Posted to common-commits@hadoop.apache.org by as...@apache.org on 2015/04/21 20:32:13 UTC
hadoop git commit: HADOOP-11704. DelegationTokenAuthenticationFilter
must pass ipaddress instead of hostname to ProxyUsers#authorize (Anubhav
Dhoot via asuresh)
Repository: hadoop
Updated Branches:
refs/heads/trunk dfc1c4c30 -> 424a00daa
HADOOP-11704. DelegationTokenAuthenticationFilter must pass ipaddress instead of hostname to ProxyUsers#authorize (Anubhav Dhoot via asuresh)
Project: http://git-wip-us.apache.org/repos/asf/hadoop/repo
Commit: http://git-wip-us.apache.org/repos/asf/hadoop/commit/424a00da
Tree: http://git-wip-us.apache.org/repos/asf/hadoop/tree/424a00da
Diff: http://git-wip-us.apache.org/repos/asf/hadoop/diff/424a00da
Branch: refs/heads/trunk
Commit: 424a00daa069bf2049014fd46ad152ec5fc77ac8
Parents: dfc1c4c
Author: Arun Suresh <as...@apache.org>
Authored: Tue Apr 21 11:31:51 2015 -0700
Committer: Arun Suresh <as...@apache.org>
Committed: Tue Apr 21 11:31:51 2015 -0700
----------------------------------------------------------------------
hadoop-common-project/hadoop-common/CHANGES.txt | 3 ++
.../DelegationTokenAuthenticationFilter.java | 2 +-
.../DelegationTokenAuthenticationHandler.java | 2 +-
.../delegation/web/TestWebDelegationToken.java | 56 +++++++++++++++++++-
4 files changed, 60 insertions(+), 3 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/hadoop/blob/424a00da/hadoop-common-project/hadoop-common/CHANGES.txt
----------------------------------------------------------------------
diff --git a/hadoop-common-project/hadoop-common/CHANGES.txt b/hadoop-common-project/hadoop-common/CHANGES.txt
index 230717c..5c6d44a 100644
--- a/hadoop-common-project/hadoop-common/CHANGES.txt
+++ b/hadoop-common-project/hadoop-common/CHANGES.txt
@@ -519,6 +519,9 @@ Release 2.8.0 - UNRELEASED
HADOOP-11811. Fix typos in hadoop-project/pom.xml and TestAccessControlList.
(Brahma Reddy Battula via ozawa)
+ HADOOP-11704. DelegationTokenAuthenticationFilter must pass ipaddress
+ instead of hostname to ProxyUsers#authorize (Anubhav Dhoot via asuresh)
+
Release 2.7.1 - UNRELEASED
INCOMPATIBLE CHANGES
http://git-wip-us.apache.org/repos/asf/hadoop/blob/424a00da/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/DelegationTokenAuthenticationFilter.java
----------------------------------------------------------------------
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/DelegationTokenAuthenticationFilter.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/DelegationTokenAuthenticationFilter.java
index fbd1129..b6e1a76 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/DelegationTokenAuthenticationFilter.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/DelegationTokenAuthenticationFilter.java
@@ -239,7 +239,7 @@ public class DelegationTokenAuthenticationFilter
if (doAsUser != null) {
ugi = UserGroupInformation.createProxyUser(doAsUser, ugi);
try {
- ProxyUsers.authorize(ugi, request.getRemoteHost());
+ ProxyUsers.authorize(ugi, request.getRemoteAddr());
} catch (AuthorizationException ex) {
HttpExceptionUtils.createServletExceptionResponse(response,
HttpServletResponse.SC_FORBIDDEN, ex);
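Review bot: The new `ProxyUsers.authorize(ugi, request.getRemoteAddr())` call has no comment explaining why the address form is required, so a later cleanup could quietly switch it back to `getRemoteHost()`. The identical call in DelegationTokenAuthenticationHandler has the same gap. I would add above each call `// ProxyUsers#authorize expects the caller's IP address; getRemoteHost() can return a resolved name when the connector resolves names.` Separately, `getRemoteAddr()` reports the immediate TCP peer, so if this filter is deployed behind a reverse proxy or load balancer the `proxyuser.*.hosts` restriction is presumably evaluated against that intermediary, not the original client, which is worth stating in the proxy-user documentation. The enclosing method starts and ends outside the hunk.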
http://git-wip-us.apache.org/repos/asf/hadoop/blob/424a00da/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/DelegationTokenAuthenticationHandler.java
----------------------------------------------------------------------
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/DelegationTokenAuthenticationHandler.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/DelegationTokenAuthenticationHandler.java
index c498f70..3f191de 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/DelegationTokenAuthenticationHandler.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/DelegationTokenAuthenticationHandler.java
@@ -199,7 +199,7 @@ public abstract class DelegationTokenAuthenticationHandler
requestUgi = UserGroupInformation.createProxyUser(
doAsUser, requestUgi);
try {
- ProxyUsers.authorize(requestUgi, request.getRemoteHost());
+ ProxyUsers.authorize(requestUgi, request.getRemoteAddr());
} catch (AuthorizationException ex) {
HttpExceptionUtils.createServletExceptionResponse(response,
HttpServletResponse.SC_FORBIDDEN, ex);
http://git-wip-us.apache.org/repos/asf/hadoop/blob/424a00da/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/token/delegation/web/TestWebDelegationToken.java
----------------------------------------------------------------------
diff --git a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/token/delegation/web/TestWebDelegationToken.java b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/token/delegation/web/TestWebDelegationToken.java
index 87c3105..d18f968 100644
--- a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/token/delegation/web/TestWebDelegationToken.java
+++ b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/token/delegation/web/TestWebDelegationToken.java
@@ -35,6 +35,7 @@ import org.junit.After;
import org.junit.Assert;
import org.junit.Before;
import org.junit.Test;
+import org.mortbay.jetty.AbstractConnector;
import org.mortbay.jetty.Connector;
import org.mortbay.jetty.Server;
import org.mortbay.jetty.servlet.Context;
@@ -658,7 +659,7 @@ public class TestWebDelegationToken {
org.apache.hadoop.conf.Configuration conf =
new org.apache.hadoop.conf.Configuration(false);
conf.set("proxyuser.client.users", OK_USER);
- conf.set("proxyuser.client.hosts", "localhost");
+ conf.set("proxyuser.client.hosts", "127.0.0.1");
return conf;
}
}
@@ -752,6 +753,7 @@ public class TestWebDelegationToken {
Context context = new Context();
context.setContextPath("/foo");
jetty.setHandler(context);
+ ((AbstractConnector)jetty.getConnectors()[0]).setResolveNames(true);
context.addFilter(new FilterHolder(KDTAFilter.class), "/*", 0);
context.addServlet(new ServletHolder(UserServlet.class), "/bar");
try {
@@ -969,4 +971,56 @@ public class TestWebDelegationToken {
}
}
+ public static class IpAddressBasedPseudoDTAFilter extends PseudoDTAFilter {
+ @Override
+ protected org.apache.hadoop.conf.Configuration getProxyuserConfiguration
+ (FilterConfig filterConfig) throws ServletException {
+ org.apache.hadoop.conf.Configuration configuration = super
+ .getProxyuserConfiguration(filterConfig);
+ configuration.set("proxyuser.foo.hosts", "127.0.0.1");
+ return configuration;
+ }
+ }
+
+ @Test
+ public void testIpaddressCheck() throws Exception {
+ final Server jetty = createJettyServer();
+ ((AbstractConnector)jetty.getConnectors()[0]).setResolveNames(true);
+ Context context = new Context();
+ context.setContextPath("/foo");
+ jetty.setHandler(context);
+
+ context.addFilter(new FilterHolder(IpAddressBasedPseudoDTAFilter.class), "/*", 0);
+ context.addServlet(new ServletHolder(UGIServlet.class), "/bar");
+
+ try {
+ jetty.start();
+ final URL url = new URL(getJettyURL() + "/foo/bar");
+
+ UserGroupInformation ugi = UserGroupInformation.createRemoteUser(FOO_USER);
+ ugi.doAs(new PrivilegedExceptionAction<Void>() {
+ @Override
+ public Void run() throws Exception {
+ DelegationTokenAuthenticatedURL.Token token =
+ new DelegationTokenAuthenticatedURL.Token();
+ DelegationTokenAuthenticatedURL aUrl =
+ new DelegationTokenAuthenticatedURL();
+
+ // user ok-user via proxyuser foo
+ HttpURLConnection conn = aUrl.openConnection(url, token, OK_USER);
+ Assert.assertEquals(HttpURLConnection.HTTP_OK,
+ conn.getResponseCode());
+ List<String> ret = IOUtils.readLines(conn.getInputStream());
+ Assert.assertEquals(1, ret.size());
+ Assert.assertEquals("realugi=" + FOO_USER +":remoteuser=" + OK_USER +
+ ":ugi=" + OK_USER, ret.get(0));
+
+ return null;
+ }
+ });
+ } finally {
+ jetty.stop();
+ }
+ }
+
}
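Review bot: `testIpaddressCheck` only pins the allowed path, so a regression that makes the proxy-user host check accept every caller would still pass this test. A companion case is needed that sets `proxyuser.foo.hosts` to an address the test client never connects from and expects `HttpURLConnection.HTTP_FORBIDDEN`. That would cover the deny side of the same authorization decision. The sketch below reuses the setup of the added test and assumes, as the allow case suggests, that a rejected impersonation surfaces as a 403 response code and not as an exception from `openConnection`.

```java
public static class OtherAddressPseudoDTAFilter extends PseudoDTAFilter {
  @Override
  protected org.apache.hadoop.conf.Configuration getProxyuserConfiguration
      (FilterConfig filterConfig) throws ServletException {
    org.apache.hadoop.conf.Configuration configuration = super
        .getProxyuserConfiguration(filterConfig);
    // Constructed sample value from the documentation range; the test client
    // connects over loopback, so this entry must never match it.
    configuration.set("proxyuser.foo.hosts", "192.0.2.1");
    return configuration;
  }
}

@Test
public void testIpaddressCheckRejectsOtherAddress() throws Exception {
  // … unchanged: Jetty setup as in testIpaddressCheck, registering OtherAddressPseudoDTAFilter …
        HttpURLConnection conn = aUrl.openConnection(url, token, OK_USER);
        Assert.assertEquals(HttpURLConnection.HTTP_FORBIDDEN,
            conn.getResponseCode());
  // … unchanged: return null inside doAs, jetty.stop() in finally …
```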