HDFS-14006. Refactor name node to allow different token verification implementations. Contributed by CR Hota.
parent
f858f18554
commit
00d5e631b5
@ -23,7 +23,6 @@
|
||||
import org.apache.hadoop.classification.InterfaceAudience;
|
||||
import org.apache.hadoop.conf.Configuration;
|
||||
import org.apache.hadoop.hdfs.security.token.delegation.DelegationTokenIdentifier;
|
||||
import org.apache.hadoop.hdfs.server.namenode.NameNode;
|
||||
import org.apache.hadoop.hdfs.server.namenode.NameNodeHttpServer;
|
||||
import org.apache.hadoop.hdfs.web.resources.DelegationParam;
|
||||
import org.apache.hadoop.hdfs.web.resources.DoAsParam;
|
||||
@ -176,10 +175,11 @@ private static UserGroupInformation getTokenUGI(ServletContext context,
|
||||
DelegationTokenIdentifier id = new DelegationTokenIdentifier();
|
||||
id.readFields(in);
|
||||
if (context != null) {
|
||||
final NameNode nn = NameNodeHttpServer.getNameNodeFromContext(context);
|
||||
if (nn != null) {
|
||||
final TokenVerifier<DelegationTokenIdentifier> tokenVerifier =
|
||||
NameNodeHttpServer.getTokenVerifierFromContext(context);
|
||||
if (tokenVerifier != null) {
|
||||
// Verify the token.
|
||||
nn.getNamesystem().verifyToken(id, token.getPassword());
|
||||
tokenVerifier.verifyToken(id, token.getPassword());
|
||||
}
|
||||
}
|
||||
UserGroupInformation ugi = id.getUser();
|
||||
|
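Review bot: In getTokenUGI the token is still accepted without any verification when `context` is null or when `getTokenVerifierFromContext` returns null, because both `if` blocks are skipped and `id.getUser()` runs next. Now that the verifier is pluggable, a server that does not register one under the expected attribute would silently skip the password check. If a non-null context without a verifier is never legitimate (the callers are outside this hunk, so confirm), fail closed with `else { throw new IOException("No TokenVerifier registered in servlet context"); }`. Also add a comment on the `context != null` branch naming which callers pass null and where their tokens are verified instead. The function starts and ends outside the hunk.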
@ -0,0 +1,35 @@
|
||||
/**
|
||||
* Licensed to the Apache Software Foundation (ASF) under one
|
||||
* or more contributor license agreements. See the NOTICE file
|
||||
* distributed with this work for additional information
|
||||
* regarding copyright ownership. The ASF licenses this file
|
||||
* to you under the Apache License, Version 2.0 (the
|
||||
* "License"); you may not use this file except in compliance
|
||||
* with the License. You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
package org.apache.hadoop.hdfs.server.common;
|
||||
|
||||
import java.io.IOException;
|
||||
import org.apache.hadoop.security.token.delegation.AbstractDelegationTokenIdentifier;
|
||||
|
||||
/**
|
||||
* Interface to verify delegation tokens passed through WebHDFS.
|
||||
* Implementations are intercepted by JspHelper that pass delegation token
|
||||
* for verification.
|
||||
*/
|
||||
public interface TokenVerifier<T extends AbstractDelegationTokenIdentifier> {
|
||||
|
||||
/* Verify delegation token passed through WebHDFS
|
||||
* Name node, Router implement this for JspHelper to verify token
|
||||
*/
|
||||
void verifyToken(T t, byte[] password) throws IOException;
|
||||
|
||||
}
|
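Review bot: The comment on `verifyToken` is a plain `/* */` block, so it is left out of generated Javadoc, and it does not state the contract an implementer must meet. This method is the only check between a WebHDFS delegation token and the user derived from it, so the doc should say that an implementation must throw when the identifier is not recognised or the password does not match, and must never return normally for a token it could not validate. Suggested form: a `/** */` block with `@param t` (the decoded token identifier), `@param password` (the password bytes presented with the token) and `@throws IOException if the token cannot be verified`. The class-level sentence "Implementations are intercepted by JspHelper" would be clearer as "JspHelper passes delegation tokens to the registered implementation for verification".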
@ -47,6 +47,7 @@
|
||||
import org.apache.hadoop.hdfs.protocol.ClientProtocol;
|
||||
import org.apache.hadoop.hdfs.protocol.HdfsConstants;
|
||||
import org.apache.hadoop.hdfs.protocol.HdfsConstants.StoragePolicySatisfierMode;
|
||||
import org.apache.hadoop.hdfs.security.token.delegation.DelegationTokenIdentifier;
|
||||
import org.apache.hadoop.hdfs.server.aliasmap.InMemoryAliasMap;
|
||||
import org.apache.hadoop.hdfs.server.aliasmap.InMemoryLevelDBAliasMapServer;
|
||||
import org.apache.hadoop.hdfs.server.blockmanagement.DatanodeManager;
|
||||
@ -55,6 +56,7 @@
|
||||
import org.apache.hadoop.hdfs.server.common.HdfsServerConstants.StartupOption;
|
||||
import org.apache.hadoop.hdfs.server.common.MetricsLoggerTask;
|
||||
import org.apache.hadoop.hdfs.server.common.Storage.StorageDirectory;
|
||||
import org.apache.hadoop.hdfs.server.common.TokenVerifier;
|
||||
import org.apache.hadoop.hdfs.server.namenode.ha.ActiveState;
|
||||
import org.apache.hadoop.hdfs.server.namenode.ha.BootstrapStandby;
|
||||
import org.apache.hadoop.hdfs.server.namenode.ha.HAContext;
|
||||
@ -208,7 +210,7 @@
|
||||
**********************************************************/
|
||||
@InterfaceAudience.Private
|
||||
public class NameNode extends ReconfigurableBase implements
|
||||
NameNodeStatusMXBean {
|
||||
NameNodeStatusMXBean, TokenVerifier<DelegationTokenIdentifier> {
|
||||
static{
|
||||
HdfsConfiguration.init();
|
||||
}
|
||||
@ -656,6 +658,11 @@ public static UserGroupInformation getRemoteUser() throws IOException {
|
||||
return (ugi != null) ? ugi : UserGroupInformation.getCurrentUser();
|
||||
}
|
||||
|
||||
@Override
|
||||
public void verifyToken(DelegationTokenIdentifier id, byte[] password)
|
||||
throws IOException {
|
||||
namesystem.verifyToken(id, password);
|
||||
}
|
||||
|
||||
/**
|
||||
* Login as the configured user for the NameNode.
|
||||
|
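Review bot: The new `verifyToken` override dereferences the `namesystem` field with no null check and carries no Javadoc. If the HTTP server can serve WebHDFS requests before `namesystem` is assigned or after it is cleared (not visible in this hunk, so confirm), the request fails with a NullPointerException rather than the IOException the TokenVerifier interface declares. A guard such as `if (namesystem == null) { throw new IOException("Namesystem is not initialized; cannot verify token"); }` keeps that failure explicit and closed. A one-line doc comment stating that verification is delegated to the namesystem would also help readers of this now-public method.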
@ -38,6 +38,7 @@
|
||||
import org.apache.hadoop.hdfs.client.HdfsClientConfigKeys;
|
||||
import org.apache.hadoop.hdfs.server.aliasmap.InMemoryAliasMap;
|
||||
import org.apache.hadoop.hdfs.server.common.JspHelper;
|
||||
import org.apache.hadoop.hdfs.server.common.TokenVerifier;
|
||||
import org.apache.hadoop.hdfs.server.namenode.startupprogress.StartupProgress;
|
||||
import org.apache.hadoop.hdfs.server.namenode.web.resources.NamenodeWebHdfsMethods;
|
||||
import org.apache.hadoop.hdfs.web.AuthFilter;
|
||||
@ -319,6 +320,11 @@ public static NameNode getNameNodeFromContext(ServletContext context) {
|
||||
return (NameNode)context.getAttribute(NAMENODE_ATTRIBUTE_KEY);
|
||||
}
|
||||
|
||||
public static TokenVerifier
|
||||
getTokenVerifierFromContext(ServletContext context) {
|
||||
return (TokenVerifier) context.getAttribute(NAMENODE_ATTRIBUTE_KEY);
|
||||
}
|
||||
|
||||
static Configuration getConfFromContext(ServletContext context) {
|
||||
return (Configuration)context.getAttribute(JspHelper.CURRENT_CONF);
|
||||
}
|
||||
|
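Review bot: `getTokenVerifierFromContext` returns the raw type `TokenVerifier` and reads the same `NAMENODE_ATTRIBUTE_KEY` attribute as `getNameNodeFromContext` directly above it. The caller's assignment to `TokenVerifier<DelegationTokenIdentifier>` is therefore an unchecked conversion, and the verifier is not registered separately from the NameNode object. Declare the return type as `TokenVerifier<DelegationTokenIdentifier>` with a narrowly scoped `@SuppressWarnings("unchecked")` on the cast. Add Javadoc stating that whatever is stored under this key must implement TokenVerifier, since otherwise the cast throws ClassCastException at request time. If other servers are meant to plug in their own verifier, a dedicated attribute key would make a missing registration distinguishable from a missing NameNode.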