diff --git a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt index 0e0995514d..930444bec8 100644 --- a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt +++ b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt @@ -100,6 +100,8 @@ Trunk (unreleased changes) HDFS-2403. NamenodeWebHdfsMethods.generateDelegationToken(..) does not use the renewer parameter. (szetszwo) + HDFS-2409. _HOST in dfs.web.authentication.kerberos.principal. (jitendra) + Release 0.23.0 - Unreleased INCOMPATIBLE CHANGES diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DFSConfigKeys.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DFSConfigKeys.java index c10d185acf..9c53bc0879 100644 --- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DFSConfigKeys.java +++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DFSConfigKeys.java @@ -282,4 +282,6 @@ public class DFSConfigKeys extends CommonConfigurationKeys { public static final String DFS_NAMENODE_DU_RESERVED_KEY = "dfs.namenode.resource.du.reserved"; public static final long DFS_NAMENODE_DU_RESERVED_DEFAULT = 1024 * 1024 * 100; // 100 MB public static final String DFS_NAMENODE_CHECKED_VOLUMES_KEY = "dfs.namenode.resource.checked.volumes"; + public static final String DFS_WEB_AUTHENTICATION_KERBEROS_PRINCIPAL_KEY = "dfs.web.authentication.kerberos.principal"; + public static final String DFS_WEB_AUTHENTICATION_KERBEROS_KEYTAB_KEY = "dfs.web.authentication.kerberos.keytab"; } diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/NameNodeHttpServer.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/NameNodeHttpServer.java index 2aa1fba5bc..56191433ff 100644 --- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/NameNodeHttpServer.java +++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/NameNodeHttpServer.java @@ -20,6 +20,8 @@ import java.io.IOException; import java.net.InetSocketAddress; import java.security.PrivilegedExceptionAction; +import java.util.HashMap; +import java.util.Map; import javax.servlet.ServletContext; @@ -108,7 +110,8 @@ public HttpServer run() throws IOException, InterruptedException { final String name = "SPNEGO"; final String classname = AuthFilter.class.getName(); final String pathSpec = "/" + WebHdfsFileSystem.PATH_PREFIX + "/*"; - defineFilter(webAppContext, name, classname, null, + Map params = getAuthFilterParams(conf); + defineFilter(webAppContext, name, classname, params, new String[]{pathSpec}); LOG.info("Added filter '" + name + "' (class=" + classname + ")"); @@ -118,6 +121,30 @@ public HttpServer run() throws IOException, InterruptedException { + ";" + Param.class.getPackage().getName(), pathSpec); } } + + private Map getAuthFilterParams(Configuration conf) + throws IOException { + Map params = new HashMap(); + String principalInConf = conf + .get(DFSConfigKeys.DFS_WEB_AUTHENTICATION_KERBEROS_PRINCIPAL_KEY); + if (principalInConf != null && !principalInConf.isEmpty()) { + params + .put( + DFSConfigKeys.DFS_WEB_AUTHENTICATION_KERBEROS_PRINCIPAL_KEY, + SecurityUtil.getServerPrincipal(principalInConf, + infoHost)); + } + String httpKeytab = conf + .get(DFSConfigKeys.DFS_WEB_AUTHENTICATION_KERBEROS_KEYTAB_KEY); + if (httpKeytab != null && !httpKeytab.isEmpty()) { + params.put( + DFSConfigKeys.DFS_WEB_AUTHENTICATION_KERBEROS_KEYTAB_KEY, + httpKeytab); + } + params.put("kerberos.name.rules", + conf.get("hadoop.security.auth_to_local", "DEFAULT")); + return params; + } }; boolean certSSL = conf.getBoolean("dfs.https.enable", false); diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/web/AuthFilter.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/web/AuthFilter.java index 6e5a8dd1d9..6c3f800668 100644 --- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/web/AuthFilter.java +++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/web/AuthFilter.java @@ -17,12 +17,11 @@ */ package org.apache.hadoop.hdfs.web; -import java.util.Map; import java.util.Properties; import javax.servlet.FilterConfig; +import javax.servlet.ServletException; -import org.apache.hadoop.conf.Configuration; import org.apache.hadoop.security.UserGroupInformation; import org.apache.hadoop.security.authentication.server.AuthenticationFilter; import org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler; @@ -41,30 +40,21 @@ public class AuthFilter extends AuthenticationFilter { * The prefix is removed from the returned property names. * * @param prefix parameter not used. - * @param config parameter not used. + * @param config parameter contains the initialization values. * @return Hadoop-Auth configuration properties. + * @throws ServletException */ @Override - protected Properties getConfiguration(String prefix, FilterConfig config) { - final Configuration conf = new Configuration(); - final Properties p = new Properties(); - - //set authentication type + protected Properties getConfiguration(String prefix, FilterConfig config) + throws ServletException { + final Properties p = super.getConfiguration(CONF_PREFIX, config); + // set authentication type p.setProperty(AUTH_TYPE, UserGroupInformation.isSecurityEnabled()? KerberosAuthenticationHandler.TYPE: PseudoAuthenticationHandler.TYPE); //For Pseudo Authentication, allow anonymous. p.setProperty(PseudoAuthenticationHandler.ANONYMOUS_ALLOWED, "true"); //set cookie path p.setProperty(COOKIE_PATH, "/"); - - //set other configurations with CONF_PREFIX - for (Map.Entry entry : conf) { - final String key = entry.getKey(); - if (key.startsWith(CONF_PREFIX)) { - //remove prefix from the key and set property - p.setProperty(key.substring(CONF_PREFIX.length()), conf.get(key)); - } - } - return p; + return p; } } \ No newline at end of file diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/web/resources/UserProvider.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/web/resources/UserProvider.java index 813b64bfcc..8906fbfcf1 100644 --- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/web/resources/UserProvider.java +++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/web/resources/UserProvider.java @@ -20,6 +20,7 @@ import java.io.IOException; import java.lang.reflect.Type; +import javax.servlet.ServletContext; import javax.servlet.http.HttpServletRequest; import javax.ws.rs.core.Context; import javax.ws.rs.ext.Provider; @@ -42,11 +43,12 @@ public class UserProvider extends AbstractHttpContextInjectable implements InjectableProvider { @Context HttpServletRequest request; + @Context ServletContext servletcontext; @Override public UserGroupInformation getValue(final HttpContext context) { - final Configuration conf = (Configuration)context.getProperties().get( - JspHelper.CURRENT_CONF); + final Configuration conf = (Configuration) servletcontext + .getAttribute(JspHelper.CURRENT_CONF); try { return JspHelper.getUGI(null, request, conf, AuthenticationMethod.KERBEROS, false); diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/web/TestAuthFilter.java b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/web/TestAuthFilter.java new file mode 100644 index 0000000000..0d6ff189ed --- /dev/null +++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/web/TestAuthFilter.java @@ -0,0 +1,78 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.hadoop.hdfs.web; + +import java.util.Collections; +import java.util.Enumeration; +import java.util.HashMap; +import java.util.Map; +import java.util.Properties; + +import javax.servlet.FilterConfig; +import javax.servlet.ServletContext; +import javax.servlet.ServletException; + +import org.apache.hadoop.hdfs.DFSConfigKeys; +import org.apache.hadoop.security.authentication.server.PseudoAuthenticationHandler; +import org.junit.Assert; +import org.junit.Test; + +public class TestAuthFilter { + + private static class DummyFilterConfig implements FilterConfig { + final Map map; + + DummyFilterConfig(Map map) { + this.map = map; + } + + @Override + public String getFilterName() { + return "dummy"; + } + @Override + public String getInitParameter(String arg0) { + return map.get(arg0); + } + @Override + public Enumeration getInitParameterNames() { + return Collections.enumeration(map.keySet()); + } + @Override + public ServletContext getServletContext() { + return null; + } + } + + @Test + public void testGetConfiguration() throws ServletException { + AuthFilter filter = new AuthFilter(); + Map m = new HashMap(); + m.put(DFSConfigKeys.DFS_WEB_AUTHENTICATION_KERBEROS_PRINCIPAL_KEY, + "xyz/thehost@REALM"); + m.put(DFSConfigKeys.DFS_WEB_AUTHENTICATION_KERBEROS_KEYTAB_KEY, + "thekeytab"); + FilterConfig config = new DummyFilterConfig(m); + Properties p = filter.getConfiguration("random", config); + Assert.assertEquals("xyz/thehost@REALM", + p.getProperty("kerberos.principal")); + Assert.assertEquals("thekeytab", p.getProperty("kerberos.keytab")); + Assert.assertEquals("true", + p.getProperty(PseudoAuthenticationHandler.ANONYMOUS_ALLOWED)); + } +}