hadoop-common-user mailing list archives

From lulynn_2008 <lulynn_2...@163.com>
Subject KerberosName.rules are null during KerberosName.getShortName() in KerberosAuthenticationHandler
Date Mon, 01 Jul 2013 10:41:00 GMT
Hi All,

I am trying to add Kerberos support to a web servlet via the hadoop authentication classes. This
is to make this web servlet server authenticate its client via Kerberos. I assume this
should work. Right?

The whole design is to add AuthFilter at the server side and AuthenticatedURL.injectToken(conn,
currentToken) when creating the connection at the client side. But the process failed at KerberosName.rules.
I made a fix based on the 2.0.4-alpha branch. Could you please help to review it and give some
suggestions? I think with this fix, we can add Kerberos support to any web servlet via the hadoop
authentication classes. I have opened HADOOP-9679 to track this issue and applied the patch.

The process failed during AuthenticationFilter.doFilter, with the following error:
        at org.apache.hadoop.security.KerberosName.getShortName(KerberosName.java:384)
        at org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler$2.run(KerberosAuthenticationHandler.java:328)
        at org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler$2.run(KerberosAuthenticationHandler.java:302)
        at java.security.AccessController.doPrivileged(AccessController.java:310)
        at javax.security.auth.Subject.doAs(Subject.java:573)
        at org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler.authenticate(KerberosAuthenticationHandler.java:302)
        at org.apache.hadoop.security.authentication.server.AuthenticationFilter.doFilter(AuthenticationFilter.java:340)

Root cause:
This error happened because KerberosName.rules is not initialized. I found that this parameter
is only initialized during the initialization of UserGroupInformation, which is used to manage hadoop
users and groups. So this parameter will be initialized when a hadoop client (like oozie) accesses
hadoop. But the servlet I am testing is not a hadoop client, so currently there is no place
for initializing it. But I think we should make it work by giving KerberosName.rules the
default value "DEFAULT".

The following is my draft fix based on the hadoop-2.0.4-alpha branch. With this fix, my test web servlet
can support Kerberos now.
--- a/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/KerberosAuthenticationHandler.java
+++ b/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/KerberosAuthenticationHandler.java
@@ -308,6 +308,10 @@ public AuthenticationToken run() throws Exception {
               } else {
                 String clientPrincipal = gssContext.getSrcName().toString();
                 KerberosName kerberosName = new KerberosName(clientPrincipal);
+                if( !KerberosName.hasRulesBeenSet()){
+                    LOG.warn("No rules applied to " + kerberosName.toString() + ". Using
DEFAULT rules.");
+                    KerberosName.setRules("DEFAULT");
+                }
                 String userName = kerberosName.getShortName();
                 token = new AuthenticationToken(userName, clientPrincipal, getType());
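
Review bot: The hasRulesBeenSet()/setRules("DEFAULT") fallback is placed inside run(), so the check-then-set on KerberosName's static rules happens on the request path, and nothing in the hunk guards against two requests racing through it. Consider setting the rules once when the handler is initialized, and taking the rule string from the handler's configuration instead of hard-coding "DEFAULT", since the rules decide which short user name ends up in the AuthenticationToken. Smaller points: the added lines are indented four spaces inside a block that uses two, the `if( !` spacing does not match the surrounding code, and kerberosName.toString() is redundant in the string concatenation.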
