HADOOP-11704. DelegationTokenAuthenticationFilter must pass ipaddress instead of hostname to ProxyUsers#authorize (Anubhav Dhoot via asuresh)
parent
dfc1c4c303
commit
424a00daa0
@ -519,6 +519,9 @@ Release 2.8.0 - UNRELEASED
|
|||||||
HADOOP-11811. Fix typos in hadoop-project/pom.xml and TestAccessControlList.
|
HADOOP-11811. Fix typos in hadoop-project/pom.xml and TestAccessControlList.
|
||||||
(Brahma Reddy Battula via ozawa)
|
(Brahma Reddy Battula via ozawa)
|
||||||
|
|
||||||
|
HADOOP-11704. DelegationTokenAuthenticationFilter must pass ipaddress
|
||||||
|
instead of hostname to ProxyUsers#authorize (Anubhav Dhoot via asuresh)
|
||||||
|
|
||||||
Release 2.7.1 - UNRELEASED
|
Release 2.7.1 - UNRELEASED
|
||||||
|
|
||||||
INCOMPATIBLE CHANGES
|
INCOMPATIBLE CHANGES
|
||||||
|
@ -239,7 +239,7 @@ protected void doFilter(FilterChain filterChain, HttpServletRequest request,
|
|||||||
if (doAsUser != null) {
|
if (doAsUser != null) {
|
||||||
ugi = UserGroupInformation.createProxyUser(doAsUser, ugi);
|
ugi = UserGroupInformation.createProxyUser(doAsUser, ugi);
|
||||||
try {
|
try {
|
||||||
ProxyUsers.authorize(ugi, request.getRemoteHost());
|
ProxyUsers.authorize(ugi, request.getRemoteAddr());
|
||||||
} catch (AuthorizationException ex) {
|
} catch (AuthorizationException ex) {
|
||||||
HttpExceptionUtils.createServletExceptionResponse(response,
|
HttpExceptionUtils.createServletExceptionResponse(response,
|
||||||
HttpServletResponse.SC_FORBIDDEN, ex);
|
HttpServletResponse.SC_FORBIDDEN, ex);
|
||||||
|
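Review bot: `request.getRemoteAddr()` is the address of the immediate TCP peer, so when this filter is deployed behind a reverse proxy or load balancer the proxyuser host ACL is evaluated against the proxy's address rather than the originating client's; the same applies to the identical change in the `managementOperation` hunk at `@ -199,7 +199,7`. The test hunk that swaps `proxyuser.client.hosts` from `localhost` to `127.0.0.1` suggests `ProxyUsers.authorize` matches addresses, not names, which is why the reverse-resolved `getRemoteHost()` value was wrong here. A one-line comment at the call site would keep the next maintainer from reverting to the host name or substituting a client-supplied forwarded header: `// Authorize by peer IP, not reverse-resolved host name (HADOOP-11704); behind a reverse proxy this is the proxy's address.` The enclosing `doFilter` starts and ends outside the hunk.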
@ -199,7 +199,7 @@ public boolean managementOperation(AuthenticationToken token,
|
|||||||
requestUgi = UserGroupInformation.createProxyUser(
|
requestUgi = UserGroupInformation.createProxyUser(
|
||||||
doAsUser, requestUgi);
|
doAsUser, requestUgi);
|
||||||
try {
|
try {
|
||||||
ProxyUsers.authorize(requestUgi, request.getRemoteHost());
|
ProxyUsers.authorize(requestUgi, request.getRemoteAddr());
|
||||||
} catch (AuthorizationException ex) {
|
} catch (AuthorizationException ex) {
|
||||||
HttpExceptionUtils.createServletExceptionResponse(response,
|
HttpExceptionUtils.createServletExceptionResponse(response,
|
||||||
HttpServletResponse.SC_FORBIDDEN, ex);
|
HttpServletResponse.SC_FORBIDDEN, ex);
|
||||||
|
@ -35,6 +35,7 @@
|
|||||||
import org.junit.Assert;
|
import org.junit.Assert;
|
||||||
import org.junit.Before;
|
import org.junit.Before;
|
||||||
import org.junit.Test;
|
import org.junit.Test;
|
||||||
|
import org.mortbay.jetty.AbstractConnector;
|
||||||
import org.mortbay.jetty.Connector;
|
import org.mortbay.jetty.Connector;
|
||||||
import org.mortbay.jetty.Server;
|
import org.mortbay.jetty.Server;
|
||||||
import org.mortbay.jetty.servlet.Context;
|
import org.mortbay.jetty.servlet.Context;
|
||||||
@ -658,7 +659,7 @@ protected org.apache.hadoop.conf.Configuration getProxyuserConfiguration(
|
|||||||
org.apache.hadoop.conf.Configuration conf =
|
org.apache.hadoop.conf.Configuration conf =
|
||||||
new org.apache.hadoop.conf.Configuration(false);
|
new org.apache.hadoop.conf.Configuration(false);
|
||||||
conf.set("proxyuser.client.users", OK_USER);
|
conf.set("proxyuser.client.users", OK_USER);
|
||||||
conf.set("proxyuser.client.hosts", "localhost");
|
conf.set("proxyuser.client.hosts", "127.0.0.1");
|
||||||
return conf;
|
return conf;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -752,6 +753,7 @@ private void testKerberosDelegationTokenAuthenticator(
|
|||||||
Context context = new Context();
|
Context context = new Context();
|
||||||
context.setContextPath("/foo");
|
context.setContextPath("/foo");
|
||||||
jetty.setHandler(context);
|
jetty.setHandler(context);
|
||||||
|
((AbstractConnector)jetty.getConnectors()[0]).setResolveNames(true);
|
||||||
context.addFilter(new FilterHolder(KDTAFilter.class), "/*", 0);
|
context.addFilter(new FilterHolder(KDTAFilter.class), "/*", 0);
|
||||||
context.addServlet(new ServletHolder(UserServlet.class), "/bar");
|
context.addServlet(new ServletHolder(UserServlet.class), "/bar");
|
||||||
try {
|
try {
|
||||||
@ -969,4 +971,56 @@ public Void run() throws Exception {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
public static class IpAddressBasedPseudoDTAFilter extends PseudoDTAFilter {
|
||||||
|
@Override
|
||||||
|
protected org.apache.hadoop.conf.Configuration getProxyuserConfiguration
|
||||||
|
(FilterConfig filterConfig) throws ServletException {
|
||||||
|
org.apache.hadoop.conf.Configuration configuration = super
|
||||||
|
.getProxyuserConfiguration(filterConfig);
|
||||||
|
configuration.set("proxyuser.foo.hosts", "127.0.0.1");
|
||||||
|
return configuration;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
public void testIpaddressCheck() throws Exception {
|
||||||
|
final Server jetty = createJettyServer();
|
||||||
|
((AbstractConnector)jetty.getConnectors()[0]).setResolveNames(true);
|
||||||
|
Context context = new Context();
|
||||||
|
context.setContextPath("/foo");
|
||||||
|
jetty.setHandler(context);
|
||||||
|
|
||||||
|
context.addFilter(new FilterHolder(IpAddressBasedPseudoDTAFilter.class), "/*", 0);
|
||||||
|
context.addServlet(new ServletHolder(UGIServlet.class), "/bar");
|
||||||
|
|
||||||
|
try {
|
||||||
|
jetty.start();
|
||||||
|
final URL url = new URL(getJettyURL() + "/foo/bar");
|
||||||
|
|
||||||
|
UserGroupInformation ugi = UserGroupInformation.createRemoteUser(FOO_USER);
|
||||||
|
ugi.doAs(new PrivilegedExceptionAction<Void>() {
|
||||||
|
@Override
|
||||||
|
public Void run() throws Exception {
|
||||||
|
DelegationTokenAuthenticatedURL.Token token =
|
||||||
|
new DelegationTokenAuthenticatedURL.Token();
|
||||||
|
DelegationTokenAuthenticatedURL aUrl =
|
||||||
|
new DelegationTokenAuthenticatedURL();
|
||||||
|
|
||||||
|
// user ok-user via proxyuser foo
|
||||||
|
HttpURLConnection conn = aUrl.openConnection(url, token, OK_USER);
|
||||||
|
Assert.assertEquals(HttpURLConnection.HTTP_OK,
|
||||||
|
conn.getResponseCode());
|
||||||
|
List<String> ret = IOUtils.readLines(conn.getInputStream());
|
||||||
|
Assert.assertEquals(1, ret.size());
|
||||||
|
Assert.assertEquals("realugi=" + FOO_USER +":remoteuser=" + OK_USER +
|
||||||
|
":ugi=" + OK_USER, ret.get(0));
|
||||||
|
|
||||||
|
return null;
|
||||||
|
}
|
||||||
|
});
|
||||||
|
} finally {
|
||||||
|
jetty.stop();
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
}
|
}
|
||||||
|
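Review bot: `testIpaddressCheck` hard-codes the loopback address as `127.0.0.1` in `IpAddressBasedPseudoDTAFilter`, so if `getJettyURL()` (defined outside the hunk) ever resolves to an IPv6 loopback the request would arrive from `::1` and the proxy-user assertion would fail for a reason unrelated to the fix; the `127.0.0.1` in the `getProxyuserConfiguration` hunk at `@ -658,7 +659,7` has the same dependency. The `setResolveNames(true)` calls, here and in `testKerberosDelegationTokenAuthenticator`, presumably carry the whole intent of the test — without name resolution `getRemoteHost()` would likely already return the address and the regression would not be observable — yet neither call says so. A comment such as `// Make Jetty reverse-resolve the peer so getRemoteHost() yields a host name; the filter must still authorize by address.` would make that explicit, and a short Javadoc on `IpAddressBasedPseudoDTAFilter` stating that it grants `foo` proxy rights only from the loopback address would complete it.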