diff --git a/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSWebApp.java b/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSWebApp.java
index e3d1a93299..cd773dd666 100644
--- a/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSWebApp.java
+++ b/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSWebApp.java
@@ -28,6 +28,7 @@
 import org.apache.hadoop.crypto.key.KeyProviderCryptoExtension;
 import org.apache.hadoop.crypto.key.KeyProviderFactory;
 import org.apache.hadoop.http.HttpServer2;
+import org.apache.hadoop.security.UserGroupInformation;
 import org.apache.hadoop.security.authorize.AccessControlList;
 import org.apache.hadoop.util.VersionInfo;
 import org.apache.log4j.PropertyConfigurator;
@@ -121,6 +122,7 @@ public void contextInitialized(ServletContextEvent sce) {
 }
 kmsConf = KMSConfiguration.getKMSConf();
 initLogging(confDir);
+ UserGroupInformation.setConfiguration(kmsConf);
 LOG.info("-------------------------------------------------------------");
 LOG.info(" Java runtime version : {}", System.getProperty(
 "java.runtime.version"));
diff --git a/hadoop-common-project/hadoop-kms/src/test/java/org/apache/hadoop/crypto/key/kms/server/TestKMS.java b/hadoop-common-project/hadoop-kms/src/test/java/org/apache/hadoop/crypto/key/kms/server/TestKMS.java
index 61b9a90b1b..9cbd08ab1e 100644
--- a/hadoop-common-project/hadoop-kms/src/test/java/org/apache/hadoop/crypto/key/kms/server/TestKMS.java
+++ b/hadoop-common-project/hadoop-kms/src/test/java/org/apache/hadoop/crypto/key/kms/server/TestKMS.java
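Review bot: The added `UserGroupInformation.setConfiguration(kmsConf);` in `KMSWebApp.contextInitialized` carries no comment, although it replaces UGI's process-wide static configuration, so later UGI calls in this JVM follow the KMS configuration rather than whatever UGI would otherwise have loaded on first use. Because that configuration decides how caller identities are interpreted before the KMS ACL checks run, I would add a line above it such as `// UGI keeps its Configuration in a static; seed it from kmsConf so the KMS security settings (e.g. hadoop.security.authentication) take effect.` It is also worth confirming that `KMSConfiguration.getKMSConf()` carries the security keys operators set today, since this hunk does not show how `kmsConf` is assembled. The body of `contextInitialized` starts and ends outside the hunk.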
@@ -143,11 +143,31 @@ protected T runServer(int port, String keystore, String password, File confD
 }
 protected Configuration createBaseKMSConf(File keyStoreDir) throws Exception {
- Configuration conf = new Configuration(false);
- conf.set(KMSConfiguration.KEY_PROVIDER_URI,
+ return createBaseKMSConf(keyStoreDir, null);
+ }
+
+ /**
+ * The Configuration object is shared by both KMS client and server in unit
+ * tests because UGI gets/sets it to a static variable.
+ * As a workaround, make sure the client configurations are copied to server
+ * so that client can read them.
+ * @param keyStoreDir where keystore is located.
+ * @param conf KMS client configuration
+ * @return KMS server configuration based on client.
+ * @throws Exception
+ */
+ protected Configuration createBaseKMSConf(File keyStoreDir,
+ Configuration conf) throws Exception {
+ Configuration newConf;
+ if (conf == null) {
+ newConf = new Configuration(false);
+ } else {
+ newConf = new Configuration(conf);
+ }
+ newConf.set(KMSConfiguration.KEY_PROVIDER_URI,
 "jceks://file@" + new Path(keyStoreDir.getAbsolutePath(), "kms.keystore").toUri());
- conf.set("hadoop.kms.authentication.type", "simple");
- return conf;
+ newConf.set("hadoop.kms.authentication.type", "simple");
+ return newConf;
 }
 public static void writeConf(File confDir, Configuration conf)
@@ -280,9 +300,8 @@ public void testStartStop(final boolean ssl, final boolean kerberos)
 if (kerberos) {
 conf.set("hadoop.security.authentication", "kerberos");
 }
- UserGroupInformation.setConfiguration(conf);
 File testDir = getTestDir();
- conf = createBaseKMSConf(testDir);
+ conf = createBaseKMSConf(testDir, conf);
 final String keystore;
 final String password;
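Review bot: In the new two-argument `createBaseKMSConf`, `new Configuration(conf)` copies every client key into the object that becomes the server configuration, while the `null` path still starts from `new Configuration(false)`, and the Javadoc does not say what that costs. After the copy, a test can no longer notice a server that lacks a security setting the client happens to carry (for example `hadoop.security.authentication`), and callers that pass `new Configuration()` presumably also bring in default resources that `Configuration(false)` used to keep out. I would record that in the Javadoc, reword "so that client can read them" to say the copy keeps the client's settings visible once the server has overwritten UGI's static configuration (apparently the intent), and either describe or drop the bare `@throws Exception`. The if/else can also be one line: `Configuration newConf = (conf == null) ? new Configuration(false) : new Configuration(conf);`.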
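Review bot: With `UserGroupInformation.setConfiguration(conf)` removed from `testStartStop`, nothing in the test sets UGI's static configuration until the in-process KMS server starts, so any client-side UGI use before that point sees whatever an earlier test left behind. The same removal is repeated in every later TestKMS hunk of this diff, from testSpecialKeyNames through doWebHDFSProxyUserTest. If the class has no setup or teardown that resets UGI (none is visible in these hunks), the Kerberos and simple-auth cases become order-dependent, which is a weak property for tests that guard authentication and ACL behaviour. A comment at the call site, e.g. `// UGI is configured by KMSWebApp.contextInitialized from the server conf derived here`, would record the dependency. The method bodies start and end outside the hunks.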
@@ -404,9 +423,8 @@ public void testSpecialKeyNames() throws Exception {
 final String specialKey = "key %^[\n{]}|\"<>\\";
 Configuration conf = new Configuration();
 conf.set("hadoop.security.authentication", "kerberos");
- UserGroupInformation.setConfiguration(conf);
 File confDir = getTestDir();
- conf = createBaseKMSConf(confDir);
+ conf = createBaseKMSConf(confDir, conf);
 conf.set(KeyAuthorizationKeyProvider.KEY_ACL + specialKey + ".ALL", "*");
 writeConf(confDir, conf);
@@ -439,9 +457,8 @@ public Void call() throws Exception {
 public void testKMSProvider() throws Exception {
 Configuration conf = new Configuration();
 conf.set("hadoop.security.authentication", "kerberos");
- UserGroupInformation.setConfiguration(conf);
 File confDir = getTestDir();
- conf = createBaseKMSConf(confDir);
+ conf = createBaseKMSConf(confDir, conf);
 conf.set(KeyAuthorizationKeyProvider.KEY_ACL + "k1.ALL", "*");
 conf.set(KeyAuthorizationKeyProvider.KEY_ACL + "k2.MANAGEMENT", "*");
 conf.set(KeyAuthorizationKeyProvider.KEY_ACL + "k2.READ", "*");
@@ -699,9 +716,8 @@ public Void call() throws Exception {
 public void testKeyACLs() throws Exception {
 Configuration conf = new Configuration();
 conf.set("hadoop.security.authentication", "kerberos");
- UserGroupInformation.setConfiguration(conf);
 final File testDir = getTestDir();
- conf = createBaseKMSConf(testDir);
+ conf = createBaseKMSConf(testDir, conf);
 conf.set("hadoop.kms.authentication.type", "kerberos");
 conf.set("hadoop.kms.authentication.kerberos.keytab",
 keytab.getAbsolutePath());
@@ -977,9 +993,8 @@ public void testKMSRestartSimpleAuth() throws Exception {
 public void doKMSRestart(boolean useKrb) throws Exception {
 Configuration conf = new Configuration();
 conf.set("hadoop.security.authentication", "kerberos");
- UserGroupInformation.setConfiguration(conf);
 final File testDir = getTestDir();
- conf = createBaseKMSConf(testDir);
+ conf = createBaseKMSConf(testDir, conf);
 if (useKrb) {
 conf.set("hadoop.kms.authentication.type", "kerberos");
 }
@@ -1057,9 +1072,8 @@ public Void run() throws Exception {
 public void testKMSAuthFailureRetry() throws Exception {
 Configuration conf = new Configuration();
 conf.set("hadoop.security.authentication", "kerberos");
- UserGroupInformation.setConfiguration(conf);
 final File testDir = getTestDir();
- conf = createBaseKMSConf(testDir);
+ conf = createBaseKMSConf(testDir, conf);
 conf.set("hadoop.kms.authentication.kerberos.keytab",
 keytab.getAbsolutePath());
 conf.set("hadoop.kms.authentication.kerberos.principal", "HTTP/localhost");
@@ -1151,9 +1165,8 @@ public Void run() throws Exception {
 public void testACLs() throws Exception {
 Configuration conf = new Configuration();
 conf.set("hadoop.security.authentication", "kerberos");
- UserGroupInformation.setConfiguration(conf);
 final File testDir = getTestDir();
- conf = createBaseKMSConf(testDir);
+ conf = createBaseKMSConf(testDir, conf);
 conf.set("hadoop.kms.authentication.type", "kerberos");
 conf.set("hadoop.kms.authentication.kerberos.keytab",
 keytab.getAbsolutePath());
@@ -1461,9 +1474,8 @@ public Void run() throws Exception {
 public void testKMSBlackList() throws Exception {
 Configuration conf = new Configuration();
 conf.set("hadoop.security.authentication", "kerberos");
- UserGroupInformation.setConfiguration(conf);
 File testDir = getTestDir();
- conf = createBaseKMSConf(testDir);
+ conf = createBaseKMSConf(testDir, conf);
 conf.set("hadoop.kms.authentication.type", "kerberos");
 conf.set("hadoop.kms.authentication.kerberos.keytab",
 keytab.getAbsolutePath());
@@ -1550,9 +1562,8 @@ public Void run() throws Exception {
 public void testServicePrincipalACLs() throws Exception {
 Configuration conf = new Configuration();
 conf.set("hadoop.security.authentication", "kerberos");
- UserGroupInformation.setConfiguration(conf);
 File testDir = getTestDir();
- conf = createBaseKMSConf(testDir);
+ conf = createBaseKMSConf(testDir, conf);
 conf.set("hadoop.kms.authentication.type", "kerberos");
 conf.set("hadoop.kms.authentication.kerberos.keytab",
 keytab.getAbsolutePath());
@@ -1676,9 +1687,8 @@ public void testKMSTimeout() throws Exception {
 public void testDelegationTokenAccess() throws Exception {
 Configuration conf = new Configuration();
 conf.set("hadoop.security.authentication", "kerberos");
- UserGroupInformation.setConfiguration(conf);
 final File testDir = getTestDir();
- conf = createBaseKMSConf(testDir);
+ conf = createBaseKMSConf(testDir, conf);
 conf.set("hadoop.kms.authentication.type", "kerberos");
 conf.set("hadoop.kms.authentication.kerberos.keytab",
 keytab.getAbsolutePath());
@@ -1759,9 +1769,8 @@ public void testDelegationTokensOpsKerberized() throws Exception {
 private void testDelegationTokensOps(Configuration conf,
 final boolean useKrb) throws Exception {
- UserGroupInformation.setConfiguration(conf);
 File confDir = getTestDir();
- conf = createBaseKMSConf(confDir);
+ conf = createBaseKMSConf(confDir, conf);
 if (useKrb) {
 conf.set("hadoop.kms.authentication.type", "kerberos");
 conf.set("hadoop.kms.authentication.kerberos.keytab",
@@ -1885,9 +1894,8 @@ public Void run() throws Exception {
 @Test
 public void testDelegationTokensUpdatedInUGI() throws Exception {
 Configuration conf = new Configuration();
- UserGroupInformation.setConfiguration(conf);
 File confDir = getTestDir();
- conf = createBaseKMSConf(confDir);
+ conf = createBaseKMSConf(confDir, conf);
 conf.set(
 "hadoop.kms.authentication.delegation-token.max-lifetime.sec", "5");
 conf.set(
@@ -2024,9 +2032,8 @@ public void doKMSWithZK(boolean zkDTSM, boolean zkSigner) throws Exception {
 Configuration conf = new Configuration();
 conf.set("hadoop.security.authentication", "kerberos");
- UserGroupInformation.setConfiguration(conf);
 final File testDir = getTestDir();
- conf = createBaseKMSConf(testDir);
+ conf = createBaseKMSConf(testDir, conf);
 conf.set("hadoop.kms.authentication.type", "kerberos");
 conf.set("hadoop.kms.authentication.kerberos.keytab", keytab.getAbsolutePath());
 conf.set("hadoop.kms.authentication.kerberos.principal", "HTTP/localhost");
@@ -2114,9 +2121,8 @@ public void testProxyUserSimple() throws Exception {
 public void doProxyUserTest(final boolean kerberos) throws Exception {
 Configuration conf = new Configuration();
 conf.set("hadoop.security.authentication", "kerberos");
- UserGroupInformation.setConfiguration(conf);
 final File testDir = getTestDir();
- conf = createBaseKMSConf(testDir);
+ conf = createBaseKMSConf(testDir, conf);
 if (kerberos) {
 conf.set("hadoop.kms.authentication.type", "kerberos");
 }
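Review bot: In `testDelegationTokensOps`, `conf = createBaseKMSConf(confDir, conf);` overwrites the method's own `conf` parameter, so from that line on the caller-supplied client settings and the derived server configuration share one name. Now that the helper deliberately merges the two, a reader cannot tell which role `conf` plays in the `hadoop.kms.authentication.*` settings that follow. I would either bind the result to a new local, `final Configuration kmsConf = createBaseKMSConf(confDir, conf);`, or add `// conf now holds the server config, seeded from the caller's client settings` above the assignment. The method body continues outside the hunk, so the rename would need to be applied to the later uses as well.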
@@ -2226,9 +2232,8 @@ public void testTGTRenewal() throws Exception {
 Configuration conf = new Configuration();
 conf.set("hadoop.security.authentication", "kerberos");
- UserGroupInformation.setConfiguration(conf);
 final File testDir = getTestDir();
- conf = createBaseKMSConf(testDir);
+ conf = createBaseKMSConf(testDir, conf);
 conf.set("hadoop.kms.authentication.type", "kerberos");
 conf.set("hadoop.kms.authentication.kerberos.keytab",
 keytab.getAbsolutePath());
@@ -2286,9 +2291,8 @@ public Void run() throws Exception {
 public void doWebHDFSProxyUserTest(final boolean kerberos) throws Exception {
 Configuration conf = new Configuration();
 conf.set("hadoop.security.authentication", "kerberos");
- UserGroupInformation.setConfiguration(conf);
 final File testDir = getTestDir();
- conf = createBaseKMSConf(testDir);
+ conf = createBaseKMSConf(testDir, conf);
 if (kerberos) {
 conf.set("hadoop.kms.authentication.type", "kerberos");
 }