Posted to common-commits@hadoop.apache.org by at...@apache.org on 2011/09/21 18:09:44 UTC
svn commit: r1173739 - in
/hadoop/common/trunk/hadoop-common-project/hadoop-common: ./
src/main/docs/src/documentation/content/xdocs/
src/main/java/org/apache/hadoop/security/ src/main/resources/
src/test/java/org/apache/hadoop/security/
Author: atm
Date: Wed Sep 21 16:09:44 2011
New Revision: 1173739
URL: http://svn.apache.org/viewvc?rev=1173739&view=rev
Log:
HADOOP-7621. alfredo config should be in a file not readable by users (Alejandro Abdelnur via atm)
Modified:
hadoop/common/trunk/hadoop-common-project/hadoop-common/CHANGES.txt
hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/docs/src/documentation/content/xdocs/HttpAuthentication.xml
hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/AuthenticationFilterInitializer.java
hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/resources/core-default.xml
hadoop/common/trunk/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestAuthenticationFilter.java
Modified: hadoop/common/trunk/hadoop-common-project/hadoop-common/CHANGES.txt
URL: http://svn.apache.org/viewvc/hadoop/common/trunk/hadoop-common-project/hadoop-common/CHANGES.txt?rev=1173739&r1=1173738&r2=1173739&view=diff
==============================================================================
--- hadoop/common/trunk/hadoop-common-project/hadoop-common/CHANGES.txt (original)
+++ hadoop/common/trunk/hadoop-common-project/hadoop-common/CHANGES.txt Wed Sep 21 16:09:44 2011
@@ -23,6 +23,9 @@ Trunk (unreleased changes)
HADOOP-7641. Add Apache License to template config files (Eric Yang via atm)
+ HADOOP-7621. alfredo config should be in a file not readable by users
+ (Alejandro Abdelnur via atm)
+
Release 0.23.0 - Unreleased
INCOMPATIBLE CHANGES
Modified: hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/docs/src/documentation/content/xdocs/HttpAuthentication.xml
URL: http://svn.apache.org/viewvc/hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/docs/src/documentation/content/xdocs/HttpAuthentication.xml?rev=1173739&r1=1173738&r2=1173739&view=diff
==============================================================================
--- hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/docs/src/documentation/content/xdocs/HttpAuthentication.xml (original)
+++ hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/docs/src/documentation/content/xdocs/HttpAuthentication.xml Wed Sep 21 16:09:44 2011
@@ -82,10 +82,12 @@
<code>36000</code>.
</p>
- <p><code>hadoop.http.authentication.signature.secret</code>: The signature secret for
- signing the authentication tokens. If not set a random secret is generated at
+ <p><code>hadoop.http.authentication.signature.secret.file</code>: The signature secret
+ file for signing the authentication tokens. If not set a random secret is generated at
startup time. The same secret should be used for all nodes in the cluster, JobTracker,
- NameNode, DataNode and TastTracker. The default value is a <code>hadoop</code> value.
+ NameNode, DataNode and TastTracker. The default value is
+ <code>${user.home}/hadoop-http-auth-signature-secret</code>.
+ IMPORTANT: This file should be readable only by the Unix user running the daemons.
</p>
<p><code>hadoop.http.authentication.cookie.domain</code>: The domain to use for the HTTP
Modified: hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/AuthenticationFilterInitializer.java
URL: http://svn.apache.org/viewvc/hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/AuthenticationFilterInitializer.java?rev=1173739&r1=1173738&r2=1173739&view=diff
==============================================================================
--- hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/AuthenticationFilterInitializer.java (original)
+++ hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/AuthenticationFilterInitializer.java Wed Sep 21 16:09:44 2011
@@ -22,6 +22,9 @@ import org.apache.hadoop.conf.Configurat
import org.apache.hadoop.http.FilterContainer;
import org.apache.hadoop.http.FilterInitializer;
+import java.io.FileReader;
+import java.io.IOException;
+import java.io.Reader;
import java.util.HashMap;
import java.util.Map;
@@ -40,8 +43,10 @@ import java.util.Map;
*/
public class AuthenticationFilterInitializer extends FilterInitializer {
- private static final String PREFIX = "hadoop.http.authentication.";
+ static final String PREFIX = "hadoop.http.authentication.";
+ static final String SIGNATURE_SECRET_FILE = AuthenticationFilter.SIGNATURE_SECRET + ".file";
+
/**
* Initializes Alfredo AuthenticationFilter.
* <p/>
@@ -67,6 +72,25 @@ public class AuthenticationFilterInitial
}
}
+ String signatureSecretFile = filterConfig.get(SIGNATURE_SECRET_FILE);
+ if (signatureSecretFile == null) {
+ throw new RuntimeException("Undefined property: " + SIGNATURE_SECRET_FILE);
+ }
+
+ try {
+ StringBuilder secret = new StringBuilder();
+ Reader reader = new FileReader(signatureSecretFile);
+ int c = reader.read();
+ while (c > -1) {
+ secret.append((char)c);
+ c = reader.read();
+ }
+ reader.close();
+ filterConfig.put(AuthenticationFilter.SIGNATURE_SECRET, secret.toString());
+ } catch (IOException ex) {
+ throw new RuntimeException("Could not read HTTP signature secret file: " + signatureSecretFile);
+ }
+
container.addFilter("authentication",
AuthenticationFilter.class.getName(),
filterConfig);
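Review bot: The `Reader` opened in the new `try` block is closed only on the success path, and the `catch` discards `ex`, so a failed read leaks the file handle and the resulting `RuntimeException` does not say whether the secret file was missing or permission was denied. Moving `reader.close()` into a `finally` and passing `ex` as the cause fixes both. The file content is also used verbatim, so a trailing newline left by an editor becomes part of the signing secret; nodes whose files differ only in that newline would end up with different secrets, which is worth documenting or normalising here. Nothing in this hunk checks that the file is readable only by the daemon user, so the requirement stated in the documentation rests entirely on the operator. The enclosing method starts and ends outside the hunk.

```java
      Reader reader = new FileReader(signatureSecretFile);
      try {
        // … unchanged: read loop appending each char to secret …
      } finally {
        reader.close();
      }
      // … unchanged: filterConfig.put(AuthenticationFilter.SIGNATURE_SECRET, ...) …
    } catch (IOException ex) {
      throw new RuntimeException(
          "Could not read HTTP signature secret file: " + signatureSecretFile, ex);
    }
```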
Modified: hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/resources/core-default.xml
URL: http://svn.apache.org/viewvc/hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/resources/core-default.xml?rev=1173739&r1=1173738&r2=1173739&view=diff
==============================================================================
--- hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/resources/core-default.xml (original)
+++ hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/resources/core-default.xml Wed Sep 21 16:09:44 2011
@@ -808,8 +808,8 @@
</property>
<property>
- <name>hadoop.http.authentication.signature.secret</name>
- <value>hadoop</value>
+ <name>hadoop.http.authentication.signature.secret.file</name>
+ <value>${user.home}/hadoop-http-auth-signature-secret</value>
<description>
The signature secret for signing the authentication tokens.
If not set a random secret is generated at startup time.
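Review bot: The `<description>` kept as context still describes the old property. It says the value is the signature secret and that a random secret is generated when it is not set, while the property now names a file and the `AuthenticationFilterInitializer` change in this same commit throws a `RuntimeException` when the property is undefined or the file cannot be read. Suggest rewording the first two sentences to something like `The file holding the signature secret used to sign the authentication tokens. The file must exist and should be readable only by the Unix user running the daemons.` The same "If not set a random secret is generated" sentence is left unchanged in the HttpAuthentication.xml hunk. The description element continues past the end of this hunk, so its remaining sentences may need the same check.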
Modified: hadoop/common/trunk/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestAuthenticationFilter.java
URL: http://svn.apache.org/viewvc/hadoop/common/trunk/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestAuthenticationFilter.java?rev=1173739&r1=1173738&r2=1173739&view=diff
==============================================================================
--- hadoop/common/trunk/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestAuthenticationFilter.java (original)
+++ hadoop/common/trunk/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestAuthenticationFilter.java Wed Sep 21 16:09:44 2011
@@ -25,14 +25,28 @@ import org.mockito.Mockito;
import org.mockito.invocation.InvocationOnMock;
import org.mockito.stubbing.Answer;
+import java.io.File;
+import java.io.FileWriter;
+import java.io.Writer;
import java.util.Map;
public class TestAuthenticationFilter extends TestCase {
@SuppressWarnings("unchecked")
- public void testConfiguration() {
+ public void testConfiguration() throws Exception {
Configuration conf = new Configuration();
conf.set("hadoop.http.authentication.foo", "bar");
+
+ File testDir = new File(System.getProperty("test.build.data",
+ "target/test-dir"));
+ testDir.mkdirs();
+ File secretFile = new File(testDir, "http-secret.txt");
+ Writer writer = new FileWriter(new File(testDir, "http-secret.txt"));
+ writer.write("hadoop");
+ writer.close();
+ conf.set(AuthenticationFilterInitializer.PREFIX +
+ AuthenticationFilterInitializer.SIGNATURE_SECRET_FILE,
+ secretFile.getAbsolutePath());
FilterContainer container = Mockito.mock(FilterContainer.class);
Mockito.doAnswer(