Posted to commits@accumulo.apache.org by bu...@apache.org on 2016/08/27 00:21:41 UTC

[1/2] accumulo git commit: ACCUMULO-4421 Check if the Trace User is expected to use Kerberos before attempting to login to Kerberos as the trace user.

Repository: accumulo
Updated Branches:
  refs/heads/1.7 40d5a722b -> 2be85ade3


ACCUMULO-4421 Check if the Trace User is expected to use Kerberos before attempting to login to Kerberos as the trace user.

Signed-off-by: Josh Elser <el...@apache.org>


Project: http://git-wip-us.apache.org/repos/asf/accumulo/repo
Commit: http://git-wip-us.apache.org/repos/asf/accumulo/commit/d66a8d08
Tree: http://git-wip-us.apache.org/repos/asf/accumulo/tree/d66a8d08
Diff: http://git-wip-us.apache.org/repos/asf/accumulo/diff/d66a8d08

Branch: refs/heads/1.7
Commit: d66a8d08627e98e9bbdd2bd0b1ab4f4658a84d9f
Parents: 40d5a72
Author: Sean Busbey <bu...@cloudera.com>
Authored: Thu Aug 25 14:47:38 2016 -0500
Committer: Sean Busbey <bu...@cloudera.com>
Committed: Fri Aug 26 19:08:30 2016 -0500

----------------------------------------------------------------------
 .../org/apache/accumulo/tracer/TraceServer.java | 61 +++++++++++++-------
 1 file changed, 41 insertions(+), 20 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/accumulo/blob/d66a8d08/server/tracer/src/main/java/org/apache/accumulo/tracer/TraceServer.java
----------------------------------------------------------------------
diff --git a/server/tracer/src/main/java/org/apache/accumulo/tracer/TraceServer.java b/server/tracer/src/main/java/org/apache/accumulo/tracer/TraceServer.java
index 4b07dcc..2a06dc3 100644
--- a/server/tracer/src/main/java/org/apache/accumulo/tracer/TraceServer.java
+++ b/server/tracer/src/main/java/org/apache/accumulo/tracer/TraceServer.java
@@ -36,6 +36,7 @@ import org.apache.accumulo.core.client.IteratorSetting;
 import org.apache.accumulo.core.client.MutationsRejectedException;
 import org.apache.accumulo.core.client.security.tokens.AuthenticationToken;
 import org.apache.accumulo.core.client.security.tokens.AuthenticationToken.Properties;
+import org.apache.accumulo.core.client.security.tokens.KerberosToken;
 import org.apache.accumulo.core.client.security.tokens.PasswordToken;
 import org.apache.accumulo.core.conf.AccumuloConfiguration;
 import org.apache.accumulo.core.conf.Property;
@@ -306,30 +307,50 @@ public class TraceServer implements Watcher {
   }
 
   private static void loginTracer(AccumuloConfiguration acuConf) {
-    Map<String,String> loginMap = acuConf.getAllPropertiesWithPrefix(Property.TRACE_TOKEN_PROPERTY_PREFIX);
-    String keyTab = loginMap.get(Property.TRACE_TOKEN_PROPERTY_PREFIX.getKey() + "keytab");
-    if (keyTab == null || keyTab.length() == 0) {
-      keyTab = acuConf.getPath(Property.GENERAL_KERBEROS_KEYTAB);
-    }
-    if (keyTab == null || keyTab.length() == 0)
-      return;
+    try {
+      Class<? extends AuthenticationToken> traceTokenType = AccumuloVFSClassLoader.getClassLoader().loadClass(acuConf.get(Property.TRACE_TOKEN_TYPE))
+          .asSubclass(AuthenticationToken.class);
+
+      if (!(KerberosToken.class.isAssignableFrom(traceTokenType))) {
+        // We're not using Kerberos to talk to Accumulo, but we might still need it for talking to HDFS/ZK for
+        // instance information.
+        log.info("Handling login under the assumption that Accumulo users are not using Kerberos.");
+        SecurityUtil.serverLogin(acuConf);
+      } else {
+        // We're using Kerberos to talk to Accumulo, so check for trace user specific auth details.
+        // We presume this same user will have the needed access for the service to interact with HDFS/ZK for
+        // instance information.
+        log.info("Handling login under the assumption that Accumulo users are using Kerberos.");
+        Map<String,String> loginMap = acuConf.getAllPropertiesWithPrefix(Property.TRACE_TOKEN_PROPERTY_PREFIX);
+        String keyTab = loginMap.get(Property.TRACE_TOKEN_PROPERTY_PREFIX.getKey() + "keytab");
+        if (keyTab == null || keyTab.length() == 0) {
+          keyTab = acuConf.getPath(Property.GENERAL_KERBEROS_KEYTAB);
+        }
+        if (keyTab == null || keyTab.length() == 0)
+          return;
 
-    String principalConfig = acuConf.get(Property.TRACE_USER);
-    if (principalConfig == null || principalConfig.length() == 0)
-      return;
+        String principalConfig = acuConf.get(Property.TRACE_USER);
+        if (principalConfig == null || principalConfig.length() == 0)
+          return;
 
-    log.info("Attempting to login as {} with {}", principalConfig, keyTab);
-    if (SecurityUtil.login(principalConfig, keyTab)) {
-      try {
-        // This spawns a thread to periodically renew the logged in (trace) user
-        UserGroupInformation.getLoginUser();
-        return;
-      } catch (IOException io) {
-        log.error("Error starting up renewal thread. This shouldn't be happening.", io);
+        log.info("Attempting to login as {} with {}", principalConfig, keyTab);
+        if (SecurityUtil.login(principalConfig, keyTab)) {
+          try {
+            // This spawns a thread to periodically renew the logged in (trace) user
+            UserGroupInformation.getLoginUser();
+            return;
+          } catch (IOException io) {
+            log.error("Error starting up renewal thread. This shouldn't be happening.", io);
+          }
+        }
+
+        throw new RuntimeException("Failed to perform Kerberos login for " + principalConfig + " using  " + keyTab);
       }
+    } catch (IOException | ClassNotFoundException exception) {
+      final String msg = String.format("Failed to retrieve trace user token information based on property %1s.", Property.TRACE_TOKEN_TYPE);
+      log.error(msg, exception);
+      throw new RuntimeException(msg, exception);
     }
-
-    throw new RuntimeException("Failed to perform Kerberos login for " + principalConfig + " using  " + keyTab);
   }
 
   public static void main(String[] args) throws Exception {
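Review bot: In the Kerberos branch of loginTracer, the two early `return;` statements (empty keytab, empty `Property.TRACE_USER`) exit silently right after the method has logged that Accumulo users are using Kerberos. The tracer then carries on with no login at all, and the misconfiguration only surfaces later as an authentication failure somewhere else. I would at least log before returning, e.g. `log.warn("Trace token type is Kerberos but no keytab is configured; skipping Kerberos login");` with the equivalent for the principal, or throw as the method already does for a failed login. Separately, `asSubclass(AuthenticationToken.class)` throws ClassCastException when the configured class loads but is not an AuthenticationToken, and `catch (IOException | ClassNotFoundException exception)` does not cover it, so that case loses the message naming `Property.TRACE_TOKEN_TYPE`. Adding `ClassCastException` to the multi-catch would keep the error reporting consistent.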


[2/2] accumulo git commit: ACCUMULO-4421 Ensure that TraceServer launches the Kerberos ticket renewal thread

Posted by bu...@apache.org.
ACCUMULO-4421 Ensure that TraceServer launches the Kerberos ticket renewal thread

The previous method that TraceServer was using on SecurityUtil
only performed the login and was relying on incorrect functionality
in Hadoop's UGI to launch a renewal thread. This logic is incorrect.
Refactored SecurityUtil a little to prevent other callers from
making the same mistake in the future.

Signed-off-by: Sean Busbey <bu...@cloudera.com>


Project: http://git-wip-us.apache.org/repos/asf/accumulo/repo
Commit: http://git-wip-us.apache.org/repos/asf/accumulo/commit/2be85ade
Tree: http://git-wip-us.apache.org/repos/asf/accumulo/tree/2be85ade
Diff: http://git-wip-us.apache.org/repos/asf/accumulo/diff/2be85ade

Branch: refs/heads/1.7
Commit: 2be85ade34c413cc32db838e6125e582b829ef03
Parents: d66a8d0
Author: Josh Elser <el...@apache.org>
Authored: Fri Aug 26 17:33:42 2016 -0400
Committer: Sean Busbey <bu...@cloudera.com>
Committed: Fri Aug 26 19:08:56 2016 -0500

----------------------------------------------------------------------
 .../accumulo/server/security/SecurityUtil.java  | 30 ++++++++++++++------
 .../org/apache/accumulo/tracer/TraceServer.java | 13 +--------
 2 files changed, 23 insertions(+), 20 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/accumulo/blob/2be85ade/server/base/src/main/java/org/apache/accumulo/server/security/SecurityUtil.java
----------------------------------------------------------------------
diff --git a/server/base/src/main/java/org/apache/accumulo/server/security/SecurityUtil.java b/server/base/src/main/java/org/apache/accumulo/server/security/SecurityUtil.java
index 73f671b..38afa31 100644
--- a/server/base/src/main/java/org/apache/accumulo/server/security/SecurityUtil.java
+++ b/server/base/src/main/java/org/apache/accumulo/server/security/SecurityUtil.java
@@ -40,17 +40,31 @@ public class SecurityUtil {
    * {@link #login(String, String)}
    */
   public static void serverLogin(AccumuloConfiguration acuConf) {
-    String keyTab = acuConf.getPath(Property.GENERAL_KERBEROS_KEYTAB);
+    serverLogin(acuConf, acuConf.getPath(Property.GENERAL_KERBEROS_KEYTAB), acuConf.get(Property.GENERAL_KERBEROS_PRINCIPAL));
+  }
+
+  /**
+   * Performs a Kerberos login using the given Kerberos principal and keytab if they are non-null and positive length Strings. This method automaticallys spawns
+   * a thread to renew the given ticket upon successful login using {@link Property#GENERAL_KERBEROS_RENEWAL_PERIOD} as the renewal period. This method does
+   * nothing if either {@code keyTab} or {@code principal} are null or of zero length.
+   *
+   * @param acuConf
+   *          The Accumulo configuration
+   * @param keyTab
+   *          The path to the Kerberos keytab file
+   * @param principal
+   *          The Kerberos principal
+   */
+  public static void serverLogin(AccumuloConfiguration acuConf, String keyTab, String principal) {
     if (keyTab == null || keyTab.length() == 0)
       return;
 
-    usingKerberos = true;
-
-    String principalConfig = acuConf.get(Property.GENERAL_KERBEROS_PRINCIPAL);
-    if (principalConfig == null || principalConfig.length() == 0)
+    if (principal == null || principal.length() == 0)
       return;
 
-    if (login(principalConfig, keyTab)) {
+    usingKerberos = true;
+
+    if (login(principal, keyTab)) {
       try {
         startTicketRenewalThread(UserGroupInformation.getCurrentUser(), acuConf.getTimeInMillis(Property.GENERAL_KERBEROS_RENEWAL_PERIOD));
         return;
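Review bot: The new Javadoc on `serverLogin(AccumuloConfiguration, String, String)` has a typo (`automaticallys spawns` should read `automatically spawns`) and does not document the failure mode, although the method ends in `throw new RuntimeException("Failed to perform Kerberos login for " + ...)`, visible in the next hunk. I would add `@throws RuntimeException if the Kerberos login fails or the renewal thread cannot be started`; the second half is inferred, because the catch block sits between the two hunks. Note also that `usingKerberos = true` now runs only after both the keytab and the principal checks pass, where before it was set as soon as a keytab was configured. If anything reads that flag for a keytab-only configuration its answer changes, so the Javadoc should say the new ordering is intended.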
@@ -59,7 +73,7 @@ public class SecurityUtil {
       }
     }
 
-    throw new RuntimeException("Failed to perform Kerberos login for " + principalConfig + " using  " + keyTab);
+    throw new RuntimeException("Failed to perform Kerberos login for " + principal + " using  " + keyTab);
   }
 
   /**
@@ -70,7 +84,7 @@ public class SecurityUtil {
    *          replaced by the systems host name.
    * @return true if login succeeded, otherwise false
    */
-  public static boolean login(String principalConfig, String keyTabPath) {
+  static boolean login(String principalConfig, String keyTabPath) {
     try {
       String principalName = getServerPrincipal(principalConfig);
       if (keyTabPath != null && principalName != null && keyTabPath.length() != 0 && principalName.length() != 0) {
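Review bot: Dropping `public` from `login(String, String)` removes a method from a public class on the 1.7 maintenance branch, and nothing at the declaration says why. A short comment would stop someone from widening it again: `// Package-private on purpose: use serverLogin(...) so the ticket renewal thread is always started.` The Javadoc above `serverLogin(AccumuloConfiguration)` still carries `{@link #login(String, String)}`, which now points readers outside the package at a method they cannot call, so that sentence should be reworded to refer to the three-argument `serverLogin`. The body of login continues past the end of this hunk.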

http://git-wip-us.apache.org/repos/asf/accumulo/blob/2be85ade/server/tracer/src/main/java/org/apache/accumulo/tracer/TraceServer.java
----------------------------------------------------------------------
diff --git a/server/tracer/src/main/java/org/apache/accumulo/tracer/TraceServer.java b/server/tracer/src/main/java/org/apache/accumulo/tracer/TraceServer.java
index 2a06dc3..10601ba 100644
--- a/server/tracer/src/main/java/org/apache/accumulo/tracer/TraceServer.java
+++ b/server/tracer/src/main/java/org/apache/accumulo/tracer/TraceServer.java
@@ -61,7 +61,6 @@ import org.apache.accumulo.tracer.thrift.RemoteSpan;
 import org.apache.accumulo.tracer.thrift.SpanReceiver.Iface;
 import org.apache.accumulo.tracer.thrift.SpanReceiver.Processor;
 import org.apache.hadoop.io.Text;
-import org.apache.hadoop.security.UserGroupInformation;
 import org.apache.htrace.Span;
 import org.apache.thrift.TByteArrayOutputStream;
 import org.apache.thrift.TException;
@@ -334,17 +333,7 @@ public class TraceServer implements Watcher {
           return;
 
         log.info("Attempting to login as {} with {}", principalConfig, keyTab);
-        if (SecurityUtil.login(principalConfig, keyTab)) {
-          try {
-            // This spawns a thread to periodically renew the logged in (trace) user
-            UserGroupInformation.getLoginUser();
-            return;
-          } catch (IOException io) {
-            log.error("Error starting up renewal thread. This shouldn't be happening.", io);
-          }
-        }
-
-        throw new RuntimeException("Failed to perform Kerberos login for " + principalConfig + " using  " + keyTab);
+        SecurityUtil.serverLogin(acuConf, keyTab, principalConfig);
       }
     } catch (IOException | ClassNotFoundException exception) {
       final String msg = String.format("Failed to retrieve trace user token information based on property %1s.", Property.TRACE_TOKEN_TYPE);
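Review bot: The removed block carried the only comment saying that ticket renewal is started at this point, and the replacement call `SecurityUtil.serverLogin(acuConf, keyTab, principalConfig);` has none, so a reader of loginTracer can no longer tell that renewal is handled. I would put `// serverLogin also starts the ticket renewal thread for the trace user` directly above the call. loginTracer starts before this hunk and its catch block continues after it.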