You are viewing a plain text version of this content. The canonical link for it is here.
Posted to common-commits@hadoop.apache.org by bo...@apache.org on 2010/08/31 01:42:17 UTC

svn commit: r991030 - in /hadoop/common/trunk: CHANGES.txt src/java/org/apache/hadoop/security/SecurityUtil.java src/test/core/org/apache/hadoop/security/TestSecurityUtil.java

Author: boryas
Date: Mon Aug 30 23:42:17 2010
New Revision: 991030

URL: http://svn.apache.org/viewvc?rev=991030&view=rev
Log:
HADOOP-6932.  Namenode start (init) fails because of invalid kerberos key, even when security set to simple

Modified:
    hadoop/common/trunk/CHANGES.txt
    hadoop/common/trunk/src/java/org/apache/hadoop/security/SecurityUtil.java
    hadoop/common/trunk/src/test/core/org/apache/hadoop/security/TestSecurityUtil.java

Modified: hadoop/common/trunk/CHANGES.txt
URL: http://svn.apache.org/viewvc/hadoop/common/trunk/CHANGES.txt?rev=991030&r1=991029&r2=991030&view=diff
==============================================================================
--- hadoop/common/trunk/CHANGES.txt (original)
+++ hadoop/common/trunk/CHANGES.txt Mon Aug 30 23:42:17 2010
@@ -220,6 +220,9 @@ Trunk (unreleased changes)
     HADOOP-6833. IPC leaks call parameters when exceptions thrown.
     (Todd Lipcon via Eli Collins)
 
+    HADOOP-6932.  Namenode start (init) fails because of invalid kerberos 
+    key, even when security set to "simple" (boryas)
+
 Release 0.21.0 - Unreleased
 
   INCOMPATIBLE CHANGES

Modified: hadoop/common/trunk/src/java/org/apache/hadoop/security/SecurityUtil.java
URL: http://svn.apache.org/viewvc/hadoop/common/trunk/src/java/org/apache/hadoop/security/SecurityUtil.java?rev=991030&r1=991029&r2=991030&view=diff
==============================================================================
--- hadoop/common/trunk/src/java/org/apache/hadoop/security/SecurityUtil.java (original)
+++ hadoop/common/trunk/src/java/org/apache/hadoop/security/SecurityUtil.java Mon Aug 30 23:42:17 2010
@@ -174,7 +174,7 @@ public class SecurityUtil {
   }
 
   /**
-   * If a keytab has been provided, login as that user. Substitute $host in
+   * Login as a principal specified in config. Substitute $host in
    * user's Kerberos principal name with a dynamically looked-up fully-qualified
    * domain name of the current host.
    * 
@@ -192,8 +192,9 @@ public class SecurityUtil {
   }
 
   /**
-   * If a keytab has been provided, login as that user. Substitute $host in
-   * user's Kerberos principal name with hostname.
+   * Login as a principal specified in config. Substitute $host in user's Kerberos principal 
+   * name with hostname. If non-secure mode - return. If no keytab available -
+   * bail out with an exception
    * 
    * @param conf
    *          conf to use
@@ -208,9 +209,14 @@ public class SecurityUtil {
   public static void login(final Configuration conf,
       final String keytabFileKey, final String userNameKey, String hostname)
       throws IOException {
-    String keytabFilename = conf.get(keytabFileKey);
-    if (keytabFilename == null)
+    
+    if(! UserGroupInformation.isSecurityEnabled()) 
       return;
+    
+    String keytabFilename = conf.get(keytabFileKey);
+    if (keytabFilename == null || keytabFilename.length() == 0) {
+      throw new IOException("Running in secure mode, but config doesn't have a keytab");
+    }
 
     String principalConfig = conf.get(userNameKey, System
         .getProperty("user.name"));

Modified: hadoop/common/trunk/src/test/core/org/apache/hadoop/security/TestSecurityUtil.java
URL: http://svn.apache.org/viewvc/hadoop/common/trunk/src/test/core/org/apache/hadoop/security/TestSecurityUtil.java?rev=991030&r1=991029&r2=991030&view=diff
==============================================================================
--- hadoop/common/trunk/src/test/core/org/apache/hadoop/security/TestSecurityUtil.java (original)
+++ hadoop/common/trunk/src/test/core/org/apache/hadoop/security/TestSecurityUtil.java Mon Aug 30 23:42:17 2010
@@ -16,12 +16,15 @@
  */
 package org.apache.hadoop.security;
 
-import static org.junit.Assert.*;
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertTrue;
 
 import java.io.IOException;
 
 import javax.security.auth.kerberos.KerberosPrincipal;
 
+import org.apache.hadoop.conf.Configuration;
+import org.junit.Assert;
 import org.junit.Test;
 
 public class TestSecurityUtil {
@@ -70,4 +73,23 @@ public class TestSecurityUtil {
     verify(shouldNotReplace, hostname, shouldNotReplace);
     verify(shouldNotReplace, shouldNotReplace, shouldNotReplace);
   }
+  
+  @Test
+  public void testStartsWithIncorrectSettings() throws IOException {
+    Configuration conf = new Configuration();
+    conf.set(
+        org.apache.hadoop.fs.CommonConfigurationKeys.HADOOP_SECURITY_AUTHENTICATION,
+        "kerberos");
+    String keyTabKey="key";
+    conf.set(keyTabKey, "");
+    UserGroupInformation.setConfiguration(conf);
+    boolean gotException = false;
+    try {
+      SecurityUtil.login(conf, keyTabKey, "", "");
+    } catch (IOException e) {
+      // expected
+      gotException=true;
+    }
+    assertTrue("Exception for empty keytabfile name was expected", gotException);
+  }
 }