You are viewing a plain text version of this content. The canonical link for it is here.
Posted to common-commits@hadoop.apache.org by ji...@apache.org on 2011/10/06 19:29:51 UTC
svn commit: r1179716 - in /hadoop/common/branches/branch-0.20-security-205:
./ src/core/org/apache/hadoop/security/authentication/server/
src/hdfs/org/apache/hadoop/hdfs/
src/hdfs/org/apache/hadoop/hdfs/server/namenode/
src/hdfs/org/apache/hadoop/hdfs/...
Author: jitendra
Date: Thu Oct 6 17:29:51 2011
New Revision: 1179716
URL: http://svn.apache.org/viewvc?rev=1179716&view=rev
Log:
Merged r1179713 from branch-0.20-security for HADOOP-7721 and HDFS-2405.
Added:
hadoop/common/branches/branch-0.20-security-205/src/test/org/apache/hadoop/hdfs/web/TestAuthFilter.java
- copied unchanged from r1179713, hadoop/common/branches/branch-0.20-security/src/test/org/apache/hadoop/hdfs/web/TestAuthFilter.java
Modified:
hadoop/common/branches/branch-0.20-security-205/CHANGES.txt (contents, props changed)
hadoop/common/branches/branch-0.20-security-205/src/core/org/apache/hadoop/security/authentication/server/KerberosAuthenticationHandler.java
hadoop/common/branches/branch-0.20-security-205/src/hdfs/org/apache/hadoop/hdfs/DFSConfigKeys.java
hadoop/common/branches/branch-0.20-security-205/src/hdfs/org/apache/hadoop/hdfs/server/namenode/NameNode.java
hadoop/common/branches/branch-0.20-security-205/src/hdfs/org/apache/hadoop/hdfs/web/AuthFilter.java
hadoop/common/branches/branch-0.20-security-205/src/hdfs/org/apache/hadoop/hdfs/web/resources/UserProvider.java
Modified: hadoop/common/branches/branch-0.20-security-205/CHANGES.txt
URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-0.20-security-205/CHANGES.txt?rev=1179716&r1=1179715&r2=1179716&view=diff
==============================================================================
--- hadoop/common/branches/branch-0.20-security-205/CHANGES.txt (original)
+++ hadoop/common/branches/branch-0.20-security-205/CHANGES.txt Thu Oct 6 17:29:51 2011
@@ -271,6 +271,9 @@ Release 0.20.205.0 - 2011.09.28
HDFS-2408. DFSClient#getNumCurrentReplicas is package private in 205 but
public in branch-0.20-append (stack via atm)
+ HADOOP-7721. dfs.web.authentication.kerberos.principal expects the full
+ hostname and does not replace _HOST with the hostname. (jitendra)
+
IMPROVEMENTS
MAPREDUCE-2928. MR-2413 improvements (Eli Collins via mattf)
Propchange: hadoop/common/branches/branch-0.20-security-205/CHANGES.txt
------------------------------------------------------------------------------
--- svn:mergeinfo (original)
+++ svn:mergeinfo Thu Oct 6 17:29:51 2011
@@ -1,6 +1,6 @@
/hadoop/common/branches/branch-0.20/CHANGES.txt:826138,826568,829987,831184,833001,880632,898713,909245,909723,960946,990003,1044225
/hadoop/common/branches/branch-0.20-append/CHANGES.txt:955380,955398,955448,956329
-/hadoop/common/branches/branch-0.20-security/CHANGES.txt:1170042,1170087,1170997,1171137,1171181,1171380,1171613,1171891,1171905,1172184,1172188,1172190,1172192,1173470,1173843,1174326,1174471,1174476,1174482,1175114,1176179,1176182,1176270,1176276,1176675,1176720,1177031,1177036,1177098,1177101,1177907,1178074,1179036,1179171,1179471,1179519
+/hadoop/common/branches/branch-0.20-security/CHANGES.txt:1170042,1170087,1170997,1171137,1171181,1171380,1171613,1171891,1171905,1172184,1172188,1172190,1172192,1173470,1173843,1174326,1174471,1174476,1174482,1175114,1176179,1176182,1176270,1176276,1176675,1176720,1177031,1177036,1177098,1177101,1177907,1178074,1179036,1179171,1179471,1179519,1179713
/hadoop/common/branches/branch-0.20-security-203/CHANGES.txt:1096071,1097011,1097249,1097269,1097281,1097966,1098816,1098819,1098823,1098827,1098832,1098839,1098854,1098863,1099088,1099191,1099324,1099330,1099333,1102071,1128115
/hadoop/common/branches/branch-0.20-security-204/CHANGES.txt:1128390,1147228,1148069,1149316,1154413,1159730,1161741
/hadoop/core/branches/branch-0.18/CHANGES.txt:727226
Modified: hadoop/common/branches/branch-0.20-security-205/src/core/org/apache/hadoop/security/authentication/server/KerberosAuthenticationHandler.java
URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-0.20-security-205/src/core/org/apache/hadoop/security/authentication/server/KerberosAuthenticationHandler.java?rev=1179716&r1=1179715&r2=1179716&view=diff
==============================================================================
--- hadoop/common/branches/branch-0.20-security-205/src/core/org/apache/hadoop/security/authentication/server/KerberosAuthenticationHandler.java (original)
+++ hadoop/common/branches/branch-0.20-security-205/src/core/org/apache/hadoop/security/authentication/server/KerberosAuthenticationHandler.java Thu Oct 6 17:29:51 2011
@@ -160,6 +160,7 @@ public class KerberosAuthenticationHandl
KerberosConfiguration kerberosConfiguration = new KerberosConfiguration(keytab, principal);
+ LOG.info("Login using keytab "+keytab+", for principal "+principal);
loginContext = new LoginContext("", subject, null, kerberosConfiguration);
loginContext.login();
Modified: hadoop/common/branches/branch-0.20-security-205/src/hdfs/org/apache/hadoop/hdfs/DFSConfigKeys.java
URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-0.20-security-205/src/hdfs/org/apache/hadoop/hdfs/DFSConfigKeys.java?rev=1179716&r1=1179715&r2=1179716&view=diff
==============================================================================
--- hadoop/common/branches/branch-0.20-security-205/src/hdfs/org/apache/hadoop/hdfs/DFSConfigKeys.java (original)
+++ hadoop/common/branches/branch-0.20-security-205/src/hdfs/org/apache/hadoop/hdfs/DFSConfigKeys.java Thu Oct 6 17:29:51 2011
@@ -216,4 +216,7 @@ public class DFSConfigKeys extends Commo
public static final String DFS_SECONDARY_NAMENODE_KRB_HTTPS_USER_NAME_KEY = "dfs.secondary.namenode.kerberos.https.principal";
public static final String DFS_NAMENODE_NAME_CACHE_THRESHOLD_KEY = "dfs.namenode.name.cache.threshold";
public static final int DFS_NAMENODE_NAME_CACHE_THRESHOLD_DEFAULT = 10;
+
+ public static final String DFS_WEB_AUTHENTICATION_KERBEROS_PRINCIPAL_KEY = "dfs.web.authentication.kerberos.principal";
+ public static final String DFS_WEB_AUTHENTICATION_KERBEROS_KEYTAB_KEY = "dfs.web.authentication.kerberos.keytab";
}
Modified: hadoop/common/branches/branch-0.20-security-205/src/hdfs/org/apache/hadoop/hdfs/server/namenode/NameNode.java
URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-0.20-security-205/src/hdfs/org/apache/hadoop/hdfs/server/namenode/NameNode.java?rev=1179716&r1=1179715&r2=1179716&view=diff
==============================================================================
--- hadoop/common/branches/branch-0.20-security-205/src/hdfs/org/apache/hadoop/hdfs/server/namenode/NameNode.java (original)
+++ hadoop/common/branches/branch-0.20-security-205/src/hdfs/org/apache/hadoop/hdfs/server/namenode/NameNode.java Thu Oct 6 17:29:51 2011
@@ -25,8 +25,10 @@ import java.security.PrivilegedException
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
+import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
+import java.util.Map;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
@@ -363,7 +365,8 @@ public class NameNode implements ClientP
final String name = "SPNEGO";
final String classname = AuthFilter.class.getName();
final String pathSpec = "/" + WebHdfsFileSystem.PATH_PREFIX + "/*";
- defineFilter(webAppContext, name, classname, null,
+ Map<String, String> params = getAuthFilterParams(conf);
+ defineFilter(webAppContext, name, classname, params,
new String[]{pathSpec});
LOG.info("Added filter '" + name + "' (class=" + classname + ")");
@@ -373,6 +376,30 @@ public class NameNode implements ClientP
+ ";" + Param.class.getPackage().getName(), pathSpec);
}
}
+
+ private Map<String, String> getAuthFilterParams(Configuration conf)
+ throws IOException {
+ Map<String, String> params = new HashMap<String, String>();
+ String principalInConf = conf
+ .get(DFSConfigKeys.DFS_WEB_AUTHENTICATION_KERBEROS_PRINCIPAL_KEY);
+ if (principalInConf != null && !principalInConf.isEmpty()) {
+ params
+ .put(
+ DFSConfigKeys.DFS_WEB_AUTHENTICATION_KERBEROS_PRINCIPAL_KEY,
+ SecurityUtil.getServerPrincipal(principalInConf,
+ serverAddress.getHostName()));
+ }
+ String httpKeytab = conf
+ .get(DFSConfigKeys.DFS_WEB_AUTHENTICATION_KERBEROS_KEYTAB_KEY);
+ if (httpKeytab != null && !httpKeytab.isEmpty()) {
+ params.put(
+ DFSConfigKeys.DFS_WEB_AUTHENTICATION_KERBEROS_KEYTAB_KEY,
+ httpKeytab);
+ }
+ params.put("kerberos.name.rules",
+ conf.get("hadoop.security.auth_to_local", "DEFAULT"));
+ return params;
+ }
};
boolean certSSL = conf.getBoolean("dfs.https.enable", false);
Modified: hadoop/common/branches/branch-0.20-security-205/src/hdfs/org/apache/hadoop/hdfs/web/AuthFilter.java
URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-0.20-security-205/src/hdfs/org/apache/hadoop/hdfs/web/AuthFilter.java?rev=1179716&r1=1179715&r2=1179716&view=diff
==============================================================================
--- hadoop/common/branches/branch-0.20-security-205/src/hdfs/org/apache/hadoop/hdfs/web/AuthFilter.java (original)
+++ hadoop/common/branches/branch-0.20-security-205/src/hdfs/org/apache/hadoop/hdfs/web/AuthFilter.java Thu Oct 6 17:29:51 2011
@@ -17,12 +17,11 @@
*/
package org.apache.hadoop.hdfs.web;
-import java.util.Map;
import java.util.Properties;
import javax.servlet.FilterConfig;
+import javax.servlet.ServletException;
-import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.authentication.server.AuthenticationFilter;
import org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler;
@@ -41,30 +40,21 @@ public class AuthFilter extends Authenti
* The prefix is removed from the returned property names.
*
* @param prefix parameter not used.
- * @param config parameter not used.
+ * @param config parameter contains the initialization values.
* @return Hadoop-Auth configuration properties.
+ * @throws ServletException
*/
@Override
- protected Properties getConfiguration(String prefix, FilterConfig config) {
- final Configuration conf = new Configuration();
- final Properties p = new Properties();
-
- //set authentication type
+ protected Properties getConfiguration(String prefix, FilterConfig config)
+ throws ServletException {
+ final Properties p = super.getConfiguration(CONF_PREFIX, config);
+ // set authentication type
p.setProperty(AUTH_TYPE, UserGroupInformation.isSecurityEnabled()?
KerberosAuthenticationHandler.TYPE: PseudoAuthenticationHandler.TYPE);
//For Pseudo Authentication, allow anonymous.
p.setProperty(PseudoAuthenticationHandler.ANONYMOUS_ALLOWED, "true");
//set cookie path
p.setProperty(COOKIE_PATH, "/");
-
- //set other configurations with CONF_PREFIX
- for (Map.Entry<String, String> entry : conf) {
- final String key = entry.getKey();
- if (key.startsWith(CONF_PREFIX)) {
- //remove prefix from the key and set property
- p.setProperty(key.substring(CONF_PREFIX.length()), conf.get(key));
- }
- }
- return p;
+ return p;
}
}
\ No newline at end of file
Modified: hadoop/common/branches/branch-0.20-security-205/src/hdfs/org/apache/hadoop/hdfs/web/resources/UserProvider.java
URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-0.20-security-205/src/hdfs/org/apache/hadoop/hdfs/web/resources/UserProvider.java?rev=1179716&r1=1179715&r2=1179716&view=diff
==============================================================================
--- hadoop/common/branches/branch-0.20-security-205/src/hdfs/org/apache/hadoop/hdfs/web/resources/UserProvider.java (original)
+++ hadoop/common/branches/branch-0.20-security-205/src/hdfs/org/apache/hadoop/hdfs/web/resources/UserProvider.java Thu Oct 6 17:29:51 2011
@@ -20,6 +20,7 @@ package org.apache.hadoop.hdfs.web.resou
import java.io.IOException;
import java.lang.reflect.Type;
+import javax.servlet.ServletContext;
import javax.servlet.http.HttpServletRequest;
import javax.ws.rs.core.Context;
import javax.ws.rs.ext.Provider;
@@ -42,11 +43,12 @@ public class UserProvider
extends AbstractHttpContextInjectable<UserGroupInformation>
implements InjectableProvider<Context, Type> {
@Context HttpServletRequest request;
+ @Context ServletContext servletcontext;
@Override
public UserGroupInformation getValue(final HttpContext context) {
- final Configuration conf = (Configuration)context.getProperties().get(
- JspHelper.CURRENT_CONF);
+ final Configuration conf = (Configuration) servletcontext
+ .getAttribute(JspHelper.CURRENT_CONF);
try {
return JspHelper.getUGI(request, conf,
AuthenticationMethod.KERBEROS, false);