Home | About | Sematext search-lucene.com search-hadoop.com
 Search Hadoop and all its subprojects:

Switch to Plain View
Hadoop >> mail # dev >> KerberosName.rules are null during KerberosName.getShortName() in KerberosAuthenticationHandler


+
lulynn_2008 2013-07-01, 10:41
Copy link to this message
-
Re: KerberosName.rules are null during KerberosName.getShortName() in KerberosAuthenticationHandler
Hi Lulynn,

I've commented in the JIRA, now that I see your email that gives me a bit
more of context on what you are trying to do.

If I understand correctly, you are trying to use this outside of Hadoop. If
that is the case you should set the <PREFIX>.kerberos.name.rules=DEFAULT
(or a custom name.rules if you have one) in your hadoop-auth
AuthenticationFilter configuration.

This is required because you are not initializing UGI before initializing
the filter.

Thanks.
On Mon, Jul 1, 2013 at 3:41 AM, lulynn_2008 <[EMAIL PROTECTED]> wrote:

>  Hi All,
>
> I am trying to add kerberos support to a web servlet via hadoop
> authentication classes. This is to make this web servlet server to
> authenticate its client via kerberos. I assume this should work. Right?
>
> The whole design is to add AuthFilter at server side and
> AuthenticatedURL.injectToken(conn, currentToken) during create connection
> at client side.  But the process failed at KerberosName.rules, I made a fix
> based on 2.0.4-alpha branch. Could you please help to review it and give
> some suggestions? I think with this fix, we can add kerberos support to any
> web servlet via hadoop authentication classes. I have opened HADOOP-9679 to
> trace this issue and applied the patch.
>
> Error:
> The process failed during AuthenticationFilter.doFilter,  with following
> error:
> java.lang.NullPointerException
>         at
> org.apache.hadoop.security.KerberosName.getShortName(KerberosName.java:384)
>         at
> org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler$2.run(KerberosAuthenticationHandler.java:328)
>         at
> org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler$2.run(KerberosAuthenticationHandler.java:302)
>         at
> java.security.AccessController.doPrivileged(AccessController.java:310)
>         at javax.security.auth.Subject.doAs(Subject.java:573)
>         at
> org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler.authenticate(KerberosAuthenticationHandler.java:302)
>         at
> org.apache.hadoop.security.authentication.server.AuthenticationFilter.doFilter(AuthenticationFilter.java:340)
>
>
> Root cause:
> this error happened because KerberosName.rules are not initialized. I
> found that this parameter only be initialized during initialize
> UserGroupInformation which is used for manager hadoop user and group. Then
> this parameter will be initialized during hadoop client(like oozie) access
> hadoop. But the servlet I am testing is not hadoop client, then current
> there is no place for initializing it. But I think we should make it work
> via value KerberosName.rules with default value "DEFAULT".
>
> FIX:
> Following is my draft fix based on hadoop-2.0.4-alpha branch, with this
> fix, my test web servlet can support kerberos now.
> ---
> a/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/KerberosAuthenticationHandler.java
> +++
> b/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/KerberosAuthenticationHandler.java
> @@ -308,6 +308,10 @@ public AuthenticationToken run() throws Exception {
>                } else {
>                  String clientPrincipal > gssContext.getSrcName().toString();
>                  KerberosName kerberosName = new
> KerberosName(clientPrincipal);
> +                if( !KerberosName.hasRulesBeenSet()){
> +                    LOG.warn("No rules applied to " +
> kerberosName.toString() + ". Using DEFAULT rules.");
> +                    KerberosName.setRules("DEFAULT");
> +                }
>                  String userName = kerberosName.getShortName();
>                  token = new AuthenticationToken(userName,
> clientPrincipal, getType());
>                  response.setStatus(HttpServletResponse.SC_OK);
>
>
>
--
Alejandro