Posted to common-commits@hadoop.apache.org by om...@apache.org on 2014/02/14 22:25:12 UTC
svn commit: r1568525 - in
/hadoop/common/trunk/hadoop-common-project/hadoop-common: ./
src/main/java/org/apache/hadoop/ipc/
src/main/java/org/apache/hadoop/security/
src/test/java/org/apache/hadoop/security/
Author: omalley
Date: Fri Feb 14 21:25:12 2014
New Revision: 1568525
URL: http://svn.apache.org/r1568525
Log:
HADOOP-10342. Add a new method to UGI to use a Kerberos login subject to
build a new UGI. (Larry McCay via omalley)
Modified:
hadoop/common/trunk/hadoop-common-project/hadoop-common/CHANGES.txt
hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/ipc/Client.java
hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/UserGroupInformation.java
hadoop/common/trunk/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestUGIWithSecurityOn.java
hadoop/common/trunk/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestUserGroupInformation.java
Modified: hadoop/common/trunk/hadoop-common-project/hadoop-common/CHANGES.txt
URL: http://svn.apache.org/viewvc/hadoop/common/trunk/hadoop-common-project/hadoop-common/CHANGES.txt?rev=1568525&r1=1568524&r2=1568525&view=diff
==============================================================================
--- hadoop/common/trunk/hadoop-common-project/hadoop-common/CHANGES.txt (original)
+++ hadoop/common/trunk/hadoop-common-project/hadoop-common/CHANGES.txt Fri Feb 14 21:25:12 2014
@@ -118,6 +118,9 @@ Trunk (Unreleased)
HADOOP-10325. Improve jenkins javadoc warnings from test-patch.sh (cmccabe)
+ HADOOP-10342. Add a new method to UGI to use a Kerberos login subject to
+ build a new UGI. (Larry McCay via omalley)
+
BUG FIXES
HADOOP-9451. Fault single-layer config if node group topology is enabled.
Modified: hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/ipc/Client.java
URL: http://svn.apache.org/viewvc/hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/ipc/Client.java?rev=1568525&r1=1568524&r2=1568525&view=diff
==============================================================================
--- hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/ipc/Client.java (original)
+++ hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/ipc/Client.java Fri Feb 14 21:25:12 2014
@@ -649,7 +649,7 @@ public class Client {
// try re-login
if (UserGroupInformation.isLoginKeytabBased()) {
UserGroupInformation.getLoginUser().reloginFromKeytab();
- } else {
+ } else if (UserGroupInformation.isLoginTicketBased()) {
UserGroupInformation.getLoginUser().reloginFromTicketCache();
}
// have granularity of milliseconds
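Review bot: With the bare `else` narrowed to `else if (UserGroupInformation.isLoginTicketBased())`, a login that is neither keytab-based nor ticket-cache-based now leaves this block without any re-login and without a trace, so the retry that follows reuses the credentials that just failed. That looks intended for the Subject-based UGIs this commit introduces, but the reason should be stated at the branch, for example `// Subject-based logins cannot be refreshed here; whoever supplied the Subject must renew its tickets.` Both checks also consult `getLoginUser()`, so they describe the process-wide login rather than any UGI built with getUGIFromSubject. The enclosing method starts and ends outside this hunk.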
Modified: hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/UserGroupInformation.java
URL: http://svn.apache.org/viewvc/hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/UserGroupInformation.java?rev=1568525&r1=1568524&r2=1568525&view=diff
==============================================================================
--- hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/UserGroupInformation.java (original)
+++ hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/UserGroupInformation.java Fri Feb 14 21:25:12 2014
@@ -703,6 +703,35 @@ public class UserGroupInformation {
}
/**
+ * Create a UserGroupInformation from a Subject with Kerberos principal.
+ *
+ * @param user The KerberosPrincipal to use in UGI
+ *
+ * @throws IOException if the kerberos login fails
+ */
+ public static UserGroupInformation getUGIFromSubject(Subject subject)
+ throws IOException {
+ if (subject == null) {
+ throw new IOException("Subject must not be null");
+ }
+
+ if (subject.getPrincipals(KerberosPrincipal.class).isEmpty()) {
+ throw new IOException("Provided Subject must contain a KerberosPrincipal");
+ }
+
+ KerberosPrincipal principal =
+ subject.getPrincipals(KerberosPrincipal.class).iterator().next();
+
+ User ugiUser = new User(principal.getName(),
+ AuthenticationMethod.KERBEROS, null);
+ subject.getPrincipals().add(ugiUser);
+ UserGroupInformation ugi = new UserGroupInformation(subject);
+ ugi.setLogin(null);
+ ugi.setAuthenticationMethod(AuthenticationMethod.KERBEROS);
+ return ugi;
+ }
+
+ /**
* Get the currently logged in user.
* @return the logged in user
* @throws IOException if login fails
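Review bot: getUGIFromSubject() labels the result `AuthenticationMethod.KERBEROS` for any Subject that merely contains a KerberosPrincipal, without checking that the Subject holds Kerberos credentials; the test added in TestUserGroupInformation builds such a UGI from a bare `new KerberosPrincipal("guest")`. The Javadoc should say that the caller must pass only a Subject produced by a completed Kerberos login, since the method trusts the principal name as given; if enforcement is wanted, a check on `subject.getPrivateCredentials(KerberosTicket.class)` would be the place to start, though it would need that unit test reworked. In the same method, `iterator().next()` picks an arbitrary principal when the Subject carries more than one KerberosPrincipal. `subject.getPrincipals().add(ugiUser)` also mutates the caller's Subject, and throws IllegalStateException rather than the documented IOException when the Subject is read-only. The tag `@param user` should read `@param subject`, and an `@return` line is missing.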
@@ -1102,6 +1131,14 @@ public class UserGroupInformation {
}
/**
+ * Did the login happen via ticket cache
+ * @return true or false
+ */
+ public static boolean isLoginTicketBased() throws IOException {
+ return getLoginUser().isKrbTkt;
+ }
+
+ /**
* Create a user from a login name. It is intended to be used for remote
* users in RPC, since it won't have any credentials.
* @param user the full user principal name, must not be empty or null
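Review bot: The Javadoc on isLoginTicketBased() says only `@return true or false` and does not mention that the method can throw. It goes through getLoginUser(), whose own Javadoc states it throws IOException if login fails, so asking this question may itself attempt a login. I would write `@return true if the login user's credentials came from a Kerberos ticket cache` (assuming that is what `isKrbTkt` records; its assignment is outside this hunk) and add `@throws IOException if the login user cannot be obtained`.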
@@ -1619,5 +1656,4 @@ public class UserGroupInformation {
System.out.println("Keytab " + loginUser.isKeytab);
}
}
-
}
Modified: hadoop/common/trunk/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestUGIWithSecurityOn.java
URL: http://svn.apache.org/viewvc/hadoop/common/trunk/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestUGIWithSecurityOn.java?rev=1568525&r1=1568524&r2=1568525&view=diff
==============================================================================
--- hadoop/common/trunk/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestUGIWithSecurityOn.java (original)
+++ hadoop/common/trunk/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestUGIWithSecurityOn.java Fri Feb 14 21:25:12 2014
@@ -17,8 +17,14 @@
package org.apache.hadoop.security;
import java.io.IOException;
+import java.security.PrivilegedAction;
+import java.util.Set;
+
+import javax.security.auth.kerberos.KerberosPrincipal;
import junit.framework.Assert;
+import static org.junit.Assert.*;
+
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.security.UserGroupInformation.AuthenticationMethod;
@@ -72,4 +78,40 @@ public class TestUGIWithSecurityOn {
ex.printStackTrace();
}
}
+
+ @Test
+ public void testGetUGIFromKerberosSubject() throws IOException {
+ String user1keyTabFilepath = System.getProperty("kdc.resource.dir")
+ + "/keytabs/user1.keytab";
+
+ UserGroupInformation ugi = UserGroupInformation
+ .loginUserFromKeytabAndReturnUGI("user1@EXAMPLE.COM",
+ user1keyTabFilepath);
+ Set<KerberosPrincipal> principals = ugi.getSubject().getPrincipals(
+ KerberosPrincipal.class);
+ if (principals.isEmpty()) {
+ Assert.fail("There should be a kerberos principal in the subject.");
+ }
+ else {
+ UserGroupInformation ugi2 = UserGroupInformation.getUGIFromSubject(
+ ugi.getSubject());
+ if (ugi2 != null) {
+ ugi2.doAs(new PrivilegedAction<Object>() {
+
+ @Override
+ public Object run() {
+ try {
+ UserGroupInformation ugi3 = UserGroupInformation.getCurrentUser();
+ String doAsUserName = ugi3.getUserName();
+ assertEquals(doAsUserName, "user1@EXAMPLE.COM");
+ System.out.println("DO AS USERNAME: " + doAsUserName);
+ } catch (IOException e) {
+ e.printStackTrace();
+ }
+ return null;
+ }
+ });
+ }
+ }
+ }
}
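Review bot: testGetUGIFromKerberosSubject can pass without verifying anything: `if (ugi2 != null)` skips the whole check when no UGI comes back, and `catch (IOException e) { e.printStackTrace(); }` inside run() swallows a failing getCurrentUser(). Replace the guard with `assertNotNull(ugi2);` and the catch body with `fail("getCurrentUser failed: " + e);`, or switch to a PrivilegedExceptionAction so the exception propagates out of doAs. The arguments in `assertEquals(doAsUserName, "user1@EXAMPLE.COM")` are in actual/expected order; JUnit reports failures correctly only with the expected value first. The `else` on its own line after `}` also departs from the brace style used in the rest of the file shown here.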
Modified: hadoop/common/trunk/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestUserGroupInformation.java
URL: http://svn.apache.org/viewvc/hadoop/common/trunk/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestUserGroupInformation.java?rev=1568525&r1=1568524&r2=1568525&view=diff
==============================================================================
--- hadoop/common/trunk/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestUserGroupInformation.java (original)
+++ hadoop/common/trunk/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestUserGroupInformation.java Fri Feb 14 21:25:12 2014
@@ -28,6 +28,7 @@ import org.apache.hadoop.util.Shell;
import org.junit.*;
import javax.security.auth.Subject;
+import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.LoginContext;
import java.io.BufferedReader;
@@ -768,6 +769,16 @@ public class TestUserGroupInformation {
});
}
+ @Test (timeout = 30000)
+ public void testGetUGIFromSubject() throws Exception {
+ KerberosPrincipal p = new KerberosPrincipal("guest");
+ Subject subject = new Subject();
+ subject.getPrincipals().add(p);
+ UserGroupInformation ugi = UserGroupInformation.getUGIFromSubject(subject);
+ assertNotNull(ugi);
+ assertEquals("guest@DEFAULT.REALM", ugi.getUserName());
+ }
+
/** Test hasSufficientTimeElapsed method */
@Test (timeout = 30000)
public void testHasSufficientTimeElapsed() throws Exception {