HADOOP-11704. DelegationTokenAuthenticationFilter must pass ipaddress instead of hostname to ProxyUsers#authorize (Anubhav Dhoot via asuresh)

This commit is contained in:
Arun Suresh 2015-04-21 11:31:51 -07:00
parent dfc1c4c303
commit 424a00daa0
4 changed files with 60 additions and 3 deletions

View File

@ -519,6 +519,9 @@ Release 2.8.0 - UNRELEASED
HADOOP-11811. Fix typos in hadoop-project/pom.xml and TestAccessControlList. HADOOP-11811. Fix typos in hadoop-project/pom.xml and TestAccessControlList.
(Brahma Reddy Battula via ozawa) (Brahma Reddy Battula via ozawa)
HADOOP-11704. DelegationTokenAuthenticationFilter must pass ipaddress
instead of hostname to ProxyUsers#authorize (Anubhav Dhoot via asuresh)
Release 2.7.1 - UNRELEASED Release 2.7.1 - UNRELEASED
INCOMPATIBLE CHANGES INCOMPATIBLE CHANGES

View File

@ -239,7 +239,7 @@ protected void doFilter(FilterChain filterChain, HttpServletRequest request,
if (doAsUser != null) { if (doAsUser != null) {
ugi = UserGroupInformation.createProxyUser(doAsUser, ugi); ugi = UserGroupInformation.createProxyUser(doAsUser, ugi);
try { try {
ProxyUsers.authorize(ugi, request.getRemoteHost()); ProxyUsers.authorize(ugi, request.getRemoteAddr());
} catch (AuthorizationException ex) { } catch (AuthorizationException ex) {
HttpExceptionUtils.createServletExceptionResponse(response, HttpExceptionUtils.createServletExceptionResponse(response,
HttpServletResponse.SC_FORBIDDEN, ex); HttpServletResponse.SC_FORBIDDEN, ex);

View File

@ -199,7 +199,7 @@ public boolean managementOperation(AuthenticationToken token,
requestUgi = UserGroupInformation.createProxyUser( requestUgi = UserGroupInformation.createProxyUser(
doAsUser, requestUgi); doAsUser, requestUgi);
try { try {
ProxyUsers.authorize(requestUgi, request.getRemoteHost()); ProxyUsers.authorize(requestUgi, request.getRemoteAddr());
} catch (AuthorizationException ex) { } catch (AuthorizationException ex) {
HttpExceptionUtils.createServletExceptionResponse(response, HttpExceptionUtils.createServletExceptionResponse(response,
HttpServletResponse.SC_FORBIDDEN, ex); HttpServletResponse.SC_FORBIDDEN, ex);

View File

@ -35,6 +35,7 @@
import org.junit.Assert; import org.junit.Assert;
import org.junit.Before; import org.junit.Before;
import org.junit.Test; import org.junit.Test;
import org.mortbay.jetty.AbstractConnector;
import org.mortbay.jetty.Connector; import org.mortbay.jetty.Connector;
import org.mortbay.jetty.Server; import org.mortbay.jetty.Server;
import org.mortbay.jetty.servlet.Context; import org.mortbay.jetty.servlet.Context;
@ -658,7 +659,7 @@ protected org.apache.hadoop.conf.Configuration getProxyuserConfiguration(
org.apache.hadoop.conf.Configuration conf = org.apache.hadoop.conf.Configuration conf =
new org.apache.hadoop.conf.Configuration(false); new org.apache.hadoop.conf.Configuration(false);
conf.set("proxyuser.client.users", OK_USER); conf.set("proxyuser.client.users", OK_USER);
conf.set("proxyuser.client.hosts", "localhost"); conf.set("proxyuser.client.hosts", "127.0.0.1");
return conf; return conf;
} }
} }
@ -752,6 +753,7 @@ private void testKerberosDelegationTokenAuthenticator(
Context context = new Context(); Context context = new Context();
context.setContextPath("/foo"); context.setContextPath("/foo");
jetty.setHandler(context); jetty.setHandler(context);
((AbstractConnector)jetty.getConnectors()[0]).setResolveNames(true);
context.addFilter(new FilterHolder(KDTAFilter.class), "/*", 0); context.addFilter(new FilterHolder(KDTAFilter.class), "/*", 0);
context.addServlet(new ServletHolder(UserServlet.class), "/bar"); context.addServlet(new ServletHolder(UserServlet.class), "/bar");
try { try {
@ -969,4 +971,56 @@ public Void run() throws Exception {
} }
} }
public static class IpAddressBasedPseudoDTAFilter extends PseudoDTAFilter {
@Override
protected org.apache.hadoop.conf.Configuration getProxyuserConfiguration
(FilterConfig filterConfig) throws ServletException {
org.apache.hadoop.conf.Configuration configuration = super
.getProxyuserConfiguration(filterConfig);
configuration.set("proxyuser.foo.hosts", "127.0.0.1");
return configuration;
}
}
@Test
public void testIpaddressCheck() throws Exception {
final Server jetty = createJettyServer();
((AbstractConnector)jetty.getConnectors()[0]).setResolveNames(true);
Context context = new Context();
context.setContextPath("/foo");
jetty.setHandler(context);
context.addFilter(new FilterHolder(IpAddressBasedPseudoDTAFilter.class), "/*", 0);
context.addServlet(new ServletHolder(UGIServlet.class), "/bar");
try {
jetty.start();
final URL url = new URL(getJettyURL() + "/foo/bar");
UserGroupInformation ugi = UserGroupInformation.createRemoteUser(FOO_USER);
ugi.doAs(new PrivilegedExceptionAction<Void>() {
@Override
public Void run() throws Exception {
DelegationTokenAuthenticatedURL.Token token =
new DelegationTokenAuthenticatedURL.Token();
DelegationTokenAuthenticatedURL aUrl =
new DelegationTokenAuthenticatedURL();
// user ok-user via proxyuser foo
HttpURLConnection conn = aUrl.openConnection(url, token, OK_USER);
Assert.assertEquals(HttpURLConnection.HTTP_OK,
conn.getResponseCode());
List<String> ret = IOUtils.readLines(conn.getInputStream());
Assert.assertEquals(1, ret.size());
Assert.assertEquals("realugi=" + FOO_USER +":remoteuser=" + OK_USER +
":ugi=" + OK_USER, ret.get(0));
return null;
}
});
} finally {
jetty.stop();
}
}
} }