HADOOP-6647. balancer fails with "is not authorized for protocol interface NamenodeProtocol" in secure environment
git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@963490 13f79535-47bb-0310-9956-ffa450edef68
This commit is contained in:
parent
4ff2991849
commit
6ba9b70d85
@ -117,6 +117,9 @@ Trunk (unreleased changes)
|
||||
|
||||
HADOOP-6648. Adds a check for null tokens in Credentials.addToken api.
|
||||
(ddas)
|
||||
|
||||
HADOOP-6647. balancer fails with "is not authorized for protocol
|
||||
interface NamenodeProtocol" in secure environment (boryas)
|
||||
|
||||
Release 0.21.0 - Unreleased
|
||||
|
||||
|
@ -17,6 +17,7 @@
|
||||
*/
|
||||
package org.apache.hadoop.security.authorize;
|
||||
|
||||
import java.io.IOException;
|
||||
import java.util.IdentityHashMap;
|
||||
import java.util.Map;
|
||||
|
||||
@ -27,6 +28,7 @@
|
||||
import org.apache.hadoop.conf.Configuration;
|
||||
import org.apache.hadoop.fs.CommonConfigurationKeys;
|
||||
import org.apache.hadoop.security.KerberosInfo;
|
||||
import org.apache.hadoop.security.KerberosName;
|
||||
import org.apache.hadoop.security.UserGroupInformation;
|
||||
|
||||
/**
|
||||
@ -37,6 +39,8 @@
|
||||
@InterfaceStability.Evolving
|
||||
public class ServiceAuthorizationManager {
|
||||
private static final String HADOOP_POLICY_FILE = "hadoop-policy.xml";
|
||||
private static final Log LOG = LogFactory
|
||||
.getLog(ServiceAuthorizationManager.class);
|
||||
|
||||
private static Map<Class<?>, AccessControlList> protocolToAcl =
|
||||
new IdentityHashMap<Class<?>, AccessControlList>();
|
||||
@ -85,7 +89,19 @@ public static void authorize(UserGroupInformation user,
|
||||
clientPrincipal = conf.get(clientKey);
|
||||
}
|
||||
}
|
||||
if((clientPrincipal != null && !clientPrincipal.equals(user.getUserName())) ||
|
||||
// when authorizing use the short name only
|
||||
String shortName = clientPrincipal;
|
||||
if(clientPrincipal != null ) {
|
||||
try {
|
||||
shortName = new KerberosName(clientPrincipal).getShortName();
|
||||
} catch (IOException e) {
|
||||
LOG.warn("couldn't get short name from " + clientPrincipal, e);
|
||||
// just keep going
|
||||
}
|
||||
}
|
||||
LOG.debug("for protocol authorization compare (" + clientPrincipal + "): "
|
||||
+ shortName + " with " + user.getShortUserName());
|
||||
if((shortName != null && !shortName.equals(user.getShortUserName())) ||
|
||||
!acl.isUserAllowed(user)) {
|
||||
AUDITLOG.warn(AUTHZ_FAILED_FOR + user + " for protocol="+protocol);
|
||||
throw new AuthorizationException("User " + user +
|
||||
|
Loading…
Reference in New Issue
Block a user