You are viewing a plain text version of this content. The canonical link for it is here.
Posted to common-issues@hadoop.apache.org by "Ayush Saxena (Jira)" <ji...@apache.org> on 2020/04/13 20:48:00 UTC
[jira] [Commented] (HADOOP-16958) NPE when
hadoop.security.authorization is enabled but the input PolicyProvider for
ZKFCRpcServer is NULL
[ https://issues.apache.org/jira/browse/HADOOP-16958?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17082653#comment-17082653 ]
Ayush Saxena commented on HADOOP-16958:
---------------------------------------
Committed to trunk.
Thanx [~ctest.team] for the contribution!!!
> NPE when hadoop.security.authorization is enabled but the input PolicyProvider for ZKFCRpcServer is NULL
> --------------------------------------------------------------------------------------------------------
>
> Key: HADOOP-16958
> URL: https://issues.apache.org/jira/browse/HADOOP-16958
> Project: Hadoop Common
> Issue Type: Bug
> Components: common, ha
> Affects Versions: 3.2.1
> Reporter: Ctest
> Assignee: Ctest
> Priority: Critical
> Attachments: HADOOP-16958.000.patch, HADOOP-16958.001.patch, HADOOP-16958.002.patch, HADOOP-16958.003.patch, HADOOP-16958.004.patch
>
>
> During initialization, ZKFCRpcServer refreshes the service authorization ACL for the service handled by this server if config hadoop.security.authorization is enabled, by calling refreshServiceAcl with the input PolicyProvider and Configuration.
> {code:java}
> ZKFCRpcServer(Configuration conf,
> InetSocketAddress bindAddr,
> ZKFailoverController zkfc,
> PolicyProvider policy) throws IOException {
> this.server = ...
>
> // set service-level authorization security policy
> if (conf.getBoolean(
> CommonConfigurationKeys.HADOOP_SECURITY_AUTHORIZATION, false)) {
> server.refreshServiceAcl(conf, policy);
> }
> }{code}
> refreshServiceAcl calls ServiceAuthorizationManager#refreshWithLoadedConfiguration which directly gets services from the provider with provider.getServices(). When the provider is NULL, the code throws NPE without an informative message. In addition, the default value of config `hadoop.security.authorization.policyprovider` (which controls PolicyProvider here) is NULL and the only usage of ZKFCRpcServer initializer provides only an abstract method getPolicyProvider which does not enforce that PolicyProvider should not be NULL.
> The suggestion here is to either add a guard check or exception handling with an informative logging message on ZKFCRpcServer to handle input PolicyProvider being NULL.
>
> I am very happy to provide a patch for it if the issue is confirmed :)
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
---------------------------------------------------------------------
To unsubscribe, e-mail: common-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: common-issues-help@hadoop.apache.org