Ctest created HADOOP-16958:
------------------------------
Summary: Adding guard checking or exception handling when
`hadoop.security.authorization` is enabled but the input PolicyProvider for
ZKFCRpcServer is `NULL`
Key: HADOOP-16958
URL: https://issues.apache.org/jira/browse/HADOOP-16958
Project: Hadoop Common
Issue Type: Bug
Components: common, ha
Affects Versions: 3.2.1
Reporter: Ctest
During initialization, ZKFCRpcServer refreshes the service authorization ACL
for the service handled by this server if config hadoop.security.authorization
is enabled, by calling refreshServiceAcl with the input PolicyProvider and
Configuration.
{code:java}
ZKFCRpcServer(Configuration conf,
InetSocketAddress bindAddr,
ZKFailoverController zkfc,
PolicyProvider policy) throws IOException {
this.server = ...
// set service-level authorization security policy
if (conf.getBoolean(
CommonConfigurationKeys.HADOOP_SECURITY_AUTHORIZATION, false)) {
server.refreshServiceAcl(conf, policy);
}
}{code}
refreshServiceAcl calls
ServiceAuthorizationManager#refreshWithLoadedConfiguration which directly gets
services from the provider with provider.getServices(). When the provider is
NULL, the code throws NPE without an informative message. In addition, the
default value of config `hadoop.security.authorization.policyprovider` (which
controls PolicyProvider here) is NULL and the only usage of ZKFCRpcServer
initializer provides only an abstract method getPolicyProvider which does not
enforce that PolicyProvider should not be NULL.
The suggestion here is to either add a guard check or exception handling with
an informative logging message on ZKFCRpcServer to handle input PolicyProvider
being NULL.
I am very happy to provide a patch for it if the issue is confirmed :)
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
---------------------------------------------------------------------
To unsubscribe, e-mail: common-dev-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-dev-h...@hadoop.apache.org
