Posted to common-commits@hadoop.apache.org by om...@apache.org on 2011/03/04 05:43:50 UTC
svn commit: r1077681 - in
/hadoop/common/branches/branch-0.20-security-patches/src:
core/org/apache/hadoop/security/UserGroupInformation.java
hdfs/org/apache/hadoop/hdfs/HftpFileSystem.java
Author: omalley
Date: Fri Mar 4 04:43:50 2011
New Revision: 1077681
URL: http://svn.apache.org/viewvc?rev=1077681&view=rev
Log:
commit 817f09b0314174d265e745632a5fcb26ab068a38
Author: Jitendra Nath Pandey <jitendra@sufferhome-lm.(none)>
Date: Thu Sep 16 16:45:03 2010 -0700
HDFS-1364. HFTP client should support relogin from keytab
Modified:
hadoop/common/branches/branch-0.20-security-patches/src/core/org/apache/hadoop/security/UserGroupInformation.java
hadoop/common/branches/branch-0.20-security-patches/src/hdfs/org/apache/hadoop/hdfs/HftpFileSystem.java
Modified: hadoop/common/branches/branch-0.20-security-patches/src/core/org/apache/hadoop/security/UserGroupInformation.java
URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-0.20-security-patches/src/core/org/apache/hadoop/security/UserGroupInformation.java?rev=1077681&r1=1077680&r2=1077681&view=diff
==============================================================================
--- hadoop/common/branches/branch-0.20-security-patches/src/core/org/apache/hadoop/security/UserGroupInformation.java (original)
+++ hadoop/common/branches/branch-0.20-security-patches/src/core/org/apache/hadoop/security/UserGroupInformation.java Fri Mar 4 04:43:50 2011
@@ -440,6 +440,32 @@ public class UserGroupInformation {
public boolean isFromKeytab() {
return isKeytab;
}
+
+ /**
+ * Get the Kerberos TGT
+ * @return the user's TGT or null if none was found
+ */
+ private KerberosTicket getTGT() {
+ Set<KerberosTicket> tickets =
+ subject.getPrivateCredentials(KerberosTicket.class);
+ for(KerberosTicket ticket: tickets) {
+ KerberosPrincipal server = ticket.getServer();
+ if (server.getName().equals("krbtgt/" + server.getRealm() +
+ "@" + server.getRealm())) {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("Found tgt " + ticket);
+ }
+ return ticket;
+ }
+ }
+ return null;
+ }
+
+ private long getRefreshTime(KerberosTicket tgt) {
+ long start = tgt.getStartTime().getTime();
+ long end = tgt.getEndTime().getTime();
+ return start + (long) ((end - start) * TICKET_RENEW_WINDOW);
+ }
/**Spawn a thread to do periodic renewals of kerberos credentials*/
private void spawnAutoRenewalThreadForUserCreds() {
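Review bot: The debug statement in getTGT() logs the entire KerberosTicket via string concatenation, and in the JDK implementations I am aware of KerberosTicket.toString() includes a hex dump of the session key, so enabling DEBUG on this class writes live Kerberos key material to the log. Now that the helper is promoted to class scope and reused by the keytab relogin path rather than only the renewal thread, this is worth tightening to `LOG.debug("Found tgt for " + ticket.getClient() + ", expires " + ticket.getEndTime());`. The Javadoc should also state that only a same-realm TGT (`krbtgt/REALM@REALM`) is matched, so a subject holding only a cross-realm TGT yields null and callers will see no ticket to refresh. The helpers are moved verbatim from the renewal thread; spawnAutoRenewalThreadForUserCreds continues outside the hunk.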
@@ -448,32 +474,6 @@ public class UserGroupInformation {
if (user.getAuthenticationMethod() == AuthenticationMethod.KERBEROS &&
!isKeytab) {
Thread t = new Thread(new Runnable() {
-
- /**
- * Get the Kerberos TGT
- * @return the user's TGT or null if none was found
- */
- private KerberosTicket getTGT() {
- Set<KerberosTicket> tickets =
- subject.getPrivateCredentials(KerberosTicket.class);
- for(KerberosTicket ticket: tickets) {
- KerberosPrincipal server = ticket.getServer();
- if (server.getName().equals("krbtgt/" + server.getRealm() +
- "@" + server.getRealm())) {
- if (LOG.isDebugEnabled()) {
- LOG.debug("Found tgt " + ticket);
- }
- return ticket;
- }
- }
- return null;
- }
-
- private long getRefreshTime(KerberosTicket tgt) {
- long start = tgt.getStartTime().getTime();
- long end = tgt.getEndTime().getTime();
- return start + (long) ((end - start) * TICKET_RENEW_WINDOW);
- }
public void run() {
String cmd = conf.get("hadoop.kerberos.kinit.command",
@@ -643,6 +643,28 @@ public class UserGroupInformation {
if(oldKeytabPrincipal != null) keytabPrincipal = oldKeytabPrincipal;
}
}
+
+ /**
+ * Re-login a user from keytab if TGT is expired or is close to expiry.
+ *
+ * @throws IOException
+ */
+ public synchronized void checkTGTAndReloginFromKeytab() throws IOException {
+ //TODO: The method reloginFromKeytab should be refactored to use this
+ // implementation.
+ if (!isSecurityEnabled()
+ || user.getAuthenticationMethod() != AuthenticationMethod.KERBEROS
+ || !isKeytab)
+ return;
+ KerberosTicket tgt = getTGT();
+ if (tgt == null) {
+ return;
+ }
+
+ if (System.currentTimeMillis() > getRefreshTime(tgt)) {
+ reloginFromKeytab();
+ }
+ }
/**
* Re-Login a user in from a keytab file. Loads a user identity from a keytab
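Review bot: checkTGTAndReloginFromKeytab() returns early when getTGT() finds no TGT in the subject, but for a keytab login a missing TGT (already expired and purged, or never obtained) is exactly the case a relogin is meant to repair, so the subsequent HTTPS call in HftpFileSystem fails with an authentication error instead of recovering. Treat a null TGT like an expired one: `if (tgt == null || System.currentTimeMillis() > getRefreshTime(tgt)) { reloginFromKeytab(); }`. Whether reloginFromKeytab() itself rate-limits repeated attempts is not visible in this hunk; if it does not, callers invoking this method on every request could hammer the KDC whenever the keytab login keeps failing, so a short back-off there would be prudent. The Javadoc should also say the method is a no-op unless security is enabled and the user was logged in from a keytab, which the guard at the top implements.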
Modified: hadoop/common/branches/branch-0.20-security-patches/src/hdfs/org/apache/hadoop/hdfs/HftpFileSystem.java
URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-0.20-security-patches/src/hdfs/org/apache/hadoop/hdfs/HftpFileSystem.java?rev=1077681&r1=1077680&r2=1077681&view=diff
==============================================================================
--- hadoop/common/branches/branch-0.20-security-patches/src/hdfs/org/apache/hadoop/hdfs/HftpFileSystem.java (original)
+++ hadoop/common/branches/branch-0.20-security-patches/src/hdfs/org/apache/hadoop/hdfs/HftpFileSystem.java Fri Mar 4 04:43:50 2011
@@ -165,6 +165,10 @@ public class HftpFileSystem extends File
break;
}
}
+
+ //Renew TGT if needed
+ ugi.checkTGTAndReloginFromKeytab();
+
//since we don't already have a token, go get one over https
if (delegationToken == null) {
delegationToken =
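Review bot: The relogin check sits before `if (delegationToken == null)` and therefore runs even when the loop above already found a delegation token and no Kerberos exchange is about to happen. Move `ugi.checkTGTAndReloginFromKeytab();` inside that block, immediately before the token fetch, so the TGT is only refreshed when it will actually be used to authenticate over https. The comment `//Renew TGT if needed` could say why this is necessary here: `// A keytab login's TGT may have expired since this file system was opened; refresh it before authenticating over https`. The enclosing method begins outside this hunk, so whether IOException from the relogin is already declared by it cannot be confirmed from here.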
@@ -661,6 +665,7 @@ public class HftpFileSystem extends File
final HftpFileSystem fs = weakFs.get();
if (fs != null) {
synchronized (fs) {
+ fs.ugi.checkTGTAndReloginFromKeytab();
fs.ugi.doAs(new PrivilegedExceptionAction<Void>() {
@Override