You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@slider.apache.org by go...@apache.org on 2016/03/16 21:57:58 UTC
[07/50] incubator-slider git commit: SLIDER-1035 kdiag check skips
user login if a keytab and principal is provided
SLIDER-1035 kdiag check skips user login if a keytab and principal is provided
Project: http://git-wip-us.apache.org/repos/asf/incubator-slider/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-slider/commit/d619bab9
Tree: http://git-wip-us.apache.org/repos/asf/incubator-slider/tree/d619bab9
Diff: http://git-wip-us.apache.org/repos/asf/incubator-slider/diff/d619bab9
Branch: refs/heads/feature/SLIDER-906_docker_support
Commit: d619bab92391f810a82348fbb946846bb6f47d79
Parents: 4fa7c18
Author: Steve Loughran <st...@apache.org>
Authored: Sun Jan 17 19:22:52 2016 -0800
Committer: Steve Loughran <st...@apache.org>
Committed: Sun Jan 17 19:22:52 2016 -0800
----------------------------------------------------------------------
.../apache/hadoop/security/KerberosDiags.java | 72 +++++++++++++-------
1 file changed, 49 insertions(+), 23 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-slider/blob/d619bab9/slider-core/src/main/java/org/apache/hadoop/security/KerberosDiags.java
----------------------------------------------------------------------
diff --git a/slider-core/src/main/java/org/apache/hadoop/security/KerberosDiags.java b/slider-core/src/main/java/org/apache/hadoop/security/KerberosDiags.java
index d0fba8e..a3d91f8 100644
--- a/slider-core/src/main/java/org/apache/hadoop/security/KerberosDiags.java
+++ b/slider-core/src/main/java/org/apache/hadoop/security/KerberosDiags.java
@@ -139,6 +139,7 @@ public class KerberosDiags implements Closeable {
// Fail fast on a JVM without JCE installed.
validateKeyLength();
+ validateJVMBinding();
title("System Properties");
for (String prop : new String[]{
@@ -188,7 +189,6 @@ public class KerberosDiags implements Closeable {
return false;
}
- validateJVM();
validateKrb5File();
validateSasl(HADOOP_SECURITY_SASL_PROPS_RESOLVER_CLASS);
validateSasl("dfs.data.transfer.saslproperties.resolver.class");
@@ -199,12 +199,17 @@ public class KerberosDiags implements Closeable {
boolean spnegoDebug = getAndSet(SUN_SECURITY_SPNEGO_DEBUG);
try {
title("Logging in");
- UserGroupInformation loginUser = getLoginUser();
- dumpUser("Log in user", loginUser);
- println("Ticket based login: %b", isLoginTicketBased());
- println("Keytab based login: %b", isLoginKeytabBased());
- validateUser("Login user", loginUser);
- loginFromKeytab();
+
+ if (keytab != null) {
+ dumpKeytab(keytab);
+ loginFromKeytab();
+ } else {
+ UserGroupInformation loginUser = getLoginUser();
+ dumpUGI("Log in user", loginUser);
+ validateUGI("Login user", loginUser);
+ println("Ticket based login: %b", isLoginTicketBased());
+ println("Keytab based login: %b", isLoginKeytabBased());
+ }
return true;
} finally {
@@ -227,7 +232,7 @@ public class KerberosDiags implements Closeable {
protected void validateKeyLength() throws NoSuchAlgorithmException {
int aesLen = Cipher.getMaxAllowedKeyLength("AES");
- println("Maximum AES encryption key length %d", aesLen);
+ println("Maximum AES encryption key length %d bits", aesLen);
failif (aesLen < minKeyLength,
CAT_JVM,
"Java Cryptography Extensions are not installed on this JVM."
@@ -236,9 +241,9 @@ public class KerberosDiags implements Closeable {
}
/**
- *
+ * Validate the binding between Hadoop and the JVM.
*/
- protected void validateJVM() {
+ protected void validateJVMBinding() {
println("JVM Kerberos Login Module = %s",
getKrb5LoginModuleName());
try {
@@ -255,7 +260,8 @@ public class KerberosDiags implements Closeable {
}
/**
- * Locate the krb5.conf file and dump it. No-op on windows
+ * Locate the krb5.conf file and dump it.
+ * No-op on windows.
* @throws IOException
*/
private void validateKrb5File() throws IOException {
@@ -296,15 +302,24 @@ public class KerberosDiags implements Closeable {
*/
private void dumpKeytab(File keytabFile) throws IOException {
title("Examining keytab %s", keytabFile);
+ File kt = keytabFile.getCanonicalFile();
+ failif(!kt.exists(), CAT_CONFIG, "Keytab not found: %s", kt);
+ failif(!kt.isFile(), CAT_CONFIG, "Keytab is not a valid file: %s", kt);
+
String[] names = getPrincipalNames(keytabFile.getCanonicalPath(),
Pattern.compile(".*"));
println("keytab entry count: %d", names.length);
for (String name : names) {
- println(name);
+ println(" %s", name);
}
println("-----");
}
+ /**
+ * Log in from a keytab, dump the UGI, validate it, then try and log in again.
+ * That second-time login catches JVM/Hadoop compatibility problems.
+ * @throws IOException
+ */
private void loginFromKeytab() throws IOException {
UserGroupInformation ugi;
String identity;
@@ -312,15 +327,12 @@ public class KerberosDiags implements Closeable {
File kt = keytab.getCanonicalFile();
println("Using keytab %s principal %s", kt, principal);
identity = principal;
- failif(!kt.exists(), CAT_LOGIN, "Keytab not found: %s", kt);
- failif(!kt.isFile(), CAT_LOGIN, "Keytab is not a valid file: %s", kt);
- dumpKeytab(kt);
failif(StringUtils.isEmpty(principal), CAT_KERBEROS,
"No principal defined");
ugi = loginUserFromKeytabAndReturnUGI(principal, kt.getPath());
- dumpUser(identity, ugi);
- validateUser(principal, ugi);
+ dumpUGI(identity, ugi);
+ validateUGI(principal, ugi);
title("Attempting to log in from keytab again");
// package scoped -hence the reason why this class must be in the
@@ -333,9 +345,15 @@ public class KerberosDiags implements Closeable {
}
}
- private void dumpUser(String message, UserGroupInformation ugi)
+ /**
+ * Dump a UGI.
+ * @param title title of this section
+ * @param ugi UGI to dump
+ * @throws IOException
+ */
+ private void dumpUGI(String title, UserGroupInformation ugi)
throws IOException {
- title(message);
+ title(title);
println("UGI instance = %s", ugi);
println("Has kerberos credentials: %b", ugi.hasKerberosCredentials());
println("Authentication method: %s", ugi.getAuthenticationMethod());
@@ -360,15 +378,23 @@ public class KerberosDiags implements Closeable {
dumpTokens(ugi);
}
- private void validateUser(String message, UserGroupInformation user) {
+ /**
+ * Validate the UGI: verify it is kerberized.
+ * @param messagePrefix message in exceptions
+ * @param user user to validate
+ */
+ private void validateUGI(String messagePrefix, UserGroupInformation user) {
failif(!user.hasKerberosCredentials(),
- CAT_LOGIN, "%s: No kerberos credentials for %s", message, user);
+ CAT_LOGIN, "%s: No kerberos credentials for %s", messagePrefix, user);
failif(user.getAuthenticationMethod() == null,
- CAT_LOGIN, "%s: Null AuthenticationMethod for %s", message, user);
+ CAT_LOGIN, "%s: Null AuthenticationMethod for %s", messagePrefix, user);
}
/**
- * A cursory look at the kinit executable: exists, size > 0.
+ * A cursory look at the {@code kinit} executable.
+ * If it is an absolute path: it must exist with a size > 0.
+ * If it is just a command, it has to be on the path. There's no check
+ * for that -but the PATH is printed out.
*/
private void validateKinitExecutable() {
String kinit = conf.getTrimmed(KERBEROS_KINIT_COMMAND, "");