From common-commits-return-77344-archive-asf-public=cust-asf.ponee.io@hadoop.apache.org Wed Jan 3 22:31:45 2018 Return-Path: X-Original-To: archive-asf-public@eu.ponee.io Delivered-To: archive-asf-public@eu.ponee.io Received: from cust-asf.ponee.io (cust-asf.ponee.io [163.172.22.183]) by mx-eu-01.ponee.io (Postfix) with ESMTP id 5390C18077A for ; Wed, 3 Jan 2018 22:31:45 +0100 (CET) Received: by cust-asf.ponee.io (Postfix) id 43513160C3C; Wed, 3 Jan 2018 21:31:45 +0000 (UTC) Delivered-To: archive-asf-public@cust-asf.ponee.io Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by cust-asf.ponee.io (Postfix) with SMTP id 91A58160C1B for ; Wed, 3 Jan 2018 22:31:44 +0100 (CET) Received: (qmail 27395 invoked by uid 500); 3 Jan 2018 21:31:36 -0000 Mailing-List: contact common-commits-help@hadoop.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Delivered-To: mailing list common-commits@hadoop.apache.org Received: (qmail 27009 invoked by uid 99); 3 Jan 2018 21:31:36 -0000 Received: from git1-us-west.apache.org (HELO git1-us-west.apache.org) (140.211.11.23) by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 03 Jan 2018 21:31:35 +0000 Received: by git1-us-west.apache.org (ASF Mail Server at git1-us-west.apache.org, from userid 33) id 5F66BF182A; Wed, 3 Jan 2018 21:31:34 +0000 (UTC) Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit 
From: haibochen@apache.org To: common-commits@hadoop.apache.org Date: Wed, 03 Jan 2018 21:31:50 -0000 Message-Id: <68cf448622d54c239aba2cc04a4d8be1@git.apache.org> In-Reply-To: <12c5c30e4a7d498b9fb6473f70f072a6@git.apache.org> References: <12c5c30e4a7d498b9fb6473f70f072a6@git.apache.org> X-Mailer: ASF-Git Admin Mailer Subject: [18/50] [abbrv] hadoop git commit: HADOOP-15143. NPE due to Invalid KerberosTicket in UGI. Contributed by Mukul Kumar Singh. HADOOP-15143. NPE due to Invalid KerberosTicket in UGI. Contributed by Mukul Kumar Singh. Project: http://git-wip-us.apache.org/repos/asf/hadoop/repo Commit: http://git-wip-us.apache.org/repos/asf/hadoop/commit/d31c9d8c Tree: http://git-wip-us.apache.org/repos/asf/hadoop/tree/d31c9d8c Diff: http://git-wip-us.apache.org/repos/asf/hadoop/diff/d31c9d8c Branch: refs/heads/YARN-1011 Commit: d31c9d8c495794a803fb20729b5ed6b374e23eb4 Parents: 52babbb Author: Jitendra Pandey Authored: Wed Dec 27 23:17:07 2017 -0800 Committer: Jitendra Pandey Committed: Wed Dec 27 23:17:07 2017 -0800 ---------------------------------------------------------------------- .../hadoop/security/UserGroupInformation.java | 5 +- .../security/TestFixKerberosTicketOrder.java | 77 ++++++++++++++++++++ 2 files changed, 81 insertions(+), 1 deletion(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/hadoop/blob/d31c9d8c/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/UserGroupInformation.java ---------------------------------------------------------------------- diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/UserGroupInformation.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/UserGroupInformation.java index f7aea31..726e811 100644 --- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/UserGroupInformation.java 
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/UserGroupInformation.java
@@ -1253,7 +1253,10 @@ public class UserGroupInformation {
         Object cred = iter.next();
         if (cred instanceof KerberosTicket) {
           KerberosTicket ticket = (KerberosTicket) cred;
-          if (!ticket.getServer().getName().startsWith("krbtgt")) {
+          if (ticket.isDestroyed() || ticket.getServer() == null) {
+            LOG.warn("Ticket is already destroyed, remove it.");
+            iter.remove();
+          } else if (!ticket.getServer().getName().startsWith("krbtgt")) {
             LOG.warn(
                 "The first kerberos ticket is not TGT"
                     + "(the server principal is {}), remove and destroy it.",
http://git-wip-us.apache.org/repos/asf/hadoop/blob/d31c9d8c/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestFixKerberosTicketOrder.java
----------------------------------------------------------------------
diff --git a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestFixKerberosTicketOrder.java b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestFixKerberosTicketOrder.java
index 4b75a36..cbea393 100644
--- a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestFixKerberosTicketOrder.java
+++ b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestFixKerberosTicketOrder.java
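Review bot: The new guard `if (ticket.isDestroyed() || ticket.getServer() == null)` reads the server principal once here and again in the `else if` on the next line, so it only covers a ticket that was already destroyed before this iteration; if another thread can destroy the same ticket in between (a relogin, for instance), `KerberosTicket.destroy()` nulls the server principal — which is exactly what the new null check anticipates — and the NPE this commit fixes reappears at `ticket.getServer().getName()`. Whether concurrent destruction is actually possible here is not visible in the hunk, because the enclosing method, including any lock around the credential set, starts before and ends after it. Reading the principal once makes the check self-contained regardless: `KerberosPrincipal server = ticket.getServer();` / `if (ticket.isDestroyed() || server == null) {` / `} else if (!server.getName().startsWith("krbtgt")) {` (importing `KerberosPrincipal` if it is not already in scope). The warning `"Ticket is already destroyed, remove it."` is also emitted for the `getServer() == null` case of a ticket that is not destroyed, so wording such as `"Ticket is destroyed or has no server principal, removing it."` would describe both halves of the condition.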
@@ -155,4 +155,81 @@ public class TestFixKerberosTicketOrder extends KerberosSecurityTestcase {
             .filter(t -> t.getServer().getName().startsWith(server2Protocol))
             .findAny().isPresent());
   }
+
+  @Test
+  public void testWithDestroyedTGT() throws Exception {
+    UserGroupInformation ugi =
+        UserGroupInformation.loginUserFromKeytabAndReturnUGI(clientPrincipal,
+            keytabFile.getCanonicalPath());
+    ugi.doAs(new PrivilegedExceptionAction() {
+
+      @Override
+      public Void run() throws Exception {
+        SaslClient client = Sasl.createSaslClient(
+            new String[] {AuthMethod.KERBEROS.getMechanismName()},
+            clientPrincipal, server1Protocol, host, props, null);
+        client.evaluateChallenge(new byte[0]);
+        client.dispose();
+        return null;
+      }
+    });
+
+    Subject subject = ugi.getSubject();
+
+    // mark the ticket as destroyed
+    for (KerberosTicket ticket : subject
+        .getPrivateCredentials(KerberosTicket.class)) {
+      if (ticket.getServer().getName().startsWith("krbtgt")) {
+        ticket.destroy();
+        break;
+      }
+    }
+
+    ugi.fixKerberosTicketOrder();
+
+    // verify that after fixing, the tgt ticket should be removed
+    assertFalse("The first ticket is not tgt",
+        subject.getPrivateCredentials().stream()
+            .filter(c -> c instanceof KerberosTicket)
+            .map(c -> ((KerberosTicket) c).getServer().getName()).findFirst()
+            .isPresent());
+
+
+    // should fail as we send a service ticket instead of tgt to KDC.
+    intercept(SaslException.class,
+        () -> ugi.doAs(new PrivilegedExceptionAction() {
+
+          @Override
+          public Void run() throws Exception {
+            SaslClient client = Sasl.createSaslClient(
+                new String[] {AuthMethod.KERBEROS.getMechanismName()},
+                clientPrincipal, server2Protocol, host, props, null);
+            client.evaluateChallenge(new byte[0]);
+            client.dispose();
+            return null;
+          }
+        }));
+
+    // relogin to get a new ticket
+    ugi.reloginFromKeytab();
+
+    // make sure we can get new service ticket after the relogin.
+    ugi.doAs(new PrivilegedExceptionAction() {
+
+      @Override
+      public Void run() throws Exception {
+        SaslClient client = Sasl.createSaslClient(
+            new String[] {AuthMethod.KERBEROS.getMechanismName()},
+            clientPrincipal, server2Protocol, host, props, null);
+        client.evaluateChallenge(new byte[0]);
+        client.dispose();
+        return null;
+      }
+    });
+
+    assertTrue("No service ticket for " + server2Protocol + " found",
+        subject.getPrivateCredentials(KerberosTicket.class).stream()
+            .filter(t -> t.getServer().getName().startsWith(server2Protocol))
+            .findAny().isPresent());
+  }
 }
\ No newline at end of file
---------------------------------------------------------------------
To unsubscribe, e-mail: common-commits-unsubscribe@hadoop.apache.org
For additional commands, e-mail: common-commits-help@hadoop.apache.org
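Review bot: The assertion following `ugi.fixKerberosTicketOrder()` actually checks that no KerberosTicket at all remains in the subject, yet its message `"The first ticket is not tgt"` and the comment above it describe a different condition, and the `.map(c -> ((KerberosTicket) c).getServer().getName())` step would throw an NPE instead of failing cleanly if a destroyed ticket (whose server is null) were still present — the very state the production change handles. A direct check says what is meant: `assertTrue("Kerberos tickets still present after fixing the ticket order", subject.getPrivateCredentials(KerberosTicket.class).isEmpty());`. The three anonymous `PrivilegedExceptionAction` bodies differ only in the protocol passed to `Sasl.createSaslClient`, so a small private helper taking the protocol name would shorten the test and keep the handshake in one place. If the missing type argument on `new PrivilegedExceptionAction()` is not merely a rendering artifact of the mail archive, it should be `PrivilegedExceptionAction<Void>` to avoid the raw type.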