Repository: hadoop Updated Branches: refs/heads/branch-2.7 1569cc62c -> b1258ad58
HADOOP-15959. Revert "HADOOP-12751. While using kerberos Hadoop incorrectly assumes names with '@' to be non-simple" Project: http://git-wip-us.apache.org/repos/asf/hadoop/repo Commit: http://git-wip-us.apache.org/repos/asf/hadoop/commit/b1258ad5 Tree: http://git-wip-us.apache.org/repos/asf/hadoop/tree/b1258ad5 Diff: http://git-wip-us.apache.org/repos/asf/hadoop/diff/b1258ad5 Branch: refs/heads/branch-2.7 Commit: b1258ad5824600af402e791885456e6e7a659810 Parents: 1569cc6 Author: Steve Loughran <ste...@apache.org> Authored: Fri Nov 30 14:21:32 2018 +0000 Committer: Steve Loughran <ste...@apache.org> Committed: Fri Nov 30 14:21:32 2018 +0000 ---------------------------------------------------------------------- .../authentication/util/KerberosName.java | 9 ++-- .../TestKerberosAuthenticationHandler.java | 7 +++- .../authentication/util/TestKerberosName.java | 17 ++++++-- hadoop-common-project/hadoop-common/CHANGES.txt | 3 -- .../security/TestUserGroupInformation.java | 27 ++++-------- .../src/test/resources/azure-auth-keys.xml | 44 ++++++++++++++++++++ 6 files changed, 76 insertions(+), 31 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/hadoop/blob/b1258ad5/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/util/KerberosName.java ----------------------------------------------------------------------
diff --git a/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/util/KerberosName.java b/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/util/KerberosName.java
index 645fbc6..0bc1109 100644
--- a/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/util/KerberosName.java
+++ b/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/util/KerberosName.java
@@ -323,8 +323,8 @@ public class KerberosName { } } if (result != null && nonSimplePattern.matcher(result).find()) { - LOG.info("Non-simple name {} after auth_to_local rule {}", - result, this); + throw new NoMatchingRule("Non-simple name " + result + + " after auth_to_local rule " + this); } if (toLowerCase && result != null) { result = result.toLowerCase(Locale.ENGLISH); @@ -377,7 +377,7 @@ public class KerberosName { /** * Get the translation of the principal name into an operating system * user name. - * @return the user name + * @return the short name * @throws IOException throws if something is wrong with the rules */ public String getShortName() throws IOException { @@ -397,8 +397,7 @@ public class KerberosName { return result; } } - LOG.info("No auth_to_local rules applied to {}", this); - return toString(); + throw new NoMatchingRule("No rules applied to " + toString()); } /** http://git-wip-us.apache.org/repos/asf/hadoop/blob/b1258ad5/hadoop-common-project/hadoop-auth/src/test/java/org/apache/hadoop/security/authentication/server/TestKerberosAuthenticationHandler.java ---------------------------------------------------------------------- diff --git a/hadoop-common-project/hadoop-auth/src/test/java/org/apache/hadoop/security/authentication/server/TestKerberosAuthenticationHandler.java b/hadoop-common-project/hadoop-auth/src/test/java/org/apache/hadoop/security/authentication/server/TestKerberosAuthenticationHandler.java index e3444ef..408563f 100644 --- a/hadoop-common-project/hadoop-auth/src/test/java/org/apache/hadoop/security/authentication/server/TestKerberosAuthenticationHandler.java +++ b/hadoop-common-project/hadoop-auth/src/test/java/org/apache/hadoop/security/authentication/server/TestKerberosAuthenticationHandler.java 
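Review bot: The restored `throw new NoMatchingRule(...)` in the first hunk carries no comment saying why a result that still matches `nonSimplePattern` has to be rejected, and that is exactly the behaviour HADOOP-12751 loosened and this commit puts back. The Javadoc further down describes the short name as an operating system user name, so I would add above the `if`: `// Fail closed: a result that still looks like a principal was not mapped to a local user, so refuse it rather than pass it on as a user name.` The exception type is also slightly misleading at this point, because a rule did match and only its output was refused; the message covers that, but the comment should say so too. The enclosing method starts and ends outside the hunk.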
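Review bot: The Javadoc on `getShortName()` still says only `@throws IOException throws if something is wrong with the rules`, but after the last hunk of this file the method also throws when no auth_to_local rule applies, instead of returning the full principal. Callers that relied on the pass-through need to see that in the contract; I would extend the tag to `@throws IOException if the rules are invalid or no rule maps this principal (NoMatchingRule)`. I am assuming `NoMatchingRule` is an `IOException` subtype, which the tests in this commit suggest by catching `IOException`. The method body starts outside the hunk.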
@@ -109,7 +109,12 @@ public class TestKerberosAuthenticationHandler kn = new KerberosName("bar@BAR"); Assert.assertEquals("bar", kn.getShortName()); kn = new KerberosName("bar@FOO"); - Assert.assertEquals("bar@FOO", kn.getShortName()); + try { + kn.getShortName(); + Assert.fail(); + } + catch (Exception ex) { + } } @Test(timeout=60000) http://git-wip-us.apache.org/repos/asf/hadoop/blob/b1258ad5/hadoop-common-project/hadoop-auth/src/test/java/org/apache/hadoop/security/authentication/util/TestKerberosName.java ---------------------------------------------------------------------- diff --git a/hadoop-common-project/hadoop-auth/src/test/java/org/apache/hadoop/security/authentication/util/TestKerberosName.java b/hadoop-common-project/hadoop-auth/src/test/java/org/apache/hadoop/security/authentication/util/TestKerberosName.java index f85b3e1..354917e 100644 --- a/hadoop-common-project/hadoop-auth/src/test/java/org/apache/hadoop/security/authentication/util/TestKerberosName.java +++ b/hadoop-common-project/hadoop-auth/src/test/java/org/apache/hadoop/security/authentication/util/TestKerberosName.java 
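Review bot: The new negative case for `bar@FOO` catches `Exception` with an empty body and calls `Assert.fail()` without a message, so any exception at all, a `NullPointerException` from an unrelated regression included, lets the test pass. Catch the type the code is expected to throw and say what failed: `Assert.fail("bar@FOO must not map to a short name");` and `} catch (IOException expected) { /* no rule for realm FOO */ }`. `checkBadTranslation` in TestKerberosName.java already catches `IOException`; both could be narrowed to `KerberosName.NoMatchingRule`, if that class is visible to the tests, so that a rule-parsing error is not mistaken for the intended rejection. The test method starts outside the hunk.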
@@ -72,14 +72,23 @@ public class TestKerberosName { } } + private void checkBadTranslation(String from) { + System.out.println("Checking bad translation for " + from); + KerberosName nm = new KerberosName(from); + try { + nm.getShortName(); + Assert.fail("didn't get exception for " + from); + } catch (IOException ie) { + // PASS + } + } + @Test public void testAntiPatterns() throws Exception { checkBadName("owen/owen/o...@foo.com"); checkBadName("owen@foo/bar.com"); - - // no rules applied, these should pass - checkTranslation("f...@acme.com", "f...@acme.com"); - checkTranslation("root/j...@foo.com", "root/j...@foo.com"); + checkBadTranslation("f...@acme.com"); + checkBadTranslation("root/j...@foo.com"); } @Test http://git-wip-us.apache.org/repos/asf/hadoop/blob/b1258ad5/hadoop-common-project/hadoop-common/CHANGES.txt ---------------------------------------------------------------------- diff --git a/hadoop-common-project/hadoop-common/CHANGES.txt b/hadoop-common-project/hadoop-common/CHANGES.txt index b69a3cf..fbcb8ec 100644 --- a/hadoop-common-project/hadoop-common/CHANGES.txt +++ b/hadoop-common-project/hadoop-common/CHANGES.txt @@ -99,9 +99,6 @@ Release 2.7.6 - 2018-04-16 HADOOP-14842. Hadoop 2.8.2 release build process get stuck due to java issue. Contributed by Junping Du. - HADOOP-12751. While using kerberos Hadoop incorrectly assumes names with - '@' to be non-simple. (Bolke de Bruin via stevel). - HADOOP-13375. o.a.h.security.TestGroupsCaching.testBackgroundRefreshCounters seems flaky. (Weiwei Yang via Mingliang Liu, shv) http://git-wip-us.apache.org/repos/asf/hadoop/blob/b1258ad5/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestUserGroupInformation.java ---------------------------------------------------------------------- 
diff --git a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestUserGroupInformation.java b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestUserGroupInformation.java index ea91af3..735f9a1 100644 --- a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestUserGroupInformation.java +++ b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestUserGroupInformation.java @@ -281,15 +281,10 @@ public class TestUserGroupInformation { UserGroupInformation.setConfiguration(conf); testConstructorSuccess("user1", "user1"); testConstructorSuccess("user4@OTHER.REALM", "other-user4"); - - // pass through test, no transformation - testConstructorSuccess("user2@DEFAULT.REALM", "user2@DEFAULT.REALM"); - testConstructorSuccess("user3/cron@DEFAULT.REALM", "user3/cron@DEFAULT.REALM"); - testConstructorSuccess("user5/cron@OTHER.REALM", "user5/cron@OTHER.REALM"); - - // failures - testConstructorFailures("us...@example.com@OTHER.REALM"); - testConstructorFailures("us...@example.com@DEFAULT.REALM"); + // failure test + testConstructorFailures("user2@DEFAULT.REALM"); + testConstructorFailures("user3/cron@DEFAULT.REALM"); + testConstructorFailures("user5/cron@OTHER.REALM"); testConstructorFailures(null); testConstructorFailures(""); } 
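Review bot: Dropping the two double-`@` cases (`us...@example.com@OTHER.REALM` and `us...@example.com@DEFAULT.REALM`) removes the only negative coverage in this test for a principal with more than one `@`, an input that should be rejected with or without HADOOP-12751. They could stay if `testConstructorFailures` kept accepting the `Malformed Kerberos name` message that the last hunk of this file (`@@ -350,9 +342,8 @@`) removes; I am inferring from that removed `expect2` line that this is the message such names produce. If a pure revert is preferred, a follow-up that adds them back would keep that boundary pinned. The test method starts outside the hunk.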
@@ -303,13 +298,10 @@ public class TestUserGroupInformation { testConstructorSuccess("user1", "user1"); testConstructorSuccess("user2@DEFAULT.REALM", "user2"); - testConstructorSuccess("user3/cron@DEFAULT.REALM", "user3"); - - // no rules applied, local name remains the same - testConstructorSuccess("user4@OTHER.REALM", "user4@OTHER.REALM"); - testConstructorSuccess("user5/cron@OTHER.REALM", "user5/cron@OTHER.REALM"); - + testConstructorSuccess("user3/cron@DEFAULT.REALM", "user3"); // failure test + testConstructorFailures("user4@OTHER.REALM"); + testConstructorFailures("user5/cron@OTHER.REALM"); testConstructorFailures(null); testConstructorFailures(""); } @@ -350,9 +342,8 @@ public class TestUserGroupInformation { } catch (IllegalArgumentException e) { String expect = (userName == null || userName.isEmpty()) ? "Null user" : "Illegal principal name "+userName; - String expect2 = "Malformed Kerberos name: "+userName; - assertTrue("Did not find "+ expect + " or " + expect2 + " in " + e, - e.toString().contains(expect) || e.toString().contains(expect2)); + assertTrue("Did not find "+ expect + " in " + e, + e.toString().contains(expect)); } } http://git-wip-us.apache.org/repos/asf/hadoop/blob/b1258ad5/hadoop-tools/hadoop-azure/src/test/resources/azure-auth-keys.xml ---------------------------------------------------------------------- diff --git a/hadoop-tools/hadoop-azure/src/test/resources/azure-auth-keys.xml b/hadoop-tools/hadoop-azure/src/test/resources/azure-auth-keys.xml new file mode 100644 index 0000000..02206db --- /dev/null +++ b/hadoop-tools/hadoop-azure/src/test/resources/azure-auth-keys.xml 
@@ -0,0 +1,44 @@ +<?xml version="1.0"?> +<?xml-stylesheet type="text/xsl" href="configuration.xsl"?> +<!-- + ~ Licensed to the Apache Software Foundation (ASF) under one + ~ or more contributor license agreements. See the NOTICE file + ~ distributed with this work for additional information + ~ regarding copyright ownership. The ASF licenses this file + ~ to you under the Apache License, Version 2.0 (the + ~ "License"); you may not use this file except in compliance + ~ with the License. You may obtain a copy of the License at + ~ + ~ http://www.apache.org/licenses/LICENSE-2.0 + ~ + ~ Unless required by applicable law or agreed to in writing, software + ~ distributed under the License is distributed on an "AS IS" BASIS, + ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + ~ See the License for the specific language governing permissions and + ~ limitations under the License. + --> + +<configuration> + + <include xmlns="http://www.w3.org/2001/XInclude" + href="//users/stevel/.ssh/auth-keys.xml" > + <fallback/> + </include> + + <include xmlns="http://www.w3.org/2001/XInclude" + href="file:///users/stevel/.ssh/auth-keys.xml"> + <fallback/> + </include> +<!-- + <property> + <name>fs.azure.secure.mode</name> + <value>true</value> + </property> + <property> + <name>fs.azure.authorization</name> + <value>true</value> + </property> + --> + + +</configuration> --------------------------------------------------------------------- To unsubscribe, e-mail: common-commits-unsubscr...@hadoop.apache.org For additional commands, e-mail: common-commits-h...@hadoop.apache.org
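Review bot: `azure-auth-keys.xml` is a new file unrelated to reverting HADOOP-12751, and both of its XInclude `href`s point into one developer's home directory (`/users/stevel/.ssh/auth-keys.xml`), so it looks like a local test-credentials stub committed by accident. The file itself holds no keys, but it publishes where they are kept, and on a machine without that path the empty `<fallback/>` presumably makes the include resolve to nothing without any error. I would drop it from this commit and make sure the name is covered by the module's ignore rules; if a template is wanted, ship it with a placeholder such as `href="file:///PATH/TO/auth-keys.xml"`. The first `href` (`//users/...`) also has no scheme, so how it resolves likely depends on the base URI, which is probably not what was intended.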