hadoop-common-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From ji...@apache.org
Subject [05/10] git commit: HADOOP-10982
Date Wed, 17 Sep 2014 20:17:52 GMT
HADOOP-10982


Project: http://git-wip-us.apache.org/repos/asf/hadoop/repo
Commit: http://git-wip-us.apache.org/repos/asf/hadoop/commit/d9a86031
Tree: http://git-wip-us.apache.org/repos/asf/hadoop/tree/d9a86031
Diff: http://git-wip-us.apache.org/repos/asf/hadoop/diff/d9a86031

Branch: refs/heads/HDFS-6584
Commit: d9a86031a077184d429dd5463e7da156df112011
Parents: 0a495be
Author: Alejandro Abdelnur <tucu@apache.org>
Authored: Tue Sep 16 23:07:01 2014 -0700
Committer: Alejandro Abdelnur <tucu@apache.org>
Committed: Wed Sep 17 11:08:00 2014 -0700

----------------------------------------------------------------------
 .../crypto/key/kms/KMSClientProvider.java       |  3 ++
 .../hadoop-kms/src/site/apt/index.apt.vm        | 26 +++++++++-
 .../hadoop/crypto/key/kms/server/TestKMS.java   | 54 ++++++++++++++++----
 3 files changed, 72 insertions(+), 11 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/hadoop/blob/d9a86031/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/kms/KMSClientProvider.java
----------------------------------------------------------------------
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/kms/KMSClientProvider.java
b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/kms/KMSClientProvider.java
index 899b6c4..a97463a 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/kms/KMSClientProvider.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/kms/KMSClientProvider.java
@@ -45,6 +45,7 @@ import java.io.InputStream;
 import java.io.OutputStream;
 import java.io.OutputStreamWriter;
 import java.io.Writer;
+import java.lang.reflect.UndeclaredThrowableException;
 import java.net.HttpURLConnection;
 import java.net.SocketTimeoutException;
 import java.net.URI;
@@ -400,6 +401,8 @@ public class KMSClientProvider extends KeyProvider implements CryptoExtension,
       });
     } catch (IOException ex) {
       throw ex;
+    } catch (UndeclaredThrowableException ex) {
+      throw new IOException(ex.getUndeclaredThrowable());
     } catch (Exception ex) {
       throw new IOException(ex);
     }

http://git-wip-us.apache.org/repos/asf/hadoop/blob/d9a86031/hadoop-common-project/hadoop-kms/src/site/apt/index.apt.vm
----------------------------------------------------------------------
diff --git a/hadoop-common-project/hadoop-kms/src/site/apt/index.apt.vm b/hadoop-common-project/hadoop-kms/src/site/apt/index.apt.vm
index 5fded92..682f479 100644
--- a/hadoop-common-project/hadoop-kms/src/site/apt/index.apt.vm
+++ b/hadoop-common-project/hadoop-kms/src/site/apt/index.apt.vm
@@ -602,7 +602,31 @@ $ keytool -genkey -alias tomcat -keyalg RSA
 
 *** HTTP Kerberos Principals Configuration
 
-  TBD
+  When KMS instances are behind a load-balancer or VIP, clients will use the
+  hostname of the VIP. For Kerberos SPNEGO authentication, the hostname of the
+  URL is used to construct the Kerberos service name of the server,
+  <<<HTTP/#HOSTNAME#>>>. This means that all KMS instances must have have
a
+  Kerberos service name with the load-balancer or VIP hostname.
+
+  In order to be able to access directly a specific KMS instance, the KMS
+  instance must also have Kebero service name with its own hostname. This is
+  require for monitoring and admin purposes.
+
+  Both Kerberos service principal credentials (for the load-balancer/VIP
+  hostname and for the actual KMS instance hostname) must be in the keytab file
+  configured for authentication. And the principal name specified in the
+  configuration must be '*'. For example:
+
++---+
+  <property>
+    <name>hadoop.kms.authentication.kerberos.principal</name>
+    <value>*</value>
+  </property>
++---+
+
+  <<NOTE:>> If using HTTPS, the SSL certificate used by the KMS instance must
+  be configured to support multiple hostnames (see Java 7
+  <<<keytool>> SAN extension support for details on how to do this).
 
 *** HTTP Authentication Signature
 

http://git-wip-us.apache.org/repos/asf/hadoop/blob/d9a86031/hadoop-common-project/hadoop-kms/src/test/java/org/apache/hadoop/crypto/key/kms/server/TestKMS.java
----------------------------------------------------------------------
diff --git a/hadoop-common-project/hadoop-kms/src/test/java/org/apache/hadoop/crypto/key/kms/server/TestKMS.java
b/hadoop-common-project/hadoop-kms/src/test/java/org/apache/hadoop/crypto/key/kms/server/TestKMS.java
index cdb3c7f..42afe19 100644
--- a/hadoop-common-project/hadoop-kms/src/test/java/org/apache/hadoop/crypto/key/kms/server/TestKMS.java
+++ b/hadoop-common-project/hadoop-kms/src/test/java/org/apache/hadoop/crypto/key/kms/server/TestKMS.java
@@ -32,6 +32,7 @@ import org.apache.hadoop.minikdc.MiniKdc;
 import org.apache.hadoop.security.Credentials;
 import org.apache.hadoop.security.SecurityUtil;
 import org.apache.hadoop.security.UserGroupInformation;
+import org.apache.hadoop.security.authentication.client.AuthenticationException;
 import org.apache.hadoop.security.authorize.AuthorizationException;
 import org.apache.hadoop.security.ssl.KeyStoreTestUtil;
 import org.junit.AfterClass;
@@ -209,6 +210,7 @@ public class TestKMS {
     keytab = new File(kdcDir, "keytab");
     List<String> principals = new ArrayList<String>();
     principals.add("HTTP/localhost");
+    principals.add("HTTP/127.0.0.1");
     principals.add("client");
     principals.add("hdfs");
     principals.add("otheradmin");
@@ -251,8 +253,8 @@ public class TestKMS {
     }
   }
 
-  public void testStartStop(final boolean ssl, final boolean kerberos)
-      throws Exception {
+  public void testStartStop(final boolean ssl, final boolean kerberos,
+      final boolean multipleServerPrincipals) throws Exception {
     Configuration conf = new Configuration();
     if (kerberos) {
       conf.set("hadoop.security.authentication", "kerberos");
@@ -278,7 +280,12 @@ public class TestKMS {
       conf.set("hadoop.kms.authentication.type", "kerberos");
       conf.set("hadoop.kms.authentication.kerberos.keytab",
           keytab.getAbsolutePath());
-      conf.set("hadoop.kms.authentication.kerberos.principal", "HTTP/localhost");
+      if (multipleServerPrincipals) {
+        conf.set("hadoop.kms.authentication.kerberos.principal", "*");
+      } else {
+        conf.set("hadoop.kms.authentication.kerberos.principal",
+            "HTTP/localhost");
+      }
       conf.set("hadoop.kms.authentication.kerberos.name.rules", "DEFAULT");
     }
 
@@ -291,21 +298,42 @@ public class TestKMS {
         URL url = getKMSUrl();
         Assert.assertEquals(keystore != null,
             url.getProtocol().equals("https"));
-        final URI uri = createKMSUri(getKMSUrl());
 
         if (kerberos) {
           for (String user : new String[]{"client", "client/host"}) {
             doAs(user, new PrivilegedExceptionAction<Void>() {
               @Override
               public Void run() throws Exception {
-                final KeyProvider kp = new KMSClientProvider(uri, conf);
+                URI uri = createKMSUri(getKMSUrl());
+                KeyProvider kp = new KMSClientProvider(uri, conf);
                 // getKeys() empty
                 Assert.assertTrue(kp.getKeys().isEmpty());
+
+                if (!ssl) {
+                  String url = getKMSUrl().toString();
+                  url = url.replace("localhost", "127.0.0.1");
+                  uri = createKMSUri(new URL(url));
+                  if (multipleServerPrincipals) {
+                    kp = new KMSClientProvider(uri, conf);
+                    // getKeys() empty
+                    Assert.assertTrue(kp.getKeys().isEmpty());
+                  } else {
+                    kp = new KMSClientProvider(uri, conf);
+                    try {
+                      kp.getKeys().isEmpty();
+                      Assert.fail();
+                    } catch (IOException ex) {
+                      Assert.assertEquals(AuthenticationException.class,
+                          ex.getCause().getClass());
+                    }
+                  }
+                }
                 return null;
               }
             });
           }
         } else {
+          URI uri = createKMSUri(getKMSUrl());
           KeyProvider kp = new KMSClientProvider(uri, conf);
           // getKeys() empty
           Assert.assertTrue(kp.getKeys().isEmpty());
@@ -317,22 +345,27 @@ public class TestKMS {
 
   @Test
   public void testStartStopHttpPseudo() throws Exception {
-    testStartStop(false, false);
+    testStartStop(false, false, false);
   }
 
   @Test
   public void testStartStopHttpsPseudo() throws Exception {
-    testStartStop(true, false);
+    testStartStop(true, false, false);
   }
 
   @Test
   public void testStartStopHttpKerberos() throws Exception {
-    testStartStop(false, true);
+    testStartStop(false, true, false);
   }
 
   @Test
   public void testStartStopHttpsKerberos() throws Exception {
-    testStartStop(true, true);
+    testStartStop(true, true, false);
+  }
+
+  @Test
+  public void testStartStopHttpsKerberosMultiplePrincipals() throws Exception {
+    testStartStop(false, true, true);
   }
 
   @Test
@@ -1340,7 +1373,8 @@ public class TestKMS {
           KeyProvider kp = new KMSClientProvider(uri, conf);
           kp.createKey("kA", new KeyProvider.Options(conf));
         } catch (IOException ex) {
-          System.out.println(ex.getMessage());
+          Assert.assertEquals(AuthenticationException.class,
+              ex.getCause().getClass());
         }
 
         doAs("client", new PrivilegedExceptionAction<Void>() {


Mime
View raw message