Posted to common-commits@hadoop.apache.org by om...@apache.org on 2011/03/04 05:05:52 UTC

svn commit: r1077347 - /hadoop/common/branches/branch-0.20-security-patches/src/core/org/apache/hadoop/security/authorize/ServiceAuthorizationManager.java

Author: omalley
Date: Fri Mar  4 04:05:52 2011
New Revision: 1077347

URL: http://svn.apache.org/viewvc?rev=1077347&view=rev
Log:
commit 16e060ad9934801287be10fcaedd0a8ad519b456
Author: Boris Shkolnik <bo...@yahoo-inc.com>
Date:   Fri Mar 19 14:05:16 2010 -0700

    HADOOP:6647 from https://issues.apache.org/jira/secure/attachment/12439325/HADOOP-6647-BP20.patch
    
    +++ b/YAHOO-CHANGES.txt
    +    HADOOP-6647. balancer fails with "is not authorized for protocol
    +    interface NamenodeProtocol" in secure environment (boryas)
    +

Modified:
    hadoop/common/branches/branch-0.20-security-patches/src/core/org/apache/hadoop/security/authorize/ServiceAuthorizationManager.java

Modified: hadoop/common/branches/branch-0.20-security-patches/src/core/org/apache/hadoop/security/authorize/ServiceAuthorizationManager.java
URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-0.20-security-patches/src/core/org/apache/hadoop/security/authorize/ServiceAuthorizationManager.java?rev=1077347&r1=1077346&r2=1077347&view=diff
==============================================================================
--- hadoop/common/branches/branch-0.20-security-patches/src/core/org/apache/hadoop/security/authorize/ServiceAuthorizationManager.java (original)
+++ hadoop/common/branches/branch-0.20-security-patches/src/core/org/apache/hadoop/security/authorize/ServiceAuthorizationManager.java Fri Mar  4 04:05:52 2011
@@ -26,6 +26,7 @@ import org.apache.commons.logging.LogFac
 import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.fs.CommonConfigurationKeys;
 import org.apache.hadoop.security.KerberosInfo;
+import org.apache.hadoop.security.KerberosName;
 import org.apache.hadoop.security.SecurityUtil;
 import org.apache.hadoop.security.UserGroupInformation;
 
@@ -35,6 +36,8 @@ import org.apache.hadoop.security.UserGr
  */
 public class ServiceAuthorizationManager {
   private static final String HADOOP_POLICY_FILE = "hadoop-policy.xml";
+  private static final Log LOG = LogFactory
+      .getLog(ServiceAuthorizationManager.class);
 
   private static Map<Class<?>, AccessControlList> protocolToAcl =
     new IdentityHashMap<Class<?>, AccessControlList>();
@@ -97,7 +100,19 @@ public class ServiceAuthorizationManager
         }
       }
     }
-    if((clientPrincipal != null && !clientPrincipal.equals(user.getUserName())) || 
+    // when authorizing use the short name only
+    String shortName = clientPrincipal;
+    if(clientPrincipal != null ) {
+      try {
+        shortName = new KerberosName(clientPrincipal).getShortName();
+      } catch (IOException e) {
+        LOG.warn("couldn't get short name from " + clientPrincipal, e);
+        // just keep going
+      }
+    }
+    LOG.debug("for protocol authorization compare (" + clientPrincipal + "): " 
+        + shortName + " with " + user.getShortUserName());
+    if((shortName != null &&  !shortName.equals(user.getShortUserName())) || 
         !acl.isUserAllowed(user)) {
       AUDITLOG.warn(AUTHZ_FAILED_FOR + user + " for protocol="+protocol);
       throw new AuthorizationException("User " + user +
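Review bot: The short-name comparison on the last added line makes the principal check only as strict as the auth_to_local mapping behind `KerberosName.getShortName()`: any caller whose principal resolves to the same short name as `clientPrincipal` passes it, leaving `acl.isUserAllowed(user)` as the only remaining distinction. That widening is the point of the fix, but the code should say so; replace the `// when authorizing use the short name only` comment with `// compare short names (auth_to_local mapping) rather than full principals: any caller whose principal maps to the same user as clientPrincipal passes this check, and the ACL test below still applies`. In the catch branch `shortName` keeps the full principal, which will almost certainly not equal `user.getShortUserName()`, so the request is denied; the warning should say that instead of `// just keep going`, e.g. `LOG.warn("couldn't get short name from " + clientPrincipal + "; authorization will fail", e);`. The `LOG.debug` concatenation runs on every authorization call regardless of log level; wrap it in `if (LOG.isDebugEnabled()) { ... }`. The enclosing method continues beyond the hunk (the `throw` on the last line is cut off).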