Posted to common-commits@hadoop.apache.org by bo...@apache.org on 2010/05/13 22:52:59 UTC
svn commit: r944012 - in /hadoop/common/trunk: ./
src/java/org/apache/hadoop/ipc/ src/java/org/apache/hadoop/security/
src/java/org/apache/hadoop/security/authorize/
src/test/core/org/apache/hadoop/ipc/
Author: boryas
Date: Thu May 13 20:52:59 2010
New Revision: 944012
URL: http://svn.apache.org/viewvc?rev=944012&view=rev
Log:
HADOOP-6600. mechanism for authorization check for inter-server protocols
Modified:
hadoop/common/trunk/CHANGES.txt
hadoop/common/trunk/src/java/org/apache/hadoop/ipc/Client.java
hadoop/common/trunk/src/java/org/apache/hadoop/ipc/Server.java
hadoop/common/trunk/src/java/org/apache/hadoop/security/KerberosInfo.java
hadoop/common/trunk/src/java/org/apache/hadoop/security/authorize/ServiceAuthorizationManager.java
hadoop/common/trunk/src/test/core/org/apache/hadoop/ipc/MiniRPCBenchmark.java
hadoop/common/trunk/src/test/core/org/apache/hadoop/ipc/TestSaslRPC.java
Modified: hadoop/common/trunk/CHANGES.txt
URL: http://svn.apache.org/viewvc/hadoop/common/trunk/CHANGES.txt?rev=944012&r1=944011&r2=944012&view=diff
==============================================================================
--- hadoop/common/trunk/CHANGES.txt (original)
+++ hadoop/common/trunk/CHANGES.txt Thu May 13 20:52:59 2010
@@ -4,6 +4,9 @@ Trunk (unreleased changes)
IMPROVEMENTS
+ HADOOP-6600. mechanism for authorization check for inter-server
+ protocols. (boryas)
+
HADOOP-6623. Add StringUtils.split for non-escaped single-character
separator. (Todd Lipcon via tomwhite)
Modified: hadoop/common/trunk/src/java/org/apache/hadoop/ipc/Client.java
URL: http://svn.apache.org/viewvc/hadoop/common/trunk/src/java/org/apache/hadoop/ipc/Client.java?rev=944012&r1=944011&r2=944012&view=diff
==============================================================================
--- hadoop/common/trunk/src/java/org/apache/hadoop/ipc/Client.java (original)
+++ hadoop/common/trunk/src/java/org/apache/hadoop/ipc/Client.java Thu May 13 20:52:59 2010
@@ -253,7 +253,7 @@ public class Client {
}
KerberosInfo krbInfo = protocol.getAnnotation(KerberosInfo.class);
if (krbInfo != null) {
- String serverKey = krbInfo.value();
+ String serverKey = krbInfo.serverPrincipal();
if (serverKey != null) {
serverPrincipal = conf.get(serverKey);
}
Modified: hadoop/common/trunk/src/java/org/apache/hadoop/ipc/Server.java
URL: http://svn.apache.org/viewvc/hadoop/common/trunk/src/java/org/apache/hadoop/ipc/Server.java?rev=944012&r1=944011&r2=944012&view=diff
==============================================================================
--- hadoop/common/trunk/src/java/org/apache/hadoop/ipc/Server.java (original)
+++ hadoop/common/trunk/src/java/org/apache/hadoop/ipc/Server.java Thu May 13 20:52:59 2010
@@ -1615,7 +1615,7 @@ public abstract class Server {
throw new AuthorizationException("Unknown protocol: " +
connection.getProtocol());
}
- ServiceAuthorizationManager.authorize(user, protocol);
+ ServiceAuthorizationManager.authorize(user, protocol, getConf());
}
}
Modified: hadoop/common/trunk/src/java/org/apache/hadoop/security/KerberosInfo.java
URL: http://svn.apache.org/viewvc/hadoop/common/trunk/src/java/org/apache/hadoop/security/KerberosInfo.java?rev=944012&r1=944011&r2=944012&view=diff
==============================================================================
--- hadoop/common/trunk/src/java/org/apache/hadoop/security/KerberosInfo.java (original)
+++ hadoop/common/trunk/src/java/org/apache/hadoop/security/KerberosInfo.java Thu May 13 20:52:59 2010
@@ -27,5 +27,6 @@ import java.lang.annotation.*;
@Target(ElementType.TYPE)
public @interface KerberosInfo {
/** Key for getting server's Kerberos principal name from Configuration */
- String value();
+ String serverPrincipal();
+ String clientPrincipal() default "";
}
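Review bot: The new `clientPrincipal()` element is undocumented while `serverPrincipal()` directly above it carries a Javadoc line, so a reader of the annotation cannot tell what the key refers to or what the `""` default means. Based on the ServiceAuthorizationManager hunk in this same commit, an empty value skips the client-principal check entirely, which is worth stating here where implementers of new protocols will look. Suggested Javadoc: `/** Key for getting the client's Kerberos principal name from Configuration; the empty default disables the client principal check. */`.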
Modified: hadoop/common/trunk/src/java/org/apache/hadoop/security/authorize/ServiceAuthorizationManager.java
URL: http://svn.apache.org/viewvc/hadoop/common/trunk/src/java/org/apache/hadoop/security/authorize/ServiceAuthorizationManager.java?rev=944012&r1=944011&r2=944012&view=diff
==============================================================================
--- hadoop/common/trunk/src/java/org/apache/hadoop/security/authorize/ServiceAuthorizationManager.java (original)
+++ hadoop/common/trunk/src/java/org/apache/hadoop/security/authorize/ServiceAuthorizationManager.java Thu May 13 20:52:59 2010
@@ -24,6 +24,7 @@ import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.CommonConfigurationKeys;
+import org.apache.hadoop.security.KerberosInfo;
import org.apache.hadoop.security.UserGroupInformation;
/**
@@ -62,18 +63,30 @@ public class ServiceAuthorizationManager
* @throws AuthorizationException on authorization failure
*/
public static void authorize(UserGroupInformation user,
- Class<?> protocol
+ Class<?> protocol,
+ Configuration conf
) throws AuthorizationException {
AccessControlList acl = protocolToAcl.get(protocol);
if (acl == null) {
throw new AuthorizationException("Protocol " + protocol +
" is not known.");
}
- if (!acl.isUserAllowed(user)) {
+
+ // get client principal key to verify (if available)
+ KerberosInfo krbInfo = protocol.getAnnotation(KerberosInfo.class);
+ String clientPrincipal = null;
+ if (krbInfo != null) {
+ String clientKey = krbInfo.clientPrincipal();
+ if (clientKey != null && !clientKey.equals("")) {
+ clientPrincipal = conf.get(clientKey);
+ }
+ }
+ if((clientPrincipal != null && !clientPrincipal.equals(user.getUserName())) ||
+ !acl.isUserAllowed(user)) {
auditLOG.warn(AUTHZ_FAILED_FOR + user + " for protocol="+protocol);
throw new AuthorizationException("User " + user +
- " is not authorized for protocol " +
- protocol);
+ " is not authorized for protocol " +
+ protocol);
}
auditLOG.info(AUTHZ_SUCCESSFULL_FOR + user + " for protocol="+protocol);
}
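Review bot: The client-principal check fails open when the configured key has no value: `conf.get(clientKey)` returns null, `clientPrincipal` stays null, and the first half of the condition silently drops out, so a deployment that annotates a protocol but forgets to set the key gets only the ACL check with no trace in the logs. The combined condition also makes both causes share one audit line, so an operator cannot tell a principal mismatch from an ACL denial. I would log when the annotated key is unset and split the two checks with distinct audit messages, as sketched below; the `clientKey != null` test is redundant since annotation elements cannot be null, and `conf` is dereferenced without a null check, so a caller passing null would get a bare NPE rather than a clear error. The Javadoc head for `authorize` is outside the hunk, so I cannot confirm a `@param conf` entry was added for the new parameter; please make sure it is.
```java
    KerberosInfo krbInfo = protocol.getAnnotation(KerberosInfo.class);
    String clientPrincipal = null;
    if (krbInfo != null) {
      String clientKey = krbInfo.clientPrincipal();
      if (!clientKey.equals("")) {
        if (conf == null) {
          throw new IllegalArgumentException("conf is required to check client principal for protocol " + protocol);
        }
        clientPrincipal = conf.get(clientKey);
        if (clientPrincipal == null) {
          auditLOG.warn("No value for " + clientKey + " in configuration; client principal check skipped for protocol=" + protocol);
        }
      }
    }
    if (clientPrincipal != null && !clientPrincipal.equals(user.getUserName())) {
      auditLOG.warn(AUTHZ_FAILED_FOR + user + " for protocol=" + protocol + ": client principal mismatch");
      throw new AuthorizationException("User " + user + " is not authorized for protocol " + protocol);
    }
    if (!acl.isUserAllowed(user)) {
      // … unchanged: existing ACL audit warn and throw …
    }
    // … unchanged: success audit line …
```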
Modified: hadoop/common/trunk/src/test/core/org/apache/hadoop/ipc/MiniRPCBenchmark.java
URL: http://svn.apache.org/viewvc/hadoop/common/trunk/src/test/core/org/apache/hadoop/ipc/MiniRPCBenchmark.java?rev=944012&r1=944011&r2=944012&view=diff
==============================================================================
--- hadoop/common/trunk/src/test/core/org/apache/hadoop/ipc/MiniRPCBenchmark.java (original)
+++ hadoop/common/trunk/src/test/core/org/apache/hadoop/ipc/MiniRPCBenchmark.java Thu May 13 20:52:59 2010
@@ -101,7 +101,8 @@ public class MiniRPCBenchmark {
}
}
- @KerberosInfo(USER_NAME_KEY)
+ @KerberosInfo(
+ serverPrincipal=USER_NAME_KEY)
@TokenInfo(TestDelegationTokenSelector.class)
public static interface MiniProtocol extends VersionedProtocol {
public static final long versionID = 1L;
Modified: hadoop/common/trunk/src/test/core/org/apache/hadoop/ipc/TestSaslRPC.java
URL: http://svn.apache.org/viewvc/hadoop/common/trunk/src/test/core/org/apache/hadoop/ipc/TestSaslRPC.java?rev=944012&r1=944011&r2=944012&view=diff
==============================================================================
--- hadoop/common/trunk/src/test/core/org/apache/hadoop/ipc/TestSaslRPC.java (original)
+++ hadoop/common/trunk/src/test/core/org/apache/hadoop/ipc/TestSaslRPC.java Thu May 13 20:52:59 2010
@@ -162,7 +162,8 @@ public class TestSaslRPC {
}
}
- @KerberosInfo(SERVER_PRINCIPAL_KEY)
+ @KerberosInfo(
+ serverPrincipal = SERVER_PRINCIPAL_KEY)
@TokenInfo(TestTokenSelector.class)
public interface TestSaslProtocol extends TestRPC.TestProtocol {
public AuthenticationMethod getAuthMethod() throws IOException;