Posted to common-commits@hadoop.apache.org by ji...@apache.org on 2013/12/17 21:45:28 UTC
svn commit: r1551692 -
/hadoop/common/branches/branch-2/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/SecurityUtil.java
Author: jing9
Date: Tue Dec 17 20:45:27 2013
New Revision: 1551692
URL: http://svn.apache.org/r1551692
Log:
HDFS-5538. Merge change r1545491 from trunk.
Modified:
hadoop/common/branches/branch-2/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/SecurityUtil.java
Modified: hadoop/common/branches/branch-2/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/SecurityUtil.java
URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-2/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/SecurityUtil.java?rev=1551692&r1=1551691&r2=1551692&view=diff
==============================================================================
--- hadoop/common/branches/branch-2/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/SecurityUtil.java (original)
+++ hadoop/common/branches/branch-2/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/SecurityUtil.java Tue Dec 17 20:45:27 2013
@@ -22,19 +22,14 @@ import java.io.IOException;
import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.net.URI;
-import java.net.URL;
-import java.net.URLConnection;
import java.net.UnknownHostException;
-import java.security.AccessController;
import java.security.PrivilegedAction;
import java.security.PrivilegedExceptionAction;
import java.util.Arrays;
import java.util.List;
import java.util.Locale;
import java.util.ServiceLoader;
-import java.util.Set;
-import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.kerberos.KerberosTicket;
@@ -44,22 +39,19 @@ import org.apache.hadoop.classification.
import org.apache.hadoop.classification.InterfaceStability;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.CommonConfigurationKeys;
-import org.apache.hadoop.http.HttpConfig;
import org.apache.hadoop.io.Text;
import org.apache.hadoop.net.NetUtils;
import org.apache.hadoop.security.UserGroupInformation.AuthenticationMethod;
-import org.apache.hadoop.security.authentication.client.AuthenticatedURL;
-import org.apache.hadoop.security.authentication.client.AuthenticationException;
-import org.apache.hadoop.security.ssl.SSLFactory;
import org.apache.hadoop.security.token.Token;
import org.apache.hadoop.security.token.TokenInfo;
-import com.google.common.annotations.VisibleForTesting;
//this will need to be replaced someday when there is a suitable replacement
import sun.net.dns.ResolverConfiguration;
import sun.net.util.IPAddressUtil;
+import com.google.common.annotations.VisibleForTesting;
+
@InterfaceAudience.LimitedPrivate({"HDFS", "MapReduce"})
@InterfaceStability.Evolving
public class SecurityUtil {
@@ -73,24 +65,14 @@ public class SecurityUtil {
@VisibleForTesting
static HostResolver hostResolver;
- private static SSLFactory sslFactory;
-
static {
Configuration conf = new Configuration();
boolean useIp = conf.getBoolean(
- CommonConfigurationKeys.HADOOP_SECURITY_TOKEN_SERVICE_USE_IP,
- CommonConfigurationKeys.HADOOP_SECURITY_TOKEN_SERVICE_USE_IP_DEFAULT);
+ CommonConfigurationKeys.HADOOP_SECURITY_TOKEN_SERVICE_USE_IP,
+ CommonConfigurationKeys.HADOOP_SECURITY_TOKEN_SERVICE_USE_IP_DEFAULT);
setTokenServiceUseIp(useIp);
- if (HttpConfig.isSecure()) {
- sslFactory = new SSLFactory(SSLFactory.Mode.CLIENT, conf);
- try {
- sslFactory.init();
- } catch (Exception ex) {
- throw new RuntimeException(ex);
- }
- }
}
-
+
/**
* For use only by tests and initialization
*/
@@ -103,29 +85,6 @@ public class SecurityUtil {
}
/**
- * Find the original TGT within the current subject's credentials. Cross-realm
- * TGT's of the form "krbtgt/TWO.COM@ONE.COM" may be present.
- *
- * @return The TGT from the current subject
- * @throws IOException
- * if TGT can't be found
- */
- private static KerberosTicket getTgtFromSubject() throws IOException {
- Subject current = Subject.getSubject(AccessController.getContext());
- if (current == null) {
- throw new IOException(
- "Can't get TGT from current Subject, because it is null");
- }
- Set<KerberosTicket> tickets = current
- .getPrivateCredentials(KerberosTicket.class);
- for (KerberosTicket t : tickets) {
- if (isOriginalTGT(t))
- return t;
- }
- throw new IOException("Failed to find TGT from current Subject:"+current);
- }
-
- /**
* TGS must have the server principal of the form "krbtgt/FOO@FOO".
* @param principal
* @return true or false
@@ -493,30 +452,6 @@ public class SecurityUtil {
}
/**
- * Open a (if need be) secure connection to a URL in a secure environment
- * that is using SPNEGO to authenticate its URLs. All Namenode and Secondary
- * Namenode URLs that are protected via SPNEGO should be accessed via this
- * method.
- *
- * @param url to authenticate via SPNEGO.
- * @return A connection that has been authenticated via SPNEGO
- * @throws IOException If unable to authenticate via SPNEGO
- */
- public static URLConnection openSecureHttpConnection(URL url) throws IOException {
- if (!HttpConfig.isSecure() && !UserGroupInformation.isSecurityEnabled()) {
- return url.openConnection();
- }
-
- AuthenticatedURL.Token token = new AuthenticatedURL.Token();
- try {
- return new AuthenticatedURL(null, sslFactory).openConnection(url, token);
- } catch (AuthenticationException e) {
- throw new IOException("Exception trying to open authenticated connection to "
- + url, e);
- }
- }
-
- /**
* Resolves a host subject to the security requirements determined by
* hadoop.security.token.service.use_ip.
*