diff --git a/CHANGES.txt b/CHANGES.txt
index b410737551..9eb1bf6851 100644
--- a/CHANGES.txt
+++ b/CHANGES.txt
@@ -117,6 +117,9 @@ Trunk (unreleased changes)
 HADOOP-6648. Adds a check for null tokens in Credentials.addToken api. (ddas)
+
+ HADOOP-6647. balancer fails with "is not authorized for protocol
+ interface NamenodeProtocol" in secure environment (boryas)
 Release 0.21.0 - Unreleased
diff --git a/src/java/org/apache/hadoop/security/authorize/ServiceAuthorizationManager.java b/src/java/org/apache/hadoop/security/authorize/ServiceAuthorizationManager.java
index e6bd5afc64..1c4e504e04 100644
--- a/src/java/org/apache/hadoop/security/authorize/ServiceAuthorizationManager.java
+++ b/src/java/org/apache/hadoop/security/authorize/ServiceAuthorizationManager.java
@@ -17,6 +17,7 @@
 */
 package org.apache.hadoop.security.authorize;
+import java.io.IOException;
 import java.util.IdentityHashMap;
 import java.util.Map;
@@ -27,6 +28,7 @@
 import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.fs.CommonConfigurationKeys;
 import org.apache.hadoop.security.KerberosInfo;
+import org.apache.hadoop.security.KerberosName;
 import org.apache.hadoop.security.UserGroupInformation;
 /**
@@ -37,6 +39,8 @@
 @InterfaceStability.Evolving
 public class ServiceAuthorizationManager {
 private static final String HADOOP_POLICY_FILE = "hadoop-policy.xml";
+ private static final Log LOG = LogFactory .getLog(ServiceAuthorizationManager.class);
 private static Map, AccessControlList> protocolToAcl = new IdentityHashMap, AccessControlList>();
@@ -85,7 +89,19 @@ public static void authorize(UserGroupInformation user,
 clientPrincipal = conf.get(clientKey);
 }
 }
- if((clientPrincipal != null && !clientPrincipal.equals(user.getUserName())) ||
+ // when authorizing use the short name only
+ String shortName = clientPrincipal;
+ if(clientPrincipal != null ) {
+ try {
+ shortName = new KerberosName(clientPrincipal).getShortName();
+ } catch (IOException e) {
+ LOG.warn("couldn't get short name from " + clientPrincipal, e);
+ // just keep going
+ }
+ }
+ LOG.debug("for protocol authorization compare (" + clientPrincipal + "): " + + shortName + " with " + user.getShortUserName());
+ if((shortName != null && !shortName.equals(user.getShortUserName())) ||
 !acl.isUserAllowed(user)) {
 AUDITLOG.warn(AUTHZ_FAILED_FOR + user + " for protocol="+protocol);
 throw new AuthorizationException("User " + user +
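Review bot: On the `catch (IOException e)` path `shortName` is left equal to the full `clientPrincipal`, which the next `if` then compares against `user.getShortUserName()`; a full principal does not equal a short user name, so that fallback denies the request rather than "keeping going" as the `// just keep going` comment suggests. Fail-closed is the right outcome here, but the comment should say so, e.g. `// fall back to the full principal: it cannot match a short user name, so the check below denies access`. Comparing short names also means that every principal the `KerberosName` mapping rules reduce to the same short name passes this part of the check, leaving `acl.isUserAllowed(user)` as the control that still distinguishes callers, which is worth one sentence in the comment above `String shortName`. The string-built `LOG.debug(...)` runs its concatenation on every call and should be guarded with `if (LOG.isDebugEnabled())`. The enclosing `authorize` method starts before this hunk.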