Posted to common-user@hadoop.apache.org by lulynn_2008 <lu...@163.com> on 2013/07/01 12:41:00 UTC

KerberosName.rules are null during KerberosName.getShortName() in KerberosAuthenticationHandler

 Hi All,

I am trying to add Kerberos support to a web servlet via the Hadoop authentication classes. This is to make the web servlet server authenticate its clients via Kerberos. I assume this should work. Right?

The whole design is to add AuthFilter at the server side and call AuthenticatedURL.injectToken(conn, currentToken) when creating the connection at the client side. But the process failed at KerberosName.rules; I made a fix based on the 2.0.4-alpha branch. Could you please help to review it and give some suggestions? I think with this fix, we can add Kerberos support to any web servlet via the Hadoop authentication classes. I have opened HADOOP-9679 to track this issue and applied the patch.

Error:
The process failed during AuthenticationFilter.doFilter with the following error:
java.lang.NullPointerException
        at org.apache.hadoop.security.KerberosName.getShortName(KerberosName.java:384)
        at org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler$2.run(KerberosAuthenticationHandler.java:328)
        at org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler$2.run(KerberosAuthenticationHandler.java:302)
        at java.security.AccessController.doPrivileged(AccessController.java:310)
        at javax.security.auth.Subject.doAs(Subject.java:573)
        at org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler.authenticate(KerberosAuthenticationHandler.java:302)
        at org.apache.hadoop.security.authentication.server.AuthenticationFilter.doFilter(AuthenticationFilter.java:340)


Root cause:
This error happened because KerberosName.rules is not initialized. I found that this parameter is only initialized during initialization of UserGroupInformation, which is used for managing Hadoop users and groups. So this parameter will be initialized when a Hadoop client (like Oozie) accesses Hadoop. But the servlet I am testing is not a Hadoop client, so currently there is no place for initializing it. But I think we should make it work by giving KerberosName.rules the default value "DEFAULT".

FIX:
Following is my draft fix based on the hadoop-2.0.4-alpha branch. With this fix, my test web servlet can support Kerberos now.
--- a/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/KerberosAuthenticationHandler.java
+++ b/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/KerberosAuthenticationHandler.java
@@ -308,6 +308,10 @@ public AuthenticationToken run() throws Exception {
               } else {
                 String clientPrincipal = gssContext.getSrcName().toString();
                 KerberosName kerberosName = new KerberosName(clientPrincipal);
+                if( !KerberosName.hasRulesBeenSet()){
+                    LOG.warn("No rules applied to " + kerberosName.toString() + ". Using DEFAULT rules.");
+                    KerberosName.setRules("DEFAULT");
+                }
                 String userName = kerberosName.getShortName();
                 token = new AuthenticationToken(userName, clientPrincipal, getType());
                 response.setStatus(HttpServletResponse.SC_OK);
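
Review bot: The added check-then-set, KerberosName.hasRulesBeenSet() followed by KerberosName.setRules("DEFAULT"), changes static, process-wide state from inside run(), which executes for each authentication request, so concurrent requests can race on it and the rules that turn clientPrincipal into userName end up being chosen silently at request time. Consider setting the rules once when the handler is initialized, reading them from configuration and failing there with a clear error if none are given, so that a missing setting cannot quietly change how principals map to the userName placed in the AuthenticationToken.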



Re: KerberosName.rules are null during KerberosName.getShortName() in KerberosAuthenticationHandler

Posted by Alejandro Abdelnur <tu...@cloudera.com>.
Hi Lulynn,

I've commented in the JIRA; now that I see your email, that gives me a bit
more context on what you are trying to do.

If I understand correctly, you are trying to use this outside of Hadoop. If
that is the case you should set the <PREFIX>.kerberos.name.rules=DEFAULT
(or a custom name.rules if you have one) in your hadoop-auth
AuthenticationFilter configuration.

This is required because you are not initializing UGI before initializing
the filter.

Thanks.




On Mon, Jul 1, 2013 at 3:41 AM, lulynn_2008 <lu...@163.com> wrote:

>  Hi All,
>
> I am trying to add Kerberos support to a web servlet via the Hadoop
> authentication classes. This is to make the web servlet server
> authenticate its clients via Kerberos. I assume this should work. Right?
>
> The whole design is to add AuthFilter at the server side and call
> AuthenticatedURL.injectToken(conn, currentToken) when creating the
> connection at the client side. But the process failed at
> KerberosName.rules; I made a fix based on the 2.0.4-alpha branch. Could you
> please help to review it and give some suggestions? I think with this fix,
> we can add Kerberos support to any web servlet via the Hadoop
> authentication classes. I have opened HADOOP-9679 to track this issue and
> applied the patch.
>
> Error:
> The process failed during AuthenticationFilter.doFilter with the following
> error:
> java.lang.NullPointerException
>         at
> org.apache.hadoop.security.KerberosName.getShortName(KerberosName.java:384)
>         at
> org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler$2.run(KerberosAuthenticationHandler.java:328)
>         at
> org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler$2.run(KerberosAuthenticationHandler.java:302)
>         at
> java.security.AccessController.doPrivileged(AccessController.java:310)
>         at javax.security.auth.Subject.doAs(Subject.java:573)
>         at
> org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler.authenticate(KerberosAuthenticationHandler.java:302)
>         at
> org.apache.hadoop.security.authentication.server.AuthenticationFilter.doFilter(AuthenticationFilter.java:340)
>
>
> Root cause:
> This error happened because KerberosName.rules is not initialized. I
> found that this parameter is only initialized during initialization of
> UserGroupInformation, which is used for managing Hadoop users and groups.
> So this parameter will be initialized when a Hadoop client (like Oozie)
> accesses Hadoop. But the servlet I am testing is not a Hadoop client, so
> currently there is no place for initializing it. But I think we should
> make it work by giving KerberosName.rules the default value "DEFAULT".
>
> FIX:
> Following is my draft fix based on the hadoop-2.0.4-alpha branch. With
> this fix, my test web servlet can support Kerberos now.
> ---
> a/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/KerberosAuthenticationHandler.java
> +++
> b/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/KerberosAuthenticationHandler.java
> @@ -308,6 +308,10 @@ public AuthenticationToken run() throws Exception {
>                } else {
>                  String clientPrincipal =
> gssContext.getSrcName().toString();
>                  KerberosName kerberosName = new
> KerberosName(clientPrincipal);
> +                if( !KerberosName.hasRulesBeenSet()){
> +                    LOG.warn("No rules applied to " +
> kerberosName.toString() + ". Using DEFAULT rules.");
> +                    KerberosName.setRules("DEFAULT");
> +                }
>                  String userName = kerberosName.getShortName();
>                  token = new AuthenticationToken(userName,
> clientPrincipal, getType());
>                  response.setStatus(HttpServletResponse.SC_OK);
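
Review bot: The LOG.warn text in the added block reads "No rules applied to <principal>", but the condition it sits under, KerberosName.hasRulesBeenSet(), is about rules for the whole process, not for that one principal; word the message to say that no name rules were configured and that DEFAULT is being used instead. The added lines also use "if( !...){" spacing and a four-space body indent, while the surrounding context uses "} else {" spacing and two-space indent steps.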
>
>
>


-- 
Alejandro
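
The configuration suggested in the reply above, written out as a web.xml fragment. This is an added example, not part of the original thread or of the Hadoop sources. It assumes no config.prefix is set (so the property names are used without a prefix), and the filter name, principal, keytab path and URL pattern are constructed placeholders.

```xml
<!-- Added example: hadoop-auth AuthenticationFilter in a servlet that never
     initializes UserGroupInformation, so the name rules must come from here. -->
<filter>
  <filter-name>kerberosAuthFilter</filter-name> <!-- placeholder name -->
  <filter-class>org.apache.hadoop.security.authentication.server.AuthenticationFilter</filter-class>
  <init-param>
    <param-name>type</param-name>
    <param-value>kerberos</param-value>
  </init-param>
  <init-param>
    <!-- placeholder service principal for the web endpoint -->
    <param-name>kerberos.principal</param-name>
    <param-value>HTTP/web.example.com@EXAMPLE.COM</param-value>
  </init-param>
  <init-param>
    <!-- placeholder keytab path; keep it readable only by the servlet user -->
    <param-name>kerberos.keytab</param-name>
    <param-value>/etc/security/keytabs/http.service.keytab</param-value>
  </init-param>
  <init-param>
    <!-- The setting this thread is about: without it, nothing has set
         KerberosName.rules when getShortName() runs in a non-Hadoop servlet. -->
    <param-name>kerberos.name.rules</param-name>
    <param-value>DEFAULT</param-value>
  </init-param>
</filter>
<filter-mapping>
  <filter-name>kerberosAuthFilter</filter-name>
  <url-pattern>/*</url-pattern> <!-- placeholder: protect every path -->
</filter-mapping>
```

The DEFAULT rule only maps principals from the default realm in krb5.conf to a short name; principals from other realms need explicit rules in this parameter.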