From: stevel@apache.org To: common-commits@hadoop.apache.org Message-Id: X-Mailer: ASF-Git Admin Mailer Subject: hadoop git commit: HADOOP-13018. Make Kdiag check whether hadoop.token.files points to existent and valid files. Contributed by Ravi Prakash Date: Thu, 24 Nov 2016 16:42:22 +0000 (UTC) archived-at: Thu, 24 Nov 2016 16:42:24 -0000 Repository: hadoop Updated Branches: refs/heads/branch-2 c28dc5e5a -> 89614f535 HADOOP-13018. Make Kdiag check whether hadoop.token.files points to existent and valid files. Contributed by Ravi Prakash Project: http://git-wip-us.apache.org/repos/asf/hadoop/repo Commit: http://git-wip-us.apache.org/repos/asf/hadoop/commit/89614f53 Tree: http://git-wip-us.apache.org/repos/asf/hadoop/tree/89614f53 Diff: http://git-wip-us.apache.org/repos/asf/hadoop/diff/89614f53 Branch: refs/heads/branch-2 Commit: 89614f5355d2ca5d9f7458e7226fa206a509999b Parents: c28dc5e Author: Steve Loughran Authored: Thu Nov 24 16:41:35 2016 +0000 Committer: Steve Loughran Committed: Thu Nov 24 16:41:35 2016 +0000 ---------------------------------------------------------------------- .../java/org/apache/hadoop/security/KDiag.java | 67 ++++++++++++++++++++ .../apache/hadoop/security/TestKDiagNoKDC.java | 8 +++ 2 files changed, 75 insertions(+) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/hadoop/blob/89614f53/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/KDiag.java ----------------------------------------------------------------------
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/KDiag.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/KDiag.java
index 6cef962..2567a90 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/KDiag.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/KDiag.java
@@ -37,6 +37,7 @@ import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import javax.crypto.Cipher;
+
 import java.io.Closeable;
 import java.io.File;
 import java.io.FileInputStream;
@@ -60,6 +61,7 @@ import static org.apache.hadoop.security.UserGroupInformation.*;
 import static org.apache.hadoop.security.authentication.util.KerberosUtil.*;
 import static org.apache.hadoop.util.StringUtils.popOption;
 import static org.apache.hadoop.util.StringUtils.popOptionWithArgument;
+import static org.apache.hadoop.fs.CommonConfigurationKeysPublic.HADOOP_TOKEN_FILES;
 /**
 * Kerberos diagnostics
@@ -144,6 +146,7 @@ public class KDiag extends Configured implements Tool, Closeable {
 public static final String CAT_OS = "JAAS";
 public static final String CAT_SASL = "SASL";
 public static final String CAT_UGI = "UGI";
+ public static final String CAT_TOKEN = "TOKEN";
 public static final String ARG_KEYLEN = "--keylen";
 public static final String ARG_KEYTAB = "--keytab";
@@ -370,6 +373,7 @@ public class KDiag extends Configured implements Tool, Closeable {
 try {
 UserGroupInformation.setConfiguration(conf);
+ validateHadoopTokenFiles(conf);
 validateKrb5File();
 printDefaultRealm();
 validateSasl(HADOOP_SECURITY_SASL_PROPS_RESOLVER_CLASS);
@@ -500,6 +504,47 @@ public class KDiag extends Configured implements Tool, Closeable {
 }
 /**
+ * Validate that hadoop.token.files (if specified) exist and are valid.
+ * @throws ClassNotFoundException
+ * @throws SecurityException
+ * @throws NoSuchMethodException
+ * @throws KerberosDiagsFailure
+ */
+ private void validateHadoopTokenFiles(Configuration conf)
+ throws ClassNotFoundException, KerberosDiagsFailure, NoSuchMethodException,
+ SecurityException {
+ title("Locating Hadoop token files");
+
+ String tokenFileLocation = System.getProperty(HADOOP_TOKEN_FILES);
+ if(tokenFileLocation != null) {
+ println("Found " + HADOOP_TOKEN_FILES + " in system properties : " +
+ tokenFileLocation);
+ }
+
+ if(conf.get(HADOOP_TOKEN_FILES) != null) {
+ println("Found " + HADOOP_TOKEN_FILES + " in hadoop configuration : " +
+ conf.get(HADOOP_TOKEN_FILES));
+ if(System.getProperty(HADOOP_TOKEN_FILES) != null) {
+ println(HADOOP_TOKEN_FILES + " in the system properties overrides the" +
+ " one specified in hadoop configuration");
+ } else {
+ tokenFileLocation = conf.get(HADOOP_TOKEN_FILES);
+ }
+ }
+
+ if (tokenFileLocation != null) {
+ for (String tokenFileName:
+ StringUtils.getTrimmedStrings(tokenFileLocation)) {
+ if (tokenFileName.length() > 0) {
+ File tokenFile = new File(tokenFileName);
+ verifyFileIsValid(tokenFile, CAT_TOKEN, "token");
+ verify(tokenFile, conf, CAT_TOKEN, "token");
+ }
+ }
+ }
+ }
+
+ /**
 * Locate the {@code krb5.conf} file and dump it.
 *
 * No-op on windows.
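Review bot: In the per-file loop of `validateHadoopTokenFiles`, the result of `verifyFileIsValid` is discarded, so when `nofail` is set a missing or unreadable token file is reported there and then still handed to `verify`, which tries to parse it and reports a second, less specific error. Assuming `verifyFileIsValid` returns a boolean the way the new `verify` does (its definition is outside this hunk), gate the parse on it: `if (verifyFileIsValid(tokenFile, CAT_TOKEN, "token")) { verify(tokenFile, conf, CAT_TOKEN, "token"); }`. The `throws` clause and Javadoc also declare `ClassNotFoundException`, `NoSuchMethodException` and `SecurityException`, which nothing visible in the body raises; trimming them to `KerberosDiagsFailure` and adding an `@param conf` tag would keep the documented contract accurate. The precedence branch could reuse `tokenFileLocation` rather than calling `System.getProperty(HADOOP_TOKEN_FILES)` a second time.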
@@ -919,6 +964,28 @@ public class KDiag extends Configured implements Tool, Closeable {
 }
 /**
+ * Verify that tokenFile contains valid Credentials.
+ *
+ * If not, an exception is raised, or, if {@link #nofail} is set,
+ * an error will be logged and the method return false.
+ *
+ */
+ private boolean verify(File tokenFile, Configuration conf, String category,
+ String message) throws KerberosDiagsFailure {
+ try {
+ Credentials.readTokenStorageFile(tokenFile, conf);
+ } catch(Exception e) {
+ if (!nofail) {
+ fail(category, message);
+ } else {
+ error(category, message);
+ }
+ return false;
+ }
+ return true;
+ }
+
+ /**
 * Print a message as an error
 * @param category error category
 * @param message format string
http://git-wip-us.apache.org/repos/asf/hadoop/blob/89614f53/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestKDiagNoKDC.java ----------------------------------------------------------------------
diff --git a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestKDiagNoKDC.java b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestKDiagNoKDC.java
index 9d4b87f..dbc40c5 100644
--- a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestKDiagNoKDC.java
+++ b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestKDiagNoKDC.java
@@ -34,6 +34,7 @@ import org.slf4j.LoggerFactory;
 import java.io.File;
 import java.util.Properties;
+import static org.apache.hadoop.fs.CommonConfigurationKeysPublic.HADOOP_TOKEN_FILES;
 import static org.apache.hadoop.fs.CommonConfigurationKeysPublic.HADOOP_SECURITY_AUTHENTICATION;
 import static org.apache.hadoop.security.KDiag.ARG_KEYLEN;
 import static org.apache.hadoop.security.KDiag.ARG_KEYTAB;
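Review bot: The `catch(Exception e)` in the new `verify(File, Configuration, String, String)` in KDiag.java discards the exception, and the only text reported is the caller's `message` (the literal `"token"` at the call site), so the diagnostic names neither the file nor the reason it failed to load. A diagnostics tool should report the path and the exception, though not the file's contents since it holds credentials: for example `error(category, "%s file %s could not be loaded: %s", message, tokenFile, e);` with the same arguments for `fail`, assuming both accept format arguments as the `error` Javadoc just below the added method suggests. Catching the specific type that `Credentials.readTokenStorageFile` declares (presumably `IOException`; its signature is not visible here) would also avoid reporting unrelated runtime errors as an invalid token file. The new Javadoc has no `@param` or `@return` tags.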
@@ -44,6 +45,7 @@ import static org.apache.hadoop.security.KDiag.ARG_SECURE;
 import static org.apache.hadoop.security.KDiag.CAT_CONFIG;
 import static org.apache.hadoop.security.KDiag.CAT_KERBEROS;
 import static org.apache.hadoop.security.KDiag.CAT_LOGIN;
+import static org.apache.hadoop.security.KDiag.CAT_TOKEN;
 import static org.apache.hadoop.security.KDiag.KerberosDiagsFailure;
 import static org.apache.hadoop.security.KDiag.exec;
@@ -120,4 +122,10 @@ public class TestKDiagNoKDC extends Assert {
 assertEquals(-1, kdiag("usage"));
 }
+ @Test
+ public void testTokenFile() throws Throwable {
+ conf.set(HADOOP_TOKEN_FILES, "SomeNonExistentFile");
+ kdiagFailure(CAT_TOKEN, ARG_KEYLEN, KEYLEN);
+ conf.unset(HADOOP_TOKEN_FILES);
+ }
 }
--------------------------------------------------------------------- To unsubscribe, e-mail: common-commits-unsubscribe@hadoop.apache.org For additional commands, e-mail: common-commits-help@hadoop.apache.org
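Review bot: `testTokenFile` restores the configuration only on the success path: if `kdiagFailure` throws, `conf.unset(HADOOP_TOKEN_FILES)` never runs and the bogus setting stays in `conf`, which looks like a fixture shared across tests (its declaration is outside the hunk), so later tests could fail for an unrelated reason. Wrap the call as `try { kdiagFailure(CAT_TOKEN, ARG_KEYLEN, KEYLEN); } finally { conf.unset(HADOOP_TOKEN_FILES); }`. The test also covers only a non-existent path; a second case using an existing file that is not a valid credentials file would exercise the new `verify` branch in KDiag as well.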