Posted to common-commits@hadoop.apache.org by su...@apache.org on 2011/04/01 22:10:21 UTC
svn commit: r1087879 - in /hadoop/common/branches/branch-0.20-security-203:
./ src/core/org/apache/hadoop/ipc/ src/core/org/apache/hadoop/net/
src/core/org/apache/hadoop/security/ src/mapred/
src/test/org/apache/hadoop/security/
Author: suresh
Date: Fri Apr 1 20:10:21 2011
New Revision: 1087879
URL: http://svn.apache.org/viewvc?rev=1087879&view=rev
Log:
Merging change r1087875 for HADOOP-7215 from branch-0.20-security
Modified:
hadoop/common/branches/branch-0.20-security-203/ (props changed)
hadoop/common/branches/branch-0.20-security-203/CHANGES.txt (contents, props changed)
hadoop/common/branches/branch-0.20-security-203/src/core/org/apache/hadoop/ipc/Client.java
hadoop/common/branches/branch-0.20-security-203/src/core/org/apache/hadoop/net/NetUtils.java
hadoop/common/branches/branch-0.20-security-203/src/core/org/apache/hadoop/security/SecurityUtil.java
hadoop/common/branches/branch-0.20-security-203/src/mapred/ (props changed)
hadoop/common/branches/branch-0.20-security-203/src/test/org/apache/hadoop/security/TestSecurityUtil.java
Propchange: hadoop/common/branches/branch-0.20-security-203/
------------------------------------------------------------------------------
--- svn:mergeinfo (original)
+++ svn:mergeinfo Fri Apr 1 20:10:21 2011
@@ -1,2 +1,3 @@
+/hadoop/common/branches/branch-0.20-security:1087875
/hadoop/core/branches/branch-0.19:713112
/hadoop/core/trunk:727001,727117,727191,727212,727217,727228,727255,727869,728187,729052,729987,732385,732572,732613,732777,732838,732869,733887,734870,734916,736426,738328,738697,740077,740157,741703,741762,743745,743816,743892,744894,745180,746010,746206,746227,746233,746274,746338,746902-746903,746925,746944,746968,746970,747279,747289,747802,748084,748090,748783,749262,749318,749863,750533,752073,752609,752834,752836,752913,752932,753112-753113,753346,754645,754847,754927,755035,755226,755348,755370,755418,755426,755790,755905,755938,755960,755986,755998,756352,757448,757624,757849,758156,758180,759398,759932,760502,760783,761046,761482,761632,762216,762879,763107,763502,764967,765016,765809,765951,771607,771661,772844,772876,772884,772920,773889,776638,778962,778966,779893,781720,784661,785046,785569
Modified: hadoop/common/branches/branch-0.20-security-203/CHANGES.txt
URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-0.20-security-203/CHANGES.txt?rev=1087879&r1=1087878&r2=1087879&view=diff
==============================================================================
--- hadoop/common/branches/branch-0.20-security-203/CHANGES.txt (original)
+++ hadoop/common/branches/branch-0.20-security-203/CHANGES.txt Fri Apr 1 20:10:21 2011
@@ -54,6 +54,9 @@ Release 0.20.203.0 - unreleased
HADOOP-6879. Provide SSH based (Jsch) remote execution API for system
tests. (cos)
+ HADOOP-7215. RPC clients must use network interface corresponding to
+ the host in the client's kerberos principal key. (suresh)
+
Release 0.20.202.0 - unreleased
MAPREDUCE-2355. Add a configuration knob
Propchange: hadoop/common/branches/branch-0.20-security-203/CHANGES.txt
------------------------------------------------------------------------------
--- svn:mergeinfo (original)
+++ svn:mergeinfo Fri Apr 1 20:10:21 2011
@@ -1,3 +1,4 @@
+/hadoop/common/branches/branch-0.20-security/CHANGES.txt:1087875
/hadoop/core/branches/branch-0.18/CHANGES.txt:727226
/hadoop/core/branches/branch-0.19/CHANGES.txt:713112
/hadoop/core/trunk/CHANGES.txt:727001,727117,727191,727212,727228,727255,727869,728187,729052,729987,732385,732572,732613,732777,732838,732869,733887,734870,734916,735082,736426,738602,738697,739416,740077,740157,741703,741762,743296,743745,743816,743892,744894,745180,745268,746010,746193,746206,746227,746233,746274,746902-746903,746925,746944,746968,746970,747279,747289,747802,748084,748090,748783,749262,749318,749863,750533,752073,752514,752555,752590,752609,752834,752836,752913,752932,753112-753113,753346,754645,754847,754927,755035,755226,755348,755370,755418,755426,755790,755905,755938,755986,755998,756352,757448,757624,757849,758156,758180,759398,759932,760502,760783,761046,761482,761632,762216,762879,763107,763502,764967,765016,765809,765951,771607,772844,772876,772884,772920,773889,776638,778962,778966,779893,781720,784661,785046,785569
Modified: hadoop/common/branches/branch-0.20-security-203/src/core/org/apache/hadoop/ipc/Client.java
URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-0.20-security-203/src/core/org/apache/hadoop/ipc/Client.java?rev=1087879&r1=1087878&r2=1087879&view=diff
==============================================================================
--- hadoop/common/branches/branch-0.20-security-203/src/core/org/apache/hadoop/ipc/Client.java (original)
+++ hadoop/common/branches/branch-0.20-security-203/src/core/org/apache/hadoop/ipc/Client.java Fri Apr 1 20:10:21 2011
@@ -18,8 +18,11 @@
package org.apache.hadoop.ipc;
+import java.net.InetAddress;
+import java.net.NetworkInterface;
import java.net.Socket;
import java.net.InetSocketAddress;
+import java.net.SocketException;
import java.net.SocketTimeoutException;
import java.net.UnknownHostException;
import java.net.ConnectException;
@@ -386,6 +389,27 @@ public class Client {
try {
this.socket = socketFactory.createSocket();
this.socket.setTcpNoDelay(tcpNoDelay);
+
+ /*
+ * Bind the socket to the host specified in the principal name of the
+ * client, to ensure Server matching address of the client connection
+ * to host name in principal passed.
+ */
+ if (UserGroupInformation.isSecurityEnabled()) {
+ KerberosInfo krbInfo =
+ remoteId.getProtocol().getAnnotation(KerberosInfo.class);
+ if (krbInfo != null && krbInfo.clientPrincipal() != null) {
+ String host =
+ SecurityUtil.getHostFromPrincipal(remoteId.getTicket().getUserName());
+
+ // If host name is a valid local address then bind socket to it
+ InetAddress localAddr = NetUtils.getLocalInetAddress(host);
+ if (localAddr != null) {
+ this.socket.bind(new InetSocketAddress(localAddr, 0));
+ }
+ }
+ }
+
// connection time out is 20s
NetUtils.connect(this.socket, remoteId.getAddress(), 20000);
this.socket.setSoTimeout(pingInterval);
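Review bot: The `krbInfo.clientPrincipal() != null` test can never be false, because a Java annotation element cannot return null. If `KerberosInfo` (not shown here) gives `clientPrincipal` an empty default, protocols that declare no client principal still take the bind path. Comparing against the empty string would express the intent, e.g. `if (krbInfo != null && krbInfo.clientPrincipal().length() > 0) {`. Separately, when `getLocalInetAddress` returns null the socket is left unbound without any trace, so a later rejection by the server's address check is hard to diagnose from the client; a debug log such as `LOG.debug("Principal host " + host + " is not a local address; not binding")` would help, assuming the class has its usual `LOG` field. The enclosing method and its `try` block start and end outside this hunk.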
Modified: hadoop/common/branches/branch-0.20-security-203/src/core/org/apache/hadoop/net/NetUtils.java
URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-0.20-security-203/src/core/org/apache/hadoop/net/NetUtils.java?rev=1087879&r1=1087878&r2=1087879&view=diff
==============================================================================
--- hadoop/common/branches/branch-0.20-security-203/src/core/org/apache/hadoop/net/NetUtils.java (original)
+++ hadoop/common/branches/branch-0.20-security-203/src/core/org/apache/hadoop/net/NetUtils.java Fri Apr 1 20:10:21 2011
@@ -22,8 +22,10 @@ import java.io.InputStream;
import java.io.OutputStream;
import java.net.InetAddress;
import java.net.InetSocketAddress;
+import java.net.NetworkInterface;
import java.net.Socket;
import java.net.SocketAddress;
+import java.net.SocketException;
import java.net.URI;
import java.net.UnknownHostException;
import java.nio.channels.SocketChannel;
@@ -281,7 +283,7 @@ public class NetUtils {
* case, the timeout argument is ignored and the timeout set with
* {@link Socket#setSoTimeout(int)} applies for reads.<br><br>
*
- * Any socket created using socket factories returned by {@link #NetUtils},
+ * Any socket created using socket factories returned by {@link NetUtils},
* must use this interface instead of {@link Socket#getInputStream()}.
*
* @see #getInputStream(Socket, long)
@@ -303,7 +305,7 @@ public class NetUtils {
* case, the timeout argument is ignored and the timeout set with
* {@link Socket#setSoTimeout(int)} applies for reads.<br><br>
*
- * Any socket created using socket factories returned by {@link #NetUtils},
+ * Any socket created using socket factories returned by {@link NetUtils},
* must use this interface instead of {@link Socket#getInputStream()}.
*
* @see Socket#getChannel()
@@ -332,7 +334,7 @@ public class NetUtils {
* case, the timeout argument is ignored and the write will wait until
* data is available.<br><br>
*
- * Any socket created using socket factories returned by {@link #NetUtils},
+ * Any socket created using socket factories returned by {@link NetUtils},
* must use this interface instead of {@link Socket#getOutputStream()}.
*
* @see #getOutputStream(Socket, long)
@@ -354,7 +356,7 @@ public class NetUtils {
* case, the timeout argument is ignored and the write will wait until
* data is available.<br><br>
*
- * Any socket created using socket factories returned by {@link #NetUtils},
+ * Any socket created using socket factories returned by {@link NetUtils},
* must use this interface instead of {@link Socket#getOutputStream()}.
*
* @see Socket#getChannel()
@@ -441,4 +443,27 @@ public class NetUtils {
}
return hostNames;
}
+
+ /**
+ * Checks if {@code host} is a local host name and return {@link InetAddress}
+ * corresponding to that address.
+ *
+ * @param host the specified host
+ * @return a valid local {@link InetAddress} or null
+ * @throws SocketException if an I/O error occurs
+ */
+ public static InetAddress getLocalInetAddress(String host)
+ throws SocketException {
+ if (host == null) {
+ return null;
+ }
+ InetAddress addr = null;
+ try {
+ addr = InetAddress.getByName(host);
+ if (NetworkInterface.getByInetAddress(addr) == null) {
+ addr = null; // Not a local address
+ }
+ } catch (UnknownHostException ignore) { }
+ return addr;
+ }
}
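Review bot: `getLocalInetAddress` checks only the first address that `InetAddress.getByName(host)` returns, so a host name that resolves to several addresses is reported as non-local whenever the first one is not on a local interface, and the client then skips the bind. Iterating over `InetAddress.getAllByName(host)` and returning the first address that `NetworkInterface.getByInetAddress` recognises avoids that. The empty `catch (UnknownHostException ignore) { }` should also carry a comment saying that an unresolvable name is deliberately treated as "not local". The Javadoc could state that a loopback name counts as local, since the caller binds to whatever is returned.

```java
  public static InetAddress getLocalInetAddress(String host)
      throws SocketException {
    if (host == null) {
      return null;
    }
    try {
      for (InetAddress candidate : InetAddress.getAllByName(host)) {
        if (NetworkInterface.getByInetAddress(candidate) != null) {
          return candidate;
        }
      }
    } catch (UnknownHostException e) {
      // An unresolvable name is treated as "not a local address".
    }
    return null;
  }
```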
Modified: hadoop/common/branches/branch-0.20-security-203/src/core/org/apache/hadoop/security/SecurityUtil.java
URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-0.20-security-203/src/core/org/apache/hadoop/security/SecurityUtil.java?rev=1087879&r1=1087878&r2=1087879&view=diff
==============================================================================
--- hadoop/common/branches/branch-0.20-security-203/src/core/org/apache/hadoop/security/SecurityUtil.java (original)
+++ hadoop/common/branches/branch-0.20-security-203/src/core/org/apache/hadoop/security/SecurityUtil.java Fri Apr 1 20:10:21 2011
@@ -274,4 +274,13 @@ public class SecurityUtil {
throw new RuntimeException(ex);
}
}
+
+ /**
+ * Get the host name from the principal name of format <service>/host@realm.
+ * @param principalName principal name of format as described above
+ * @return host name if the the string conforms to the above format, else null
+ */
+ public static String getHostFromPrincipal(String principalName) {
+ return new KerberosName(principalName).getHostName();
+ }
}
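Review bot: The Javadoc on `getHostFromPrincipal` promises null for any string that does not conform to `service/host@realm`, but the method only delegates to the `KerberosName` constructor, which is not shown. If that constructor rejects malformed or null names by throwing, the caller in `Client` gets an exception during connection setup rather than null. The contract should either be documented with an `@throws` line or enforced here with an explicit check. In the comment itself, `<service>` is raw HTML in Javadoc and is better written as `{@code <service>/host@realm}`, and "the the" is a typo.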
Propchange: hadoop/common/branches/branch-0.20-security-203/src/mapred/
------------------------------------------------------------------------------
--- svn:mergeinfo (original)
+++ svn:mergeinfo Fri Apr 1 20:10:21 2011
@@ -1,3 +1,4 @@
+/hadoop/common/branches/branch-0.20-security/src/mapred:1087875
/hadoop/core/branches/branch-0.19/src/mapred:713112
/hadoop/core/trunk/src/mapred:727001,727117,727191,727212,727217,727228,727255,727869,728187,729052,729987,732385,732572,732613,732777,732838,732869,733887,734870,734916,736426,738328,738697,740077,740157,741703,741762,743745,743816,743892,744894,745180,746010,746206,746227,746233,746274,746338,746902-746903,746925,746944,746968,746970,747279,747289,747802,748084,748090,748783,749262,749318,749863,750533,752073,752609,752834,752836,752913,752932,753112-753113,753346,754645,754847,754927,755035,755226,755348,755370,755418,755426,755790,755905,755938,755960,755986,755998,756352,757448,757624,757849,758156,758180,759398,759932,760502,760783,761046,761482,761632,762216,762879,763107,763502,764967,765016,765809,765951,771607,771661,772844,772876,772884,772920,773889,776638,778962,778966,779893,781720,784661,785046,785569
/hadoop/mapreduce/trunk/src/java:808650
Modified: hadoop/common/branches/branch-0.20-security-203/src/test/org/apache/hadoop/security/TestSecurityUtil.java
URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-0.20-security-203/src/test/org/apache/hadoop/security/TestSecurityUtil.java?rev=1087879&r1=1087878&r2=1087879&view=diff
==============================================================================
--- hadoop/common/branches/branch-0.20-security-203/src/test/org/apache/hadoop/security/TestSecurityUtil.java (original)
+++ hadoop/common/branches/branch-0.20-security-203/src/test/org/apache/hadoop/security/TestSecurityUtil.java Fri Apr 1 20:10:21 2011
@@ -82,4 +82,12 @@ public class TestSecurityUtil {
assertEquals("hdfs/" + local + "@REALM", SecurityUtil.getServerPrincipal(
"hdfs/_HOST@REALM", "0.0.0.0"));
}
+
+ @Test
+ public void testGetHostFromPrincipal() {
+ assertEquals("host",
+ SecurityUtil.getHostFromPrincipal("service/host@realm"));
+ assertEquals(null,
+ SecurityUtil.getHostFromPrincipal("service@realm"));
+ }
}
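Review bot: `testGetHostFromPrincipal` covers only two principal shapes, and nothing in the visible test changes exercises `NetUtils.getLocalInetAddress`, which decides whether the client socket is bound. Cases worth adding are a principal with no realm and a null argument, and for `getLocalInetAddress` a null host, an unresolvable name and a loopback name. As a style point, `assertEquals(null, ...)` reads more clearly as `assertNull(SecurityUtil.getHostFromPrincipal("service@realm"));`, provided `assertNull` is imported alongside `assertEquals`.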