You are viewing a plain text version of this content. The canonical link for it is here.
Posted to common-commits@hadoop.apache.org by to...@apache.org on 2011/01/06 19:34:44 UTC
svn commit: r1055997 - in /hadoop/common/branches/branch-0.22: CHANGES.txt src/java/org/apache/hadoop/security/UserGroupInformation.java src/test/core/org/apache/hadoop/security/TestUserGroupInformation.java

Author: todd
Date: Thu Jan  6 18:34:44 2011
New Revision: 1055997

URL: http://svn.apache.org/viewvc?rev=1055997&view=rev
Log:
HADOOP-7070. JAAS configuration should delegate unknown application names to pre-existing configuration. Contributed by Todd Lipcon

Modified:
    hadoop/common/branches/branch-0.22/CHANGES.txt
    hadoop/common/branches/branch-0.22/src/java/org/apache/hadoop/security/UserGroupInformation.java
    hadoop/common/branches/branch-0.22/src/test/core/org/apache/hadoop/security/TestUserGroupInformation.java

Modified: hadoop/common/branches/branch-0.22/CHANGES.txt
URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-0.22/CHANGES.txt?rev=1055997&r1=1055996&r2=1055997&view=diff
==============================================================================
--- hadoop/common/branches/branch-0.22/CHANGES.txt (original)
+++ hadoop/common/branches/branch-0.22/CHANGES.txt Thu Jan  6 18:34:44 2011
@@ -360,6 +360,9 @@ Release 0.22.0 - Unreleased
     HADOOP-7082. Configuration.writeXML should not hold lock while outputting
     (todd)
 
+    HADOOP-7070. JAAS configuration should delegate unknown application names
+    to pre-existing configuration. (todd)
+
 Release 0.21.1 - Unreleased
 
   IMPROVEMENTS

Modified: hadoop/common/branches/branch-0.22/src/java/org/apache/hadoop/security/UserGroupInformation.java
URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-0.22/src/java/org/apache/hadoop/security/UserGroupInformation.java?rev=1055997&r1=1055996&r2=1055997&view=diff
==============================================================================
--- hadoop/common/branches/branch-0.22/src/java/org/apache/hadoop/security/UserGroupInformation.java (original)
+++ hadoop/common/branches/branch-0.22/src/java/org/apache/hadoop/security/UserGroupInformation.java Thu Jan  6 18:34:44 2011
@@ -245,9 +245,23 @@ public class UserGroupInformation {
     // Set the configuration for JAAS to be the Hadoop configuration. 
     // This is done here rather than a static initializer to avoid a
     // circular dependence.
-    javax.security.auth.login.Configuration.setConfiguration
-        (new HadoopConfiguration());
-    
+    javax.security.auth.login.Configuration existingConfig = null;
+    try {
+      existingConfig =
+        javax.security.auth.login.Configuration.getConfiguration();
+    } catch (SecurityException se) {
+      // If no security configuration is on the classpath, then
+      // we catch this exception, and we don't need to delegate
+      // to anyone
+    }
+
+    if (existingConfig instanceof HadoopConfiguration) {
+      LOG.info("JAAS Configuration already set up for Hadoop, not re-installing.");
+    } else {
+      javax.security.auth.login.Configuration.setConfiguration(
+        new HadoopConfiguration(existingConfig));
+    }
+
     isInitialized = true;
     UserGroupInformation.conf = conf;
   }
@@ -395,6 +409,12 @@ public class UserGroupInformation {
     private static final AppConfigurationEntry[] KEYTAB_KERBEROS_CONF =
       new AppConfigurationEntry[]{KEYTAB_KERBEROS_LOGIN, HADOOP_LOGIN};
 
+    private final javax.security.auth.login.Configuration parent;
+
+    HadoopConfiguration(javax.security.auth.login.Configuration parent) {
+      this.parent = parent;
+    }
+
     @Override
     public AppConfigurationEntry[] getAppConfigurationEntry(String appName) {
       if (SIMPLE_CONFIG_NAME.equals(appName)) {
@@ -405,6 +425,8 @@ public class UserGroupInformation {
         KEYTAB_KERBEROS_OPTIONS.put("keyTab", keytabFile);
         KEYTAB_KERBEROS_OPTIONS.put("principal", keytabPrincipal);
         return KEYTAB_KERBEROS_CONF;
+      } else if (parent != null) {
+        return parent.getAppConfigurationEntry(appName);
       }
       return null;
     }

Modified: hadoop/common/branches/branch-0.22/src/test/core/org/apache/hadoop/security/TestUserGroupInformation.java
URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-0.22/src/test/core/org/apache/hadoop/security/TestUserGroupInformation.java?rev=1055997&r1=1055996&r2=1055997&view=diff
==============================================================================
--- hadoop/common/branches/branch-0.22/src/test/core/org/apache/hadoop/security/TestUserGroupInformation.java (original)
+++ hadoop/common/branches/branch-0.22/src/test/core/org/apache/hadoop/security/TestUserGroupInformation.java Thu Jan  6 18:34:44 2011
@@ -21,6 +21,7 @@ import static org.junit.Assert.assertEqu
 import static org.junit.Assert.assertFalse;
 import static org.junit.Assert.assertTrue;
 import static org.junit.Assert.fail;
+import org.mockito.Mockito;
 import static org.mockito.Mockito.mock;
 
 import java.io.BufferedReader;
@@ -31,6 +32,7 @@ import java.util.ArrayList;
 import java.util.Collection;
 import java.util.List;
 
+import javax.security.auth.login.AppConfigurationEntry;
 import javax.security.auth.login.LoginContext;
 
 import junit.framework.Assert;
@@ -49,7 +51,11 @@ public class TestUserGroupInformation {
   final private static String[] GROUP_NAMES = 
     new String[]{GROUP1_NAME, GROUP2_NAME, GROUP3_NAME};
   
+  private static javax.security.auth.login.Configuration mockJaasConf;
+
   static {
+    setupMockJaasParent();
+
     Configuration conf = new Configuration();
     conf.set("hadoop.security.auth_to_local",
         "RULE:[2:$1@$0](.*@HADOOP.APACHE.ORG)s/@.*//" +
@@ -346,4 +352,35 @@ public class TestUserGroupInformation {
       assertTrue(metrics.loginFailure.getPreviousIntervalAverageTime() > 0);
     }
   }
+
+  /**
+   * Setup a JAAS Configuration that handles a fake app.
+   * This runs before UserGroupInformation has been initialized,
+   * so UGI picks up this Configuration as the parent.
+   */
+  private static void setupMockJaasParent() {
+    javax.security.auth.login.Configuration existing = null;
+    try {
+      existing =javax.security.auth.login.Configuration.getConfiguration();
+      assertFalse("setupMockJaasParent should run before the Hadoop " +
+                  "configuration provider is installed.",
+                  existing.getClass().getCanonicalName()
+                  .startsWith("org.apache.hadoop"));
+    } catch (SecurityException se) {
+      // We get this if no configuration has been set. So it's OK.
+    }
+
+    mockJaasConf = mock(javax.security.auth.login.Configuration.class);
+    Mockito.doReturn(new AppConfigurationEntry[] {})
+      .when(mockJaasConf)
+      .getAppConfigurationEntry("foobar-app");
+    javax.security.auth.login.Configuration.setConfiguration(mockJaasConf);
+  }
+
+  @Test
+  public void testDelegateJaasConfiguration() throws Exception {
+    // This will throw if the Configuration doesn't have any entries
+    // for "foobar"
+    LoginContext login = new LoginContext("foobar-app");
+  }
 }