFull, mgr); + // Negative test + try { + mgr.cancelToken(tokenFull, "tokenOwner"); + } catch (AccessControlException ace) { + assertTrue(ace.getMessage().contains( + "is not authorized to cancel the token")); + } + // Succeed to cancel with full principal + mgr.cancelToken(tokenFull, tokenIdFull.getOwner().toString()); + long tokenRenewDate3 = mgr.getAllTokens().get(tokenId3).getRenewDate(); mgr.stopThreads(); diff --git a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-jobclient/src/test/java/org/apache/hadoop/mapreduce/security/TestJHSSecurity.java b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-jobclient/src/test/java/org/apache/hadoop/mapreduce/security/TestJHSSecurity.java index b56357fbfb..387e2027c8 100644 --- a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-jobclient/src/test/java/org/apache/hadoop/mapreduce/security/TestJHSSecurity.java +++ b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-jobclient/src/test/java/org/apache/hadoop/mapreduce/security/TestJHSSecurity.java 
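Review bot: The negative test in testRecovery does not assert the rejection, because the `try` block around `mgr.cancelToken(tokenFull, "tokenOwner")` has no failure statement after the call. If the short name were accepted, the `catch` would simply be skipped. Add `fail("cancel with the short user name should have been rejected");` directly after that call (JUnit's `fail` may need a static import in this file). Separately, `KerberosName.setRules("RULE:[1:$1]\nRULE:[2:$1]")` appears to change process-wide rules and is never restored, so it may affect other tests in the same JVM. Resetting it in a `finally` or teardown would keep this authorization test isolated.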
@@ -198,6 +198,11 @@ protected void initializeWebApp(Configuration conf) { fail("Unexpected exception" + e); } cancelDelegationToken(loggedInUser, hsService, token); + + // Testing the token with different renewer to cancel the token + Token tokenWithDifferentRenewer = getDelegationToken(loggedInUser, + hsService, "yarn"); + cancelDelegationToken(loggedInUser, hsService, tokenWithDifferentRenewer); if (clientUsingDT != null) { // RPC.stopProxy(clientUsingDT); clientUsingDT = null;
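Review bot: The added case only shows that `cancelDelegationToken(loggedInUser, hsService, tokenWithDifferentRenewer)` returns without throwing. Nothing in the hunk checks that the token is unusable afterwards, or that a caller who is neither the owner nor the `"yarn"` renewer is refused. The helper is defined outside this hunk and may assert more than is visible here, but an explicit negative case at the RPC level would pin the authorization behaviour that this commit changes. The comment would also read more precisely as `// The owner must be able to cancel a token whose renewer ("yarn") is a different user`.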