Hi All,
I am trying to add Kerberos support to a web servlet via the Hadoop authentication
classes. This is to make the web servlet server authenticate its clients via
Kerberos. I assume this should work. Right?
The whole design is to add AuthFilter on the server side and to call
AuthenticatedURL.injectToken(conn, currentToken) when creating the connection on
the client side. But the process failed at KerberosName.rules. I made a fix based
on the 2.0.4-alpha branch. Could you please help review it and give some
suggestions? I think with this fix, we can add Kerberos support to any web
servlet via the Hadoop authentication classes. I have opened HADOOP-9679 to trace
this issue and applied the patch.
Error:
The process failed during AuthenticationFilter.doFilter, with the following error:
java.lang.NullPointerException
    at org.apache.hadoop.security.KerberosName.getShortName(KerberosName.java:384)
    at org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler$2.run(KerberosAuthenticationHandler.java:328)
    at org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler$2.run(KerberosAuthenticationHandler.java:302)
    at java.security.AccessController.doPrivileged(AccessController.java:310)
    at javax.security.auth.Subject.doAs(Subject.java:573)
    at org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler.authenticate(KerberosAuthenticationHandler.java:302)
    at org.apache.hadoop.security.authentication.server.AuthenticationFilter.doFilter(AuthenticationFilter.java:340)
Root cause:
This error happened because KerberosName.rules is not initialized. I found
that this parameter is only initialized during the initialization of
UserGroupInformation, which is used for managing Hadoop users and groups. So this
parameter will be initialized when a Hadoop client (like Oozie) accesses Hadoop.
But the servlet I am testing is not a Hadoop client, so currently there is no
place for initializing it. But I think we should make it work via
KerberosName.rules with the default value "DEFAULT".
FIX:
The following is my draft fix based on the hadoop-2.0.4-alpha branch. With this
fix, my test web servlet can support Kerberos now.
---
a/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/KerberosAuthenticationHandler.java
+++
b/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/KerberosAuthenticationHandler.java
@@ -308,6 +308,10 @@ public AuthenticationToken run() throws Exception {
} else {
String clientPrincipal = gssContext.getSrcName().toString();
KerberosName kerberosName = new KerberosName(clientPrincipal);
+ if( !KerberosName.hasRulesBeenSet()){
+ LOG.warn("No rules applied to " + kerberosName.toString()
+ ". Using DEFAULT rules.");
+ KerberosName.setRules("DEFAULT");
+ }
String userName = kerberosName.getShortName();
token = new AuthenticationToken(userName, clientPrincipal,
getType());
response.setStatus(HttpServletResponse.SC_OK);
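Review bot: The added `if( !KerberosName.hasRulesBeenSet()){` block changes process-wide static state from inside the per-request `run()` path with no synchronization, so two concurrent first requests can both find the rules unset and both call `KerberosName.setRules("DEFAULT")`, and any other component in the same JVM that sets its own rules afterwards ends up competing with this fallback. Since `getShortName()` decides the user name that goes into the `AuthenticationToken`, the rules should be fixed before the first request is served: do the check once in the handler's initialization, take the rules from the filter configuration, and fall back to DEFAULT only when none are configured. The warning text would then describe the missing configuration rather than a single client principal. Style: write the condition as `if (!KerberosName.hasRulesBeenSet()) {` to match the surrounding code.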