Hadoop >> mail # dev >> KerberosName.rules are null during KerberosName.getShortName() in KerberosAuthenticationHandler


Re: KerberosName.rules are null during KerberosName.getShortName() in KerberosAuthenticationHandler
Hi Lulynn,

I've commented in the JIRA; now that I see your email, that gives me a bit
more context on what you are trying to do.

If I understand correctly, you are trying to use this outside of Hadoop. If
that is the case you should set the <PREFIX>.kerberos.name.rules=DEFAULT
(or a custom name.rules if you have one) in your hadoop-auth
AuthenticationFilter configuration.

This is required because you are not initializing UGI before initializing
the filter.

Thanks.
On Mon, Jul 1, 2013 at 3:41 AM, lulynn_2008 <[EMAIL PROTECTED]> wrote:

>  Hi All,
>
> I am trying to add Kerberos support to a web servlet via the Hadoop
> authentication classes. This is to make this web servlet server
> authenticate its client via Kerberos. I assume this should work. Right?
>
> The whole design is to add AuthFilter at the server side and
> AuthenticatedURL.injectToken(conn, currentToken) when creating the connection
> at the client side. But the process failed at KerberosName.rules. I made a fix
> based on the 2.0.4-alpha branch. Could you please help to review it and give
> some suggestions? I think with this fix, we can add Kerberos support to any
> web servlet via the Hadoop authentication classes. I have opened HADOOP-9679 to
> trace this issue and applied the patch.
>
> Error:
> The process failed during AuthenticationFilter.doFilter, with the following
> error:
> java.lang.NullPointerException
>         at
> org.apache.hadoop.security.KerberosName.getShortName(KerberosName.java:384)
>         at
> org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler$2.run(KerberosAuthenticationHandler.java:328)
>         at
> org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler$2.run(KerberosAuthenticationHandler.java:302)
>         at
> java.security.AccessController.doPrivileged(AccessController.java:310)
>         at javax.security.auth.Subject.doAs(Subject.java:573)
>         at
> org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler.authenticate(KerberosAuthenticationHandler.java:302)
>         at
> org.apache.hadoop.security.authentication.server.AuthenticationFilter.doFilter(AuthenticationFilter.java:340)
>
>
> Root cause:
> This error happened because KerberosName.rules is not initialized. I
> found that this parameter is only initialized during initialization of
> UserGroupInformation, which is used to manage Hadoop users and groups. So
> this parameter will be initialized when a Hadoop client (like Oozie) accesses
> Hadoop. But the servlet I am testing is not a Hadoop client, so currently
> there is no place that initializes it. But I think we should make it work
> by giving KerberosName.rules the default value "DEFAULT".
>
> FIX:
> Following is my draft fix based on the hadoop-2.0.4-alpha branch. With this
> fix, my test web servlet can support Kerberos now.
> ---
> a/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/KerberosAuthenticationHandler.java
> +++
> b/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/KerberosAuthenticationHandler.java
> @@ -308,6 +308,10 @@ public AuthenticationToken run() throws Exception {
>                } else {
>                  String clientPrincipal > gssContext.getSrcName().toString();
>                  KerberosName kerberosName = new
> KerberosName(clientPrincipal);
> +                if( !KerberosName.hasRulesBeenSet()){
> +                    LOG.warn("No rules applied to " +
> kerberosName.toString() + ". Using DEFAULT rules.");
> +                    KerberosName.setRules("DEFAULT");
> +                }
>                  String userName = kerberosName.getShortName();
>                  token = new AuthenticationToken(userName,
> clientPrincipal, getType());
>                  response.setStatus(HttpServletResponse.SC_OK);
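
Review bot: The added check-then-set (`KerberosName.hasRulesBeenSet()` followed by `KerberosName.setRules("DEFAULT")`) changes static, process-wide state from inside `run()`, on the per-request authentication path, and nothing in the hunk synchronizes it, so concurrent first requests can each log the warning and call `setRules`. The name rules decide how `clientPrincipal` becomes the `userName` stored in the `AuthenticationToken`, so falling back to DEFAULT here makes an authorization-relevant choice that an operator would only learn about from a WARN line. Resolving the rules once when the handler is initialized, from the filter configuration, keeps that choice explicit and off the request path. Style: `if( !KerberosName.hasRulesBeenSet()){` and the four-space body do not match the formatting of the surrounding lines.
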
>
>
>
--
Alejandro
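
The setting recommended in the reply, shown as an added example that is not part of the original thread: a `web.xml` fragment that registers the hadoop-auth `AuthenticationFilter` with an explicit `kerberos.name.rules` value, so the principal-to-short-name mapping is defined before the first request is authenticated. The `myapp` prefix, principal, keytab path, filter name and URL pattern are constructed placeholders; parameter names other than `kerberos.name.rules` follow the hadoop-auth configuration documentation rather than this thread.

```xml
<!-- Added example; all values below are placeholders to adapt. -->
<filter>
  <filter-name>kerberosAuth</filter-name>
  <filter-class>org.apache.hadoop.security.authentication.server.AuthenticationFilter</filter-class>

  <!-- Every property below is read as <PREFIX>.<name>; here PREFIX is "myapp". -->
  <init-param>
    <param-name>config.prefix</param-name>
    <param-value>myapp</param-value>
  </init-param>

  <!-- Select the Kerberos (SPNEGO) authentication handler. -->
  <init-param>
    <param-name>myapp.type</param-name>
    <param-value>kerberos</param-value>
  </init-param>

  <!-- Service principal and keytab of the web server (placeholders). -->
  <init-param>
    <param-name>myapp.kerberos.principal</param-name>
    <param-value>HTTP/web.example.com@EXAMPLE.COM</param-value>
  </init-param>
  <init-param>
    <param-name>myapp.kerberos.keytab</param-name>
    <param-value>/etc/security/keytabs/http.keytab</param-value>
  </init-param>

  <!-- The setting from the reply: needed when UGI is not initialized
       before the filter. Use DEFAULT or a custom rule set. -->
  <init-param>
    <param-name>myapp.kerberos.name.rules</param-name>
    <param-value>DEFAULT</param-value>
  </init-param>
</filter>

<filter-mapping>
  <filter-name>kerberosAuth</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
```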