From omal...@apache.org
Subject svn commit: r1077331 - in /hadoop/common/branches/branch-0.20-security-patches/src: core/org/apache/hadoop/security/ hdfs/org/apache/hadoop/hdfs/server/namenode/
Date Fri, 04 Mar 2011 04:04:13 GMT
Author: omalley
Date: Fri Mar  4 04:04:13 2011
New Revision: 1077331

URL: http://svn.apache.org/viewvc?rev=1077331&view=rev
Log:
commit e563cb8d6f227da2933e842be75d24392bd7b9a4
Author: Jakob Homan <jhoman@yahoo-inc.com>
Date:   Wed Mar 17 20:32:34 2010 -0700

    HDFS:1045 from https://issues.apache.org/jira/secure/attachment/12439110/HDFS-1045-Y20.patch
    
    +++ b/YAHOO-CHANGES.txt
    +    HDFS-1045.  In secure clusters, re-login is necessary for https
    +    clients before opening connections (jhoman)
    +

Modified:
    hadoop/common/branches/branch-0.20-security-patches/src/core/org/apache/hadoop/security/UserGroupInformation.java
    hadoop/common/branches/branch-0.20-security-patches/src/hdfs/org/apache/hadoop/hdfs/server/namenode/GetImageServlet.java
    hadoop/common/branches/branch-0.20-security-patches/src/hdfs/org/apache/hadoop/hdfs/server/namenode/SecondaryNameNode.java

Modified: hadoop/common/branches/branch-0.20-security-patches/src/core/org/apache/hadoop/security/UserGroupInformation.java
URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-0.20-security-patches/src/core/org/apache/hadoop/security/UserGroupInformation.java?rev=1077331&r1=1077330&r2=1077331&view=diff
==============================================================================
--- hadoop/common/branches/branch-0.20-security-patches/src/core/org/apache/hadoop/security/UserGroupInformation.java
(original)
+++ hadoop/common/branches/branch-0.20-security-patches/src/core/org/apache/hadoop/security/UserGroupInformation.java
Fri Mar  4 04:04:13 2011
@@ -411,6 +411,45 @@ public class UserGroupInformation {
                             path, le);
     }
   }
+  /**
+   * Log a user in from a keytab file. Loads a user identity from a keytab
+   * file and login them in. This new user does not affect the currently
+   * logged-in user.
+   * @param user the principal name to load from the keytab
+   * @param path the path to the keytab file
+   * @throws IOException if the keytab file can't be read
+   */
+  public synchronized
+  static UserGroupInformation loginUserFromKeytabAndReturnUGI(String user,
+                                  String path
+                                  ) throws IOException {
+    if (!isSecurityEnabled())
+      return UserGroupInformation.getCurrentUser();
+    String oldKeytabFile = null;
+    String oldKeytabPrincipal = null;
+
+    try {
+      oldKeytabFile = keytabFile;
+      oldKeytabPrincipal = keytabPrincipal;
+      keytabFile = path;
+      keytabPrincipal = user;
+      Subject subject = new Subject();
+      LoginContext login = 
+        new LoginContext(HadoopConfiguration.KEYTAB_KERBEROS_CONFIG_NAME, subject); 
+       
+      login.login();
+      UserGroupInformation newLoginUser = new UserGroupInformation(subject);
+      newLoginUser.login = login;
+      
+      return newLoginUser;
+    } catch (LoginException le) {
+      throw new IOException("Login failure for " + user + " from keytab " + 
+                            path, le);
+    } finally {
+      if(oldKeytabFile != null) keytabFile = oldKeytabFile;
+      if(oldKeytabPrincipal != null) keytabPrincipal = oldKeytabPrincipal;
+    }
+  }
   
   /**
    * Re-Login a user in from a keytab file. Loads a user identity from a keytab
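Review bot: The `finally` block of the new `loginUserFromKeytabAndReturnUGI` only restores the static `keytabFile`/`keytabPrincipal` when the previous values were non-null, so on the first keytab login in a process the caller's principal and keytab path remain in the class-wide fields after the method returns and any later code that reads them sees the https principal instead of nothing; the restore should be unconditional, `keytabFile = oldKeytabFile;` and `keytabPrincipal = oldKeytabPrincipal;`. The temporary swap of those statics is presumably what the `KEYTAB_KERBEROS_CONFIG_NAME` login configuration reads, and `synchronized` on this static method serializes only callers of this method (and other static synchronized members), not instance code that may read the fields while a login is in flight — a comment stating that assumption would help the next maintainer. Neither `user` nor `path` is validated, so a null from an unset config key surfaces as a Kerberos failure for principal `null`; an explicit null check that throws `IOException` naming the missing argument before touching the statics would be clearer. Finally, the javadoc's "login them in" should read "logs them in".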

Modified: hadoop/common/branches/branch-0.20-security-patches/src/hdfs/org/apache/hadoop/hdfs/server/namenode/GetImageServlet.java
URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-0.20-security-patches/src/hdfs/org/apache/hadoop/hdfs/server/namenode/GetImageServlet.java?rev=1077331&r1=1077330&r2=1077331&view=diff
==============================================================================
--- hadoop/common/branches/branch-0.20-security-patches/src/hdfs/org/apache/hadoop/hdfs/server/namenode/GetImageServlet.java
(original)
+++ hadoop/common/branches/branch-0.20-security-patches/src/hdfs/org/apache/hadoop/hdfs/server/namenode/GetImageServlet.java
Fri Mar  4 04:04:13 2011
@@ -35,6 +35,7 @@ import javax.servlet.http.HttpServletRes
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.hdfs.DFSConfigKeys;
 import org.apache.hadoop.security.UserGroupInformation;
 import org.apache.hadoop.util.StringUtils;
 
@@ -55,7 +56,7 @@ public class GetImageServlet extends Htt
       ServletContext context = getServletContext();
       final FSImage nnImage = (FSImage)context.getAttribute("name.system.image");
       final TransferFsImage ff = new TransferFsImage(pmap, request, response);
-      Configuration conf = (Configuration)getServletContext().getAttribute("name.conf");
+      final Configuration conf = (Configuration)getServletContext().getAttribute("name.conf");
       if(UserGroupInformation.isSecurityEnabled() && 
           !isValidRequestor(request.getRemoteUser(), conf)) {
         response.sendError(HttpServletResponse.SC_FORBIDDEN, 
@@ -80,12 +81,30 @@ public class GetImageServlet extends Htt
           } else if (ff.putImage()) {
             // issue a HTTP get request to download the new fsimage 
             nnImage.validateCheckpointUpload(ff.getToken());
-            TransferFsImage.getFileClient(ff.getInfoServer(), "getimage=1", 
-                                          nnImage.getFsImageNameCheckpoint());
+            reloginIfNecessary().doAs(new PrivilegedExceptionAction<Void>() {
+              @Override
+              public Void run() throws Exception {
+                TransferFsImage.getFileClient(ff.getInfoServer(), "getimage=1", 
+                    nnImage.getFsImageNameCheckpoint());
+                return null;
+              }
+            });
+
             nnImage.checkpointUploadDone();
           }
           return null;
         }
+
+        // We may have lost our ticket since the last time we tried to open
+        // an http connection, so log in just in case.
+        private UserGroupInformation reloginIfNecessary() throws IOException {
+          // This method is only called on the NN, therefore it is safe to
+          // use these key values.
+          return UserGroupInformation
+          .loginUserFromKeytabAndReturnUGI(
+              conf.get(DFS_NAMENODE_KRB_HTTPS_USER_NAME_KEY), 
+              conf.get(DFSConfigKeys.DFS_NAMENODE_KEYTAB_FILE_KEY));
+        }
       });
 
     } catch (Exception ie) {
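Review bot: `reloginIfNecessary()` performs an unconditional fresh keytab login against the KDC on every checkpoint upload rather than only when the ticket has expired, so its name and the comment above it ("log in just in case") promise a check that the code does not make; either rename it or say in the comment that this is a full login costing one KDC round trip per checkpoint. The two `conf.get(...)` calls return null when the keys are unset, and that null then flows into `loginUserFromKeytabAndReturnUGI` and fails with a message about a `null` user; failing early with a message naming the missing key makes misconfiguration diagnosable. The enclosing `PrivilegedExceptionAction` and the `doAs` it is passed to begin before this hunk.
```java
        private UserGroupInformation reloginIfNecessary() throws IOException {
          // Runs on the NN only, so the NN's own https principal/keytab apply.
          // This is a full, unconditional keytab login (one KDC round trip per
          // checkpoint), not a refresh that is skipped when the ticket is valid.
          String principal = conf.get(DFS_NAMENODE_KRB_HTTPS_USER_NAME_KEY);
          String keytab = conf.get(DFSConfigKeys.DFS_NAMENODE_KEYTAB_FILE_KEY);
          if (principal == null || keytab == null) {
            throw new IOException("Cannot log in for https image transfer: "
                + DFS_NAMENODE_KRB_HTTPS_USER_NAME_KEY + " and "
                + DFSConfigKeys.DFS_NAMENODE_KEYTAB_FILE_KEY + " must both be set");
          }
          return UserGroupInformation.loginUserFromKeytabAndReturnUGI(principal, keytab);
        }
```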

Modified: hadoop/common/branches/branch-0.20-security-patches/src/hdfs/org/apache/hadoop/hdfs/server/namenode/SecondaryNameNode.java
URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-0.20-security-patches/src/hdfs/org/apache/hadoop/hdfs/server/namenode/SecondaryNameNode.java?rev=1077331&r1=1077330&r2=1077331&view=diff
==============================================================================
--- hadoop/common/branches/branch-0.20-security-patches/src/hdfs/org/apache/hadoop/hdfs/server/namenode/SecondaryNameNode.java
(original)
+++ hadoop/common/branches/branch-0.20-security-patches/src/hdfs/org/apache/hadoop/hdfs/server/namenode/SecondaryNameNode.java
Fri Mar  4 04:04:13 2011
@@ -379,6 +379,9 @@ public class SecondaryNameNode implement
                             "after creating edits.new");
     }
 
+    // We may have lost our ticket since last checkpoint, log in again, just in case
+    if(UserGroupInformation.isSecurityEnabled())
+      UserGroupInformation.getCurrentUser().reloginFromKeytab();
     downloadCheckpointFiles(sig);   // Fetch fsimage and edits
     doMerge(sig);                   // Do the merge
   


