Repository: incubator-atlas Updated Branches: refs/heads/master 29396c9df -> 169ab553c
ATLAS-1546: Hive hook should choose appropriate JAAS config when host uses kerberos ticket-cache Signed-off-by: Madhan Neethiraj <[email protected]> Project: http://git-wip-us.apache.org/repos/asf/incubator-atlas/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-atlas/commit/169ab553 Tree: http://git-wip-us.apache.org/repos/asf/incubator-atlas/tree/169ab553 Diff: http://git-wip-us.apache.org/repos/asf/incubator-atlas/diff/169ab553 Branch: refs/heads/master Commit: 169ab553c6aa5af753f6be6142d29e78c701cf05 Parents: 29396c9 Author: nixonrodrigues <[email protected]> Authored: Fri Feb 10 18:58:52 2017 +0530 Committer: Madhan Neethiraj <[email protected]> Committed: Mon Feb 13 16:15:33 2017 -0800 ---------------------------------------------------------------------- .../security/InMemoryJAASConfiguration.java | 53 +++++++++++++++-- ...ConfigurationTicketBasedKafkaClientTest.java | 60 ++++++++++++++++++++ common/src/test/resources/atlas-jaas.properties | 7 ++- .../java/org/apache/atlas/hook/AtlasHook.java | 31 ++++++++++ release-log.txt | 1 + 5 files changed, 145 insertions(+), 7 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-atlas/blob/169ab553/common/src/main/java/org/apache/atlas/security/InMemoryJAASConfiguration.java ---------------------------------------------------------------------- diff --git a/common/src/main/java/org/apache/atlas/security/InMemoryJAASConfiguration.java b/common/src/main/java/org/apache/atlas/security/InMemoryJAASConfiguration.java index ff80eca..8be6658 100644 --- a/common/src/main/java/org/apache/atlas/security/InMemoryJAASConfiguration.java +++ b/common/src/main/java/org/apache/atlas/security/InMemoryJAASConfiguration.java 
@@ -127,12 +127,15 @@ public final class InMemoryJAASConfiguration extends Configuration { private static final String JAAS_CONFIG_LOGIN_MODULE_CONTROL_FLAG_PARAM = "loginModuleControlFlag"; private static final String JAAS_CONFIG_LOGIN_OPTIONS_PREFIX = "option"; private static final String JAAS_PRINCIPAL_PROP = "principal"; + private static final Map<String, String> configSectionRedirects = new HashMap<>(); private Configuration parent = null; private Map<String, List<AppConfigurationEntry>> applicationConfigEntryMap = new HashMap<>(); public static void init(String propFile) throws AtlasException { - LOG.debug("==> InMemoryJAASConfiguration.init( {} )", propFile); + if (LOG.isDebugEnabled()) { + LOG.debug("==> InMemoryJAASConfiguration.init({})", propFile); + } InputStream in = null; @@ -161,7 +164,9 @@ public final class InMemoryJAASConfiguration extends Configuration { } } - LOG.debug("<== InMemoryJAASConfiguration.init( {} )", propFile); + if (LOG.isDebugEnabled()) { + LOG.debug("<== InMemoryJAASConfiguration.init({})", propFile); + } } public static void init(org.apache.commons.configuration.Configuration atlasConfiguration) throws AtlasException { 
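Review bot: The new `configSectionRedirects` field is a plain static `HashMap` that is written by `setConfigSectionRedirect` and read from `getAppConfigurationEntry` (both in later hunks of this file) with no synchronization, so a redirect set on one thread is not guaranteed to be visible to the thread that performs the JAAS lookup. Because this map decides which credential section is handed out, I would declare it as `private static final Map<String, String> configSectionRedirects = new ConcurrentHashMap<>();`, with the matching `java.util.concurrent.ConcurrentHashMap` import, which lies outside this hunk. The existing null guards in the setter and getter already satisfy `ConcurrentHashMap`'s no-null rule. The class body continues outside the hunk.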
@@ -192,10 +197,26 @@ public final class InMemoryJAASConfiguration extends Configuration { @Override public AppConfigurationEntry[] getAppConfigurationEntry(String name) { - LOG.trace("==> InMemoryJAASConfiguration.getAppConfigurationEntry( {} )", name); + if (LOG.isDebugEnabled()) { + LOG.debug("==> InMemoryJAASConfiguration.getAppConfigurationEntry({})", name); + } AppConfigurationEntry[] ret = null; - List<AppConfigurationEntry> retList = applicationConfigEntryMap.get(name); + List<AppConfigurationEntry> retList = null; + String redirectedName = getConfigSectionRedirect(name); + + if (redirectedName != null) { + retList = applicationConfigEntryMap.get(redirectedName); + + if (LOG.isDebugEnabled()) { + LOG.debug("Redirected jaasConfigSection ({} -> {}): ", name, redirectedName, retList); + } + } + + if (retList == null || retList.size() == 0) { + retList = applicationConfigEntryMap.get(name); + } + if (retList == null || retList.size() == 0) { if (parent != null) { ret = parent.getAppConfigurationEntry(name); @@ -206,7 +227,9 @@ public final class InMemoryJAASConfiguration extends Configuration { ret = retList.toArray(ret); } - LOG.trace("==> InMemoryJAASConfiguration.getAppConfigurationEntry( {} ) : {}", name, ArrayUtils.toString(ret)); + if (LOG.isDebugEnabled()) { + LOG.debug("<== InMemoryJAASConfiguration.getAppConfigurationEntry({}): {}", name, ArrayUtils.toString(ret)); + } return ret; } 
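Review bot: When a redirect is registered but its target section is missing or empty, `getAppConfigurationEntry` silently falls back to the original section and then to `parent`, so the process may log in with a different credential source than the one that was selected, and nothing above debug level records it. I would report that case explicitly, e.g. `LOG.warn("JAAS section {} is redirected to {} but that section has no entries; falling back", name, redirectedName);`. Separately, the message `"Redirected jaasConfigSection ({} -> {}): "` has two placeholders for three arguments, so `retList` is never printed; add a third `{}` or drop the argument. The method body starts and ends outside this hunk.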
@@ -344,10 +367,28 @@ public final class InMemoryJAASConfiguration extends Configuration { } } - LOG.debug("<== InMemoryJAASConfiguration.initialize()"); + LOG.debug("<== InMemoryJAASConfiguration.initialize({})", applicationConfigEntryMap); } private static boolean isNumeric(String str) { return str.matches("-?\\d+(\\.\\d+)?"); //match a number with optional '-' and decimal. } + + public static void setConfigSectionRedirect(String name, String redirectTo) { + if (LOG.isDebugEnabled()) { + LOG.debug("setConfigSectionRedirect({}, {})", name, redirectTo); + } + + if (name != null) { + if (redirectTo != null) { + configSectionRedirects.put(name, redirectTo); + } else { + configSectionRedirects.remove(name); + } + } + } + + private static String getConfigSectionRedirect(String name) { + return name != null ? configSectionRedirects.get(name) : null; + } } http://git-wip-us.apache.org/repos/asf/incubator-atlas/blob/169ab553/common/src/test/java/org/apache/atlas/security/InMemoryJAASConfigurationTicketBasedKafkaClientTest.java ---------------------------------------------------------------------- diff --git a/common/src/test/java/org/apache/atlas/security/InMemoryJAASConfigurationTicketBasedKafkaClientTest.java b/common/src/test/java/org/apache/atlas/security/InMemoryJAASConfigurationTicketBasedKafkaClientTest.java new file mode 100644 index 0000000..3d8175f --- /dev/null +++ b/common/src/test/java/org/apache/atlas/security/InMemoryJAASConfigurationTicketBasedKafkaClientTest.java 
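Review bot: `setConfigSectionRedirect` is public, static and undocumented, yet it changes which login section every caller in the JVM receives for a given name from `getAppConfigurationEntry`. It has to stay public because `AtlasHook` calls it from another package, which makes the contract worth writing down. I would add a Javadoc stating that the redirect is process-wide, that a `null` `redirectTo` removes the mapping, that a `null` `name` is ignored, and that lookup falls back to the original section when the target has no entries. A one-line comment on `getConfigSectionRedirect` noting that it returns `null` when no redirect is set would complete it.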
@@ -0,0 +1,60 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.atlas.security; + +import javax.security.auth.login.AppConfigurationEntry; +import javax.security.auth.login.Configuration; + +import junit.framework.Assert; +import junit.framework.TestCase; +import org.testng.annotations.Test; + + +@Test +public class InMemoryJAASConfigurationTicketBasedKafkaClientTest extends TestCase { + + private static final String ATLAS_JAAS_PROP_FILE = "atlas-jaas.properties"; + + protected void setUp() throws Exception { + super.setUp(); + try { + InMemoryJAASConfiguration.init(ATLAS_JAAS_PROP_FILE); + InMemoryJAASConfiguration.setConfigSectionRedirect("KafkaClient", "ticketBased-KafkaClient"); + } catch (Throwable t) { + fail("InMemoryJAASConfiguration.init() is not expected to throw Exception:" + t); + } + } + + protected void tearDown() throws Exception { + super.tearDown(); + } + + + @Test + public void testGetAppConfigurationEntryStringForticketBasedKafkaClient() { + + AppConfigurationEntry[] entries = + Configuration.getConfiguration().getAppConfigurationEntry("KafkaClient"); + Assert.assertNotNull(entries); + Assert.assertEquals((String) entries[0].getOptions().get("useTicketCache"), "true"); 
+ } + + +} + http://git-wip-us.apache.org/repos/asf/incubator-atlas/blob/169ab553/common/src/test/resources/atlas-jaas.properties ---------------------------------------------------------------------- diff --git a/common/src/test/resources/atlas-jaas.properties b/common/src/test/resources/atlas-jaas.properties index 90a5682..9412fae 100644 --- a/common/src/test/resources/atlas-jaas.properties +++ b/common/src/test/resources/atlas-jaas.properties @@ -54,4 +54,9 @@ atlas.jaas.myClient.1.option.useKeyTab = true atlas.jaas.myClient.1.option.storeKey = true atlas.jaas.myClient.1.option.serviceName = kafka atlas.jaas.myClient.1.option.keyTab = /etc/security/keytabs/kafka_client.keytab -atlas.jaas.myClient.1.option.principal = [email protected] \ No newline at end of file +atlas.jaas.myClient.1.option.principal = [email protected] + + +atlas.jaas.ticketBased-KafkaClient.loginModuleControlFlag=required +atlas.jaas.ticketBased-KafkaClient.loginModuleName=com.sun.security.auth.module.Krb5LoginModule +atlas.jaas.ticketBased-KafkaClient.option.useTicketCache=true \ No newline at end of file http://git-wip-us.apache.org/repos/asf/incubator-atlas/blob/169ab553/notification/src/main/java/org/apache/atlas/hook/AtlasHook.java ---------------------------------------------------------------------- diff --git a/notification/src/main/java/org/apache/atlas/hook/AtlasHook.java b/notification/src/main/java/org/apache/atlas/hook/AtlasHook.java index 0534910..c8df08c 100644 --- a/notification/src/main/java/org/apache/atlas/hook/AtlasHook.java +++ b/notification/src/main/java/org/apache/atlas/hook/AtlasHook.java 
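Review bot: `setUp` registers the `KafkaClient` redirect in static state, but `tearDown` only calls `super.tearDown()`, so the redirect stays active for any test that later runs in the same JVM and looks up `KafkaClient`. Clearing it in `tearDown` with `InMemoryJAASConfiguration.setConfigSectionRedirect("KafkaClient", null);` keeps the test isolated. The test method also reads `entries[0]` after only a null check; adding `Assert.assertTrue(entries.length > 0);` before it would turn an empty result into a clear assertion failure instead of an `ArrayIndexOutOfBoundsException`.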
@@ -26,6 +26,7 @@ import org.apache.atlas.notification.NotificationException; import org.apache.atlas.notification.NotificationInterface; import org.apache.atlas.notification.NotificationModule; import org.apache.atlas.notification.hook.HookNotification; +import org.apache.atlas.security.InMemoryJAASConfiguration; import org.apache.atlas.typesystem.Referenceable; import org.apache.atlas.typesystem.json.InstanceSerialization; import org.apache.commons.configuration.Configuration; @@ -78,6 +79,12 @@ public abstract class AtlasHook { failedMessagesLogger.init(); } + if (!isLoginKeytabBased()) { + if (isLoginTicketBased()) { + InMemoryJAASConfiguration.setConfigSectionRedirect("KafkaClient", "ticketBased-KafkaClient"); + } + } + notificationRetryInterval = atlasProperties.getInt(ATLAS_NOTIFICATION_RETRY_INTERVAL, 1000); Injector injector = Guice.createInjector(new NotificationModule()); notifInterface = injector.getInstance(NotificationInterface.class); @@ -210,4 +217,28 @@ public abstract class AtlasHook { } } + private static boolean isLoginKeytabBased() { + boolean ret = false; + + try { + ret = UserGroupInformation.isLoginKeytabBased(); + } catch (Exception excp) { + LOG.error("error in determining whether to use ticket-cache or keytab for KafkaClient JAAS configuration", excp); + } + + return ret; + } + + private static boolean isLoginTicketBased() { + boolean ret = false; + + try { + ret = UserGroupInformation.isLoginTicketBased(); + } catch (Exception excp) { + LOG.error("error in determining whether to use ticket-cache or keytab for KafkaClient JAAS configuration", excp); + } + + return ret; + } + } http://git-wip-us.apache.org/repos/asf/incubator-atlas/blob/169ab553/release-log.txt ---------------------------------------------------------------------- diff --git a/release-log.txt b/release-log.txt index 6c13d70..44f4658 100644 --- a/release-log.txt +++ b/release-log.txt 
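Review bot: The choice of Kerberos credential source made in the added `if (!isLoginKeytabBased())` block leaves no trace at default log levels, because the only record is the debug line inside `setConfigSectionRedirect`. An operator therefore cannot tell whether the hook is using the keytab section or the ticket cache when diagnosing an authentication problem. I would add `LOG.info("KafkaClient JAAS section redirected to ticketBased-KafkaClient (ticket-cache login)");` inside the inner `if`. The two section names are also bare string literals repeated in the new test; named constants would keep them in sync. The enclosing initialization block starts and ends outside the hunk.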
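Review bot: The new helpers `isLoginKeytabBased()` and `isLoginTicketBased()` log the identical error text and both return `false` on any exception, so a failure cannot be attributed to one check. A failure in the keytab check is also treated as "not keytab-based", which lets the ticket-cache branch be evaluated. Distinct messages would make the fallback explicit, e.g. `LOG.error("failed to determine whether login is keytab-based; assuming it is not", excp);` and the ticket-based equivalent in the other helper. A short comment on each helper saying that it returns `false` when the check itself fails would document the fail direction for the next reader.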
@@ -9,6 +9,7 @@ ATLAS-1060 Add composite indexes for exact match performance improvements for al ATLAS-1127 Modify creation and modification timestamps to Date instead of Long(sumasai) ALL CHANGES: +ATLAS-1546 Hive hook should choose appropriate JAAS config when host uses kerberos ticket-cache (nixonrodrigues,gss2002 via mneethiraj) ATLAS-1539 Integration tests in projects which use the typesystem test jar (e.g. webapp) can now be run successfully when invoked in the project directory (dkantor) ATLAS-1542 Atlas server fails to start if duplicate types are found during Typesystem bootstrap (svimal2106) ATLAS-1535 Some webapp tests are failing due to a stale Titan transaction (jnhagelberg)
