Hi Lulynn, I've commented in the JIRA, now that I see your email that gives me a bit more of context on what you are trying to do.
If I understand correctly, you are trying to use this outside of Hadoop. If that is the case you should set the <PREFIX>.kerberos.name.rules=DEFAULT (or a custom name.rules if you have one) in your hadoop-auth AuthenticationFilter configuration. This is required because you are not initializing UGI before initializing the filter.

Thanks.

On Mon, Jul 1, 2013 at 3:41 AM, lulynn_2008 <lulynn_2...@163.com> wrote:

> Hi All,
>
> I am trying to add kerberos support to a web servlet via hadoop
> authentication classes. This is to make this web servlet server to
> authenticate its client via kerberos. I assume this should work. Right?
>
> The whole design is to add AuthFilter at server side and
> AuthenticatedURL.injectToken(conn, currentToken) during create connection
> at client side. But the process failed at KerberosName.rules, I made a fix
> based on 2.0.4-alpha branch. Could you please help to review it and give
> some suggestions? I think with this fix, we can add kerberos support to any
> web servlet via hadoop authentication classes. I have opened HADOOP-9679 to
> trace this issue and applied the patch.
>
> Error:
> The process failed during AuthenticationFilter.doFilter, with following
> error:
> java.lang.NullPointerException
>     at org.apache.hadoop.security.KerberosName.getShortName(KerberosName.java:384)
>     at org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler$2.run(KerberosAuthenticationHandler.java:328)
>     at org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler$2.run(KerberosAuthenticationHandler.java:302)
>     at java.security.AccessController.doPrivileged(AccessController.java:310)
>     at javax.security.auth.Subject.doAs(Subject.java:573)
>     at org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler.authenticate(KerberosAuthenticationHandler.java:302)
>     at org.apache.hadoop.security.authentication.server.AuthenticationFilter.doFilter(AuthenticationFilter.java:340)
>
>
> Root cause:
> this error happened because KerberosName.rules are not initialized. I
> found that this parameter only be initialized during initialize
> UserGroupInformation which is used for manager hadoop user and group. Then
> this parameter will be initialized during hadoop client(like oozie) access
> hadoop. But the servlet I am testing is not hadoop client, then current
> there is no place for initializing it. But I think we should make it work
> via value KerberosName.rules with default value "DEFAULT".
>
> FIX:
> Following is my draft fix based on hadoop-2.0.4-alpha branch, with this
> fix, my test web servlet can support kerberos now.
> --- > a/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/KerberosAuthenticationHandler.java > +++ > b/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/KerberosAuthenticationHandler.java 
> @@ -308,6 +308,10 @@ public AuthenticationToken run() throws Exception { > } else { > String clientPrincipal = > gssContext.getSrcName().toString(); > KerberosName kerberosName = new > KerberosName(clientPrincipal); > + if( !KerberosName.hasRulesBeenSet()){ > + LOG.warn("No rules applied to " + > kerberosName.toString() + ". Using DEFAULT rules."); > + KerberosName.setRules("DEFAULT"); > + } > String userName = kerberosName.getShortName(); > token = new AuthenticationToken(userName, > clientPrincipal, getType()); > response.setStatus(HttpServletResponse.SC_OK); > > > -- Alejandro
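Review bot: The fallback is placed inside run(), which the stack trace shows is reached from AuthenticationFilter.doFilter on every request, and it changes static KerberosName state with an unsynchronized check-then-set (hasRulesBeenSet() followed by setRules("DEFAULT")), so concurrent first requests can both enter the branch. Consider doing this once when the handler is initialized, and taking the rules from the filter configuration (the <PREFIX>.kerberos.name.rules property mentioned in the reply) instead of hard-coding "DEFAULT", so a deployment that needs custom rules does not silently get the default mapping. The warning text also names the client principal although the missing rules are a process-wide condition, not a property of that principal. Style: `if( !KerberosName.hasRulesBeenSet()){` should be spaced as `if (!KerberosName.hasRulesBeenSet()) {`.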
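The configuration suggested in the reply above, as an added example that is not part of the original thread or of the Hadoop project's own files: a web.xml fragment that registers the hadoop-auth AuthenticationFilter with kerberos.name.rules set explicitly. The filter name, URL pattern, principal and keytab path are constructed placeholders, and the fragment assumes no config.prefix is used, so the parameter names carry no <PREFIX>.

```xml
<!-- Added example: hadoop-auth filter for a servlet running outside Hadoop. -->
<filter>
  <filter-name>kerberosAuthFilter</filter-name> <!-- placeholder name -->
  <filter-class>org.apache.hadoop.security.authentication.server.AuthenticationFilter</filter-class>

  <!-- Select the Kerberos (SPNEGO) authentication handler. -->
  <init-param>
    <param-name>type</param-name>
    <param-value>kerberos</param-value>
  </init-param>

  <!-- Service principal of the web application; placeholder host and realm. -->
  <init-param>
    <param-name>kerberos.principal</param-name>
    <param-value>HTTP/host.example.com@EXAMPLE.COM</param-value>
  </init-param>

  <!-- Keytab holding the key for the principal above; placeholder path.
       Keep it readable only by the account that runs the servlet container. -->
  <init-param>
    <param-name>kerberos.keytab</param-name>
    <param-value>/etc/security/keytabs/http.service.keytab</param-value>
  </init-param>

  <!-- The setting from the reply: name rules supplied through the filter
       configuration, because UGI is not initialized before the filter.
       Replace DEFAULT with custom rules if the deployment has them. -->
  <init-param>
    <param-name>kerberos.name.rules</param-name>
    <param-value>DEFAULT</param-value>
  </init-param>
</filter>

<filter-mapping>
  <filter-name>kerberosAuthFilter</filter-name>
  <url-pattern>/*</url-pattern> <!-- placeholder: protect every path -->
</filter-mapping>
```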