Posted to common-commits@hadoop.apache.org by om...@apache.org on 2011/03/04 05:02:26 UTC
svn commit: r1077312 - in
/hadoop/common/branches/branch-0.20-security-patches/src/hdfs/org/apache/hadoop/hdfs:
./ server/datanode/ server/namenode/
Author: omalley
Date: Fri Mar 4 04:02:25 2011
New Revision: 1077312
URL: http://svn.apache.org/viewvc?rev=1077312&view=rev
Log:
commit d94bb7893882878efcaf3ec6a77110806bfcc222
Author: Jakob Homan <jh...@yahoo-inc.com>
Date: Thu Mar 11 14:38:56 2010 -0800
HDFS:1033 from https://issues.apache.org/jira/secure/attachment/12438477/HDFS-1033-Y20.patch
+++ b/YAHOO-CHANGES.txt
+ HDFS-1033. In secure clusters, NN and SNN should verify that the remote
+ principal during image and edits transfer (jhoman)
+
Modified:
hadoop/common/branches/branch-0.20-security-patches/src/hdfs/org/apache/hadoop/hdfs/DFSConfigKeys.java
hadoop/common/branches/branch-0.20-security-patches/src/hdfs/org/apache/hadoop/hdfs/server/datanode/DataNode.java
hadoop/common/branches/branch-0.20-security-patches/src/hdfs/org/apache/hadoop/hdfs/server/namenode/GetImageServlet.java
hadoop/common/branches/branch-0.20-security-patches/src/hdfs/org/apache/hadoop/hdfs/server/namenode/NameNode.java
hadoop/common/branches/branch-0.20-security-patches/src/hdfs/org/apache/hadoop/hdfs/server/namenode/SecondaryNameNode.java
Modified: hadoop/common/branches/branch-0.20-security-patches/src/hdfs/org/apache/hadoop/hdfs/DFSConfigKeys.java
URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-0.20-security-patches/src/hdfs/org/apache/hadoop/hdfs/DFSConfigKeys.java?rev=1077312&r1=1077311&r2=1077312&view=diff
==============================================================================
--- hadoop/common/branches/branch-0.20-security-patches/src/hdfs/org/apache/hadoop/hdfs/DFSConfigKeys.java (original)
+++ hadoop/common/branches/branch-0.20-security-patches/src/hdfs/org/apache/hadoop/hdfs/DFSConfigKeys.java Fri Mar 4 04:02:25 2011
@@ -193,8 +193,12 @@ public class DFSConfigKeys extends Commo
public static final String DFS_WEB_UGI_KEY = "dfs.web.ugi";
public static final String DFS_NAMENODE_STARTUP_KEY = "dfs.namenode.startup";
public static final String DFS_DATANODE_KEYTAB_FILE_KEY = "dfs.datanode.keytab.file";
- public static final String DFS_DATANODE_USER_NAME_KEY = "dfs.datanode.user.name.key";
+ public static final String DFS_DATANODE_USER_NAME_KEY = "dfs.datanode.user.name";
public static final String DFS_NAMENODE_KEYTAB_FILE_KEY = "dfs.namenode.keytab.file";
- public static final String DFS_NAMENODE_USER_NAME_KEY = "dfs.namenode.user.name.key";
- public static final String DFS_NAMENODE_KRB_HTTPS_USER_NAME_KEY = "dfs.namenode.krb.https.user.name.key";
+ public static final String DFS_NAMENODE_USER_NAME_KEY = "dfs.namenode.user.name";
+ public static final String DFS_NAMENODE_KRB_HTTPS_USER_NAME_KEY = "dfs.namenode.krb.https.user.name";
+
+ public static final String DFS_SECONDARY_NAMENODE_KEYTAB_FILE_KEY = "dfs.secondary.namenode.keytab.file";
+ public static final String DFS_SECONDARY_NAMENODE_USER_NAME_KEY = "dfs.secondary.namenode.user.name";
+ public static final String DFS_SECONDARY_NAMENODE_KRB_HTTPS_USER_NAME_KEY = "dfs.secondary.namenode.krb.https.user.name";
}
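Review bot: The new string values of DFS_DATANODE_USER_NAME_KEY, DFS_NAMENODE_USER_NAME_KEY and DFS_NAMENODE_KRB_HTTPS_USER_NAME_KEY drop the `.key` suffix, so a site configuration that still sets the old property names will get null from `conf.get` on the new side, and the DataNode and NameNode Kerberos logins will presumably fail to find their principal at upgrade time. A deprecated alias for the old names, or at minimum a release note, would turn that silent login failure into an explicit one. The three new DFS_SECONDARY_NAMENODE_* constants also carry no doc comment saying who consumes them; suggested above the group: `/** SNN login principals; the NN's GetImageServlet accepts only these and its own principals. */`.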
Modified: hadoop/common/branches/branch-0.20-security-patches/src/hdfs/org/apache/hadoop/hdfs/server/datanode/DataNode.java
URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-0.20-security-patches/src/hdfs/org/apache/hadoop/hdfs/server/datanode/DataNode.java?rev=1077312&r1=1077311&r2=1077312&view=diff
==============================================================================
--- hadoop/common/branches/branch-0.20-security-patches/src/hdfs/org/apache/hadoop/hdfs/server/datanode/DataNode.java (original)
+++ hadoop/common/branches/branch-0.20-security-patches/src/hdfs/org/apache/hadoop/hdfs/server/datanode/DataNode.java Fri Mar 4 04:02:25 2011
@@ -55,6 +55,7 @@ import org.apache.hadoop.fs.FileSystem;
import org.apache.hadoop.fs.LocalFileSystem;
import org.apache.hadoop.fs.Path;
import org.apache.hadoop.fs.permission.FsPermission;
+import org.apache.hadoop.hdfs.DFSConfigKeys;
import org.apache.hadoop.hdfs.DFSUtil;
import org.apache.hadoop.hdfs.HDFSPolicyProvider;
import org.apache.hadoop.hdfs.protocol.Block;
@@ -213,9 +214,6 @@ public class DataNode extends Configured
private static final Random R = new Random();
- private final static String KEYTAB_FILE_KEY = "dfs.datanode.keytab.file";
- private final static String USER_NAME_KEY = "dfs.datanode.user.name.key";
-
public static final String DATA_DIR_KEY = "dfs.data.dir";
public final static String DATA_DIR_PERMISSION_KEY =
"dfs.datanode.data.dir.perm";
@@ -240,7 +238,8 @@ public class DataNode extends Configured
final AbstractList<File> dataDirs) throws IOException {
super(conf);
UserGroupInformation.setConfiguration(conf);
- DFSUtil.login(conf, KEYTAB_FILE_KEY, USER_NAME_KEY);
+ DFSUtil.login(conf, DFSConfigKeys.DFS_DATANODE_KEYTAB_FILE_KEY,
+ DFSConfigKeys.DFS_DATANODE_USER_NAME_KEY);
datanodeObject = this;
Modified: hadoop/common/branches/branch-0.20-security-patches/src/hdfs/org/apache/hadoop/hdfs/server/namenode/GetImageServlet.java
URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-0.20-security-patches/src/hdfs/org/apache/hadoop/hdfs/server/namenode/GetImageServlet.java?rev=1077312&r1=1077311&r2=1077312&view=diff
==============================================================================
--- hadoop/common/branches/branch-0.20-security-patches/src/hdfs/org/apache/hadoop/hdfs/server/namenode/GetImageServlet.java (original)
+++ hadoop/common/branches/branch-0.20-security-patches/src/hdfs/org/apache/hadoop/hdfs/server/namenode/GetImageServlet.java Fri Mar 4 04:02:25 2011
@@ -17,6 +17,11 @@
*/
package org.apache.hadoop.hdfs.server.namenode;
+import static org.apache.hadoop.hdfs.DFSConfigKeys.DFS_NAMENODE_KRB_HTTPS_USER_NAME_KEY;
+import static org.apache.hadoop.hdfs.DFSConfigKeys.DFS_NAMENODE_USER_NAME_KEY;
+import static org.apache.hadoop.hdfs.DFSConfigKeys.DFS_SECONDARY_NAMENODE_KRB_HTTPS_USER_NAME_KEY;
+import static org.apache.hadoop.hdfs.DFSConfigKeys.DFS_SECONDARY_NAMENODE_USER_NAME_KEY;
+
import java.io.IOException;
import java.security.PrivilegedExceptionAction;
import java.util.Map;
@@ -27,10 +32,12 @@ import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.util.StringUtils;
-
/**
* This class is used in Namesystem's jetty to retrieve a file.
* Typically used by the Secondary NameNode to retrieve image and
@@ -38,7 +45,7 @@ import org.apache.hadoop.util.StringUtil
*/
public class GetImageServlet extends HttpServlet {
private static final long serialVersionUID = -7669068179452648952L;
-
+ private static final Log LOG = LogFactory.getLog(GetImageServlet.class);
@SuppressWarnings("unchecked")
public void doGet(final HttpServletRequest request,
final HttpServletResponse response
@@ -48,6 +55,16 @@ public class GetImageServlet extends Htt
ServletContext context = getServletContext();
final FSImage nnImage = (FSImage)context.getAttribute("name.system.image");
final TransferFsImage ff = new TransferFsImage(pmap, request, response);
+ Configuration conf = (Configuration)getServletContext().getAttribute("name.conf");
+ if(UserGroupInformation.isSecurityEnabled() &&
+ !isValidRequestor(request.getRemoteUser(), conf)) {
+ response.sendError(HttpServletResponse.SC_FORBIDDEN,
+ "Only Namenode and Secondary Namenode may access this servlet");
+ LOG.warn("Received non-NN/SNN request for image or edits from "
+ + request.getRemoteHost());
+ return;
+ }
+
UserGroupInformation.getCurrentUser().doAs(new PrivilegedExceptionAction<Void>() {
@Override
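Review bot: The authorization check is placed after `new TransferFsImage(pmap, request, response)` on the preceding context line, so request parameters from a not-yet-authorized caller are parsed (and can presumably throw) before the caller is rejected; moving the `isSecurityEnabled()` block above the `ff` construction makes rejection happen first. The rejection log records only `getRemoteHost()`; for triage the denied identity is the more useful field, e.g. `LOG.warn("Rejected image/edits request from " + request.getRemoteHost() + " as user " + request.getRemoteUser());`. `context` from two lines earlier already holds the servlet context, so `(Configuration) context.getAttribute("name.conf")` avoids the repeated lookup, and if that attribute is never set the null `conf` reaches `conf.get` inside isValidRequestor and surfaces as a 500 instead of the intended 403. doGet's body continues outside the hunk.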
@@ -79,4 +96,25 @@ public class GetImageServlet extends Htt
response.getOutputStream().close();
}
}
+
+ private boolean isValidRequestor(String remoteUser, Configuration conf) {
+ if(remoteUser == null) { // This really shouldn't happen...
+ LOG.warn("Received null remoteUser while authorizing access to getImage servlet");
+ return false;
+ }
+
+ String [] validRequestors = {conf.get(DFS_NAMENODE_KRB_HTTPS_USER_NAME_KEY),
+ conf.get(DFS_NAMENODE_USER_NAME_KEY),
+ conf.get(DFS_SECONDARY_NAMENODE_KRB_HTTPS_USER_NAME_KEY),
+ conf.get(DFS_SECONDARY_NAMENODE_USER_NAME_KEY) };
+
+ for(String v : validRequestors) {
+ if(v != null && v.equals(remoteUser)) {
+ if(LOG.isDebugEnabled()) LOG.debug("isValidRequestor is allowing: " + remoteUser);
+ return true;
+ }
+ }
+ if(LOG.isDebugEnabled()) LOG.debug("isValidRequestor is rejecting: " + remoteUser);
+ return false;
+ }
}
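Review bot: isValidRequestor compares the name from `getRemoteUser()` byte-for-byte with the raw `conf.get(...)` values; if the configured principals contain a host placeholder that is only expanded at login time, or carry a different realm suffix from what the HTTP layer reports, nothing ever matches and every NN/SNN transfer is refused — fail-closed, but a silent outage — so confirm both sides are in the same fully-resolved form. With none of the four keys configured the method likewise rejects everything, which is the right default but should be stated in a Javadoc: `/** Returns true only if {@code remoteUser} exactly equals one of the configured NN/SNN principal names (unset keys are skipped); a null user or no configured principals yields false. */`. The NN's own principal is accepted alongside the SNN's, presumably because the same servlet also serves the SNN side; a one-line comment on the `validRequestors` array saying why would save the next reader the guess.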
Modified: hadoop/common/branches/branch-0.20-security-patches/src/hdfs/org/apache/hadoop/hdfs/server/namenode/NameNode.java
URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-0.20-security-patches/src/hdfs/org/apache/hadoop/hdfs/server/namenode/NameNode.java?rev=1077312&r1=1077311&r2=1077312&view=diff
==============================================================================
--- hadoop/common/branches/branch-0.20-security-patches/src/hdfs/org/apache/hadoop/hdfs/server/namenode/NameNode.java (original)
+++ hadoop/common/branches/branch-0.20-security-patches/src/hdfs/org/apache/hadoop/hdfs/server/namenode/NameNode.java Fri Mar 4 04:02:25 2011
@@ -309,9 +309,6 @@ public class NameNode implements ClientP
}
}
- private final static String KEYTAB_FILE_KEY = "dfs.namenode.keytab.file";
- private final static String USER_NAME_KEY = "dfs.namenode.user.name.key";
-
/**
* Start NameNode.
* <p>
@@ -336,7 +333,8 @@ public class NameNode implements ClientP
*/
public NameNode(Configuration conf) throws IOException {
UserGroupInformation.setConfiguration(conf);
- DFSUtil.login(conf, KEYTAB_FILE_KEY, USER_NAME_KEY);
+ DFSUtil.login(conf, DFSConfigKeys.DFS_NAMENODE_KEYTAB_FILE_KEY,
+ DFSConfigKeys.DFS_NAMENODE_USER_NAME_KEY);
try {
initialize(conf);
Modified: hadoop/common/branches/branch-0.20-security-patches/src/hdfs/org/apache/hadoop/hdfs/server/namenode/SecondaryNameNode.java
URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-0.20-security-patches/src/hdfs/org/apache/hadoop/hdfs/server/namenode/SecondaryNameNode.java?rev=1077312&r1=1077311&r2=1077312&view=diff
==============================================================================
--- hadoop/common/branches/branch-0.20-security-patches/src/hdfs/org/apache/hadoop/hdfs/server/namenode/SecondaryNameNode.java (original)
+++ hadoop/common/branches/branch-0.20-security-patches/src/hdfs/org/apache/hadoop/hdfs/server/namenode/SecondaryNameNode.java Fri Mar 4 04:02:25 2011
@@ -120,8 +120,8 @@ public class SecondaryNameNode implement
*/
public SecondaryNameNode(Configuration conf) throws IOException {
DFSUtil.login(conf,
- DFSConfigKeys.DFS_NAMENODE_KEYTAB_FILE_KEY,
- DFSConfigKeys.DFS_NAMENODE_USER_NAME_KEY);
+ DFSConfigKeys.DFS_SECONDARY_NAMENODE_KEYTAB_FILE_KEY,
+ DFSConfigKeys.DFS_SECONDARY_NAMENODE_USER_NAME_KEY);
try {
initialize(conf);
} catch(IOException e) {
@@ -161,8 +161,8 @@ public class SecondaryNameNode implement
// initialize the webserver for uploading files.
// Kerberized SSL servers must be run from the host principal...
- DFSUtil.login(conf, DFSConfigKeys.DFS_NAMENODE_KEYTAB_FILE_KEY,
- DFSConfigKeys.DFS_NAMENODE_KRB_HTTPS_USER_NAME_KEY);
+ DFSUtil.login(conf, DFSConfigKeys.DFS_SECONDARY_NAMENODE_KEYTAB_FILE_KEY,
+ DFSConfigKeys.DFS_SECONDARY_NAMENODE_KRB_HTTPS_USER_NAME_KEY);
UserGroupInformation ugi = UserGroupInformation.getLoginUser();
try {
infoServer = ugi.doAs(new PrivilegedExceptionAction<HttpServer>() {
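Review bot: Both `DFSUtil.login` calls now read the keytab from DFS_SECONDARY_NAMENODE_KEYTAB_FILE_KEY but with different principal keys, so a single keytab must hold both the SNN service principal and the krb https principal, and this second login presumably replaces the login user established in the constructor before the web server comes up. The comment at the top of the hunk should say so, e.g. `// The SNN keytab must contain both the SNN principal and the HTTPS host principal; this login replaces the one done in the constructor.`. The enclosing method starts and ends outside the hunk.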