hadoop-common-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From omal...@apache.org
Subject svn commit: r1077294 - in /hadoop/common/branches/branch-0.20-security-patches/src: core/org/apache/hadoop/security/ hdfs/org/apache/hadoop/hdfs/server/namenode/ hdfs/org/apache/hadoop/hdfs/tools/ test/org/apache/hadoop/security/
Date Fri, 04 Mar 2011 04:00:41 GMT
Author: omalley
Date: Fri Mar  4 04:00:41 2011
New Revision: 1077294

URL: http://svn.apache.org/viewvc?rev=1077294&view=rev
Log:
commit 29a401193b1332f23fffcb3e9367e3d5748bc374
Author: Jakob Homan <jhoman@yahoo-inc.com>
Date:   Fri Mar 5 18:42:28 2010 -0800

    HADOOP:6603 from https://issues.apache.org/jira/secure/attachment/12437826/HADOOP-6603-Y20S-4.patch
    
    +++ b/YAHOO-CHANGES.txt
    +    HADOOP-6603. Provide workaround for issue with Kerberos not
    +    resolving corss-realm principal. (kan via jhoman)
    +

Added:
    hadoop/common/branches/branch-0.20-security-patches/src/core/org/apache/hadoop/security/SecurityUtil.java
    hadoop/common/branches/branch-0.20-security-patches/src/test/org/apache/hadoop/security/TestSecurityUtil.java
Modified:
    hadoop/common/branches/branch-0.20-security-patches/src/hdfs/org/apache/hadoop/hdfs/server/namenode/TransferFsImage.java
    hadoop/common/branches/branch-0.20-security-patches/src/hdfs/org/apache/hadoop/hdfs/tools/DelegationTokenFetcher.java

Added: hadoop/common/branches/branch-0.20-security-patches/src/core/org/apache/hadoop/security/SecurityUtil.java
URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-0.20-security-patches/src/core/org/apache/hadoop/security/SecurityUtil.java?rev=1077294&view=auto
==============================================================================
--- hadoop/common/branches/branch-0.20-security-patches/src/core/org/apache/hadoop/security/SecurityUtil.java
(added)
+++ hadoop/common/branches/branch-0.20-security-patches/src/core/org/apache/hadoop/security/SecurityUtil.java
Fri Mar  4 04:00:41 2011
@@ -0,0 +1,102 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with this
+ * work for additional information regarding copyright ownership. The ASF
+ * licenses this file to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+ * License for the specific language governing permissions and limitations under
+ * the License.
+ */
+package org.apache.hadoop.security;
+
+import java.io.IOException;
+import java.net.URL;
+import java.security.AccessController;
+import java.util.Set;
+
+import javax.security.auth.Subject;
+import javax.security.auth.kerberos.KerberosTicket;
+
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.apache.hadoop.security.UserGroupInformation;
+
+import sun.security.jgss.krb5.Krb5Util;
+import sun.security.krb5.Credentials;
+import sun.security.krb5.PrincipalName;
+
+public class SecurityUtil {
+  private static final Log LOG = LogFactory.getLog(SecurityUtil.class);
+
+  /**
+   * Find the original TGT within the current subject's credentials. Cross-realm
+   * TGT's of the form "krbtgt/TWO.COM@ONE.COM" may be present.
+   * 
+   * @return The TGT from the current subject
+   * @throws IOException
+   *           if TGT can't be found
+   */
+  private static KerberosTicket getTgtFromSubject() throws IOException {
+    Set<KerberosTicket> tickets = Subject.getSubject(
+        AccessController.getContext()).getPrivateCredentials(
+        KerberosTicket.class);
+    for (KerberosTicket t : tickets) {
+      if (isOriginalTGT(t.getServer().getName()))
+        return t;
+    }
+    throw new IOException("Failed to find TGT from current Subject");
+  }
+  
+  // Original TGT must be of form "krbtgt/FOO@FOO". Verify this
+  protected static boolean isOriginalTGT(String name) {
+    if(name == null) return false;
+    
+    String [] components = name.split("[/@]");
+
+    return components.length == 3 &&
+           "krbtgt".equals(components[0]) &&
+           components[1].equals(components[2]);
+  }
+
+  /**
+   * Explicitly pull the service ticket for the specified host.  This solves a
+   * problem with Java's Kerberos SSL problem where the client cannot 
+   * authenticate against a cross-realm service.  It is necessary for clients
+   * making kerberized https requests to call this method on the target URL
+   * to ensure that in a cross-realm environment the remote host will be 
+   * successfully authenticated.  
+   * 
+   * This method will be removed when the Java behavior is changed.
+   * 
+   * @param remoteHost Target URL the krb-https client will access
+   */
+  public static void fetchServiceTicket(URL remoteHost) throws IOException {
+    if(!UserGroupInformation.isSecurityEnabled())
+      return;
+    
+    String serviceName = "host/" + remoteHost.getHost();
+    LOG.debug("Fetching service ticket for host at: " + serviceName);
+    Credentials serviceCred = null;
+    try {
+      PrincipalName principal = new PrincipalName(serviceName,
+          PrincipalName.KRB_NT_SRV_HST);
+      serviceCred = Credentials.acquireServiceCreds(principal
+          .toString(), Krb5Util.ticketToCreds(getTgtFromSubject()));
+    } catch (Exception e) {
+      throw new IOException("Invalid service principal name: "
+          + serviceName, e);
+    }
+    if (serviceCred == null) {
+      throw new IOException("Can't get service ticket for " + serviceName);
+    }
+    Subject.getSubject(AccessController.getContext()).getPrivateCredentials()
+        .add(Krb5Util.credsToTicket(serviceCred));
+  }
+}

Modified: hadoop/common/branches/branch-0.20-security-patches/src/hdfs/org/apache/hadoop/hdfs/server/namenode/TransferFsImage.java
URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-0.20-security-patches/src/hdfs/org/apache/hadoop/hdfs/server/namenode/TransferFsImage.java?rev=1077294&r1=1077293&r2=1077294&view=diff
==============================================================================
--- hadoop/common/branches/branch-0.20-security-patches/src/hdfs/org/apache/hadoop/hdfs/server/namenode/TransferFsImage.java
(original)
+++ hadoop/common/branches/branch-0.20-security-patches/src/hdfs/org/apache/hadoop/hdfs/server/namenode/TransferFsImage.java
Fri Mar  4 04:00:41 2011
@@ -27,6 +27,7 @@ import javax.servlet.http.HttpServletReq
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.apache.hadoop.hdfs.protocol.FSConstants;
+import org.apache.hadoop.security.SecurityUtil;
 import org.apache.hadoop.hdfs.server.namenode.SecondaryNameNode.ErrorSimulator;
 import org.apache.hadoop.security.UserGroupInformation;
 
@@ -152,6 +153,9 @@ class TransferFsImage implements FSConst
     // open connection to remote server
     //
     URL url = new URL(str.toString());
+    
+    // Avoid Krb bug with cross-realm hosts
+    SecurityUtil.fetchServiceTicket(url);
     URLConnection connection = url.openConnection();
     InputStream stream = connection.getInputStream();
     FileOutputStream[] output = null;

Modified: hadoop/common/branches/branch-0.20-security-patches/src/hdfs/org/apache/hadoop/hdfs/tools/DelegationTokenFetcher.java
URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-0.20-security-patches/src/hdfs/org/apache/hadoop/hdfs/tools/DelegationTokenFetcher.java?rev=1077294&r1=1077293&r2=1077294&view=diff
==============================================================================
--- hadoop/common/branches/branch-0.20-security-patches/src/hdfs/org/apache/hadoop/hdfs/tools/DelegationTokenFetcher.java
(original)
+++ hadoop/common/branches/branch-0.20-security-patches/src/hdfs/org/apache/hadoop/hdfs/tools/DelegationTokenFetcher.java
Fri Mar  4 04:00:41 2011
@@ -30,6 +30,7 @@ import java.security.PrivilegedException
 import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.fs.FileSystem;
 import org.apache.hadoop.hdfs.DistributedFileSystem;
+import org.apache.hadoop.security.SecurityUtil;
 import org.apache.hadoop.hdfs.security.token.delegation.DelegationTokenIdentifier;
 import org.apache.hadoop.hdfs.server.namenode.DelegationTokenServlet;
 import org.apache.hadoop.io.Text;
@@ -127,6 +128,7 @@ public class DelegationTokenFetcher {
     ts.addToken(new Text(shortName), token);
     ts.write(out);
   }
+
   /**
    * Utility method to obtain a delegation token over http
    * @param nnHttpAddr Namenode http addr, such as http://namenode:50070
@@ -148,6 +150,7 @@ public class DelegationTokenFetcher {
      }
      System.out.println("Retrieving token from: " + url);
      URL remoteURL = new URL(url.toString());
+     SecurityUtil.fetchServiceTicket(remoteURL);
      URLConnection connection = remoteURL.openConnection();
      
      InputStream in = connection.getInputStream();

Added: hadoop/common/branches/branch-0.20-security-patches/src/test/org/apache/hadoop/security/TestSecurityUtil.java
URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-0.20-security-patches/src/test/org/apache/hadoop/security/TestSecurityUtil.java?rev=1077294&view=auto
==============================================================================
--- hadoop/common/branches/branch-0.20-security-patches/src/test/org/apache/hadoop/security/TestSecurityUtil.java
(added)
+++ hadoop/common/branches/branch-0.20-security-patches/src/test/org/apache/hadoop/security/TestSecurityUtil.java
Fri Mar  4 04:00:41 2011
@@ -0,0 +1,35 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with this
+ * work for additional information regarding copyright ownership. The ASF
+ * licenses this file to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+ * License for the specific language governing permissions and limitations under
+ * the License.
+ */
+package org.apache.hadoop.security;
+
+import static org.junit.Assert.*;
+import org.junit.Test;
+
+public class TestSecurityUtil {
+  @Test
+  public void isOriginalTGTReturnsCorrectValues() {
+    assertTrue(SecurityUtil.isOriginalTGT("krbtgt/foo@foo"));
+    assertTrue(SecurityUtil.isOriginalTGT("krbtgt/foo.bar.bat@foo.bar.bat"));
+    assertFalse(SecurityUtil.isOriginalTGT(null));
+    assertFalse(SecurityUtil.isOriginalTGT("blah"));
+    assertFalse(SecurityUtil.isOriginalTGT(""));
+    assertFalse(SecurityUtil.isOriginalTGT("krbtgt/hello"));
+    assertFalse(SecurityUtil.isOriginalTGT("/@"));
+    assertFalse(SecurityUtil.isOriginalTGT("this@is/notright"));
+    assertFalse(SecurityUtil.isOriginalTGT("krbtgt/foo@FOO"));
+  }
+}



Mime
View raw message