You are viewing a plain text version of this content. The canonical link for it is here.
Posted to common-commits@hadoop.apache.org by da...@apache.org on 2012/10/03 15:43:53 UTC
svn commit: r1393483 - in
/hadoop/common/trunk/hadoop-common-project/hadoop-common: CHANGES.txt
src/main/java/org/apache/hadoop/ipc/Server.java
src/test/java/org/apache/hadoop/ipc/TestSaslRPC.java
Author: daryn
Date: Wed Oct 3 13:43:53 2012
New Revision: 1393483
URL: http://svn.apache.org/viewvc?rev=1393483&view=rev
Log:
HADOOP-8783. Improve RPC.Server's digest auth (daryn)
Modified:
hadoop/common/trunk/hadoop-common-project/hadoop-common/CHANGES.txt
hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/ipc/Server.java
hadoop/common/trunk/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/ipc/TestSaslRPC.java
Modified: hadoop/common/trunk/hadoop-common-project/hadoop-common/CHANGES.txt
URL: http://svn.apache.org/viewvc/hadoop/common/trunk/hadoop-common-project/hadoop-common/CHANGES.txt?rev=1393483&r1=1393482&r2=1393483&view=diff
==============================================================================
--- hadoop/common/trunk/hadoop-common-project/hadoop-common/CHANGES.txt (original)
+++ hadoop/common/trunk/hadoop-common-project/hadoop-common/CHANGES.txt Wed Oct 3 13:43:53 2012
@@ -288,6 +288,8 @@ Release 2.0.3-alpha - Unreleased
HADOOP-8851. Use -XX:+HeapDumpOnOutOfMemoryError JVM option in the forked
tests. (Ivan A. Veselovsky via atm)
+ HADOOP-8783. Improve RPC.Server's digest auth (daryn)
+
OPTIMIZATIONS
HADOOP-8866. SampleQuantiles#query is O(N^2) instead of O(N). (Andrew Wang
Modified: hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/ipc/Server.java
URL: http://svn.apache.org/viewvc/hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/ipc/Server.java?rev=1393483&r1=1393482&r2=1393483&view=diff
==============================================================================
--- hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/ipc/Server.java (original)
+++ hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/ipc/Server.java Wed Oct 3 13:43:53 2012
@@ -87,7 +87,6 @@ import org.apache.hadoop.security.SaslRp
import org.apache.hadoop.security.SaslRpcServer.SaslGssCallbackHandler;
import org.apache.hadoop.security.SaslRpcServer.SaslStatus;
import org.apache.hadoop.security.UserGroupInformation;
-import org.apache.hadoop.security.UserGroupInformation.AuthenticationMethod;
import org.apache.hadoop.security.authorize.AuthorizationException;
import org.apache.hadoop.security.authorize.PolicyProvider;
import org.apache.hadoop.security.authorize.ProxyUsers;
@@ -1374,20 +1373,38 @@ public abstract class Server {
dataLengthBuffer.clear();
if (authMethod == null) {
throw new IOException("Unable to read authentication method");
- }
- if (isSecurityEnabled && authMethod == AuthMethod.SIMPLE) {
- AccessControlException ae = new AccessControlException("Authorization ("
- + CommonConfigurationKeys.HADOOP_SECURITY_AUTHORIZATION
- + ") is enabled but authentication ("
- + CommonConfigurationKeys.HADOOP_SECURITY_AUTHENTICATION
- + ") is configured as simple. Please configure another method "
- + "like kerberos or digest.");
- setupResponse(authFailedResponse, authFailedCall, RpcStatusProto.FATAL,
- null, ae.getClass().getName(), ae.getMessage());
- responder.doRespond(authFailedCall);
- throw ae;
- }
- if (!isSecurityEnabled && authMethod != AuthMethod.SIMPLE) {
+ }
+ final boolean clientUsingSasl;
+ switch (authMethod) {
+ case SIMPLE: { // no sasl for simple
+ if (isSecurityEnabled) {
+ AccessControlException ae = new AccessControlException("Authorization ("
+ + CommonConfigurationKeys.HADOOP_SECURITY_AUTHORIZATION
+ + ") is enabled but authentication ("
+ + CommonConfigurationKeys.HADOOP_SECURITY_AUTHENTICATION
+ + ") is configured as simple. Please configure another method "
+ + "like kerberos or digest.");
+ setupResponse(authFailedResponse, authFailedCall, RpcStatusProto.FATAL,
+ null, ae.getClass().getName(), ae.getMessage());
+ responder.doRespond(authFailedCall);
+ throw ae;
+ }
+ clientUsingSasl = false;
+ useSasl = false;
+ break;
+ }
+ case DIGEST: {
+ clientUsingSasl = true;
+ useSasl = (secretManager != null);
+ break;
+ }
+ default: {
+ clientUsingSasl = true;
+ useSasl = isSecurityEnabled;
+ break;
+ }
+ }
+ if (clientUsingSasl && !useSasl) {
doSaslReply(SaslStatus.SUCCESS, new IntWritable(
SaslRpcServer.SWITCH_TO_SIMPLE_AUTH), null, null);
authMethod = AuthMethod.SIMPLE;
@@ -1396,9 +1413,6 @@ public abstract class Server {
// to simple auth from now on.
skipInitialSaslHandshake = true;
}
- if (authMethod != AuthMethod.SIMPLE) {
- useSasl = true;
- }
connectionHeaderBuf = null;
connectionHeaderRead = true;
@@ -1532,8 +1546,6 @@ public abstract class Server {
UserGroupInformation realUser = user;
user = UserGroupInformation.createProxyUser(protocolUser
.getUserName(), realUser);
- // Now the user is a proxy user, set Authentication method Proxy.
- user.setAuthenticationMethod(AuthenticationMethod.PROXY);
}
}
}
@@ -1883,7 +1895,7 @@ public abstract class Server {
// Create the responder here
responder = new Responder();
- if (isSecurityEnabled) {
+ if (secretManager != null) {
SaslRpcServer.init(conf);
}
Modified: hadoop/common/trunk/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/ipc/TestSaslRPC.java
URL: http://svn.apache.org/viewvc/hadoop/common/trunk/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/ipc/TestSaslRPC.java?rev=1393483&r1=1393482&r2=1393483&view=diff
==============================================================================
--- hadoop/common/trunk/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/ipc/TestSaslRPC.java (original)
+++ hadoop/common/trunk/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/ipc/TestSaslRPC.java Wed Oct 3 13:43:53 2012
@@ -60,6 +60,7 @@ import org.apache.hadoop.security.token.
import org.apache.hadoop.security.token.TokenSelector;
import org.apache.hadoop.security.token.SecretManager.InvalidToken;
import org.apache.log4j.Level;
+import org.junit.BeforeClass;
import org.junit.Test;
/** Unit tests for using Sasl over RPC. */
@@ -76,7 +77,8 @@ public class TestSaslRPC {
static final String SERVER_PRINCIPAL_2 = "p2/foo@BAR";
private static Configuration conf;
- static {
+ @BeforeClass
+ public static void setup() {
conf = new Configuration();
conf.set(HADOOP_SECURITY_AUTHENTICATION, "kerberos");
UserGroupInformation.setConfiguration(conf);
@@ -449,11 +451,25 @@ public class TestSaslRPC {
}
@Test
- public void testDigestAuthMethod() throws Exception {
+ public void testDigestAuthMethodSecureServer() throws Exception {
+ checkDigestAuthMethod(true);
+ }
+
+ @Test
+ public void testDigestAuthMethodInsecureServer() throws Exception {
+ checkDigestAuthMethod(false);
+ }
+
+ private void checkDigestAuthMethod(boolean secureServer) throws Exception {
TestTokenSecretManager sm = new TestTokenSecretManager();
Server server = new RPC.Builder(conf).setProtocol(TestSaslProtocol.class)
.setInstance(new TestSaslImpl()).setBindAddress(ADDRESS).setPort(0)
.setNumHandlers(5).setVerbose(true).setSecretManager(sm).build();
+ if (secureServer) {
+ server.enableSecurity();
+ } else {
+ server.disableSecurity();
+ }
server.start();
final UserGroupInformation current = UserGroupInformation.getCurrentUser();