HADOOP-10982

hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/kms/KMSClientProvider.java

@@ -45,6 +45,7 @@ import java.io.InputStream;
 import java.io.OutputStream;
 import java.io.OutputStreamWriter;
 import java.io.Writer;
+import java.lang.reflect.UndeclaredThrowableException;
 import java.net.HttpURLConnection;
 import java.net.SocketTimeoutException;
 import java.net.URI;
@@ -400,6 +401,8 @@ public class KMSClientProvider extends KeyProvider implements CryptoExtension,
       });
     } catch (IOException ex) {
       throw ex;
+    } catch (UndeclaredThrowableException ex) {
+      throw new IOException(ex.getUndeclaredThrowable());
     } catch (Exception ex) {
       throw new IOException(ex);
     }

hadoop-common-project/hadoop-kms/src/site/apt/index.apt.vm

@@ -602,7 +602,31 @@ $ keytool -genkey -alias tomcat -keyalg RSA
 
 *** HTTP Kerberos Principals Configuration
 
-  TBD
+  When KMS instances are behind a load-balancer or VIP, clients will use the
+  hostname of the VIP. For Kerberos SPNEGO authentication, the hostname of the
+  URL is used to construct the Kerberos service name of the server,
+  <<<HTTP/#HOSTNAME#>>>. This means that all KMS instances must have have a
+  Kerberos service name with the load-balancer or VIP hostname.
+
+  In order to be able to access directly a specific KMS instance, the KMS
+  instance must also have Kebero service name with its own hostname. This is
+  require for monitoring and admin purposes.
+
+  Both Kerberos service principal credentials (for the load-balancer/VIP
+  hostname and for the actual KMS instance hostname) must be in the keytab file
+  configured for authentication. And the principal name specified in the
+  configuration must be '*'. For example:
+
++---+
+  <property>
+    <name>hadoop.kms.authentication.kerberos.principal</name>
+    <value>*</value>
+  </property>
++---+
+
+  <<NOTE:>> If using HTTPS, the SSL certificate used by the KMS instance must
+  be configured to support multiple hostnames (see Java 7
+  <<<keytool>> SAN extension support for details on how to do this).
 
 *** HTTP Authentication Signature
 

hadoop-common-project/hadoop-kms/src/test/java/org/apache/hadoop/crypto/key/kms/server/TestKMS.java

@@ -32,6 +32,7 @@ import org.apache.hadoop.minikdc.MiniKdc;
 import org.apache.hadoop.security.Credentials;
 import org.apache.hadoop.security.SecurityUtil;
 import org.apache.hadoop.security.UserGroupInformation;
+import org.apache.hadoop.security.authentication.client.AuthenticationException;
 import org.apache.hadoop.security.authorize.AuthorizationException;
 import org.apache.hadoop.security.ssl.KeyStoreTestUtil;
 import org.junit.AfterClass;
@@ -209,6 +210,7 @@ public class TestKMS {
     keytab = new File(kdcDir, "keytab");
     List<String> principals = new ArrayList<String>();
     principals.add("HTTP/localhost");
+    principals.add("HTTP/127.0.0.1");
     principals.add("client");
     principals.add("hdfs");
     principals.add("otheradmin");
@@ -251,8 +253,8 @@ public class TestKMS {
     }
   }
 
-  public void testStartStop(final boolean ssl, final boolean kerberos)
-      throws Exception {
+  public void testStartStop(final boolean ssl, final boolean kerberos,
+      final boolean multipleServerPrincipals) throws Exception {
     Configuration conf = new Configuration();
     if (kerberos) {
       conf.set("hadoop.security.authentication", "kerberos");
@@ -278,7 +280,12 @@ public class TestKMS {
       conf.set("hadoop.kms.authentication.type", "kerberos");
       conf.set("hadoop.kms.authentication.kerberos.keytab",
           keytab.getAbsolutePath());
-      conf.set("hadoop.kms.authentication.kerberos.principal", "HTTP/localhost");
+      if (multipleServerPrincipals) {
+        conf.set("hadoop.kms.authentication.kerberos.principal", "*");
+      } else {
+        conf.set("hadoop.kms.authentication.kerberos.principal",
+            "HTTP/localhost");
+      }
       conf.set("hadoop.kms.authentication.kerberos.name.rules", "DEFAULT");
     }
 
@@ -291,21 +298,42 @@ public class TestKMS {
         URL url = getKMSUrl();
         Assert.assertEquals(keystore != null,
             url.getProtocol().equals("https"));
-        final URI uri = createKMSUri(getKMSUrl());
 
         if (kerberos) {
           for (String user : new String[]{"client", "client/host"}) {
             doAs(user, new PrivilegedExceptionAction<Void>() {
               @Override
               public Void run() throws Exception {
-                final KeyProvider kp = new KMSClientProvider(uri, conf);
+                URI uri = createKMSUri(getKMSUrl());
+                KeyProvider kp = new KMSClientProvider(uri, conf);
                 // getKeys() empty
                 Assert.assertTrue(kp.getKeys().isEmpty());
+
+                if (!ssl) {
+                  String url = getKMSUrl().toString();
+                  url = url.replace("localhost", "127.0.0.1");
+                  uri = createKMSUri(new URL(url));
+                  if (multipleServerPrincipals) {
+                    kp = new KMSClientProvider(uri, conf);
+                    // getKeys() empty
+                    Assert.assertTrue(kp.getKeys().isEmpty());
+                  } else {
+                    kp = new KMSClientProvider(uri, conf);
+                    try {
+                      kp.getKeys().isEmpty();
+                      Assert.fail();
+                    } catch (IOException ex) {
+                      Assert.assertEquals(AuthenticationException.class,
+                          ex.getCause().getClass());
+                    }
+                  }
+                }
                 return null;
               }
             });
           }
         } else {
+          URI uri = createKMSUri(getKMSUrl());
           KeyProvider kp = new KMSClientProvider(uri, conf);
           // getKeys() empty
           Assert.assertTrue(kp.getKeys().isEmpty());
@@ -317,22 +345,27 @@ public class TestKMS {
 
   @Test
   public void testStartStopHttpPseudo() throws Exception {
-    testStartStop(false, false);
+    testStartStop(false, false, false);
   }
 
   @Test
   public void testStartStopHttpsPseudo() throws Exception {
-    testStartStop(true, false);
+    testStartStop(true, false, false);
   }
 
   @Test
   public void testStartStopHttpKerberos() throws Exception {
-    testStartStop(false, true);
+    testStartStop(false, true, false);
   }
 
   @Test
   public void testStartStopHttpsKerberos() throws Exception {
-    testStartStop(true, true);
+    testStartStop(true, true, false);
+  }
+
+  @Test
+  public void testStartStopHttpsKerberosMultiplePrincipals() throws Exception {
+    testStartStop(false, true, true);
   }
 
   @Test
@@ -1340,7 +1373,8 @@ public class TestKMS {
           KeyProvider kp = new KMSClientProvider(uri, conf);
           kp.createKey("kA", new KeyProvider.Options(conf));
         } catch (IOException ex) {
-          System.out.println(ex.getMessage());
+          Assert.assertEquals(AuthenticationException.class,
+              ex.getCause().getClass());
         }
 
         doAs("client", new PrivilegedExceptionAction<Void>() {