Posted to commits@hbase.apache.org by te...@apache.org on 2012/08/28 20:54:59 UTC
svn commit: r1378268 - in /hbase/branches/0.94: pom.xml
security/src/main/java/org/apache/hadoop/hbase/security/token/TokenProvider.java
Author: tedyu
Date: Tue Aug 28 18:54:58 2012
New Revision: 1378268
URL: http://svn.apache.org/viewvc?rev=1378268&view=rev
Log:
HBASE-6671 Kerberos authenticated super user should be able to retrieve proxied delegation tokens (Francis)
Modified:
hbase/branches/0.94/pom.xml
hbase/branches/0.94/security/src/main/java/org/apache/hadoop/hbase/security/token/TokenProvider.java
Modified: hbase/branches/0.94/pom.xml
URL: http://svn.apache.org/viewvc/hbase/branches/0.94/pom.xml?rev=1378268&r1=1378267&r2=1378268&view=diff
==============================================================================
--- hbase/branches/0.94/pom.xml (original)
+++ hbase/branches/0.94/pom.xml Tue Aug 28 18:54:58 2012
@@ -1844,7 +1844,7 @@
</property>
</activation>
<properties>
- <hadoop.version>0.23.2-SNAPSHOT</hadoop.version>
+ <hadoop.version>0.23.3-SNAPSHOT</hadoop.version>
<slf4j.version>1.6.1</slf4j.version>
</properties>
<dependencies>
Modified: hbase/branches/0.94/security/src/main/java/org/apache/hadoop/hbase/security/token/TokenProvider.java
URL: http://svn.apache.org/viewvc/hbase/branches/0.94/security/src/main/java/org/apache/hadoop/hbase/security/token/TokenProvider.java?rev=1378268&r1=1378267&r2=1378268&view=diff
==============================================================================
--- hbase/branches/0.94/security/src/main/java/org/apache/hadoop/hbase/security/token/TokenProvider.java (original)
+++ hbase/branches/0.94/security/src/main/java/org/apache/hadoop/hbase/security/token/TokenProvider.java Tue Aug 28 18:54:58 2012
@@ -31,6 +31,7 @@ import org.apache.hadoop.hbase.ipc.Secur
import org.apache.hadoop.hbase.security.AccessDeniedException;
import org.apache.hadoop.hbase.security.User;
import org.apache.hadoop.security.UserGroupInformation;
+import org.apache.hadoop.security.UserGroupInformation.AuthenticationMethod;
import org.apache.hadoop.security.token.SecretManager;
import org.apache.hadoop.security.token.Token;
@@ -80,8 +81,7 @@ public class TokenProvider extends BaseE
}
if (currentUser == null) {
throw new AccessDeniedException("No authenticated user for request!");
- } else if (ugi.getAuthenticationMethod() !=
- UserGroupInformation.AuthenticationMethod.KERBEROS) {
+ } else if (!isAllowedDelegationTokenOp(ugi)) {
LOG.warn("Token generation denied for user="+currentUser.getName()
+", authMethod="+ugi.getAuthenticationMethod());
throw new AccessDeniedException(
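Review bot: The denial warning just below the new `isAllowedDelegationTokenOp(ugi)` condition still logs only `ugi.getAuthenticationMethod()`, which for a proxied request will read PROXY and not the real user's method that actually decided the outcome. For audit purposes the message should also identify the real user, for example by appending `+", realUser="+ugi.getRealUser()`. The enclosing method starts above this hunk and the `throw` continues past it, so the rest of the message is not visible here.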
@@ -91,6 +91,23 @@ public class TokenProvider extends BaseE
return secretManager.generateToken(currentUser.getName());
}
+ /**
+ * @param ugi
+ * @return true if delegation token operation is allowed
+ */
+ private boolean isAllowedDelegationTokenOp(UserGroupInformation ugi) throws IOException {
+ AuthenticationMethod authMethod = ugi.getAuthenticationMethod();
+ if (authMethod == AuthenticationMethod.PROXY) {
+ authMethod = ugi.getRealUser().getAuthenticationMethod();
+ }
+ if (authMethod != AuthenticationMethod.KERBEROS
+ && authMethod != AuthenticationMethod.KERBEROS_SSL
+ && authMethod != AuthenticationMethod.CERTIFICATE) {
+ return false;
+ }
+ return true;
+ }
+
@Override
public String whoami() {
return RequestContext.getRequestUserName();
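Review bot: In `isAllowedDelegationTokenOp`, the PROXY branch checks only how the real user authenticated, while the token on the line above the helper is issued for `currentUser.getName()`, so nothing visible here confirms that the real user is allowed to impersonate that user. If that authorization is enforced earlier, presumably in the RPC layer, the Javadoc should say so; otherwise an explicit check belongs here. The branch also dereferences `ugi.getRealUser()` without a null check, so a UGI marked PROXY with no real user would throw instead of being denied; `UserGroupInformation realUser = ugi.getRealUser(); if (realUser == null) return false;` fails closed. Note too that KERBEROS_SSL and CERTIFICATE are now accepted for non-proxied callers, which is wider than the commit title describes and deserves a sentence in the Javadoc, whose `@param ugi` is currently empty.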