ACCUMULO-4421 Ensure that TraceServer launches the Kerberos ticket renewal thread
The previous method that TraceServer was using on SecurityUtil only performed the login and was relying on incorrect functionality in Hadoop's UGI to launch a renewal thread. This logic is incorrect. Refactored SecurityUtil a little to prevent other callers from making the same mistake in the future. Signed-off-by: Sean Busbey <bus...@cloudera.com> Project: http://git-wip-us.apache.org/repos/asf/accumulo/repo Commit: http://git-wip-us.apache.org/repos/asf/accumulo/commit/2be85ade Tree: http://git-wip-us.apache.org/repos/asf/accumulo/tree/2be85ade Diff: http://git-wip-us.apache.org/repos/asf/accumulo/diff/2be85ade Branch: refs/heads/master Commit: 2be85ade34c413cc32db838e6125e582b829ef03 Parents: d66a8d0 Author: Josh Elser <els...@apache.org> Authored: Fri Aug 26 17:33:42 2016 -0400 Committer: Sean Busbey <bus...@cloudera.com> Committed: Fri Aug 26 19:08:56 2016 -0500 ---------------------------------------------------------------------- .../accumulo/server/security/SecurityUtil.java | 30 ++++++++++++++------ .../org/apache/accumulo/tracer/TraceServer.java | 13 +-------- 2 files changed, 23 insertions(+), 20 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/accumulo/blob/2be85ade/server/base/src/main/java/org/apache/accumulo/server/security/SecurityUtil.java ----------------------------------------------------------------------
diff --git a/server/base/src/main/java/org/apache/accumulo/server/security/SecurityUtil.java b/server/base/src/main/java/org/apache/accumulo/server/security/SecurityUtil.java
index 73f671b..38afa31 100644
--- a/server/base/src/main/java/org/apache/accumulo/server/security/SecurityUtil.java
+++ b/server/base/src/main/java/org/apache/accumulo/server/security/SecurityUtil.java
@@ -40,17 +40,31 @@ public class SecurityUtil {
 * {@link #login(String, String)}
 */
 public static void serverLogin(AccumuloConfiguration acuConf) {
- String keyTab = acuConf.getPath(Property.GENERAL_KERBEROS_KEYTAB);
+ serverLogin(acuConf, acuConf.getPath(Property.GENERAL_KERBEROS_KEYTAB), acuConf.get(Property.GENERAL_KERBEROS_PRINCIPAL));
+ }
+
+ /**
+ * Performs a Kerberos login using the given Kerberos principal and keytab if they are non-null and positive length Strings. This method automaticallys spawns
+ * a thread to renew the given ticket upon successful login using {@link Property#GENERAL_KERBEROS_RENEWAL_PERIOD} as the renewal period. This method does
+ * nothing if either {@code keyTab} or {@code principal} are null or of zero length.
+ *
+ * @param acuConf
+ * The Accumulo configuration
+ * @param keyTab
+ * The path to the Kerberos keytab file
+ * @param principal
+ * The Kerberos principal
+ */
+ public static void serverLogin(AccumuloConfiguration acuConf, String keyTab, String principal) {
 if (keyTab == null || keyTab.length() == 0)
 return;
- usingKerberos = true;
-
- String principalConfig = acuConf.get(Property.GENERAL_KERBEROS_PRINCIPAL);
- if (principalConfig == null || principalConfig.length() == 0)
+ if (principal == null || principal.length() == 0)
 return;
- if (login(principalConfig, keyTab)) {
+ usingKerberos = true;
+
+ if (login(principal, keyTab)) {
 try {
 startTicketRenewalThread(UserGroupInformation.getCurrentUser(), acuConf.getTimeInMillis(Property.GENERAL_KERBEROS_RENEWAL_PERIOD));
 return;
@@ -59,7 +73,7 @@ public class SecurityUtil {
 }
 }
- throw new RuntimeException("Failed to perform Kerberos login for " + principalConfig + " using " + keyTab);
+ throw new RuntimeException("Failed to perform Kerberos login for " + principal + " using " + keyTab);
 }
 /**
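Review bot: The new three-argument `serverLogin` returns silently at `if (principal == null || principal.length() == 0) return;` even though a keytab was supplied, so a half-finished Kerberos configuration lets the process start with no login and nothing in the log. Because this overload is now the entry point for callers that pass their own values, a warning before that `return` (for example `log.warn("Kerberos keytab is set but no principal was given; skipping Kerberos login");`, assuming the class has a logger, which the hunk does not show) would make the misconfiguration visible to operators. The two `String` parameters are also in the opposite order to `login(principal, keyTab)`, which the compiler cannot catch if a caller swaps them, so the Javadoc should call out the order; its "automaticallys" should read "automatically". The method body continues past the end of this hunk.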
@@ -70,7 +84,7 @@ public class SecurityUtil {
 * replaced by the systems host name.
 * @return true if login succeeded, otherwise false
 */
- public static boolean login(String principalConfig, String keyTabPath) {
+ static boolean login(String principalConfig, String keyTabPath) {
 try {
 String principalName = getServerPrincipal(principalConfig);
 if (keyTabPath != null && principalName != null && keyTabPath.length() != 0 && principalName.length() != 0) {
http://git-wip-us.apache.org/repos/asf/accumulo/blob/2be85ade/server/tracer/src/main/java/org/apache/accumulo/tracer/TraceServer.java ----------------------------------------------------------------------
diff --git a/server/tracer/src/main/java/org/apache/accumulo/tracer/TraceServer.java b/server/tracer/src/main/java/org/apache/accumulo/tracer/TraceServer.java
index 2a06dc3..10601ba 100644
--- a/server/tracer/src/main/java/org/apache/accumulo/tracer/TraceServer.java
+++ b/server/tracer/src/main/java/org/apache/accumulo/tracer/TraceServer.java
@@ -61,7 +61,6 @@ import org.apache.accumulo.tracer.thrift.RemoteSpan;
 import org.apache.accumulo.tracer.thrift.SpanReceiver.Iface;
 import org.apache.accumulo.tracer.thrift.SpanReceiver.Processor;
 import org.apache.hadoop.io.Text;
-import org.apache.hadoop.security.UserGroupInformation;
 import org.apache.htrace.Span;
 import org.apache.thrift.TByteArrayOutputStream;
 import org.apache.thrift.TException;
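Review bot: In the SecurityUtil.java hunk that narrows `login` to package-private, the visible part of the Javadoc does not say why the method is no longer public, so a later change could widen it again and reintroduce the login-without-renewal mistake. A sentence such as `Package-private on purpose: this only performs the login and starts no ticket renewal thread; callers outside this package must use serverLogin.` would record the intent. The public Javadoc of `serverLogin(AccumuloConfiguration)` in the first hunk still carries `{@link #login(String, String)}`, which now points at a non-public member and may not resolve in the published API documentation. The body of `login` continues outside the hunk.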
@@ -334,17 +333,7 @@ public class TraceServer implements Watcher {
 return;
 log.info("Attempting to login as {} with {}", principalConfig, keyTab);
- if (SecurityUtil.login(principalConfig, keyTab)) {
- try {
- // This spawns a thread to periodically renew the logged in (trace) user
- UserGroupInformation.getLoginUser();
- return;
- } catch (IOException io) {
- log.error("Error starting up renewal thread. This shouldn't be happening.", io);
- }
- }
-
- throw new RuntimeException("Failed to perform Kerberos login for " + principalConfig + " using " + keyTab);
+ SecurityUtil.serverLogin(acuConf, keyTab, principalConfig);
 }
 } catch (IOException | ClassNotFoundException exception) {
 final String msg = String.format("Failed to retrieve trace user token information based on property %1s.", Property.TRACE_TOKEN_TYPE);
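Review bot: The replacement line `SecurityUtil.serverLogin(acuConf, keyTab, principalConfig);` carries no comment, while the removed block held the only remark that this call site must end up with a ticket renewal thread. A short comment above it, such as `// serverLogin both logs in and starts the Kerberos ticket renewal thread`, would keep the reason for using this method visible at the call site. Renewal is now started for `UserGroupInformation.getCurrentUser()` (per the SecurityUtil hunk) where the old code touched `getLoginUser()`; these are presumably the same identity at this point in startup, but that is worth confirming. The enclosing method begins and ends outside the hunk.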