Return-Path: X-Original-To: apmail-hadoop-common-commits-archive@www.apache.org Delivered-To: apmail-hadoop-common-commits-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id CE96FA67E for ; Thu, 24 Nov 2011 02:08:21 +0000 (UTC) Received: (qmail 43395 invoked by uid 500); 24 Nov 2011 02:08:21 -0000 Delivered-To: apmail-hadoop-common-commits-archive@hadoop.apache.org Received: (qmail 43371 invoked by uid 500); 24 Nov 2011 02:08:21 -0000 Mailing-List: contact common-commits-help@hadoop.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: common-dev@hadoop.apache.org Delivered-To: mailing list common-commits@hadoop.apache.org Received: (qmail 43364 invoked by uid 99); 24 Nov 2011 02:08:21 -0000 Received: from athena.apache.org (HELO athena.apache.org) (140.211.11.136) by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 24 Nov 2011 02:08:21 +0000 X-ASF-Spam-Status: No, hits=-2000.0 required=5.0 tests=ALL_TRUSTED X-Spam-Check-By: apache.org Received: from [140.211.11.4] (HELO eris.apache.org) (140.211.11.4) by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 24 Nov 2011 02:08:19 +0000 Received: from eris.apache.org (localhost [127.0.0.1]) by eris.apache.org (Postfix) with ESMTP id C30242388A32 for ; Thu, 24 Nov 2011 02:07:59 +0000 (UTC) Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Subject: svn commit: r1205704 - in /hadoop/common/branches/branch-0.20-security: ./ src/core/org/apache/hadoop/security/ src/core/org/apache/hadoop/security/authentication/client/ src/test/org/apache/hadoop/security/ Date: Thu, 24 Nov 2011 02:07:59 -0000 To: common-commits@hadoop.apache.org From: jitendra@apache.org X-Mailer: svnmailer-1.0.8-patched Message-Id: <20111124020759.C30242388A32@eris.apache.org> Author: jitendra Date: Thu Nov 24 02:07:57 2011 New Revision: 1205704 URL: http://svn.apache.org/viewvc?rev=1205704&view=rev Log: HADOOP-7853. multiple javax security configurations cause conflicts. Contributed by Daryn Sharp. Modified: hadoop/common/branches/branch-0.20-security/CHANGES.txt hadoop/common/branches/branch-0.20-security/src/core/org/apache/hadoop/security/SecurityUtil.java hadoop/common/branches/branch-0.20-security/src/core/org/apache/hadoop/security/UserGroupInformation.java hadoop/common/branches/branch-0.20-security/src/core/org/apache/hadoop/security/authentication/client/KerberosAuthenticator.java hadoop/common/branches/branch-0.20-security/src/test/org/apache/hadoop/security/TestUserGroupInformation.java Modified: hadoop/common/branches/branch-0.20-security/CHANGES.txt URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-0.20-security/CHANGES.txt?rev=1205704&r1=1205703&r2=1205704&view=diff ============================================================================== --- hadoop/common/branches/branch-0.20-security/CHANGES.txt (original) +++ hadoop/common/branches/branch-0.20-security/CHANGES.txt Thu Nov 24 02:07:57 2011 @@ -217,6 +217,9 @@ Release 0.20.205.1 - unreleased HDFS-611. Heartbeats times from Datanodes increase when there are plenty of blocks to delete. (Zheng Shao via jitendra) + HADOOP-7853. multiple javax security configurations cause conflicts. + (Daryn via jitendra) + Release 0.20.205.0 - 2011.10.06 NEW FEATURES Modified: hadoop/common/branches/branch-0.20-security/src/core/org/apache/hadoop/security/SecurityUtil.java URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-0.20-security/src/core/org/apache/hadoop/security/SecurityUtil.java?rev=1205704&r1=1205703&r2=1205704&view=diff ============================================================================== --- hadoop/common/branches/branch-0.20-security/src/core/org/apache/hadoop/security/SecurityUtil.java (original) +++ hadoop/common/branches/branch-0.20-security/src/core/org/apache/hadoop/security/SecurityUtil.java Thu Nov 24 02:07:57 2011 @@ -92,7 +92,7 @@ public class SecurityUtil { if (isOriginalTGT(t.getServer().getName())) return t; } - throw new IOException("Failed to find TGT from current Subject"); + throw new IOException("Failed to find TGT from current Subject:"+current); } // Original TGT must be of form "krbtgt/FOO@FOO". Verify this Modified: hadoop/common/branches/branch-0.20-security/src/core/org/apache/hadoop/security/UserGroupInformation.java URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-0.20-security/src/core/org/apache/hadoop/security/UserGroupInformation.java?rev=1205704&r1=1205703&r2=1205704&view=diff ============================================================================== --- hadoop/common/branches/branch-0.20-security/src/core/org/apache/hadoop/security/UserGroupInformation.java (original) +++ hadoop/common/branches/branch-0.20-security/src/core/org/apache/hadoop/security/UserGroupInformation.java Thu Nov 24 02:07:57 2011 @@ -93,18 +93,30 @@ public class UserGroupInformation { @Override public boolean commit() throws LoginException { + if (LOG.isDebugEnabled()) { + LOG.debug("hadoop login commit"); + } // if we already have a user, we are done. if (!subject.getPrincipals(User.class).isEmpty()) { + if (LOG.isDebugEnabled()) { + LOG.debug("using existing subject:"+subject.getPrincipals()); + } return true; } Principal user = null; // if we are using kerberos, try it out if (useKerberos) { user = getCanonicalUser(KerberosPrincipal.class); + if (LOG.isDebugEnabled()) { + LOG.debug("using kerberos user:"+user); + } } // if we don't have a kerberos user, use the OS user if (user == null) { user = getCanonicalUser(OS_PRINCIPAL_CLASS); + if (LOG.isDebugEnabled()) { + LOG.debug("using local user:"+user); + } } // if we found the user, add our principal if (user != null) { @@ -123,11 +135,17 @@ public class UserGroupInformation { @Override public boolean login() throws LoginException { + if (LOG.isDebugEnabled()) { + LOG.debug("hadoop login"); + } return true; } @Override public boolean logout() throws LoginException { + if (LOG.isDebugEnabled()) { + LOG.debug("hadoop logout"); + } return true; } } @@ -179,11 +197,6 @@ public class UserGroupInformation { if (!(groups instanceof TestingGroups)) { groups = Groups.getUserToGroupsMappingService(conf); } - // Set the configuration for JAAS to be the Hadoop configuration. - // This is done here rather than a static initializer to avoid a - // circular dependence. - javax.security.auth.login.Configuration.setConfiguration - (new HadoopConfiguration()); // give the configuration on how to translate Kerberos names try { KerberosName.setConfiguration(conf); @@ -356,6 +369,11 @@ public class UserGroupInformation { } } + private static LoginContext + newLoginContext(String appName, Subject subject) throws LoginException { + return new LoginContext(appName, subject, null, new HadoopConfiguration()); + } + private LoginContext getLogin() { return user.getLogin(); } @@ -407,9 +425,9 @@ public class UserGroupInformation { Subject subject = new Subject(); LoginContext login; if (isSecurityEnabled()) { - login = new LoginContext(HadoopConfiguration.USER_KERBEROS_CONFIG_NAME, subject); + login = newLoginContext(HadoopConfiguration.USER_KERBEROS_CONFIG_NAME, subject); } else { - login = new LoginContext(HadoopConfiguration.SIMPLE_CONFIG_NAME, subject); + login = newLoginContext(HadoopConfiguration.SIMPLE_CONFIG_NAME, subject); } login.login(); loginUser = new UserGroupInformation(subject); @@ -432,6 +450,9 @@ public class UserGroupInformation { } catch (LoginException le) { throw new IOException("failure to login", le); } + if (LOG.isDebugEnabled()) { + LOG.debug("UGI loginUser:"+loginUser); + } } return loginUser; } @@ -556,7 +577,7 @@ public class UserGroupInformation { } try { login = - new LoginContext(HadoopConfiguration.KEYTAB_KERBEROS_CONFIG_NAME, subject); + newLoginContext(HadoopConfiguration.KEYTAB_KERBEROS_CONFIG_NAME, subject); start = System.currentTimeMillis(); login.login(); metrics.addLoginSuccess(System.currentTimeMillis() - start); @@ -602,7 +623,7 @@ public class UserGroupInformation { //login and also update the subject field of this instance to //have the new credentials (pass it to the LoginContext constructor) login = - new LoginContext(HadoopConfiguration.USER_KERBEROS_CONFIG_NAME, + newLoginContext(HadoopConfiguration.USER_KERBEROS_CONFIG_NAME, getSubject()); LOG.info("Initiating re-login for " + getUserName()); login.login(); @@ -639,7 +660,7 @@ public class UserGroupInformation { Subject subject = new Subject(); LoginContext login = - new LoginContext(HadoopConfiguration.KEYTAB_KERBEROS_CONFIG_NAME, subject); + newLoginContext(HadoopConfiguration.KEYTAB_KERBEROS_CONFIG_NAME, subject); start = System.currentTimeMillis(); login.login(); @@ -713,7 +734,7 @@ public class UserGroupInformation { //login and also update the subject field of this instance to //have the new credentials (pass it to the LoginContext constructor) login = - new LoginContext(HadoopConfiguration.KEYTAB_KERBEROS_CONFIG_NAME, + newLoginContext(HadoopConfiguration.KEYTAB_KERBEROS_CONFIG_NAME, getSubject()); LOG.info("Initiating re-login for " + keytabPrincipal); start = System.currentTimeMillis(); @@ -976,11 +997,10 @@ public class UserGroupInformation { */ @Override public String toString() { - if (getRealUser() != null) { - return getUserName() + " via " + getRealUser().toString(); - } else { - return getUserName(); - } + String me = (getRealUser() != null) + ? getUserName() + " via " + getRealUser().toString() + : getUserName(); + return me + " (auth:"+getAuthenticationMethod()+")"; } /** @@ -1039,6 +1059,7 @@ public class UserGroupInformation { * @return the value from the run method */ public T doAs(PrivilegedAction action) { + logPriviledgedAction(subject, action); return Subject.doAs(subject, action); } @@ -1056,9 +1077,11 @@ public class UserGroupInformation { public T doAs(PrivilegedExceptionAction action ) throws IOException, InterruptedException { try { + logPriviledgedAction(subject, action); return Subject.doAs(subject, action); } catch (PrivilegedActionException pae) { Throwable cause = pae.getCause(); + LOG.error("PriviledgedActionException as:"+this+" cause:"+cause); if (cause instanceof IOException) { throw (IOException) cause; } else if (cause instanceof Error) { @@ -1073,6 +1096,14 @@ public class UserGroupInformation { } } + private void logPriviledgedAction(Subject subject, Object action) { + if (LOG.isDebugEnabled()) { + // would be nice if action included a descriptive toString() + String where = new Throwable().getStackTrace()[2].toString(); + LOG.debug("PriviledgedAction as:"+this+" from:"+where); + } + } + private void print() throws IOException { System.out.println("User: " + getUserName()); System.out.print("Group Ids: "); Modified: hadoop/common/branches/branch-0.20-security/src/core/org/apache/hadoop/security/authentication/client/KerberosAuthenticator.java URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-0.20-security/src/core/org/apache/hadoop/security/authentication/client/KerberosAuthenticator.java?rev=1205704&r1=1205703&r2=1205704&view=diff ============================================================================== --- hadoop/common/branches/branch-0.20-security/src/core/org/apache/hadoop/security/authentication/client/KerberosAuthenticator.java (original) +++ hadoop/common/branches/branch-0.20-security/src/core/org/apache/hadoop/security/authentication/client/KerberosAuthenticator.java Thu Nov 24 02:07:57 2011 @@ -110,10 +110,6 @@ public class KerberosAuthenticator imple } } - static { - javax.security.auth.login.Configuration.setConfiguration(new KerberosConfiguration()); - } - private URL url; private HttpURLConnection conn; private Base64 base64; @@ -187,7 +183,8 @@ public class KerberosAuthenticator imple Subject subject = Subject.getSubject(context); if (subject == null) { subject = new Subject(); - LoginContext login = new LoginContext("", subject); + LoginContext login = new LoginContext("", subject, + null, new KerberosConfiguration()); login.login(); } Subject.doAs(subject, new PrivilegedExceptionAction() { Modified: hadoop/common/branches/branch-0.20-security/src/test/org/apache/hadoop/security/TestUserGroupInformation.java URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-0.20-security/src/test/org/apache/hadoop/security/TestUserGroupInformation.java?rev=1205704&r1=1205703&r2=1205704&view=diff ============================================================================== --- hadoop/common/branches/branch-0.20-security/src/test/org/apache/hadoop/security/TestUserGroupInformation.java (original) +++ hadoop/common/branches/branch-0.20-security/src/test/org/apache/hadoop/security/TestUserGroupInformation.java Thu Nov 24 02:07:57 2011 @@ -31,6 +31,9 @@ import java.security.PrivilegedException import java.util.ArrayList; import java.util.Collection; import java.util.List; + +import javax.security.auth.login.AppConfigurationEntry; + import junit.framework.Assert; import org.apache.hadoop.conf.Configuration; @@ -49,7 +52,22 @@ public class TestUserGroupInformation { final private static String[] GROUP_NAMES = new String[]{GROUP1_NAME, GROUP2_NAME, GROUP3_NAME}; + // UGI should not use the default security conf, else it will collide + // with other classes that may change the default conf. Using this dummy + // class that simply throws an exception will ensure that the tests fail + // if UGI uses the static default config instead of its own config + private static class DummyLoginConfiguration extends + javax.security.auth.login.Configuration + { + @Override + public AppConfigurationEntry[] getAppConfigurationEntry(String name) { + throw new RuntimeException("UGI is not using its own security conf!"); + } + } + static { + javax.security.auth.login.Configuration.setConfiguration( + new DummyLoginConfiguration()); Configuration conf = new Configuration(); conf.set("hadoop.security.auth_to_local", "RULE:[2:$1@$0](.*@HADOOP.APACHE.ORG)s/@.*//" +