You are viewing a plain text version of this content. The canonical link for it is here.
Posted to common-commits@hadoop.apache.org by cd...@apache.org on 2016/10/28 23:54:20 UTC
hadoop git commit: YARN-3460. TestSecureRMRegistryOperations fails
with IBM_JAVA. Contributed by Pascal Oliva
Repository: hadoop
Updated Branches:
refs/heads/trunk 112f04eb1 -> 76a104298
YARN-3460. TestSecureRMRegistryOperations fails with IBM_JAVA. Contributed by Pascal Oliva
Project: http://git-wip-us.apache.org/repos/asf/hadoop/repo
Commit: http://git-wip-us.apache.org/repos/asf/hadoop/commit/76a10429
Tree: http://git-wip-us.apache.org/repos/asf/hadoop/tree/76a10429
Diff: http://git-wip-us.apache.org/repos/asf/hadoop/diff/76a10429
Branch: refs/heads/trunk
Commit: 76a10429809c001c8f75e94e39729987d8100d00
Parents: 112f04e
Author: Chris Douglas <cd...@apache.org>
Authored: Fri Oct 28 13:18:57 2016 -0700
Committer: Chris Douglas <cd...@apache.org>
Committed: Fri Oct 28 16:49:36 2016 -0700
----------------------------------------------------------------------
.../client/impl/zk/RegistrySecurity.java | 14 ++-
.../registry/secure/KerberosConfiguration.java | 39 ++++++--
.../registry/secure/TestSecureLogins.java | 99 ++++++++++++--------
3 files changed, 100 insertions(+), 52 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/hadoop/blob/76a10429/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-registry/src/main/java/org/apache/hadoop/registry/client/impl/zk/RegistrySecurity.java
----------------------------------------------------------------------
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-registry/src/main/java/org/apache/hadoop/registry/client/impl/zk/RegistrySecurity.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-registry/src/main/java/org/apache/hadoop/registry/client/impl/zk/RegistrySecurity.java
index 49673fc..39325a3 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-registry/src/main/java/org/apache/hadoop/registry/client/impl/zk/RegistrySecurity.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-registry/src/main/java/org/apache/hadoop/registry/client/impl/zk/RegistrySecurity.java
@@ -52,6 +52,8 @@ import java.util.concurrent.CopyOnWriteArrayList;
import static org.apache.hadoop.registry.client.impl.zk.ZookeeperConfigOptions.*;
import static org.apache.hadoop.registry.client.api.RegistryConstants.*;
+import static org.apache.hadoop.util.PlatformName.IBM_JAVA;
+
/**
* Implement the registry security ... a self contained service for
* testability.
@@ -595,6 +597,16 @@ public class RegistrySecurity extends AbstractService {
* Note the semicolon on the last entry
*/
private static final String JAAS_ENTRY =
+ (IBM_JAVA ?
+ "%s { %n"
+ + " %s required%n"
+ + " useKeytab=\"%s\"%n"
+ + " debug=true%n"
+ + " principal=\"%s\"%n"
+ + " credsType=both%n"
+ + " refreshKrb5Config=true;%n"
+ + "}; %n"
+ :
"%s { %n"
+ " %s required%n"
// kerberos module
@@ -606,7 +618,7 @@ public class RegistrySecurity extends AbstractService {
+ " doNotPrompt=true%n"
+ " storeKey=true;%n"
+ "}; %n"
- ;
+ );
/**
* Create a JAAS entry for insertion
http://git-wip-us.apache.org/repos/asf/hadoop/blob/76a10429/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-registry/src/test/java/org/apache/hadoop/registry/secure/KerberosConfiguration.java
----------------------------------------------------------------------
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-registry/src/test/java/org/apache/hadoop/registry/secure/KerberosConfiguration.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-registry/src/test/java/org/apache/hadoop/registry/secure/KerberosConfiguration.java
index f511bf6..01f13a3 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-registry/src/test/java/org/apache/hadoop/registry/secure/KerberosConfiguration.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-registry/src/test/java/org/apache/hadoop/registry/secure/KerberosConfiguration.java
@@ -25,6 +25,8 @@ import java.io.File;
import java.util.HashMap;
import java.util.Map;
+import static org.apache.hadoop.util.PlatformName.IBM_JAVA;
+
class KerberosConfiguration extends javax.security.auth.login.Configuration {
private String principal;
private String keytab;
@@ -52,18 +54,35 @@ class KerberosConfiguration extends javax.security.auth.login.Configuration {
@Override
public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
Map<String, String> options = new HashMap<String, String>();
- options.put("keyTab", keytab);
- options.put("principal", principal);
- options.put("useKeyTab", "true");
- options.put("storeKey", "true");
- options.put("doNotPrompt", "true");
- options.put("useTicketCache", "true");
- options.put("renewTGT", "true");
- options.put("refreshKrb5Config", "true");
- options.put("isInitiator", Boolean.toString(isInitiator));
+ if (IBM_JAVA) {
+ options.put("useKeytab", keytab.startsWith("file://")
+ ? keytab
+ : "file://" + keytab);
+ options.put("principal", principal);
+ options.put("refreshKrb5Config", "true");
+ options.put("credsType", "both");
+ } else {
+ options.put("keyTab", keytab);
+ options.put("principal", principal);
+ options.put("useKeyTab", "true");
+ options.put("storeKey", "true");
+ options.put("doNotPrompt", "true");
+ options.put("useTicketCache", "true");
+ options.put("renewTGT", "true");
+ options.put("refreshKrb5Config", "true");
+ options.put("isInitiator", Boolean.toString(isInitiator));
+ }
String ticketCache = System.getenv("KRB5CCNAME");
if (ticketCache != null) {
- options.put("ticketCache", ticketCache);
+ if (IBM_JAVA) {
+ // IBM JAVA only respect system property and not env variable
+ // The first value searched when "useDefaultCcache" is used.
+ System.setProperty("KRB5CCNAME", ticketCache);
+ options.put("useDefaultCcache", "true");
+ options.put("renewTGT", "true");
+ } else {
+ options.put("ticketCache", ticketCache);
+ }
}
options.put("debug", "true");
http://git-wip-us.apache.org/repos/asf/hadoop/blob/76a10429/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-registry/src/test/java/org/apache/hadoop/registry/secure/TestSecureLogins.java
----------------------------------------------------------------------
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-registry/src/test/java/org/apache/hadoop/registry/secure/TestSecureLogins.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-registry/src/test/java/org/apache/hadoop/registry/secure/TestSecureLogins.java
index 5592e19..d66bb79 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-registry/src/test/java/org/apache/hadoop/registry/secure/TestSecureLogins.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-registry/src/test/java/org/apache/hadoop/registry/secure/TestSecureLogins.java
@@ -15,40 +15,39 @@
* See the License for the specific language governing permissions and
* limitations under the License.
*/
-
package org.apache.hadoop.registry.secure;
+import java.io.File;
+import java.lang.reflect.Constructor;
+import java.lang.reflect.Method;
+import java.security.Principal;
+import java.security.PrivilegedExceptionAction;
+import java.util.HashMap;
+import java.util.HashSet;
+import java.util.Map;
+import java.util.Set;
+import javax.security.auth.Subject;
+import javax.security.auth.callback.CallbackHandler;
+import javax.security.auth.kerberos.KerberosPrincipal;
+import javax.security.auth.login.LoginContext;
+import javax.security.auth.login.LoginException;
+import org.apache.zookeeper.Environment;
+import org.apache.zookeeper.data.ACL;
-import com.sun.security.auth.module.Krb5LoginModule;
import org.apache.commons.io.FileUtils;
import org.apache.hadoop.security.HadoopKerberosName;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.authentication.util.KerberosName;
import org.apache.hadoop.security.authentication.util.KerberosUtil;
-import org.apache.hadoop.util.Shell;
import org.apache.hadoop.registry.client.impl.zk.RegistrySecurity;
import org.apache.hadoop.registry.client.impl.zk.ZookeeperConfigOptions;
-import org.apache.zookeeper.Environment;
-import org.apache.zookeeper.data.ACL;
-import org.junit.Assume;
+import static org.apache.hadoop.util.PlatformName.IBM_JAVA;
+
import org.junit.Test;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
-import javax.security.auth.Subject;
-import javax.security.auth.kerberos.KerberosPrincipal;
-import javax.security.auth.login.LoginContext;
-import javax.security.auth.login.LoginException;
-import java.io.File;
-import java.io.IOException;
-import java.security.Principal;
-import java.security.PrivilegedExceptionAction;
-import java.util.HashMap;
-import java.util.HashSet;
-import java.util.Map;
-import java.util.Set;
-
/**
* Verify that logins work
*/
@@ -79,7 +78,6 @@ public class TestSecureLogins extends AbstractSecureRegistryTest {
assertEquals(jaasFile.getAbsolutePath(), confFilename);
}
-
@Test
public void testClientLogin() throws Throwable {
LoginContext client = login(ALICE_LOCALHOST,
@@ -108,7 +106,6 @@ public class TestSecureLogins extends AbstractSecureRegistryTest {
client.logout();
}
-
@Test
public void testServerLogin() throws Throwable {
LoginContext loginContext = createLoginContextZookeeperLocalhost();
@@ -127,34 +124,55 @@ public class TestSecureLogins extends AbstractSecureRegistryTest {
KerberosConfiguration.createServerConfig(ZOOKEEPER_LOCALHOST, keytab_zk));
}
-
@Test
public void testKerberosAuth() throws Throwable {
File krb5conf = getKdc().getKrb5conf();
String krbConfig = FileUtils.readFileToString(krb5conf);
LOG.info("krb5.conf at {}:\n{}", krb5conf, krbConfig);
Subject subject = new Subject();
-
- final Krb5LoginModule krb5LoginModule = new Krb5LoginModule();
+ Class<?> kerb5LoginClass =
+ Class.forName(KerberosUtil.getKrb5LoginModuleName());
+ Constructor<?> kerb5LoginConstr = kerb5LoginClass.getConstructor();
+ Object kerb5LoginObject = kerb5LoginConstr.newInstance();
final Map<String, String> options = new HashMap<String, String>();
- options.put("keyTab", keytab_alice.getAbsolutePath());
- options.put("principal", ALICE_LOCALHOST);
options.put("debug", "true");
- options.put("doNotPrompt", "true");
- options.put("isInitiator", "true");
- options.put("refreshKrb5Config", "true");
- options.put("renewTGT", "true");
- options.put("storeKey", "true");
- options.put("useKeyTab", "true");
- options.put("useTicketCache", "true");
-
- krb5LoginModule.initialize(subject, null,
- new HashMap<String, String>(),
- options);
-
- boolean loginOk = krb5LoginModule.login();
+ if (IBM_JAVA) {
+ options.put("useKeytab",
+ keytab_alice.getAbsolutePath().startsWith("file://")
+ ? keytab_alice.getAbsolutePath()
+ : "file://" + keytab_alice.getAbsolutePath());
+ options.put("principal", ALICE_LOCALHOST);
+ options.put("refreshKrb5Config", "true");
+ options.put("credsType", "both");
+ String ticketCache = System.getenv("KRB5CCNAME");
+ if (ticketCache != null) {
+ // IBM JAVA only respect system property and not env variable
+ // The first value searched when "useDefaultCcache" is used.
+ System.setProperty("KRB5CCNAME", ticketCache);
+ options.put("useDefaultCcache", "true");
+ options.put("renewTGT", "true");
+ }
+ } else {
+ options.put("keyTab", keytab_alice.getAbsolutePath());
+ options.put("principal", ALICE_LOCALHOST);
+ options.put("doNotPrompt", "true");
+ options.put("isInitiator", "true");
+ options.put("refreshKrb5Config", "true");
+ options.put("renewTGT", "true");
+ options.put("storeKey", "true");
+ options.put("useKeyTab", "true");
+ options.put("useTicketCache", "true");
+ }
+ Method methodInitialize =
+ kerb5LoginObject.getClass().getMethod("initialize", Subject.class,
+ CallbackHandler.class, Map.class, Map.class);
+ methodInitialize.invoke(kerb5LoginObject, subject, null,
+ new HashMap<String, String>(), options);
+ Method methodLogin = kerb5LoginObject.getClass().getMethod("login");
+ boolean loginOk = (Boolean) methodLogin.invoke(kerb5LoginObject);
assertTrue("Failed to login", loginOk);
- boolean commitOk = krb5LoginModule.commit();
+ Method methodCommit = kerb5LoginObject.getClass().getMethod("commit");
+ boolean commitOk = (Boolean) methodCommit.invoke(kerb5LoginObject);
assertTrue("Failed to Commit", commitOk);
}
@@ -185,7 +203,6 @@ public class TestSecureLogins extends AbstractSecureRegistryTest {
// new HadoopKerberosName(ZOOKEEPER_LOCALHOST_REALM).getShortName();
}
-
@Test
public void testUGILogin() throws Throwable {
---------------------------------------------------------------------
To unsubscribe, e-mail: common-commits-unsubscribe@hadoop.apache.org
For additional commands, e-mail: common-commits-help@hadoop.apache.org