Posted to common-commits@hadoop.apache.org by aa...@apache.org on 2020/05/02 13:10:05 UTC

[hadoop] branch branch-2.9 updated: SPNEGO TLS verification

This is an automated email from the ASF dual-hosted git repository.

aajisaka pushed a commit to branch branch-2.9
in repository https://gitbox.apache.org/repos/asf/hadoop.git


The following commit(s) were added to refs/heads/branch-2.9 by this push:
     new c1925b2  SPNEGO TLS verification
c1925b2 is described below

commit c1925b2310625a635692ac8039ca15219cdf59bc
Author: Eric Yang <ey...@apache.org>
AuthorDate: Tue Mar 31 13:37:55 2020 -0400

    SPNEGO TLS verification
    
    Signed-off-by: Akira Ajisaka <aa...@apache.org>
    (cherry picked from commit ba66f3b454a5f6ea84f2cf7ac0082c555e2954a7)
    
     Conflicts:
    	hadoop-hdfs-project/hadoop-hdfs-client/src/main/java/org/apache/hadoop/hdfs/web/WebHdfsFileSystem.java
    
    (cherry picked from commit 28715b584ab25dedc600cc2d5d22866865026bf7)
---
 .../main/java/org/apache/hadoop/hdfs/web/WebHdfsFileSystem.java  | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/hadoop-hdfs-project/hadoop-hdfs-client/src/main/java/org/apache/hadoop/hdfs/web/WebHdfsFileSystem.java b/hadoop-hdfs-project/hadoop-hdfs-client/src/main/java/org/apache/hadoop/hdfs/web/WebHdfsFileSystem.java
index 283ba1b..913cc1d 100644
--- a/hadoop-hdfs-project/hadoop-hdfs-client/src/main/java/org/apache/hadoop/hdfs/web/WebHdfsFileSystem.java
+++ b/hadoop-hdfs-project/hadoop-hdfs-client/src/main/java/org/apache/hadoop/hdfs/web/WebHdfsFileSystem.java
@@ -139,6 +139,7 @@ public class WebHdfsFileSystem extends FileSystem
       + "/v" + VERSION;
   public static final String EZ_HEADER = "X-Hadoop-Accept-EZ";
   public static final String FEFINFO_HEADER = "X-Hadoop-feInfo";
+  public static final String DFS_HTTP_POLICY_KEY = "dfs.http.policy";
 
   /**
    * Default connection factory may be overridden in tests to use smaller
@@ -168,6 +169,7 @@ public class WebHdfsFileSystem extends FileSystem
       new ObjectMapper().reader(Map.class);
 
   private DFSOpsCountStatistics storageStatistics;
+  private boolean isTLSKrb;
 
   /**
    * Return the protocol scheme for the FileSystem.
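Review bot: The new field `isTLSKrb` has no comment, and its name suggests it records both TLS and Kerberos state, while the assignment later in this commit derives it only from `dfs.http.policy`. The Kerberos half of the condition is evaluated separately at the call site through `UserGroupInformation.isSecurityEnabled()`. A name such as `httpsOnlyPolicy`, or a comment like `// true when the client configuration sets dfs.http.policy to HTTPS_ONLY; used to refuse plain-HTTP SPNEGO requests`, would keep the next reader from assuming the flag already implies security is enabled.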
@@ -230,6 +232,8 @@ public class WebHdfsFileSystem extends FileSystem
           .newDefaultURLConnectionFactory(connectTimeout, readTimeout, conf);
     }
 
+    this.isTLSKrb = "HTTPS_ONLY".equals(conf.get(DFS_HTTP_POLICY_KEY));
+
     ugi = UserGroupInformation.getCurrentUser();
     this.uri = URI.create(uri.getScheme() + "://" + uri.getAuthority());
     this.nnAddrs = resolveNNAddr();
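Review bot: The policy comparison on the added line is exact-match and untrimmed, so a client configuration of `https_only` or one with stray whitespace leaves `isTLSKrb` false and the new guard silently off. If the server-side policy parser is case-insensitive (I believe `HttpConfig.Policy.fromString` is, but confirm), a cluster can enforce HTTPS while this client check fails open. Consider `this.isTLSKrb = "HTTPS_ONLY".equalsIgnoreCase(conf.getTrimmed(DFS_HTTP_POLICY_KEY));` or reusing the existing policy enum. The value also comes from the client's own configuration, so an unset key disables the check; a short comment saying so would help. The enclosing method starts and ends outside the hunk.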
@@ -688,6 +692,11 @@ public class WebHdfsFileSystem extends FileSystem
       //redirect hostname and port
       redirectHost = null;
 
+      if (url.getProtocol().equals(getTransportScheme()) &&
+        UserGroupInformation.isSecurityEnabled() &&
+        isTLSKrb) {
+        throw new IOException("Access denied: dfs.http.policy is HTTPS_ONLY.");
+      }
 
       // resolve redirects for a DN operation unless already resolved
       if (op.getRedirect() && !redirected) {
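Review bot: The guard compares `url.getProtocol()` with `getTransportScheme()` rather than with plain `http`, so what it rejects depends on the subclass. `getTransportScheme()` is defined outside this hunk; if the TLS variant of this file system overrides it to return `https`, the condition would match every valid HTTPS URL and throw there, while a plain-HTTP URL would pass. Since the intent appears to be refusing SPNEGO over cleartext when the policy is HTTPS_ONLY, test the scheme directly: `if ("http".equals(url.getProtocol()) &&`. The exception text could also name the refused URL scheme, since "Access denied" reads like an authorization failure. The enclosing method starts and ends outside the hunk.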

