Posted to common-commits@hadoop.apache.org by om...@apache.org on 2011/03/04 05:05:52 UTC
svn commit: r1077347 -
/hadoop/common/branches/branch-0.20-security-patches/src/core/org/apache/hadoop/security/authorize/ServiceAuthorizationManager.java
Author: omalley
Date: Fri Mar 4 04:05:52 2011
New Revision: 1077347
URL: http://svn.apache.org/viewvc?rev=1077347&view=rev
Log:
commit 16e060ad9934801287be10fcaedd0a8ad519b456
Author: Boris Shkolnik <bo...@yahoo-inc.com>
Date: Fri Mar 19 14:05:16 2010 -0700
HADOOP:6647 from https://issues.apache.org/jira/secure/attachment/12439325/HADOOP-6647-BP20.patch
+++ b/YAHOO-CHANGES.txt
+ HADOOP-6647. balancer fails with "is not authorized for protocol
+ interface NamenodeProtocol" in secure environment (boryas)
+
Modified:
hadoop/common/branches/branch-0.20-security-patches/src/core/org/apache/hadoop/security/authorize/ServiceAuthorizationManager.java
Modified: hadoop/common/branches/branch-0.20-security-patches/src/core/org/apache/hadoop/security/authorize/ServiceAuthorizationManager.java
URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-0.20-security-patches/src/core/org/apache/hadoop/security/authorize/ServiceAuthorizationManager.java?rev=1077347&r1=1077346&r2=1077347&view=diff
==============================================================================
--- hadoop/common/branches/branch-0.20-security-patches/src/core/org/apache/hadoop/security/authorize/ServiceAuthorizationManager.java (original)
+++ hadoop/common/branches/branch-0.20-security-patches/src/core/org/apache/hadoop/security/authorize/ServiceAuthorizationManager.java Fri Mar 4 04:05:52 2011
@@ -26,6 +26,7 @@ import org.apache.commons.logging.LogFac
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.CommonConfigurationKeys;
import org.apache.hadoop.security.KerberosInfo;
+import org.apache.hadoop.security.KerberosName;
import org.apache.hadoop.security.SecurityUtil;
import org.apache.hadoop.security.UserGroupInformation;
@@ -35,6 +36,8 @@ import org.apache.hadoop.security.UserGr
*/
public class ServiceAuthorizationManager {
private static final String HADOOP_POLICY_FILE = "hadoop-policy.xml";
+ private static final Log LOG = LogFactory
+ .getLog(ServiceAuthorizationManager.class);
private static Map<Class<?>, AccessControlList> protocolToAcl =
new IdentityHashMap<Class<?>, AccessControlList>();
@@ -97,7 +100,19 @@ public class ServiceAuthorizationManager
}
}
}
- if((clientPrincipal != null && !clientPrincipal.equals(user.getUserName())) ||
+ // when authorizing use the short name only
+ String shortName = clientPrincipal;
+ if(clientPrincipal != null ) {
+ try {
+ shortName = new KerberosName(clientPrincipal).getShortName();
+ } catch (IOException e) {
+ LOG.warn("couldn't get short name from " + clientPrincipal, e);
+ // just keep going
+ }
+ }
+ LOG.debug("for protocol authorization compare (" + clientPrincipal + "): "
+ + shortName + " with " + user.getShortUserName());
+ if((shortName != null && !shortName.equals(user.getShortUserName())) ||
!acl.isUserAllowed(user)) {
AUDITLOG.warn(AUTHZ_FAILED_FOR + user + " for protocol="+protocol);
throw new AuthorizationException("User " + user +
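Review bot: The `catch (IOException e)` branch falls through with `shortName` still holding the full principal, so a failed name translation is rejected only because the later `shortName.equals(user.getShortUserName())` happens to mismatch, and the audit line then records it as an ordinary authorization failure. Denying inside the catch, for example `throw new AuthorizationException("cannot map " + clientPrincipal + " to a short name");`, would make the fail-closed behaviour deliberate and easier to diagnose. Depending on the name-mapping rules, the short-name comparison can also treat principals that differ only in host or realm as equal, so a comment stating that this relaxation is intended and that `acl.isUserAllowed(user)` remains the gate would help. The `LOG.debug` string concatenation runs on every authorization and could sit behind `LOG.isDebugEnabled()`. The enclosing method starts and ends outside the hunk.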