diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-registry/src/main/java/org/apache/hadoop/registry/client/impl/zk/RegistrySecurity.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-registry/src/main/java/org/apache/hadoop/registry/client/impl/zk/RegistrySecurity.java index 1c75e43987e8c..c943cc395110f 100644 --- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-registry/src/main/java/org/apache/hadoop/registry/client/impl/zk/RegistrySecurity.java +++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-registry/src/main/java/org/apache/hadoop/registry/client/impl/zk/RegistrySecurity.java @@ -142,21 +142,21 @@ private enum AccessPolicy { public static final List WorldReadWriteACL; static { - List acls = new ArrayList(); + List acls = new ArrayList<>(); acls.add(ALL_READWRITE_ACCESS); - WorldReadWriteACL = new CopyOnWriteArrayList(acls); + WorldReadWriteACL = new CopyOnWriteArrayList<>(acls); } /** * the list of system ACLs */ - private final List systemACLs = new ArrayList(); + private final List systemACLs = new ArrayList<>(); /** * A list of digest ACLs which can be added to permissions * —and cleared later. */ - private final List digestACLs = new ArrayList(); + private final List digestACLs = new ArrayList<>(); /** * the default kerberos realm @@ -366,7 +366,7 @@ public List getSystemACLs() { * @return the client ACLs */ public List getClientACLs() { - List clientACLs = new ArrayList(systemACLs); + List clientACLs = new ArrayList<>(systemACLs); clientACLs.addAll(digestACLs); return clientACLs; } @@ -552,7 +552,7 @@ public Id parse(String idPair, String realm) { public List buildACLs(String principalList, String realm, int perms) throws IOException { List aclPairs = splitAclPairs(principalList, realm); - List ids = new ArrayList(aclPairs.size()); + List ids = new ArrayList<>(aclPairs.size()); for (String aclPair : aclPairs) { ACL newAcl = new ACL(); newAcl.setId(parse(aclPair, realm)); 
@@ -674,10 +674,14 @@ public static void clearJaasSystemProperties() { * Resolve the context of an entry. This is an effective test of * JAAS setup, because it will relay detected problems up * @param context context name + * @param raiseExceptionOnFailure should an error be raised + * if the context could not be found * @return the entry - * @throws RuntimeException if there is no context entry found + * @throws RuntimeException if there is no context entry found and + * {@code raiseExceptionOnFailure == true} */ - public static AppConfigurationEntry[] validateContext(String context) { + public static AppConfigurationEntry[] validateContext(String context, + boolean raiseExceptionOnFailure) { if (context == null) { throw new RuntimeException("Null context argument"); } @@ -689,11 +693,16 @@ public static AppConfigurationEntry[] validateContext(String context) { AppConfigurationEntry[] entries = configuration.getAppConfigurationEntry(context); if (entries == null) { - throw new RuntimeException( - String.format("Entry \"%s\" not found; " + - "JAAS config = %s", - context, - describeProperty(Environment.JAAS_CONF_KEY) )); + String message = String.format("Entry \"%s\" not found; " + + "JAAS config = %s", + context, + describeProperty(Environment.JAAS_CONF_KEY)); + if (raiseExceptionOnFailure) { + throw new RuntimeException(message); + } else { + LOG.error(message); + entries = new AppConfigurationEntry[0]; + } } return entries; } @@ -735,7 +744,7 @@ public void applySecurityEnvironment(CuratorFrameworkFactory.Builder builder) { */ public static void setZKSaslClientProperties(String username, String context) { - RegistrySecurity.validateContext(context); + validateContext(context, false); enableZookeeperClientSASL(); System.setProperty(PROP_ZK_SASL_CLIENT_USERNAME, username); System.setProperty(PROP_ZK_SASL_CLIENT_CONTEXT, context); 
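Review bot: The revised `@throws` on validateContext says a RuntimeException is raised only when `raiseExceptionOnFailure` is true, but the `context == null` check at the top of the method still throws regardless of the flag. `@return the entry` also omits the empty array that the non-raising path now returns. I would word them as `@return the entries; an empty array if the context was not found and {@code raiseExceptionOnFailure} is false` and `@throws RuntimeException if {@code context} is null, or if no entry is found and {@code raiseExceptionOnFailure} is true`. The one-argument public overload also disappears with this signature change; if anything outside the files in this diff calls it, a delegating `validateContext(String context)` that passes `true` would keep those callers compiling. The method body continues into the next hunk.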
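Review bot: In setZKSaslClientProperties the result of `validateContext(context, false)` is discarded, so when the JAAS entry is missing the method still calls `enableZookeeperClientSASL()` and sets `PROP_ZK_SASL_CLIENT_CONTEXT` to a context that could not be resolved. The only trace is a single ERROR log line. What the ZooKeeper client does with an unresolvable context is decided outside this hunk, so this downgrade from a hard failure on a security setup path should be justified where it happens. If tolerating a missing entry is intended, say so in the method Javadoc, for example `A missing JAAS context is logged at ERROR but is not fatal here; the SASL client properties are still set.`; otherwise keep the strict form, `validateContext(context, true);`. The method body continues past the end of the hunk.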
@@ -776,21 +785,6 @@ public static boolean isClientSASLEnabled() { ZookeeperConfigOptions.PROP_ZK_ENABLE_SASL_CLIENT, "true")); } - /** - * Log details about the current Hadoop user at INFO. - * Robust against IOEs when trying to get the current user - */ - public void logCurrentHadoopUser() { - try { - UserGroupInformation currentUser = UserGroupInformation.getCurrentUser(); - LOG.info("Current user = {}",currentUser); - UserGroupInformation realUser = currentUser.getRealUser(); - LOG.info("Real User = {}" , realUser); - } catch (IOException e) { - LOG.warn("Failed to get current user {}, {}", e); - } - } - /** * Stringify a list of ACLs for logging. Digest ACLs have their * digest values stripped for security. @@ -901,14 +895,8 @@ private static String describeProperty(String name, String def) { public static String getDefaultRealmInJVM() { try { return KerberosUtil.getDefaultRealm(); - // JDK7 - } catch (ClassNotFoundException ignored) { - // ignored - } catch (NoSuchMethodException ignored) { - // ignored - } catch (IllegalAccessException ignored) { - // ignored - } catch (InvocationTargetException ignored) { + } catch (ClassNotFoundException | NoSuchMethodException + | InvocationTargetException | IllegalAccessException ignored) { // ignored } return ""; @@ -922,7 +910,7 @@ public static String getDefaultRealmInJVM() { */ public ACL createACLForUser(UserGroupInformation ugi, int perms) { if (LOG.isDebugEnabled()) { - LOG.debug("Creating ACL For ", new UgiInfo(ugi)); + LOG.debug("Creating ACL For {}", new UgiInfo(ugi)); } if (!secureRegistry) { return ALL_READWRITE_ACCESS; 
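Review bot: The collapsed multi-catch in getDefaultRealmInJVM still swallows all four reflection failures behind a bare `// ignored`, so a caller that receives `""` cannot tell "no default realm configured" from "the realm lookup itself failed". Unless the Javadoc above the hunk already explains this, a why-comment would make the intent reviewable, e.g. `// no default realm could be resolved in this JVM; callers get ""`. A `LOG.debug("Default realm lookup failed", ignored);` in the handler would also leave a trace for diagnosing realm problems. The start of the method is outside the hunk.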
@@ -979,7 +967,8 @@ public String toString() { builder.append(" hasKerberosCredentials=").append( ugi.hasKerberosCredentials()); builder.append(" isFromKeytab=").append(ugi.isFromKeytab()); - builder.append(" kerberos is enabled in Hadoop =").append(UserGroupInformation.isSecurityEnabled()); + builder.append(" kerberos is enabled in Hadoop =") + .append(UserGroupInformation.isSecurityEnabled()); return builder.toString(); } diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-registry/src/main/java/org/apache/hadoop/registry/server/services/MicroZookeeperService.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-registry/src/main/java/org/apache/hadoop/registry/server/services/MicroZookeeperService.java index 88e9d67b79d72..8d11696f26afd 100644 --- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-registry/src/main/java/org/apache/hadoop/registry/server/services/MicroZookeeperService.java +++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-registry/src/main/java/org/apache/hadoop/registry/server/services/MicroZookeeperService.java @@ -198,7 +198,7 @@ public boolean setupSecurity() throws IOException { String jaasContext = conf.getTrimmed(KEY_REGISTRY_ZKSERVICE_JAAS_CONTEXT); secureServer = StringUtils.isNotEmpty(jaasContext); if (secureServer) { - RegistrySecurity.validateContext(jaasContext); + RegistrySecurity.validateContext(jaasContext, true); RegistrySecurity.bindZKToServerJAASContext(jaasContext); // policy on failed auth System.setProperty(PROP_ZK_ALLOW_FAILED_SASL_CLIENTS, diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-registry/src/test/java/org/apache/hadoop/registry/secure/AbstractSecureRegistryTest.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-registry/src/test/java/org/apache/hadoop/registry/secure/AbstractSecureRegistryTest.java index 14a950d29347d..072061ccc33d5 100644 --- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-registry/src/test/java/org/apache/hadoop/registry/secure/AbstractSecureRegistryTest.java 
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-registry/src/test/java/org/apache/hadoop/registry/secure/AbstractSecureRegistryTest.java @@ -281,7 +281,7 @@ protected static MicroZookeeperService createSecureZKInstance(String name) System.setProperty( ZookeeperConfigOptions.PROP_ZK_SERVER_MAINTAIN_CONNECTION_DESPITE_SASL_FAILURE, "false"); - RegistrySecurity.validateContext(context); + RegistrySecurity.validateContext(context, true); conf.set(MicroZookeeperServiceKeys.KEY_REGISTRY_ZKSERVICE_JAAS_CONTEXT, context); MicroZookeeperService secureZK = new MicroZookeeperService(name);
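Review bot: The only test-side change keeps the strict call, `validateContext(context, true)`, so nothing in the hunks shown exercises the new non-raising path that setZKSaslClientProperties now depends on. A small case in the secure-registry tests would pin the contract, for example `assertEquals(0, RegistrySecurity.validateContext("no-such-context", false).length);`, alongside a check that the same call with `true` still throws. This assumes the JAAS configuration is already loaded in this test base, which the surrounding context lines suggest but do not show in full.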