OOZIE-1726 Oozie does not support _HOST when configuring kerberos security (venkatnrangan via bzhang)

Author: bowenzhangusa

core/src/main/java/org/apache/oozie/service/HadoopAccessorService.java

@@ -41,6 +41,7 @@
 import java.io.FileInputStream;
 import java.io.IOException;
 import java.io.InputStream;
+import java.net.InetAddress;
 import java.net.URI;
 import java.net.URISyntaxException;
 import java.security.PrivilegedExceptionAction;
@@ -164,7 +165,9 @@ private void kerberosInit(Configuration serviceConf) throws ServiceException {
                 if (keytabFile.length() == 0) {
                     throw new ServiceException(ErrorCode.E0026, KERBEROS_KEYTAB);
                 }
-                String principal = ConfigurationService.get(serviceConf, KERBEROS_PRINCIPAL);
+                String principal = SecurityUtil.getServerPrincipal(
+                        serviceConf.get(KERBEROS_PRINCIPAL, "oozie/localhost@LOCALHOST"),
+                        InetAddress.getLocalHost().getCanonicalHostName());
                 if (principal.length() == 0) {
                     throw new ServiceException(ErrorCode.E0026, KERBEROS_PRINCIPAL);
                 }

core/src/main/java/org/apache/oozie/servlet/AuthFilter.java

@@ -21,6 +21,7 @@
 import org.apache.hadoop.security.authentication.server.AuthenticationFilter;
 import org.apache.hadoop.conf.Configuration;
 import org.apache.oozie.service.Services;
+import org.apache.hadoop.security.SecurityUtil;
 
 import javax.servlet.FilterChain;
 import javax.servlet.FilterConfig;
@@ -32,6 +33,8 @@
 import java.io.IOException;
 import java.util.Map;
 import java.util.Properties;
+import java.net.InetAddress;
+import java.net.UnknownHostException;
 import org.apache.oozie.service.JobsConcurrencyService;
 import org.apache.oozie.util.ZKUtils;
 
@@ -41,6 +44,7 @@
  */
 public class AuthFilter extends AuthenticationFilter {
     public static final String OOZIE_PREFIX = "oozie.authentication.";
+    private static final String KERBEROS_PRINCIPAL_CONFIG = "kerberos.principal";
 
     private HttpServlet optionsServlet;
     private ZKUtils zkUtils = null;
@@ -105,7 +109,19 @@ protected Properties getConfiguration(String configPrefix, FilterConfig filterCo
             if (name.startsWith(OOZIE_PREFIX)) {
                 String value = conf.get(name);
                 name = name.substring(OOZIE_PREFIX.length());
-                props.setProperty(name, value);
+                if (name.equals(KERBEROS_PRINCIPAL_CONFIG)) {
+                    String hostName = "localhost";
+                    String principal = value;
+                    try {
+                        hostName = InetAddress.getLocalHost().getCanonicalHostName();
+                        principal = SecurityUtil.getServerPrincipal(value, hostName);
+                    } catch (IOException ioe) {
+                       // ignore.
+                    }
+                    props.setProperty(name, principal);
+                 } else {
+                    props.setProperty(name, value);
+                }
             }
         }
 

release-log.txt

@@ -1,5 +1,6 @@
 -- Oozie 4.2.0 release (trunk - unreleased)
 
+OOZIE-1726 Oozie does not support _HOST when configuring kerberos security (venkatnrangan via bzhang)
 OOZIE-2197 ooziedb.cmd command failed due to classpath being too long on windows (me.venkatr via bzhang)
 OOZIE-2182 SLA alert commands are not in sync with doc (puru)
 OOZIE-2191 Upgrade jackson version for hadoop-2 profile (ryota)