Posted to common-commits@hadoop.apache.org by bo...@apache.org on 2010/08/31 01:42:17 UTC
svn commit: r991030 - in /hadoop/common/trunk: CHANGES.txt
src/java/org/apache/hadoop/security/SecurityUtil.java
src/test/core/org/apache/hadoop/security/TestSecurityUtil.java
Author: boryas
Date: Mon Aug 30 23:42:17 2010
New Revision: 991030
URL: http://svn.apache.org/viewvc?rev=991030&view=rev
Log:
HADOOP-6932. Namenode start (init) fails because of invalid kerberos key, even when security set to simple
Modified:
hadoop/common/trunk/CHANGES.txt
hadoop/common/trunk/src/java/org/apache/hadoop/security/SecurityUtil.java
hadoop/common/trunk/src/test/core/org/apache/hadoop/security/TestSecurityUtil.java
Modified: hadoop/common/trunk/CHANGES.txt
URL: http://svn.apache.org/viewvc/hadoop/common/trunk/CHANGES.txt?rev=991030&r1=991029&r2=991030&view=diff
==============================================================================
--- hadoop/common/trunk/CHANGES.txt (original)
+++ hadoop/common/trunk/CHANGES.txt Mon Aug 30 23:42:17 2010
@@ -220,6 +220,9 @@ Trunk (unreleased changes)
HADOOP-6833. IPC leaks call parameters when exceptions thrown.
(Todd Lipcon via Eli Collins)
+ HADOOP-6932. Namenode start (init) fails because of invalid kerberos
+ key, even when security set to "simple" (boryas)
+
Release 0.21.0 - Unreleased
INCOMPATIBLE CHANGES
Modified: hadoop/common/trunk/src/java/org/apache/hadoop/security/SecurityUtil.java
URL: http://svn.apache.org/viewvc/hadoop/common/trunk/src/java/org/apache/hadoop/security/SecurityUtil.java?rev=991030&r1=991029&r2=991030&view=diff
==============================================================================
--- hadoop/common/trunk/src/java/org/apache/hadoop/security/SecurityUtil.java (original)
+++ hadoop/common/trunk/src/java/org/apache/hadoop/security/SecurityUtil.java Mon Aug 30 23:42:17 2010
@@ -174,7 +174,7 @@ public class SecurityUtil {
}
/**
- * If a keytab has been provided, login as that user. Substitute $host in
+ * Login as a principal specified in config. Substitute $host in
* user's Kerberos principal name with a dynamically looked-up fully-qualified
* domain name of the current host.
*
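Review bot: The reworded summary `Login as a principal specified in config.` on the three-argument overload states no condition under which login is skipped or fails, while the four-argument overload's Javadoc in the next hunk gains "If non-secure mode - return. If no keytab available - bail out with an exception". If this overload delegates to the other one (its body is outside the hunk), the same two sentences belong here, ideally with a `@throws IOException` line naming the missing-keytab case. A caller reading only this comment would otherwise not learn that a secure-mode daemon without a keytab now fails at startup instead of continuing without a Kerberos login.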
@@ -192,8 +192,9 @@ public class SecurityUtil {
}
/**
- * If a keytab has been provided, login as that user. Substitute $host in
- * user's Kerberos principal name with hostname.
+ * Login as a principal specified in config. Substitute $host in user's Kerberos principal
+ * name with hostname. If non-secure mode - return. If no keytab available -
+ * bail out with an exception
*
* @param conf
* conf to use
@@ -208,9 +209,14 @@ public class SecurityUtil {
public static void login(final Configuration conf,
final String keytabFileKey, final String userNameKey, String hostname)
throws IOException {
- String keytabFilename = conf.get(keytabFileKey);
- if (keytabFilename == null)
+
+ if(! UserGroupInformation.isSecurityEnabled())
return;
+
+ String keytabFilename = conf.get(keytabFileKey);
+ if (keytabFilename == null || keytabFilename.length() == 0) {
+ throw new IOException("Running in secure mode, but config doesn't have a keytab");
+ }
String principalConfig = conf.get(userNameKey, System
.getProperty("user.name"));
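Review bot: The new `throw new IOException("Running in secure mode, but config doesn't have a keytab");` does not say which configuration key was looked up, so an operator whose daemon now refuses to start has to work the key out from the caller. Including the key name, which is not a secret, makes this fail-closed path diagnosable: `throw new IOException("Running in secure mode, but config doesn't have a keytab for key " + keytabFileKey);`. A value made only of whitespace still passes `keytabFilename.length() == 0` and is presumably rejected later by the Kerberos login with a less direct message; `keytabFilename.trim().length() == 0` would catch it here. The body of login continues outside the hunk.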
Modified: hadoop/common/trunk/src/test/core/org/apache/hadoop/security/TestSecurityUtil.java
URL: http://svn.apache.org/viewvc/hadoop/common/trunk/src/test/core/org/apache/hadoop/security/TestSecurityUtil.java?rev=991030&r1=991029&r2=991030&view=diff
==============================================================================
--- hadoop/common/trunk/src/test/core/org/apache/hadoop/security/TestSecurityUtil.java (original)
+++ hadoop/common/trunk/src/test/core/org/apache/hadoop/security/TestSecurityUtil.java Mon Aug 30 23:42:17 2010
@@ -16,12 +16,15 @@
*/
package org.apache.hadoop.security;
-import static org.junit.Assert.*;
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertTrue;
import java.io.IOException;
import javax.security.auth.kerberos.KerberosPrincipal;
+import org.apache.hadoop.conf.Configuration;
+import org.junit.Assert;
import org.junit.Test;
public class TestSecurityUtil {
@@ -70,4 +73,23 @@ public class TestSecurityUtil {
verify(shouldNotReplace, hostname, shouldNotReplace);
verify(shouldNotReplace, shouldNotReplace, shouldNotReplace);
}
+
+ @Test
+ public void testStartsWithIncorrectSettings() throws IOException {
+ Configuration conf = new Configuration();
+ conf.set(
+ org.apache.hadoop.fs.CommonConfigurationKeys.HADOOP_SECURITY_AUTHENTICATION,
+ "kerberos");
+ String keyTabKey="key";
+ conf.set(keyTabKey, "");
+ UserGroupInformation.setConfiguration(conf);
+ boolean gotException = false;
+ try {
+ SecurityUtil.login(conf, keyTabKey, "", "");
+ } catch (IOException e) {
+ // expected
+ gotException=true;
+ }
+ assertTrue("Exception for empty keytabfile name was expected", gotException);
+ }
}
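Review bot: `UserGroupInformation.setConfiguration(conf)` in testStartsWithIncorrectSettings switches the process-wide authentication setting to "kerberos" and never restores it, so any test that runs later in the same JVM may execute with security enabled. The `catch (IOException e)` also accepts any IOException, so the test would presumably still pass if the new keytab check were removed and the Kerberos login itself failed on the empty principal. Restoring the configuration in a `finally` and checking the message pins the test to the check this commit adds. The non-secure early return, which is the case the issue title describes, has no test here; a second test with the default configuration that expects login to return without throwing would cover it.

```java
  public void testStartsWithIncorrectSettings() throws IOException {
    // … unchanged: conf setup with "kerberos" and the empty keytab value …
    UserGroupInformation.setConfiguration(conf);
    try {
      SecurityUtil.login(conf, keyTabKey, "", "");
      Assert.fail("Exception for empty keytabfile name was expected");
    } catch (IOException e) {
      // only the missing-keytab check should satisfy this test
      assertTrue(e.getMessage().contains("doesn't have a keytab"));
    } finally {
      // restore the default so later tests do not run with security enabled
      // (assumes a fresh Configuration selects simple authentication)
      UserGroupInformation.setConfiguration(new Configuration());
    }
  }
```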