Merged r1205704 from branch-0.20-security for HADOOP-7853.

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/branches/branch-0.20-security-205@1205707 13f79535-47bb-0310-9956-ffa450edef68

CHANGES.txt

@@ -126,6 +126,9 @@ Release 0.20.205.1 - unreleased
     HDFS-611. Heartbeats times from Datanodes increase when there are plenty of
     blocks to delete. (Zheng Shao via jitendra)
 
+    HADOOP-7853. multiple javax security configurations cause conflicts. 
+    (Daryn via jitendra)
+
 Release 0.20.205.0 - 2011.10.06
 
   NEW FEATURES

src/core/org/apache/hadoop/security/SecurityUtil.java

@@ -92,7 +92,7 @@ public class SecurityUtil {
       if (isOriginalTGT(t.getServer().getName()))
         return t;
     }
-    throw new IOException("Failed to find TGT from current Subject");
+    throw new IOException("Failed to find TGT from current Subject:"+current);
   }
   
   // Original TGT must be of form "krbtgt/FOO@FOO". Verify this

src/core/org/apache/hadoop/security/UserGroupInformation.java

@@ -93,18 +93,30 @@ public class UserGroupInformation {
 
     @Override
     public boolean commit() throws LoginException {
+      if (LOG.isDebugEnabled()) {
+        LOG.debug("hadoop login commit");
+      }
       // if we already have a user, we are done.
       if (!subject.getPrincipals(User.class).isEmpty()) {
+        if (LOG.isDebugEnabled()) {
+          LOG.debug("using existing subject:"+subject.getPrincipals());
+        }
         return true;
       }
       Principal user = null;
       // if we are using kerberos, try it out
       if (useKerberos) {
         user = getCanonicalUser(KerberosPrincipal.class);
+        if (LOG.isDebugEnabled()) {
+          LOG.debug("using kerberos user:"+user);
+        }
       }
       // if we don't have a kerberos user, use the OS user
       if (user == null) {
         user = getCanonicalUser(OS_PRINCIPAL_CLASS);
+        if (LOG.isDebugEnabled()) {
+          LOG.debug("using local user:"+user);
+        }
       }
       // if we found the user, add our principal
       if (user != null) {
@@ -123,11 +135,17 @@ public class UserGroupInformation {
 
     @Override
     public boolean login() throws LoginException {
+      if (LOG.isDebugEnabled()) {
+        LOG.debug("hadoop login");
+      }
       return true;
     }
 
     @Override
     public boolean logout() throws LoginException {
+      if (LOG.isDebugEnabled()) {
+        LOG.debug("hadoop logout");
+      }
       return true;
     }
   }
@@ -179,11 +197,6 @@ public class UserGroupInformation {
     if (!(groups instanceof TestingGroups)) {
       groups = Groups.getUserToGroupsMappingService(conf);
     }
-    // Set the configuration for JAAS to be the Hadoop configuration. 
-    // This is done here rather than a static initializer to avoid a
-    // circular dependence.
-    javax.security.auth.login.Configuration.setConfiguration
-        (new HadoopConfiguration());
     // give the configuration on how to translate Kerberos names
     try {
       KerberosName.setConfiguration(conf);
@@ -356,6 +369,11 @@ public class UserGroupInformation {
     }
   }
   
+  private static LoginContext
+  newLoginContext(String appName, Subject subject) throws LoginException {
+    return new LoginContext(appName, subject, null, new HadoopConfiguration());
+  }
+  
   private LoginContext getLogin() {
     return user.getLogin();
   }
@@ -407,9 +425,9 @@ public class UserGroupInformation {
         Subject subject = new Subject();
         LoginContext login;
         if (isSecurityEnabled()) {
-          login = new LoginContext(HadoopConfiguration.USER_KERBEROS_CONFIG_NAME, subject);
+          login = newLoginContext(HadoopConfiguration.USER_KERBEROS_CONFIG_NAME, subject);
         } else {
-          login = new LoginContext(HadoopConfiguration.SIMPLE_CONFIG_NAME, subject);
+          login = newLoginContext(HadoopConfiguration.SIMPLE_CONFIG_NAME, subject);
         }
         login.login();
         loginUser = new UserGroupInformation(subject);
@@ -432,6 +450,9 @@ public class UserGroupInformation {
       } catch (LoginException le) {
         throw new IOException("failure to login", le);
       }
+      if (LOG.isDebugEnabled()) {
+        LOG.debug("UGI loginUser:"+loginUser);
+      }
     }
     return loginUser;
   }
@@ -556,7 +577,7 @@ public class UserGroupInformation {
     }
     try {
       login = 
-        new LoginContext(HadoopConfiguration.KEYTAB_KERBEROS_CONFIG_NAME, subject);
+        newLoginContext(HadoopConfiguration.KEYTAB_KERBEROS_CONFIG_NAME, subject);
       start = System.currentTimeMillis();
       login.login();
       metrics.addLoginSuccess(System.currentTimeMillis() - start);
@@ -602,7 +623,7 @@ public class UserGroupInformation {
       //login and also update the subject field of this instance to 
       //have the new credentials (pass it to the LoginContext constructor)
       login = 
-        new LoginContext(HadoopConfiguration.USER_KERBEROS_CONFIG_NAME, 
+        newLoginContext(HadoopConfiguration.USER_KERBEROS_CONFIG_NAME, 
             getSubject());
       LOG.info("Initiating re-login for " + getUserName());
       login.login();
@@ -639,7 +660,7 @@ public class UserGroupInformation {
       Subject subject = new Subject();
       
       LoginContext login = 
-        new LoginContext(HadoopConfiguration.KEYTAB_KERBEROS_CONFIG_NAME, subject); 
+        newLoginContext(HadoopConfiguration.KEYTAB_KERBEROS_CONFIG_NAME, subject); 
        
       start = System.currentTimeMillis();
       login.login();
@@ -713,7 +734,7 @@ public class UserGroupInformation {
         //login and also update the subject field of this instance to 
         //have the new credentials (pass it to the LoginContext constructor)
         login = 
-          new LoginContext(HadoopConfiguration.KEYTAB_KERBEROS_CONFIG_NAME, 
+          newLoginContext(HadoopConfiguration.KEYTAB_KERBEROS_CONFIG_NAME, 
                            getSubject());
         LOG.info("Initiating re-login for " + keytabPrincipal);
         start = System.currentTimeMillis();
@@ -976,11 +997,10 @@ public class UserGroupInformation {
    */
   @Override
   public String toString() {
-    if (getRealUser() != null) {
-      return getUserName() + " via " +  getRealUser().toString();
-    } else {
-      return getUserName();
-    }
+    String me = (getRealUser() != null)
+      ? getUserName() + " via " +  getRealUser().toString()
+      : getUserName();
+    return me + " (auth:"+getAuthenticationMethod()+")";
   }
 
   /**
@@ -1039,6 +1059,7 @@ public class UserGroupInformation {
    * @return the value from the run method
    */
   public <T> T doAs(PrivilegedAction<T> action) {
+    logPriviledgedAction(subject, action);
     return Subject.doAs(subject, action);
   }
   
@@ -1056,9 +1077,11 @@ public class UserGroupInformation {
   public <T> T doAs(PrivilegedExceptionAction<T> action
                     ) throws IOException, InterruptedException {
     try {
+      logPriviledgedAction(subject, action);
       return Subject.doAs(subject, action);
     } catch (PrivilegedActionException pae) {
       Throwable cause = pae.getCause();
+      LOG.error("PriviledgedActionException as:"+this+" cause:"+cause);
       if (cause instanceof IOException) {
         throw (IOException) cause;
       } else if (cause instanceof Error) {
@@ -1073,6 +1096,14 @@ public class UserGroupInformation {
     }
   }
 
+  private void logPriviledgedAction(Subject subject, Object action) {
+    if (LOG.isDebugEnabled()) {
+      // would be nice if action included a descriptive toString()
+      String where = new Throwable().getStackTrace()[2].toString();
+      LOG.debug("PriviledgedAction as:"+this+" from:"+where);
+    }
+  }
+
   private void print() throws IOException {
     System.out.println("User: " + getUserName());
     System.out.print("Group Ids: ");

src/core/org/apache/hadoop/security/authentication/client/KerberosAuthenticator.java

@@ -110,10 +110,6 @@ public class KerberosAuthenticator implements Authenticator {
     }
   }
 
-  static {
-    javax.security.auth.login.Configuration.setConfiguration(new KerberosConfiguration());
-  }
-
   private URL url;
   private HttpURLConnection conn;
   private Base64 base64;
@@ -187,7 +183,8 @@ public class KerberosAuthenticator implements Authenticator {
       Subject subject = Subject.getSubject(context);
       if (subject == null) {
         subject = new Subject();
-        LoginContext login = new LoginContext("", subject);
+        LoginContext login = new LoginContext("", subject,
+            null, new KerberosConfiguration());
         login.login();
       }
       Subject.doAs(subject, new PrivilegedExceptionAction<Void>() {

src/test/org/apache/hadoop/security/TestUserGroupInformation.java

@@ -31,6 +31,9 @@ import java.security.PrivilegedExceptionAction;
 import java.util.ArrayList;
 import java.util.Collection;
 import java.util.List;
+
+import javax.security.auth.login.AppConfigurationEntry;
+
 import junit.framework.Assert;
 
 import org.apache.hadoop.conf.Configuration;
@@ -49,7 +52,22 @@ public class TestUserGroupInformation {
   final private static String[] GROUP_NAMES = 
     new String[]{GROUP1_NAME, GROUP2_NAME, GROUP3_NAME};
 
+  // UGI should not use the default security conf, else it will collide
+  // with other classes that may change the default conf.  Using this dummy
+  // class that simply throws an exception will ensure that the tests fail
+  // if UGI uses the static default config instead of its own config
+  private static class DummyLoginConfiguration extends
+    javax.security.auth.login.Configuration
+  {
+    @Override
+    public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
+      throw new RuntimeException("UGI is not using its own security conf!");
+    } 
+  }
+  
   static {
+    javax.security.auth.login.Configuration.setConfiguration(
+    		new DummyLoginConfiguration());
     Configuration conf = new Configuration();
     conf.set("hadoop.security.auth_to_local",
         "RULE:[2:$1@$0](.*@HADOOP.APACHE.ORG)s/@.*//" +