accumulo-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From els...@apache.org
Subject [1/6] accumulo git commit: ACCUMULO-4070 Backport server-side fix Kerberos renewal from ACCUMULO-4069
Date Thu, 03 Dec 2015 21:49:25 GMT
Repository: accumulo
Updated Branches:
  refs/heads/1.6 bd8cf5e21 -> 4d952ac07
  refs/heads/1.7 3aa9d307d -> c20996d83
  refs/heads/master 6e5fa1c6b -> f02a65cd2


ACCUMULO-4070 Backport server-side fix Kerberos renewal from ACCUMULO-4069


Project: http://git-wip-us.apache.org/repos/asf/accumulo/repo
Commit: http://git-wip-us.apache.org/repos/asf/accumulo/commit/4d952ac0
Tree: http://git-wip-us.apache.org/repos/asf/accumulo/tree/4d952ac0
Diff: http://git-wip-us.apache.org/repos/asf/accumulo/diff/4d952ac0

Branch: refs/heads/1.6
Commit: 4d952ac070c399cd16688eefd5d8a5c3f80e753c
Parents: bd8cf5e
Author: Josh Elser <elserj@apache.org>
Authored: Thu Dec 3 01:53:27 2015 -0500
Committer: Josh Elser <elserj@apache.org>
Committed: Thu Dec 3 16:20:56 2015 -0500

----------------------------------------------------------------------
 .../org/apache/accumulo/core/conf/Property.java |  2 +
 .../accumulo/server/security/SecurityUtil.java  | 47 ++++++++++++++++++--
 2 files changed, 45 insertions(+), 4 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/accumulo/blob/4d952ac0/core/src/main/java/org/apache/accumulo/core/conf/Property.java
----------------------------------------------------------------------
diff --git a/core/src/main/java/org/apache/accumulo/core/conf/Property.java b/core/src/main/java/org/apache/accumulo/core/conf/Property.java
index 6d1f043..632bb59 100644
--- a/core/src/main/java/org/apache/accumulo/core/conf/Property.java
+++ b/core/src/main/java/org/apache/accumulo/core/conf/Property.java
@@ -160,6 +160,8 @@ public enum Property {
   GENERAL_KERBEROS_KEYTAB("general.kerberos.keytab", "", PropertyType.PATH, "Path to the
kerberos keytab to use. Leave blank if not using kerberoized hdfs"),
   GENERAL_KERBEROS_PRINCIPAL("general.kerberos.principal", "", PropertyType.STRING, "Name
of the kerberos principal to use. _HOST will automatically be "
       + "replaced by the machines hostname in the hostname portion of the principal. Leave
blank if not using kerberoized hdfs"),
+  GENERAL_KERBEROS_RENEWAL_PERIOD("general.kerberos.renewal.period", "30s", PropertyType.TIMEDURATION,
"The amount of time between attempts to perform "
+      + "Kerberos ticket renewals. This does not equate to how often tickets are actually
renewed (which is performed at 80% of the ticket lifetime)."),
   GENERAL_MAX_MESSAGE_SIZE("general.server.message.size.max", "1G", PropertyType.MEMORY,
"The maximum size of a message that can be sent to a server."),
   @Experimental
   GENERAL_VOLUME_CHOOSER("general.volume.chooser", "org.apache.accumulo.server.fs.RandomVolumeChooser",
PropertyType.CLASSNAME,

http://git-wip-us.apache.org/repos/asf/accumulo/blob/4d952ac0/server/base/src/main/java/org/apache/accumulo/server/security/SecurityUtil.java
----------------------------------------------------------------------
diff --git a/server/base/src/main/java/org/apache/accumulo/server/security/SecurityUtil.java
b/server/base/src/main/java/org/apache/accumulo/server/security/SecurityUtil.java
index 42d1313..9e0eb04 100644
--- a/server/base/src/main/java/org/apache/accumulo/server/security/SecurityUtil.java
+++ b/server/base/src/main/java/org/apache/accumulo/server/security/SecurityUtil.java
@@ -21,6 +21,8 @@ import java.net.InetAddress;
 
 import org.apache.accumulo.core.conf.AccumuloConfiguration;
 import org.apache.accumulo.core.conf.Property;
+import org.apache.accumulo.core.util.Daemon;
+import org.apache.accumulo.fate.util.LoggingRunnable;
 import org.apache.hadoop.security.UserGroupInformation;
 import org.apache.log4j.Logger;
 
@@ -29,6 +31,7 @@ import org.apache.log4j.Logger;
  */
 public class SecurityUtil {
   private static final Logger log = Logger.getLogger(SecurityUtil.class);
+  private static final Logger renewalLog = Logger.getLogger("KerberosTicketRenewal");
   public static boolean usingKerberos = false;
 
   /**
@@ -48,11 +51,10 @@ public class SecurityUtil {
 
     if (login(principalConfig, keyTab)) {
       try {
-        // This spawns a thread to periodically renew the logged in (accumulo) user
-        UserGroupInformation.getLoginUser();
+        startTicketRenewalThread(UserGroupInformation.getCurrentUser(), acuConf.getTimeInMillis(Property.GENERAL_KERBEROS_RENEWAL_PERIOD));
         return;
-      } catch (IOException io) {
-        log.error("Error starting up renewal thread. This shouldn't be happenining.", io);
+      } catch (IOException e) {
+        log.error("Failed to obtain Kerberos user after successfully logging in", e);
       }
     }
 
@@ -80,4 +82,41 @@ public class SecurityUtil {
     }
     return false;
   }
+
+  /**
+   * Start a thread that periodically attempts to renew the current Kerberos user's ticket.
+   *
+   * @param ugi
+   *          The current Kerberos user.
+   * @param renewalPeriod
+   *          The amount of time between attempting renewals.
+   */
+  static void startTicketRenewalThread(final UserGroupInformation ugi, final long renewalPeriod)
{
+    Thread t = new Daemon(new LoggingRunnable(renewalLog, new Runnable() {
+      @Override
+      public void run() {
+        while (true) {
+          try {
+            renewalLog.debug("Invoking renewal attempt for Kerberos ticket");
+            // While we run this "frequently", the Hadoop implementation will only perform
the login at 80% of ticket lifetime.
+            ugi.checkTGTAndReloginFromKeytab();
+          } catch (IOException e) {
+            // Should failures to renew the ticket be retried more quickly?
+            renewalLog.error("Failed to renew Kerberos ticket", e);
+          }
+
+          // Wait for a bit before checking again.
+          try {
+            Thread.sleep(renewalPeriod);
+          } catch (InterruptedException e) {
+            renewalLog.error("Renewal thread interrupted", e);
+            Thread.currentThread().interrupt();
+            return;
+          }
+        }
+      }
+    }));
+    t.setName("Kerberos Ticket Renewal");
+    t.start();
+  }
 }


Mime
View raw message