HDFS-2807. Service level authorizartion for HAServiceProtocol.
git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/branches/HDFS-1623@1235431 13f79535-47bb-0310-9956-ffa450edef68
parent
83bcb1bbf4
commit
0b2245a0f3
@ -138,6 +138,12 @@
|
|||||||
dfsadmin and mradmin commands to refresh the security policy in-effect.
|
dfsadmin and mradmin commands to refresh the security policy in-effect.
|
||||||
</td>
|
</td>
|
||||||
</tr>
|
</tr>
|
||||||
|
<tr>
|
||||||
|
<td><code>security.ha.service.protocol.acl</code></td>
|
||||||
|
<td>ACL for HAService protocol used by HAAdmin to manage the
|
||||||
|
active and stand-by states of namenode.
|
||||||
|
</td>
|
||||||
|
</tr>
|
||||||
</table>
|
</table>
|
||||||
</section>
|
</section>
|
||||||
|
|
||||||
|
@ -114,11 +114,12 @@ public class CommonConfigurationKeys extends CommonConfigurationKeysPublic {
|
|||||||
public static final String
|
public static final String
|
||||||
HADOOP_SECURITY_SERVICE_AUTHORIZATION_REFRESH_USER_MAPPINGS =
|
HADOOP_SECURITY_SERVICE_AUTHORIZATION_REFRESH_USER_MAPPINGS =
|
||||||
"security.refresh.user.mappings.protocol.acl";
|
"security.refresh.user.mappings.protocol.acl";
|
||||||
|
public static final String
|
||||||
|
SECURITY_HA_SERVICE_PROTOCOL_ACL = "security.ha.service.protocol.acl";
|
||||||
|
|
||||||
public static final String HADOOP_SECURITY_TOKEN_SERVICE_USE_IP =
|
public static final String HADOOP_SECURITY_TOKEN_SERVICE_USE_IP =
|
||||||
"hadoop.security.token.service.use_ip";
|
"hadoop.security.token.service.use_ip";
|
||||||
public static final boolean HADOOP_SECURITY_TOKEN_SERVICE_USE_IP_DEFAULT =
|
public static final boolean HADOOP_SECURITY_TOKEN_SERVICE_USE_IP_DEFAULT =
|
||||||
true;
|
true;
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
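Review bot: The new constant `SECURITY_HA_SERVICE_PROTOCOL_ACL` drops the `HADOOP_SECURITY_SERVICE_AUTHORIZATION_` prefix that the ACL key directly above it (`HADOOP_SECURITY_SERVICE_AUTHORIZATION_REFRESH_USER_MAPPINGS`) carries, and it has no doc comment. Either follow the neighbouring naming or document the key where it is defined, for example `/** ACL key controlling who may call HAServiceProtocol (NameNode active/stand-by management). */`. A reader auditing the authorization keys in this class would then find it alongside the others.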
@ -19,7 +19,9 @@
|
|||||||
|
|
||||||
import org.apache.hadoop.classification.InterfaceAudience;
|
import org.apache.hadoop.classification.InterfaceAudience;
|
||||||
import org.apache.hadoop.classification.InterfaceStability;
|
import org.apache.hadoop.classification.InterfaceStability;
|
||||||
|
import org.apache.hadoop.fs.CommonConfigurationKeys;
|
||||||
import org.apache.hadoop.ipc.VersionedProtocol;
|
import org.apache.hadoop.ipc.VersionedProtocol;
|
||||||
|
import org.apache.hadoop.security.KerberosInfo;
|
||||||
|
|
||||||
import java.io.IOException;
|
import java.io.IOException;
|
||||||
|
|
||||||
@ -29,6 +31,8 @@
|
|||||||
*
|
*
|
||||||
* This interface could be used by HA frameworks to manage the service.
|
* This interface could be used by HA frameworks to manage the service.
|
||||||
*/
|
*/
|
||||||
|
@KerberosInfo(
|
||||||
|
serverPrincipal=CommonConfigurationKeys.HADOOP_SECURITY_SERVICE_USER_NAME_KEY)
|
||||||
@InterfaceAudience.Public
|
@InterfaceAudience.Public
|
||||||
@InterfaceStability.Evolving
|
@InterfaceStability.Evolving
|
||||||
public interface HAServiceProtocol extends VersionedProtocol {
|
public interface HAServiceProtocol extends VersionedProtocol {
|
||||||
|
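Review bot: The `@KerberosInfo` annotation added on `HAServiceProtocol` takes its server principal from `CommonConfigurationKeys.HADOOP_SECURITY_SERVICE_USER_NAME_KEY`, but nothing visible in this commit sets that key on the client side. If the client configuration does not carry the NameNode's principal under that key (worth confirming against the HAAdmin code, which is not shown here), Kerberos negotiation for this protocol would presumably fail on a secure cluster. The interface Javadoc above the annotation should also state the new contract, for example `Callers are authenticated via Kerberos and authorized against security.ha.service.protocol.acl when service-level authorization is enabled.` The interface body continues outside the hunk.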
@ -216,6 +216,13 @@
|
|||||||
group list is separated by a blank. For e.g. "alice,bob users,wheel".
|
group list is separated by a blank. For e.g. "alice,bob users,wheel".
|
||||||
A special value of "*" means all users are allowed.</description>
|
A special value of "*" means all users are allowed.</description>
|
||||||
</property>
|
</property>
|
||||||
|
|
||||||
|
<property>
|
||||||
|
<name>security.ha.service.protocol.acl</name>
|
||||||
|
<value>*</value>
|
||||||
|
<description>ACL for HAService protocol used by HAAdmin to manage the
|
||||||
|
active and stand-by states of namenode.</description>
|
||||||
|
</property>
|
||||||
|
|
||||||
<property>
|
<property>
|
||||||
<name>security.mrhs.client.protocol.acl</name>
|
<name>security.mrhs.client.protocol.acl</name>
|
||||||
|
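Review bot: The new `security.ha.service.protocol.acl` property ships with `<value>*</value>`, which the surrounding descriptions define as "all users are allowed". Unless the protocol implementation checks privileges itself (not shown in this commit), enabling service-level authorization therefore still lets any authenticated user call the protocol that manages the NameNode's active and stand-by states. The wildcard matches the neighbouring entries, but this protocol is administrative, so the description should say so. A sentence such as `Restrict this to the cluster administrators; "*" lets any authenticated user request a state change.` would do. The same default and description are added in the final policy-file section of this commit.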
@ -127,3 +127,5 @@ HDFS-2820. Add a simple sanity check for HA config (todd)
|
|||||||
HDFS-2688. Add tests for quota tracking in an HA cluster. (todd)
|
HDFS-2688. Add tests for quota tracking in an HA cluster. (todd)
|
||||||
|
|
||||||
HDFS-2804. Should not mark blocks under-replicated when exiting safemode (todd)
|
HDFS-2804. Should not mark blocks under-replicated when exiting safemode (todd)
|
||||||
|
|
||||||
|
HDFS-2807. Service level authorizartion for HAServiceProtocol. (jitendra)
|
||||||
|
@ -19,6 +19,7 @@
|
|||||||
|
|
||||||
import org.apache.hadoop.classification.InterfaceAudience;
|
import org.apache.hadoop.classification.InterfaceAudience;
|
||||||
import org.apache.hadoop.fs.CommonConfigurationKeys;
|
import org.apache.hadoop.fs.CommonConfigurationKeys;
|
||||||
|
import org.apache.hadoop.ha.HAServiceProtocol;
|
||||||
import org.apache.hadoop.hdfs.protocol.ClientDatanodeProtocol;
|
import org.apache.hadoop.hdfs.protocol.ClientDatanodeProtocol;
|
||||||
import org.apache.hadoop.hdfs.protocol.ClientProtocol;
|
import org.apache.hadoop.hdfs.protocol.ClientProtocol;
|
||||||
import org.apache.hadoop.hdfs.server.protocol.DatanodeProtocol;
|
import org.apache.hadoop.hdfs.server.protocol.DatanodeProtocol;
|
||||||
@ -44,6 +45,8 @@ public class HDFSPolicyProvider extends PolicyProvider {
|
|||||||
new Service("security.inter.datanode.protocol.acl",
|
new Service("security.inter.datanode.protocol.acl",
|
||||||
InterDatanodeProtocol.class),
|
InterDatanodeProtocol.class),
|
||||||
new Service("security.namenode.protocol.acl", NamenodeProtocol.class),
|
new Service("security.namenode.protocol.acl", NamenodeProtocol.class),
|
||||||
|
new Service(CommonConfigurationKeys.SECURITY_HA_SERVICE_PROTOCOL_ACL,
|
||||||
|
HAServiceProtocol.class),
|
||||||
new Service(
|
new Service(
|
||||||
CommonConfigurationKeys.HADOOP_SECURITY_SERVICE_AUTHORIZATION_REFRESH_POLICY,
|
CommonConfigurationKeys.HADOOP_SECURITY_SERVICE_AUTHORIZATION_REFRESH_POLICY,
|
||||||
RefreshAuthorizationPolicyProtocol.class),
|
RefreshAuthorizationPolicyProtocol.class),
|
||||||
|
@ -109,5 +109,12 @@
|
|||||||
group list is separated by a blank. For e.g. "alice,bob users,wheel".
|
group list is separated by a blank. For e.g. "alice,bob users,wheel".
|
||||||
A special value of "*" means all users are allowed.</description>
|
A special value of "*" means all users are allowed.</description>
|
||||||
</property>
|
</property>
|
||||||
|
|
||||||
|
<property>
|
||||||
|
<name>security.ha.service.protocol.acl</name>
|
||||||
|
<value>*</value>
|
||||||
|
<description>ACL for HAService protocol used by HAAdmin to manage the
|
||||||
|
active and stand-by states of namenode.</description>
|
||||||
|
</property>
|
||||||
|
|
||||||
</configuration>
|
</configuration>
|
||||||
|