diff --git a/hadoop-common-project/hadoop-common/CHANGES.txt b/hadoop-common-project/hadoop-common/CHANGES.txt
index 31a8065537..2c9e86a5f0 100644
--- a/hadoop-common-project/hadoop-common/CHANGES.txt
+++ b/hadoop-common-project/hadoop-common/CHANGES.txt
@@ -1240,6 +1240,9 @@ Release 2.8.0 - UNRELEASED HADOOP-11628. SPNEGO auth does not work with CNAMEs in JDK8. (Daryn Sharp via stevel).
+ HADOOP-10941. Proxy user verification NPEs if remote host is unresolvable.
+ (Benoy Antony via stevel).
+
 OPTIMIZATIONS HADOOP-12051. ProtobufRpcEngine.invoke() should use Exception.toString()
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/authorize/DefaultImpersonationProvider.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/authorize/DefaultImpersonationProvider.java
index b36ac80717..26cd7ab261 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/authorize/DefaultImpersonationProvider.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/authorize/DefaultImpersonationProvider.java
@@ -108,6 +108,10 @@ public Configuration getConf() { public void authorize(UserGroupInformation user, String remoteAddress) throws AuthorizationException {
+ if (user == null) {
+ throw new IllegalArgumentException("user is null.");
+ }
+
 UserGroupInformation realUser = user.getRealUser(); if (realUser == null) { return;
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/util/MachineList.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/util/MachineList.java
index d60d08387e..2e6c079d0f 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/util/MachineList.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/util/MachineList.java
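Review bot: In DefaultImpersonationProvider.authorize the new null-user guard throws an unchecked IllegalArgumentException from a method whose declared failure is AuthorizationException, and remoteAddress, the argument the commit title is about, is still not checked in this method. Callers are outside the diff, but any that turn AuthorizationException into a clean denial would presumably see this as an unexpected runtime error instead, so the method Javadoc should state the contract: `@throws IllegalArgumentException if user is null, or if remoteAddress is null when the proxy host list is consulted`. The second clause follows from the new testNullIpAddress in TestProxyUsers, which expects that exception from `ProxyUsers.authorize(proxyUserUgi, null)`. The body of authorize continues past the end of the hunk.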
@@ -18,7 +18,6 @@ package org.apache.hadoop.util; import java.net.InetAddress; - import java.net.UnknownHostException; import java.util.ArrayList; import java.util.Collection;
@@ -141,6 +140,10 @@ public boolean includes(String ipAddress) { return true; }
+ if (ipAddress == null) {
+ throw new IllegalArgumentException("ipAddress is null.");
+ }
+
 //check in the set of ipAddresses if ((ipAddresses != null) && ipAddresses.contains(ipAddress)) { return true;
diff --git a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/authorize/TestProxyUsers.java b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/authorize/TestProxyUsers.java
index 8ff4bfb108..577f11b929 100644
--- a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/authorize/TestProxyUsers.java
+++ b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/authorize/TestProxyUsers.java
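Review bot: The null check added to MachineList.includes sits after the early `return true;` that closes the preceding branch, so a null ipAddress is still reported as included whenever that branch is taken. The branch condition is outside the hunk; if it is the match-everything case, a caller whose remote host could not be resolved is treated as matching a wildcard host list, which for an authorization decision should either fail closed or be documented as intended. To reject null unconditionally, move the guard to the first statement of the method; otherwise add a comment such as `// null is rejected only when the list is not a wildcard; a wildcard list also matches unresolved callers`. The method continues past the end of the hunk.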
@@ -334,6 +334,45 @@ public void testIPRange() { assertNotAuthorized(proxyUserUgi, "10.221.0.0"); }
+ @Test(expected = IllegalArgumentException.class)
+ public void testNullUser() throws Exception {
+ Configuration conf = new Configuration();
+ conf.set(
+ DefaultImpersonationProvider.getTestProvider().
+ getProxySuperuserGroupConfKey(REAL_USER_NAME),
+ "*");
+ conf.set(
+ DefaultImpersonationProvider.getTestProvider().
+ getProxySuperuserIpConfKey(REAL_USER_NAME),
+ PROXY_IP_RANGE);
+ ProxyUsers.refreshSuperUserGroupsConfiguration(conf);
+ // user is null
+ ProxyUsers.authorize(null, "10.222.0.0");
+ }
+
+ @Test(expected = IllegalArgumentException.class)
+ public void testNullIpAddress() throws Exception {
+ Configuration conf = new Configuration();
+ conf.set(
+ DefaultImpersonationProvider.getTestProvider().
+ getProxySuperuserGroupConfKey(REAL_USER_NAME),
+ "*");
+ conf.set(
+ DefaultImpersonationProvider.getTestProvider().
+ getProxySuperuserIpConfKey(REAL_USER_NAME),
+ PROXY_IP_RANGE);
+ ProxyUsers.refreshSuperUserGroupsConfiguration(conf);
+
+ // First try proxying a group that's allowed
+ UserGroupInformation realUserUgi = UserGroupInformation
+ .createRemoteUser(REAL_USER_NAME);
+ UserGroupInformation proxyUserUgi = UserGroupInformation.createProxyUserForTesting(
+ PROXY_USER_NAME, realUserUgi, GROUP_NAMES);
+
+ // remote address is null
+ ProxyUsers.authorize(proxyUserUgi, null);
+ }
+
 @Test public void testWithDuplicateProxyGroups() throws Exception { Configuration conf = new Configuration();
diff --git a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/util/TestMachineList.java b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/util/TestMachineList.java
index 2aa61fed35..d721c29530 100644
--- a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/util/TestMachineList.java
+++ b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/util/TestMachineList.java
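Review bot: Both new tests in TestProxyUsers set the proxy host key to PROXY_IP_RANGE only, so no test pins what happens to a null remote address when the host entry is a wildcard. That is the case where the result may differ, because the MachineList.includes change in this commit places its null check after an early `return true;`. A third test that sets getProxySuperuserIpConfKey(REAL_USER_NAME) to the wildcard value and asserts the intended outcome of `ProxyUsers.authorize(proxyUserUgi, null)` would record the decision. In testNullIpAddress the copied comment `// First try proxying a group that's allowed` does not describe what follows; `// build a valid proxy user so that only the null address can fail` would be accurate.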
@@ -176,7 +176,15 @@ public void testCIDRs() { //test for exclusion with an unknown IP assertFalse(ml.includes("10.119.103.111"));
+ }
+ @Test(expected = IllegalArgumentException.class)
+ public void testNullIpAddress() {
+ //create MachineList with a list of of ip ranges specified in CIDR format
+ MachineList ml = new MachineList(CIDR_LIST);
+
+ //test for exclusion with a null IP
+ assertFalse(ml.includes(null));
 } @Test
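Review bot: In TestMachineList.testNullIpAddress the call is wrapped in `assertFalse(...)` although the test passes only when includes(null) throws, so the assertion is never evaluated and the comment `//test for exclusion with a null IP` describes a result the test does not expect. Calling `ml.includes(null);` directly, under the comment `//a null IP must be rejected with IllegalArgumentException`, states the contract actually being tested. The comment on the line above also has a doubled word (`list of of ip ranges`).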