HADOOP-11704. DelegationTokenAuthenticationFilter must pass ipaddress instead of hostname to ProxyUsers#authorize (Anubhav Dhoot via asuresh)
parent
dfc1c4c303
commit
424a00daa0
@ -519,6 +519,9 @@ Release 2.8.0 - UNRELEASED
|
||||
HADOOP-11811. Fix typos in hadoop-project/pom.xml and TestAccessControlList.
|
||||
(Brahma Reddy Battula via ozawa)
|
||||
|
||||
HADOOP-11704. DelegationTokenAuthenticationFilter must pass ipaddress
|
||||
instead of hostname to ProxyUsers#authorize (Anubhav Dhoot via asuresh)
|
||||
|
||||
Release 2.7.1 - UNRELEASED
|
||||
|
||||
INCOMPATIBLE CHANGES
|
||||
|
@ -239,7 +239,7 @@ protected void doFilter(FilterChain filterChain, HttpServletRequest request,
|
||||
if (doAsUser != null) {
|
||||
ugi = UserGroupInformation.createProxyUser(doAsUser, ugi);
|
||||
try {
|
||||
ProxyUsers.authorize(ugi, request.getRemoteHost());
|
||||
ProxyUsers.authorize(ugi, request.getRemoteAddr());
|
||||
} catch (AuthorizationException ex) {
|
||||
HttpExceptionUtils.createServletExceptionResponse(response,
|
||||
HttpServletResponse.SC_FORBIDDEN, ex);
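Review bot: The new `ProxyUsers.authorize(ugi, request.getRemoteAddr());` call in doFilter carries no comment saying why the address form is required, so a later cleanup could quietly restore `getRemoteHost()`, whose value depends on whether the container does reverse-DNS lookups. I would add `// Authorize on the peer IP: getRemoteHost() may return a reverse-resolved name, which must not decide proxyuser host ACLs.` above the call. It is also worth documenting that `getRemoteAddr()` is the address of the immediate peer, so behind a reverse proxy or load balancer the `proxyuser.*.hosts` check is applied to the proxy's address rather than the original client's. The same comment applies to the identical change in the managementOperation hunk; doFilter's body continues outside this hunk.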
|
||||
|
@ -199,7 +199,7 @@ public boolean managementOperation(AuthenticationToken token,
|
||||
requestUgi = UserGroupInformation.createProxyUser(
|
||||
doAsUser, requestUgi);
|
||||
try {
|
||||
ProxyUsers.authorize(requestUgi, request.getRemoteHost());
|
||||
ProxyUsers.authorize(requestUgi, request.getRemoteAddr());
|
||||
} catch (AuthorizationException ex) {
|
||||
HttpExceptionUtils.createServletExceptionResponse(response,
|
||||
HttpServletResponse.SC_FORBIDDEN, ex);
|
||||
|
@ -35,6 +35,7 @@
|
||||
import org.junit.Assert;
|
||||
import org.junit.Before;
|
||||
import org.junit.Test;
|
||||
import org.mortbay.jetty.AbstractConnector;
|
||||
import org.mortbay.jetty.Connector;
|
||||
import org.mortbay.jetty.Server;
|
||||
import org.mortbay.jetty.servlet.Context;
|
||||
@ -658,7 +659,7 @@ protected org.apache.hadoop.conf.Configuration getProxyuserConfiguration(
|
||||
org.apache.hadoop.conf.Configuration conf =
|
||||
new org.apache.hadoop.conf.Configuration(false);
|
||||
conf.set("proxyuser.client.users", OK_USER);
|
||||
conf.set("proxyuser.client.hosts", "localhost");
|
||||
conf.set("proxyuser.client.hosts", "127.0.0.1");
|
||||
return conf;
|
||||
}
|
||||
}
|
||||
@ -752,6 +753,7 @@ private void testKerberosDelegationTokenAuthenticator(
|
||||
Context context = new Context();
|
||||
context.setContextPath("/foo");
|
||||
jetty.setHandler(context);
|
||||
((AbstractConnector)jetty.getConnectors()[0]).setResolveNames(true);
|
||||
context.addFilter(new FilterHolder(KDTAFilter.class), "/*", 0);
|
||||
context.addServlet(new ServletHolder(UserServlet.class), "/bar");
|
||||
try {
|
||||
@ -969,4 +971,56 @@ public Void run() throws Exception {
|
||||
}
|
||||
}
|
||||
|
||||
public static class IpAddressBasedPseudoDTAFilter extends PseudoDTAFilter {
|
||||
@Override
|
||||
protected org.apache.hadoop.conf.Configuration getProxyuserConfiguration
|
||||
(FilterConfig filterConfig) throws ServletException {
|
||||
org.apache.hadoop.conf.Configuration configuration = super
|
||||
.getProxyuserConfiguration(filterConfig);
|
||||
configuration.set("proxyuser.foo.hosts", "127.0.0.1");
|
||||
return configuration;
|
||||
}
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testIpaddressCheck() throws Exception {
|
||||
final Server jetty = createJettyServer();
|
||||
((AbstractConnector)jetty.getConnectors()[0]).setResolveNames(true);
|
||||
Context context = new Context();
|
||||
context.setContextPath("/foo");
|
||||
jetty.setHandler(context);
|
||||
|
||||
context.addFilter(new FilterHolder(IpAddressBasedPseudoDTAFilter.class), "/*", 0);
|
||||
context.addServlet(new ServletHolder(UGIServlet.class), "/bar");
|
||||
|
||||
try {
|
||||
jetty.start();
|
||||
final URL url = new URL(getJettyURL() + "/foo/bar");
|
||||
|
||||
UserGroupInformation ugi = UserGroupInformation.createRemoteUser(FOO_USER);
|
||||
ugi.doAs(new PrivilegedExceptionAction<Void>() {
|
||||
@Override
|
||||
public Void run() throws Exception {
|
||||
DelegationTokenAuthenticatedURL.Token token =
|
||||
new DelegationTokenAuthenticatedURL.Token();
|
||||
DelegationTokenAuthenticatedURL aUrl =
|
||||
new DelegationTokenAuthenticatedURL();
|
||||
|
||||
// user ok-user via proxyuser foo
|
||||
HttpURLConnection conn = aUrl.openConnection(url, token, OK_USER);
|
||||
Assert.assertEquals(HttpURLConnection.HTTP_OK,
|
||||
conn.getResponseCode());
|
||||
List<String> ret = IOUtils.readLines(conn.getInputStream());
|
||||
Assert.assertEquals(1, ret.size());
|
||||
Assert.assertEquals("realugi=" + FOO_USER +":remoteuser=" + OK_USER +
|
||||
":ugi=" + OK_USER, ret.get(0));
|
||||
|
||||
return null;
|
||||
}
|
||||
});
|
||||
} finally {
|
||||
jetty.stop();
|
||||
}
|
||||
}
|
||||
|
||||
}
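Review bot: testIpaddressCheck asserts only the allowed path (`HTTP_OK` for a client whose address is listed in `proxyuser.foo.hosts`), and nothing in these hunks checks that a proxy request from an unlisted address is refused. A regression that made the host check permissive would therefore still pass. A sibling test whose filter lists an address the loopback client never has should expect a refusal. Whether that refusal surfaces as a 403 response code or as an exception from `openConnection` is not visible here, so confirm before settling the assertion. A one-line comment on `setResolveNames(true)` would also help, e.g. `// make getRemoteHost() return a name so a fallback to it would not match the IP-only ACL`.

```java
public static class UnlistedIpPseudoDTAFilter extends PseudoDTAFilter {
  @Override
  protected org.apache.hadoop.conf.Configuration getProxyuserConfiguration
      (FilterConfig filterConfig) throws ServletException {
    org.apache.hadoop.conf.Configuration configuration = super
        .getProxyuserConfiguration(filterConfig);
    // constructed sample: documentation-range address, never the loopback peer
    configuration.set("proxyuser.foo.hosts", "192.0.2.1");
    return configuration;
  }
}

@Test
public void testIpaddressCheckRejectsUnlistedAddress() throws Exception {
  // … unchanged: Jetty/context setup as in testIpaddressCheck, but registering
  //   UnlistedIpPseudoDTAFilter; FOO_USER doAs wrapper, token and aUrl creation …
  HttpURLConnection conn = aUrl.openConnection(url, token, OK_USER);
  Assert.assertEquals(HttpURLConnection.HTTP_FORBIDDEN,
      conn.getResponseCode());
  // … unchanged: return null, jetty.stop() in finally …
}
```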
|
||||
|