Revert "HADOOP-14077. Add ability to access jmx via proxy. Contributed by Yuanbo Liu."
This reverts commit 172b23af33
.
(cherry picked from commit d0d2d4c51e9534e08893ae14cf3fff7b2ee70b1d)
This commit is contained in:
parent
4743d4a2c7
commit
3a8dade9b1
@ -20,10 +20,9 @@
|
||||
import org.apache.hadoop.security.authentication.server.AuthenticationFilter;
|
||||
import org.apache.hadoop.security.authorize.AuthorizationException;
|
||||
import org.apache.hadoop.security.authorize.ProxyUsers;
|
||||
import org.apache.hadoop.util.HttpExceptionUtils;
|
||||
import org.apache.http.NameValuePair;
|
||||
import org.apache.http.client.utils.URLEncodedUtils;
|
||||
import org.slf4j.Logger;
|
||||
import org.slf4j.LoggerFactory;
|
||||
|
||||
import javax.servlet.FilterChain;
|
||||
import javax.servlet.ServletException;
|
||||
@ -42,9 +41,6 @@
|
||||
*/
|
||||
public class AuthenticationWithProxyUserFilter extends AuthenticationFilter {
|
||||
|
||||
public static final Logger LOG =
|
||||
LoggerFactory.getLogger(AuthenticationWithProxyUserFilter.class);
|
||||
|
||||
/**
|
||||
* Constant used in URL's query string to perform a proxy user request, the
|
||||
* value of the <code>DO_AS</code> parameter is the user the request will be
|
||||
@ -70,30 +66,29 @@ public class AuthenticationWithProxyUserFilter extends AuthenticationFilter {
|
||||
protected void doFilter(FilterChain filterChain, HttpServletRequest request,
|
||||
HttpServletResponse response) throws IOException, ServletException {
|
||||
|
||||
final String proxyUser = getDoAs(request);
|
||||
// authorize proxy user before calling next filter.
|
||||
String proxyUser = getDoAs(request);
|
||||
if (proxyUser != null) {
|
||||
|
||||
// Change the remote user after proxy user is authorized.
|
||||
final HttpServletRequest finalReq = request;
|
||||
request = new HttpServletRequestWrapper(finalReq) {
|
||||
|
||||
private String getRemoteOrProxyUser() throws AuthorizationException {
|
||||
UserGroupInformation realUser =
|
||||
UserGroupInformation.createRemoteUser(finalReq.getRemoteUser());
|
||||
UserGroupInformation.createRemoteUser(request.getRemoteUser());
|
||||
UserGroupInformation proxyUserInfo =
|
||||
UserGroupInformation.createProxyUser(proxyUser, realUser);
|
||||
ProxyUsers.authorize(proxyUserInfo, finalReq.getRemoteAddr());
|
||||
return proxyUserInfo.getUserName();
|
||||
|
||||
try {
|
||||
ProxyUsers.authorize(proxyUserInfo, request.getRemoteAddr());
|
||||
} catch (AuthorizationException ex) {
|
||||
HttpExceptionUtils.createServletExceptionResponse(response,
|
||||
HttpServletResponse.SC_FORBIDDEN, ex);
|
||||
// stop filter chain if there is an Authorization Exception.
|
||||
return;
|
||||
}
|
||||
|
||||
final UserGroupInformation finalProxyUser = proxyUserInfo;
|
||||
// Change the remote user after proxy user is authorized.
|
||||
request = new HttpServletRequestWrapper(request) {
|
||||
@Override
|
||||
public String getRemoteUser() {
|
||||
try {
|
||||
return getRemoteOrProxyUser();
|
||||
} catch (AuthorizationException ex) {
|
||||
LOG.error("Unable to verify proxy user: " + ex.getMessage(), ex);
|
||||
}
|
||||
return null;
|
||||
return finalProxyUser.getUserName();
|
||||
}
|
||||
};
|
||||
|
||||
|
@ -178,25 +178,12 @@ public void testAuthenticationWithProxyUser() throws Exception {
|
||||
Assert.assertEquals(HttpURLConnection.HTTP_OK, conn.getResponseCode());
|
||||
}
|
||||
|
||||
// userA cannot impersonate userC, but for /stacks, /jmx and /conf,
|
||||
// they doesn't require users to authorize by default, so they
|
||||
// can be accessed.
|
||||
// userA cannot impersonate userC, it fails.
|
||||
for (String servlet :
|
||||
new String[]{"stacks", "jmx", "conf"}){
|
||||
HttpURLConnection conn = authUrl
|
||||
.openConnection(new URL(serverURL + servlet + "?doAs=userC"),
|
||||
token);
|
||||
Assert.assertEquals(HttpURLConnection.HTTP_OK,
|
||||
conn.getResponseCode());
|
||||
}
|
||||
|
||||
// "/logs" and "/logLevel" require admin authorization,
|
||||
// only userA has the access.
|
||||
for (String servlet :
|
||||
new String[]{"logLevel", "logs"}) {
|
||||
HttpURLConnection conn = authUrl
|
||||
.openConnection(new URL(serverURL + servlet + "?doAs=userC"),
|
||||
token);
|
||||
Assert.assertEquals(HttpURLConnection.HTTP_FORBIDDEN,
|
||||
conn.getResponseCode());
|
||||
}
|
||||
|
@ -393,11 +393,10 @@ void accessDenied(String s) {
|
||||
*/
|
||||
boolean checkAccess(Job job) {
|
||||
String remoteUser = request().getRemoteUser();
|
||||
if (remoteUser == null) {
|
||||
return false;
|
||||
UserGroupInformation callerUGI = null;
|
||||
if (remoteUser != null) {
|
||||
callerUGI = UserGroupInformation.createRemoteUser(remoteUser);
|
||||
}
|
||||
UserGroupInformation callerUGI =
|
||||
UserGroupInformation.createRemoteUser(remoteUser);
|
||||
if (callerUGI != null && !job.checkAccess(callerUGI, JobACL.VIEW_JOB)) {
|
||||
return false;
|
||||
}
|
||||
|
@ -32,7 +32,6 @@
|
||||
import org.apache.hadoop.conf.Configuration;
|
||||
import org.apache.hadoop.fs.CommonConfigurationKeys;
|
||||
import org.apache.hadoop.security.UserGroupInformation;
|
||||
import org.apache.hadoop.security.authentication.client.AuthenticationException;
|
||||
import org.apache.hadoop.security.http.RestCsrfPreventionFilter;
|
||||
import org.apache.hadoop.util.StringUtils;
|
||||
import org.apache.hadoop.yarn.api.ApplicationBaseProtocol;
|
||||
@ -110,8 +109,8 @@ protected void render(Block html) {
|
||||
final GetApplicationReportRequest request =
|
||||
GetApplicationReportRequest.newInstance(appID);
|
||||
if (callerUGI == null) {
|
||||
throw new AuthenticationException(
|
||||
"Failed to get user name from request");
|
||||
appReport =
|
||||
appBaseProt.getApplicationReport(request).getApplicationReport();
|
||||
} else {
|
||||
appReport = callerUGI.doAs(
|
||||
new PrivilegedExceptionAction<ApplicationReport> () {
|
||||
@ -205,25 +204,6 @@ public Collection<ApplicationAttemptReport> run() throws Exception {
|
||||
String schedulerPath = WebAppUtils.getResolvedRMWebAppURLWithScheme(conf) +
|
||||
"/cluster/scheduler?openQueues=" + app.getQueue();
|
||||
|
||||
generateOverviewTable(app, schedulerPath, webUiType, appReport);
|
||||
|
||||
createApplicationMetricsTable(html);
|
||||
|
||||
html.__(InfoBlock.class);
|
||||
|
||||
generateApplicationTable(html, callerUGI, attempts);
|
||||
|
||||
}
|
||||
|
||||
/**
|
||||
* Generate overview table for app web page.
|
||||
* @param app app info.
|
||||
* @param schedulerPath schedule path.
|
||||
* @param webUiType web ui type.
|
||||
* @param appReport app report.
|
||||
*/
|
||||
private void generateOverviewTable(AppInfo app, String schedulerPath,
|
||||
String webUiType, ApplicationReport appReport) {
|
||||
ResponseInfo overviewTable = info("Application Overview")
|
||||
.__("User:", schedulerPath, app.getUser())
|
||||
.__("Name:", app.getName())
|
||||
@ -285,6 +265,37 @@ private void generateOverviewTable(AppInfo app, String schedulerPath,
|
||||
overviewTable.__("AM container Node Label expression:",
|
||||
app.getAmNodeLabelExpression() == null ? "<Not set>"
|
||||
: app.getAmNodeLabelExpression());
|
||||
|
||||
try {
|
||||
final GetApplicationAttemptsRequest request =
|
||||
GetApplicationAttemptsRequest.newInstance(appID);
|
||||
if (callerUGI == null) {
|
||||
attempts = appBaseProt.getApplicationAttempts(request)
|
||||
.getApplicationAttemptList();
|
||||
} else {
|
||||
attempts = callerUGI.doAs(
|
||||
new PrivilegedExceptionAction<Collection<ApplicationAttemptReport>> () {
|
||||
@Override
|
||||
public Collection<ApplicationAttemptReport> run() throws Exception {
|
||||
return appBaseProt.getApplicationAttempts(request)
|
||||
.getApplicationAttemptList();
|
||||
}
|
||||
});
|
||||
}
|
||||
} catch (Exception e) {
|
||||
String message =
|
||||
"Failed to read the attempts of the application " + appID + ".";
|
||||
LOG.error(message, e);
|
||||
html.p().__(message).__();
|
||||
return;
|
||||
}
|
||||
|
||||
createApplicationMetricsTable(html);
|
||||
|
||||
html.__(InfoBlock.class);
|
||||
|
||||
generateApplicationTable(html, callerUGI, attempts);
|
||||
|
||||
}
|
||||
|
||||
protected void generateApplicationTable(Block html,
|
||||
|
Loading…
Reference in New Issue
Block a user