HADOOP-6647. balancer fails with "is not authorized for protocol interface NamenodeProtocol" in secure environment

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@963490 13f79535-47bb-0310-9956-ffa450edef68
This commit is contained in:
Boris Shkolnik 2010-07-12 21:18:47 +00:00
parent 4ff2991849
commit 6ba9b70d85
2 changed files with 20 additions and 1 deletions

View File

@ -117,6 +117,9 @@ Trunk (unreleased changes)
HADOOP-6648. Adds a check for null tokens in Credentials.addToken api.
(ddas)
HADOOP-6647. balancer fails with "is not authorized for protocol
interface NamenodeProtocol" in secure environment (boryas)
Release 0.21.0 - Unreleased

View File

@ -17,6 +17,7 @@
*/
package org.apache.hadoop.security.authorize;
import java.io.IOException;
import java.util.IdentityHashMap;
import java.util.Map;
@ -27,6 +28,7 @@
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.CommonConfigurationKeys;
import org.apache.hadoop.security.KerberosInfo;
import org.apache.hadoop.security.KerberosName;
import org.apache.hadoop.security.UserGroupInformation;
/**
@ -37,6 +39,8 @@
@InterfaceStability.Evolving
public class ServiceAuthorizationManager {
private static final String HADOOP_POLICY_FILE = "hadoop-policy.xml";
private static final Log LOG = LogFactory
.getLog(ServiceAuthorizationManager.class);
private static Map<Class<?>, AccessControlList> protocolToAcl =
new IdentityHashMap<Class<?>, AccessControlList>();
@ -85,7 +89,19 @@ public static void authorize(UserGroupInformation user,
clientPrincipal = conf.get(clientKey);
}
}
if((clientPrincipal != null && !clientPrincipal.equals(user.getUserName())) ||
// when authorizing use the short name only
String shortName = clientPrincipal;
if(clientPrincipal != null ) {
try {
shortName = new KerberosName(clientPrincipal).getShortName();
} catch (IOException e) {
LOG.warn("couldn't get short name from " + clientPrincipal, e);
// just keep going
}
}
LOG.debug("for protocol authorization compare (" + clientPrincipal + "): "
+ shortName + " with " + user.getShortUserName());
if((shortName != null && !shortName.equals(user.getShortUserName())) ||
!acl.isUserAllowed(user)) {
AUDITLOG.warn(AUTHZ_FAILED_FOR + user + " for protocol="+protocol);
throw new AuthorizationException("User " + user +