Posted to commits@accumulo.apache.org by el...@apache.org on 2015/01/23 00:22:34 UTC

[2/3] accumulo git commit: ACCUMULO-3497 Quick check that the provided address uses the FQDN.

ACCUMULO-3497 Quick check that the provided address uses the FQDN.

SASL relies heavily on DNS being properly configured. We can perform
a quick check for users that validates that the provided hostnames
in the "hosts" files in $ACCUMULO_CONF_DIR line up with the FQDN
as computed by InetAddress. This provides an intuitive message
as to the nature of their problem instead of a general GSS handshake
failure.


Project: http://git-wip-us.apache.org/repos/asf/accumulo/repo
Commit: http://git-wip-us.apache.org/repos/asf/accumulo/commit/6d1469ee
Tree: http://git-wip-us.apache.org/repos/asf/accumulo/tree/6d1469ee
Diff: http://git-wip-us.apache.org/repos/asf/accumulo/diff/6d1469ee

Branch: refs/heads/master
Commit: 6d1469eef62442db8f574e04bd87e62e92307c81
Parents: 7e61f97
Author: Josh Elser <el...@apache.org>
Authored: Thu Jan 22 14:40:44 2015 -0500
Committer: Josh Elser <el...@apache.org>
Committed: Thu Jan 22 18:22:01 2015 -0500

----------------------------------------------------------------------
 .../apache/accumulo/server/rpc/TServerUtils.java | 19 +++++++++++++++----
 1 file changed, 15 insertions(+), 4 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/accumulo/blob/6d1469ee/server/base/src/main/java/org/apache/accumulo/server/rpc/TServerUtils.java
----------------------------------------------------------------------
diff --git a/server/base/src/main/java/org/apache/accumulo/server/rpc/TServerUtils.java b/server/base/src/main/java/org/apache/accumulo/server/rpc/TServerUtils.java
index cd92e5c..4a93e67 100644
--- a/server/base/src/main/java/org/apache/accumulo/server/rpc/TServerUtils.java
+++ b/server/base/src/main/java/org/apache/accumulo/server/rpc/TServerUtils.java
@@ -360,8 +360,7 @@ public class TServerUtils {
    * @return A ServerAddress with the bound-socket information and the Thrift server
    */
   public static ServerAddress createSslThreadPoolServer(HostAndPort address, TProcessor processor, long socketTimeout, SslConnectionParams sslParams,
-      String serverName, int numThreads, int numSimpleTimerThreads, long timeBetweenThreadChecks)
-      throws TTransportException {
+      String serverName, int numThreads, int numSimpleTimerThreads, long timeBetweenThreadChecks) throws TTransportException {
     TServerSocket transport;
     try {
       transport = getSslServerSocket(address.getPort(), (int) socketTimeout, InetAddress.getByName(address.getHostText()), sslParams);
@@ -383,16 +382,27 @@ public class TServerUtils {
     // We'd really prefer to use THsHaServer (or similar) to avoid 1 RPC == 1 Thread that the TThreadPoolServer does,
     // but sadly this isn't the case. Because TSaslTransport needs to issue a handshake when it open()'s which will fail
     // when the server does an accept() to (presumably) wake up the eventing system.
-    log.info("Creating SASL thread pool thrift server on port=" + address.getPort());
+    log.info("Creating SASL thread pool thrift server on listening on {}:{}", address.getHostText(), address.getPort());
     TServerSocket transport = new TServerSocket(address.getPort(), (int) socketTimeout);
 
-    final String hostname;
+    final String hostname, fqdn;
     try {
       hostname = InetAddress.getByName(address.getHostText()).getCanonicalHostName();
+      fqdn = InetAddress.getLocalHost().getCanonicalHostName();
     } catch (UnknownHostException e) {
       throw new TTransportException(e);
     }
 
+    // ACCUMULO-3497 an easy sanity check we can perform for the user when SASL is enabled. Clients and servers have to agree upon the FQDN
+    // so that the SASL handshake can occur. If the provided hostname doesn't match the FQDN for this host, fail quickly and inform them to update
+    // their configuration.
+    if (!hostname.equals(fqdn)) {
+      log.error(
+          "Expected hostname of '{}' but got '{}'. Ensure the entries in the Accumulo hosts files (e.g. masters, slaves) are the FQDN for each host when using SASL.",
+          fqdn, hostname);
+      throw new RuntimeException("SASL requires that the address the thrift server listens on is the same as the FQDN for this host");
+    }
+
     final UserGroupInformation serverUser;
     try {
       serverUser = UserGroupInformation.getLoginUser();
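Review bot: The new FQDN check runs after `new TServerSocket(address.getPort(), (int) socketTimeout)` has already bound the port, and the throw on the `SASL requires ...` line neither closes that socket nor uses the exception type the rest of this method reports through (the preceding catch wraps failures in `TTransportException`, and a `RuntimeException` is a different contract for callers). Either move the hostname/fqdn resolution and comparison above the socket creation, or close `transport` before throwing and use `throw new TTransportException("SASL requires that the address the thrift server listens on is the same as the FQDN for this host");`. Note also that `getCanonicalHostName()` on the provided address falls back to the IP string when reverse lookup fails, so the "got '{}'" value may be an address rather than a name; and on a multi-homed host `InetAddress.getLocalHost()` may legitimately differ from the configured listening interface, so the error text should say the configured name must resolve to this host's canonical name rather than imply a single valid value — worth confirming against the intended deployment model. The new log line reads `"... thrift server on listening on {}:{}"`; `"Creating SASL thread pool thrift server listening on {}:{}"` is the intended wording. The enclosing method starts and ends outside this hunk.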
@@ -413,6 +423,7 @@ public class TServerUtils {
     TTransportFactory ugiTransportFactory = new UGIAssumingTransportFactory(saslTransportFactory, serverUser);
 
     if (address.getPort() == 0) {
+      // If we chose a port dynamically, make a new use it (along with the proper hostname)
       address = HostAndPort.fromParts(address.getHostText(), transport.getServerSocket().getLocalPort());
     }