Posted to common-commits@hadoop.apache.org by om...@apache.org on 2011/03/04 04:59:21 UTC
svn commit: r1077280 - in
/hadoop/common/branches/branch-0.20-security-patches/src:
hdfs/org/apache/hadoop/hdfs/server/namenode/FSNamesystem.java
test/org/apache/hadoop/hdfs/security/TestDelegationToken.java
Author: omalley
Date: Fri Mar 4 03:59:21 2011
New Revision: 1077280
URL: http://svn.apache.org/viewvc?rev=1077280&view=rev
Log:
commit cabec11b043c33fb67d046f98fdee549d7360418
Author: Devaraj Das <dd...@yahoo-inc.com>
Date: Wed Mar 3 19:14:35 2010 -0800
HDFS:1020 from https://issues.apache.org/jira/secure/attachment/12437838/HDFS-1020-y20.2.patch
+++ b/YAHOO-CHANGES.txt
+ HDFS-1020. Changes the check for renewer from short name to long name
+ in the cancel/renew delegation token methods. (jitendra via ddas)
+
Modified:
hadoop/common/branches/branch-0.20-security-patches/src/hdfs/org/apache/hadoop/hdfs/server/namenode/FSNamesystem.java
hadoop/common/branches/branch-0.20-security-patches/src/test/org/apache/hadoop/hdfs/security/TestDelegationToken.java
Modified: hadoop/common/branches/branch-0.20-security-patches/src/hdfs/org/apache/hadoop/hdfs/server/namenode/FSNamesystem.java
URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-0.20-security-patches/src/hdfs/org/apache/hadoop/hdfs/server/namenode/FSNamesystem.java?rev=1077280&r1=1077279&r2=1077280&view=diff
==============================================================================
--- hadoop/common/branches/branch-0.20-security-patches/src/hdfs/org/apache/hadoop/hdfs/server/namenode/FSNamesystem.java (original)
+++ hadoop/common/branches/branch-0.20-security-patches/src/hdfs/org/apache/hadoop/hdfs/server/namenode/FSNamesystem.java Fri Mar 4 03:59:21 2011
@@ -4979,7 +4979,7 @@ public class FSNamesystem implements FSC
throw new IOException(
"Delegation Token can be renewed only with kerberos or web authentication");
}
- String renewer = UserGroupInformation.getCurrentUser().getShortUserName();
+ String renewer = UserGroupInformation.getCurrentUser().getUserName();
long expiryTime = dtSecretManager.renewToken(token, renewer);
DelegationTokenIdentifier id = new DelegationTokenIdentifier();
ByteArrayInputStream buf = new ByteArrayInputStream(token.getIdentifier());
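Review bot: The switch to `getUserName()` on the `renewer` line carries no comment saying why the full principal is required, so a later cleanup could revert it to the short form without noticing the security impact. Short names drop the host and realm, so distinct principals can collapse to the same short name depending on the name-mapping rules, which is presumably why the match was tightened. I would add `// Match on the full Kerberos principal; short names are not unique across hosts/realms.` above the line, and the same comment fits the `canceller` line in the cancel hunk. The comparison itself happens in `dtSecretManager.renewToken`, outside this hunk, so confirm that the renewer recorded when the token is issued is also in full-name form; otherwise tokens requested with a short renewer name can no longer be renewed.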
@@ -4999,7 +4999,7 @@ public class FSNamesystem implements FSC
if (isInSafeMode()) {
throw new SafeModeException("Cannot cancel delegation token", safeMode);
}
- String canceller = UserGroupInformation.getCurrentUser().getShortUserName();
+ String canceller = UserGroupInformation.getCurrentUser().getUserName();
DelegationTokenIdentifier id = dtSecretManager
.cancelToken(token, canceller);
logCancelDelegationToken(id);
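Review bot: `canceller` is now the full principal name, but `cancelToken` (its body is not visible here) presumably also accepts the token owner, and nothing in this commit shows the owner being compared in the same form. If the owner is stored or compared as a short name, owners would lose the ability to cancel their own tokens after this change. The new test only exercises cancellation by the renewer; a case where the owner cancels under a full principal name would pin this down.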
Modified: hadoop/common/branches/branch-0.20-security-patches/src/test/org/apache/hadoop/hdfs/security/TestDelegationToken.java
URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-0.20-security-patches/src/test/org/apache/hadoop/hdfs/security/TestDelegationToken.java?rev=1077280&r1=1077279&r2=1077280&view=diff
==============================================================================
--- hadoop/common/branches/branch-0.20-security-patches/src/test/org/apache/hadoop/hdfs/security/TestDelegationToken.java (original)
+++ hadoop/common/branches/branch-0.20-security-patches/src/test/org/apache/hadoop/hdfs/security/TestDelegationToken.java Fri Mar 4 03:59:21 2011
@@ -22,6 +22,8 @@ package org.apache.hadoop.hdfs.security;
import java.io.ByteArrayInputStream;
import java.io.DataInputStream;
+import java.io.IOException;
+import java.security.PrivilegedExceptionAction;
import junit.framework.Assert;
@@ -32,6 +34,7 @@ import org.apache.hadoop.hdfs.Distribute
import org.apache.hadoop.hdfs.MiniDFSCluster;
import org.apache.hadoop.io.Text;
import org.apache.hadoop.security.AccessControlException;
+import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.token.Token;
import org.apache.hadoop.security.token.SecretManager.InvalidToken;
import org.apache.hadoop.hdfs.security.token.delegation.DelegationTokenIdentifier;
@@ -149,5 +152,63 @@ public class TestDelegationToken {
Assert.assertTrue(null != dtSecretManager.retrievePassword(identifier));
dtSecretManager.renewToken(token, "JobTracker");
}
+
+ @Test
+ public void testDelegationTokenWithDoAs() throws Exception {
+ final DistributedFileSystem dfs = (DistributedFileSystem) cluster.getFileSystem();
+ final Token<DelegationTokenIdentifier> token = dfs.getDelegationToken(new Text(
+ "JobTracker/foo.com@FOO.COM"));
+ final UserGroupInformation longUgi = UserGroupInformation
+ .createRemoteUser("JobTracker/foo.com@FOO.COM");
+ final UserGroupInformation shortUgi = UserGroupInformation
+ .createRemoteUser("JobTracker");
+ longUgi.doAs(new PrivilegedExceptionAction<Object>() {
+ public Object run() throws IOException {
+ final DistributedFileSystem dfs = (DistributedFileSystem) cluster
+ .getFileSystem();
+ try {
+ //try renew with long name
+ dfs.renewDelegationToken(token);
+ } catch (IOException e) {
+ Assert.fail("Could not renew delegation token for user "+longUgi);
+ }
+ return null;
+ }
+ });
+ shortUgi.doAs(new PrivilegedExceptionAction<Object>() {
+ public Object run() throws IOException {
+ final DistributedFileSystem dfs = (DistributedFileSystem) cluster
+ .getFileSystem();
+ try {
+ //try renew with long name
+ dfs.renewDelegationToken(token);
+ Assert.fail("Should not renew delegation token for short user name");
+ } catch (IOException e) {
+ //PASS
+ }
+ try {
+ //try cancel with long name
+ dfs.cancelDelegationToken(token);
+ Assert.fail("Should not cancel delegation token for short user name");
+ } catch (IOException e) {
+ //PASS
+ }
+ return null;
+ }
+ });
+ longUgi.doAs(new PrivilegedExceptionAction<Object>() {
+ public Object run() throws IOException {
+ final DistributedFileSystem dfs = (DistributedFileSystem) cluster
+ .getFileSystem();
+ try {
+ //try cancel with long name
+ dfs.cancelDelegationToken(token);
+ } catch (IOException e) {
+ Assert.fail("Could not cancel delegation token for user "+longUgi);
+ }
+ return null;
+ }
+ });
+ }
}
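Review bot: The two negative checks in the `shortUgi` block catch any `IOException` and treat it as a pass, so the test still succeeds when renew or cancel fails for an unrelated reason (safe mode, an RPC error) rather than because of the renewer mismatch. Narrow the catch to the exception that actually reaches the client for an unauthorized caller, e.g. `} catch (AccessControlException e) {` if that is the type surfaced (it is already imported), and let anything else propagate. The comments `//try renew with long name` and `//try cancel with long name` inside that block are copy-paste leftovers and should read `short name`. In the `longUgi` blocks, `Assert.fail(...)` discards the caught exception; since `run()` already declares `IOException`, dropping the try/catch would keep the cause in the failure report.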