accumulo-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From bus...@apache.org
Subject [1/3] accumulo git commit: ACCUMULO-4421 Check if the Trace User is expected to use Kerberos before attempting to login to Kerberos as the trace user.
Date Sat, 27 Aug 2016 01:08:40 GMT
Repository: accumulo
Updated Branches:
  refs/heads/1.8 c2900a380 -> e68b8dbc6


ACCUMULO-4421 Check if the Trace User is expected to use Kerberos before attempting to login
to Kerberos as the trace user.

Signed-off-by: Josh Elser <elserj@apache.org>


Project: http://git-wip-us.apache.org/repos/asf/accumulo/repo
Commit: http://git-wip-us.apache.org/repos/asf/accumulo/commit/d66a8d08
Tree: http://git-wip-us.apache.org/repos/asf/accumulo/tree/d66a8d08
Diff: http://git-wip-us.apache.org/repos/asf/accumulo/diff/d66a8d08

Branch: refs/heads/1.8
Commit: d66a8d08627e98e9bbdd2bd0b1ab4f4658a84d9f
Parents: 40d5a72
Author: Sean Busbey <busbey@cloudera.com>
Authored: Thu Aug 25 14:47:38 2016 -0500
Committer: Sean Busbey <busbey@cloudera.com>
Committed: Fri Aug 26 19:08:30 2016 -0500

----------------------------------------------------------------------
 .../org/apache/accumulo/tracer/TraceServer.java | 61 +++++++++++++-------
 1 file changed, 41 insertions(+), 20 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/accumulo/blob/d66a8d08/server/tracer/src/main/java/org/apache/accumulo/tracer/TraceServer.java
----------------------------------------------------------------------
diff --git a/server/tracer/src/main/java/org/apache/accumulo/tracer/TraceServer.java b/server/tracer/src/main/java/org/apache/accumulo/tracer/TraceServer.java
index 4b07dcc..2a06dc3 100644
--- a/server/tracer/src/main/java/org/apache/accumulo/tracer/TraceServer.java
+++ b/server/tracer/src/main/java/org/apache/accumulo/tracer/TraceServer.java
@@ -36,6 +36,7 @@ import org.apache.accumulo.core.client.IteratorSetting;
 import org.apache.accumulo.core.client.MutationsRejectedException;
 import org.apache.accumulo.core.client.security.tokens.AuthenticationToken;
 import org.apache.accumulo.core.client.security.tokens.AuthenticationToken.Properties;
+import org.apache.accumulo.core.client.security.tokens.KerberosToken;
 import org.apache.accumulo.core.client.security.tokens.PasswordToken;
 import org.apache.accumulo.core.conf.AccumuloConfiguration;
 import org.apache.accumulo.core.conf.Property;
@@ -306,30 +307,50 @@ public class TraceServer implements Watcher {
   }
 
   private static void loginTracer(AccumuloConfiguration acuConf) {
-    Map<String,String> loginMap = acuConf.getAllPropertiesWithPrefix(Property.TRACE_TOKEN_PROPERTY_PREFIX);
-    String keyTab = loginMap.get(Property.TRACE_TOKEN_PROPERTY_PREFIX.getKey() + "keytab");
-    if (keyTab == null || keyTab.length() == 0) {
-      keyTab = acuConf.getPath(Property.GENERAL_KERBEROS_KEYTAB);
-    }
-    if (keyTab == null || keyTab.length() == 0)
-      return;
+    try {
+      Class<? extends AuthenticationToken> traceTokenType = AccumuloVFSClassLoader.getClassLoader().loadClass(acuConf.get(Property.TRACE_TOKEN_TYPE))
+          .asSubclass(AuthenticationToken.class);
+
+      if (!(KerberosToken.class.isAssignableFrom(traceTokenType))) {
+        // We're not using Kerberos to talk to Accumulo, but we might still need it for talking
to HDFS/ZK for
+        // instance information.
+        log.info("Handling login under the assumption that Accumulo users are not using Kerberos.");
+        SecurityUtil.serverLogin(acuConf);
+      } else {
+        // We're using Kerberos to talk to Accumulo, so check for trace user specific auth
details.
+        // We presume this same user will have the needed access for the service to interact
with HDFS/ZK for
+        // instance information.
+        log.info("Handling login under the assumption that Accumulo users are using Kerberos.");
+        Map<String,String> loginMap = acuConf.getAllPropertiesWithPrefix(Property.TRACE_TOKEN_PROPERTY_PREFIX);
+        String keyTab = loginMap.get(Property.TRACE_TOKEN_PROPERTY_PREFIX.getKey() + "keytab");
+        if (keyTab == null || keyTab.length() == 0) {
+          keyTab = acuConf.getPath(Property.GENERAL_KERBEROS_KEYTAB);
+        }
+        if (keyTab == null || keyTab.length() == 0)
+          return;
 
-    String principalConfig = acuConf.get(Property.TRACE_USER);
-    if (principalConfig == null || principalConfig.length() == 0)
-      return;
+        String principalConfig = acuConf.get(Property.TRACE_USER);
+        if (principalConfig == null || principalConfig.length() == 0)
+          return;
 
-    log.info("Attempting to login as {} with {}", principalConfig, keyTab);
-    if (SecurityUtil.login(principalConfig, keyTab)) {
-      try {
-        // This spawns a thread to periodically renew the logged in (trace) user
-        UserGroupInformation.getLoginUser();
-        return;
-      } catch (IOException io) {
-        log.error("Error starting up renewal thread. This shouldn't be happening.", io);
+        log.info("Attempting to login as {} with {}", principalConfig, keyTab);
+        if (SecurityUtil.login(principalConfig, keyTab)) {
+          try {
+            // This spawns a thread to periodically renew the logged in (trace) user
+            UserGroupInformation.getLoginUser();
+            return;
+          } catch (IOException io) {
+            log.error("Error starting up renewal thread. This shouldn't be happening.", io);
+          }
+        }
+
+        throw new RuntimeException("Failed to perform Kerberos login for " + principalConfig
+ " using  " + keyTab);
       }
+    } catch (IOException | ClassNotFoundException exception) {
+      final String msg = String.format("Failed to retrieve trace user token information based
on property %1s.", Property.TRACE_TOKEN_TYPE);
+      log.error(msg, exception);
+      throw new RuntimeException(msg, exception);
     }
-
-    throw new RuntimeException("Failed to perform Kerberos login for " + principalConfig
+ " using  " + keyTab);
   }
 
   public static void main(String[] args) throws Exception {


Mime
View raw message