Posted to commits@hawq.apache.org by ka...@apache.org on 2017/01/18 22:12:02 UTC
incubator-hawq git commit: HAWQ-762. Login to kerberos if credentials
are no longer valid
Repository: incubator-hawq
Updated Branches:
refs/heads/master 7f36b35bd -> 8261c13ef
HAWQ-762. Login to kerberos if credentials are no longer valid
Project: http://git-wip-us.apache.org/repos/asf/incubator-hawq/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-hawq/commit/8261c13e
Tree: http://git-wip-us.apache.org/repos/asf/incubator-hawq/tree/8261c13e
Diff: http://git-wip-us.apache.org/repos/asf/incubator-hawq/diff/8261c13e
Branch: refs/heads/master
Commit: 8261c13ef73de9109ec5340304471871f544fa17
Parents: 7f36b35
Author: Kavinder Dhaliwal <ka...@gmail.com>
Authored: Fri Jan 6 11:56:29 2017 -0800
Committer: Kavinder Dhaliwal <ka...@gmail.com>
Committed: Wed Jan 18 14:06:32 2017 -0800
----------------------------------------------------------------------
.../hawq/pxf/service/utilities/SecuredHDFS.java | 11 +++--
.../pxf/service/utilities/SecuredHDFSTest.java | 45 ++++++++++----------
2 files changed, 31 insertions(+), 25 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-hawq/blob/8261c13e/pxf/pxf-service/src/main/java/org/apache/hawq/pxf/service/utilities/SecuredHDFS.java
----------------------------------------------------------------------
diff --git a/pxf/pxf-service/src/main/java/org/apache/hawq/pxf/service/utilities/SecuredHDFS.java b/pxf/pxf-service/src/main/java/org/apache/hawq/pxf/service/utilities/SecuredHDFS.java
index f442a6d..1e1bcd3 100644
--- a/pxf/pxf-service/src/main/java/org/apache/hawq/pxf/service/utilities/SecuredHDFS.java
+++ b/pxf/pxf-service/src/main/java/org/apache/hawq/pxf/service/utilities/SecuredHDFS.java
@@ -53,6 +53,14 @@ public class SecuredHDFS {
public static void verifyToken(ProtocolData protData, ServletContext context) {
try {
if (UserGroupInformation.isSecurityEnabled()) {
+ /*
+ * HAWQ-1215: The verify token method validates that the token sent from
+ * Hawq to PXF is valid. However, this token is for a user other than
+ * 'pxf'. The following line ensures that before attempting any secure communication
+ * PXF tries to relogin in the case that its own ticket is about to expire
+ * #reloginFromKeytab is a no-op if the ticket is not near expiring
+ */
+ UserGroupInformation.getLoginUser().reloginFromKeytab();
Token<DelegationTokenIdentifier> token = new Token<DelegationTokenIdentifier>();
String tokenString = protData.getToken();
token.decodeFromUrlString(tokenString);
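Review bot: A failure of the added `reloginFromKeytab()` call is reported as a token failure, because the call sits inside the `try` whose `catch (IOException e)` (visible in the next hunk) throws `SecurityException("Failed to verify delegation token " + e, e)`. An unreadable keytab or unreachable KDC for the PXF login user would then appear in logs, and to the caller, as a bad client token, which points triage at the wrong credential. Giving the relogin its own try/catch with a distinct message keeps the two causes separable while still raising `SecurityException`, as sketched below. The block comment also cites HAWQ-1215 while the commit title says HAWQ-762, so one of the two references probably needs correcting. verifyToken's body continues outside this hunk.

```java
if (UserGroupInformation.isSecurityEnabled()) {
    // … unchanged: HAWQ-1215 block comment …
    try {
        UserGroupInformation.getLoginUser().reloginFromKeytab();
    } catch (IOException e) {
        throw new SecurityException("Failed to relogin PXF from keytab " + e, e);
    }
    // … unchanged: token decoding and verification …
```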
@@ -103,9 +111,6 @@ public class SecuredHDFS {
LOG.debug("user " + userGroupInformation.getUserName() + " ("
+ userGroupInformation.getShortUserName()
+ ") authenticated");
-
- // re-login if necessary
- userGroupInformation.checkTGTAndReloginFromKeytab();
} catch (IOException e) {
throw new SecurityException("Failed to verify delegation token "
+ e, e);
http://git-wip-us.apache.org/repos/asf/incubator-hawq/blob/8261c13e/pxf/pxf-service/src/test/java/org/apache/hawq/pxf/service/utilities/SecuredHDFSTest.java
----------------------------------------------------------------------
diff --git a/pxf/pxf-service/src/test/java/org/apache/hawq/pxf/service/utilities/SecuredHDFSTest.java b/pxf/pxf-service/src/test/java/org/apache/hawq/pxf/service/utilities/SecuredHDFSTest.java
index 4944a35..9aecce0 100644
--- a/pxf/pxf-service/src/test/java/org/apache/hawq/pxf/service/utilities/SecuredHDFSTest.java
+++ b/pxf/pxf-service/src/test/java/org/apache/hawq/pxf/service/utilities/SecuredHDFSTest.java
@@ -29,24 +29,25 @@ import org.powermock.core.classloader.annotations.PrepareForTest;
import org.powermock.modules.junit4.PowerMockRunner;
import javax.servlet.ServletContext;
-import java.util.HashMap;
-import java.util.Map;
+import java.io.IOException;
import static org.junit.Assert.*;
import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.verify;
import static org.mockito.Mockito.when;
@RunWith(PowerMockRunner.class)
@PrepareForTest({UserGroupInformation.class})
public class SecuredHDFSTest {
- Map<String, String> parameters;
ProtocolData mockProtocolData;
ServletContext mockContext;
@Test
- public void invalidTokenThrows() {
+ public void invalidTokenThrows() throws IOException {
when(UserGroupInformation.isSecurityEnabled()).thenReturn(true);
+ UserGroupInformation ugi = mock(UserGroupInformation.class);
+ when(UserGroupInformation.getLoginUser()).thenReturn(ugi);
when(mockProtocolData.getToken()).thenReturn("This is odd");
try {
@@ -57,30 +58,30 @@ public class SecuredHDFSTest {
}
}
+ @Test
+ public void loggedOutUser() throws IOException {
+ when(UserGroupInformation.isSecurityEnabled()).thenReturn(true);
+ UserGroupInformation ugi = mock(UserGroupInformation.class);
+ when(UserGroupInformation.getLoginUser()).thenReturn(ugi);
+ when(mockProtocolData.getToken()).thenReturn("This is odd");
+
+ try {
+ SecuredHDFS.verifyToken(mockProtocolData, mockContext);
+ fail("invalid X-GP-TOKEN should throw");
+ } catch (SecurityException e) {
+ verify(ugi).reloginFromKeytab();
+ assertEquals("Failed to verify delegation token java.io.EOFException", e.getMessage());
+ }
+ }
+
/*
* setUp function called before each test
*/
@Before
public void setUp() {
- parameters = new HashMap<>();
-
- parameters.put("X-GP-ALIGNMENT", "all");
- parameters.put("X-GP-SEGMENT-ID", "-44");
- parameters.put("X-GP-SEGMENT-COUNT", "2");
- parameters.put("X-GP-HAS-FILTER", "0");
- parameters.put("X-GP-FORMAT", "TEXT");
- parameters.put("X-GP-URL-HOST", "my://bags");
- parameters.put("X-GP-URL-PORT", "-8020");
- parameters.put("X-GP-ATTRS", "-1");
- parameters.put("X-GP-ACCESSOR", "are");
- parameters.put("X-GP-RESOLVER", "packed");
- parameters.put("X-GP-DATA-DIR", "i'm/ready/to/go");
- parameters.put("X-GP-FRAGMENT-METADATA", "U29tZXRoaW5nIGluIHRoZSB3YXk=");
- parameters.put("X-GP-I'M-STANDING-HERE", "outside-your-door");
-
- mockProtocolData = mock(ProtocolData.class);
+ mockProtocolData = mock(ProtocolData.class);
mockContext = mock(ServletContext.class);
PowerMockito.mockStatic(UserGroupInformation.class);
}
-}
+}
\ No newline at end of file
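Review bot: `loggedOutUser` never exercises a relogin failure: its setup is the same as `invalidTokenThrows`, and `verify(ugi).reloginFromKeytab()` only shows that the call was made before the token decode threw. The path where the keytab login itself fails is now reachable on each `verifyToken` call when security is enabled, and it has no test; adding `doThrow(new IOException("relogin failed")).when(ugi).reloginFromKeytab();` and asserting that `verifyToken` raises `SecurityException` would cover it. The test name and its `fail("invalid X-GP-TOKEN should throw")` message also describe different things, so a name such as `reloginAttemptedBeforeTokenCheck` would match what is actually asserted.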