Posted to commits@kudu.apache.org by ad...@apache.org on 2017/10/11 17:20:20 UTC

kudu git commit: mini-kdc: two workarounds to help Java tests pass in more environments

Repository: kudu
Updated Branches:
  refs/heads/master afdeb9ea2 -> 3e8f1af30


mini-kdc: two workarounds to help Java tests pass in more environments

Environments with an older krb5 must enable the krb5_get_host_realm
workaround. This was previously handled by OverrideKrb5Environment (gtests)
and the Java MiniKdc, but now that the Java tests use the C++ MiniKdc, they
stopped receiving the workaround. To fix, I moved the workaround from
OverrideKrb5Environment to the C++ MiniKdc's GetEnvVars function. This
ensures it gets enabled by any MiniKDC user, be it a standalone gtest or a
full minicluster.

Separately, not all JVMs include "unlimited strength crypto". The old Java
MiniKdc explicitly disabled aes256 to accommodate these JVMs, but the C++
MiniKdc does not. Now it does.

I tested this patch by running all C++ and Java unit tests on a machine that
had libkrb5 1.10 and no "unlimited strength crypto" in its JVM.

Change-Id: I6775d159c43e13213fb8f83b80a46b6c0818f468
Reviewed-on: http://gerrit.cloudera.org:8080/8253
Tested-by: Kudu Jenkins
Reviewed-by: Todd Lipcon <to...@apache.org>


Project: http://git-wip-us.apache.org/repos/asf/kudu/repo
Commit: http://git-wip-us.apache.org/repos/asf/kudu/commit/3e8f1af3
Tree: http://git-wip-us.apache.org/repos/asf/kudu/tree/3e8f1af3
Diff: http://git-wip-us.apache.org/repos/asf/kudu/diff/3e8f1af3

Branch: refs/heads/master
Commit: 3e8f1af30b9e2b1d81d654293b4019cf6ef51db9
Parents: afdeb9e
Author: Adar Dembo <ad...@cloudera.com>
Authored: Tue Oct 10 14:54:15 2017 -0700
Committer: Adar Dembo <ad...@cloudera.com>
Committed: Wed Oct 11 17:20:04 2017 +0000

----------------------------------------------------------------------
 src/kudu/security/test/mini_kdc.cc | 14 +++++++++++++-
 src/kudu/util/test_util.cc         |  2 --
 2 files changed, 13 insertions(+), 3 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/kudu/blob/3e8f1af3/src/kudu/security/test/mini_kdc.cc
----------------------------------------------------------------------
diff --git a/src/kudu/security/test/mini_kdc.cc b/src/kudu/security/test/mini_kdc.cc
index 7830a2b..e47ceaf 100644
--- a/src/kudu/security/test/mini_kdc.cc
+++ b/src/kudu/security/test/mini_kdc.cc
@@ -81,7 +81,9 @@ map<string, string> MiniKdc::GetEnvVars() const {
   return {
     {"KRB5_CONFIG", JoinPathSegments(options_.data_root, "krb5.conf")},
     {"KRB5_KDC_PROFILE", JoinPathSegments(options_.data_root, "kdc.conf")},
-    {"KRB5CCNAME", JoinPathSegments(options_.data_root, "krb5cc")}
+    {"KRB5CCNAME", JoinPathSegments(options_.data_root, "krb5cc")},
+    // Enable the workaround for MIT krb5 1.10 bugs from krb5_realm_override.cc.
+    {"KUDU_ENABLE_KRB5_REALM_FIX", "yes"}
   };
 }
 
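Review bot: The comment on the new `KUDU_ENABLE_KRB5_REALM_FIX` entry in GetEnvVars() names MIT krb5 1.10, but the variable is now exported unconditionally to every process that consumes this map, whatever krb5 version it links against. Say so in the comment, and in the GetEnvVars() declaration comment if it enumerates the returned variables, so a reader knows the map is no longer limited to the KRB5_* variables and that a Kudu-specific toggle now rides along with them.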
@@ -209,6 +211,16 @@ Status MiniKdc::CreateKrb5Conf() const {
     renew_lifetime = $2
     ticket_lifetime = $3
 
+    # Disable aes256 since Java does not support it without JCE. Java is only
+    # one of several minicluster consumers, but disabling aes256 doesn't
+    # appreciably hurt Kudu code coverage, so we disable it universally.
+    #
+    # For more details, see:
+    # https://docs.oracle.com/javase/8/docs/technotes/guides/security/jgss/jgss-features.html
+    default_tkt_enctypes = aes128-cts des3-cbc-sha1
+    default_tgs_enctypes = aes128-cts des3-cbc-sha1
+    permitted_enctypes = aes128-cts des3-cbc-sha1
+
     # In miniclusters, we start daemons on local loopback IPs that
     # have no reverse DNS entries. So, disable reverse DNS.
     rdns = false
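Review bot: The three enctype lines added to the krb5.conf template keep `des3-cbc-sha1` next to `aes128-cts`, while the comment above them only explains why aes256 is dropped. If no minicluster consumer needs Triple-DES, list `aes128-cts` alone; if one does, name it in the comment. It would also help to state in the comment that this restriction exists for test clusters only, so the template is not copied into a real deployment's krb5.conf.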

http://git-wip-us.apache.org/repos/asf/kudu/blob/3e8f1af3/src/kudu/util/test_util.cc
----------------------------------------------------------------------
diff --git a/src/kudu/util/test_util.cc b/src/kudu/util/test_util.cc
index e5d2a4b..b7d4c57 100644
--- a/src/kudu/util/test_util.cc
+++ b/src/kudu/util/test_util.cc
@@ -143,8 +143,6 @@ void KuduTest::OverrideKrb5Environment() {
   setenv("KRB5_CONFIG", kInvalidPath, 1);
   setenv("KRB5_KTNAME", kInvalidPath, 1);
   setenv("KRB5CCNAME", kInvalidPath, 1);
-  // Enable the workaround for MIT krb5 1.10 bugs from krb5_realm_override.cc.
-  setenv("KUDU_ENABLE_KRB5_REALM_FIX", "yes", 1);
 }
 
 ///////////////////////////////////////////////////
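Review bot: After the removal in OverrideKrb5Environment(), a gtest only gets `KUDU_ENABLE_KRB5_REALM_FIX` once something applies MiniKdc::GetEnvVars() to the test process's own environment. Please confirm that the in-process path does that, not just the daemons a minicluster spawns, and consider leaving a one-line comment here pointing at MiniKdc::GetEnvVars() so the next reader can find where the workaround moved.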