You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@storm.apache.org by et...@apache.org on 2018/04/30 03:40:32 UTC
[1/2] storm git commit: [STORM-3029] don't use keytab based login for
hbase if AutoTGT is used.
Repository: storm
Updated Branches:
refs/heads/master e62ee2852 -> 1bd53a58e
[STORM-3029] don't use keytab based login for hbase if AutoTGT is used.
Project: http://git-wip-us.apache.org/repos/asf/storm/repo
Commit: http://git-wip-us.apache.org/repos/asf/storm/commit/19f08671
Tree: http://git-wip-us.apache.org/repos/asf/storm/tree/19f08671
Diff: http://git-wip-us.apache.org/repos/asf/storm/diff/19f08671
Branch: refs/heads/master
Commit: 19f086714deefe1835b8af4464b50f7d2e49d07e
Parents: 4137328
Author: Ethan Li <et...@gmail.com>
Authored: Mon Apr 16 10:49:19 2018 -0500
Committer: Ethan Li <et...@gmail.com>
Committed: Fri Apr 27 09:28:22 2018 -0500
----------------------------------------------------------------------
.../storm/hbase/security/HBaseSecurityUtil.java | 39 ++++++++++--------
.../org/apache/storm/hbase/common/Utils.java | 43 +++++++++++---------
2 files changed, 45 insertions(+), 37 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/storm/blob/19f08671/external/storm-autocreds/src/main/java/org/apache/storm/hbase/security/HBaseSecurityUtil.java
----------------------------------------------------------------------
diff --git a/external/storm-autocreds/src/main/java/org/apache/storm/hbase/security/HBaseSecurityUtil.java b/external/storm-autocreds/src/main/java/org/apache/storm/hbase/security/HBaseSecurityUtil.java
index 1afdf63..cb8329b 100644
--- a/external/storm-autocreds/src/main/java/org/apache/storm/hbase/security/HBaseSecurityUtil.java
+++ b/external/storm-autocreds/src/main/java/org/apache/storm/hbase/security/HBaseSecurityUtil.java
@@ -15,11 +15,13 @@
* See the License for the specific language governing permissions and
* limitations under the License.
*/
+
package org.apache.storm.hbase.security;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.hbase.security.UserProvider;
import org.apache.hadoop.security.UserGroupInformation;
+import org.apache.storm.security.auth.kerberos.AutoTGT;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@@ -52,24 +54,27 @@ public class HBaseSecurityUtil {
public static UserProvider login(Map<String, Object> conf, Configuration hbaseConfig) throws IOException {
//Allowing keytab based login for backward compatibility.
- if (UserGroupInformation.isSecurityEnabled() && (conf.get(TOPOLOGY_AUTO_CREDENTIALS) == null ||
- !(((List) conf.get(TOPOLOGY_AUTO_CREDENTIALS)).contains(AutoHBase.class.getName())))) {
- LOG.info("Logging in using keytab as AutoHBase is not specified for " + TOPOLOGY_AUTO_CREDENTIALS);
- //insure that if keytab is used only one login per process executed
- if(legacyProvider == null) {
- synchronized (HBaseSecurityUtil.class) {
- if(legacyProvider == null) {
- legacyProvider = UserProvider.instantiate(hbaseConfig);
- String keytab = (String) conf.get(STORM_KEYTAB_FILE_KEY);
- if (keytab != null) {
- hbaseConfig.set(STORM_KEYTAB_FILE_KEY, keytab);
- }
- String userName = (String) conf.get(STORM_USER_NAME_KEY);
- if (userName != null) {
- hbaseConfig.set(STORM_USER_NAME_KEY, userName);
+ if (UserGroupInformation.isSecurityEnabled()) {
+ List<String> autoCredentials = (List) conf.get(TOPOLOGY_AUTO_CREDENTIALS);
+ if ((autoCredentials == null)
+ || (!autoCredentials.contains(AutoHBase.class.getName()) && !autoCredentials.contains(AutoTGT.class.getName()))) {
+ LOG.info("Logging in using keytab as neither AutoHBase or AutoTGT is specified for " + TOPOLOGY_AUTO_CREDENTIALS);
+ //insure that if keytab is used only one login per process executed
+ if (legacyProvider == null) {
+ synchronized (HBaseSecurityUtil.class) {
+ if (legacyProvider == null) {
+ legacyProvider = UserProvider.instantiate(hbaseConfig);
+ String keytab = (String) conf.get(STORM_KEYTAB_FILE_KEY);
+ if (keytab != null) {
+ hbaseConfig.set(STORM_KEYTAB_FILE_KEY, keytab);
+ }
+ String userName = (String) conf.get(STORM_USER_NAME_KEY);
+ if (userName != null) {
+ hbaseConfig.set(STORM_USER_NAME_KEY, userName);
+ }
+ legacyProvider.login(STORM_KEYTAB_FILE_KEY, STORM_USER_NAME_KEY,
+ InetAddress.getLocalHost().getCanonicalHostName());
}
- legacyProvider.login(STORM_KEYTAB_FILE_KEY, STORM_USER_NAME_KEY,
- InetAddress.getLocalHost().getCanonicalHostName());
}
}
}
http://git-wip-us.apache.org/repos/asf/storm/blob/19f08671/external/storm-hbase/src/main/java/org/apache/storm/hbase/common/Utils.java
----------------------------------------------------------------------
diff --git a/external/storm-hbase/src/main/java/org/apache/storm/hbase/common/Utils.java b/external/storm-hbase/src/main/java/org/apache/storm/hbase/common/Utils.java
index 0dca16e..f9e6e34 100644
--- a/external/storm-hbase/src/main/java/org/apache/storm/hbase/common/Utils.java
+++ b/external/storm-hbase/src/main/java/org/apache/storm/hbase/common/Utils.java
@@ -42,33 +42,36 @@ public class Utils {
ugi = UserGroupInformation.getCurrentUser();
LOG.debug("UGI for current USER : {}", ugi.getUserName());
- boolean foundHBaseAuthToken = false;
- for (Token<? extends TokenIdentifier> token : ugi.getTokens()) {
- LOG.debug("Token in UGI (delegation token): {} / {}", token.toString(),
- token.decodeIdentifier().getUser());
+ if (ugi.hasKerberosCredentials()) {
+ LOG.debug("UGI has Kerberos credentials");
+ } else {
+ boolean foundHBaseAuthToken = false;
+ for (Token<? extends TokenIdentifier> token : ugi.getTokens()) {
+ LOG.debug("Token in UGI (delegation token): {} / {}", token.toString(),
+ token.decodeIdentifier().getUser());
- // token.getKind() = Text, Text is annotated by @Stringable
- // which ensures toString() implementation
- if (token.getKind().toString().equals(TOKEN_KIND_HBASE_AUTH_TOKEN)) {
- // use UGI from token
- if (!foundHBaseAuthToken) {
- LOG.debug("Found HBASE_AUTH_TOKEN - using the token to replace current user.");
+ // token.getKind() = Text, Text is annotated by @Stringable
+ // which ensures toString() implementation
+ if (token.getKind().toString().equals(TOKEN_KIND_HBASE_AUTH_TOKEN)) {
+ // use UGI from token
+ if (!foundHBaseAuthToken) {
+ LOG.debug("Found HBASE_AUTH_TOKEN - using the token to replace current user.");
- ugi = token.decodeIdentifier().getUser();
- ugi.addToken(token);
+ ugi = token.decodeIdentifier().getUser();
+ ugi.addToken(token);
- foundHBaseAuthToken = true;
- } else {
- LOG.warn("Found multiple HBASE_AUTH_TOKEN - will use already found token. " +
- "Please enable DEBUG log level to track delegation tokens.");
+ foundHBaseAuthToken = true;
+ } else {
+ LOG.warn("Found multiple HBASE_AUTH_TOKEN - will use already found token. " +
+ "Please enable DEBUG log level to track delegation tokens.");
+ }
}
}
- }
- if (!foundHBaseAuthToken) {
- LOG.warn("Can't find HBase auth token in delegation tokens.");
+ if (!foundHBaseAuthToken) {
+ LOG.warn("Can't find HBase auth token in delegation tokens.");
+ }
}
-
}
return ugi.doAs(new PrivilegedExceptionAction<HTable>() {
[2/2] storm git commit: Merge branch 'STORM-3029' of
https://github.com/Ethanlm/storm into STORM-3029
Posted by et...@apache.org.
Merge branch 'STORM-3029' of https://github.com/Ethanlm/storm into STORM-3029
Project: http://git-wip-us.apache.org/repos/asf/storm/repo
Commit: http://git-wip-us.apache.org/repos/asf/storm/commit/1bd53a58
Tree: http://git-wip-us.apache.org/repos/asf/storm/tree/1bd53a58
Diff: http://git-wip-us.apache.org/repos/asf/storm/diff/1bd53a58
Branch: refs/heads/master
Commit: 1bd53a58e198efd2e43cc3bd5edfc6514816ebef
Parents: e62ee28 19f0867
Author: Ethan Li <et...@gmail.com>
Authored: Sun Apr 29 22:39:55 2018 -0500
Committer: Ethan Li <et...@gmail.com>
Committed: Sun Apr 29 22:39:55 2018 -0500
----------------------------------------------------------------------
.../storm/hbase/security/HBaseSecurityUtil.java | 39 ++++++++++--------
.../org/apache/storm/hbase/common/Utils.java | 43 +++++++++++---------
2 files changed, 45 insertions(+), 37 deletions(-)
----------------------------------------------------------------------