Posted to commits@accumulo.apache.org by bu...@apache.org on 2016/08/27 03:10:41 UTC

[2/4] accumulo git commit: ACCUMULO-4421 Ensure that TraceServer launches the Kerberos ticket renewal thread

ACCUMULO-4421 Ensure that TraceServer launches the Kerberos ticket renewal thread

The previous method that TraceServer was using on SecurityUtil
only performed the login and was relying on incorrect functionality
in Hadoop's UGI to launch a renewal thread. This logic is incorrect.
Refactored SecurityUtil a little to prevent other callers from
making the same mistake in the future.

Signed-off-by: Sean Busbey <bu...@cloudera.com>


Project: http://git-wip-us.apache.org/repos/asf/accumulo/repo
Commit: http://git-wip-us.apache.org/repos/asf/accumulo/commit/2be85ade
Tree: http://git-wip-us.apache.org/repos/asf/accumulo/tree/2be85ade
Diff: http://git-wip-us.apache.org/repos/asf/accumulo/diff/2be85ade

Branch: refs/heads/master
Commit: 2be85ade34c413cc32db838e6125e582b829ef03
Parents: d66a8d0
Author: Josh Elser <el...@apache.org>
Authored: Fri Aug 26 17:33:42 2016 -0400
Committer: Sean Busbey <bu...@cloudera.com>
Committed: Fri Aug 26 19:08:56 2016 -0500

----------------------------------------------------------------------
 .../accumulo/server/security/SecurityUtil.java  | 30 ++++++++++++++------
 .../org/apache/accumulo/tracer/TraceServer.java | 13 +--------
 2 files changed, 23 insertions(+), 20 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/accumulo/blob/2be85ade/server/base/src/main/java/org/apache/accumulo/server/security/SecurityUtil.java
----------------------------------------------------------------------
diff --git a/server/base/src/main/java/org/apache/accumulo/server/security/SecurityUtil.java b/server/base/src/main/java/org/apache/accumulo/server/security/SecurityUtil.java
index 73f671b..38afa31 100644
--- a/server/base/src/main/java/org/apache/accumulo/server/security/SecurityUtil.java
+++ b/server/base/src/main/java/org/apache/accumulo/server/security/SecurityUtil.java
@@ -40,17 +40,31 @@ public class SecurityUtil {
    * {@link #login(String, String)}
    */
   public static void serverLogin(AccumuloConfiguration acuConf) {
-    String keyTab = acuConf.getPath(Property.GENERAL_KERBEROS_KEYTAB);
+    serverLogin(acuConf, acuConf.getPath(Property.GENERAL_KERBEROS_KEYTAB), acuConf.get(Property.GENERAL_KERBEROS_PRINCIPAL));
+  }
+
+  /**
+   * Performs a Kerberos login using the given Kerberos principal and keytab if they are non-null and positive length Strings. This method automaticallys spawns
+   * a thread to renew the given ticket upon successful login using {@link Property#GENERAL_KERBEROS_RENEWAL_PERIOD} as the renewal period. This method does
+   * nothing if either {@code keyTab} or {@code principal} are null or of zero length.
+   *
+   * @param acuConf
+   *          The Accumulo configuration
+   * @param keyTab
+   *          The path to the Kerberos keytab file
+   * @param principal
+   *          The Kerberos principal
+   */
+  public static void serverLogin(AccumuloConfiguration acuConf, String keyTab, String principal) {
     if (keyTab == null || keyTab.length() == 0)
       return;
 
-    usingKerberos = true;
-
-    String principalConfig = acuConf.get(Property.GENERAL_KERBEROS_PRINCIPAL);
-    if (principalConfig == null || principalConfig.length() == 0)
+    if (principal == null || principal.length() == 0)
       return;
 
-    if (login(principalConfig, keyTab)) {
+    usingKerberos = true;
+
+    if (login(principal, keyTab)) {
       try {
         startTicketRenewalThread(UserGroupInformation.getCurrentUser(), acuConf.getTimeInMillis(Property.GENERAL_KERBEROS_RENEWAL_PERIOD));
         return;
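Review bot: The new `serverLogin(acuConf, keyTab, principal)` returns silently when only one of `keyTab` and `principal` is set, so a half-configured server starts without a Kerberos login and leaves nothing in the log to explain why. Logging a warning before the second `return` (keytab configured, principal missing) would make that misconfiguration visible to operators. `usingKerberos = true` now runs only after both checks, whereas before it was set as soon as a keytab was present; the readers of that flag are not visible here, so confirm the change is intended. The Javadoc also has the typo `automaticallys`, and the method body continues past the end of this hunk.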
@@ -59,7 +73,7 @@ public class SecurityUtil {
       }
     }
 
-    throw new RuntimeException("Failed to perform Kerberos login for " + principalConfig + " using  " + keyTab);
+    throw new RuntimeException("Failed to perform Kerberos login for " + principal + " using  " + keyTab);
   }
 
   /**
@@ -70,7 +84,7 @@ public class SecurityUtil {
    *          replaced by the systems host name.
    * @return true if login succeeded, otherwise false
    */
-  public static boolean login(String principalConfig, String keyTabPath) {
+  static boolean login(String principalConfig, String keyTabPath) {
     try {
       String principalName = getServerPrincipal(principalConfig);
       if (keyTabPath != null && principalName != null && keyTabPath.length() != 0 && principalName.length() != 0) {
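Review bot: The Javadoc on the public `serverLogin(AccumuloConfiguration)` still contains `{@link #login(String, String)}` (context line at the top of the first hunk), but `login` is package-private after this change, so the link points at a member that the public API docs will not include. Rewording that sentence, or linking to the new three-argument `serverLogin`, would keep the docs consistent. A comment on `login` such as `// package-private: outside callers must use serverLogin so the ticket renewal thread is started` would record why the visibility was narrowed. The body of `login` continues outside the hunk.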

http://git-wip-us.apache.org/repos/asf/accumulo/blob/2be85ade/server/tracer/src/main/java/org/apache/accumulo/tracer/TraceServer.java
----------------------------------------------------------------------
diff --git a/server/tracer/src/main/java/org/apache/accumulo/tracer/TraceServer.java b/server/tracer/src/main/java/org/apache/accumulo/tracer/TraceServer.java
index 2a06dc3..10601ba 100644
--- a/server/tracer/src/main/java/org/apache/accumulo/tracer/TraceServer.java
+++ b/server/tracer/src/main/java/org/apache/accumulo/tracer/TraceServer.java
@@ -61,7 +61,6 @@ import org.apache.accumulo.tracer.thrift.RemoteSpan;
 import org.apache.accumulo.tracer.thrift.SpanReceiver.Iface;
 import org.apache.accumulo.tracer.thrift.SpanReceiver.Processor;
 import org.apache.hadoop.io.Text;
-import org.apache.hadoop.security.UserGroupInformation;
 import org.apache.htrace.Span;
 import org.apache.thrift.TByteArrayOutputStream;
 import org.apache.thrift.TException;
@@ -334,17 +333,7 @@ public class TraceServer implements Watcher {
           return;
 
         log.info("Attempting to login as {} with {}", principalConfig, keyTab);
-        if (SecurityUtil.login(principalConfig, keyTab)) {
-          try {
-            // This spawns a thread to periodically renew the logged in (trace) user
-            UserGroupInformation.getLoginUser();
-            return;
-          } catch (IOException io) {
-            log.error("Error starting up renewal thread. This shouldn't be happening.", io);
-          }
-        }
-
-        throw new RuntimeException("Failed to perform Kerberos login for " + principalConfig + " using  " + keyTab);
+        SecurityUtil.serverLogin(acuConf, keyTab, principalConfig);
       }
     } catch (IOException | ClassNotFoundException exception) {
       final String msg = String.format("Failed to retrieve trace user token information based on property %1s.", Property.TRACE_TOKEN_TYPE);
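Review bot: The new call passes `(acuConf, keyTab, principalConfig)`, the reverse of the `login(principalConfig, keyTab)` order it replaces. Both arguments are plain Strings, so a transposition at this or a future call site would compile and only show up as a login failure at runtime. The removed block also carried the only comment explaining that a renewal thread is needed for the trace user. A replacement such as `// serverLogin logs in from the keytab and starts the Kerberos ticket renewal thread` above the call would keep that intent visible. The enclosing method and the guard ending in `return;` begin outside the hunk.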