You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@storm.apache.org by et...@apache.org on 2020/04/08 21:11:25 UTC
[storm] branch master updated: STORM-3606 prevent Hadoop renewal
thread from running (NPEs and restarts worker)
This is an automated email from the ASF dual-hosted git repository.
ethanli pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/storm.git
The following commit(s) were added to refs/heads/master by this push:
new 257ae2f STORM-3606 prevent Hadoop renewal thread from running (NPEs and restarts worker)
new 00f48d6 Merge pull request #3245 from agresch/agresch_storm_3606
257ae2f is described below
commit 257ae2fc52a1b097e62cacdae9a0347d1c7db139
Author: Aaron Gresch <ag...@yahoo-inc.com>
AuthorDate: Wed Apr 1 16:55:31 2020 -0500
STORM-3606 prevent Hadoop renewal thread from running (NPEs and restarts worker)
---
.../storm/security/auth/kerberos/AutoTGT.java | 40 ++++++++++++++++------
1 file changed, 30 insertions(+), 10 deletions(-)
diff --git a/storm-client/src/jvm/org/apache/storm/security/auth/kerberos/AutoTGT.java b/storm-client/src/jvm/org/apache/storm/security/auth/kerberos/AutoTGT.java
index 6d7e16b..f7fdda7 100644
--- a/storm-client/src/jvm/org/apache/storm/security/auth/kerberos/AutoTGT.java
+++ b/storm-client/src/jvm/org/apache/storm/security/auth/kerberos/AutoTGT.java
@@ -12,7 +12,9 @@
package org.apache.storm.security.auth.kerberos;
+import java.lang.reflect.Constructor;
import java.lang.reflect.Method;
+import java.security.Principal;
import java.util.HashMap;
import java.util.Iterator;
import java.util.Map;
@@ -207,19 +209,37 @@ public class AutoTGT implements IAutoCredentials, ICredentialsRenewer, IMetricsR
return;
}
- LOG.info("Invoking Hadoop UserGroupInformation.loginUserFromSubject.");
- Method login = ugi.getMethod("loginUserFromSubject", Subject.class);
- login.invoke(null, subject);
+ // We are just trying to do the following:
+ //
+ // Configuration conf = new Configuration();
+ // HadoopKerberosName.setConfiguration(conf);
+ // subject.getPrincipals().add(new User(tgt.getClient().toString(), AuthenticationMethod.KERBEROS, null));
- //Refer to STORM-3606 for details
- LOG.warn("UserGroupInformation.loginUserFromSubject will spawn a TGT renewal thread (\"TGT Renewer for <username>\") "
- + "to execute \"kinit -R\" command some time before the current TGT expires. "
- + "It will fail because TGT is not in the local TGT cache and the thread will eventually abort. "
- + "Exceptions from this TGT renewal thread can be ignored. Note: TGT for the Worker is kept in memory. "
- + "Please refer to STORM-3606 for detailed explanations");
+ Class<?> confClass = Class.forName("org.apache.hadoop.conf.Configuration");
+ Constructor confCons = confClass.getConstructor();
+ Object conf = confCons.newInstance();
+ Class<?> hknClass = Class.forName("org.apache.hadoop.security.HadoopKerberosName");
+ Method hknSetConf = hknClass.getMethod("setConfiguration", confClass);
+ hknSetConf.invoke(null, conf);
+
+ Class<?> authMethodClass = Class.forName("org.apache.hadoop.security.UserGroupInformation$AuthenticationMethod");
+ Object kerbAuthMethod = null;
+ for (Object authMethod : authMethodClass.getEnumConstants()) {
+ if ("KERBEROS".equals(authMethod.toString())) {
+ kerbAuthMethod = authMethod;
+ break;
+ }
+ }
+
+ Class<?> userClass = Class.forName("org.apache.hadoop.security.User");
+ Constructor userCons = userClass.getConstructor(String.class, authMethodClass, LoginContext.class);
+ userCons.setAccessible(true);
+ String name = getTGT(subject).getClient().toString();
+ Object user = userCons.newInstance(name, kerbAuthMethod, null);
+ subject.getPrincipals().add((Principal) user);
} catch (Exception e) {
- LOG.warn("Something went wrong while trying to initialize Hadoop through reflection. This version of hadoop "
+ LOG.error("Something went wrong while trying to initialize Hadoop through reflection. This version of hadoop "
+ "may not be compatible.", e);
}
}