You are viewing a plain text version of this content. The canonical link for it is here.
Posted to common-commits@hadoop.apache.org by xy...@apache.org on 2019/03/29 04:55:44 UTC
[hadoop] branch trunk updated: HADOOP-16199.
KMSLoadBlanceClientProvider does not select token correctly. Contributed by
Xiaoyu Yao.
This is an automated email from the ASF dual-hosted git repository.
xyao pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/hadoop.git
The following commit(s) were added to refs/heads/trunk by this push:
new f41f938 HADOOP-16199. KMSLoadBlanceClientProvider does not select token correctly. Contributed by Xiaoyu Yao.
f41f938 is described below
commit f41f938b2e498161da96bfad77410871a3a85728
Author: Xiaoyu Yao <xy...@apache.org>
AuthorDate: Thu Mar 28 21:55:31 2019 -0700
HADOOP-16199. KMSLoadBlanceClientProvider does not select token correctly. Contributed by Xiaoyu Yao.
This closes #642.
---
.../key/kms/LoadBalancingKMSClientProvider.java | 3 ++
.../kms/TestLoadBalancingKMSClientProvider.java | 35 ++++++++++++++++++----
2 files changed, 32 insertions(+), 6 deletions(-)
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/kms/LoadBalancingKMSClientProvider.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/kms/LoadBalancingKMSClientProvider.java
index 6cb2cdc..ee2295c 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/kms/LoadBalancingKMSClientProvider.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/kms/LoadBalancingKMSClientProvider.java
@@ -148,6 +148,9 @@ public class LoadBalancingKMSClientProvider extends KeyProvider implements
selectDelegationToken(Credentials creds) {
Token<? extends TokenIdentifier> token =
KMSClientProvider.selectDelegationToken(creds, canonicalService);
+ if (token == null) {
+ token = KMSClientProvider.selectDelegationToken(creds, dtService);
+ }
// fallback to querying each sub-provider.
if (token == null) {
for (KMSClientProvider provider : getProviders()) {
diff --git a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/crypto/key/kms/TestLoadBalancingKMSClientProvider.java b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/crypto/key/kms/TestLoadBalancingKMSClientProvider.java
index 259feda..7804c73 100644
--- a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/crypto/key/kms/TestLoadBalancingKMSClientProvider.java
+++ b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/crypto/key/kms/TestLoadBalancingKMSClientProvider.java
@@ -916,10 +916,7 @@ public class TestLoadBalancingKMSClientProvider {
}
}
- @Test
- public void testGetActualUGI() throws Exception {
- // enable security
- final Configuration conf = new Configuration();
+ private void testTokenSelectionWithConf(Configuration conf) throws Exception {
conf.set("hadoop.security.authentication", "kerberos");
UserGroupInformation.setConfiguration(conf);
@@ -927,6 +924,9 @@ public class TestLoadBalancingKMSClientProvider {
"foo", new String[] {"hadoop"});
String providerUriString = "kms://http@host1;host2;host3:9600/kms/foo";
+ conf.set(CommonConfigurationKeysPublic.HADOOP_SECURITY_KEY_PROVIDER_PATH,
+ providerUriString);
+
final URI kmsUri = URI.create(providerUriString);
// create a fake kms dt
final Token token = new Token();
@@ -951,7 +951,30 @@ public class TestLoadBalancingKMSClientProvider {
});
// make sure getActualUgi() returns the current user, not login user.
assertEquals(
- "getActualUgi() should return the current user, not login user",
- ugi, actualUgi);
+ "testTokenSelectionWithConf() should return the" +
+ " current user, not login user", ugi, actualUgi);
+ }
+
+ @Test
+ public void testTokenSelectionWithKMSUriInConf() throws Exception {
+ final Configuration conf = new Configuration();
+ conf.set("hadoop.security.authentication", "kerberos");
+
+ // test client with hadoop.security.key.provider.path configured.
+ String providerUriString = "kms://http@host1;host2;host3:9600/kms/foo";
+ conf.set(CommonConfigurationKeysPublic.HADOOP_SECURITY_KEY_PROVIDER_PATH,
+ providerUriString);
+
+ testTokenSelectionWithConf(conf);
+ }
+
+ @Test
+ public void testGetActualUGI() throws Exception {
+ final Configuration conf = new Configuration();
+ conf.set("hadoop.security.authentication", "kerberos");
+ UserGroupInformation.setConfiguration(conf);
+
+ // test client without hadoop.security.key.provider.path configured.
+ testTokenSelectionWithConf(conf);
}
}
\ No newline at end of file
---------------------------------------------------------------------
To unsubscribe, e-mail: common-commits-unsubscribe@hadoop.apache.org
For additional commands, e-mail: common-commits-help@hadoop.apache.org