hadoop-common-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From x...@apache.org
Subject hadoop git commit: HDFS-13682. Cannot create encryption zone after KMS auth token expires.
Date Wed, 20 Jun 2018 22:59:26 GMT
Repository: hadoop
Updated Branches:
  refs/heads/branch-3.1 a31a966a2 -> e8655b8c7


HDFS-13682. Cannot create encryption zone after KMS auth token expires.

(cherry picked from commit 32f867a6a907c05a312657139d295a92756d98ef)


Project: http://git-wip-us.apache.org/repos/asf/hadoop/repo
Commit: http://git-wip-us.apache.org/repos/asf/hadoop/commit/e8655b8c
Tree: http://git-wip-us.apache.org/repos/asf/hadoop/tree/e8655b8c
Diff: http://git-wip-us.apache.org/repos/asf/hadoop/diff/e8655b8c

Branch: refs/heads/branch-3.1
Commit: e8655b8c72b19efa8becf4ad1d188b9eed97c2ad
Parents: a31a966
Author: Xiao Chen <xiao@apache.org>
Authored: Wed Jun 20 15:58:01 2018 -0700
Committer: Xiao Chen <xiao@apache.org>
Committed: Wed Jun 20 15:59:23 2018 -0700

----------------------------------------------------------------------
 .../crypto/key/kms/KMSClientProvider.java       |  9 ++++--
 .../hadoop/security/UserGroupInformation.java   |  4 ++-
 .../hdfs/TestSecureEncryptionZoneWithKMS.java   | 34 ++++++++++++++++++--
 3 files changed, 41 insertions(+), 6 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/hadoop/blob/e8655b8c/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/kms/KMSClientProvider.java
----------------------------------------------------------------------
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/kms/KMSClientProvider.java
b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/kms/KMSClientProvider.java
index 08787a5..edbf897 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/kms/KMSClientProvider.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/kms/KMSClientProvider.java
@@ -32,7 +32,9 @@ import org.apache.hadoop.security.Credentials;
 import org.apache.hadoop.security.ProviderUtils;
 import org.apache.hadoop.security.SecurityUtil;
 import org.apache.hadoop.security.UserGroupInformation;
+import org.apache.hadoop.security.authentication.client.AuthenticatedURL;
 import org.apache.hadoop.security.authentication.client.ConnectionConfigurator;
+import org.apache.hadoop.security.authentication.client.KerberosAuthenticator;
 import org.apache.hadoop.security.ssl.SSLFactory;
 import org.apache.hadoop.security.token.Token;
 import org.apache.hadoop.security.token.TokenIdentifier;
@@ -543,7 +545,9 @@ public class KMSClientProvider extends KeyProvider implements CryptoExtension,
         String requestMethod = conn.getRequestMethod();
         URL url = conn.getURL();
         conn = createConnection(url, requestMethod);
-        conn.setRequestProperty(CONTENT_TYPE, contentType);
+        if (contentType != null && !contentType.isEmpty()) {
+          conn.setRequestProperty(CONTENT_TYPE, contentType);
+        }
         return call(conn, jsonOutput, expectedResponse, klass,
             authRetryCount - 1);
       }
@@ -1087,8 +1091,7 @@ public class KMSClientProvider extends KeyProvider implements CryptoExtension,
       actualUgi = currentUgi.getRealUser();
     }
     if (UserGroupInformation.isSecurityEnabled() &&
-        !containsKmsDt(actualUgi) &&
-        !actualUgi.hasKerberosCredentials()) {
+        !containsKmsDt(actualUgi) && !actualUgi.shouldRelogin()) {
       // Use login user is only necessary when Kerberos is enabled
       // but the actual user does not have either
       // Kerberos credential or KMS delegation token for KMS operations

http://git-wip-us.apache.org/repos/asf/hadoop/blob/e8655b8c/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/UserGroupInformation.java
----------------------------------------------------------------------
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/UserGroupInformation.java
b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/UserGroupInformation.java
index 99617f8..33a876f 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/UserGroupInformation.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/UserGroupInformation.java
@@ -830,7 +830,9 @@ public class UserGroupInformation {
     return start + (long) ((end - start) * TICKET_RENEW_WINDOW);
   }
 
-  private boolean shouldRelogin() {
+  @InterfaceAudience.Private
+  @InterfaceStability.Unstable
+  public boolean shouldRelogin() {
     return hasKerberosCredentials() && isHadoopLogin();
   }
 

http://git-wip-us.apache.org/repos/asf/hadoop/blob/e8655b8c/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestSecureEncryptionZoneWithKMS.java
----------------------------------------------------------------------
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestSecureEncryptionZoneWithKMS.java
b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestSecureEncryptionZoneWithKMS.java
index 7c4763c..db97c02 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestSecureEncryptionZoneWithKMS.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestSecureEncryptionZoneWithKMS.java
@@ -107,6 +107,8 @@ public class TestSecureEncryptionZoneWithKMS {
   // MiniKMS
   private static MiniKMS miniKMS;
   private final String testKey = "test_key";
+  private static boolean testKeyCreated = false;
+  private static final long AUTH_TOKEN_VALIDITY = 1;
 
   // MiniDFS
   private MiniDFSCluster cluster;
@@ -128,7 +130,7 @@ public class TestSecureEncryptionZoneWithKMS {
   }
 
   @Rule
-  public Timeout timeout = new Timeout(30000);
+  public Timeout timeout = new Timeout(120000);
 
   @BeforeClass
   public static void init() throws Exception {
@@ -215,6 +217,9 @@ public class TestSecureEncryptionZoneWithKMS {
         "HTTP/localhost");
     kmsConf.set("hadoop.kms.authentication.kerberos.name.rules", "DEFAULT");
     kmsConf.set("hadoop.kms.acl.GENERATE_EEK", "hdfs");
+    // set kms auth token expiration low for testCreateZoneAfterAuthTokenExpiry
+    kmsConf.setLong("hadoop.kms.authentication.token.validity",
+        AUTH_TOKEN_VALIDITY);
 
     Writer writer = new FileWriter(kmsFile);
     kmsConf.writeXml(writer);
@@ -260,7 +265,10 @@ public class TestSecureEncryptionZoneWithKMS {
     cluster.waitActive();
 
     // Create a test key
-    DFSTestUtil.createKey(testKey, cluster, conf);
+    if (!testKeyCreated) {
+      DFSTestUtil.createKey(testKey, cluster, conf);
+      testKeyCreated = true;
+    }
   }
 
   @After
@@ -307,4 +315,26 @@ public class TestSecureEncryptionZoneWithKMS {
           }
         });
   }
+
+  @Test
+  public void testCreateZoneAfterAuthTokenExpiry() throws Exception {
+    final UserGroupInformation ugi = UserGroupInformation
+        .loginUserFromKeytabAndReturnUGI(hdfsPrincipal, keytab);
+    LOG.info("Created ugi: {} ", ugi);
+
+    ugi.doAs((PrivilegedExceptionAction<Object>) () -> {
+      final Path zone = new Path("/expire1");
+      fsWrapper.mkdir(zone, FsPermission.getDirDefault(), true);
+      dfsAdmin.createEncryptionZone(zone, testKey, NO_TRASH);
+
+      final Path zone1 = new Path("/expire2");
+      fsWrapper.mkdir(zone1, FsPermission.getDirDefault(), true);
+      final long sleepInterval = (AUTH_TOKEN_VALIDITY + 1) * 1000;
+      LOG.info("Sleeping {} seconds to wait for kms auth token expiration",
+          sleepInterval);
+      Thread.sleep(sleepInterval);
+      dfsAdmin.createEncryptionZone(zone1, testKey, NO_TRASH);
+      return null;
+    });
+  }
 }
\ No newline at end of file


---------------------------------------------------------------------
To unsubscribe, e-mail: common-commits-unsubscribe@hadoop.apache.org
For additional commands, e-mail: common-commits-help@hadoop.apache.org


Mime
View raw message