accumulo-commits mailing list archives

From els...@apache.org
Subject accumulo git commit: ACCUMULO-3701 Make sure we log in before returning from parseArgs.
Date Mon, 30 Mar 2015 23:35:17 GMT
Repository: accumulo
Updated Branches:
  refs/heads/master 94bd393e0 -> 139c00274


ACCUMULO-3701 Make sure we log in before returning from parseArgs.

When a MapReduce Job is constructed, it makes a copy of the current
user for the lifetime of that job. Therefore, ClientOpts needs
to ensure that the user is logged in when a keytab is provided.
To do this, we need to perform the login during parseArgs().


Project: http://git-wip-us.apache.org/repos/asf/accumulo/repo
Commit: http://git-wip-us.apache.org/repos/asf/accumulo/commit/139c0027
Tree: http://git-wip-us.apache.org/repos/asf/accumulo/tree/139c0027
Diff: http://git-wip-us.apache.org/repos/asf/accumulo/diff/139c0027

Branch: refs/heads/master
Commit: 139c002745d9d512d1fbbdee99ae827cd3a68d11
Parents: 94bd393
Author: Josh Elser <elserj@apache.org>
Authored: Mon Mar 30 19:04:03 2015 -0400
Committer: Josh Elser <elserj@apache.org>
Committed: Mon Mar 30 19:34:46 2015 -0400

----------------------------------------------------------------------
 .../apache/accumulo/core/cli/ClientOpts.java    | 38 ++++-----
 .../test/security/KerberosClientOptsTest.java   | 89 ++++++++++++++++++++
 2 files changed, 106 insertions(+), 21 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/accumulo/blob/139c0027/core/src/main/java/org/apache/accumulo/core/cli/ClientOpts.java
----------------------------------------------------------------------
diff --git a/core/src/main/java/org/apache/accumulo/core/cli/ClientOpts.java b/core/src/main/java/org/apache/accumulo/core/cli/ClientOpts.java
index b2eb857..6185419 100644
--- a/core/src/main/java/org/apache/accumulo/core/cli/ClientOpts.java
+++ b/core/src/main/java/org/apache/accumulo/core/cli/ClientOpts.java
@@ -132,26 +132,7 @@ public class ClientOpts extends Help {
           props.put(loginOption.getKey(), loginOption.getValue());
       }
 
-      // If the user isn't currently logged in with Kerberos, they might have provided a
keytab file
-      // instead which can be used to log them in. Check that before constructing the KerberosToken
-      // as it will expect the user is already logged in.
-      if (KerberosToken.CLASS_NAME.equals(tokenClassName)) {
-        if (null != keytabPath) {
-          File keytab = new File(keytabPath);
-          if (!keytab.exists() || !keytab.isFile()) {
-            throw new IllegalArgumentException("Keytab isn't a normal file: " + keytabPath);
-          }
-          if (null == principal) {
-            throw new IllegalArgumentException("Principal must be provided if logging in
via Keytab");
-          }
-          try {
-            UserGroupInformation.loginUserFromKeytab(principal, keytab.getAbsolutePath());
-          } catch (IOException e) {
-            throw new RuntimeException("Failed to log in with keytab", e);
-          }
-        }
-      }
-
+      // It's expected that the user is already logged in via UserGroupInformation or external
to this program (kinit).
       try {
         AuthenticationToken token = Class.forName(tokenClassName).asSubclass(AuthenticationToken.class).newInstance();
         token.init(props);
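Review bot: The comment added above the `try` states a precondition without saying who establishes it, and with the keytab branch removed nothing in this method checks it any more. Going by the commit message and the third hunk, the login now happens during argument parsing, so I would word it as `// Keytab login, if requested, is performed in parseArgs() (ACCUMULO-3701); callers that bypass parseArgs() must log in through UserGroupInformation or kinit first.` A caller that is not logged in will presumably fail inside `token.init(props)` and surface only as the bare `RuntimeException(e)` in the catch that follows, so this comment is the only hint a reader gets. The method starts before this hunk and continues past it.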
@@ -159,7 +140,6 @@ public class ClientOpts extends Help {
       } catch (Exception e) {
         throw new RuntimeException(e);
       }
-
     }
 
     if (securePassword != null)
@@ -246,6 +226,22 @@ public class ClientOpts extends Help {
     final boolean clientConfSaslEnabled = Boolean.parseBoolean(clientConfig.get(ClientProperty.INSTANCE_RPC_SASL_ENABLED));
     if ((saslEnabled || clientConfSaslEnabled) && null == tokenClassName) {
       tokenClassName = KerberosToken.CLASS_NAME;
+      // ACCUMULO-3701 We need to ensure we're logged in before parseArgs returns as the
MapReduce Job is going to make a copy of the current user (UGI)
+      // when it is instantiated.
+      if (null != keytabPath) {
+        File keytab = new File(keytabPath);
+        if (!keytab.exists() || !keytab.isFile()) {
+          throw new IllegalArgumentException("Keytab isn't a normal file: " + keytabPath);
+        }
+        if (null == principal) {
+          throw new IllegalArgumentException("Principal must be provided if logging in via
Keytab");
+        }
+        try {
+          UserGroupInformation.loginUserFromKeytab(principal, keytab.getAbsolutePath());
+        } catch (IOException e) {
+          throw new RuntimeException("Failed to log in with keytab", e);
+        }
+      }
     }
   }
 
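Review bot: The keytab login is nested inside `if ((saslEnabled || clientConfSaslEnabled) && null == tokenClassName)`, so it runs only when the token class was left unset and defaulted here. The block removed in the first hunk logged in whenever `KerberosToken.CLASS_NAME.equals(tokenClassName)`, so a caller who names the Kerberos token class explicitly and passes a keytab appears to get no login on either path now, and a keytab supplied without SASL is silently ignored. Consider closing the defaulting `if` right after the assignment and guarding the login with `if (KerberosToken.CLASS_NAME.equals(tokenClassName) && null != keytabPath) {`. The enclosing method begins outside the hunk, so an earlier branch may already cover this; the test added in this commit exercises only the `--sasl` path.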

http://git-wip-us.apache.org/repos/asf/accumulo/blob/139c0027/test/src/test/java/org/apache/accumulo/test/security/KerberosClientOptsTest.java
----------------------------------------------------------------------
diff --git a/test/src/test/java/org/apache/accumulo/test/security/KerberosClientOptsTest.java
b/test/src/test/java/org/apache/accumulo/test/security/KerberosClientOptsTest.java
new file mode 100644
index 0000000..69c5811
--- /dev/null
+++ b/test/src/test/java/org/apache/accumulo/test/security/KerberosClientOptsTest.java
@@ -0,0 +1,89 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.accumulo.test.security;
+
+import static org.junit.Assert.assertEquals;
+
+import java.io.File;
+
+import org.apache.accumulo.core.cli.ClientOpts;
+import org.apache.accumulo.harness.TestingKdc;
+import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.fs.CommonConfigurationKeysPublic;
+import org.apache.hadoop.security.UserGroupInformation;
+import org.apache.hadoop.security.UserGroupInformation.AuthenticationMethod;
+import org.junit.AfterClass;
+import org.junit.Before;
+import org.junit.BeforeClass;
+import org.junit.Rule;
+import org.junit.Test;
+import org.junit.rules.TestName;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+/**
+ * Test that kerberos features work properly in {@link ClientOpts}
+ */
+public class KerberosClientOptsTest {
+  private static final Logger log = LoggerFactory.getLogger(KerberosClientOptsTest.class);
+
+  @Rule
+  public TestName testName = new TestName();
+
+  private static TestingKdc kdc;
+
+  @BeforeClass
+  public static void startKdc() throws Exception {
+    kdc = new TestingKdc();
+    kdc.start();
+  }
+
+  @AfterClass
+  public static void stopKdc() throws Exception {
+    if (null != kdc) {
+      kdc.stop();
+    }
+  }
+
+  @Before
+  public void resetUgiForKrb() {
+    Configuration conf = new Configuration(false);
+    conf.set(CommonConfigurationKeysPublic.HADOOP_SECURITY_AUTHENTICATION, "kerberos");
+    UserGroupInformation.setConfiguration(conf);
+  }
+
+  @Test
+  public void testParseArgsPerformsLogin() throws Exception {
+    String user = testName.getMethodName();
+    File userKeytab = new File(kdc.getKeytabDir(), user + ".keytab");
+    if (userKeytab.exists() && !userKeytab.delete()) {
+      log.warn("Unable to delete {}", userKeytab);
+    }
+
+    kdc.createPrincipal(userKeytab, user);
+
+    user = kdc.qualifyUser(user);
+
+    ClientOpts opts = new ClientOpts();
+    String[] args = new String[] {"--sasl", "--keytab", userKeytab.getAbsolutePath(), "-u",
user};
+    opts.parseArgs(testName.getMethodName(), args);
+
+    UserGroupInformation ugi = UserGroupInformation.getCurrentUser();
+    assertEquals(user, ugi.getUserName());
+    assertEquals(AuthenticationMethod.KERBEROS, ugi.getAuthenticationMethod());
+  }
+}
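Review bot: `resetUgiForKrb` switches the process-wide `UserGroupInformation` configuration to kerberos and `testParseArgsPerformsLogin` then logs in from a keytab, but nothing restores that state afterwards; `stopKdc` only stops the KDC. Tests that run later in the same JVM could inherit a Kerberos-configured UGI whose KDC is gone, so `stopKdc` should also reset it, for example with `UserGroupInformation.setConfiguration(new Configuration(false));`. The test covers only the successful login: the two `IllegalArgumentException` branches in ClientOpts (keytab not a regular file, missing principal) have no case here, and neither does an explicitly named Kerberos token class.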

