Hadoop Common / HADOOP-7070

JAAS configuration should delegate unknown application names to pre-existing configuration

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: 0.22.0, 0.23.0
    • Fix Version/s: 0.22.0
    • Component/s: security
    • Labels: None
    • Hadoop Flags: Reviewed

      Description

      As reported here: https://issues.cloudera.org/browse/DISTRO-66 it is impossible to use secured Hadoop inside an application that relies on other JAAS configurations. This is because the static initializer of UserGroupInformation replaces the JAAS configuration, but we don't delegate unknown applications up to whatever Configuration was installed previously. The delegation technique seems to be used by JBoss's XMLLoginConfigImpl for example.

      1. hadoop-7070.2.txt
        5 kB
        Todd Lipcon
      2. hadoop-7070.txt
        5 kB
        Todd Lipcon
      3. hadoop-7070.txt
        6 kB
        Todd Lipcon

          Activity

          Todd Lipcon added a comment -

          This should fix it - I did a similar version of this patch for our 20 branch and it fixed the user's issue.

          Hadoop QA added a comment -

          +1 overall. Here are the results of testing the latest attachment
          http://issues.apache.org/jira/secure/attachment/12466675/hadoop-7070.txt
          against trunk revision 1050070.

          +1 @author. The patch does not contain any @author tags.

          +1 tests included. The patch appears to include 3 new or modified tests.

          +1 javadoc. The javadoc tool did not generate any warning messages.

          +1 javac. The applied patch does not increase the total number of javac compiler warnings.

          +1 findbugs. The patch does not introduce any new Findbugs (version 1.3.9) warnings.

          +1 release audit. The applied patch does not increase the total number of release audit warnings.

          +1 core tests. The patch passed core unit tests.

          +1 contrib tests. The patch passed contrib unit tests.

          +1 system test framework. The patch passed system test framework compile.

          Test results: https://hudson.apache.org/hudson/job/PreCommit-HADOOP-Build/143//testReport/
          Findbugs warnings: https://hudson.apache.org/hudson/job/PreCommit-HADOOP-Build/143//artifact/trunk/build/test/findbugs/newPatchFindbugsWarnings.html
          Console output: https://hudson.apache.org/hudson/job/PreCommit-HADOOP-Build/143//console

          This message is automatically generated.

          Todd Lipcon added a comment -

          Same patch, simpler unit test.

          Hadoop QA added a comment -

          +1 overall. Here are the results of testing the latest attachment
          http://issues.apache.org/jira/secure/attachment/12466684/hadoop-7070.txt
          against trunk revision 1050070.

          +1 @author. The patch does not contain any @author tags.

          +1 tests included. The patch appears to include 3 new or modified tests.

          +1 javadoc. The javadoc tool did not generate any warning messages.

          +1 javac. The applied patch does not increase the total number of javac compiler warnings.

          +1 findbugs. The patch does not introduce any new Findbugs (version 1.3.9) warnings.

          +1 release audit. The applied patch does not increase the total number of release audit warnings.

          +1 core tests. The patch passed core unit tests.

          +1 contrib tests. The patch passed contrib unit tests.

          +1 system test framework. The patch passed system test framework compile.

          Test results: https://hudson.apache.org/hudson/job/PreCommit-HADOOP-Build/144//testReport/
          Findbugs warnings: https://hudson.apache.org/hudson/job/PreCommit-HADOOP-Build/144//artifact/trunk/build/test/findbugs/newPatchFindbugsWarnings.html
          Console output: https://hudson.apache.org/hudson/job/PreCommit-HADOOP-Build/144//console

          This message is automatically generated.

          Owen O'Malley added a comment -

          Todd, this looks like the right direction. In the future, you should copy the issue into Hadoop's jira instead of just posting a link to Cloudera's jira.

          About the patch, it seems like if you are setting up this kind of chaining, you should have a way of unregistering the configuration when the app is unloaded. (Although I don't have any experience with Glassfish...)

          Todd Lipcon added a comment -

          Hi Owen. I don't think there is any real way to hook into unloading here - there is no "static finalizer" concept, and I also don't know enough about J2EE to know if there are any other hooks available.

          The patch here addresses a critical bug and is simple. If we run into problems with unloading in the future we can address that separately?

          Owen O'Malley added a comment -

          How about a simple check to see if it is already a Hadoop configuration and skip the install in that case?

          Todd Lipcon added a comment -

          Sure, here's an updated patch.

          Hadoop QA added a comment -

          +1 overall. Here are the results of testing the latest attachment
          http://issues.apache.org/jira/secure/attachment/12466853/hadoop-7070.2.txt
          against trunk revision 1051659.

          +1 @author. The patch does not contain any @author tags.

          +1 tests included. The patch appears to include 3 new or modified tests.

          +1 javadoc. The javadoc tool did not generate any warning messages.

          +1 javac. The applied patch does not increase the total number of javac compiler warnings.

          +1 findbugs. The patch does not introduce any new Findbugs (version 1.3.9) warnings.

          +1 release audit. The applied patch does not increase the total number of release audit warnings.

          +1 core tests. The patch passed core unit tests.

          +1 contrib tests. The patch passed contrib unit tests.

          +1 system test framework. The patch passed system test framework compile.

          Test results: https://hudson.apache.org/hudson/job/PreCommit-HADOOP-Build/147//testReport/
          Findbugs warnings: https://hudson.apache.org/hudson/job/PreCommit-HADOOP-Build/147//artifact/trunk/build/test/findbugs/newPatchFindbugsWarnings.html
          Console output: https://hudson.apache.org/hudson/job/PreCommit-HADOOP-Build/147//console

          This message is automatically generated.

          Todd Lipcon added a comment -

          Owen, do you think this looks good at this point?

          Owen O'Malley added a comment -

          +1

          Todd Lipcon added a comment -

          Committed to trunk and 0.22

          Hudson added a comment -

          Integrated in Hadoop-Common-trunk #569 (See https://hudson.apache.org/hudson/job/Hadoop-Common-trunk/569/)
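
The delegation asked for in the description, together with the already-installed check suggested in the comments, sketched as an added example (not the attached patch or Hadoop's own code). `DelegatingJaasConfig`, the application names and the login-module class names are hypothetical.

```java
import java.util.Collections;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;

// Hypothetical class: answers for its own application name, delegates the rest.
public class DelegatingJaasConfig extends Configuration {
    static final String OWN_APP = "example-own-login"; // constructed name
    private final Configuration parent;                // null if none existed
    DelegatingJaasConfig(Configuration parent) { this.parent = parent; }
    // One-module entry list; the module class names used here are placeholders.
    static AppConfigurationEntry[] entries(String moduleClass) {
        return new AppConfigurationEntry[] { new AppConfigurationEntry(moduleClass,
            AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
            Collections.<String, Object>emptyMap()) };
    }

    @Override
    public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
        if (OWN_APP.equals(name)) return entries("com.example.OwnLoginModule");
        // Unknown name: ask whatever was installed before us, if anything.
        return parent == null ? null : parent.getAppConfigurationEntry(name);
    }

    // Idempotent install: never wrap an instance of this class in another one.
    static synchronized void install() {
        Configuration existing = null;
        try {
            existing = Configuration.getConfiguration();
        } catch (SecurityException e) {
            // No prior JAAS configuration could be loaded: nothing to delegate to.
        }
        if (!(existing instanceof DelegatingJaasConfig)) {
            Configuration.setConfiguration(new DelegatingJaasConfig(existing));
        }
    }

    public static void main(String[] args) {
        // Constructed stand-in for a container's pre-existing configuration.
        Configuration.setConfiguration(new Configuration() {
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return "container-app".equals(name) ? entries("com.example.ContainerModule") : null;
            }
        });
        install(); install(); // the second call keeps the first wrapper in place
        Configuration c = Configuration.getConfiguration();
        for (String app : new String[] {OWN_APP, "container-app", "unknown-app"})
            System.out.println(app + " -> " + (c.getAppConfigurationEntry(app) != null));
    }
}
```

Returning `null` for a name that neither configuration knows follows the `Configuration.getAppConfigurationEntry` contract for "no entries".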


            People

            • Assignee: Todd Lipcon
            • Reporter: Todd Lipcon
            • Votes: 0
            • Watchers: 7
