Return-Path: Delivered-To: apmail-hadoop-common-commits-archive@www.apache.org Received: (qmail 58734 invoked from network); 6 Jan 2011 18:35:08 -0000 Received: from hermes.apache.org (HELO mail.apache.org) (140.211.11.3) by minotaur.apache.org with SMTP; 6 Jan 2011 18:35:08 -0000 Received: (qmail 13913 invoked by uid 500); 6 Jan 2011 18:35:08 -0000 Delivered-To: apmail-hadoop-common-commits-archive@hadoop.apache.org Received: (qmail 13803 invoked by uid 500); 6 Jan 2011 18:35:08 -0000 Mailing-List: contact common-commits-help@hadoop.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: common-dev@hadoop.apache.org Delivered-To: mailing list common-commits@hadoop.apache.org Received: (qmail 13796 invoked by uid 99); 6 Jan 2011 18:35:08 -0000 Received: from nike.apache.org (HELO nike.apache.org) (192.87.106.230) by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 06 Jan 2011 18:35:08 +0000 X-ASF-Spam-Status: No, hits=-2000.0 required=10.0 tests=ALL_TRUSTED X-Spam-Check-By: apache.org Received: from [140.211.11.4] (HELO eris.apache.org) (140.211.11.4) by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 06 Jan 2011 18:35:05 +0000 Received: by eris.apache.org (Postfix, from userid 65534) id CADEF23888FE; Thu, 6 Jan 2011 18:34:44 +0000 (UTC) Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Subject: svn commit: r1055997 - in /hadoop/common/branches/branch-0.22: CHANGES.txt src/java/org/apache/hadoop/security/UserGroupInformation.java src/test/core/org/apache/hadoop/security/TestUserGroupInformation.java Date: Thu, 06 Jan 2011 18:34:44 -0000 To: common-commits@hadoop.apache.org 
From: todd@apache.org X-Mailer: svnmailer-1.0.8 Message-Id: <20110106183444.CADEF23888FE@eris.apache.org> X-Virus-Checked: Checked by ClamAV on apache.org Author: todd Date: Thu Jan 6 18:34:44 2011 New Revision: 1055997 URL: http://svn.apache.org/viewvc?rev=1055997&view=rev Log: HADOOP-7070. JAAS configuration should delegate unknown application names to pre-existing configuration. Contributed by Todd Lipcon Modified: hadoop/common/branches/branch-0.22/CHANGES.txt hadoop/common/branches/branch-0.22/src/java/org/apache/hadoop/security/UserGroupInformation.java hadoop/common/branches/branch-0.22/src/test/core/org/apache/hadoop/security/TestUserGroupInformation.java Modified: hadoop/common/branches/branch-0.22/CHANGES.txt URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-0.22/CHANGES.txt?rev=1055997&r1=1055996&r2=1055997&view=diff ============================================================================== --- hadoop/common/branches/branch-0.22/CHANGES.txt (original) +++ hadoop/common/branches/branch-0.22/CHANGES.txt Thu Jan 6 18:34:44 2011 @@ -360,6 +360,9 @@ Release 0.22.0 - Unreleased HADOOP-7082. Configuration.writeXML should not hold lock while outputting (todd) + HADOOP-7070. JAAS configuration should delegate unknown application names + to pre-existing configuration. (todd) + Release 0.21.1 - Unreleased IMPROVEMENTS Modified: hadoop/common/branches/branch-0.22/src/java/org/apache/hadoop/security/UserGroupInformation.java URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-0.22/src/java/org/apache/hadoop/security/UserGroupInformation.java?rev=1055997&r1=1055996&r2=1055997&view=diff ============================================================================== --- hadoop/common/branches/branch-0.22/src/java/org/apache/hadoop/security/UserGroupInformation.java (original) +++ hadoop/common/branches/branch-0.22/src/java/org/apache/hadoop/security/UserGroupInformation.java Thu Jan 6 18:34:44 2011 
@@ -245,9 +245,23 @@ public class UserGroupInformation { // Set the configuration for JAAS to be the Hadoop configuration. // This is done here rather than a static initializer to avoid a // circular dependence. - javax.security.auth.login.Configuration.setConfiguration - (new HadoopConfiguration()); - + javax.security.auth.login.Configuration existingConfig = null; + try { + existingConfig = + javax.security.auth.login.Configuration.getConfiguration(); + } catch (SecurityException se) { + // If no security configuration is on the classpath, then + // we catch this exception, and we don't need to delegate + // to anyone + } + + if (existingConfig instanceof HadoopConfiguration) { + LOG.info("JAAS Configuration already set up for Hadoop, not re-installing."); + } else { + javax.security.auth.login.Configuration.setConfiguration( + new HadoopConfiguration(existingConfig)); + } + isInitialized = true; UserGroupInformation.conf = conf; } @@ -395,6 +409,12 @@ public class UserGroupInformation { private static final AppConfigurationEntry[] KEYTAB_KERBEROS_CONF = new AppConfigurationEntry[]{KEYTAB_KERBEROS_LOGIN, HADOOP_LOGIN}; + private final javax.security.auth.login.Configuration parent; + + HadoopConfiguration(javax.security.auth.login.Configuration parent) { + this.parent = parent; + } + @Override public AppConfigurationEntry[] getAppConfigurationEntry(String appName) { if (SIMPLE_CONFIG_NAME.equals(appName)) { 
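Review bot: The empty `catch (SecurityException se)` around `Configuration.getConfiguration()` in the first UserGroupInformation hunk treats every failure as "no configuration present". A pre-existing login configuration that could not be read, or a denied permission, may raise the same exception; in that case Hadoop installs itself with a null parent and unknown application names resolve to nothing, with no trace of why. Logging the exception keeps that case diagnosable, e.g. `LOG.debug("No pre-existing JAAS configuration to delegate to", se);` in the catch body. The enclosing method starts above the hunk, so whether the get-then-set sequence is guarded against a concurrent `setConfiguration` cannot be confirmed from here.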
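Review bot: `HadoopConfiguration` now keeps a `parent` (second hunk, the new field and constructor), but nothing visible forwards `refresh()` to it. Once Hadoop's configuration is installed, a call to `Configuration.getConfiguration().refresh()` would presumably no longer reach the wrapped configuration. If no override exists outside this hunk, consider adding `@Override public void refresh() { if (parent != null) { parent.refresh(); } }`. The field also deserves a comment saying `parent` is null when no configuration was installed before Hadoop's. The class body starts and ends outside the hunk.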
@@ -405,6 +425,8 @@ public class UserGroupInformation { KEYTAB_KERBEROS_OPTIONS.put("keyTab", keytabFile); KEYTAB_KERBEROS_OPTIONS.put("principal", keytabPrincipal); return KEYTAB_KERBEROS_CONF; + } else if (parent != null) { + return parent.getAppConfigurationEntry(appName); } return null; } Modified: hadoop/common/branches/branch-0.22/src/test/core/org/apache/hadoop/security/TestUserGroupInformation.java URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-0.22/src/test/core/org/apache/hadoop/security/TestUserGroupInformation.java?rev=1055997&r1=1055996&r2=1055997&view=diff ============================================================================== --- hadoop/common/branches/branch-0.22/src/test/core/org/apache/hadoop/security/TestUserGroupInformation.java (original) +++ hadoop/common/branches/branch-0.22/src/test/core/org/apache/hadoop/security/TestUserGroupInformation.java Thu Jan 6 18:34:44 2011 @@ -21,6 +21,7 @@ import static org.junit.Assert.assertEqu import static org.junit.Assert.assertFalse; import static org.junit.Assert.assertTrue; import static org.junit.Assert.fail; +import org.mockito.Mockito; import static org.mockito.Mockito.mock; import java.io.BufferedReader; @@ -31,6 +32,7 @@ import java.util.ArrayList; import java.util.Collection; import java.util.List; +import javax.security.auth.login.AppConfigurationEntry; import javax.security.auth.login.LoginContext; import junit.framework.Assert; @@ -49,7 +51,11 @@ public class TestUserGroupInformation { final private static String[] GROUP_NAMES = new String[]{GROUP1_NAME, GROUP2_NAME, GROUP3_NAME}; + private static javax.security.auth.login.Configuration mockJaasConf; + static { + setupMockJaasParent(); + Configuration conf = new Configuration(); conf.set("hadoop.security.auth_to_local", "RULE:[2:$1@$0](.*@HADOOP.APACHE.ORG)s/@.*//" + 
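Review bot: The new `else if (parent != null)` branch in `getAppConfigurationEntry` is undocumented, although its position carries the security-relevant property of this change: the fallback is reached only after Hadoop's own application names have been matched, so a pre-existing configuration cannot redefine them. A comment above the branch would record that, for example `// Hadoop's own app names always win; only unknown names fall through to the pre-existing configuration.` The method begins outside the hunk, so the full set of names matched before the fallback is not visible here.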
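Review bot: In the test class's `static {}` block, the new `setupMockJaasParent()` call makes class initialization depend on JVM-wide state. The helper's `assertFalse` (defined in the last hunk of this file) fires if anything earlier in the same JVM has already installed Hadoop's configuration, and a failure inside a static initializer surfaces as a class-initialization error for every test in the class rather than as one readable failure. A comment at the call site would make the requirement explicit, e.g. `// Must run before anything in this JVM initializes UserGroupInformation; see setupMockJaasParent().` The static block continues outside the hunk, so what else it initializes afterwards is not visible here.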
@@ -346,4 +352,35 @@ public class TestUserGroupInformation { assertTrue(metrics.loginFailure.getPreviousIntervalAverageTime() > 0); } } + + /** + * Setup a JAAS Configuration that handles a fake app. + * This runs before UserGroupInformation has been initialized, + * so UGI picks up this Configuration as the parent. + */ + private static void setupMockJaasParent() { + javax.security.auth.login.Configuration existing = null; + try { + existing =javax.security.auth.login.Configuration.getConfiguration(); + assertFalse("setupMockJaasParent should run before the Hadoop " + + "configuration provider is installed.", + existing.getClass().getCanonicalName() + .startsWith("org.apache.hadoop")); + } catch (SecurityException se) { + // We get this if no configuration has been set. So it's OK. + } + + mockJaasConf = mock(javax.security.auth.login.Configuration.class); + Mockito.doReturn(new AppConfigurationEntry[] {}) + .when(mockJaasConf) + .getAppConfigurationEntry("foobar-app"); + javax.security.auth.login.Configuration.setConfiguration(mockJaasConf); + } + + @Test + public void testDelegateJaasConfiguration() throws Exception { + // This will throw if the Configuration doesn't have any entries + // for "foobar" + LoginContext login = new LoginContext("foobar-app"); + } }
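Review bot: `testDelegateJaasConfiguration` only checks that `new LoginContext("foobar-app")` does not throw and never confirms that the mock parent was actually consulted. The local `login` is unused, and the comment names "foobar" while the stubbed application name is "foobar-app". Adding `Mockito.verify(mockJaasConf).getAppConfigurationEntry("foobar-app");` after the constructor call would pin the delegation itself. Separately, `setupMockJaasParent` leaves the mock installed as the JVM-wide JAAS configuration and nothing visible restores the previous one, so later tests in the same JVM would inherit it.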