[03/35] hadoop git commit: HDFS-13040. Kerberized inotify client fails despite kinit properly. Contributed by Istvan Fajth, Wei-Chiu Chuang, Xiao Chen.
HDFS-13040. Kerberized inotify client fails despite kinit properly. Contributed
by Istvan Fajth, Wei-Chiu Chuang, Xiao Chen.
Project: http://git-wip-us.apache.org/repos/asf/hadoop/repo
Commit: http://git-wip-us.apache.org/repos/asf/hadoop/commit/c75105f0
Tree: http://git-wip-us.apache.org/repos/asf/hadoop/tree/c75105f0
Diff: http://git-wip-us.apache.org/repos/asf/hadoop/diff/c75105f0
Branch: refs/heads/HDFS-7240
Commit: c75105f07b4cdbc2773435fc1125446233113c15
Parents: e99a1e7
Author: Xiao Chen
Authored: Fri Mar 2 16:45:07 2018 -0800
Committer: Xiao Chen
Committed: Fri Mar 2 16:46:04 2018 -0800
--
.../hdfs/server/namenode/NameNodeRpcServer.java | 22 +-
...estDFSInotifyEventInputStreamKerberized.java | 223 +++
.../hadoop/hdfs/qjournal/MiniQJMHACluster.java | 21 +-
3 files changed, 260 insertions(+), 6 deletions(-)
--
http://git-wip-us.apache.org/repos/asf/hadoop/blob/c75105f0/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/NameNodeRpcServer.java
--
diff --git
a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/NameNodeRpcServer.java
b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/NameNodeRpcServer.java
index 121d17c..9494263 100644
---
a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/NameNodeRpcServer.java
+++
b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/NameNodeRpcServer.java
@@ -34,6 +34,7 @@ import static org.apache.hadoop.util.Time.now;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.net.InetSocketAddress;
+import java.security.PrivilegedExceptionAction;
import java.util.Arrays;
import java.util.Collection;
import java.util.EnumSet;
@@ -189,6 +190,7 @@ import org.apache.hadoop.ipc.RefreshResponse;
import org.apache.hadoop.net.Node;
import org.apache.hadoop.security.AccessControlException;
import org.apache.hadoop.security.Groups;
+import org.apache.hadoop.security.SecurityUtil;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.authorize.AuthorizationException;
import org.apache.hadoop.security.authorize.ProxyUsers;
@@ -2253,6 +2255,24 @@ public class NameNodeRpcServer implements
NamenodeProtocols {
// guaranteed to have been written by this NameNode.)
boolean readInProgress = syncTxid > 0;
+// doas the NN login user for the actual operations to get edits.
+// Notably this is necessary when polling from the remote edits via https.
+// We have validated the client is a superuser from the NN RPC, so this
+// running as the login user here is safe.
+EventBatchList ret = SecurityUtil.doAsLoginUser(
+new PrivilegedExceptionAction() {
+ @Override
+ public EventBatchList run() throws IOException {
+return getEventBatchList(syncTxid, txid, log, readInProgress,
+maxEventsPerRPC);
+ }
+});
+return ret;
+ }
+
+ private EventBatchList getEventBatchList(long syncTxid, long txid,
+ FSEditLog log, boolean readInProgress, int maxEventsPerRPC)
+ throws IOException {
List batches = Lists.newArrayList();
int totalEvents = 0;
long maxSeenTxid = -1;
@@ -2271,7 +2291,7 @@ public class NameNodeRpcServer implements
NamenodeProtocols {
// and are using QJM -- the edit log will be closed and this exception
// will result
LOG.info("NN is transitioning from active to standby and FSEditLog " +
- "is closed -- could not read edits");
+ "is closed -- could not read edits");
return new EventBatchList(batches, firstSeenTxid, maxSeenTxid, syncTxid);
}
http://git-wip-us.apache.org/repos/asf/hadoop/blob/c75105f0/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestDFSInotifyEventInputStreamKerberized.java
--
diff --git
a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestDFSInotifyEventInputStreamKerberized.java
b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestDFSInotifyEventInputStreamKerberized.java
new file mode 100644
index 000..ace7c3b
--- /dev/null
+++
b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestDFSInotifyEventInputStreamKerberized.java
@@ -0,0 +1,223 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you
hadoop git commit: HDFS-13040. Kerberized inotify client fails despite kinit properly. Contributed by Istvan Fajth, Wei-Chiu Chuang, Xiao Chen.
Repository: hadoop
Updated Branches:
refs/heads/branch-2 c24505053 -> 0882725c8
HDFS-13040. Kerberized inotify client fails despite kinit properly. Contributed
by Istvan Fajth, Wei-Chiu Chuang, Xiao Chen.
Project: http://git-wip-us.apache.org/repos/asf/hadoop/repo
Commit: http://git-wip-us.apache.org/repos/asf/hadoop/commit/0882725c
Tree: http://git-wip-us.apache.org/repos/asf/hadoop/tree/0882725c
Diff: http://git-wip-us.apache.org/repos/asf/hadoop/diff/0882725c
Branch: refs/heads/branch-2
Commit: 0882725c889f6d77dd7feae986a84bf63cc5f053
Parents: c245050
Author: Xiao Chen
Authored: Mon Mar 5 09:38:04 2018 -0800
Committer: Xiao Chen
Committed: Mon Mar 5 09:44:42 2018 -0800
--
.../hdfs/server/namenode/NameNodeRpcServer.java | 32
.../hadoop/hdfs/qjournal/MiniQJMHACluster.java | 19 +---
2 files changed, 41 insertions(+), 10 deletions(-)
--
http://git-wip-us.apache.org/repos/asf/hadoop/blob/0882725c/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/NameNodeRpcServer.java
--
diff --git
a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/NameNodeRpcServer.java
b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/NameNodeRpcServer.java
index 89571f4..e6d03bb 100644
---
a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/NameNodeRpcServer.java
+++
b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/NameNodeRpcServer.java
@@ -33,6 +33,7 @@ import static org.apache.hadoop.util.Time.now;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.net.InetSocketAddress;
+import java.security.PrivilegedExceptionAction;
import java.util.Arrays;
import java.util.Collection;
import java.util.EnumSet;
@@ -175,6 +176,7 @@ import org.apache.hadoop.ipc.RefreshResponse;
import org.apache.hadoop.net.Node;
import org.apache.hadoop.security.AccessControlException;
import org.apache.hadoop.security.Groups;
+import org.apache.hadoop.security.SecurityUtil;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.authorize.AuthorizationException;
import org.apache.hadoop.security.authorize.ProxyUsers;
@@ -2113,15 +2115,15 @@ public class NameNodeRpcServer implements
NamenodeProtocols {
}
@Override // ClientProtocol
- public EventBatchList getEditsFromTxid(long txid) throws IOException {
+ public EventBatchList getEditsFromTxid(final long txid) throws IOException {
checkNNStartup();
namesystem.checkOperation(OperationCategory.READ); // only active
namesystem.checkSuperuserPrivilege();
-int maxEventsPerRPC = nn.getConf().getInt(
+final int maxEventsPerRPC = nn.getConf().getInt(
DFSConfigKeys.DFS_NAMENODE_INOTIFY_MAX_EVENTS_PER_RPC_KEY,
DFSConfigKeys.DFS_NAMENODE_INOTIFY_MAX_EVENTS_PER_RPC_DEFAULT);
-FSEditLog log = namesystem.getFSImage().getEditLog();
-long syncTxid = log.getSyncTxId();
+final FSEditLog log = namesystem.getFSImage().getEditLog();
+final long syncTxid = log.getSyncTxId();
// If we haven't synced anything yet, we can only read finalized
// segments since we can't reliably determine which txns in in-progress
// segments have actually been committed (e.g. written to a quorum of JNs).
@@ -2130,8 +2132,26 @@ public class NameNodeRpcServer implements
NamenodeProtocols {
// journals. (In-progress segments written by old writers are already
// discarded for us, so if we read any in-progress segments they are
// guaranteed to have been written by this NameNode.)
-boolean readInProgress = syncTxid > 0;
+final boolean readInProgress = syncTxid > 0;
+
+// doas the NN login user for the actual operations to get edits.
+// Notably this is necessary when polling from the remote edits via https.
+// We have validated the client is a superuser from the NN RPC, so this
+// running as the login user here is safe.
+EventBatchList ret = SecurityUtil.doAsLoginUser(
+new PrivilegedExceptionAction() {
+ @Override
+ public EventBatchList run() throws IOException {
+return getEventBatchList(syncTxid, txid, log, readInProgress,
+maxEventsPerRPC);
+ }
+});
+return ret;
+ }
+ private EventBatchList getEventBatchList(long syncTxid, long txid,
+ FSEditLog log, boolean readInProgress, int maxEventsPerRPC)
+ throws IOException {
List batches = Lists.newArrayList();
int totalEvents = 0;
long maxSeenTxid = -1;
@@ -2150,7 +2170,7 @@ public class NameNodeRpcServer implements
NamenodeProtocols {
// and are using QJM -- the edit log will be
hadoop git commit: HDFS-13040. Kerberized inotify client fails despite kinit properly. Contributed by Istvan Fajth, Wei-Chiu Chuang, Xiao Chen.
Repository: hadoop
Updated Branches:
refs/heads/branch-3.0 8b9a7b2e4 -> d28db463c
HDFS-13040. Kerberized inotify client fails despite kinit properly. Contributed
by Istvan Fajth, Wei-Chiu Chuang, Xiao Chen.
(cherry picked from commit c75105f07b4cdbc2773435fc1125446233113c15)
Project: http://git-wip-us.apache.org/repos/asf/hadoop/repo
Commit: http://git-wip-us.apache.org/repos/asf/hadoop/commit/d28db463
Tree: http://git-wip-us.apache.org/repos/asf/hadoop/tree/d28db463
Diff: http://git-wip-us.apache.org/repos/asf/hadoop/diff/d28db463
Branch: refs/heads/branch-3.0
Commit: d28db463c2af75f23a7d0b264a14e6ee5936a353
Parents: 8b9a7b2
Author: Xiao Chen
Authored: Fri Mar 2 16:45:07 2018 -0800
Committer: Xiao Chen
Committed: Fri Mar 2 16:47:36 2018 -0800
--
.../hdfs/server/namenode/NameNodeRpcServer.java | 22 +-
...estDFSInotifyEventInputStreamKerberized.java | 223 +++
.../hadoop/hdfs/qjournal/MiniQJMHACluster.java | 21 +-
3 files changed, 260 insertions(+), 6 deletions(-)
--
http://git-wip-us.apache.org/repos/asf/hadoop/blob/d28db463/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/NameNodeRpcServer.java
--
diff --git
a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/NameNodeRpcServer.java
b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/NameNodeRpcServer.java
index 432df34..17f57b2 100644
---
a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/NameNodeRpcServer.java
+++
b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/NameNodeRpcServer.java
@@ -34,6 +34,7 @@ import static org.apache.hadoop.util.Time.now;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.net.InetSocketAddress;
+import java.security.PrivilegedExceptionAction;
import java.util.Arrays;
import java.util.Collection;
import java.util.EnumSet;
@@ -187,6 +188,7 @@ import org.apache.hadoop.ipc.RefreshResponse;
import org.apache.hadoop.net.Node;
import org.apache.hadoop.security.AccessControlException;
import org.apache.hadoop.security.Groups;
+import org.apache.hadoop.security.SecurityUtil;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.authorize.AuthorizationException;
import org.apache.hadoop.security.authorize.ProxyUsers;
@@ -,6 +2224,24 @@ public class NameNodeRpcServer implements
NamenodeProtocols {
// guaranteed to have been written by this NameNode.)
boolean readInProgress = syncTxid > 0;
+// doas the NN login user for the actual operations to get edits.
+// Notably this is necessary when polling from the remote edits via https.
+// We have validated the client is a superuser from the NN RPC, so this
+// running as the login user here is safe.
+EventBatchList ret = SecurityUtil.doAsLoginUser(
+new PrivilegedExceptionAction() {
+ @Override
+ public EventBatchList run() throws IOException {
+return getEventBatchList(syncTxid, txid, log, readInProgress,
+maxEventsPerRPC);
+ }
+});
+return ret;
+ }
+
+ private EventBatchList getEventBatchList(long syncTxid, long txid,
+ FSEditLog log, boolean readInProgress, int maxEventsPerRPC)
+ throws IOException {
List batches = Lists.newArrayList();
int totalEvents = 0;
long maxSeenTxid = -1;
@@ -2240,7 +2260,7 @@ public class NameNodeRpcServer implements
NamenodeProtocols {
// and are using QJM -- the edit log will be closed and this exception
// will result
LOG.info("NN is transitioning from active to standby and FSEditLog " +
- "is closed -- could not read edits");
+ "is closed -- could not read edits");
return new EventBatchList(batches, firstSeenTxid, maxSeenTxid, syncTxid);
}
http://git-wip-us.apache.org/repos/asf/hadoop/blob/d28db463/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestDFSInotifyEventInputStreamKerberized.java
--
diff --git
a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestDFSInotifyEventInputStreamKerberized.java
b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestDFSInotifyEventInputStreamKerberized.java
new file mode 100644
index 000..ace7c3b
--- /dev/null
+++
b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestDFSInotifyEventInputStreamKerberized.java
@@ -0,0 +1,223 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for ad
hadoop git commit: HDFS-13040. Kerberized inotify client fails despite kinit properly. Contributed by Istvan Fajth, Wei-Chiu Chuang, Xiao Chen.
Repository: hadoop
Updated Branches:
refs/heads/branch-3.1 162e99c69 -> d35baf157
HDFS-13040. Kerberized inotify client fails despite kinit properly. Contributed
by Istvan Fajth, Wei-Chiu Chuang, Xiao Chen.
(cherry picked from commit c75105f07b4cdbc2773435fc1125446233113c15)
Project: http://git-wip-us.apache.org/repos/asf/hadoop/repo
Commit: http://git-wip-us.apache.org/repos/asf/hadoop/commit/d35baf15
Tree: http://git-wip-us.apache.org/repos/asf/hadoop/tree/d35baf15
Diff: http://git-wip-us.apache.org/repos/asf/hadoop/diff/d35baf15
Branch: refs/heads/branch-3.1
Commit: d35baf157eddd64a3fe8cf2674cf771c6f9fee2a
Parents: 162e99c
Author: Xiao Chen
Authored: Fri Mar 2 16:45:07 2018 -0800
Committer: Xiao Chen
Committed: Fri Mar 2 16:47:19 2018 -0800
--
.../hdfs/server/namenode/NameNodeRpcServer.java | 22 +-
...estDFSInotifyEventInputStreamKerberized.java | 223 +++
.../hadoop/hdfs/qjournal/MiniQJMHACluster.java | 21 +-
3 files changed, 260 insertions(+), 6 deletions(-)
--
http://git-wip-us.apache.org/repos/asf/hadoop/blob/d35baf15/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/NameNodeRpcServer.java
--
diff --git
a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/NameNodeRpcServer.java
b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/NameNodeRpcServer.java
index 121d17c..9494263 100644
---
a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/NameNodeRpcServer.java
+++
b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/NameNodeRpcServer.java
@@ -34,6 +34,7 @@ import static org.apache.hadoop.util.Time.now;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.net.InetSocketAddress;
+import java.security.PrivilegedExceptionAction;
import java.util.Arrays;
import java.util.Collection;
import java.util.EnumSet;
@@ -189,6 +190,7 @@ import org.apache.hadoop.ipc.RefreshResponse;
import org.apache.hadoop.net.Node;
import org.apache.hadoop.security.AccessControlException;
import org.apache.hadoop.security.Groups;
+import org.apache.hadoop.security.SecurityUtil;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.authorize.AuthorizationException;
import org.apache.hadoop.security.authorize.ProxyUsers;
@@ -2253,6 +2255,24 @@ public class NameNodeRpcServer implements
NamenodeProtocols {
// guaranteed to have been written by this NameNode.)
boolean readInProgress = syncTxid > 0;
+// doas the NN login user for the actual operations to get edits.
+// Notably this is necessary when polling from the remote edits via https.
+// We have validated the client is a superuser from the NN RPC, so this
+// running as the login user here is safe.
+EventBatchList ret = SecurityUtil.doAsLoginUser(
+new PrivilegedExceptionAction() {
+ @Override
+ public EventBatchList run() throws IOException {
+return getEventBatchList(syncTxid, txid, log, readInProgress,
+maxEventsPerRPC);
+ }
+});
+return ret;
+ }
+
+ private EventBatchList getEventBatchList(long syncTxid, long txid,
+ FSEditLog log, boolean readInProgress, int maxEventsPerRPC)
+ throws IOException {
List batches = Lists.newArrayList();
int totalEvents = 0;
long maxSeenTxid = -1;
@@ -2271,7 +2291,7 @@ public class NameNodeRpcServer implements
NamenodeProtocols {
// and are using QJM -- the edit log will be closed and this exception
// will result
LOG.info("NN is transitioning from active to standby and FSEditLog " +
- "is closed -- could not read edits");
+ "is closed -- could not read edits");
return new EventBatchList(batches, firstSeenTxid, maxSeenTxid, syncTxid);
}
http://git-wip-us.apache.org/repos/asf/hadoop/blob/d35baf15/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestDFSInotifyEventInputStreamKerberized.java
--
diff --git
a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestDFSInotifyEventInputStreamKerberized.java
b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestDFSInotifyEventInputStreamKerberized.java
new file mode 100644
index 000..ace7c3b
--- /dev/null
+++
b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestDFSInotifyEventInputStreamKerberized.java
@@ -0,0 +1,223 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for ad
hadoop git commit: HDFS-13040. Kerberized inotify client fails despite kinit properly. Contributed by Istvan Fajth, Wei-Chiu Chuang, Xiao Chen.
Repository: hadoop
Updated Branches:
refs/heads/trunk e99a1e776 -> c75105f07
HDFS-13040. Kerberized inotify client fails despite kinit properly. Contributed
by Istvan Fajth, Wei-Chiu Chuang, Xiao Chen.
Project: http://git-wip-us.apache.org/repos/asf/hadoop/repo
Commit: http://git-wip-us.apache.org/repos/asf/hadoop/commit/c75105f0
Tree: http://git-wip-us.apache.org/repos/asf/hadoop/tree/c75105f0
Diff: http://git-wip-us.apache.org/repos/asf/hadoop/diff/c75105f0
Branch: refs/heads/trunk
Commit: c75105f07b4cdbc2773435fc1125446233113c15
Parents: e99a1e7
Author: Xiao Chen
Authored: Fri Mar 2 16:45:07 2018 -0800
Committer: Xiao Chen
Committed: Fri Mar 2 16:46:04 2018 -0800
--
.../hdfs/server/namenode/NameNodeRpcServer.java | 22 +-
...estDFSInotifyEventInputStreamKerberized.java | 223 +++
.../hadoop/hdfs/qjournal/MiniQJMHACluster.java | 21 +-
3 files changed, 260 insertions(+), 6 deletions(-)
--
http://git-wip-us.apache.org/repos/asf/hadoop/blob/c75105f0/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/NameNodeRpcServer.java
--
diff --git
a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/NameNodeRpcServer.java
b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/NameNodeRpcServer.java
index 121d17c..9494263 100644
---
a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/NameNodeRpcServer.java
+++
b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/NameNodeRpcServer.java
@@ -34,6 +34,7 @@ import static org.apache.hadoop.util.Time.now;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.net.InetSocketAddress;
+import java.security.PrivilegedExceptionAction;
import java.util.Arrays;
import java.util.Collection;
import java.util.EnumSet;
@@ -189,6 +190,7 @@ import org.apache.hadoop.ipc.RefreshResponse;
import org.apache.hadoop.net.Node;
import org.apache.hadoop.security.AccessControlException;
import org.apache.hadoop.security.Groups;
+import org.apache.hadoop.security.SecurityUtil;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.authorize.AuthorizationException;
import org.apache.hadoop.security.authorize.ProxyUsers;
@@ -2253,6 +2255,24 @@ public class NameNodeRpcServer implements
NamenodeProtocols {
// guaranteed to have been written by this NameNode.)
boolean readInProgress = syncTxid > 0;
+// doas the NN login user for the actual operations to get edits.
+// Notably this is necessary when polling from the remote edits via https.
+// We have validated the client is a superuser from the NN RPC, so this
+// running as the login user here is safe.
+EventBatchList ret = SecurityUtil.doAsLoginUser(
+new PrivilegedExceptionAction() {
+ @Override
+ public EventBatchList run() throws IOException {
+return getEventBatchList(syncTxid, txid, log, readInProgress,
+maxEventsPerRPC);
+ }
+});
+return ret;
+ }
+
+ private EventBatchList getEventBatchList(long syncTxid, long txid,
+ FSEditLog log, boolean readInProgress, int maxEventsPerRPC)
+ throws IOException {
List batches = Lists.newArrayList();
int totalEvents = 0;
long maxSeenTxid = -1;
@@ -2271,7 +2291,7 @@ public class NameNodeRpcServer implements
NamenodeProtocols {
// and are using QJM -- the edit log will be closed and this exception
// will result
LOG.info("NN is transitioning from active to standby and FSEditLog " +
- "is closed -- could not read edits");
+ "is closed -- could not read edits");
return new EventBatchList(batches, firstSeenTxid, maxSeenTxid, syncTxid);
}
http://git-wip-us.apache.org/repos/asf/hadoop/blob/c75105f0/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestDFSInotifyEventInputStreamKerberized.java
--
diff --git
a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestDFSInotifyEventInputStreamKerberized.java
b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestDFSInotifyEventInputStreamKerberized.java
new file mode 100644
index 000..ace7c3b
--- /dev/null
+++
b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestDFSInotifyEventInputStreamKerberized.java
@@ -0,0 +1,223 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this f
