ASF GitHub Bot logged work on HADOOP-16761:
-------------------------------------------
Author: ASF GitHub Bot
Created on: 30/Sep/21 02:40
Start Date: 30/Sep/21 02:40
Worklog Time Spent: 10m
Work Description: jojochuang commented on a change in pull request #1769:
URL: https://github.com/apache/hadoop/pull/1769#discussion_r719014782
##########
File path:
hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestSecureEncryptionZoneWithKMS.java
##########
@@ -337,4 +350,93 @@ public void testCreateZoneAfterAuthTokenExpiry() throws
Exception {
return null;
});
}
+
+ private static class KerberosConfiguration
+ extends javax.security.auth.login.Configuration {
+ private String principal;
+ private String keytab;
+
+ public KerberosConfiguration(String principal, String keytab) {
+ this.principal = principal;
+ this.keytab = keytab;
+ }
+
+ @Override
+ public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
+ Map<String, String> options = new HashMap<String, String>();
+ options.put("keyTab", keytab);
+ options.put("principal", principal);
+ options.put("useKeyTab", "true");
+ options.put("storeKey", "true");
+ options.put("doNotPrompt", "true");
+ options.put("useTicketCache", "true");
+ options.put("renewTGT", "true");
+ options.put("refreshKrb5Config", "true");
+ options.put("isInitiator", "true");
+ String ticketCache = System.getenv("KRB5CCNAME");
+ if (ticketCache != null) {
+ options.put("ticketCache", ticketCache);
+ }
+ options.put("debug", "true");
+
+ return new AppConfigurationEntry[]{
+ new AppConfigurationEntry(KerberosUtil.getKrb5LoginModuleName(),
+ AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
+ options),};
+ }
+ }
+
+ <T> T doAsWithExternalLogin(String principal, String keytab,
+ final Callable<T> callable) throws Exception {
+ LoginContext loginContext = null;
+ try {
+ Set<Principal> principals = new HashSet<Principal>();
+ principals.add(new KerberosPrincipal(principal));
+ Subject subject = new Subject(false, principals,
+ new HashSet<Object>(), new HashSet<Object>());
+ loginContext = new LoginContext("", subject, null,
+ new KerberosConfiguration(principal, keytab));
+ loginContext.login();
+ subject = loginContext.getSubject();
+ return Subject.doAs(subject, new PrivilegedExceptionAction<T>() {
+ @Override
+ public T run() throws Exception {
+ return callable.call();
+ }
+ });
+ } catch (PrivilegedActionException ex) {
+ throw ex.getException();
+ } finally {
+ if (loginContext != null) {
+ loginContext.logout();
+ }
+ }
+ }
+
+
+ @Test
+ public void testCreateZoneWithExternalLogin() throws Exception {
+ doAsWithExternalLogin(hdfsPrincipal, keytab, this::getCreateZoneCallable);
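Review bot: The `finally` block in `doAsWithExternalLogin` calls `loginContext.logout()` even when `loginContext.login()` itself threw, so if logout throws (for example because the login module never populated the hand-built Subject) that exception masks the real cause of the failed login in the test report. Track whether login succeeded and only log out in that case, e.g. `boolean loggedIn = false;` before the `try`, `loggedIn = true;` right after `loginContext.login();`, and `if (loggedIn) { loginContext.logout(); }` in the `finally`. The helper also deserves a one-line Javadoc saying why it builds its own `LoginContext` instead of going through the usual Hadoop login path, presumably so the KMS client sees a Subject that Hadoop did not create. The enclosing `testCreateZoneWithExternalLogin` method continues past the end of the quoted hunk.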
Review comment:
Also, the test alone doesn't fail without the change even after the fix
above, which means the test does not reproduce the issue.
##########
File path:
hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestSecureEncryptionZoneWithKMS.java
##########
@@ -337,4 +350,93 @@ public void testCreateZoneAfterAuthTokenExpiry() throws
Exception {
return null;
});
}
+
+ private static class KerberosConfiguration
+ extends javax.security.auth.login.Configuration {
+ private String principal;
+ private String keytab;
+
+ public KerberosConfiguration(String principal, String keytab) {
+ this.principal = principal;
+ this.keytab = keytab;
+ }
+
+ @Override
+ public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
+ Map<String, String> options = new HashMap<String, String>();
+ options.put("keyTab", keytab);
+ options.put("principal", principal);
+ options.put("useKeyTab", "true");
+ options.put("storeKey", "true");
+ options.put("doNotPrompt", "true");
+ options.put("useTicketCache", "true");
+ options.put("renewTGT", "true");
+ options.put("refreshKrb5Config", "true");
+ options.put("isInitiator", "true");
+ String ticketCache = System.getenv("KRB5CCNAME");
+ if (ticketCache != null) {
+ options.put("ticketCache", ticketCache);
+ }
+ options.put("debug", "true");
+
+ return new AppConfigurationEntry[]{
+ new AppConfigurationEntry(KerberosUtil.getKrb5LoginModuleName(),
+ AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
+ options),};
+ }
+ }
+
+ <T> T doAsWithExternalLogin(String principal, String keytab,
+ final Callable<T> callable) throws Exception {
+ LoginContext loginContext = null;
+ try {
+ Set<Principal> principals = new HashSet<Principal>();
+ principals.add(new KerberosPrincipal(principal));
+ Subject subject = new Subject(false, principals,
+ new HashSet<Object>(), new HashSet<Object>());
+ loginContext = new LoginContext("", subject, null,
+ new KerberosConfiguration(principal, keytab));
+ loginContext.login();
+ subject = loginContext.getSubject();
+ return Subject.doAs(subject, new PrivilegedExceptionAction<T>() {
+ @Override
+ public T run() throws Exception {
+ return callable.call();
+ }
+ });
+ } catch (PrivilegedActionException ex) {
+ throw ex.getException();
+ } finally {
+ if (loginContext != null) {
+ loginContext.logout();
+ }
+ }
+ }
+
+
+ @Test
+ public void testCreateZoneWithExternalLogin() throws Exception {
+ doAsWithExternalLogin(hdfsPrincipal, keytab, this::getCreateZoneCallable);
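Review bot: `KerberosConfiguration.getAppConfigurationEntry` hard-codes `options.put("debug", "true")`, which makes the Krb5 login module print its login diagnostics to stdout on every run rather than only when someone is chasing a failure; either drop it before merge or gate it, e.g. `options.put("debug", Boolean.toString(LOG.isDebugEnabled()));` if the test class already has a logger. The entry also sets `useKeyTab`, `useTicketCache` and a keytab path together, so as far as the module's documented behaviour goes the login can be satisfied from the keytab whenever no usable ticket cache is present, which is worth stating on the class so readers know the "external" ticket is optional: `// Prefers the cache named by KRB5CCNAME; falls back to the keytab when no usable cache exists`. The enclosing `testCreateZoneWithExternalLogin` method continues past the end of the quoted hunk.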
Review comment:
This is incorrect: the callable never gets called.
Suggest to change this::getCreateZoneCallable --> getCreateZoneCallable()
> KMSClientProvider does not work with client using ticket logged in externally
> ------------------------------------------------------------------------------
>
> Key: HADOOP-16761
> URL: https://issues.apache.org/jira/browse/HADOOP-16761
> Project: Hadoop Common
> Issue Type: Bug
> Reporter: Xiaoyu Yao
> Assignee: Dongjoon Hyun
> Priority: Blocker
> Time Spent: 10m
> Remaining Estimate: 0h
>
> This is a regression from HDFS-13682, which checks not only the Kerberos
> credential but also enforces that the login is non-external. This breaks
> client applications that need to access HDFS encrypted files using a
> Kerberos ticket that was obtained externally and stored in the ticket cache.
>
>