HADOOP-6620. NPE if renewer is passed as null in getDelegationToken. Contributed by Jitendra Pandey.

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@953896 13f79535-47bb-0310-9956-ffa450edef68

Author: jghoman

CHANGES.txt

@@ -81,6 +81,9 @@ Trunk (unreleased changes)
     HADOOP-6603. Provide workaround for issue with Kerberos not resolving 
     cross-realm principal (Kan Zhang and Jitendra Pandey via jghoman)
 
+    HADOOP-6620. NPE if renewer is passed as null in getDelegationToken.
+    (Jitendra Pandey via jghoman)
+
 Release 0.21.0 - Unreleased
 
   INCOMPATIBLE CHANGES

src/java/org/apache/hadoop/security/token/delegation/AbstractDelegationTokenIdentifier.java

@@ -49,8 +49,16 @@ public AbstractDelegationTokenIdentifier() {
   }
 
   public AbstractDelegationTokenIdentifier(Text owner, Text renewer, Text realUser) {
-    this.owner = owner;
-    this.renewer = renewer;
+    if (owner == null) {
+      this.owner = new Text();
+    } else {
+      this.owner = owner;
+    }
+    if (renewer == null) {
+      this.renewer = new Text();
+    } else {
+      this.renewer = renewer;
+    }
     if (realUser == null) {
       this.realUser = new Text();
     } else {
@@ -170,4 +178,14 @@ public void write(DataOutput out) throws IOException {
     WritableUtils.writeVInt(out, sequenceNumber);
     WritableUtils.writeVInt(out, masterKeyId);
   }
+  
+  public String toString() {
+    StringBuilder buffer = new StringBuilder();
+    buffer
+        .append("owner=" + owner + ", renewer=" + renewer + ", realUser="
+            + realUser + ", issueDate=" + issueDate + ", maxDate=" + maxDate
+            + ", sequenceNumber=" + sequenceNumber + ", masterKeyId="
+            + masterKeyId);
+    return buffer.toString();
+  }
 }

src/java/org/apache/hadoop/security/token/delegation/AbstractDelegationTokenSecretManager.java

@@ -178,6 +178,7 @@ private synchronized void removeExpiredKeys() {
 
   @Override
   protected synchronized byte[] createPassword(TokenIdent identifier) {
+    LOG.info("Creating password for identifier: "+identifier);
     int sequenceNum;
     long now = System.currentTimeMillis();
     sequenceNum = ++delegationTokenSequenceNumber;
@@ -220,12 +221,13 @@ public synchronized long renewToken(Token<TokenIdent> token,
     DataInputStream in = new DataInputStream(buf);
     TokenIdent id = createIdentifier();
     id.readFields(in);
-
+    LOG.info("Token renewal requested for identifier: "+id);
+    
     if (id.getMaxDate() < now) {
       throw new InvalidToken("User " + renewer + 
                              " tried to renew an expired token");
     }
-    if (id.getRenewer() == null) {
+    if ((id.getRenewer() == null) || ("".equals(id.getRenewer().toString()))) {
       throw new AccessControlException("User " + renewer + 
                                        " tried to renew a token without " +
                                        "a renewer");
@@ -271,13 +273,16 @@ public synchronized TokenIdent cancelToken(Token<TokenIdent> token,
     DataInputStream in = new DataInputStream(buf);
     TokenIdent id = createIdentifier();
     id.readFields(in);
+    LOG.info("Token cancelation requested for identifier: "+id);
+    
     if (id.getUser() == null) {
       throw new InvalidToken("Token with no owner");
     }
     String owner = id.getUser().getUserName();
     Text renewer = id.getRenewer();
     if (!canceller.equals(owner)
-        && (renewer == null || !canceller.equals(renewer.toString()))) {
+        && (renewer == null || "".equals(renewer.toString()) || !canceller
+            .equals(renewer.toString()))) {
       throw new AccessControlException(canceller
           + " is not authorized to cancel the token");
     }

src/test/core/org/apache/hadoop/security/token/delegation/TestDelegationToken.java

@@ -365,4 +365,24 @@ public void run() {
       dtSecretManager.stopThreads();
     }
   }
+  
+  @Test 
+  public void testDelegationTokenNullRenewer() throws Exception {
+    TestDelegationTokenSecretManager dtSecretManager = 
+      new TestDelegationTokenSecretManager(24*60*60*1000,
+        10*1000,1*1000,3600000);
+    dtSecretManager.startThreads();
+    TestDelegationTokenIdentifier dtId = new TestDelegationTokenIdentifier(new Text(
+        "theuser"), null, null);
+    Token<TestDelegationTokenIdentifier> token = new Token<TestDelegationTokenIdentifier>(
+        dtId, dtSecretManager);
+    Assert.assertTrue(token != null);
+    try {
+      dtSecretManager.renewToken(token, "");
+      Assert.fail("Renewal must not succeed");
+    } catch (IOException e) {
+      //PASS
+    }
+  }
+
 }