From bo...@apache.org
Subject [1/2] storm git commit: Merge branch 'storm1596' of https://github.com/kishorvpatil/incubator-storm into STORM-1596
Date Thu, 03 Mar 2016 20:25:11 GMT
Repository: storm
Updated Branches:
  refs/heads/1.x-branch 3a6e3e47c -> 66ce7cee9


Merge branch 'storm1596' of https://github.com/kishorvpatil/incubator-storm into STORM-1596

STORM-1596: Do not use single Kerberos TGT instance between multiple threads.


Project: http://git-wip-us.apache.org/repos/asf/storm/repo
Commit: http://git-wip-us.apache.org/repos/asf/storm/commit/51889ae6
Tree: http://git-wip-us.apache.org/repos/asf/storm/tree/51889ae6
Diff: http://git-wip-us.apache.org/repos/asf/storm/diff/51889ae6

Branch: refs/heads/1.x-branch
Commit: 51889ae618bef14b77e6e9f621f4941b0095e9cd
Parents: 3a6e3e4
Author: Robert (Bobby) Evans <evans@yahoo-inc.com>
Authored: Thu Mar 3 13:41:32 2016 -0600
Committer: Robert (Bobby) Evans <evans@yahoo-inc.com>
Committed: Thu Mar 3 13:53:15 2016 -0600

----------------------------------------------------------------------
 .../apache/storm/security/auth/AuthUtils.java   | 40 ++++++++++++
 .../storm/security/auth/kerberos/AutoTGT.java   | 64 +++++++++-----------
 .../auth/kerberos/AutoTGTKrb5LoginModule.java   |  8 ++-
 .../security/auth/auto_login_module_test.clj    | 24 +++++++-
 4 files changed, 96 insertions(+), 40 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/storm/blob/51889ae6/storm-core/src/jvm/org/apache/storm/security/auth/AuthUtils.java
----------------------------------------------------------------------
diff --git a/storm-core/src/jvm/org/apache/storm/security/auth/AuthUtils.java b/storm-core/src/jvm/org/apache/storm/security/auth/AuthUtils.java
index 86e1148..72b7d7c 100644
--- a/storm-core/src/jvm/org/apache/storm/security/auth/AuthUtils.java
+++ b/storm-core/src/jvm/org/apache/storm/security/auth/AuthUtils.java
@@ -17,10 +17,16 @@
  */
 package org.apache.storm.security.auth;
 
+import javax.security.auth.kerberos.KerberosTicket;
 import org.apache.storm.Config;
 import javax.security.auth.login.Configuration;
 import javax.security.auth.login.AppConfigurationEntry;
 import javax.security.auth.Subject;
+import javax.xml.bind.DatatypeConverter;
+import java.io.ByteArrayInputStream;
+import java.io.ByteArrayOutputStream;
+import java.io.ObjectInputStream;
+import java.io.ObjectOutputStream;
 import java.security.URIParameter;
 import java.security.MessageDigest;
 
@@ -345,4 +351,38 @@ public class AuthUtils {
             throw new RuntimeException(e);
         }
     }
+
+    public static byte[] serializeKerberosTicket(KerberosTicket tgt) throws Exception {
+        ByteArrayOutputStream bao = new ByteArrayOutputStream();
+        ObjectOutputStream out = new ObjectOutputStream(bao);
+        out.writeObject(tgt);
+        out.flush();
+        out.close();
+        return bao.toByteArray();
+    }
+
+    public static KerberosTicket deserializeKerberosTicket(byte[] tgtBytes) {
+        KerberosTicket ret;
+        try {
+
+            ByteArrayInputStream bin = new ByteArrayInputStream(tgtBytes);
+            ObjectInputStream in = new ObjectInputStream(bin);
+            ret = (KerberosTicket)in.readObject();
+            in.close();
+        } catch (Exception e) {
+            throw new RuntimeException(e);
+        }
+        return ret;
+    }
+
+    public static KerberosTicket cloneKerberosTicket(KerberosTicket kerberosTicket) {
+        if(kerberosTicket != null) {
+            try {
+                return (deserializeKerberosTicket(serializeKerberosTicket(kerberosTicket)));
+            } catch (Exception e) {
+                throw new RuntimeException("Failed to clone KerberosTicket TGT!!", e);
+            }
+        }
+        return null;
+    }
 }
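Review bot: `deserializeKerberosTicket` calls `ObjectInputStream.readObject()` on bytes whose only visible producer is `AutoTGT.getTGT`, which decodes them from the `"TGT"` credentials entry, so the stream instantiates whatever class name the bytes carry before the `(KerberosTicket)` cast runs. Overriding `resolveClass` to accept only the types a serialized ticket is composed of (sketched below; the exact set of nested types the JDK writes for a `KerberosTicket` should be confirmed, and `ObjectInputFilter` is the alternative where the JDK provides it) keeps a malformed or hostile credentials map from driving arbitrary deserialization, and try-with-resources also fixes the stream being closed only on the success path. `serializeKerberosTicket` has the same close-on-success-only shape and could use try-with-resources too; declaring `throws IOException` rather than `throws Exception` would document what can actually fail. The sketch needs `java.io.ObjectStreamClass`, `java.io.InvalidClassException` and `java.io.IOException` imported.
```java
    public static KerberosTicket deserializeKerberosTicket(byte[] tgtBytes) {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(tgtBytes)) {
                @Override
                protected Class<?> resolveClass(ObjectStreamClass desc)
                        throws IOException, ClassNotFoundException {
                    String name = desc.getName();
                    // TODO(review): confirm this covers every type the JDK serializes for a KerberosTicket
                    if (name.startsWith("javax.security.auth.kerberos.")
                            || name.equals("java.util.Date")
                            || name.startsWith("java.net.")
                            || name.startsWith("[")) {
                        return super.resolveClass(desc);
                    }
                    throw new InvalidClassException(name, "not permitted in a serialized KerberosTicket");
                }
            }) {
            return (KerberosTicket) in.readObject();
        } catch (IOException | ClassNotFoundException e) {
            throw new RuntimeException(e);
        }
    }
```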

http://git-wip-us.apache.org/repos/asf/storm/blob/51889ae6/storm-core/src/jvm/org/apache/storm/security/auth/kerberos/AutoTGT.java
----------------------------------------------------------------------
diff --git a/storm-core/src/jvm/org/apache/storm/security/auth/kerberos/AutoTGT.java b/storm-core/src/jvm/org/apache/storm/security/auth/kerberos/AutoTGT.java
index 2590ce4..c3f8560 100644
--- a/storm-core/src/jvm/org/apache/storm/security/auth/kerberos/AutoTGT.java
+++ b/storm-core/src/jvm/org/apache/storm/security/auth/kerberos/AutoTGT.java
@@ -24,10 +24,6 @@ import org.apache.storm.security.auth.AuthUtils;
 
 import java.util.Map;
 import java.util.Set;
-import java.io.ByteArrayInputStream;
-import java.io.ByteArrayOutputStream;
-import java.io.ObjectInputStream;
-import java.io.ObjectOutputStream;
 import java.lang.reflect.Method;
 import java.lang.reflect.Constructor;
 import java.security.Principal;
@@ -110,12 +106,9 @@ public class AutoTGT implements IAutoCredentials, ICredentialsRenewer
{
 
     public static void saveTGT(KerberosTicket tgt, Map<String, String> credentials)
{
         try {
-            ByteArrayOutputStream bao = new ByteArrayOutputStream();
-            ObjectOutputStream out = new ObjectOutputStream(bao);
-            out.writeObject(tgt);
-            out.flush();
-            out.close();
-            credentials.put("TGT", DatatypeConverter.printBase64Binary(bao.toByteArray()));
+
+            byte[] bytes = AuthUtils.serializeKerberosTicket(tgt);
+            credentials.put("TGT", DatatypeConverter.printBase64Binary(bytes));
         } catch (Exception e) {
             throw new RuntimeException(e);
         }
@@ -123,15 +116,8 @@ public class AutoTGT implements IAutoCredentials, ICredentialsRenewer
{
 
     public static KerberosTicket getTGT(Map<String, String> credentials) {
         KerberosTicket ret = null;
-        if (credentials != null && credentials.containsKey("TGT")) {
-            try {
-                ByteArrayInputStream bin = new ByteArrayInputStream(DatatypeConverter.parseBase64Binary(credentials.get("TGT")));
-                ObjectInputStream in = new ObjectInputStream(bin);
-                ret = (KerberosTicket)in.readObject();
-                in.close();
-            } catch (Exception e) {
-                throw new RuntimeException(e);
-            }
+        if (credentials != null && credentials.containsKey("TGT") && credentials.get("TGT")
!= null) {
+            ret = AuthUtils.deserializeKerberosTicket(DatatypeConverter.parseBase64Binary(credentials.get("TGT")));
         }
         return ret;
     }
@@ -150,23 +136,7 @@ public class AutoTGT implements IAutoCredentials, ICredentialsRenewer
{
     private void populateSubjectWithTGT(Subject subject, Map<String, String> credentials)
{
         KerberosTicket tgt = getTGT(credentials);
         if (tgt != null) {
-            Set<Object> creds = subject.getPrivateCredentials();
-            synchronized(creds) {
-                Iterator<Object> iterator = creds.iterator();
-                while (iterator.hasNext()) {
-                    Object o = iterator.next();
-                    if (o instanceof KerberosTicket) {
-                        KerberosTicket t = (KerberosTicket)o;
-                        iterator.remove();
-                        try {
-                            t.destroy();
-                        } catch (DestroyFailedException  e) {
-                            LOG.warn("Failed to destroy ticket ", e);
-                        }
-                    }
-                }
-                creds.add(tgt);
-            }
+            clearCredentials(subject, tgt);
             subject.getPrincipals().add(tgt.getClient());
             kerbTicket.set(tgt);
         } else {
@@ -174,6 +144,28 @@ public class AutoTGT implements IAutoCredentials, ICredentialsRenewer
{
         }
     }
 
+    public static void clearCredentials(Subject subject, KerberosTicket tgt) {
+        Set<Object> creds = subject.getPrivateCredentials();
+        synchronized(creds) {
+            Iterator<Object> iterator = creds.iterator();
+            while (iterator.hasNext()) {
+                Object o = iterator.next();
+                if (o instanceof KerberosTicket) {
+                    KerberosTicket t = (KerberosTicket)o;
+                    iterator.remove();
+                    try {
+                        t.destroy();
+                    } catch (DestroyFailedException e) {
+                        LOG.warn("Failed to destory ticket ", e);
+                    }
+                }
+            }
+            if(tgt != null) {
+                creds.add(tgt);
+            }
+        }
+    }
+
     /**
      * Hadoop does not just go off of a TGT, it needs a bit more.  This
      * should fill in the rest.
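Review bot: The log message in the new `clearCredentials` reads `"Failed to destory ticket "` where the removed code in the previous hunk had `destroy`; `LOG.warn("Failed to destroy ticket ", e);` restores the spelling. Beyond the typo, the method removes and destroys every `KerberosTicket` in the subject's private credentials, not only the one AutoTGT placed there; that matches the old `populateSubjectWithTGT` body, but the method is now public and is also called from `AutoTGTKrb5LoginModule.logout` with `null`, so a Javadoc line such as `/** Removes and destroys every KerberosTicket in subject's private credentials, then adds tgt when it is non-null. */` would make that scope explicit to callers. `if(tgt != null)` also lacks the space after `if` that the surrounding code uses.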

http://git-wip-us.apache.org/repos/asf/storm/blob/51889ae6/storm-core/src/jvm/org/apache/storm/security/auth/kerberos/AutoTGTKrb5LoginModule.java
----------------------------------------------------------------------
diff --git a/storm-core/src/jvm/org/apache/storm/security/auth/kerberos/AutoTGTKrb5LoginModule.java
b/storm-core/src/jvm/org/apache/storm/security/auth/kerberos/AutoTGTKrb5LoginModule.java
index fd01297..c2b37e3 100644
--- a/storm-core/src/jvm/org/apache/storm/security/auth/kerberos/AutoTGTKrb5LoginModule.java
+++ b/storm-core/src/jvm/org/apache/storm/security/auth/kerberos/AutoTGTKrb5LoginModule.java
@@ -21,6 +21,7 @@ package org.apache.storm.security.auth.kerberos;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
+import org.apache.storm.security.auth.AuthUtils;
 import java.security.Principal;
 import java.util.Map;
 import javax.security.auth.Subject;
@@ -79,7 +80,10 @@ public class AutoTGTKrb5LoginModule implements LoginModule {
             throw new LoginException("Authentication failed because the Subject is invalid.");
         }
         // Let us add the kerbClientPrinc and kerbTicket
-        subject.getPrivateCredentials().add(kerbTicket);
+        // We need to clone the ticket because java.security.auth.kerberos assumes TGT is
unique for each subject
+        // So, sharing TGT with multiple subjects can cause expired TGT to never refresh.
+        KerberosTicket kerbTicketCopy = AuthUtils.cloneKerberosTicket(kerbTicket);
+        subject.getPrivateCredentials().add(kerbTicketCopy);
         subject.getPrincipals().add(getKerbTicketClient());
         LOG.debug("Commit Succeeded.");
         return true;
@@ -96,7 +100,7 @@ public class AutoTGTKrb5LoginModule implements LoginModule {
     public boolean logout() throws LoginException {
         if (subject != null && !subject.isReadOnly() && kerbTicket != null)
{
             subject.getPrincipals().remove(kerbTicket.getClient());
-            subject.getPrivateCredentials().remove(kerbTicket);
+            AutoTGT.clearCredentials(subject, null);
         }
         kerbTicket = null;
         return true;
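Review bot: `AutoTGT.clearCredentials(subject, null)` in `logout` removes and destroys every KerberosTicket in the subject, while the removed line took out only this module's own ticket; any ticket placed in the subject by another login module or by the GSS layer would be destroyed too, which goes beyond what a LoginModule's logout is expected to undo (whether that breadth is intended for the subjects used here I cannot tell from the hunk). Since `commit()` in the earlier hunk now adds `kerbTicketCopy` rather than `kerbTicket`, the old `remove(kerbTicket)` would indeed no longer match, but the narrower fix is to keep the copy in a field (`private KerberosTicket kerbTicketCopy;`, assigned in `commit()`) and to remove and destroy exactly that instance, as below; `javax.security.auth.DestroyFailedException` needs importing if it is not already. The method's closing brace lies outside the hunk.
```java
    public boolean logout() throws LoginException {
        if (subject != null && !subject.isReadOnly() && kerbTicket != null) {
            subject.getPrincipals().remove(kerbTicket.getClient());
            if (kerbTicketCopy != null) {
                subject.getPrivateCredentials().remove(kerbTicketCopy);
                try {
                    kerbTicketCopy.destroy();
                } catch (DestroyFailedException e) {
                    LOG.warn("Failed to destroy ticket ", e);
                }
                kerbTicketCopy = null;
            }
        }
        // … unchanged: kerbTicket = null; return true; …
```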

http://git-wip-us.apache.org/repos/asf/storm/blob/51889ae6/storm-core/test/clj/org/apache/storm/security/auth/auto_login_module_test.clj
----------------------------------------------------------------------
diff --git a/storm-core/test/clj/org/apache/storm/security/auth/auto_login_module_test.clj
b/storm-core/test/clj/org/apache/storm/security/auth/auto_login_module_test.clj
index d976c79..518bb74 100644
--- a/storm-core/test/clj/org/apache/storm/security/auth/auto_login_module_test.clj
+++ b/storm-core/test/clj/org/apache/storm/security/auth/auto_login_module_test.clj
@@ -19,8 +19,12 @@
   (:import [org.apache.storm.security.auth.kerberos AutoTGT
             AutoTGTKrb5LoginModule AutoTGTKrb5LoginModuleTest])
   (:import [javax.security.auth Subject Subject])
-  (:import [javax.security.auth.kerberos KerberosTicket])
+  (:import [javax.security.auth.kerberos KerberosTicket KerberosPrincipal])
   (:import [org.mockito Mockito])
+  (:import [java.text SimpleDateFormat])
+  (:import [java.util Date])
+  (:import [java.util Arrays])
+  (:import [java.net InetAddress])
   )
 
 (deftest login-module-no-subj-no-tgt-test
@@ -82,7 +86,23 @@
     (let [login-module (AutoTGTKrb5LoginModuleTest.)
           _ (set! (. login-module client) (Mockito/mock
                                             java.security.Principal))
-          ticket (Mockito/mock KerberosTicket)]
+          endTime (.parse (java.text.SimpleDateFormat. "ddMMyyyy") "31122030")
+          asn1Enc (byte-array 10)
+          _ (Arrays/fill asn1Enc (byte 122))
+          sessionKey (byte-array 10)
+          _ (Arrays/fill sessionKey (byte 123))
+          ticket (KerberosTicket.
+                   asn1Enc
+                   (KerberosPrincipal. "client/localhost@local.com")
+                   (KerberosPrincipal. "server/localhost@local.com")
+                   sessionKey
+                   234
+                   (boolean-array (map even? (range 3 10)))
+                   (Date.)
+                   (Date.)
+                   endTime,
+                   endTime,
+                   (into-array InetAddress [(InetAddress/getByName "localhost")]))]
       (.initialize login-module (Subject.) nil nil nil)
       (.setKerbTicket login-module ticket)
       (is (.login login-module))
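Review bot: `endTime` is fixed to 31 Dec 2030 through `SimpleDateFormat`, so the fixture turns into a ticket whose end time is in the past once that date arrives; if the login path checks ticket validity (not visible in the hunk), the test will then fail for reasons unrelated to the code. Deriving it from the clock, e.g. `endTime (Date. (+ (System/currentTimeMillis) (* 24 60 60 1000)))`, avoids that and removes the need for the `SimpleDateFormat` import. The test's assertions continue past the hunk, so if they do not already check that the ticket stored in the subject's private credentials is a different instance from `ticket` (e.g. `(is (not (identical? ticket stored-ticket)))` with `stored-ticket` fetched from the subject), that is the behavior this commit introduces and is worth pinning.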

