Posted to commits@accumulo.apache.org by el...@apache.org on 2015/01/23 00:22:34 UTC
[2/3] accumulo git commit: ACCUMULO-3497 Quick check that the
provided address uses the FQDN.
ACCUMULO-3497 Quick check that the provided address uses the FQDN.
SASL relies heavily on DNS being properly configured. We can perform
a quick check for users that validates that the provided hostnames
in the "hosts" files in $ACCUMULO_CONF_DIR line up with the FQDN
as computed by InetAddress. This provides an intuitive message
as to the nature of their problem instead of a general GSS handshake
failure.
Project: http://git-wip-us.apache.org/repos/asf/accumulo/repo
Commit: http://git-wip-us.apache.org/repos/asf/accumulo/commit/6d1469ee
Tree: http://git-wip-us.apache.org/repos/asf/accumulo/tree/6d1469ee
Diff: http://git-wip-us.apache.org/repos/asf/accumulo/diff/6d1469ee
Branch: refs/heads/master
Commit: 6d1469eef62442db8f574e04bd87e62e92307c81
Parents: 7e61f97
Author: Josh Elser <el...@apache.org>
Authored: Thu Jan 22 14:40:44 2015 -0500
Committer: Josh Elser <el...@apache.org>
Committed: Thu Jan 22 18:22:01 2015 -0500
----------------------------------------------------------------------
.../apache/accumulo/server/rpc/TServerUtils.java | 19 +++++++++++++++----
1 file changed, 15 insertions(+), 4 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/accumulo/blob/6d1469ee/server/base/src/main/java/org/apache/accumulo/server/rpc/TServerUtils.java
----------------------------------------------------------------------
diff --git a/server/base/src/main/java/org/apache/accumulo/server/rpc/TServerUtils.java b/server/base/src/main/java/org/apache/accumulo/server/rpc/TServerUtils.java
index cd92e5c..4a93e67 100644
--- a/server/base/src/main/java/org/apache/accumulo/server/rpc/TServerUtils.java
+++ b/server/base/src/main/java/org/apache/accumulo/server/rpc/TServerUtils.java
@@ -360,8 +360,7 @@ public class TServerUtils {
* @return A ServerAddress with the bound-socket information and the Thrift server
*/
public static ServerAddress createSslThreadPoolServer(HostAndPort address, TProcessor processor, long socketTimeout, SslConnectionParams sslParams,
- String serverName, int numThreads, int numSimpleTimerThreads, long timeBetweenThreadChecks)
- throws TTransportException {
+ String serverName, int numThreads, int numSimpleTimerThreads, long timeBetweenThreadChecks) throws TTransportException {
TServerSocket transport;
try {
transport = getSslServerSocket(address.getPort(), (int) socketTimeout, InetAddress.getByName(address.getHostText()), sslParams);
@@ -383,16 +382,27 @@ public class TServerUtils {
// We'd really prefer to use THsHaServer (or similar) to avoid 1 RPC == 1 Thread that the TThreadPoolServer does,
// but sadly this isn't the case. Because TSaslTransport needs to issue a handshake when it open()'s which will fail
// when the server does an accept() to (presumably) wake up the eventing system.
- log.info("Creating SASL thread pool thrift server on port=" + address.getPort());
+ log.info("Creating SASL thread pool thrift server on listening on {}:{}", address.getHostText(), address.getPort());
TServerSocket transport = new TServerSocket(address.getPort(), (int) socketTimeout);
- final String hostname;
+ final String hostname, fqdn;
try {
hostname = InetAddress.getByName(address.getHostText()).getCanonicalHostName();
+ fqdn = InetAddress.getLocalHost().getCanonicalHostName();
} catch (UnknownHostException e) {
throw new TTransportException(e);
}
+ // ACCUMULO-3497 an easy sanity check we can perform for the user when SASL is enabled. Clients and servers have to agree upon the FQDN
+ // so that the SASL handshake can occur. If the provided hostname doesn't match the FQDN for this host, fail quickly and inform them to update
+ // their configuration.
+ if (!hostname.equals(fqdn)) {
+ log.error(
+ "Expected hostname of '{}' but got '{}'. Ensure the entries in the Accumulo hosts files (e.g. masters, slaves) are the FQDN for each host when using SASL.",
+ fqdn, hostname);
+ throw new RuntimeException("SASL requires that the address the thrift server listens on is the same as the FQDN for this host");
+ }
+
final UserGroupInformation serverUser;
try {
serverUser = UserGroupInformation.getLoginUser();
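Review bot: The new FQDN check throws after `TServerSocket transport = new TServerSocket(address.getPort(), (int) socketTimeout);` has already run, so on a mismatch the listening socket appears to be left open; either do the hostname comparison before creating the socket or call `transport.close();` ahead of the `throw`. The comparison `!hostname.equals(fqdn)` is case-sensitive although DNS names are not, so `!hostname.equalsIgnoreCase(fqdn)` would avoid rejecting a correctly configured host over letter case alone. `getCanonicalHostName()` falls back to the textual IP when the reverse lookup fails, and a wildcard listen address would presumably never equal the local FQDN, so a short comment stating that SASL needs a specific, reverse-resolvable hostname here would help operators read the error. The failure is raised as a bare `RuntimeException` while the `UnknownHostException` just above is wrapped in the declared `TTransportException`, and the new log text reads "on listening on". The method body starts and ends outside this hunk.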
@@ -413,6 +423,7 @@ public class TServerUtils {
TTransportFactory ugiTransportFactory = new UGIAssumingTransportFactory(saslTransportFactory, serverUser);
if (address.getPort() == 0) {
+ // If we chose a port dynamically, make a new use it (along with the proper hostname)
address = HostAndPort.fromParts(address.getHostText(), transport.getServerSocket().getLocalPort());
}