HDFS-14006. Refactor name node to allow different token verification implementations. Contributed by CR Hota.

Giovanni Matteo Fumarola 2018-12-14 11:10:54 -08:00
parent f858f18554
commit 00d5e631b5
4 changed files with 53 additions and 5 deletions


@ -23,7 +23,6 @@
import org.apache.hadoop.classification.InterfaceAudience;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.hdfs.security.token.delegation.DelegationTokenIdentifier;
import org.apache.hadoop.hdfs.server.namenode.NameNode;
import org.apache.hadoop.hdfs.server.namenode.NameNodeHttpServer;
import org.apache.hadoop.hdfs.web.resources.DelegationParam;
import org.apache.hadoop.hdfs.web.resources.DoAsParam;
@ -176,10 +175,11 @@ private static UserGroupInformation getTokenUGI(ServletContext context,
DelegationTokenIdentifier id = new DelegationTokenIdentifier();
id.readFields(in);
if (context != null) {
final NameNode nn = NameNodeHttpServer.getNameNodeFromContext(context);
if (nn != null) {
final TokenVerifier<DelegationTokenIdentifier> tokenVerifier =
NameNodeHttpServer.getTokenVerifierFromContext(context);
if (tokenVerifier != null) {
// Verify the token.
nn.getNamesystem().verifyToken(id, token.getPassword());
tokenVerifier.verifyToken(id, token.getPassword());
}
}
UserGroupInformation ugi = id.getUser();
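Review bot: When no verifier is registered in the servlet context, the `if (tokenVerifier != null)` guard skips verification and the code still goes on to `id.getUser()`, so the UGI is built from an identifier that nothing has checked. The old `nn != null` test behaved the same way, but now that other components can supply the verifier, a missing or misnamed context attribute would silently disable the check instead of failing. If a null verifier is a legitimate state for some caller (not visible in this hunk), say so in a comment such as `// No verifier in context: the token is not verified here and must be verified by the caller`; if it is not, fail closed with `throw new IOException("No token verifier registered in servlet context");`. getTokenUGI starts and ends outside the hunk.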


@ -0,0 +1,35 @@
/**
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.apache.hadoop.hdfs.server.common;
import java.io.IOException;
import org.apache.hadoop.security.token.delegation.AbstractDelegationTokenIdentifier;
/**
* Interface to verify delegation tokens passed through WebHDFS.
* Implementations are intercepted by JspHelper that pass delegation token
* for verification.
*/
public interface TokenVerifier<T extends AbstractDelegationTokenIdentifier> {
/* Verify delegation token passed through WebHDFS
* Name node, Router implement this for JspHelper to verify token
*/
void verifyToken(T t, byte[] password) throws IOException;
}
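Review bot: The contract of `verifyToken` is not stated: the method returns void, so an implementation can only reject a token by throwing, and nothing here says that it must. The comment on the method is a plain `/* */` block, so it is not picked up as Javadoc; make it a Javadoc comment with `@param` entries for the identifier and the password, a `@throws IOException` entry (for example `if the token is rejected`), and a sentence saying that returning normally means the token was accepted. It is also worth stating that `password` is secret material that implementations should not log. The second sentence of the interface comment would read more clearly as `JspHelper calls the implementation registered in the servlet context to verify the delegation token.`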


@ -47,6 +47,7 @@
import org.apache.hadoop.hdfs.protocol.ClientProtocol;
import org.apache.hadoop.hdfs.protocol.HdfsConstants;
import org.apache.hadoop.hdfs.protocol.HdfsConstants.StoragePolicySatisfierMode;
import org.apache.hadoop.hdfs.security.token.delegation.DelegationTokenIdentifier;
import org.apache.hadoop.hdfs.server.aliasmap.InMemoryAliasMap;
import org.apache.hadoop.hdfs.server.aliasmap.InMemoryLevelDBAliasMapServer;
import org.apache.hadoop.hdfs.server.blockmanagement.DatanodeManager;
@ -55,6 +56,7 @@
import org.apache.hadoop.hdfs.server.common.HdfsServerConstants.StartupOption;
import org.apache.hadoop.hdfs.server.common.MetricsLoggerTask;
import org.apache.hadoop.hdfs.server.common.Storage.StorageDirectory;
import org.apache.hadoop.hdfs.server.common.TokenVerifier;
import org.apache.hadoop.hdfs.server.namenode.ha.ActiveState;
import org.apache.hadoop.hdfs.server.namenode.ha.BootstrapStandby;
import org.apache.hadoop.hdfs.server.namenode.ha.HAContext;
@ -208,7 +210,7 @@
**********************************************************/
@InterfaceAudience.Private
public class NameNode extends ReconfigurableBase implements
NameNodeStatusMXBean {
NameNodeStatusMXBean, TokenVerifier<DelegationTokenIdentifier> {
static{
HdfsConfiguration.init();
}
@ -656,6 +658,11 @@ public static UserGroupInformation getRemoteUser() throws IOException {
return (ugi != null) ? ugi : UserGroupInformation.getCurrentUser();
}
@Override
public void verifyToken(DelegationTokenIdentifier id, byte[] password)
throws IOException {
namesystem.verifyToken(id, password);
}
/**
* Login as the configured user for the NameNode.
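Review bot: The new `verifyToken` override dereferences the `namesystem` field without a null check, and it has no Javadoc. Whether the HTTP server can serve a WebHDFS request while `namesystem` is still unset is not visible in this hunk; if it can, the caller gets a NullPointerException rather than the IOException the interface declares. Consider `if (namesystem == null) { throw new IOException("Namesystem is not initialized"); }` before the delegation, and a one-line Javadoc saying the call is delegated to the namesystem's `verifyToken`.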


@ -38,6 +38,7 @@
import org.apache.hadoop.hdfs.client.HdfsClientConfigKeys;
import org.apache.hadoop.hdfs.server.aliasmap.InMemoryAliasMap;
import org.apache.hadoop.hdfs.server.common.JspHelper;
import org.apache.hadoop.hdfs.server.common.TokenVerifier;
import org.apache.hadoop.hdfs.server.namenode.startupprogress.StartupProgress;
import org.apache.hadoop.hdfs.server.namenode.web.resources.NamenodeWebHdfsMethods;
import org.apache.hadoop.hdfs.web.AuthFilter;
@ -319,6 +320,11 @@ public static NameNode getNameNodeFromContext(ServletContext context) {
return (NameNode)context.getAttribute(NAMENODE_ATTRIBUTE_KEY);
}
public static TokenVerifier
getTokenVerifierFromContext(ServletContext context) {
return (TokenVerifier) context.getAttribute(NAMENODE_ATTRIBUTE_KEY);
}
static Configuration getConfFromContext(ServletContext context) {
return (Configuration)context.getAttribute(JspHelper.CURRENT_CONF);
}
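Review bot: `getTokenVerifierFromContext` returns the raw type `TokenVerifier` and reads the same `NAMENODE_ATTRIBUTE_KEY` attribute that `getNameNodeFromContext` casts to `NameNode`. The raw return type turns the assignment in the caller into an unchecked conversion, and sharing the key means that a context storing a non-NameNode verifier under it would make `getNameNodeFromContext` fail with a ClassCastException, while any other object stored there fails the cast here. Declare the return type as `TokenVerifier<DelegationTokenIdentifier>` with a narrowly scoped `@SuppressWarnings("unchecked")`, and add a Javadoc line stating which attribute the verifier is read from and that null is returned when it is absent. A dedicated attribute key for the verifier would remove the coupling.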