You are viewing a plain text version of this content. The canonical link for it is here.
Posted to common-commits@hadoop.apache.org by jg...@apache.org on 2010/06/11 02:40:06 UTC
svn commit: r953517 - in /hadoop/common/trunk: CHANGES.txt
src/java/org/apache/hadoop/security/SecurityUtil.java
src/test/core/org/apache/hadoop/security/TestSecurityUtil.java
Author: jghoman
Date: Fri Jun 11 00:40:05 2010
New Revision: 953517
URL: http://svn.apache.org/viewvc?rev=953517&view=rev
Log:
HADOOP-6603. Provide workaround for issue with Kerberos not resolving cross-realm principal. Contributed by Kan Zhang and Jitendra Pandey.
Added:
hadoop/common/trunk/src/java/org/apache/hadoop/security/SecurityUtil.java
hadoop/common/trunk/src/test/core/org/apache/hadoop/security/TestSecurityUtil.java
Modified:
hadoop/common/trunk/CHANGES.txt
Modified: hadoop/common/trunk/CHANGES.txt
URL: http://svn.apache.org/viewvc/hadoop/common/trunk/CHANGES.txt?rev=953517&r1=953516&r2=953517&view=diff
==============================================================================
--- hadoop/common/trunk/CHANGES.txt (original)
+++ hadoop/common/trunk/CHANGES.txt Fri Jun 11 00:40:05 2010
@@ -81,6 +81,9 @@ Trunk (unreleased changes)
HADOOP-6796. FileStatus allows null srcPath but crashes if that's done. (Rodrigo Schmidt via eli)
+ HADOOP-6603. Provide workaround for issue with Kerberos not resolving
+ cross-realm principal (Kan Zhang and Jitendra Pandey via jghoman)
+
Release 0.21.0 - Unreleased
INCOMPATIBLE CHANGES
Added: hadoop/common/trunk/src/java/org/apache/hadoop/security/SecurityUtil.java
URL: http://svn.apache.org/viewvc/hadoop/common/trunk/src/java/org/apache/hadoop/security/SecurityUtil.java?rev=953517&view=auto
==============================================================================
--- hadoop/common/trunk/src/java/org/apache/hadoop/security/SecurityUtil.java (added)
+++ hadoop/common/trunk/src/java/org/apache/hadoop/security/SecurityUtil.java Fri Jun 11 00:40:05 2010
@@ -0,0 +1,105 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with this
+ * work for additional information regarding copyright ownership. The ASF
+ * licenses this file to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+ * License for the specific language governing permissions and limitations under
+ * the License.
+ */
+package org.apache.hadoop.security;
+
+import java.io.IOException;
+import java.net.URL;
+import java.security.AccessController;
+import java.util.Set;
+
+import javax.security.auth.Subject;
+import javax.security.auth.kerberos.KerberosTicket;
+
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.apache.hadoop.security.UserGroupInformation;
+
+import sun.security.jgss.krb5.Krb5Util;
+import sun.security.krb5.Credentials;
+import sun.security.krb5.PrincipalName;
+
+public class SecurityUtil {
+ private static final Log LOG = LogFactory.getLog(SecurityUtil.class);
+
+ /**
+ * Find the original TGT within the current subject's credentials. Cross-realm
+ * TGT's of the form "krbtgt/TWO.COM@ONE.COM" may be present.
+ *
+ * @return The TGT from the current subject
+ * @throws IOException
+ * if TGT can't be found
+ */
+ private static KerberosTicket getTgtFromSubject() throws IOException {
+ Set<KerberosTicket> tickets = Subject.getSubject(
+ AccessController.getContext()).getPrivateCredentials(
+ KerberosTicket.class);
+ for (KerberosTicket t : tickets) {
+ if (isOriginalTGT(t.getServer().getName()))
+ return t;
+ }
+ throw new IOException("Failed to find TGT from current Subject");
+ }
+
+ // Original TGT must be of form "krbtgt/FOO@FOO". Verify this
+ protected static boolean isOriginalTGT(String name) {
+ if(name == null) return false;
+
+ String [] components = name.split("[/@]");
+
+ return components.length == 3 &&
+ "krbtgt".equals(components[0]) &&
+ components[1].equals(components[2]);
+ }
+
+ /**
+ * Explicitly pull the service ticket for the specified host. This solves a
+ * problem with Java's Kerberos SSL problem where the client cannot
+ * authenticate against a cross-realm service. It is necessary for clients
+ * making kerberized https requests to call this method on the target URL
+ * to ensure that in a cross-realm environment the remote host will be
+ * successfully authenticated.
+ *
+ * This method is internal to Hadoop and should not be used by other
+ * applications. This method should not be considered stable or open:
+ * it will be removed when the Java behavior is changed.
+ *
+ * @param remoteHost Target URL the krb-https client will access
+ * @throws IOException
+ */
+ public static void fetchServiceTicket(URL remoteHost) throws IOException {
+ if(!UserGroupInformation.isSecurityEnabled())
+ return;
+
+ String serviceName = "host/" + remoteHost.getHost();
+ LOG.debug("Fetching service ticket for host at: " + serviceName);
+ Credentials serviceCred = null;
+ try {
+ PrincipalName principal = new PrincipalName(serviceName,
+ PrincipalName.KRB_NT_SRV_HST);
+ serviceCred = Credentials.acquireServiceCreds(principal
+ .toString(), Krb5Util.ticketToCreds(getTgtFromSubject()));
+ } catch (Exception e) {
+ throw new IOException("Invalid service principal name: "
+ + serviceName, e);
+ }
+ if (serviceCred == null) {
+ throw new IOException("Can't get service ticket for " + serviceName);
+ }
+ Subject.getSubject(AccessController.getContext()).getPrivateCredentials()
+ .add(Krb5Util.credsToTicket(serviceCred));
+ }
+}
Added: hadoop/common/trunk/src/test/core/org/apache/hadoop/security/TestSecurityUtil.java
URL: http://svn.apache.org/viewvc/hadoop/common/trunk/src/test/core/org/apache/hadoop/security/TestSecurityUtil.java?rev=953517&view=auto
==============================================================================
--- hadoop/common/trunk/src/test/core/org/apache/hadoop/security/TestSecurityUtil.java (added)
+++ hadoop/common/trunk/src/test/core/org/apache/hadoop/security/TestSecurityUtil.java Fri Jun 11 00:40:05 2010
@@ -0,0 +1,35 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with this
+ * work for additional information regarding copyright ownership. The ASF
+ * licenses this file to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+ * License for the specific language governing permissions and limitations under
+ * the License.
+ */
+package org.apache.hadoop.security;
+
+import static org.junit.Assert.*;
+import org.junit.Test;
+
+public class TestSecurityUtil {
+ @Test
+ public void isOriginalTGTReturnsCorrectValues() {
+ assertTrue(SecurityUtil.isOriginalTGT("krbtgt/foo@foo"));
+ assertTrue(SecurityUtil.isOriginalTGT("krbtgt/foo.bar.bat@foo.bar.bat"));
+ assertFalse(SecurityUtil.isOriginalTGT(null));
+ assertFalse(SecurityUtil.isOriginalTGT("blah"));
+ assertFalse(SecurityUtil.isOriginalTGT(""));
+ assertFalse(SecurityUtil.isOriginalTGT("krbtgt/hello"));
+ assertFalse(SecurityUtil.isOriginalTGT("/@"));
+ assertFalse(SecurityUtil.isOriginalTGT("this@is/notright"));
+ assertFalse(SecurityUtil.isOriginalTGT("krbtgt/foo@FOO"));
+ }
+}