Posted to common-commits@hadoop.apache.org by xy...@apache.org on 2019/03/29 04:55:44 UTC

[hadoop] branch trunk updated: HADOOP-16199. KMSLoadBlanceClientProvider does not select token correctly. Contributed by Xiaoyu Yao.

This is an automated email from the ASF dual-hosted git repository.

xyao pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/hadoop.git


The following commit(s) were added to refs/heads/trunk by this push:
     new f41f938  HADOOP-16199. KMSLoadBlanceClientProvider does not select token correctly. Contributed by Xiaoyu Yao.
f41f938 is described below

commit f41f938b2e498161da96bfad77410871a3a85728
Author: Xiaoyu Yao <xy...@apache.org>
AuthorDate: Thu Mar 28 21:55:31 2019 -0700

    HADOOP-16199. KMSLoadBlanceClientProvider does not select token correctly. Contributed by Xiaoyu Yao.
    
    This closes  #642.
---
 .../key/kms/LoadBalancingKMSClientProvider.java    |  3 ++
 .../kms/TestLoadBalancingKMSClientProvider.java    | 35 ++++++++++++++++++----
 2 files changed, 32 insertions(+), 6 deletions(-)

diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/kms/LoadBalancingKMSClientProvider.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/kms/LoadBalancingKMSClientProvider.java
index 6cb2cdc..ee2295c 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/kms/LoadBalancingKMSClientProvider.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/kms/LoadBalancingKMSClientProvider.java
@@ -148,6 +148,9 @@ public class LoadBalancingKMSClientProvider extends KeyProvider implements
       selectDelegationToken(Credentials creds) {
     Token<? extends TokenIdentifier> token =
         KMSClientProvider.selectDelegationToken(creds, canonicalService);
+    if (token == null) {
+      token = KMSClientProvider.selectDelegationToken(creds, dtService);
+    }
     // fallback to querying each sub-provider.
     if (token == null) {
       for (KMSClientProvider provider : getProviders()) {
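Review bot: The added lookup `token = KMSClientProvider.selectDelegationToken(creds, dtService);` has no comment saying when `canonicalService` and `dtService` differ, so the reason for trying two service names before the per-provider loop cannot be recovered from the code. I would add above the new `if`: `// The token may be stored under dtService rather than canonicalService (e.g. when hadoop.security.key.provider.path is configured); try it before the sub-providers.` The parenthetical is inferred from the test added in this commit and should be confirmed against where the two fields are assigned. Because this method decides which credential is presented to the KMS, a debug-level log of which service name matched would also make a wrong selection diagnosable. `selectDelegationToken` starts above this hunk and continues past its end.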
diff --git a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/crypto/key/kms/TestLoadBalancingKMSClientProvider.java b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/crypto/key/kms/TestLoadBalancingKMSClientProvider.java
index 259feda..7804c73 100644
--- a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/crypto/key/kms/TestLoadBalancingKMSClientProvider.java
+++ b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/crypto/key/kms/TestLoadBalancingKMSClientProvider.java
@@ -916,10 +916,7 @@ public class TestLoadBalancingKMSClientProvider {
     }
   }
 
-  @Test
-  public void testGetActualUGI() throws Exception {
-    // enable security
-    final Configuration conf = new Configuration();
+  private void testTokenSelectionWithConf(Configuration conf) throws Exception {
     conf.set("hadoop.security.authentication", "kerberos");
     UserGroupInformation.setConfiguration(conf);
 
@@ -927,6 +924,9 @@ public class TestLoadBalancingKMSClientProvider {
         "foo", new String[] {"hadoop"});
 
     String providerUriString = "kms://http@host1;host2;host3:9600/kms/foo";
+    conf.set(CommonConfigurationKeysPublic.HADOOP_SECURITY_KEY_PROVIDER_PATH,
+        providerUriString);
+
     final URI kmsUri = URI.create(providerUriString);
     // create a fake kms dt
     final Token token = new Token();
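Review bot: The added `conf.set(CommonConfigurationKeysPublic.HADOOP_SECURITY_KEY_PROVIDER_PATH, providerUriString);` runs unconditionally inside `testTokenSelectionWithConf`, so every caller ends up with the key provider path configured. `testGetActualUGI` in the last hunk is commented as the case "without hadoop.security.key.provider.path configured", yet it goes through this same line, so both tests appear to exercise the same configuration and the unconfigured token-selection path is not covered. Dropping these two added lines from the helper would restore the distinction, since `testTokenSelectionWithKMSUriInConf` already sets the key before calling it. The helper's body continues outside this hunk, so check that nothing further down relies on the key being present.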
@@ -951,7 +951,30 @@ public class TestLoadBalancingKMSClientProvider {
         });
     // make sure getActualUgi() returns the current user, not login user.
     assertEquals(
-        "getActualUgi() should return the current user, not login user",
-        ugi, actualUgi);
+        "testTokenSelectionWithConf() should return the" +
+            " current user, not login user", ugi, actualUgi);
+  }
+
+  @Test
+  public void testTokenSelectionWithKMSUriInConf() throws Exception {
+    final Configuration conf = new Configuration();
+    conf.set("hadoop.security.authentication", "kerberos");
+
+    // test client with hadoop.security.key.provider.path configured.
+    String providerUriString = "kms://http@host1;host2;host3:9600/kms/foo";
+    conf.set(CommonConfigurationKeysPublic.HADOOP_SECURITY_KEY_PROVIDER_PATH,
+        providerUriString);
+
+    testTokenSelectionWithConf(conf);
+  }
+
+  @Test
+  public void testGetActualUGI() throws Exception {
+    final Configuration conf = new Configuration();
+    conf.set("hadoop.security.authentication", "kerberos");
+    UserGroupInformation.setConfiguration(conf);
+
+    // test client without hadoop.security.key.provider.path configured.
+    testTokenSelectionWithConf(conf);
   }
 }
\ No newline at end of file
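Review bot: The assertion message now reads "testTokenSelectionWithConf() should return the current user, not login user", but that helper is `void` and the value compared is `actualUgi`; the comment directly above still refers to getActualUgi(). Keeping the original text, `"getActualUgi() should return the current user, not login user"`, would make a failure report name the call that actually misbehaved. Separately, both new test methods set `hadoop.security.authentication` to `kerberos`, and `testGetActualUGI` also calls `UserGroupInformation.setConfiguration(conf)`, all of which the helper repeats on entry; doing it in one place avoids the two copies drifting apart. The helper begins in an earlier hunk of this file.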

