HADOOP-13018. Make Kdiag check whether hadoop.token.files points to existent and valid files. Contributed by Ravi Prakash
Project: http://git-wip-us.apache.org/repos/asf/hadoop/repo Commit: http://git-wip-us.apache.org/repos/asf/hadoop/commit/abb9fa7f Tree: http://git-wip-us.apache.org/repos/asf/hadoop/tree/abb9fa7f Diff: http://git-wip-us.apache.org/repos/asf/hadoop/diff/abb9fa7f Branch: refs/heads/HADOOP-13345 Commit: abb9fa7fc69ec7b25f1c44e17c4c7dd17f5de16a Parents: eb0a483 Author: Steve Loughran <ste...@apache.org> Authored: Thu Nov 24 16:41:35 2016 +0000 Committer: Steve Loughran <ste...@apache.org> Committed: Thu Nov 24 16:41:59 2016 +0000 ---------------------------------------------------------------------- .../java/org/apache/hadoop/security/KDiag.java | 67 ++++++++++++++++++++ .../apache/hadoop/security/TestKDiagNoKDC.java | 8 +++ 2 files changed, 75 insertions(+) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/hadoop/blob/abb9fa7f/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/KDiag.java ---------------------------------------------------------------------- diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/KDiag.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/KDiag.java index 266bba0..542a502 100644 --- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/KDiag.java +++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/KDiag.java @@ -38,6 +38,7 @@ import org.slf4j.Logger; import org.slf4j.LoggerFactory; import javax.crypto.Cipher; + import java.io.Closeable; import java.io.File; import java.io.FileInputStream; 
@@ -61,6 +62,7 @@ import static org.apache.hadoop.security.UserGroupInformation.*; import static org.apache.hadoop.security.authentication.util.KerberosUtil.*; import static org.apache.hadoop.util.StringUtils.popOption; import static org.apache.hadoop.util.StringUtils.popOptionWithArgument; +import static org.apache.hadoop.fs.CommonConfigurationKeysPublic.HADOOP_TOKEN_FILES; /** * Kerberos diagnostics @@ -145,6 +147,7 @@ public class KDiag extends Configured implements Tool, Closeable { public static final String CAT_OS = "JAAS"; public static final String CAT_SASL = "SASL"; public static final String CAT_UGI = "UGI"; + public static final String CAT_TOKEN = "TOKEN"; public static final String ARG_KEYLEN = "--keylen"; public static final String ARG_KEYTAB = "--keytab"; @@ -371,6 +374,7 @@ public class KDiag extends Configured implements Tool, Closeable { try { UserGroupInformation.setConfiguration(conf); + validateHadoopTokenFiles(conf); validateKrb5File(); printDefaultRealm(); validateSasl(HADOOP_SECURITY_SASL_PROPS_RESOLVER_CLASS); 
@@ -501,6 +505,47 @@ public class KDiag extends Configured implements Tool, Closeable { } /** + * Validate that hadoop.token.files (if specified) exist and are valid. + * @throws ClassNotFoundException + * @throws SecurityException + * @throws NoSuchMethodException + * @throws KerberosDiagsFailure + */ + private void validateHadoopTokenFiles(Configuration conf) + throws ClassNotFoundException, KerberosDiagsFailure, NoSuchMethodException, + SecurityException { + title("Locating Hadoop token files"); + + String tokenFileLocation = System.getProperty(HADOOP_TOKEN_FILES); + if(tokenFileLocation != null) { + println("Found " + HADOOP_TOKEN_FILES + " in system properties : " + + tokenFileLocation); + } + + if(conf.get(HADOOP_TOKEN_FILES) != null) { + println("Found " + HADOOP_TOKEN_FILES + " in hadoop configuration : " + + conf.get(HADOOP_TOKEN_FILES)); + if(System.getProperty(HADOOP_TOKEN_FILES) != null) { + println(HADOOP_TOKEN_FILES + " in the system properties overrides the" + + " one specified in hadoop configuration"); + } else { + tokenFileLocation = conf.get(HADOOP_TOKEN_FILES); + } + } + + if (tokenFileLocation != null) { + for (String tokenFileName: + StringUtils.getTrimmedStrings(tokenFileLocation)) { + if (tokenFileName.length() > 0) { + File tokenFile = new File(tokenFileName); + verifyFileIsValid(tokenFile, CAT_TOKEN, "token"); + verify(tokenFile, conf, CAT_TOKEN, "token"); + } + } + } + } + + /** * Locate the {@code krb5.conf} file and dump it. * * No-op on windows. 
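Review bot: In validateHadoopTokenFiles the results of both checks inside the loop are discarded, so when `nofail` is set a path that verifyFileIsValid has already reported is still handed to verify() and the same file is reported a second time. If verifyFileIsValid returns a boolean the way verify() does (its definition is outside this hunk), chain them: `if (verifyFileIsValid(tokenFile, CAT_TOKEN, "token")) { verify(tokenFile, conf, CAT_TOKEN, "token"); }`. The `throws` clause lists ClassNotFoundException, NoSuchMethodException and SecurityException, which nothing visible in the body raises, and the matching `@throws` tags are empty; trim the clause to KerberosDiagsFailure and add `@param conf`. Since token files hold delegation tokens, a follow-up worth considering is a warning when the file is readable by users other than its owner, which this existence-and-parse check does not cover.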
@@ -929,6 +974,28 @@ public class KDiag extends Configured implements Tool, Closeable { } /** + * Verify that tokenFile contains valid Credentials. + * + * If not, an exception is raised, or, if {@link #nofail} is set, + * an error will be logged and the method return false. + * + */ + private boolean verify(File tokenFile, Configuration conf, String category, + String message) throws KerberosDiagsFailure { + try { + Credentials.readTokenStorageFile(tokenFile, conf); + } catch(Exception e) { + if (!nofail) { + fail(category, message); + } else { + error(category, message); + } + return false; + } + return true; + } + + /** * Print a message as an error * @param category error category * @param message format string http://git-wip-us.apache.org/repos/asf/hadoop/blob/abb9fa7f/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestKDiagNoKDC.java ---------------------------------------------------------------------- diff --git a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestKDiagNoKDC.java b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestKDiagNoKDC.java index 9d4b87f..dbc40c5 100644 --- a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestKDiagNoKDC.java +++ b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestKDiagNoKDC.java @@ -34,6 +34,7 @@ import org.slf4j.LoggerFactory; import java.io.File; import java.util.Properties; +import static org.apache.hadoop.fs.CommonConfigurationKeysPublic.HADOOP_TOKEN_FILES; import static org.apache.hadoop.fs.CommonConfigurationKeysPublic.HADOOP_SECURITY_AUTHENTICATION; import static org.apache.hadoop.security.KDiag.ARG_KEYLEN; import static org.apache.hadoop.security.KDiag.ARG_KEYTAB; 
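Review bot: verify() catches `Exception` and drops it, and the only caller in this commit passes the bare word "token" as the message, so the operator sees a TOKEN failure with neither the file path nor the reason the credentials could not be read. The Javadoc of error() just below describes `message` as a format string, so, assuming fail() and error() accept format arguments, something like `fail(category, "Cannot read %s file %s: %s", message, tokenFile, e);` keeps the cause without printing any token contents. Catching `IOException` rather than `Exception` would keep unexpected runtime errors from being reported as a bad token file; I believe that is what Credentials.readTokenStorageFile declares, but confirm against its signature. The Javadoc should also gain `@param` and `@return` tags.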
@@ -44,6 +45,7 @@ import static org.apache.hadoop.security.KDiag.ARG_SECURE; import static org.apache.hadoop.security.KDiag.CAT_CONFIG; import static org.apache.hadoop.security.KDiag.CAT_KERBEROS; import static org.apache.hadoop.security.KDiag.CAT_LOGIN; +import static org.apache.hadoop.security.KDiag.CAT_TOKEN; import static org.apache.hadoop.security.KDiag.KerberosDiagsFailure; import static org.apache.hadoop.security.KDiag.exec; @@ -120,4 +122,10 @@ public class TestKDiagNoKDC extends Assert { assertEquals(-1, kdiag("usage")); } + @Test + public void testTokenFile() throws Throwable { + conf.set(HADOOP_TOKEN_FILES, "SomeNonExistentFile"); + kdiagFailure(CAT_TOKEN, ARG_KEYLEN, KEYLEN); + conf.unset(HADOOP_TOKEN_FILES); + } } --------------------------------------------------------------------- To unsubscribe, e-mail: common-commits-unsubscr...@hadoop.apache.org For additional commands, e-mail: common-commits-h...@hadoop.apache.org
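Review bot: In testTokenFile (the `@@ -120,4 +122,10 @@` hunk) `conf.unset(HADOOP_TOKEN_FILES)` is skipped whenever kdiagFailure throws, so if `conf` is shared between tests a failing run leaves the bogus path set for the tests that follow. Wrap the call: `try { kdiagFailure(CAT_TOKEN, ARG_KEYLEN, KEYLEN); } finally { conf.unset(HADOOP_TOKEN_FILES); }`. The test also exercises only a missing file; a case with an existing file that is not a valid credentials file would cover the new verify() path, and one that sets the system property would cover the override branch.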