Repository: hadoop Updated Branches: refs/heads/branch-2 401d1e6e8 -> d590c1785
HADOOP-12682. Fix TestKMS#testKMSRestart* failure. Contributed by Wei-Chiu Chuang. (cherry picked from commit ab725cff66e8a047e9437e42ac49ac8685ee7a94) Project: http://git-wip-us.apache.org/repos/asf/hadoop/repo Commit: http://git-wip-us.apache.org/repos/asf/hadoop/commit/d590c178 Tree: http://git-wip-us.apache.org/repos/asf/hadoop/tree/d590c178 Diff: http://git-wip-us.apache.org/repos/asf/hadoop/diff/d590c178 Branch: refs/heads/branch-2 Commit: d590c17851fa91544dd77f9e6346ce7e8c1da31f Parents: 401d1e6 Author: Xiaoyu Yao <x...@apache.org> Authored: Wed Dec 30 10:29:26 2015 -0800 Committer: Xiaoyu Yao <x...@apache.org> Committed: Wed Dec 30 10:43:44 2015 -0800 ---------------------------------------------------------------------- hadoop-common-project/hadoop-common/CHANGES.txt | 3 ++ .../hadoop/security/UserGroupInformation.java | 36 ++++++++++++++++++++ .../hadoop/crypto/key/kms/server/TestKMS.java | 21 ++---------- 3 files changed, 42 insertions(+), 18 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/hadoop/blob/d590c178/hadoop-common-project/hadoop-common/CHANGES.txt ---------------------------------------------------------------------- diff --git a/hadoop-common-project/hadoop-common/CHANGES.txt b/hadoop-common-project/hadoop-common/CHANGES.txt index 6a3e711..367c127 100644 --- a/hadoop-common-project/hadoop-common/CHANGES.txt +++ b/hadoop-common-project/hadoop-common/CHANGES.txt @@ -908,6 +908,9 @@ Release 2.8.0 - UNRELEASED HADOOP-12559. KMS connection failures should trigger TGT renewal. (Zhe Zhang via xyao) + HADOOP-12682. Fix TestKMS#testKMSRestart* failure. + (Wei-Chiu Chuang via xyao) + Release 2.7.3 - UNRELEASED INCOMPATIBLE CHANGES http://git-wip-us.apache.org/repos/asf/hadoop/blob/d590c178/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/UserGroupInformation.java ---------------------------------------------------------------------- diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/UserGroupInformation.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/UserGroupInformation.java index 0c82173..7d8a88e 100644 --- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/UserGroupInformation.java +++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/UserGroupInformation.java @@ -963,6 +963,42 @@ public class UserGroupInformation { LOG.info("Login successful for user " + keytabPrincipal + " using keytab file " + keytabFile); } + + /** + * Log the current user out who previously logged in using keytab. + * This method assumes that the user logged in by calling + * {@link #loginUserFromKeytab(String, String)}. + * + * @throws IOException if a failure occurred in logout, or if the user did + * not log in by invoking loginUserFromKeyTab() before. + */ + @InterfaceAudience.Public + @InterfaceStability.Evolving + public void logoutUserFromKeytab() throws IOException { + if (!isSecurityEnabled() || + user.getAuthenticationMethod() != AuthenticationMethod.KERBEROS) { + return; + } + LoginContext login = getLogin(); + if (login == null || keytabFile == null) { + throw new IOException("loginUserFromKeytab must be done first"); + } + + try { + if (LOG.isDebugEnabled()) { + LOG.debug("Initiating logout for " + getUserName()); + } + synchronized (UserGroupInformation.class) { + login.logout(); + } + } catch (LoginException le) { + throw new IOException("Logout failure for " + user + " from keytab " + + keytabFile, le); + } + + LOG.info("Logout successful for user " + keytabPrincipal + + " using keytab file " + keytabFile); + } /** * Re-login a user from keytab if TGT is expired or is close to expiry. http://git-wip-us.apache.org/repos/asf/hadoop/blob/d590c178/hadoop-common-project/hadoop-kms/src/test/java/org/apache/hadoop/crypto/key/kms/server/TestKMS.java ---------------------------------------------------------------------- diff --git a/hadoop-common-project/hadoop-kms/src/test/java/org/apache/hadoop/crypto/key/kms/server/TestKMS.java b/hadoop-common-project/hadoop-kms/src/test/java/org/apache/hadoop/crypto/key/kms/server/TestKMS.java index c5a990b..7131b7c 100644 --- a/hadoop-common-project/hadoop-kms/src/test/java/org/apache/hadoop/crypto/key/kms/server/TestKMS.java +++ b/hadoop-common-project/hadoop-kms/src/test/java/org/apache/hadoop/crypto/key/kms/server/TestKMS.java @@ -44,10 +44,8 @@ import org.junit.Before; import org.junit.BeforeClass; import org.junit.Test; -import javax.security.auth.Subject; import javax.security.auth.kerberos.KerberosPrincipal; import javax.security.auth.login.AppConfigurationEntry; -import javax.security.auth.login.LoginContext; import java.io.File; import java.io.FileWriter; @@ -59,16 +57,13 @@ import java.net.ServerSocket; import java.net.SocketTimeoutException; import java.net.URI; import java.net.URL; -import java.security.Principal; import java.security.PrivilegedExceptionAction; import java.util.ArrayList; import java.util.Date; import java.util.HashMap; -import java.util.HashSet; import java.util.List; import java.util.Map; import java.util.Properties; -import java.util.Set; import java.util.UUID; import java.util.concurrent.Callable; @@ -250,22 +245,12 @@ public class TestKMS { private <T> T doAs(String user, final PrivilegedExceptionAction<T> action) throws Exception { - Set<Principal> principals = new HashSet<Principal>(); - principals.add(new KerberosPrincipal(user)); - - //client login - Subject subject = new Subject(false, principals, - new HashSet<Object>(), new HashSet<Object>()); - LoginContext loginContext = new LoginContext("", subject, null, - KerberosConfiguration.createClientConfig(user, keytab)); + UserGroupInformation.loginUserFromKeytab(user, keytab.getAbsolutePath()); + UserGroupInformation ugi = UserGroupInformation.getLoginUser(); try { - loginContext.login(); - subject = loginContext.getSubject(); - UserGroupInformation ugi = - UserGroupInformation.getUGIFromSubject(subject); return ugi.doAs(action); } finally { - loginContext.logout(); + ugi.logoutUserFromKeytab(); } }
