Author: mahadev
Date: Sun Jul 24 08:11:42 2011
New Revision: 1150294
URL: http://svn.apache.org/viewvc?rev=1150294&view=rev
Log:
HADOOP-6929. Backport changes to MR-279 (mahadev and owen)
Modified:
hadoop/common/branches/MR-279/common/build.xml
hadoop/common/branches/MR-279/common/src/java/core-default.xml
hadoop/common/branches/MR-279/common/src/java/org/apache/hadoop/fs/CommonConfigurationKeysPublic.java
hadoop/common/branches/MR-279/common/src/java/org/apache/hadoop/ipc/Client.java
hadoop/common/branches/MR-279/common/src/java/org/apache/hadoop/security/AnnotatedSecurityInfo.java
hadoop/common/branches/MR-279/common/src/java/org/apache/hadoop/security/SecurityInfo.java
hadoop/common/branches/MR-279/common/src/java/org/apache/hadoop/security/SecurityUtil.java
hadoop/common/branches/MR-279/common/src/java/org/apache/hadoop/security/authorize/ServiceAuthorizationManager.java
hadoop/common/branches/MR-279/common/src/test/core/org/apache/hadoop/ipc/TestAvroRpc.java
hadoop/common/branches/MR-279/common/src/test/core/org/apache/hadoop/ipc/TestSaslRPC.java
Modified: hadoop/common/branches/MR-279/common/build.xml
URL:
http://svn.apache.org/viewvc/hadoop/common/branches/MR-279/common/build.xml?rev=1150294&r1=1150293&r2=1150294&view=diff
==============================================================================
--- hadoop/common/branches/MR-279/common/build.xml (original)
+++ hadoop/common/branches/MR-279/common/build.xml Sun Jul 24 08:11:42 2011
@@ -454,6 +454,11 @@
<property name="jar.properties.list" value="commons-logging.properties,
log4j.properties, hadoop-metrics.properties" />
<jar jarfile="${build.dir}/${final.name}.jar"
basedir="${build.classes}">
+ <service type="org.apache.hadoop.security.SecurityInfo">
+ <provider
+ classname="org.apache.hadoop.security.AnnotatedSecurityInfo"/>
+ </service>
+
<manifest>
<section name="org/apache/hadoop">
<attribute name="Implementation-Title" value="${ant.project.name}"/>
Modified: hadoop/common/branches/MR-279/common/src/java/core-default.xml
URL:
http://svn.apache.org/viewvc/hadoop/common/branches/MR-279/common/src/java/core-default.xml?rev=1150294&r1=1150293&r2=1150294&view=diff
==============================================================================
--- hadoop/common/branches/MR-279/common/src/java/core-default.xml (original)
+++ hadoop/common/branches/MR-279/common/src/java/core-default.xml Sun Jul 24
08:11:42 2011
@@ -98,15 +98,6 @@
</property>
<property>
- <name>hadoop.security.info.class.name</name>
- <value>org.apache.hadoop.security.AnnotatedSecurityInfo</value>
- <description>
- Implementation of org.apache.hadoop.security.SecurityInfo interface to
- be used by RPC for a given protocol.
- </description>
-</property>
-
-<property>
<name>hadoop.rpc.protection</name>
<value>authentication</value>
<description>This field sets the quality of protection for secured sasl
Modified:
hadoop/common/branches/MR-279/common/src/java/org/apache/hadoop/fs/CommonConfigurationKeysPublic.java
URL:
http://svn.apache.org/viewvc/hadoop/common/branches/MR-279/common/src/java/org/apache/hadoop/fs/CommonConfigurationKeysPublic.java?rev=1150294&r1=1150293&r2=1150294&view=diff
==============================================================================
---
hadoop/common/branches/MR-279/common/src/java/org/apache/hadoop/fs/CommonConfigurationKeysPublic.java
(original)
+++
hadoop/common/branches/MR-279/common/src/java/org/apache/hadoop/fs/CommonConfigurationKeysPublic.java
Sun Jul 24 08:11:42 2011
@@ -216,8 +216,5 @@ public class CommonConfigurationKeysPubl
/** See <a href="{@docRoot}/../core-default.html">core-default.xml</a> */
public static final String HADOOP_SECURITY_SERVICE_USER_NAME_KEY =
"hadoop.security.service.user.name.key";
- /** See <a href="{@docRoot}/../core-default.html">core-default.xml</a> */
- public static final String HADOOP_SECURITY_INFO_CLASS_NAME =
- "hadoop.security.info.class.name";
}
Modified:
hadoop/common/branches/MR-279/common/src/java/org/apache/hadoop/ipc/Client.java
URL:
http://svn.apache.org/viewvc/hadoop/common/branches/MR-279/common/src/java/org/apache/hadoop/ipc/Client.java?rev=1150294&r1=1150293&r2=1150294&view=diff
==============================================================================
---
hadoop/common/branches/MR-279/common/src/java/org/apache/hadoop/ipc/Client.java
(original)
+++
hadoop/common/branches/MR-279/common/src/java/org/apache/hadoop/ipc/Client.java
Sun Jul 24 08:11:42 2011
@@ -58,10 +58,8 @@ import org.apache.hadoop.io.Writable;
import org.apache.hadoop.io.WritableUtils;
import org.apache.hadoop.io.DataOutputBuffer;
import org.apache.hadoop.net.NetUtils;
-import org.apache.hadoop.security.AnnotatedSecurityInfo;
import org.apache.hadoop.security.KerberosInfo;
import org.apache.hadoop.security.SaslRpcClient;
-import org.apache.hadoop.security.SecurityInfo;
import org.apache.hadoop.security.SaslRpcServer.AuthMethod;
import org.apache.hadoop.security.SecurityUtil;
import org.apache.hadoop.security.UserGroupInformation;
@@ -257,8 +255,7 @@ public class Client {
this.useSasl = UserGroupInformation.isSecurityEnabled();
LOG.debug("Protocol is " + protocol + " useSasl is " + useSasl);
if (useSasl && protocol != null) {
- TokenInfo tokenInfo = SecurityUtil.getSecurityInfo(
- remoteId.conf).getTokenInfo(protocol);
+ TokenInfo tokenInfo = SecurityUtil.getTokenInfo(protocol,
remoteId.conf);
if (tokenInfo != null) {
TokenSelector<? extends TokenIdentifier> tokenSelector = null;
try {
@@ -273,10 +270,7 @@ public class Client {
.getHostAddress() + ":" + addr.getPort()),
ticket.getTokens());
}
- KerberosInfo krbInfo = SecurityUtil.getSecurityInfo(
- remoteId.conf).getKerborosInfo(protocol);
- LOG.debug("securityinfo class is " + SecurityUtil.getSecurityInfo(
- remoteId.conf).getClass().getCanonicalName());
+ KerberosInfo krbInfo = SecurityUtil.getKerberosInfo(protocol,
remoteId.conf);
LOG.debug("KerberosInfo object's class is " + krbInfo);
if (krbInfo != null) {
serverPrincipal = remoteId.getServerPrincipal();
@@ -1295,8 +1289,7 @@ public class Client {
if (!UserGroupInformation.isSecurityEnabled() || protocol == null) {
return null;
}
- KerberosInfo krbInfo = SecurityUtil.getSecurityInfo(
- conf).getKerborosInfo(protocol);
+ KerberosInfo krbInfo = SecurityUtil.getKerberosInfo(protocol, conf);
if (krbInfo != null) {
String serverKey = krbInfo.serverPrincipal();
if (serverKey == null) {
Modified:
hadoop/common/branches/MR-279/common/src/java/org/apache/hadoop/security/AnnotatedSecurityInfo.java
URL:
http://svn.apache.org/viewvc/hadoop/common/branches/MR-279/common/src/java/org/apache/hadoop/security/AnnotatedSecurityInfo.java?rev=1150294&r1=1150293&r2=1150294&view=diff
==============================================================================
---
hadoop/common/branches/MR-279/common/src/java/org/apache/hadoop/security/AnnotatedSecurityInfo.java
(original)
+++
hadoop/common/branches/MR-279/common/src/java/org/apache/hadoop/security/AnnotatedSecurityInfo.java
Sun Jul 24 08:11:42 2011
@@ -18,6 +18,7 @@
package org.apache.hadoop.security;
+import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.security.token.TokenInfo;
/**
@@ -26,12 +27,12 @@ import org.apache.hadoop.security.token.
public class AnnotatedSecurityInfo implements SecurityInfo {
@Override
- public KerberosInfo getKerborosInfo(Class<?> protocol) {
+ public KerberosInfo getKerberosInfo(Class<?> protocol, Configuration conf) {
return protocol.getAnnotation(KerberosInfo.class);
}
@Override
- public TokenInfo getTokenInfo(Class<?> protocol) {
+ public TokenInfo getTokenInfo(Class<?> protocol, Configuration conf) {
return protocol.getAnnotation(TokenInfo.class);
}
Modified:
hadoop/common/branches/MR-279/common/src/java/org/apache/hadoop/security/SecurityInfo.java
URL:
http://svn.apache.org/viewvc/hadoop/common/branches/MR-279/common/src/java/org/apache/hadoop/security/SecurityInfo.java?rev=1150294&r1=1150293&r2=1150294&view=diff
==============================================================================
---
hadoop/common/branches/MR-279/common/src/java/org/apache/hadoop/security/SecurityInfo.java
(original)
+++
hadoop/common/branches/MR-279/common/src/java/org/apache/hadoop/security/SecurityInfo.java
Sun Jul 24 08:11:42 2011
@@ -18,8 +18,13 @@
package org.apache.hadoop.security;
+import org.apache.hadoop.classification.InterfaceAudience.LimitedPrivate;
+import org.apache.hadoop.classification.InterfaceStability.Evolving;
+import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.security.token.TokenInfo;
+@Evolving
+@LimitedPrivate({"MapReduce"})
/**
* Interface used by RPC to get the Security information for a given
* protocol.
@@ -29,15 +34,17 @@ public interface SecurityInfo {
/**
* Get the KerberosInfo for a given protocol.
* @param protocol interface class
+ * @param conf configuration object
* @return KerberosInfo
*/
- KerberosInfo getKerborosInfo(Class<?> protocol);
+ KerberosInfo getKerberosInfo(Class<?> protocol, Configuration conf);
/**
* Get the TokenInfo for a given protocol.
* @param protocol interface class
+ * @param conf configuration object
* @return TokenInfo instance
*/
- TokenInfo getTokenInfo(Class<?> protocol);
+ TokenInfo getTokenInfo(Class<?> protocol, Configuration conf);
}
Modified:
hadoop/common/branches/MR-279/common/src/java/org/apache/hadoop/security/SecurityUtil.java
URL:
http://svn.apache.org/viewvc/hadoop/common/branches/MR-279/common/src/java/org/apache/hadoop/security/SecurityUtil.java?rev=1150294&r1=1150293&r2=1150294&view=diff
==============================================================================
---
hadoop/common/branches/MR-279/common/src/java/org/apache/hadoop/security/SecurityUtil.java
(original)
+++
hadoop/common/branches/MR-279/common/src/java/org/apache/hadoop/security/SecurityUtil.java
Sun Jul 24 08:11:42 2011
@@ -22,6 +22,7 @@ import java.net.URI;
import java.net.URL;
import java.net.UnknownHostException;
import java.security.AccessController;
+import java.util.ServiceLoader;
import java.util.Set;
import javax.security.auth.Subject;
@@ -33,8 +34,8 @@ import org.apache.commons.logging.LogFac
import org.apache.hadoop.classification.InterfaceAudience;
import org.apache.hadoop.classification.InterfaceStability;
import org.apache.hadoop.conf.Configuration;
-import org.apache.hadoop.fs.CommonConfigurationKeysPublic;
import org.apache.hadoop.net.NetUtils;
+import org.apache.hadoop.security.token.TokenInfo;
import sun.security.jgss.krb5.Krb5Util;
import sun.security.krb5.Credentials;
@@ -283,26 +284,63 @@ public class SecurityUtil {
return sb.toString();
}
- @SuppressWarnings("unchecked")
+ private static ServiceLoader<SecurityInfo> securityInfoProviders =
+ ServiceLoader.load(SecurityInfo.class);
+ private static SecurityInfo[] testProviders = new SecurityInfo[0];
+
/**
- * Construct the SecurityInfo instance from the given conf for a
- * protocol.
- * @param conf Configuration object with which the protocol is registered.
+ * Test setup method to register additional providers.
+ * @param providers a list of high priority providers to use
*/
- public static SecurityInfo getSecurityInfo(Configuration conf)
- throws IOException {
- try {
- Class<SecurityInfo> secInfoClass = (Class<SecurityInfo>)
- conf.getClass(
- CommonConfigurationKeysPublic.HADOOP_SECURITY_INFO_CLASS_NAME,
- AnnotatedSecurityInfo.class);
- SecurityInfo secInfo = secInfoClass.newInstance();
- return secInfo;
- } catch (Exception e) {
- throw new IOException("Can't create the SecurityInfo instance", e);
+ @InterfaceAudience.Private
+ public static void setSecurityInfoProviders(SecurityInfo... providers) {
+ testProviders = providers;
+ }
+
+ /**
+ * Look up the KerberosInfo for a given protocol. It searches all known
+ * SecurityInfo providers.
+ * @param protocol the protocol class to get the information for
+ * @return the KerberosInfo or null if it has no KerberosInfo defined
+ */
+ public static KerberosInfo getKerberosInfo(Class<?> protocol, Configuration
conf) {
+ for(SecurityInfo provider: testProviders) {
+ KerberosInfo result = provider.getKerberosInfo(protocol, conf);
+ if (result != null) {
+ return result;
+ }
+ }
+ for(SecurityInfo provider: securityInfoProviders) {
+ KerberosInfo result = provider.getKerberosInfo(protocol, conf);
+ if (result != null) {
+ return result;
+ }
}
+ return null;
+ }
+
+ /**
+ * Look up the TokenInfo for a given protocol. It searches all known
+ * SecurityInfo providers.
+ * @param protocol The protocol class to get the information for.
+ * @param conf configuration object
+ * @return the TokenInfo or null if it has no KerberosInfo defined
+ */
+ public static TokenInfo getTokenInfo(Class<?> protocol, Configuration conf) {
+ for(SecurityInfo provider: testProviders) {
+ TokenInfo result = provider.getTokenInfo(protocol, conf);
+ if (result != null) {
+ return result;
+ }
+ }
+ for(SecurityInfo provider: securityInfoProviders) {
+ TokenInfo result = provider.getTokenInfo(protocol, conf);
+ if (result != null) {
+ return result;
+ }
+ }
+ return null;
}
-
/**
* Get the host name from the principal name of format <service>/host@realm.
Modified:
hadoop/common/branches/MR-279/common/src/java/org/apache/hadoop/security/authorize/ServiceAuthorizationManager.java
URL:
http://svn.apache.org/viewvc/hadoop/common/branches/MR-279/common/src/java/org/apache/hadoop/security/authorize/ServiceAuthorizationManager.java?rev=1150294&r1=1150293&r2=1150294&view=diff
==============================================================================
---
hadoop/common/branches/MR-279/common/src/java/org/apache/hadoop/security/authorize/ServiceAuthorizationManager.java
(original)
+++
hadoop/common/branches/MR-279/common/src/java/org/apache/hadoop/security/authorize/ServiceAuthorizationManager.java
Sun Jul 24 08:11:42 2011
@@ -41,8 +41,6 @@ import org.apache.hadoop.security.UserGr
@InterfaceStability.Evolving
public class ServiceAuthorizationManager {
private static final String HADOOP_POLICY_FILE = "hadoop-policy.xml";
- private static final Log LOG = LogFactory
- .getLog(ServiceAuthorizationManager.class);
private Map<Class<?>, AccessControlList> protocolToAcl =
new IdentityHashMap<Class<?>, AccessControlList>();
@@ -86,13 +84,7 @@ public class ServiceAuthorizationManager
}
// get client principal key to verify (if available)
- KerberosInfo krbInfo;
- try {
- krbInfo = SecurityUtil.getSecurityInfo(
- conf).getKerborosInfo(protocol);
- } catch (IOException e1) {
- throw new AuthorizationException(e1);
- }
+ KerberosInfo krbInfo = SecurityUtil.getKerberosInfo(protocol, conf);
String clientPrincipal = null;
if (krbInfo != null) {
String clientKey = krbInfo.clientPrincipal();
Modified:
hadoop/common/branches/MR-279/common/src/test/core/org/apache/hadoop/ipc/TestAvroRpc.java
URL:
http://svn.apache.org/viewvc/hadoop/common/branches/MR-279/common/src/test/core/org/apache/hadoop/ipc/TestAvroRpc.java?rev=1150294&r1=1150293&r2=1150294&view=diff
==============================================================================
---
hadoop/common/branches/MR-279/common/src/test/core/org/apache/hadoop/ipc/TestAvroRpc.java
(original)
+++
hadoop/common/branches/MR-279/common/src/test/core/org/apache/hadoop/ipc/TestAvroRpc.java
Sun Jul 24 08:11:42 2011
@@ -40,6 +40,8 @@ import org.apache.hadoop.ipc.TestSaslRPC
import org.apache.hadoop.ipc.TestSaslRPC.TestTokenSecretManager;
import org.apache.hadoop.net.NetUtils;
import org.apache.hadoop.security.SaslRpcServer;
+import org.apache.hadoop.security.SecurityInfo;
+import org.apache.hadoop.security.SecurityUtil;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.token.Token;
@@ -129,6 +131,7 @@ public class TestAvroRpc extends TestCas
assertTrue(caught);
} finally {
+ clearSecure();
server.stop();
}
}
@@ -138,8 +141,13 @@ public class TestAvroRpc extends TestCas
conf.set("hadoop.rpc.socket.factory.class.default", "");
//Avro doesn't work with security annotations on protocol.
//Avro works ONLY with custom security context
- conf.set(CommonConfigurationKeysPublic.HADOOP_SECURITY_INFO_CLASS_NAME,
- CustomSecurityInfo.class.getName());
+ SecurityUtil.setSecurityInfoProviders(new SecurityInfo[] {
+ new CustomSecurityInfo()
+ });
+ }
+
+ private void clearSecure() {
+ SecurityUtil.setSecurityInfoProviders(new SecurityInfo[0]);
}
private void addToken(TestTokenSecretManager sm,
@@ -191,6 +199,7 @@ public class TestAvroRpc extends TestCas
assertEquals(3, intResult);
} finally {
+ clearSecure();
server.stop();
}
}
Modified:
hadoop/common/branches/MR-279/common/src/test/core/org/apache/hadoop/ipc/TestSaslRPC.java
URL:
http://svn.apache.org/viewvc/hadoop/common/branches/MR-279/common/src/test/core/org/apache/hadoop/ipc/TestSaslRPC.java?rev=1150294&r1=1150293&r2=1150294&view=diff
==============================================================================
---
hadoop/common/branches/MR-279/common/src/test/core/org/apache/hadoop/ipc/TestSaslRPC.java
(original)
+++
hadoop/common/branches/MR-279/common/src/test/core/org/apache/hadoop/ipc/TestSaslRPC.java
Sun Jul 24 08:11:42 2011
@@ -191,10 +191,10 @@ public class TestSaslRPC {
}
}
- public static class CustomSecurityInfo implements SecurityInfo {
+ public static class CustomSecurityInfo implements SecurityInfo {
@Override
- public KerberosInfo getKerborosInfo(Class<?> protocol) {
+ public KerberosInfo getKerberosInfo(Class<?> protocol, Configuration conf)
{
return new KerberosInfo() {
@Override
public Class<? extends Annotation> annotationType() {
@@ -212,7 +212,7 @@ public class TestSaslRPC {
}
@Override
- public TokenInfo getTokenInfo(Class<?> protocol) {
+ public TokenInfo getTokenInfo(Class<?> protocol, Configuration conf) {
return new TokenInfo() {
@Override
public Class<? extends TokenSelector<? extends
@@ -233,19 +233,24 @@ public class TestSaslRPC {
final Server server = RPC.getServer(TestSaslProtocol.class,
new TestSaslImpl(), ADDRESS, 0, 5, true, conf, sm);
- doDigestRpc(server, sm, conf);
+ doDigestRpc(server, sm);
}
@Test
public void testDigestRpcWithoutAnnotation() throws Exception {
TestTokenSecretManager sm = new TestTokenSecretManager();
Configuration conf1 = new Configuration(conf);
- conf1.set(CommonConfigurationKeysPublic.HADOOP_SECURITY_INFO_CLASS_NAME,
- CustomSecurityInfo.class.getName());
- final Server server = RPC.getServer(TestSaslProtocol.class,
- new TestSaslImpl(), ADDRESS, 0, 5, true, conf1, sm);
+ try {
+ SecurityUtil.setSecurityInfoProviders(new SecurityInfo[] {
+ new CustomSecurityInfo()
+ });
+ final Server server = RPC.getServer(TestSaslProtocol.class,
+ new TestSaslImpl(), ADDRESS, 0, 5, true, conf, sm);
- doDigestRpc(server, sm, conf1);
+ doDigestRpc(server, sm);
+ } finally {
+ SecurityUtil.setSecurityInfoProviders(new SecurityInfo[0]);
+ }
}
@Test
@@ -254,7 +259,7 @@ public class TestSaslRPC {
new TestSaslImpl(), ADDRESS, 0, 5, true, conf, null);
server.disableSecurity();
TestTokenSecretManager sm = new TestTokenSecretManager();
- doDigestRpc(server, sm, conf);
+ doDigestRpc(server, sm);
}
@Test
@@ -265,7 +270,7 @@ public class TestSaslRPC {
boolean succeeded = false;
try {
- doDigestRpc(server, sm, conf);
+ doDigestRpc(server, sm);
} catch (RemoteException e) {
LOG.info("LOGGING MESSAGE: " + e.getLocalizedMessage());
assertTrue(ERROR_MESSAGE.equals(e.getLocalizedMessage()));
@@ -275,9 +280,8 @@ public class TestSaslRPC {
assertTrue(succeeded);
}
- private void doDigestRpc(Server server, TestTokenSecretManager sm,
- Configuration config)
- throws Exception {
+ private void doDigestRpc(Server server, TestTokenSecretManager sm
+ ) throws Exception {
server.start();
final UserGroupInformation current = UserGroupInformation.getCurrentUser();
@@ -295,7 +299,7 @@ public class TestSaslRPC {
TestSaslProtocol proxy = null;
try {
proxy = (TestSaslProtocol) RPC.getProxy(TestSaslProtocol.class,
- TestSaslProtocol.versionID, addr, config);
+ TestSaslProtocol.versionID, addr, conf);
//QOP must be auth
Assert.assertEquals(SaslRpcServer.SASL_PROPS.get(Sasl.QOP), "auth");
proxy.ping();