HADOOP-13638. KMS should set UGI's Configuration object properly. Contributed by Wei-Chiu Chuang.
parent
4815d024c5
commit
fa397e74fe
@ -28,6 +28,7 @@
|
||||
import org.apache.hadoop.crypto.key.KeyProviderCryptoExtension;
|
||||
import org.apache.hadoop.crypto.key.KeyProviderFactory;
|
||||
import org.apache.hadoop.http.HttpServer2;
|
||||
import org.apache.hadoop.security.UserGroupInformation;
|
||||
import org.apache.hadoop.security.authorize.AccessControlList;
|
||||
import org.apache.hadoop.util.VersionInfo;
|
||||
import org.apache.log4j.PropertyConfigurator;
|
||||
@ -121,6 +122,7 @@ public void contextInitialized(ServletContextEvent sce) {
|
||||
}
|
||||
kmsConf = KMSConfiguration.getKMSConf();
|
||||
initLogging(confDir);
|
||||
UserGroupInformation.setConfiguration(kmsConf);
|
||||
LOG.info("-------------------------------------------------------------");
|
||||
LOG.info(" Java runtime version : {}", System.getProperty(
|
||||
"java.runtime.version"));
|
||||
|
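Review bot: The added `UserGroupInformation.setConfiguration(kmsConf);` in contextInitialized has no comment, although it changes process-wide state: the test Javadoc further down this page notes that UGI keeps its Configuration in a static variable. A short why-comment would help, for example `// UGI stores its Configuration statically; install the KMS config before any UGI use so the server's security settings take effect.` It is also worth confirming that nothing earlier in this method (initLogging or the code above the hunk) touches UGI first, since that would presumably initialise it from default settings before kmsConf is installed. The body of contextInitialized starts and ends outside this hunk, and the file header for this section is not visible on the page.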
@ -143,11 +143,31 @@ protected <T> T runServer(int port, String keystore, String password, File confD
|
||||
}
|
||||
|
||||
protected Configuration createBaseKMSConf(File keyStoreDir) throws Exception {
|
||||
Configuration conf = new Configuration(false);
|
||||
conf.set(KMSConfiguration.KEY_PROVIDER_URI,
|
||||
return createBaseKMSConf(keyStoreDir, null);
|
||||
}
|
||||
|
||||
/**
|
||||
* The Configuration object is shared by both KMS client and server in unit
|
||||
* tests because UGI gets/sets it to a static variable.
|
||||
* As a workaround, make sure the client configurations are copied to server
|
||||
* so that client can read them.
|
||||
* @param keyStoreDir where keystore is located.
|
||||
* @param conf KMS client configuration
|
||||
* @return KMS server configuration based on client.
|
||||
* @throws Exception
|
||||
*/
|
||||
protected Configuration createBaseKMSConf(File keyStoreDir,
|
||||
Configuration conf) throws Exception {
|
||||
Configuration newConf;
|
||||
if (conf == null) {
|
||||
newConf = new Configuration(false);
|
||||
} else {
|
||||
newConf = new Configuration(conf);
|
||||
}
|
||||
newConf.set(KMSConfiguration.KEY_PROVIDER_URI,
|
||||
"jceks://file@" + new Path(keyStoreDir.getAbsolutePath(), "kms.keystore").toUri());
|
||||
conf.set("hadoop.kms.authentication.type", "simple");
|
||||
return conf;
|
||||
newConf.set("hadoop.kms.authentication.type", "simple");
|
||||
return newConf;
|
||||
}
|
||||
|
||||
public static void writeConf(File confDir, Configuration conf)
|
||||
@ -280,9 +300,8 @@ public void testStartStop(final boolean ssl, final boolean kerberos)
|
||||
if (kerberos) {
|
||||
conf.set("hadoop.security.authentication", "kerberos");
|
||||
}
|
||||
UserGroupInformation.setConfiguration(conf);
|
||||
File testDir = getTestDir();
|
||||
conf = createBaseKMSConf(testDir);
|
||||
conf = createBaseKMSConf(testDir, conf);
|
||||
|
||||
final String keystore;
|
||||
final String password;
|
||||
@ -404,9 +423,8 @@ public void testSpecialKeyNames() throws Exception {
|
||||
final String specialKey = "key %^[\n{]}|\"<>\\";
|
||||
Configuration conf = new Configuration();
|
||||
conf.set("hadoop.security.authentication", "kerberos");
|
||||
UserGroupInformation.setConfiguration(conf);
|
||||
File confDir = getTestDir();
|
||||
conf = createBaseKMSConf(confDir);
|
||||
conf = createBaseKMSConf(confDir, conf);
|
||||
conf.set(KeyAuthorizationKeyProvider.KEY_ACL + specialKey + ".ALL", "*");
|
||||
writeConf(confDir, conf);
|
||||
|
||||
@ -439,9 +457,8 @@ public Void call() throws Exception {
|
||||
public void testKMSProvider() throws Exception {
|
||||
Configuration conf = new Configuration();
|
||||
conf.set("hadoop.security.authentication", "kerberos");
|
||||
UserGroupInformation.setConfiguration(conf);
|
||||
File confDir = getTestDir();
|
||||
conf = createBaseKMSConf(confDir);
|
||||
conf = createBaseKMSConf(confDir, conf);
|
||||
conf.set(KeyAuthorizationKeyProvider.KEY_ACL + "k1.ALL", "*");
|
||||
conf.set(KeyAuthorizationKeyProvider.KEY_ACL + "k2.MANAGEMENT", "*");
|
||||
conf.set(KeyAuthorizationKeyProvider.KEY_ACL + "k2.READ", "*");
|
||||
@ -699,9 +716,8 @@ public Void call() throws Exception {
|
||||
public void testKeyACLs() throws Exception {
|
||||
Configuration conf = new Configuration();
|
||||
conf.set("hadoop.security.authentication", "kerberos");
|
||||
UserGroupInformation.setConfiguration(conf);
|
||||
final File testDir = getTestDir();
|
||||
conf = createBaseKMSConf(testDir);
|
||||
conf = createBaseKMSConf(testDir, conf);
|
||||
conf.set("hadoop.kms.authentication.type", "kerberos");
|
||||
conf.set("hadoop.kms.authentication.kerberos.keytab",
|
||||
keytab.getAbsolutePath());
|
||||
@ -977,9 +993,8 @@ public void testKMSRestartSimpleAuth() throws Exception {
|
||||
public void doKMSRestart(boolean useKrb) throws Exception {
|
||||
Configuration conf = new Configuration();
|
||||
conf.set("hadoop.security.authentication", "kerberos");
|
||||
UserGroupInformation.setConfiguration(conf);
|
||||
final File testDir = getTestDir();
|
||||
conf = createBaseKMSConf(testDir);
|
||||
conf = createBaseKMSConf(testDir, conf);
|
||||
if (useKrb) {
|
||||
conf.set("hadoop.kms.authentication.type", "kerberos");
|
||||
}
|
||||
@ -1057,9 +1072,8 @@ public Void run() throws Exception {
|
||||
public void testKMSAuthFailureRetry() throws Exception {
|
||||
Configuration conf = new Configuration();
|
||||
conf.set("hadoop.security.authentication", "kerberos");
|
||||
UserGroupInformation.setConfiguration(conf);
|
||||
final File testDir = getTestDir();
|
||||
conf = createBaseKMSConf(testDir);
|
||||
conf = createBaseKMSConf(testDir, conf);
|
||||
conf.set("hadoop.kms.authentication.kerberos.keytab",
|
||||
keytab.getAbsolutePath());
|
||||
conf.set("hadoop.kms.authentication.kerberos.principal", "HTTP/localhost");
|
||||
@ -1151,9 +1165,8 @@ public Void run() throws Exception {
|
||||
public void testACLs() throws Exception {
|
||||
Configuration conf = new Configuration();
|
||||
conf.set("hadoop.security.authentication", "kerberos");
|
||||
UserGroupInformation.setConfiguration(conf);
|
||||
final File testDir = getTestDir();
|
||||
conf = createBaseKMSConf(testDir);
|
||||
conf = createBaseKMSConf(testDir, conf);
|
||||
conf.set("hadoop.kms.authentication.type", "kerberos");
|
||||
conf.set("hadoop.kms.authentication.kerberos.keytab",
|
||||
keytab.getAbsolutePath());
|
||||
@ -1461,9 +1474,8 @@ public Void run() throws Exception {
|
||||
public void testKMSBlackList() throws Exception {
|
||||
Configuration conf = new Configuration();
|
||||
conf.set("hadoop.security.authentication", "kerberos");
|
||||
UserGroupInformation.setConfiguration(conf);
|
||||
File testDir = getTestDir();
|
||||
conf = createBaseKMSConf(testDir);
|
||||
conf = createBaseKMSConf(testDir, conf);
|
||||
conf.set("hadoop.kms.authentication.type", "kerberos");
|
||||
conf.set("hadoop.kms.authentication.kerberos.keytab",
|
||||
keytab.getAbsolutePath());
|
||||
@ -1550,9 +1562,8 @@ public Void run() throws Exception {
|
||||
public void testServicePrincipalACLs() throws Exception {
|
||||
Configuration conf = new Configuration();
|
||||
conf.set("hadoop.security.authentication", "kerberos");
|
||||
UserGroupInformation.setConfiguration(conf);
|
||||
File testDir = getTestDir();
|
||||
conf = createBaseKMSConf(testDir);
|
||||
conf = createBaseKMSConf(testDir, conf);
|
||||
conf.set("hadoop.kms.authentication.type", "kerberos");
|
||||
conf.set("hadoop.kms.authentication.kerberos.keytab",
|
||||
keytab.getAbsolutePath());
|
||||
@ -1676,9 +1687,8 @@ public void testKMSTimeout() throws Exception {
|
||||
public void testDelegationTokenAccess() throws Exception {
|
||||
Configuration conf = new Configuration();
|
||||
conf.set("hadoop.security.authentication", "kerberos");
|
||||
UserGroupInformation.setConfiguration(conf);
|
||||
final File testDir = getTestDir();
|
||||
conf = createBaseKMSConf(testDir);
|
||||
conf = createBaseKMSConf(testDir, conf);
|
||||
conf.set("hadoop.kms.authentication.type", "kerberos");
|
||||
conf.set("hadoop.kms.authentication.kerberos.keytab",
|
||||
keytab.getAbsolutePath());
|
||||
@ -1759,9 +1769,8 @@ public void testDelegationTokensOpsKerberized() throws Exception {
|
||||
|
||||
private void testDelegationTokensOps(Configuration conf,
|
||||
final boolean useKrb) throws Exception {
|
||||
UserGroupInformation.setConfiguration(conf);
|
||||
File confDir = getTestDir();
|
||||
conf = createBaseKMSConf(confDir);
|
||||
conf = createBaseKMSConf(confDir, conf);
|
||||
if (useKrb) {
|
||||
conf.set("hadoop.kms.authentication.type", "kerberos");
|
||||
conf.set("hadoop.kms.authentication.kerberos.keytab",
|
||||
@ -1885,9 +1894,8 @@ public Void run() throws Exception {
|
||||
@Test
|
||||
public void testDelegationTokensUpdatedInUGI() throws Exception {
|
||||
Configuration conf = new Configuration();
|
||||
UserGroupInformation.setConfiguration(conf);
|
||||
File confDir = getTestDir();
|
||||
conf = createBaseKMSConf(confDir);
|
||||
conf = createBaseKMSConf(confDir, conf);
|
||||
conf.set(
|
||||
"hadoop.kms.authentication.delegation-token.max-lifetime.sec", "5");
|
||||
conf.set(
|
||||
@ -2024,9 +2032,8 @@ public void doKMSWithZK(boolean zkDTSM, boolean zkSigner) throws Exception {
|
||||
|
||||
Configuration conf = new Configuration();
|
||||
conf.set("hadoop.security.authentication", "kerberos");
|
||||
UserGroupInformation.setConfiguration(conf);
|
||||
final File testDir = getTestDir();
|
||||
conf = createBaseKMSConf(testDir);
|
||||
conf = createBaseKMSConf(testDir, conf);
|
||||
conf.set("hadoop.kms.authentication.type", "kerberos");
|
||||
conf.set("hadoop.kms.authentication.kerberos.keytab", keytab.getAbsolutePath());
|
||||
conf.set("hadoop.kms.authentication.kerberos.principal", "HTTP/localhost");
|
||||
@ -2114,9 +2121,8 @@ public void testProxyUserSimple() throws Exception {
|
||||
public void doProxyUserTest(final boolean kerberos) throws Exception {
|
||||
Configuration conf = new Configuration();
|
||||
conf.set("hadoop.security.authentication", "kerberos");
|
||||
UserGroupInformation.setConfiguration(conf);
|
||||
final File testDir = getTestDir();
|
||||
conf = createBaseKMSConf(testDir);
|
||||
conf = createBaseKMSConf(testDir, conf);
|
||||
if (kerberos) {
|
||||
conf.set("hadoop.kms.authentication.type", "kerberos");
|
||||
}
|
||||
@ -2226,9 +2232,8 @@ public void testTGTRenewal() throws Exception {
|
||||
|
||||
Configuration conf = new Configuration();
|
||||
conf.set("hadoop.security.authentication", "kerberos");
|
||||
UserGroupInformation.setConfiguration(conf);
|
||||
final File testDir = getTestDir();
|
||||
conf = createBaseKMSConf(testDir);
|
||||
conf = createBaseKMSConf(testDir, conf);
|
||||
conf.set("hadoop.kms.authentication.type", "kerberos");
|
||||
conf.set("hadoop.kms.authentication.kerberos.keytab",
|
||||
keytab.getAbsolutePath());
|
||||
@ -2286,9 +2291,8 @@ public Void run() throws Exception {
|
||||
public void doWebHDFSProxyUserTest(final boolean kerberos) throws Exception {
|
||||
Configuration conf = new Configuration();
|
||||
conf.set("hadoop.security.authentication", "kerberos");
|
||||
UserGroupInformation.setConfiguration(conf);
|
||||
final File testDir = getTestDir();
|
||||
conf = createBaseKMSConf(testDir);
|
||||
conf = createBaseKMSConf(testDir, conf);
|
||||
if (kerberos) {
|
||||
conf.set("hadoop.kms.authentication.type", "kerberos");
|
||||
}
|
||||
|
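Review bot: The Javadoc on the new two-argument `createBaseKMSConf(File, Configuration)` does not say that the helper overwrites `hadoop.kms.authentication.type` with "simple" on the copy, nor that a null `conf` yields an empty `new Configuration(false)`. Because the client settings are now copied into the server config, a test that passes a Kerberos client config still gets a simple-auth KMS unless it sets the type again afterwards, as testKeyACLs does; whether testSpecialKeyNames and testKMSProvider do so is outside the visible hunks. I would add a sentence such as `The returned copy always has hadoop.kms.authentication.type set to "simple"; callers that need Kerberos must set it after this call.` and either describe `@throws Exception` or drop it. Every test hunk in this file section calls this helper, so the note applies to all of them.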