HADOOP-19249. KMSClientProvider raises NPE with unauthed user (#6984)

KMSClientProvider raises a NullPointerException when an unauthorised user
tries to perform the key operation

Contributed by Dhaval Shah
This commit is contained in:
dhavalshah9131 2024-08-20 18:33:05 +05:30 committed by GitHub
parent 2fd7cf53fa
commit 33c9ecb652
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194

View File

@ -18,6 +18,7 @@
package org.apache.hadoop.crypto.key.kms; package org.apache.hadoop.crypto.key.kms;
import org.apache.commons.codec.binary.Base64; import org.apache.commons.codec.binary.Base64;
import org.apache.commons.lang3.StringUtils;
import org.apache.hadoop.classification.InterfaceAudience; import org.apache.hadoop.classification.InterfaceAudience;
import org.apache.hadoop.conf.Configuration; import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.crypto.key.KeyProvider; import org.apache.hadoop.crypto.key.KeyProvider;
@ -561,17 +562,19 @@ private <T> T call(HttpURLConnection conn, Object jsonOutput,
} }
throw ex; throw ex;
} }
if ((conn.getResponseCode() == HttpURLConnection.HTTP_FORBIDDEN if ((conn.getResponseCode() == HttpURLConnection.HTTP_FORBIDDEN
&& (conn.getResponseMessage().equals(ANONYMOUS_REQUESTS_DISALLOWED) || && (!StringUtils.isEmpty(conn.getResponseMessage())
conn.getResponseMessage().contains(INVALID_SIGNATURE))) && (conn.getResponseMessage().equals(ANONYMOUS_REQUESTS_DISALLOWED)
|| conn.getResponseMessage().contains(INVALID_SIGNATURE))))
|| conn.getResponseCode() == HttpURLConnection.HTTP_UNAUTHORIZED) { || conn.getResponseCode() == HttpURLConnection.HTTP_UNAUTHORIZED) {
// Ideally, this should happen only when there is an Authentication // Ideally, this should happen only when there is an Authentication
// failure. Unfortunately, the AuthenticationFilter returns 403 when it // failure. Unfortunately, the AuthenticationFilter returns 403 when it
// cannot authenticate (Since a 401 requires Server to send // cannot authenticate (Since a 401 requires Server to send
// WWW-Authenticate header as well).. // WWW-Authenticate header as well)..
if (LOG.isDebugEnabled()) { if (LOG.isDebugEnabled()) {
LOG.debug("Response={}({}), resetting authToken", LOG.debug("Response={}, resetting authToken",
conn.getResponseCode(), conn.getResponseMessage()); conn.getResponseCode());
} }
KMSClientProvider.this.authToken = KMSClientProvider.this.authToken =
new DelegationTokenAuthenticatedURL.Token(); new DelegationTokenAuthenticatedURL.Token();
@ -797,6 +800,7 @@ public EncryptedKeyVersion generateEncryptedKey(
@SuppressWarnings("rawtypes") @SuppressWarnings("rawtypes")
@Override @Override
public KeyVersion decryptEncryptedKey( public KeyVersion decryptEncryptedKey(
EncryptedKeyVersion encryptedKeyVersion) throws IOException, EncryptedKeyVersion encryptedKeyVersion) throws IOException,
GeneralSecurityException { GeneralSecurityException {
checkNotNull(encryptedKeyVersion.getEncryptionKeyVersionName(), checkNotNull(encryptedKeyVersion.getEncryptionKeyVersionName(),