This is an automated email from the ASF dual-hosted git repository.

inigoiri pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/hadoop.git


The following commit(s) were added to refs/heads/trunk by this push:
     new 60f3a2b1019 HDFS-17138 RBF: We changed the 
hadoop.security.auth_to_local configur… (#5921)
60f3a2b1019 is described below

commit 60f3a2b1019373599c25bc09704bafa0884e4a2d
Author: 章锡平 <40832063+zhangxipi...@users.noreply.github.com>
AuthorDate: Tue Sep 19 00:40:22 2023 +0800

    HDFS-17138 RBF: We changed the hadoop.security.auth_to_local configur… 
(#5921)
---
 .../AbstractDelegationTokenSecretManager.java      |  7 ++++-
 .../hadoop/hdfs/security/TestDelegationToken.java  | 32 ++++++++++++++++++++++
 2 files changed, 38 insertions(+), 1 deletion(-)

diff --git 
a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/AbstractDelegationTokenSecretManager.java
 
b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/AbstractDelegationTokenSecretManager.java
index cafa5135e68..8378a47cedd 100644
--- 
a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/AbstractDelegationTokenSecretManager.java
+++ 
b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/AbstractDelegationTokenSecretManager.java
@@ -81,7 +81,12 @@ extends AbstractDelegationTokenIdentifier>
       = DelegationTokenSecretManagerMetrics.create();
 
   private String formatTokenId(TokenIdent id) {
-    return "(" + id + ")";
+    try {
+      return "(" + id + ")";
+    } catch (Exception e) {
+      LOG.warn("Exception in formatTokenId", e);
+    }
+    return "( SequenceNumber=" + id.getSequenceNumber() + " )";
   }
 
   /** 
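Review bot: The fallback return in `formatTokenId` reports only the sequence number, so when `toString()` fails after an auth_to_local change, the log lines built with this helper (its callers are outside the hunk) no longer say whose token was affected. That is the detail an operator needs when auditing the rule change. Consider keeping the stored identity fields, e.g. `return "( owner=" + id.getOwner() + ", renewer=" + id.getRenewer() + ", SequenceNumber=" + id.getSequenceNumber() + " )";`, assuming those accessors return the raw values without applying the Kerberos rules. `LOG.warn("Exception in formatTokenId", e)` also writes a full stack trace on every call, so a large set of stored tokens that stop matching could flood the log; logging `e.toString()` would keep it readable. `catch (Exception e)` is probably wider than needed if the only expected failure is the rule mismatch.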
diff --git 
a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/security/TestDelegationToken.java
 
b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/security/TestDelegationToken.java
index 077b10320fd..d905609a1cb 100644
--- 
a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/security/TestDelegationToken.java
+++ 
b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/security/TestDelegationToken.java
@@ -20,6 +20,7 @@ package org.apache.hadoop.hdfs.security;
 
 
 
+import static 
org.apache.hadoop.security.authentication.util.KerberosName.setRules;
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertFalse;
 import static org.junit.Assert.assertTrue;
@@ -29,6 +30,10 @@ import java.io.DataInputStream;
 import java.io.IOException;
 import java.net.URI;
 import java.security.PrivilegedExceptionAction;
+import java.util.Collection;
+import java.util.HashSet;
+import java.util.Set;
+
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.apache.hadoop.conf.Configuration;
@@ -54,6 +59,7 @@ import org.apache.hadoop.security.Credentials;
 import org.apache.hadoop.security.UserGroupInformation;
 import org.apache.hadoop.security.token.SecretManager.InvalidToken;
 import org.apache.hadoop.security.token.Token;
+import 
org.apache.hadoop.security.token.delegation.AbstractDelegationTokenSecretManager;
 import org.apache.hadoop.test.GenericTestUtils;
 import org.slf4j.event.Level;
 import org.junit.After;
@@ -376,4 +382,30 @@ public class TestDelegationToken {
         " for SomeUser with renewer JobTracker",
         dtId.toStringStable());
   }
+
+  @Test
+  public void testLogExpireTokensWhenChangeRules() throws IOException {
+    setRules("RULE:[2:$1@$0](SomeUser.*)s/.*/SomeUser/");
+    DelegationTokenIdentifier dtId = new DelegationTokenIdentifier(
+        new Text("SomeUser/h...@example.com"),
+        new Text("SomeUser/h...@example.com"),
+        new Text("SomeUser/h...@example.com"));
+    Set<DelegationTokenIdentifier> expiredTokens = new HashSet();
+    expiredTokens.add(dtId);
+    setRules("RULE:[2:$1@$0](OtherUser.*)s/.*/OtherUser/");
+    //rules was modified, causing the existing tokens
+    //(May be loaded from other storage systems like zookeeper) to fail to 
match the kerberos rules,
+    //return an exception that cannot be handled
+    new AbstractDelegationTokenSecretManager<DelegationTokenIdentifier>(10 * 
1000, 10 * 1000,
+        10 * 1000, 10 * 1000) {
+      @Override
+      public DelegationTokenIdentifier createIdentifier() {
+        return null;
+      }
+      public void logExpireTokens(Collection<DelegationTokenIdentifier> 
expiredTokens)
+          throws IOException {
+        super.logExpireTokens(expiredTokens);
+      }
+    }.logExpireTokens(expiredTokens);
+  }
 }
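Review bot: `testLogExpireTokensWhenChangeRules` leaves the static Kerberos rules set to the `OtherUser` rule, because both `setRules(...)` calls change process-wide state and nothing restores it. Later tests in the same JVM that resolve principals may then fail or pass for the wrong reason. Saving the previous value and restoring it in a `finally` would isolate the test, e.g. `String saved = KerberosName.getRules();` before the first call and `setRules(saved);` in the `finally`; this assumes `setRules` accepts the value `getRules` returns when no rules were set. The test also asserts nothing about the result, so it passes as long as no exception escapes; capturing the log and checking for the `SequenceNumber=` fallback text would pin the behaviour. `new HashSet()` is a raw type; `new HashSet<>()` avoids the unchecked warning.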

