hadoop-hdfs-commits mailing list archives

From d...@apache.org
Subject svn commit: r907550 - in /hadoop/hdfs/trunk: ./ src/java/org/apache/hadoop/hdfs/ src/java/org/apache/hadoop/hdfs/security/token/ src/java/org/apache/hadoop/hdfs/server/namenode/ src/test/hdfs/org/apache/hadoop/hdfs/security/ src/test/hdfs/org/apache/ha...
Date Mon, 08 Feb 2010 05:00:32 GMT
Author: ddas
Date: Mon Feb  8 05:00:29 2010
New Revision: 907550

URL: http://svn.apache.org/viewvc?rev=907550&view=rev
Log:
HDFS-935. Adds a real user component in Delegation token. Contributed by Jitendra Nath Pandey.

Modified:
    hadoop/hdfs/trunk/CHANGES.txt
    hadoop/hdfs/trunk/src/java/org/apache/hadoop/hdfs/DFSConfigKeys.java
    hadoop/hdfs/trunk/src/java/org/apache/hadoop/hdfs/security/token/DelegationTokenIdentifier.java
    hadoop/hdfs/trunk/src/java/org/apache/hadoop/hdfs/security/token/DelegationTokenSecretManager.java
    hadoop/hdfs/trunk/src/java/org/apache/hadoop/hdfs/server/namenode/FSNamesystem.java
    hadoop/hdfs/trunk/src/test/hdfs/org/apache/hadoop/hdfs/security/TestClientProtocolWithDelegationToken.java
    hadoop/hdfs/trunk/src/test/hdfs/org/apache/hadoop/security/TestDelegationToken.java

Modified: hadoop/hdfs/trunk/CHANGES.txt
URL: http://svn.apache.org/viewvc/hadoop/hdfs/trunk/CHANGES.txt?rev=907550&r1=907549&r2=907550&view=diff
==============================================================================
--- hadoop/hdfs/trunk/CHANGES.txt (original)
+++ hadoop/hdfs/trunk/CHANGES.txt Mon Feb  8 05:00:29 2010
@@ -18,6 +18,9 @@
     HDFS-933. Adds Delegation token based authentication in the NameNode.
     (Kan Zhang via ddas)
 
+    HDFS-935. Adds a real user component in Delegation token.
+    (Jitendra Nath Pandey via ddas)
+
   IMPROVEMENTS
     
     HDFS-703. Replace current fault injection implementation with one

Modified: hadoop/hdfs/trunk/src/java/org/apache/hadoop/hdfs/DFSConfigKeys.java
URL: http://svn.apache.org/viewvc/hadoop/hdfs/trunk/src/java/org/apache/hadoop/hdfs/DFSConfigKeys.java?rev=907550&r1=907549&r2=907550&view=diff
==============================================================================
--- hadoop/hdfs/trunk/src/java/org/apache/hadoop/hdfs/DFSConfigKeys.java (original)
+++ hadoop/hdfs/trunk/src/java/org/apache/hadoop/hdfs/DFSConfigKeys.java Mon Feb  8 05:00:29
2010
@@ -90,11 +90,11 @@
 
   //Delegation token related keys
   public static final String  DFS_NAMENODE_DELEGATION_KEY_UPDATE_INTERVAL_KEY = "dfs.namenode.delegation.key.update-interval";
-  public static final long    DFS_NAMENODE_DELEGATION_KEY_UPDATE_INTERVAL_DEFAULT = 86400;
+  public static final long    DFS_NAMENODE_DELEGATION_KEY_UPDATE_INTERVAL_DEFAULT = 24*60*60*1000;
// 1 day
   public static final String  DFS_NAMENODE_DELEGATION_TOKEN_RENEW_INTERVAL_KEY = "dfs.namenode.delegation.token.renew-interval";
-  public static final long    DFS_NAMENODE_DELEGATION_TOKEN_RENEW_INTERVAL_DEFAULT = 86400;
+  public static final long    DFS_NAMENODE_DELEGATION_TOKEN_RENEW_INTERVAL_DEFAULT = 24*60*60*1000;
 // 1 day
   public static final String  DFS_NAMENODE_DELEGATION_TOKEN_MAX_LIFETIME_KEY = "dfs.namenode.delegation.token.max-lifetime";
-  public static final long    DFS_NAMENODE_DELEGATION_TOKEN_MAX_LIFETIME_DEFAULT = 604800;
+  public static final long    DFS_NAMENODE_DELEGATION_TOKEN_MAX_LIFETIME_DEFAULT = 7*24*60*60*1000;
// 7 days
 
   //Following keys have no defaults
   public static final String  DFS_DATANODE_DATA_DIR_KEY = "dfs.datanode.data.dir";
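Review bot: The three `*_DEFAULT` values on the added lines switch from seconds to milliseconds, but nothing on them states the unit, and each product is evaluated in `int` arithmetic before being widened to `long`. The current values fit, but a default of 25 days or more written in the same form would overflow silently and yield a wrong token lifetime. Suggest `7L*24*60*60*1000; // 7 days, in milliseconds` and the same `L` suffix and unit comment on the two one-day constants. How configured values for these keys are interpreted is outside this hunk; if operators previously set them in seconds, the unit change should also be called out in CHANGES.txt.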

Modified: hadoop/hdfs/trunk/src/java/org/apache/hadoop/hdfs/security/token/DelegationTokenIdentifier.java
URL: http://svn.apache.org/viewvc/hadoop/hdfs/trunk/src/java/org/apache/hadoop/hdfs/security/token/DelegationTokenIdentifier.java?rev=907550&r1=907549&r2=907550&view=diff
==============================================================================
--- hadoop/hdfs/trunk/src/java/org/apache/hadoop/hdfs/security/token/DelegationTokenIdentifier.java
(original)
+++ hadoop/hdfs/trunk/src/java/org/apache/hadoop/hdfs/security/token/DelegationTokenIdentifier.java
Mon Feb  8 05:00:29 2010
@@ -23,10 +23,8 @@
 import java.io.IOException;
 
 import org.apache.hadoop.io.Text;
-import org.apache.hadoop.io.Writable;
-import org.apache.hadoop.io.WritableFactories;
-import org.apache.hadoop.io.WritableFactory;
 import org.apache.hadoop.io.WritableUtils;
+import org.apache.hadoop.security.UserGroupInformation;
 import org.apache.hadoop.security.token.TokenIdentifier;
 
 public class DelegationTokenIdentifier extends TokenIdentifier {
@@ -34,18 +32,24 @@
 
   private Text owner;
   private Text renewer;
+  private Text realUser;
   private long issueDate;
   private long maxDate;
   private int sequenceNumber;
   private int masterKeyId = 0;
   
   public DelegationTokenIdentifier() {
-    this(new Text(), new Text());
+    this(new Text(), new Text(), new Text());
   }
   
-  public DelegationTokenIdentifier(Text owner, Text renewer) {
+  public DelegationTokenIdentifier(Text owner, Text renewer, Text realUser) {
     this.owner = owner;
     this.renewer = renewer;
+    if (realUser == null) {
+      this.realUser = new Text();
+    } else {
+      this.realUser = realUser;
+    }
     issueDate = 0;
     maxDate = 0;
   }
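Review bot: The three-argument constructor normalizes a null `realUser` to an empty `Text` but stores `owner` and `renewer` exactly as passed. A null in either will only surface later as a NullPointerException in `readFields`/`write` (hunks @@ -129 and @@ -138), which call `owner.readFields(in)` and `renewer.write(out)` unconditionally. `getUser()` already treats a null owner as a possible state, so the handling is inconsistent. Either apply the same guard, e.g. `this.owner = (owner == null) ? new Text() : owner;`, or reject null up front, and add a Javadoc line saying which arguments may be null.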
@@ -60,10 +64,20 @@
    * 
    * @return the username or owner
    */
-  public Text getUsername() {
-    return owner;
+  public UserGroupInformation getUser() {
+    if ( (owner == null) || ("".equals(owner.toString()))) {
+      return null;
+    }
+    if ((realUser == null) || ("".equals(realUser.toString()))
+        || realUser.equals(owner)) {
+      return UserGroupInformation.createRemoteUser(owner.toString());
+    } else {
+      UserGroupInformation realUgi = UserGroupInformation
+          .createRemoteUser(realUser.toString());
+      return UserGroupInformation.createProxyUser(owner.toString(), realUgi);
+    }
   }
-  
+
   public Text getRenewer() {
     return renewer;
   }
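Review bot: The Javadoc above `getUser()` still reads `@return the username or owner`, although the method now returns a `UserGroupInformation`, returns null for an empty owner, and builds a proxy UGI when a distinct real user is recorded. The comment should describe all three outcomes; its opening lines are outside this hunk. It should also state that the returned identity is built purely from the identifier's own fields, which `readFields` fills from whatever bytes it is given, so it must only be used for authorization after the secret manager has verified the token's password. Whether every caller respects that cannot be seen from here.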
@@ -116,7 +130,8 @@
           && this.maxDate == that.maxDate
           && this.masterKeyId == that.masterKeyId
           && isEqual(this.owner, that.owner) 
-          && isEqual(this.renewer, that.renewer);
+          && isEqual(this.renewer, that.renewer)
+          && isEqual(this.realUser, that.realUser);
     }
     return false;
   }
@@ -129,6 +144,7 @@
   public void readFields(DataInput in) throws IOException {
     owner.readFields(in);
     renewer.readFields(in);
+    realUser.readFields(in);
     issueDate = WritableUtils.readVLong(in);
     maxDate = WritableUtils.readVLong(in);
     sequenceNumber = WritableUtils.readVInt(in);
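Review bot: Inserting `realUser.readFields(in)` between the renewer and `issueDate` changes the serialized layout without any version marker, so an identifier written by the previous revision is parsed misaligned rather than rejected. The matching `realUser.write(out)` in the next hunk (@@ -138) has the same effect in the other direction. If a token in the HDFS-933 layout can still be presented or persisted anywhere, consider writing a leading version byte and throwing an `IOException` on mismatch. Both method bodies continue outside their hunks.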
@@ -138,6 +154,7 @@
   public void write(DataOutput out) throws IOException {
     owner.write(out);
     renewer.write(out);
+    realUser.write(out);
     WritableUtils.writeVLong(out, issueDate);
     WritableUtils.writeVLong(out, maxDate);
     WritableUtils.writeVInt(out, sequenceNumber);

Modified: hadoop/hdfs/trunk/src/java/org/apache/hadoop/hdfs/security/token/DelegationTokenSecretManager.java
URL: http://svn.apache.org/viewvc/hadoop/hdfs/trunk/src/java/org/apache/hadoop/hdfs/security/token/DelegationTokenSecretManager.java?rev=907550&r1=907549&r2=907550&view=diff
==============================================================================
--- hadoop/hdfs/trunk/src/java/org/apache/hadoop/hdfs/security/token/DelegationTokenSecretManager.java
(original)
+++ hadoop/hdfs/trunk/src/java/org/apache/hadoop/hdfs/security/token/DelegationTokenSecretManager.java
Mon Feb  8 05:00:29 2010
@@ -242,11 +242,11 @@
       LOG.warn("Renewer is null: Invalid Identifier");
       return false;
     }
-    if (id.getUsername() == null) {
+    if (id.getUser() == null) {
       LOG.warn("owner is null: Invalid Identifier");
       return false;
     }
-    String owner = id.getUsername().toString();
+    String owner = id.getUser().getUserName();
     String renewer = id.getRenewer().toString();
     if (!canceller.equals(owner) && !canceller.equals(renewer)) {
       LOG.warn(canceller + " is not authorized to cancel the token");
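Review bot: `canceller.equals(owner)` now compares against the full `getUserName()` value, whereas FSNamesystem stored `getShortUserName()` as the owner before this commit. Cancellation by the owner therefore succeeds only if callers pass the canceller in the same form; the callers are outside this hunk, so this needs confirming. For a token issued through a proxy the real user is never consulted here, which may be intended but deserves a comment such as `// only the effective owner or the renewer may cancel; the real user is deliberately not accepted`. `id.getUser()` is also invoked twice and builds a new UGI each time, so hold it in a local: `UserGroupInformation ownerUgi = id.getUser();`. The enclosing method starts and ends outside the hunk.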
@@ -314,10 +314,6 @@
       LOG.debug("Stopping expired delegation token remover thread");
     running = false;
     tokenRemoverThread.interrupt();
-    try {
-      tokenRemoverThread.join();
-    } catch (InterruptedException e) {
-    }
   }
   
   private class ExpiredTokenRemover extends Thread {
@@ -344,12 +340,14 @@
             removeExpiredToken();
             lastTokenCacheCleanup = now;
           }
-          Thread.sleep(5000); // 5 seconds
-        }
-      } catch (InterruptedException ie) {
-        LOG
+          try {
+            Thread.sleep(5000); // 5 seconds
+          } catch (InterruptedException ie) {
+            LOG
             .error("InterruptedExcpetion recieved for ExpiredTokenRemover thread "
                 + ie);
+          }
+        }
       } catch (Throwable t) {
         LOG.error("ExpiredTokenRemover thread received unexpected exception. "
             + t);
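Review bot: The new inner `catch (InterruptedException ie)` swallows the interrupt that `stopThreads()` sends, and hunk @@ -314 removes the `join()`, so the remover thread now exits only when the loop re-reads `running`. The loop condition and the field declaration are outside this hunk, so confirm `running` is `volatile`. An expected shutdown is also reported at error level with the exception concatenated into the message, which loses the stack trace. Suggest `LOG.info("ExpiredTokenRemover interrupted", ie);` followed by `return;`, or a comment explaining why the thread must keep running after an interrupt.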

Modified: hadoop/hdfs/trunk/src/java/org/apache/hadoop/hdfs/server/namenode/FSNamesystem.java
URL: http://svn.apache.org/viewvc/hadoop/hdfs/trunk/src/java/org/apache/hadoop/hdfs/server/namenode/FSNamesystem.java?rev=907550&r1=907549&r2=907550&view=diff
==============================================================================
--- hadoop/hdfs/trunk/src/java/org/apache/hadoop/hdfs/server/namenode/FSNamesystem.java (original)
+++ hadoop/hdfs/trunk/src/java/org/apache/hadoop/hdfs/server/namenode/FSNamesystem.java Mon
Feb  8 05:00:29 2010
@@ -471,6 +471,7 @@
       if (replthread != null) replthread.interrupt();
       if (dnthread != null) dnthread.interrupt();
       if (smmthread != null) smmthread.interrupt();
+      if (dtSecretManager != null) dtSecretManager.stopThreads();
     } catch (Exception e) {
       LOG.warn("Exception shutting down FSNamesystem", e);
     } finally {
@@ -4328,10 +4329,10 @@
         DFSConfigKeys.DFS_NAMENODE_DELEGATION_KEY_UPDATE_INTERVAL_DEFAULT),
         conf.getLong(
             DFSConfigKeys.DFS_NAMENODE_DELEGATION_TOKEN_MAX_LIFETIME_KEY,
-            DFSConfigKeys.DFS_NAMENODE_DELEGATION_KEY_UPDATE_INTERVAL_DEFAULT),
+            DFSConfigKeys.DFS_NAMENODE_DELEGATION_TOKEN_MAX_LIFETIME_DEFAULT),
         conf.getLong(
             DFSConfigKeys.DFS_NAMENODE_DELEGATION_TOKEN_RENEW_INTERVAL_KEY,
-            DFSConfigKeys.DFS_NAMENODE_DELEGATION_TOKEN_MAX_LIFETIME_DEFAULT),
+            DFSConfigKeys.DFS_NAMENODE_DELEGATION_TOKEN_RENEW_INTERVAL_DEFAULT),
         DELEGATION_TOKEN_REMOVER_SCAN_INTERVAL);
   }
 
@@ -4341,9 +4342,15 @@
 
   public Token<DelegationTokenIdentifier> getDelegationToken(Text renewer)
       throws IOException {
-    String user = UserGroupInformation.getCurrentUser().getShortUserName();
+    UserGroupInformation ugi = UserGroupInformation.getCurrentUser();
+    String user = ugi.getUserName();
     Text owner = new Text(user);
-    DelegationTokenIdentifier dtId = new DelegationTokenIdentifier(owner, renewer);
+    Text realUser = null;
+    if (ugi.getRealUser() != null) {
+      realUser = new Text(ugi.getRealUser().getUserName());
+    }
+    DelegationTokenIdentifier dtId = new DelegationTokenIdentifier(owner,
+        renewer, realUser);
     return new Token<DelegationTokenIdentifier>(dtId, dtSecretManager);
   }
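Review bot: Nothing in `getDelegationToken` checks how the caller authenticated or whether the real user is permitted to act for `owner`; the real-user name is copied straight from the current UGI into the identifier. If those checks are enforced before this method is reached, say so in a comment, e.g. `// proxy-user authorization and auth-method checks are enforced by <caller/RPC layer> before this point`. If they are not, a caller that itself authenticated with a delegation token could presumably obtain a fresh one and outlive the configured max lifetime. `renewer` is also passed through unchecked, although the cancel path in DelegationTokenSecretManager treats a null renewer as an invalid identifier.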
 

Modified: hadoop/hdfs/trunk/src/test/hdfs/org/apache/hadoop/hdfs/security/TestClientProtocolWithDelegationToken.java
URL: http://svn.apache.org/viewvc/hadoop/hdfs/trunk/src/test/hdfs/org/apache/hadoop/hdfs/security/TestClientProtocolWithDelegationToken.java?rev=907550&r1=907549&r2=907550&view=diff
==============================================================================
--- hadoop/hdfs/trunk/src/test/hdfs/org/apache/hadoop/hdfs/security/TestClientProtocolWithDelegationToken.java
(original)
+++ hadoop/hdfs/trunk/src/test/hdfs/org/apache/hadoop/hdfs/security/TestClientProtocolWithDelegationToken.java
Mon Feb  8 05:00:29 2010
@@ -92,7 +92,7 @@
     final InetSocketAddress addr = NetUtils.getConnectAddress(server);
     String user = current.getUserName();
     Text owner = new Text(user);
-    DelegationTokenIdentifier dtId = new DelegationTokenIdentifier(owner, owner);
+    DelegationTokenIdentifier dtId = new DelegationTokenIdentifier(owner, owner, null);
     Token<DelegationTokenIdentifier> token = new Token<DelegationTokenIdentifier>(
         dtId, sm);
     Text host = new Text(addr.getAddress().getHostAddress() + ":"

Modified: hadoop/hdfs/trunk/src/test/hdfs/org/apache/hadoop/security/TestDelegationToken.java
URL: http://svn.apache.org/viewvc/hadoop/hdfs/trunk/src/test/hdfs/org/apache/hadoop/security/TestDelegationToken.java?rev=907550&r1=907549&r2=907550&view=diff
==============================================================================
--- hadoop/hdfs/trunk/src/test/hdfs/org/apache/hadoop/security/TestDelegationToken.java (original)
+++ hadoop/hdfs/trunk/src/test/hdfs/org/apache/hadoop/security/TestDelegationToken.java Mon
Feb  8 05:00:29 2010
@@ -22,6 +22,8 @@
 
 import java.io.ByteArrayInputStream;
 import java.io.DataInputStream;
+import java.io.IOException;
+import java.security.PrivilegedExceptionAction;
 
 import junit.framework.Assert;
 
@@ -44,6 +46,10 @@
 public class TestDelegationToken {
   private MiniDFSCluster cluster;
   Configuration config;
+  final private static String GROUP1_NAME = "group1";
+  final private static String GROUP2_NAME = "group2";
+  final private static String[] GROUP_NAMES = new String[] { GROUP1_NAME,
+      GROUP2_NAME };
   
   @Before
   public void setUp() throws Exception {
@@ -67,7 +73,7 @@
     DelegationTokenSecretManager dtSecretManager = cluster.getNamesystem()
         .getDelegationTokenSecretManager();
     DelegationTokenIdentifier dtId = new DelegationTokenIdentifier(new Text(
-        owner), new Text(renewer));
+        owner), new Text(renewer), null);
     return new Token<DelegationTokenIdentifier>(dtId, dtSecretManager);
   }
   
@@ -126,5 +132,32 @@
     Assert.assertTrue(null != dtSecretManager.retrievePassword(identifier));
     Assert.assertTrue(dtSecretManager.renewToken(token, "JobTracker"));
   }
+ 
+  @Test
+  public void testDelegationTokenWithRealUser() throws IOException {
+    UserGroupInformation ugi = UserGroupInformation.createUserForTesting(
+        "RealUser", GROUP_NAMES);
+    final UserGroupInformation proxyUgi = UserGroupInformation.createProxyUser(
+        "proxyUser", ugi);
+    try {
+      Token<DelegationTokenIdentifier> token = proxyUgi
+          .doAs(new PrivilegedExceptionAction<Token<DelegationTokenIdentifier>>()
{
+            public Token<DelegationTokenIdentifier> run() throws IOException {
+              DistributedFileSystem dfs = (DistributedFileSystem) cluster
+                  .getFileSystem();
+              return dfs.getDelegationToken(new Text("RenewerUser"));
+            }
+          });
+      DelegationTokenIdentifier identifier = new DelegationTokenIdentifier();
+      byte[] tokenId = token.getIdentifier();
+      identifier.readFields(new DataInputStream(new ByteArrayInputStream(
+          tokenId)));
+      Assert.assertEquals(identifier.getUser().getUserName(), "proxyUser");
+      Assert.assertEquals(identifier.getUser().getRealUser().getUserName(),
+          "RealUser");
+    } catch (InterruptedException e) {
+      //Do Nothing
+    }
+  }
   
 }
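Review bot: The empty `catch (InterruptedException e)` at the end of `testDelegationTokenWithRealUser` lets the test pass without executing any assertion if `doAs` is interrupted. Declare `throws IOException, InterruptedException` on the method and drop the try/catch. The `assertEquals` calls pass (actual, expected), so a failure message would be reversed; prefer `Assert.assertEquals("proxyUser", identifier.getUser().getUserName());`. A companion case where the real user is absent or equal to the owner would cover the `createRemoteUser` branch of `getUser()`.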


