[prev in list] [next in list] [prev in thread] [next in thread]
List: hadoop-commits
Subject: [hadoop] branch branch-3.3 updated: HADOOP-17159. Make UGI support forceful relogin from keytab igno
From: liuml07 () apache ! org
Date: 2020-08-27 6:58:18
Message-ID: 159851149822.2722.9746736971309669941 () gitbox ! apache ! org
[Download RAW message or body]
This is an automated email from the ASF dual-hosted git repository.
liuml07 pushed a commit to branch branch-3.3
in repository https://gitbox.apache.org/repos/asf/hadoop.git
The following commit(s) were added to refs/heads/branch-3.3 by this push:
new fcb80c1 HADOOP-17159. Make UGI support forceful relogin from keytab \
ignoring the last login time (#2249) fcb80c1 is described below
commit fcb80c1ade5162b323b7138984f19af673a29ebd
Author: sguggilam <sandeepbits.g@gmail.com>
AuthorDate: Wed Aug 26 23:45:21 2020 -0700
HADOOP-17159. Make UGI support forceful relogin from keytab ignoring the last \
login time (#2249)
Contributed by Sandeep Guggilam.
Signed-off-by: Mingliang Liu <liuml07@apache.org>
Signed-off-by: Steve Loughran <stevel@apache.org>
---
.../hadoop/security/UserGroupInformation.java | 36 ++++++++++++++++++----
.../hadoop/security/TestUGILoginFromKeytab.java | 36 ++++++++++++++++++++++
2 files changed, 66 insertions(+), 6 deletions(-)
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/UserGroupInformation.java \
b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/UserGroupInformation.java
index d37da72..dcee9f4 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/UserGroupInformation.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/UserGroupInformation.java
@@ -1233,7 +1233,29 @@ public class UserGroupInformation {
reloginFromKeytab(false);
}
+ /**
+ * Force re-Login a user in from a keytab file irrespective of the last login
+ * time. Loads a user identity from a keytab file and logs them in. They
+ * become the currently logged-in user. This method assumes that
+ * {@link #loginUserFromKeytab(String, String)} had happened already. The
+ * Subject field of this UserGroupInformation object is updated to have the
+ * new credentials.
+ *
+ * @throws IOException
+ * @throws KerberosAuthException on a failure
+ */
+ @InterfaceAudience.Public
+ @InterfaceStability.Evolving
+ public void forceReloginFromKeytab() throws IOException {
+ reloginFromKeytab(false, true);
+ }
+
private void reloginFromKeytab(boolean checkTGT) throws IOException {
+ reloginFromKeytab(checkTGT, false);
+ }
+
+ private void reloginFromKeytab(boolean checkTGT, boolean ignoreLastLoginTime)
+ throws IOException {
if (!shouldRelogin() || !isFromKeytab()) {
return;
}
@@ -1248,7 +1270,7 @@ public class UserGroupInformation {
return;
}
}
- relogin(login);
+ relogin(login, ignoreLastLoginTime);
}
/**
@@ -1269,25 +1291,27 @@ public class UserGroupInformation {
if (login == null) {
throw new KerberosAuthException(MUST_FIRST_LOGIN);
}
- relogin(login);
+ relogin(login, false);
}
- private void relogin(HadoopLoginContext login) throws IOException {
+ private void relogin(HadoopLoginContext login, boolean ignoreLastLoginTime)
+ throws IOException {
// ensure the relogin is atomic to avoid leaving credentials in an
// inconsistent state. prevents other ugi instances, SASL, and SPNEGO
// from accessing or altering credentials during the relogin.
synchronized(login.getSubjectLock()) {
// another racing thread may have beat us to the relogin.
if (login == getLogin()) {
- unprotectedRelogin(login);
+ unprotectedRelogin(login, ignoreLastLoginTime);
}
}
}
- private void unprotectedRelogin(HadoopLoginContext login) throws IOException {
+ private void unprotectedRelogin(HadoopLoginContext login,
+ boolean ignoreLastLoginTime) throws IOException {
assert Thread.holdsLock(login.getSubjectLock());
long now = Time.now();
- if (!hasSufficientTimeElapsed(now)) {
+ if (!hasSufficientTimeElapsed(now) && !ignoreLastLoginTime) {
return;
}
// register most recent relogin attempt
diff --git a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestUGILoginFromKeytab.java \
b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestUGILoginFromKeytab.java
index d233234..db0095f 100644
--- a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestUGILoginFromKeytab.java
+++ b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestUGILoginFromKeytab.java
@@ -158,6 +158,42 @@ public class TestUGILoginFromKeytab {
Assert.assertNotSame(login1, login2);
}
+ /**
+ * Force re-login from keytab using the MiniKDC and verify the UGI can
+ * successfully relogin from keytab as well.
+ */
+ @Test
+ public void testUGIForceReLoginFromKeytab() throws Exception {
+ // Set this to false as we are testing force re-login anyways
+ UserGroupInformation.setShouldRenewImmediatelyForTests(false);
+ String principal = "foo";
+ File keytab = new File(workDir, "foo.keytab");
+ kdc.createPrincipal(keytab, principal);
+
+ UserGroupInformation.loginUserFromKeytab(principal, keytab.getPath());
+ UserGroupInformation ugi = UserGroupInformation.getLoginUser();
+ Assert.assertTrue("UGI should be configured to login from keytab",
+ ugi.isFromKeytab());
+
+ // Verify relogin from keytab.
+ User user = getUser(ugi.getSubject());
+ final long firstLogin = user.getLastLogin();
+ final LoginContext login1 = user.getLogin();
+ Assert.assertNotNull(login1);
+
+ // Sleep for 2 secs to have a difference between first and second login
+ Thread.sleep(2000);
+
+ // Force relogin from keytab
+ ugi.forceReloginFromKeytab();
+ final long secondLogin = user.getLastLogin();
+ final LoginContext login2 = user.getLogin();
+ Assert.assertTrue("User should have been able to relogin from keytab",
+ secondLogin > firstLogin);
+ Assert.assertNotNull(login2);
+ Assert.assertNotSame(login1, login2);
+ }
+
@Test
public void testGetUGIFromKnownSubject() throws Exception {
KerberosPrincipal principal = new KerberosPrincipal("user");
---------------------------------------------------------------------
To unsubscribe, e-mail: common-commits-unsubscribe@hadoop.apache.org
For additional commands, e-mail: common-commits-help@hadoop.apache.org
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic