jojochuang commented on a change in pull request #1769:
URL: https://github.com/apache/hadoop/pull/1769#discussion_r719014782



##########
File path: 
hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestSecureEncryptionZoneWithKMS.java
##########
@@ -337,4 +350,93 @@ public void testCreateZoneAfterAuthTokenExpiry() throws 
Exception {
       return null;
     });
   }
+
+  private static class KerberosConfiguration
+      extends javax.security.auth.login.Configuration {
+    private String principal;
+    private String keytab;
+
+    public KerberosConfiguration(String principal, String keytab) {
+      this.principal = principal;
+      this.keytab = keytab;
+    }
+
+    @Override
+    public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
+      Map<String, String> options = new HashMap<String, String>();
+      options.put("keyTab", keytab);
+      options.put("principal", principal);
+      options.put("useKeyTab", "true");
+      options.put("storeKey", "true");
+      options.put("doNotPrompt", "true");
+      options.put("useTicketCache", "true");
+      options.put("renewTGT", "true");
+      options.put("refreshKrb5Config", "true");
+      options.put("isInitiator", "true");
+      String ticketCache = System.getenv("KRB5CCNAME");
+      if (ticketCache != null) {
+        options.put("ticketCache", ticketCache);
+      }
+      options.put("debug", "true");
+
+      return new AppConfigurationEntry[]{
+          new AppConfigurationEntry(KerberosUtil.getKrb5LoginModuleName(),
+              AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
+              options),};
+    }
+  }
+
+  <T> T doAsWithExternalLogin(String principal, String keytab,
+      final Callable<T> callable) throws Exception {
+    LoginContext loginContext = null;
+    try {
+      Set<Principal> principals = new HashSet<Principal>();
+      principals.add(new KerberosPrincipal(principal));
+      Subject subject = new Subject(false, principals,
+          new HashSet<Object>(), new HashSet<Object>());
+      loginContext = new LoginContext("", subject, null,
+          new KerberosConfiguration(principal, keytab));
+      loginContext.login();
+      subject = loginContext.getSubject();
+      return Subject.doAs(subject, new PrivilegedExceptionAction<T>() {
+        @Override
+        public T run() throws Exception {
+          return callable.call();
+        }
+      });
+    } catch (PrivilegedActionException ex) {
+      throw ex.getException();
+    } finally {
+      if (loginContext != null) {
+        loginContext.logout();
+      }
+    }
+  }
+
+
+  @Test
+  public void testCreateZoneWithExternalLogin() throws Exception {
+    doAsWithExternalLogin(hdfsPrincipal, keytab, this::getCreateZoneCallable);
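Review bot: In `KerberosConfiguration.getAppConfigurationEntry`, `useTicketCache` is set to `"true"` and `ticketCache` is taken from `KRB5CCNAME`, so the login in `doAsWithExternalLogin` can be satisfied from whatever credential cache the build machine's environment points at rather than from the test keytab. For a hermetic test I would drop the `useTicketCache`, `renewTGT` and `KRB5CCNAME` lines so that the keytab is the only credential source. `options.put("debug", "true")` is also unconditional, which presumably writes the login module's trace (principal and keytab path included) into the test output; consider removing it or gating it on a system property. The same lines appear in the second quoted copy of this hunk, and the body of `testCreateZoneWithExternalLogin` continues past the quoted part.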

Review comment:
       also, the test alone doesn't fail without the change even after the fix 
above, which means the test does not reproduce the issue.

##########
File path: 
hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestSecureEncryptionZoneWithKMS.java
##########
@@ -337,4 +350,93 @@ public void testCreateZoneAfterAuthTokenExpiry() throws 
Exception {
       return null;
     });
   }
+
+  private static class KerberosConfiguration
+      extends javax.security.auth.login.Configuration {
+    private String principal;
+    private String keytab;
+
+    public KerberosConfiguration(String principal, String keytab) {
+      this.principal = principal;
+      this.keytab = keytab;
+    }
+
+    @Override
+    public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
+      Map<String, String> options = new HashMap<String, String>();
+      options.put("keyTab", keytab);
+      options.put("principal", principal);
+      options.put("useKeyTab", "true");
+      options.put("storeKey", "true");
+      options.put("doNotPrompt", "true");
+      options.put("useTicketCache", "true");
+      options.put("renewTGT", "true");
+      options.put("refreshKrb5Config", "true");
+      options.put("isInitiator", "true");
+      String ticketCache = System.getenv("KRB5CCNAME");
+      if (ticketCache != null) {
+        options.put("ticketCache", ticketCache);
+      }
+      options.put("debug", "true");
+
+      return new AppConfigurationEntry[]{
+          new AppConfigurationEntry(KerberosUtil.getKrb5LoginModuleName(),
+              AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
+              options),};
+    }
+  }
+
+  <T> T doAsWithExternalLogin(String principal, String keytab,
+      final Callable<T> callable) throws Exception {
+    LoginContext loginContext = null;
+    try {
+      Set<Principal> principals = new HashSet<Principal>();
+      principals.add(new KerberosPrincipal(principal));
+      Subject subject = new Subject(false, principals,
+          new HashSet<Object>(), new HashSet<Object>());
+      loginContext = new LoginContext("", subject, null,
+          new KerberosConfiguration(principal, keytab));
+      loginContext.login();
+      subject = loginContext.getSubject();
+      return Subject.doAs(subject, new PrivilegedExceptionAction<T>() {
+        @Override
+        public T run() throws Exception {
+          return callable.call();
+        }
+      });
+    } catch (PrivilegedActionException ex) {
+      throw ex.getException();
+    } finally {
+      if (loginContext != null) {
+        loginContext.logout();
+      }
+    }
+  }
+
+
+  @Test
+  public void testCreateZoneWithExternalLogin() throws Exception {
+    doAsWithExternalLogin(hdfsPrincipal, keytab, this::getCreateZoneCallable);

Review comment:
       this is incorrect. The callable never gets called.
   Suggest changing this::getCreateZoneCallable --> getCreateZoneCallable()
   



