From 424a00daa069bf2049014fd46ad152ec5fc77ac8 Mon Sep 17 00:00:00 2001 From: Arun Suresh Date: Tue, 21 Apr 2015 11:31:51 -0700 Subject: [PATCH] HADOOP-11704. DelegationTokenAuthenticationFilter must pass ipaddress instead of hostname to ProxyUsers#authorize (Anubhav Dhoot via asuresh) --- .../hadoop-common/CHANGES.txt | 3 + .../DelegationTokenAuthenticationFilter.java | 2 +- .../DelegationTokenAuthenticationHandler.java | 2 +- .../web/TestWebDelegationToken.java | 56 ++++++++++++++++++- 4 files changed, 60 insertions(+), 3 deletions(-) diff --git a/hadoop-common-project/hadoop-common/CHANGES.txt b/hadoop-common-project/hadoop-common/CHANGES.txt index 230717ca0c..5c6d44ae1d 100644 --- a/hadoop-common-project/hadoop-common/CHANGES.txt +++ b/hadoop-common-project/hadoop-common/CHANGES.txt @@ -519,6 +519,9 @@ Release 2.8.0 - UNRELEASED HADOOP-11811. Fix typos in hadoop-project/pom.xml and TestAccessControlList. (Brahma Reddy Battula via ozawa) + HADOOP-11704. DelegationTokenAuthenticationFilter must pass ipaddress + instead of hostname to ProxyUsers#authorize (Anubhav Dhoot via asuresh) + Release 2.7.1 - UNRELEASED INCOMPATIBLE CHANGES diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/DelegationTokenAuthenticationFilter.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/DelegationTokenAuthenticationFilter.java index fbd1129a8c..b6e1a76638 100644 --- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/DelegationTokenAuthenticationFilter.java +++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/DelegationTokenAuthenticationFilter.java @@ -239,7 +239,7 @@ protected void doFilter(FilterChain filterChain, HttpServletRequest request, if (doAsUser != null) { ugi = UserGroupInformation.createProxyUser(doAsUser, ugi); try { - ProxyUsers.authorize(ugi, request.getRemoteHost()); + ProxyUsers.authorize(ugi, request.getRemoteAddr()); } catch (AuthorizationException ex) { HttpExceptionUtils.createServletExceptionResponse(response, HttpServletResponse.SC_FORBIDDEN, ex); diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/DelegationTokenAuthenticationHandler.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/DelegationTokenAuthenticationHandler.java index c498f70e52..3f191de2fb 100644 --- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/DelegationTokenAuthenticationHandler.java +++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/DelegationTokenAuthenticationHandler.java @@ -199,7 +199,7 @@ public boolean managementOperation(AuthenticationToken token, requestUgi = UserGroupInformation.createProxyUser( doAsUser, requestUgi); try { - ProxyUsers.authorize(requestUgi, request.getRemoteHost()); + ProxyUsers.authorize(requestUgi, request.getRemoteAddr()); } catch (AuthorizationException ex) { HttpExceptionUtils.createServletExceptionResponse(response, HttpServletResponse.SC_FORBIDDEN, ex); diff --git a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/token/delegation/web/TestWebDelegationToken.java b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/token/delegation/web/TestWebDelegationToken.java index 87c3105ec2..d18f96862d 100644 --- a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/token/delegation/web/TestWebDelegationToken.java +++ b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/token/delegation/web/TestWebDelegationToken.java @@ -35,6 +35,7 @@ import org.junit.Assert; import org.junit.Before; import org.junit.Test; +import org.mortbay.jetty.AbstractConnector; import org.mortbay.jetty.Connector; import org.mortbay.jetty.Server; import org.mortbay.jetty.servlet.Context; @@ -658,7 +659,7 @@ protected org.apache.hadoop.conf.Configuration getProxyuserConfiguration( org.apache.hadoop.conf.Configuration conf = new org.apache.hadoop.conf.Configuration(false); conf.set("proxyuser.client.users", OK_USER); - conf.set("proxyuser.client.hosts", "localhost"); + conf.set("proxyuser.client.hosts", "127.0.0.1"); return conf; } } @@ -752,6 +753,7 @@ private void testKerberosDelegationTokenAuthenticator( Context context = new Context(); context.setContextPath("/foo"); jetty.setHandler(context); + ((AbstractConnector)jetty.getConnectors()[0]).setResolveNames(true); context.addFilter(new FilterHolder(KDTAFilter.class), "/*", 0); context.addServlet(new ServletHolder(UserServlet.class), "/bar"); try { @@ -969,4 +971,56 @@ public Void run() throws Exception { } } + public static class IpAddressBasedPseudoDTAFilter extends PseudoDTAFilter { + @Override + protected org.apache.hadoop.conf.Configuration getProxyuserConfiguration + (FilterConfig filterConfig) throws ServletException { + org.apache.hadoop.conf.Configuration configuration = super + .getProxyuserConfiguration(filterConfig); + configuration.set("proxyuser.foo.hosts", "127.0.0.1"); + return configuration; + } + } + + @Test + public void testIpaddressCheck() throws Exception { + final Server jetty = createJettyServer(); + ((AbstractConnector)jetty.getConnectors()[0]).setResolveNames(true); + Context context = new Context(); + context.setContextPath("/foo"); + jetty.setHandler(context); + + context.addFilter(new FilterHolder(IpAddressBasedPseudoDTAFilter.class), "/*", 0); + context.addServlet(new ServletHolder(UGIServlet.class), "/bar"); + + try { + jetty.start(); + final URL url = new URL(getJettyURL() + "/foo/bar"); + + UserGroupInformation ugi = UserGroupInformation.createRemoteUser(FOO_USER); + ugi.doAs(new PrivilegedExceptionAction() { + @Override + public Void run() throws Exception { + DelegationTokenAuthenticatedURL.Token token = + new DelegationTokenAuthenticatedURL.Token(); + DelegationTokenAuthenticatedURL aUrl = + new DelegationTokenAuthenticatedURL(); + + // user ok-user via proxyuser foo + HttpURLConnection conn = aUrl.openConnection(url, token, OK_USER); + Assert.assertEquals(HttpURLConnection.HTTP_OK, + conn.getResponseCode()); + List ret = IOUtils.readLines(conn.getInputStream()); + Assert.assertEquals(1, ret.size()); + Assert.assertEquals("realugi=" + FOO_USER +":remoteuser=" + OK_USER + + ":ugi=" + OK_USER, ret.get(0)); + + return null; + } + }); + } finally { + jetty.stop(); + } + } + }