HAWQ-762. Login to kerberos if credentials are no longer valid
Project: http://git-wip-us.apache.org/repos/asf/incubator-hawq/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-hawq/commit/8261c13e Tree: http://git-wip-us.apache.org/repos/asf/incubator-hawq/tree/8261c13e Diff: http://git-wip-us.apache.org/repos/asf/incubator-hawq/diff/8261c13e Branch: refs/heads/2.1.0.0-incubating Commit: 8261c13ef73de9109ec5340304471871f544fa17 Parents: 7f36b35 Author: Kavinder Dhaliwal <[email protected]> Authored: Fri Jan 6 11:56:29 2017 -0800 Committer: Kavinder Dhaliwal <[email protected]> Committed: Wed Jan 18 14:06:32 2017 -0800 ---------------------------------------------------------------------- .../hawq/pxf/service/utilities/SecuredHDFS.java | 11 +++-- .../pxf/service/utilities/SecuredHDFSTest.java | 45 ++++++++++---------- 2 files changed, 31 insertions(+), 25 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-hawq/blob/8261c13e/pxf/pxf-service/src/main/java/org/apache/hawq/pxf/service/utilities/SecuredHDFS.java ----------------------------------------------------------------------
diff --git a/pxf/pxf-service/src/main/java/org/apache/hawq/pxf/service/utilities/SecuredHDFS.java b/pxf/pxf-service/src/main/java/org/apache/hawq/pxf/service/utilities/SecuredHDFS.java
index f442a6d..1e1bcd3 100644
--- a/pxf/pxf-service/src/main/java/org/apache/hawq/pxf/service/utilities/SecuredHDFS.java
+++ b/pxf/pxf-service/src/main/java/org/apache/hawq/pxf/service/utilities/SecuredHDFS.java
@@ -53,6 +53,14 @@ public class SecuredHDFS { public static void verifyToken(ProtocolData protData, ServletContext context) { try { if (UserGroupInformation.isSecurityEnabled()) { + /* + * HAWQ-1215: The verify token method validates that the token sent from + * Hawq to PXF is valid. However, this token is for a user other than + * 'pxf'. The following line ensures that before attempting any secure communication + * PXF tries to relogin in the case that its own ticket is about to expire + * #reloginFromKeytab is a no-op if the ticket is not near expiring + */ + UserGroupInformation.getLoginUser().reloginFromKeytab(); Token<DelegationTokenIdentifier> token = new Token<DelegationTokenIdentifier>(); String tokenString = protData.getToken(); token.decodeFromUrlString(tokenString); @@ -103,9 +111,6 @@ public class SecuredHDFS { LOG.debug("user " + userGroupInformation.getUserName() + " (" + userGroupInformation.getShortUserName() + ") authenticated"); - - // re-login if necessary - userGroupInformation.checkTGTAndReloginFromKeytab(); } catch (IOException e) { throw new SecurityException("Failed to verify delegation token " + e, e); http://git-wip-us.apache.org/repos/asf/incubator-hawq/blob/8261c13e/pxf/pxf-service/src/test/java/org/apache/hawq/pxf/service/utilities/SecuredHDFSTest.java ---------------------------------------------------------------------- diff --git a/pxf/pxf-service/src/test/java/org/apache/hawq/pxf/service/utilities/SecuredHDFSTest.java b/pxf/pxf-service/src/test/java/org/apache/hawq/pxf/service/utilities/SecuredHDFSTest.java index 4944a35..9aecce0 100644 --- a/pxf/pxf-service/src/test/java/org/apache/hawq/pxf/service/utilities/SecuredHDFSTest.java +++ b/pxf/pxf-service/src/test/java/org/apache/hawq/pxf/service/utilities/SecuredHDFSTest.java 
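Review bot: In `SecuredHDFS.verifyToken` (first hunk), the added `UserGroupInformation.getLoginUser().reloginFromKeytab()` sits inside the `try` whose `catch (IOException e)` reports "Failed to verify delegation token", so a keytab or KDC failure of PXF's own login would be logged and returned as a bad client token. The call also runs before the caller's token is decoded, so every request reaches it, and the only guard is the no-op behaviour the comment attributes to `reloginFromKeytab`. I would give the relogin its own try/catch with a distinct message and use `checkTGTAndReloginFromKeytab()` on the login user so the near-expiry check is explicit at the call site, updating the comment's method name to match. The comment cites HAWQ-1215 while the commit title cites HAWQ-762, which is worth reconciling. The body of `verifyToken` continues outside the hunk.

```java
if (UserGroupInformation.isSecurityEnabled()) {
    // … unchanged: HAWQ-1215 explanatory comment …
    try {
        UserGroupInformation.getLoginUser().checkTGTAndReloginFromKeytab();
    } catch (IOException e) {
        // Service-credential failure, reported separately from a rejected client token.
        throw new SecurityException("Failed to refresh PXF Kerberos login " + e, e);
    }
    // … unchanged: token decode and verification …
```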
@@ -29,24 +29,25 @@ import org.powermock.core.classloader.annotations.PrepareForTest; import org.powermock.modules.junit4.PowerMockRunner; import javax.servlet.ServletContext; -import java.util.HashMap; -import java.util.Map; +import java.io.IOException; import static org.junit.Assert.*; import static org.mockito.Mockito.mock; +import static org.mockito.Mockito.verify; import static org.mockito.Mockito.when; @RunWith(PowerMockRunner.class) @PrepareForTest({UserGroupInformation.class}) public class SecuredHDFSTest { - Map<String, String> parameters; ProtocolData mockProtocolData; ServletContext mockContext; @Test - public void invalidTokenThrows() { + public void invalidTokenThrows() throws IOException { when(UserGroupInformation.isSecurityEnabled()).thenReturn(true); + UserGroupInformation ugi = mock(UserGroupInformation.class); + when(UserGroupInformation.getLoginUser()).thenReturn(ugi); when(mockProtocolData.getToken()).thenReturn("This is odd"); try { 
@@ -57,30 +58,30 @@ public class SecuredHDFSTest { } } + @Test + public void loggedOutUser() throws IOException { + when(UserGroupInformation.isSecurityEnabled()).thenReturn(true); + UserGroupInformation ugi = mock(UserGroupInformation.class); + when(UserGroupInformation.getLoginUser()).thenReturn(ugi); + when(mockProtocolData.getToken()).thenReturn("This is odd"); + + try { + SecuredHDFS.verifyToken(mockProtocolData, mockContext); + fail("invalid X-GP-TOKEN should throw"); + } catch (SecurityException e) { + verify(ugi).reloginFromKeytab(); + assertEquals("Failed to verify delegation token java.io.EOFException", e.getMessage()); + } + } + /* * setUp function called before each test */ @Before public void setUp() { - parameters = new HashMap<>(); - - parameters.put("X-GP-ALIGNMENT", "all"); - parameters.put("X-GP-SEGMENT-ID", "-44"); - parameters.put("X-GP-SEGMENT-COUNT", "2"); - parameters.put("X-GP-HAS-FILTER", "0"); - parameters.put("X-GP-FORMAT", "TEXT"); - parameters.put("X-GP-URL-HOST", "my://bags"); - parameters.put("X-GP-URL-PORT", "-8020"); - parameters.put("X-GP-ATTRS", "-1"); - parameters.put("X-GP-ACCESSOR", "are"); - parameters.put("X-GP-RESOLVER", "packed"); - parameters.put("X-GP-DATA-DIR", "i'm/ready/to/go"); - parameters.put("X-GP-FRAGMENT-METADATA", "U29tZXRoaW5nIGluIHRoZSB3YXk="); - parameters.put("X-GP-I'M-STANDING-HERE", "outside-your-door"); - - mockProtocolData = mock(ProtocolData.class); + mockProtocolData = mock(ProtocolData.class); mockContext = mock(ServletContext.class); PowerMockito.mockStatic(UserGroupInformation.class); } -} +} \ No newline at end of file
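Review bot: `loggedOutUser` does not model a logged-out or expiring login; it repeats the malformed-token setup of `invalidTokenThrows` and only adds `verify(ugi).reloginFromKeytab()`, and its `fail(...)` text still talks about X-GP-TOKEN. The path this commit introduces, the relogin itself failing, is not exercised: a case with `doThrow(new IOException("relogin failed")).when(ugi).reloginFromKeytab();` should assert that a `SecurityException` is raised and, with `verify(mockProtocolData, never()).getToken();`, that the token is not read after a failed relogin. Renaming the existing test to say what it checks (for example `reloginAttemptedBeforeTokenCheck`) would also help. `doThrow` and `never` need static imports from `org.mockito.Mockito`, which the import hunk of this file does not add.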
