Repository: accumulo Updated Branches: refs/heads/master 97ff25db2 -> 59c6a8e19
ACCUMULO-4421 Check if the Trace User is expected to use Kerberos before attempting to login to Kerberos as the trace user. Signed-off-by: Josh Elser <els...@apache.org> Project: http://git-wip-us.apache.org/repos/asf/accumulo/repo Commit: http://git-wip-us.apache.org/repos/asf/accumulo/commit/d66a8d08 Tree: http://git-wip-us.apache.org/repos/asf/accumulo/tree/d66a8d08 Diff: http://git-wip-us.apache.org/repos/asf/accumulo/diff/d66a8d08 Branch: refs/heads/master Commit: d66a8d08627e98e9bbdd2bd0b1ab4f4658a84d9f Parents: 40d5a72 Author: Sean Busbey <bus...@cloudera.com> Authored: Thu Aug 25 14:47:38 2016 -0500 Committer: Sean Busbey <bus...@cloudera.com> Committed: Fri Aug 26 19:08:30 2016 -0500 ---------------------------------------------------------------------- .../org/apache/accumulo/tracer/TraceServer.java | 61 +++++++++++++------- 1 file changed, 41 insertions(+), 20 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/accumulo/blob/d66a8d08/server/tracer/src/main/java/org/apache/accumulo/tracer/TraceServer.java ----------------------------------------------------------------------
diff --git a/server/tracer/src/main/java/org/apache/accumulo/tracer/TraceServer.java b/server/tracer/src/main/java/org/apache/accumulo/tracer/TraceServer.java
index 4b07dcc..2a06dc3 100644
--- a/server/tracer/src/main/java/org/apache/accumulo/tracer/TraceServer.java
+++ b/server/tracer/src/main/java/org/apache/accumulo/tracer/TraceServer.java
@@ -36,6 +36,7 @@ import org.apache.accumulo.core.client.IteratorSetting;
 import org.apache.accumulo.core.client.MutationsRejectedException;
 import org.apache.accumulo.core.client.security.tokens.AuthenticationToken;
 import org.apache.accumulo.core.client.security.tokens.AuthenticationToken.Properties;
+import org.apache.accumulo.core.client.security.tokens.KerberosToken;
 import org.apache.accumulo.core.client.security.tokens.PasswordToken;
 import org.apache.accumulo.core.conf.AccumuloConfiguration;
 import org.apache.accumulo.core.conf.Property;
@@ -306,30 +307,50 @@ public class TraceServer implements Watcher {
 }
 
 private static void loginTracer(AccumuloConfiguration acuConf) {
- Map<String,String> loginMap = acuConf.getAllPropertiesWithPrefix(Property.TRACE_TOKEN_PROPERTY_PREFIX);
- String keyTab = loginMap.get(Property.TRACE_TOKEN_PROPERTY_PREFIX.getKey() + "keytab");
- if (keyTab == null || keyTab.length() == 0) {
- keyTab = acuConf.getPath(Property.GENERAL_KERBEROS_KEYTAB);
- }
- if (keyTab == null || keyTab.length() == 0)
- return;
+ try {
+ Class<? extends AuthenticationToken> traceTokenType = AccumuloVFSClassLoader.getClassLoader().loadClass(acuConf.get(Property.TRACE_TOKEN_TYPE))
+ .asSubclass(AuthenticationToken.class);
+
+ if (!(KerberosToken.class.isAssignableFrom(traceTokenType))) {
+ // We're not using Kerberos to talk to Accumulo, but we might still need it for talking to HDFS/ZK for
+ // instance information.
+ log.info("Handling login under the assumption that Accumulo users are not using Kerberos.");
+ SecurityUtil.serverLogin(acuConf);
+ } else {
+ // We're using Kerberos to talk to Accumulo, so check for trace user specific auth details.
+ // We presume this same user will have the needed access for the service to interact with HDFS/ZK for
+ // instance information.
+ log.info("Handling login under the assumption that Accumulo users are using Kerberos.");
+ Map<String,String> loginMap = acuConf.getAllPropertiesWithPrefix(Property.TRACE_TOKEN_PROPERTY_PREFIX);
+ String keyTab = loginMap.get(Property.TRACE_TOKEN_PROPERTY_PREFIX.getKey() + "keytab");
+ if (keyTab == null || keyTab.length() == 0) {
+ keyTab = acuConf.getPath(Property.GENERAL_KERBEROS_KEYTAB);
+ }
+ if (keyTab == null || keyTab.length() == 0)
+ return;
 
- String principalConfig = acuConf.get(Property.TRACE_USER);
- if (principalConfig == null || principalConfig.length() == 0)
- return;
+ String principalConfig = acuConf.get(Property.TRACE_USER);
+ if (principalConfig == null || principalConfig.length() == 0)
+ return;
 
- log.info("Attempting to login as {} with {}", principalConfig, keyTab);
- if (SecurityUtil.login(principalConfig, keyTab)) {
- try {
- // This spawns a thread to periodically renew the logged in (trace) user
- UserGroupInformation.getLoginUser();
- return;
- } catch (IOException io) {
- log.error("Error starting up renewal thread. This shouldn't be happening.", io);
+ log.info("Attempting to login as {} with {}", principalConfig, keyTab);
+ if (SecurityUtil.login(principalConfig, keyTab)) {
+ try {
+ // This spawns a thread to periodically renew the logged in (trace) user
+ UserGroupInformation.getLoginUser();
+ return;
+ } catch (IOException io) {
+ log.error("Error starting up renewal thread. This shouldn't be happening.", io);
+ }
+ }
+
+ throw new RuntimeException("Failed to perform Kerberos login for " + principalConfig + " using " + keyTab);
 }
+ } catch (IOException | ClassNotFoundException exception) {
+ final String msg = String.format("Failed to retrieve trace user token information based on property %1s.", Property.TRACE_TOKEN_TYPE);
+ log.error(msg, exception);
+ throw new RuntimeException(msg, exception);
 }
-
- throw new RuntimeException("Failed to perform Kerberos login for " + principalConfig + " using " + keyTab);
 }
 
 public static void main(String[] args) throws Exception {
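Review bot: In the Kerberos branch of `loginTracer`, the two early `return;` statements (keytab unset, then `Property.TRACE_USER` unset) leave the method without performing any login and without logging anything, even though the token type has just been established as a `KerberosToken`. A misconfiguration here would presumably surface only as later authentication failures, with nothing in the log pointing at the missing trace keytab or principal. I would at least record the condition before each return, e.g. `log.warn("Trace token type is Kerberos but no keytab is configured; skipping Kerberos login");`, and consider whether throwing is the safer behaviour; that depends on whether running without a keytab login is a supported setup, which the hunk does not show. Separately, `asSubclass(AuthenticationToken.class)` can throw `ClassCastException`, which the new `catch (IOException | ClassNotFoundException exception)` does not cover, so a wrong class name in `Property.TRACE_TOKEN_TYPE` would escape without the explanatory message.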