Posted to hdfs-commits@hadoop.apache.org by jg...@apache.org on 2010/07/03 02:31:14 UTC
svn commit: r960139 - in /hadoop/hdfs/trunk: CHANGES.txt
src/java/org/apache/hadoop/hdfs/server/namenode/NameNode.java
Author: jghoman
Date: Sat Jul 3 00:31:13 2010
New Revision: 960139
URL: http://svn.apache.org/viewvc?rev=960139&view=rev
Log:
HDFS-1004. Update NN to support Kerberized SSL from HADOOP-6584.
Modified:
hadoop/hdfs/trunk/CHANGES.txt
hadoop/hdfs/trunk/src/java/org/apache/hadoop/hdfs/server/namenode/NameNode.java
Modified: hadoop/hdfs/trunk/CHANGES.txt
URL: http://svn.apache.org/viewvc/hadoop/hdfs/trunk/CHANGES.txt?rev=960139&r1=960138&r2=960139&view=diff
==============================================================================
--- hadoop/hdfs/trunk/CHANGES.txt (original)
+++ hadoop/hdfs/trunk/CHANGES.txt Sat Jul 3 00:31:13 2010
@@ -10,6 +10,9 @@ Trunk (unreleased changes)
HDFS-599. Allow NameNode to have a seprate port for service requests from
client requests. (Dmytro Molkov via hairong)
+ HDFS-1004. Update NN to support Kerberized SSL from HADOOP-6584.
+ (jghoman and Kan Zhang via jghoman)
+
IMPROVEMENTS
HDFS-1096. fix for prev. commit. (boryas)
Modified: hadoop/hdfs/trunk/src/java/org/apache/hadoop/hdfs/server/namenode/NameNode.java
URL: http://svn.apache.org/viewvc/hadoop/hdfs/trunk/src/java/org/apache/hadoop/hdfs/server/namenode/NameNode.java?rev=960139&r1=960138&r2=960139&view=diff
==============================================================================
--- hadoop/hdfs/trunk/src/java/org/apache/hadoop/hdfs/server/namenode/NameNode.java (original)
+++ hadoop/hdfs/trunk/src/java/org/apache/hadoop/hdfs/server/namenode/NameNode.java Sat Jul 3 00:31:13 2010
@@ -21,6 +21,7 @@ import java.io.File;
import java.io.IOException;
import java.net.InetSocketAddress;
import java.net.URI;
+import java.security.PrivilegedExceptionAction;
import java.util.Collection;
import java.util.HashMap;
import java.util.Iterator;
@@ -412,48 +413,80 @@ public class NameNode implements Namenod
this.emptier.start();
}
- private void startHttpServer(Configuration conf) throws IOException {
- InetSocketAddress infoSocAddr = getHttpServerAddress(conf);
- String infoHost = infoSocAddr.getHostName();
- int infoPort = infoSocAddr.getPort();
- this.httpServer = new HttpServer("hdfs", infoHost, infoPort,
- infoPort == 0, conf);
- if (conf.getBoolean("dfs.https.enable", false)) {
- boolean needClientAuth = conf.getBoolean(DFSConfigKeys.DFS_CLIENT_HTTPS_NEED_AUTH_KEY,
- DFSConfigKeys.DFS_CLIENT_HTTPS_NEED_AUTH_DEFAULT);
- InetSocketAddress secInfoSocAddr = NetUtils.createSocketAddr(conf.get(
- DFSConfigKeys.DFS_NAMENODE_HTTPS_ADDRESS_KEY, infoHost + ":" + 0));
- Configuration sslConf = new HdfsConfiguration(false);
- sslConf.addResource(conf.get("dfs.https.server.keystore.resource",
- "ssl-server.xml"));
- this.httpServer.addSslListener(secInfoSocAddr, sslConf, needClientAuth);
- // assume same ssl port for all datanodes
- InetSocketAddress datanodeSslPort = NetUtils.createSocketAddr(conf.get(
- "dfs.datanode.https.address", infoHost + ":" + 50475));
- this.httpServer.setAttribute("datanode.https.port", datanodeSslPort
- .getPort());
- }
- this.httpServer.setAttribute("name.node", this);
- this.httpServer.setAttribute("name.node.address", getNameNodeAddress());
- this.httpServer.setAttribute("name.system.image", getFSImage());
- this.httpServer.setAttribute("name.conf", conf);
- this.httpServer.addInternalServlet("getDelegationToken",
- DelegationTokenServlet.PATH_SPEC, DelegationTokenServlet.class);
- this.httpServer.addInternalServlet("fsck", "/fsck", FsckServlet.class);
- this.httpServer.addInternalServlet("getimage", "/getimage", GetImageServlet.class);
- this.httpServer.addInternalServlet("listPaths", "/listPaths/*", ListPathsServlet.class);
- this.httpServer.addInternalServlet("data", "/data/*", FileDataServlet.class);
- this.httpServer.addInternalServlet("checksum", "/fileChecksum/*",
- FileChecksumServlets.RedirectServlet.class);
- this.httpServer.addInternalServlet("contentSummary", "/contentSummary/*",
- ContentSummaryServlet.class);
- this.httpServer.start();
-
- // The web-server port can be ephemeral... ensure we have the correct info
- infoPort = this.httpServer.getPort();
- this.httpAddress = new InetSocketAddress(infoHost, infoPort);
- setHttpServerAddress(conf);
- LOG.info(getRole() + " Web-server up at: " + httpAddress);
+ private void startHttpServer(final Configuration conf) throws IOException {
+ // Kerberized SSL servers must be run from the host principal...
+ DFSUtil.login(conf, DFSConfigKeys.DFS_NAMENODE_KEYTAB_FILE_KEY,
+ DFSConfigKeys.DFS_NAMENODE_KRB_HTTPS_USER_NAME_KEY);
+ UserGroupInformation ugi = UserGroupInformation.getLoginUser();
+ try {
+ this.httpServer = ugi.doAs(new PrivilegedExceptionAction<HttpServer>() {
+ @Override
+ public HttpServer run() throws IOException, InterruptedException {
+ InetSocketAddress infoSocAddr = getHttpServerAddress(conf);
+ String infoHost = infoSocAddr.getHostName();
+ int infoPort = infoSocAddr.getPort();
+ httpServer = new HttpServer("hdfs", infoHost, infoPort,
+ infoPort == 0, conf);
+
+ boolean certSSL = conf.getBoolean("dfs.https.enable", false);
+ boolean useKrb = UserGroupInformation.isSecurityEnabled();
+ if (certSSL || useKrb) {
+ boolean needClientAuth = conf.getBoolean(
+ DFSConfigKeys.DFS_CLIENT_HTTPS_NEED_AUTH_KEY,
+ DFSConfigKeys.DFS_CLIENT_HTTPS_NEED_AUTH_DEFAULT);
+ InetSocketAddress secInfoSocAddr = NetUtils.createSocketAddr(conf
+ .get(DFSConfigKeys.DFS_NAMENODE_HTTPS_ADDRESS_KEY, infoHost
+ + ":" + 0));
+ Configuration sslConf = new HdfsConfiguration(false);
+ if (certSSL) {
+ sslConf.addResource(conf.get(
+ "dfs.https.server.keystore.resource", "ssl-server.xml"));
+ }
+ httpServer.addSslListener(secInfoSocAddr, sslConf, needClientAuth,
+ useKrb);
+ // assume same ssl port for all datanodes
+ InetSocketAddress datanodeSslPort = NetUtils.createSocketAddr(conf
+ .get("dfs.datanode.https.address", infoHost + ":" + 50475));
+ httpServer.setAttribute("datanode.https.port", datanodeSslPort
+ .getPort());
+ }
+ httpServer.setAttribute("name.node", NameNode.this);
+ httpServer.setAttribute("name.node.address", getNameNodeAddress());
+ httpServer.setAttribute("name.system.image", getFSImage());
+ httpServer.setAttribute("name.conf", conf);
+ httpServer.addInternalServlet("getDelegationToken",
+ DelegationTokenServlet.PATH_SPEC, DelegationTokenServlet.class,
+ true);
+ httpServer.addInternalServlet("fsck", "/fsck", FsckServlet.class,
+ true);
+ httpServer.addInternalServlet("getimage", "/getimage",
+ GetImageServlet.class, true);
+ httpServer.addInternalServlet("listPaths", "/listPaths/*",
+ ListPathsServlet.class, true);
+ httpServer.addInternalServlet("data", "/data/*",
+ FileDataServlet.class, true);
+ httpServer.addInternalServlet("checksum", "/fileChecksum/*",
+ FileChecksumServlets.RedirectServlet.class, true);
+ httpServer.addInternalServlet("contentSummary", "/contentSummary/*",
+ ContentSummaryServlet.class, true);
+ httpServer.start();
+
+ // The web-server port can be ephemeral... ensure we have the correct
+ // info
+ infoPort = httpServer.getPort();
+ httpAddress = new InetSocketAddress(infoHost, infoPort);
+ setHttpServerAddress(conf);
+ LOG.info(getRole() + " Web-server up at: " + httpAddress);
+ return httpServer;
+ }
+ });
+ } catch (InterruptedException e) {
+ throw new IOException(e);
+ } finally {
+ // Go back to being the correct Namenode principal
+ DFSUtil.login(conf, DFSConfigKeys.DFS_NAMENODE_KEYTAB_FILE_KEY,
+ DFSConfigKeys.DFS_NAMENODE_USER_NAME_KEY);
+ }
}
/**
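Review bot: The `catch (InterruptedException e)` at the end of the new startHttpServer turns the interrupt into an IOException but never restores the interrupt flag, so code further up the stack loses the signal; add `Thread.currentThread().interrupt();` immediately before `throw new IOException(e);`. The httpServer field is also written twice, once as `httpServer = new HttpServer(...)` inside run() and again as `this.httpServer = ugi.doAs(...)` outside, which makes the outer assignment redundant and leaves a half-built server in the field if start() throws; building into a local inside run() and assigning the field once from the doAs result would make the ownership clearer. The trailing `true` passed to every addInternalServlet call is an unnamed boolean whose meaning is not visible in this hunk, so a named local whose name matches that parameter in HttpServer.addInternalServlet, or a one-line comment on the first call explaining what the flag selects, would document the intent. Note also that the finally block's re-login to the NameNode principal can itself throw IOException and would then mask whatever failure escaped the try body; on this Java level there is no addSuppressed, so at least logging the original exception before re-login seems worth considering.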