Posted to commits@hawq.apache.org by ka...@apache.org on 2017/01/18 22:12:02 UTC

incubator-hawq git commit: HAWQ-762. Login to kerberos if credentials are no longer valid

Repository: incubator-hawq
Updated Branches:
  refs/heads/master 7f36b35bd -> 8261c13ef


HAWQ-762. Login to kerberos if credentials are no longer valid


Project: http://git-wip-us.apache.org/repos/asf/incubator-hawq/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-hawq/commit/8261c13e
Tree: http://git-wip-us.apache.org/repos/asf/incubator-hawq/tree/8261c13e
Diff: http://git-wip-us.apache.org/repos/asf/incubator-hawq/diff/8261c13e

Branch: refs/heads/master
Commit: 8261c13ef73de9109ec5340304471871f544fa17
Parents: 7f36b35
Author: Kavinder Dhaliwal <ka...@gmail.com>
Authored: Fri Jan 6 11:56:29 2017 -0800
Committer: Kavinder Dhaliwal <ka...@gmail.com>
Committed: Wed Jan 18 14:06:32 2017 -0800

----------------------------------------------------------------------
 .../hawq/pxf/service/utilities/SecuredHDFS.java | 11 +++--
 .../pxf/service/utilities/SecuredHDFSTest.java  | 45 ++++++++++----------
 2 files changed, 31 insertions(+), 25 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-hawq/blob/8261c13e/pxf/pxf-service/src/main/java/org/apache/hawq/pxf/service/utilities/SecuredHDFS.java
----------------------------------------------------------------------
diff --git a/pxf/pxf-service/src/main/java/org/apache/hawq/pxf/service/utilities/SecuredHDFS.java b/pxf/pxf-service/src/main/java/org/apache/hawq/pxf/service/utilities/SecuredHDFS.java
index f442a6d..1e1bcd3 100644
--- a/pxf/pxf-service/src/main/java/org/apache/hawq/pxf/service/utilities/SecuredHDFS.java
+++ b/pxf/pxf-service/src/main/java/org/apache/hawq/pxf/service/utilities/SecuredHDFS.java
@@ -53,6 +53,14 @@ public class SecuredHDFS {
     public static void verifyToken(ProtocolData protData, ServletContext context) {
         try {
             if (UserGroupInformation.isSecurityEnabled()) {
+                /*
+                 * HAWQ-1215: The verify token method validates that the token sent from
+                 * Hawq to PXF is valid. However, this token is for a user other than
+                 * 'pxf'. The following line ensures that before attempting any secure communication
+                 * PXF tries to relogin in the case that its own ticket is about to expire
+                 * #reloginFromKeytab is a no-op if the ticket is not near expiring
+                 */
+                UserGroupInformation.getLoginUser().reloginFromKeytab();
                 Token<DelegationTokenIdentifier> token = new Token<DelegationTokenIdentifier>();
                 String tokenString = protData.getToken();
                 token.decodeFromUrlString(tokenString);
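Review bot: An IOException thrown by the added `UserGroupInformation.getLoginUser().reloginFromKeytab()` call appears to land in the existing `catch (IOException e)` shown in the next hunk, so a failure of PXF's own keytab login would surface as "Failed to verify delegation token". That makes a service-side credential problem indistinguishable from a bad client token in logs and alerts. Handling the relogin separately keeps the two causes apart, e.g. `catch (IOException e) { throw new SecurityException("Failed to relogin PXF login user from keytab", e); }`. The comment's claim that the call is a no-op when the ticket is not near expiry looks dependent on the Hadoop client version; `checkTGTAndReloginFromKeytab()` is the call that states that intent, so the comment should name which behaviour is relied on. verifyToken's body continues outside the hunk.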
@@ -103,9 +111,6 @@ public class SecuredHDFS {
             LOG.debug("user " + userGroupInformation.getUserName() + " ("
                     + userGroupInformation.getShortUserName()
                     + ") authenticated");
-
-            // re-login if necessary
-            userGroupInformation.checkTGTAndReloginFromKeytab();
         } catch (IOException e) {
             throw new SecurityException("Failed to verify delegation token "
                     + e, e);

http://git-wip-us.apache.org/repos/asf/incubator-hawq/blob/8261c13e/pxf/pxf-service/src/test/java/org/apache/hawq/pxf/service/utilities/SecuredHDFSTest.java
----------------------------------------------------------------------
diff --git a/pxf/pxf-service/src/test/java/org/apache/hawq/pxf/service/utilities/SecuredHDFSTest.java b/pxf/pxf-service/src/test/java/org/apache/hawq/pxf/service/utilities/SecuredHDFSTest.java
index 4944a35..9aecce0 100644
--- a/pxf/pxf-service/src/test/java/org/apache/hawq/pxf/service/utilities/SecuredHDFSTest.java
+++ b/pxf/pxf-service/src/test/java/org/apache/hawq/pxf/service/utilities/SecuredHDFSTest.java
@@ -29,24 +29,25 @@ import org.powermock.core.classloader.annotations.PrepareForTest;
 import org.powermock.modules.junit4.PowerMockRunner;
 
 import javax.servlet.ServletContext;
-import java.util.HashMap;
-import java.util.Map;
+import java.io.IOException;
 
 import static org.junit.Assert.*;
 import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.verify;
 import static org.mockito.Mockito.when;
 
 
 @RunWith(PowerMockRunner.class)
 @PrepareForTest({UserGroupInformation.class})
 public class SecuredHDFSTest {
-    Map<String, String> parameters;
     ProtocolData mockProtocolData;
     ServletContext mockContext;
 
     @Test
-    public void invalidTokenThrows() {
+    public void invalidTokenThrows() throws IOException {
         when(UserGroupInformation.isSecurityEnabled()).thenReturn(true);
+        UserGroupInformation ugi = mock(UserGroupInformation.class);
+        when(UserGroupInformation.getLoginUser()).thenReturn(ugi);
         when(mockProtocolData.getToken()).thenReturn("This is odd");
 
         try {
@@ -57,30 +58,30 @@ public class SecuredHDFSTest {
         }
     }
 
+    @Test
+    public void loggedOutUser() throws IOException {
+        when(UserGroupInformation.isSecurityEnabled()).thenReturn(true);
+        UserGroupInformation ugi = mock(UserGroupInformation.class);
+        when(UserGroupInformation.getLoginUser()).thenReturn(ugi);
+        when(mockProtocolData.getToken()).thenReturn("This is odd");
+
+        try {
+            SecuredHDFS.verifyToken(mockProtocolData, mockContext);
+            fail("invalid X-GP-TOKEN should throw");
+        } catch (SecurityException e) {
+            verify(ugi).reloginFromKeytab();
+            assertEquals("Failed to verify delegation token java.io.EOFException", e.getMessage());
+        }
+    }
+
     /*
      * setUp function called before each test
 	 */
     @Before
     public void setUp() {
-        parameters = new HashMap<>();
-
-        parameters.put("X-GP-ALIGNMENT", "all");
-        parameters.put("X-GP-SEGMENT-ID", "-44");
-        parameters.put("X-GP-SEGMENT-COUNT", "2");
-        parameters.put("X-GP-HAS-FILTER", "0");
-        parameters.put("X-GP-FORMAT", "TEXT");
-        parameters.put("X-GP-URL-HOST", "my://bags");
-        parameters.put("X-GP-URL-PORT", "-8020");
-        parameters.put("X-GP-ATTRS", "-1");
-        parameters.put("X-GP-ACCESSOR", "are");
-        parameters.put("X-GP-RESOLVER", "packed");
-        parameters.put("X-GP-DATA-DIR", "i'm/ready/to/go");
-        parameters.put("X-GP-FRAGMENT-METADATA", "U29tZXRoaW5nIGluIHRoZSB3YXk=");
-        parameters.put("X-GP-I'M-STANDING-HERE", "outside-your-door");
-
-        mockProtocolData = mock(ProtocolData.class);        
+        mockProtocolData = mock(ProtocolData.class);
         mockContext = mock(ServletContext.class);
 
         PowerMockito.mockStatic(UserGroupInformation.class);
     }
-}
+}
\ No newline at end of file
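Review bot: `loggedOutUser` never puts the mocked login user into a logged-out or failing state. It repeats the `invalidTokenThrows` setup and only adds `verify(ugi).reloginFromKeytab()` inside the catch block, so the relogin failure path is untested. A case that makes the mock throw, e.g. `doThrow(new IOException("relogin failed")).when(ugi).reloginFromKeytab();`, and then asserts on the resulting SecurityException would cover the path the production change introduces. The `fail("invalid X-GP-TOKEN should throw")` message is copied from the other test, and a name such as `reloginAttemptedBeforeTokenCheck` would describe what is actually asserted.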