Posted to common-commits@hadoop.apache.org by ji...@apache.org on 2017/12/28 07:18:12 UTC
hadoop git commit: HADOOP-15143. NPE due to Invalid KerberosTicket in
UGI. Contributed by Mukul Kumar Singh.
Repository: hadoop
Updated Branches:
refs/heads/trunk 52babbb4a -> d31c9d8c4
HADOOP-15143. NPE due to Invalid KerberosTicket in UGI. Contributed by Mukul Kumar Singh.
Project: http://git-wip-us.apache.org/repos/asf/hadoop/repo
Commit: http://git-wip-us.apache.org/repos/asf/hadoop/commit/d31c9d8c
Tree: http://git-wip-us.apache.org/repos/asf/hadoop/tree/d31c9d8c
Diff: http://git-wip-us.apache.org/repos/asf/hadoop/diff/d31c9d8c
Branch: refs/heads/trunk
Commit: d31c9d8c495794a803fb20729b5ed6b374e23eb4
Parents: 52babbb
Author: Jitendra Pandey <ji...@apache.org>
Authored: Wed Dec 27 23:17:07 2017 -0800
Committer: Jitendra Pandey <ji...@apache.org>
Committed: Wed Dec 27 23:17:07 2017 -0800
----------------------------------------------------------------------
.../hadoop/security/UserGroupInformation.java | 5 +-
.../security/TestFixKerberosTicketOrder.java | 77 ++++++++++++++++++++
2 files changed, 81 insertions(+), 1 deletion(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/hadoop/blob/d31c9d8c/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/UserGroupInformation.java
----------------------------------------------------------------------
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/UserGroupInformation.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/UserGroupInformation.java
index f7aea31..726e811 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/UserGroupInformation.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/UserGroupInformation.java
@@ -1253,7 +1253,10 @@ public class UserGroupInformation {
Object cred = iter.next();
if (cred instanceof KerberosTicket) {
KerberosTicket ticket = (KerberosTicket) cred;
- if (!ticket.getServer().getName().startsWith("krbtgt")) {
+ if (ticket.isDestroyed() || ticket.getServer() == null) {
+ LOG.warn("Ticket is already destroyed, remove it.");
+ iter.remove();
+ } else if (!ticket.getServer().getName().startsWith("krbtgt")) {
LOG.warn(
"The first kerberos ticket is not TGT"
+ "(the server principal is {}), remove and destroy it.",
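Review bot: The new branch reads `ticket.getServer()` twice — once in the added null check and again in the `else if` on the following line — so a ticket destroyed by another thread between the two reads (a concurrent relogin, if this loop is not serialized against logout/relogin; the JDK's `destroy()` appears to clear the server field, which is what produced the NPE this commit fixes) can still reach `.getName()` on a null. Reading the principal once closes that window: `KerberosPrincipal server = ticket.getServer();` / `if (ticket.isDestroyed() || server == null) {` / `} else if (!server.getName().startsWith("krbtgt")) {` (assuming `javax.security.auth.kerberos.KerberosPrincipal` is already imported alongside `KerberosTicket`). The added warning also says "already destroyed" for the `getServer() == null` case, which is not necessarily a destroyed ticket; `LOG.warn("Ticket is destroyed or has no server principal, removing it.");` describes both conditions. The enclosing loop and method start before and continue after this hunk.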
http://git-wip-us.apache.org/repos/asf/hadoop/blob/d31c9d8c/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestFixKerberosTicketOrder.java
----------------------------------------------------------------------
diff --git a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestFixKerberosTicketOrder.java b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestFixKerberosTicketOrder.java
index 4b75a36..cbea393 100644
--- a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestFixKerberosTicketOrder.java
+++ b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestFixKerberosTicketOrder.java
@@ -155,4 +155,81 @@ public class TestFixKerberosTicketOrder extends KerberosSecurityTestcase {
.filter(t -> t.getServer().getName().startsWith(server2Protocol))
.findAny().isPresent());
}
+
+ @Test
+ public void testWithDestroyedTGT() throws Exception {
+ UserGroupInformation ugi =
+ UserGroupInformation.loginUserFromKeytabAndReturnUGI(clientPrincipal,
+ keytabFile.getCanonicalPath());
+ ugi.doAs(new PrivilegedExceptionAction<Void>() {
+
+ @Override
+ public Void run() throws Exception {
+ SaslClient client = Sasl.createSaslClient(
+ new String[] {AuthMethod.KERBEROS.getMechanismName()},
+ clientPrincipal, server1Protocol, host, props, null);
+ client.evaluateChallenge(new byte[0]);
+ client.dispose();
+ return null;
+ }
+ });
+
+ Subject subject = ugi.getSubject();
+
+ // mark the ticket as destroyed
+ for (KerberosTicket ticket : subject
+ .getPrivateCredentials(KerberosTicket.class)) {
+ if (ticket.getServer().getName().startsWith("krbtgt")) {
+ ticket.destroy();
+ break;
+ }
+ }
+
+ ugi.fixKerberosTicketOrder();
+
+ // verify that after fixing, the tgt ticket should be removed
+ assertFalse("The first ticket is not tgt",
+ subject.getPrivateCredentials().stream()
+ .filter(c -> c instanceof KerberosTicket)
+ .map(c -> ((KerberosTicket) c).getServer().getName()).findFirst()
+ .isPresent());
+
+
+ // should fail as we send a service ticket instead of tgt to KDC.
+ intercept(SaslException.class,
+ () -> ugi.doAs(new PrivilegedExceptionAction<Void>() {
+
+ @Override
+ public Void run() throws Exception {
+ SaslClient client = Sasl.createSaslClient(
+ new String[] {AuthMethod.KERBEROS.getMechanismName()},
+ clientPrincipal, server2Protocol, host, props, null);
+ client.evaluateChallenge(new byte[0]);
+ client.dispose();
+ return null;
+ }
+ }));
+
+ // relogin to get a new ticket
+ ugi.reloginFromKeytab();
+
+ // make sure we can get new service ticket after the relogin.
+ ugi.doAs(new PrivilegedExceptionAction<Void>() {
+
+ @Override
+ public Void run() throws Exception {
+ SaslClient client = Sasl.createSaslClient(
+ new String[] {AuthMethod.KERBEROS.getMechanismName()},
+ clientPrincipal, server2Protocol, host, props, null);
+ client.evaluateChallenge(new byte[0]);
+ client.dispose();
+ return null;
+ }
+ });
+
+ assertTrue("No service ticket for " + server2Protocol + " found",
+ subject.getPrivateCredentials(KerberosTicket.class).stream()
+ .filter(t -> t.getServer().getName().startsWith(server2Protocol))
+ .findAny().isPresent());
+ }
}
\ No newline at end of file
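Review bot: The assertion message `"The first ticket is not tgt"` does not describe what the assertion checks — the stream asserts that no KerberosTicket of any kind remains in the Subject, while the comment above it says only that the TGT should be removed. Since the service ticket obtained for server1Protocol earlier in the test is also gone (presumably dropped by the not-a-TGT branch once the destroyed TGT is removed and the service ticket becomes first), both should say so: `// after fixing, the destroyed TGT and the orphaned service ticket are both removed` and `assertFalse("Subject still holds a KerberosTicket", ...)`. The comment before the intercept, "should fail as we send a service ticket instead of tgt to KDC.", was carried over from the sibling test and no longer matches this scenario, where no ticket is left at all; `// should fail: no TGT is left to request a service ticket with` is accurate. Note also that the test relies on the Subject's credential iteration order to pick which ticket fixKerberosTicketOrder removes, which is worth stating in a comment if that order is not guaranteed. The test method is complete within the hunk.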
---------------------------------------------------------------------