Uploaded image for project: 'Hadoop Common'
  1. Hadoop Common
  2. HADOOP-11267

TestSecurityUtil fails when run with JDK8 because of empty principal names

    Details

    • Target Version/s:
    • Hadoop Flags:
      Reviewed

      Description

      Running TestSecurityUtil on JDK8 will fail:

      java.lang.IllegalArgumentException: Empty nameString not allowed
      	at sun.security.krb5.PrincipalName.validateNameStrings(PrincipalName.java:171)
      	at sun.security.krb5.PrincipalName.<init>(PrincipalName.java:393)
      	at sun.security.krb5.PrincipalName.<init>(PrincipalName.java:460)
      	at javax.security.auth.kerberos.KerberosPrincipal.<init>(KerberosPrincipal.java:120)
      	at org.apache.hadoop.security.TestSecurityUtil.isOriginalTGTReturnsCorrectValues(TestSecurityUtil.java:57)
      

      In JDK8, PrincipalName checks that its name is not empty and throws an IllegalArgumentException if it is empty. This didn't happen in JDK6/7.

      1. HADOOP-11267.4.patch
        1 kB
        Stephen Chu
      2. HADOOP-11267.2.patch
        2 kB
        Stephen Chu
      3. HADOOP-11267.2.patch
        2 kB
        Stephen Chu
      4. HADOOP-11267.1.patch
        2 kB
        Stephen Chu

        Activity

        Hide
        schu Stephen Chu added a comment -

        Submitting a patch that catches the IllegalArgumentException and verifies that it is the one we expect.

        Ran the test successfully on JDK 6, 7, and 8.

        Show
        schu Stephen Chu added a comment - Submitting a patch that catches the IllegalArgumentException and verifies that it is the one we expect. Ran the test successfully on JDK 6, 7, and 8.
        Hide
        hadoopqa Hadoop QA added a comment -

        +1 overall. Here are the results of testing the latest attachment
        http://issues.apache.org/jira/secure/attachment/12679357/HADOOP-11267.1.patch
        against trunk revision 73e6012.

        +1 @author. The patch does not contain any @author tags.

        +1 tests included. The patch appears to include 1 new or modified test files.

        +1 javac. The applied patch does not increase the total number of javac compiler warnings.

        +1 javadoc. There were no new javadoc warning messages.

        +1 eclipse:eclipse. The patch built with eclipse:eclipse.

        +1 findbugs. The patch does not introduce any new Findbugs (version 2.0.3) warnings.

        +1 release audit. The applied patch does not increase the total number of release audit warnings.

        +1 core tests. The patch passed unit tests in hadoop-common-project/hadoop-common.

        +1 contrib tests. The patch passed contrib unit tests.

        Test results: https://builds.apache.org/job/PreCommit-HADOOP-Build/5029//testReport/
        Console output: https://builds.apache.org/job/PreCommit-HADOOP-Build/5029//console

        This message is automatically generated.

        Show
        hadoopqa Hadoop QA added a comment - +1 overall . Here are the results of testing the latest attachment http://issues.apache.org/jira/secure/attachment/12679357/HADOOP-11267.1.patch against trunk revision 73e6012. +1 @author . The patch does not contain any @author tags. +1 tests included . The patch appears to include 1 new or modified test files. +1 javac . The applied patch does not increase the total number of javac compiler warnings. +1 javadoc . There were no new javadoc warning messages. +1 eclipse:eclipse . The patch built with eclipse:eclipse. +1 findbugs . The patch does not introduce any new Findbugs (version 2.0.3) warnings. +1 release audit . The applied patch does not increase the total number of release audit warnings. +1 core tests . The patch passed unit tests in hadoop-common-project/hadoop-common. +1 contrib tests . The patch passed contrib unit tests. Test results: https://builds.apache.org/job/PreCommit-HADOOP-Build/5029//testReport/ Console output: https://builds.apache.org/job/PreCommit-HADOOP-Build/5029//console This message is automatically generated.
        Hide
        wheat9 Haohui Mai added a comment - - edited
        +    try {
        +      assertFalse(SecurityUtil.isTGSPrincipal
        +          (new KerberosPrincipal("/@")));
        +    } catch (IllegalArgumentException iae) {
        +      // Same as above. In recent JDK versions, an IllegalArgumentException
        +      // is thrown if the principal name is empty.
        +      GenericTestUtils.assertExceptionContains("Empty nameString not allowed", iae);
        +    }
        

        Maybe it makes more sense to remove the assertions instead of catching the Exception as the check does not offer much value.

        Show
        wheat9 Haohui Mai added a comment - - edited + try { + assertFalse(SecurityUtil.isTGSPrincipal + ( new KerberosPrincipal( "/@" ))); + } catch (IllegalArgumentException iae) { + // Same as above. In recent JDK versions, an IllegalArgumentException + // is thrown if the principal name is empty. + GenericTestUtils.assertExceptionContains( "Empty nameString not allowed" , iae); + } Maybe it makes more sense to remove the assertions instead of catching the Exception as the check does not offer much value.
        Hide
        schu Stephen Chu added a comment -

        Thanks for the review, Haohui Mai. That makes sense. Submitting a new patch that removes the assertions.

        Show
        schu Stephen Chu added a comment - Thanks for the review, Haohui Mai . That makes sense. Submitting a new patch that removes the assertions.
        Hide
        schu Stephen Chu added a comment -

        Arg, forgot to remove the unnecessary import. Will submit another patch.

        Show
        schu Stephen Chu added a comment - Arg, forgot to remove the unnecessary import. Will submit another patch.
        Hide
        hadoopqa Hadoop QA added a comment -

        -1 overall. Here are the results of testing the latest attachment
        http://issues.apache.org/jira/secure/attachment/12679605/HADOOP-11267.2.patch
        against trunk revision bc80251.

        +1 @author. The patch does not contain any @author tags.

        +1 tests included. The patch appears to include 1 new or modified test files.

        +1 javac. The applied patch does not increase the total number of javac compiler warnings.

        +1 javadoc. There were no new javadoc warning messages.

        +1 eclipse:eclipse. The patch built with eclipse:eclipse.

        +1 findbugs. The patch does not introduce any new Findbugs (version 2.0.3) warnings.

        +1 release audit. The applied patch does not increase the total number of release audit warnings.

        -1 core tests. The patch failed these unit tests in hadoop-common-project/hadoop-common:

        org.apache.hadoop.ha.TestZKFailoverControllerStress

        +1 contrib tests. The patch passed contrib unit tests.

        Test results: https://builds.apache.org/job/PreCommit-HADOOP-Build/5035//testReport/
        Console output: https://builds.apache.org/job/PreCommit-HADOOP-Build/5035//console

        This message is automatically generated.

        Show
        hadoopqa Hadoop QA added a comment - -1 overall . Here are the results of testing the latest attachment http://issues.apache.org/jira/secure/attachment/12679605/HADOOP-11267.2.patch against trunk revision bc80251. +1 @author . The patch does not contain any @author tags. +1 tests included . The patch appears to include 1 new or modified test files. +1 javac . The applied patch does not increase the total number of javac compiler warnings. +1 javadoc . There were no new javadoc warning messages. +1 eclipse:eclipse . The patch built with eclipse:eclipse. +1 findbugs . The patch does not introduce any new Findbugs (version 2.0.3) warnings. +1 release audit . The applied patch does not increase the total number of release audit warnings. -1 core tests . The patch failed these unit tests in hadoop-common-project/hadoop-common: org.apache.hadoop.ha.TestZKFailoverControllerStress +1 contrib tests . The patch passed contrib unit tests. Test results: https://builds.apache.org/job/PreCommit-HADOOP-Build/5035//testReport/ Console output: https://builds.apache.org/job/PreCommit-HADOOP-Build/5035//console This message is automatically generated.
        Hide
        wheat9 Haohui Mai added a comment -
        +      assertFalse(SecurityUtil.isTGSPrincipal
        +          (new KerberosPrincipal("")));
        

        I should have explained more clear – I think we might just remove this line as this is no longer a valid use case for newer JDK.

        Show
        wheat9 Haohui Mai added a comment - + assertFalse(SecurityUtil.isTGSPrincipal + ( new KerberosPrincipal(""))); I should have explained more clear – I think we might just remove this line as this is no longer a valid use case for newer JDK.
        Hide
        schu Stephen Chu added a comment -

        Thanks for the clarification, Haohui Mai. Attaching new patch that removes those test cases.

        Show
        schu Stephen Chu added a comment - Thanks for the clarification, Haohui Mai . Attaching new patch that removes those test cases.
        Hide
        hadoopqa Hadoop QA added a comment -

        +1 overall. Here are the results of testing the latest attachment
        http://issues.apache.org/jira/secure/attachment/12679636/HADOOP-11267.4.patch
        against trunk revision bc80251.

        +1 @author. The patch does not contain any @author tags.

        +1 tests included. The patch appears to include 1 new or modified test files.

        +1 javac. The applied patch does not increase the total number of javac compiler warnings.

        +1 javadoc. There were no new javadoc warning messages.

        +1 eclipse:eclipse. The patch built with eclipse:eclipse.

        +1 findbugs. The patch does not introduce any new Findbugs (version 2.0.3) warnings.

        +1 release audit. The applied patch does not increase the total number of release audit warnings.

        +1 core tests. The patch passed unit tests in hadoop-common-project/hadoop-common.

        +1 contrib tests. The patch passed contrib unit tests.

        Test results: https://builds.apache.org/job/PreCommit-HADOOP-Build/5037//testReport/
        Console output: https://builds.apache.org/job/PreCommit-HADOOP-Build/5037//console

        This message is automatically generated.

        Show
        hadoopqa Hadoop QA added a comment - +1 overall . Here are the results of testing the latest attachment http://issues.apache.org/jira/secure/attachment/12679636/HADOOP-11267.4.patch against trunk revision bc80251. +1 @author . The patch does not contain any @author tags. +1 tests included . The patch appears to include 1 new or modified test files. +1 javac . The applied patch does not increase the total number of javac compiler warnings. +1 javadoc . There were no new javadoc warning messages. +1 eclipse:eclipse . The patch built with eclipse:eclipse. +1 findbugs . The patch does not introduce any new Findbugs (version 2.0.3) warnings. +1 release audit . The applied patch does not increase the total number of release audit warnings. +1 core tests . The patch passed unit tests in hadoop-common-project/hadoop-common. +1 contrib tests . The patch passed contrib unit tests. Test results: https://builds.apache.org/job/PreCommit-HADOOP-Build/5037//testReport/ Console output: https://builds.apache.org/job/PreCommit-HADOOP-Build/5037//console This message is automatically generated.
        Hide
        wheat9 Haohui Mai added a comment -

        +1. I'll commit it shortly.

        Show
        wheat9 Haohui Mai added a comment - +1. I'll commit it shortly.
        Hide
        wheat9 Haohui Mai added a comment -

        I've committed the patch to trunk and branch-2. Thanks Stephen Chu for the contribution.

        Show
        wheat9 Haohui Mai added a comment - I've committed the patch to trunk and branch-2. Thanks Stephen Chu for the contribution.
        Hide
        hudson Hudson added a comment -

        FAILURE: Integrated in Hadoop-trunk-Commit #6458 (See https://builds.apache.org/job/Hadoop-trunk-Commit/6458/)
        HADOOP-11267. TestSecurityUtil fails when run with JDK8 because of empty principal names. Contributed by Stephen Chu. (wheat9: rev 8549fa5dc95d3e94e49c9b92734aec0509693a2a)

        • hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestSecurityUtil.java
        • hadoop-common-project/hadoop-common/CHANGES.txt
        Show
        hudson Hudson added a comment - FAILURE: Integrated in Hadoop-trunk-Commit #6458 (See https://builds.apache.org/job/Hadoop-trunk-Commit/6458/ ) HADOOP-11267 . TestSecurityUtil fails when run with JDK8 because of empty principal names. Contributed by Stephen Chu. (wheat9: rev 8549fa5dc95d3e94e49c9b92734aec0509693a2a) hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestSecurityUtil.java hadoop-common-project/hadoop-common/CHANGES.txt
        Hide
        schu Stephen Chu added a comment -

        Thanks a lot for the reviews and commit, Haohui Mai!

        Show
        schu Stephen Chu added a comment - Thanks a lot for the reviews and commit, Haohui Mai !
        Hide
        hudson Hudson added a comment -

        SUCCESS: Integrated in Hadoop-Yarn-trunk #735 (See https://builds.apache.org/job/Hadoop-Yarn-trunk/735/)
        HADOOP-11267. TestSecurityUtil fails when run with JDK8 because of empty principal names. Contributed by Stephen Chu. (wheat9: rev 8549fa5dc95d3e94e49c9b92734aec0509693a2a)

        • hadoop-common-project/hadoop-common/CHANGES.txt
        • hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestSecurityUtil.java
        Show
        hudson Hudson added a comment - SUCCESS: Integrated in Hadoop-Yarn-trunk #735 (See https://builds.apache.org/job/Hadoop-Yarn-trunk/735/ ) HADOOP-11267 . TestSecurityUtil fails when run with JDK8 because of empty principal names. Contributed by Stephen Chu. (wheat9: rev 8549fa5dc95d3e94e49c9b92734aec0509693a2a) hadoop-common-project/hadoop-common/CHANGES.txt hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestSecurityUtil.java
        Hide
        hudson Hudson added a comment -

        SUCCESS: Integrated in Hadoop-Hdfs-trunk #1925 (See https://builds.apache.org/job/Hadoop-Hdfs-trunk/1925/)
        HADOOP-11267. TestSecurityUtil fails when run with JDK8 because of empty principal names. Contributed by Stephen Chu. (wheat9: rev 8549fa5dc95d3e94e49c9b92734aec0509693a2a)

        • hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestSecurityUtil.java
        • hadoop-common-project/hadoop-common/CHANGES.txt
        Show
        hudson Hudson added a comment - SUCCESS: Integrated in Hadoop-Hdfs-trunk #1925 (See https://builds.apache.org/job/Hadoop-Hdfs-trunk/1925/ ) HADOOP-11267 . TestSecurityUtil fails when run with JDK8 because of empty principal names. Contributed by Stephen Chu. (wheat9: rev 8549fa5dc95d3e94e49c9b92734aec0509693a2a) hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestSecurityUtil.java hadoop-common-project/hadoop-common/CHANGES.txt
        Hide
        hudson Hudson added a comment -

        FAILURE: Integrated in Hadoop-Mapreduce-trunk #1949 (See https://builds.apache.org/job/Hadoop-Mapreduce-trunk/1949/)
        HADOOP-11267. TestSecurityUtil fails when run with JDK8 because of empty principal names. Contributed by Stephen Chu. (wheat9: rev 8549fa5dc95d3e94e49c9b92734aec0509693a2a)

        • hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestSecurityUtil.java
        • hadoop-common-project/hadoop-common/CHANGES.txt
        Show
        hudson Hudson added a comment - FAILURE: Integrated in Hadoop-Mapreduce-trunk #1949 (See https://builds.apache.org/job/Hadoop-Mapreduce-trunk/1949/ ) HADOOP-11267 . TestSecurityUtil fails when run with JDK8 because of empty principal names. Contributed by Stephen Chu. (wheat9: rev 8549fa5dc95d3e94e49c9b92734aec0509693a2a) hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestSecurityUtil.java hadoop-common-project/hadoop-common/CHANGES.txt
        Hide
        sjlee0 Sangjin Lee added a comment -

        Cherry-picked the fix to branch-2.6.

        Show
        sjlee0 Sangjin Lee added a comment - Cherry-picked the fix to branch-2.6.

          People

          • Assignee:
            schu Stephen Chu
            Reporter:
            schu Stephen Chu
          • Votes:
            0 Vote for this issue
            Watchers:
            6 Start watching this issue

            Dates

            • Created:
              Updated:
              Resolved:

              Development