Posted to common-commits@hadoop.apache.org by ey...@apache.org on 2019/08/06 21:08:42 UTC
[hadoop] branch trunk updated: HADOOP-16457. Fixed Kerberos
activation in ServiceAuthorizationManager. Contributed by Prabhu Joseph
This is an automated email from the ASF dual-hosted git repository.
eyang pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/hadoop.git
The following commit(s) were added to refs/heads/trunk by this push:
new 22430c1 HADOOP-16457. Fixed Kerberos activation in ServiceAuthorizationManager. Contributed by Prabhu Joseph
22430c1 is described below
commit 22430c10e2c41d7b5e4f0457eedaf5395b2b3c84
Author: Eric Yang <ey...@apache.org>
AuthorDate: Tue Aug 6 17:04:17 2019 -0400
HADOOP-16457. Fixed Kerberos activation in ServiceAuthorizationManager.
Contributed by Prabhu Joseph
---
.../authorize/ServiceAuthorizationManager.java | 32 ++++++-------
.../authorize/TestServiceAuthorization.java | 52 ++++++++++++++++++++++
2 files changed, 69 insertions(+), 15 deletions(-)
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/authorize/ServiceAuthorizationManager.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/authorize/ServiceAuthorizationManager.java
index 4c47348..a264eb4 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/authorize/ServiceAuthorizationManager.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/authorize/ServiceAuthorizationManager.java
@@ -97,21 +97,23 @@ public class ServiceAuthorizationManager {
throw new AuthorizationException("Protocol " + protocol +
" is not known.");
}
-
- // get client principal key to verify (if available)
- KerberosInfo krbInfo = SecurityUtil.getKerberosInfo(protocol, conf);
- String clientPrincipal = null;
- if (krbInfo != null) {
- String clientKey = krbInfo.clientPrincipal();
- if (clientKey != null && !clientKey.isEmpty()) {
- try {
- clientPrincipal = SecurityUtil.getServerPrincipal(
- conf.get(clientKey), addr);
- } catch (IOException e) {
- throw (AuthorizationException) new AuthorizationException(
- "Can't figure out Kerberos principal name for connection from "
- + addr + " for user=" + user + " protocol=" + protocol)
- .initCause(e);
+
+ String clientPrincipal = null;
+ if (UserGroupInformation.isSecurityEnabled()) {
+ // get client principal key to verify (if available)
+ KerberosInfo krbInfo = SecurityUtil.getKerberosInfo(protocol, conf);
+ if (krbInfo != null) {
+ String clientKey = krbInfo.clientPrincipal();
+ if (clientKey != null && !clientKey.isEmpty()) {
+ try {
+ clientPrincipal = SecurityUtil.getServerPrincipal(
+ conf.get(clientKey), addr);
+ } catch (IOException e) {
+ throw (AuthorizationException) new AuthorizationException(
+ "Can't figure out Kerberos principal name for connection from "
+ + addr + " for user=" + user + " protocol=" + protocol)
+ .initCause(e);
+ }
}
}
}
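Review bot: The new `UserGroupInformation.isSecurityEnabled()` guard reads process-wide UGI state, while the Kerberos lookup inside it still uses the `conf` passed to the method. The two can disagree if a caller passes a configuration that differs from the one UGI was initialised with, so a comment should say which one is authoritative. With security off, `clientPrincipal` stays null, which presumably skips the principal comparison later in the method (outside this hunk) and leaves only the remaining checks. That relaxation looks deliberate and should be documented above the `if`, e.g. `// Simple auth: there is no Kerberos principal to verify, so the client-principal check is skipped.` The enclosing method starts and ends outside the hunk.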
diff --git a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/authorize/TestServiceAuthorization.java b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/authorize/TestServiceAuthorization.java
index c473c50..d02fe60 100644
--- a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/authorize/TestServiceAuthorization.java
+++ b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/authorize/TestServiceAuthorization.java
@@ -20,13 +20,18 @@ package org.apache.hadoop.security.authorize;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.fail;
+import java.lang.annotation.Annotation;
import java.net.InetAddress;
import java.net.UnknownHostException;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.CommonConfigurationKeys;
import org.apache.hadoop.ipc.TestRPC.TestProtocol;
+import org.apache.hadoop.security.KerberosInfo;
+import org.apache.hadoop.security.SecurityInfo;
+import org.apache.hadoop.security.SecurityUtil;
import org.apache.hadoop.security.UserGroupInformation;
+import org.apache.hadoop.security.token.TokenInfo;
import org.junit.Test;
public class TestServiceAuthorization {
@@ -52,6 +57,53 @@ public class TestServiceAuthorization {
}
}
+ private static class CustomSecurityInfo extends SecurityInfo {
+ @Override
+ public KerberosInfo getKerberosInfo(Class<?> protocol,
+ Configuration conf) {
+ return new KerberosInfo() {
+ @Override
+ public Class<? extends Annotation> annotationType() {
+ return null;
+ }
+ @Override
+ public String serverPrincipal() {
+ return null;
+ }
+ @Override
+ public String clientPrincipal() {
+ return "dfs.datanode.kerberos.principal";
+ }
+ };
+ }
+
+ @Override
+ public TokenInfo getTokenInfo(Class<?> protocol, Configuration conf) {
+ return null;
+ }
+ }
+
+ @Test
+ public void testWithClientPrincipalOnUnsecureMode()
+ throws UnknownHostException {
+ UserGroupInformation hdfsUser = UserGroupInformation.createUserForTesting(
+ "hdfs", new String[] {"hadoop"});
+ ServiceAuthorizationManager serviceAuthorizationManager =
+ new ServiceAuthorizationManager();
+ SecurityUtil.setSecurityInfoProviders(new CustomSecurityInfo());
+
+ Configuration conf = new Configuration();
+ conf.set("dfs.datanode.kerberos.principal", "dn/_HOST@EXAMPLE.COM");
+ conf.set(ACL_CONFIG, "user1 hadoop");
+ serviceAuthorizationManager.refresh(conf, new TestPolicyProvider());
+ try {
+ serviceAuthorizationManager.authorize(hdfsUser, TestProtocol.class, conf,
+ InetAddress.getByName(ADDRESS));
+ } catch (AuthorizationException e) {
+ fail();
+ }
+ }
+
@Test
public void testDefaultAcl() {
ServiceAuthorizationManager serviceAuthorizationManager =
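Review bot: `SecurityUtil.setSecurityInfoProviders(new CustomSecurityInfo())` in `testWithClientPrincipalOnUnsecureMode` replaces static state and never restores it, so the custom provider can leak into tests that run later in the same JVM. Wrapping the body in `try { ... } finally { SecurityUtil.setSecurityInfoProviders(); }` would contain it, assuming the varargs setter accepts an empty list as it appears to. The test also relies on UGI being in simple-auth mode without setting it explicitly. There is no companion case showing that a mismatched client principal is still rejected when security is enabled, which is the regression this guard must not introduce. `fail()` with no message discards the `AuthorizationException`; letting the exception propagate, or using `fail(e.getMessage())`, would keep the reason in the report.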