You are viewing a plain text version of this content. The canonical link for it is here.
Posted to common-commits@hadoop.apache.org by ey...@apache.org on 2016/10/15 05:14:14 UTC
hadoop git commit: HADOOP-13707. Skip authorization for anonymous
user to access Hadoop web interface in non-secure environment. (Yuanbo Liu
via eyang)
Repository: hadoop
Updated Branches:
refs/heads/master [created] f2b056bad
HADOOP-13707. Skip authorization for anonymous user to access Hadoop
web interface in non-secure environment. (Yuanbo Liu via eyang)
Project: http://git-wip-us.apache.org/repos/asf/hadoop/repo
Commit: http://git-wip-us.apache.org/repos/asf/hadoop/commit/f2b056ba
Tree: http://git-wip-us.apache.org/repos/asf/hadoop/tree/f2b056ba
Diff: http://git-wip-us.apache.org/repos/asf/hadoop/diff/f2b056ba
Branch: refs/heads/master
Commit: f2b056bad73d2b3cc787f880403faf30aabab15a
Parents: a0da1ec
Author: Eric Yang <ey...@apache.org>
Authored: Fri Oct 14 22:10:15 2016 -0700
Committer: Eric Yang <ey...@apache.org>
Committed: Fri Oct 14 22:10:15 2016 -0700
----------------------------------------------------------------------
hadoop-common-project/hadoop-common/CHANGES.txt | 3 ++
.../org/apache/hadoop/conf/ConfServlet.java | 8 ++++-
.../hadoop/http/AdminAuthorizedServlet.java | 11 +++++--
.../org/apache/hadoop/http/HttpServer2.java | 31 ++++++++++++++++++--
.../org/apache/hadoop/jmx/JMXJsonServlet.java | 8 ++++-
.../java/org/apache/hadoop/log/LogLevel.java | 10 +++++--
.../org/apache/hadoop/http/TestHttpServer.java | 17 ++++++++++-
7 files changed, 76 insertions(+), 12 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/hadoop/blob/f2b056ba/hadoop-common-project/hadoop-common/CHANGES.txt
----------------------------------------------------------------------
diff --git a/hadoop-common-project/hadoop-common/CHANGES.txt b/hadoop-common-project/hadoop-common/CHANGES.txt
index bfad714..7154bd7 100644
--- a/hadoop-common-project/hadoop-common/CHANGES.txt
+++ b/hadoop-common-project/hadoop-common/CHANGES.txt
@@ -175,6 +175,9 @@ Release 2.8.0 - UNRELEASED
BUG FIXES
+ HADOOP-13707. Skip authorization for anonymous user to access Hadoop
+ web interface in non-secure environment. (Yuanbo Liu via eyang)
+
HADOOP-12124. Add HTrace support for FsShell (cmccabe)
HADOOP-12171. Shorten overly-long htrace span names for server (cmccabe)
http://git-wip-us.apache.org/repos/asf/hadoop/blob/f2b056ba/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/conf/ConfServlet.java
----------------------------------------------------------------------
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/conf/ConfServlet.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/conf/ConfServlet.java
index c7f11b3..d4b34e9 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/conf/ConfServlet.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/conf/ConfServlet.java
@@ -20,6 +20,7 @@ package org.apache.hadoop.conf;
import java.io.IOException;
import java.io.Writer;
+import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
@@ -56,7 +57,12 @@ public class ConfServlet extends HttpServlet {
public void doGet(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
- if (!HttpServer2.isInstrumentationAccessAllowed(getServletContext(),
+ // If user is a static user and auth Type is null, that means
+ // there is a non-security environment and no need authorization,
+ // otherwise, do the authorization.
+ final ServletContext servletContext = getServletContext();
+ if (!HttpServer2.isStaticUserAndNoneAuthType(servletContext, request) &&
+ !HttpServer2.isInstrumentationAccessAllowed(servletContext,
request, response)) {
return;
}
http://git-wip-us.apache.org/repos/asf/hadoop/blob/f2b056ba/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/http/AdminAuthorizedServlet.java
----------------------------------------------------------------------
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/http/AdminAuthorizedServlet.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/http/AdminAuthorizedServlet.java
index ef562b4..e591ab4 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/http/AdminAuthorizedServlet.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/http/AdminAuthorizedServlet.java
@@ -19,6 +19,7 @@ package org.apache.hadoop.http;
import java.io.IOException;
+import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
@@ -35,9 +36,13 @@ public class AdminAuthorizedServlet extends DefaultServlet {
@Override
protected void doGet(HttpServletRequest request, HttpServletResponse response)
- throws ServletException, IOException {
- // Do the authorization
- if (HttpServer2.hasAdministratorAccess(getServletContext(), request,
+ throws ServletException, IOException {
+ // If user is a static user and auth Type is null, that means
+ // there is a non-security environment and no need authorization,
+ // otherwise, do the authorization.
+ final ServletContext servletContext = getServletContext();
+ if (HttpServer2.isStaticUserAndNoneAuthType(servletContext, request) ||
+ HttpServer2.hasAdministratorAccess(servletContext, request,
response)) {
// Authorization is done. Just call super.
super.doGet(request, response);
http://git-wip-us.apache.org/repos/asf/hadoop/blob/f2b056ba/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/http/HttpServer2.java
----------------------------------------------------------------------
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/http/HttpServer2.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/http/HttpServer2.java
index 11ab23b..2a85a57 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/http/HttpServer2.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/http/HttpServer2.java
@@ -96,6 +96,8 @@ import org.mortbay.util.MultiException;
import com.google.common.base.Preconditions;
import com.google.common.collect.Lists;
import com.sun.jersey.spi.container.servlet.ServletContainer;
+import static org.apache.hadoop.fs.CommonConfigurationKeys.DEFAULT_HADOOP_HTTP_STATIC_USER;
+import static org.apache.hadoop.fs.CommonConfigurationKeys.HADOOP_HTTP_STATIC_USER;
import static org.apache.hadoop.security.authentication.server
.AuthenticationFilter.*;
@@ -1005,6 +1007,24 @@ public final class HttpServer2 implements FilterContainer {
}
/**
+ * check whether user is static and unauthenticated, if the
+ * answer is TRUE, that means http sever is in non-security
+ * environment.
+ * @param servletContext the servlet context.
+ * @param request the servlet request.
+ * @return TRUE/FALSE based on the logic described above.
+ */
+ public static boolean isStaticUserAndNoneAuthType(
+ ServletContext servletContext, HttpServletRequest request) {
+ Configuration conf =
+ (Configuration) servletContext.getAttribute(CONF_CONTEXT_ATTRIBUTE);
+ final String authType = request.getAuthType();
+ final String staticUser = conf.get(HADOOP_HTTP_STATIC_USER,
+ DEFAULT_HADOOP_HTTP_STATIC_USER);
+ return authType == null && staticUser.equals(request.getRemoteUser());
+ }
+
+ /**
* Checks the user has privileges to access to instrumentation servlets.
* <p/>
* If <code>hadoop.security.instrumentation.requires.admin</code> is set to FALSE
@@ -1101,9 +1121,14 @@ public final class HttpServer2 implements FilterContainer {
@Override
public void doGet(HttpServletRequest request, HttpServletResponse response)
- throws ServletException, IOException {
- if (!HttpServer2.isInstrumentationAccessAllowed(getServletContext(),
- request, response)) {
+ throws ServletException, IOException {
+ // If user is a static user and auth Type is null, that means
+ // there is a non-security environment and no need authorization,
+ // otherwise, do the authorization.
+ final ServletContext servletContext = getServletContext();
+ if (!HttpServer2.isStaticUserAndNoneAuthType(servletContext, request) &&
+ !HttpServer2.isInstrumentationAccessAllowed(servletContext,
+ request, response)) {
return;
}
response.setContentType("text/plain; charset=UTF-8");
http://git-wip-us.apache.org/repos/asf/hadoop/blob/f2b056ba/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/jmx/JMXJsonServlet.java
----------------------------------------------------------------------
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/jmx/JMXJsonServlet.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/jmx/JMXJsonServlet.java
index 1764ecc..8609d96 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/jmx/JMXJsonServlet.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/jmx/JMXJsonServlet.java
@@ -38,6 +38,7 @@ import javax.management.RuntimeMBeanException;
import javax.management.openmbean.CompositeData;
import javax.management.openmbean.CompositeType;
import javax.management.openmbean.TabularData;
+import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
@@ -157,7 +158,12 @@ public class JMXJsonServlet extends HttpServlet {
String jsonpcb = null;
PrintWriter writer = null;
try {
- if (!isInstrumentationAccessAllowed(request, response)) {
+ // If user is a static user and auth Type is null, that means
+ // there is a non-security environment and no need authorization,
+ // otherwise, do the authorization.
+ final ServletContext servletContext = getServletContext();
+ if (!HttpServer2.isStaticUserAndNoneAuthType(servletContext, request) &&
+ !isInstrumentationAccessAllowed(request, response)) {
return;
}
http://git-wip-us.apache.org/repos/asf/hadoop/blob/f2b056ba/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/log/LogLevel.java
----------------------------------------------------------------------
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/log/LogLevel.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/log/LogLevel.java
index 4749ce1..26502ec 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/log/LogLevel.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/log/LogLevel.java
@@ -93,9 +93,13 @@ public class LogLevel {
public void doGet(HttpServletRequest request, HttpServletResponse response
) throws ServletException, IOException {
- // Do the authorization
- if (!HttpServer2.hasAdministratorAccess(getServletContext(), request,
- response)) {
+ // If user is a static user and auth Type is null, that means
+ // there is a non-security environment and no need authorization,
+ // otherwise, do the authorization.
+ final ServletContext servletContext = getServletContext();
+ if (!HttpServer2.isStaticUserAndNoneAuthType(servletContext, request) &&
+ !HttpServer2.hasAdministratorAccess(servletContext,
+ request, response)) {
return;
}
http://git-wip-us.apache.org/repos/asf/hadoop/blob/f2b056ba/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/http/TestHttpServer.java
----------------------------------------------------------------------
diff --git a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/http/TestHttpServer.java b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/http/TestHttpServer.java
index 5b202da..5443953 100644
--- a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/http/TestHttpServer.java
+++ b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/http/TestHttpServer.java
@@ -64,6 +64,9 @@ import java.util.concurrent.CountDownLatch;
import java.util.concurrent.Executor;
import java.util.concurrent.Executors;
+import static org.apache.hadoop.fs.CommonConfigurationKeys.DEFAULT_HADOOP_HTTP_STATIC_USER;
+import static org.apache.hadoop.fs.CommonConfigurationKeys.HADOOP_HTTP_STATIC_USER;
+
public class TestHttpServer extends HttpServerFunctionalTest {
static final Log LOG = LogFactory.getLog(TestHttpServer.class);
private static HttpServer2 server;
@@ -383,7 +386,7 @@ public class TestHttpServer extends HttpServerFunctionalTest {
String serverURL = "http://"
+ NetUtils.getHostPortString(myServer.getConnectorAddress(0)) + "/";
for (String servlet : new String[] { "conf", "logs", "stacks",
- "logLevel", "metrics" }) {
+ "logLevel", "metrics", "jmx" }) {
for (String user : new String[] { "userA", "userB", "userC", "userD" }) {
assertEquals(HttpURLConnection.HTTP_OK, getHttpStatusCode(serverURL
+ servlet, user));
@@ -391,6 +394,18 @@ public class TestHttpServer extends HttpServerFunctionalTest {
assertEquals(HttpURLConnection.HTTP_FORBIDDEN, getHttpStatusCode(
serverURL + servlet, "userE"));
}
+
+ // hadoop.security.authorization is set as true while
+ // hadoop.http.authentication.type's value is `simple`(default value)
+ // in this case, static user has administrator access
+ final String staticUser = conf.get(HADOOP_HTTP_STATIC_USER,
+ DEFAULT_HADOOP_HTTP_STATIC_USER);
+ for (String servlet : new String[] {"conf", "logs", "stacks",
+ "logLevel", "jmx"}) {
+ assertEquals(HttpURLConnection.HTTP_OK, getHttpStatusCode(
+ serverURL + servlet, staticUser));
+ }
+
myServer.stop();
}
---------------------------------------------------------------------
To unsubscribe, e-mail: common-commits-unsubscribe@hadoop.apache.org
For additional commands, e-mail: common-commits-help@hadoop.apache.org