HDFS-2361. hftp is broken, fixed username checks in JspHelper.

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1176729 13f79535-47bb-0310-9956-ffa450edef68
Jitendra Nath Pandey 2011-09-28 05:29:09 +00:00
parent 59265d6ed8
commit 825f9c80a4
2 changed files with 16 additions and 6 deletions


@ -78,6 +78,8 @@ Trunk (unreleased changes)
HDFS-2373. Commands using webhdfs and hftp print unnecessary debug HDFS-2373. Commands using webhdfs and hftp print unnecessary debug
info on the console with security enabled. (Arpit Gupta via suresh) info on the console with security enabled. (Arpit Gupta via suresh)
HDFS-2361. hftp is broken, fixed username checks in JspHelper. (jitendra)
Release 0.23.0 - Unreleased Release 0.23.0 - Unreleased
INCOMPATIBLE CHANGES INCOMPATIBLE CHANGES


@ -60,6 +60,7 @@
import org.apache.hadoop.io.Text; import org.apache.hadoop.io.Text;
import org.apache.hadoop.net.NetUtils; import org.apache.hadoop.net.NetUtils;
import org.apache.hadoop.security.AccessControlException; import org.apache.hadoop.security.AccessControlException;
import org.apache.hadoop.security.authentication.util.KerberosName;
import org.apache.hadoop.security.UserGroupInformation; import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.UserGroupInformation.AuthenticationMethod; import org.apache.hadoop.security.UserGroupInformation.AuthenticationMethod;
import org.apache.hadoop.security.token.Token; import org.apache.hadoop.security.token.Token;
@ -552,7 +553,8 @@ public static UserGroupInformation getUGI(ServletContext context,
DelegationTokenIdentifier id = new DelegationTokenIdentifier(); DelegationTokenIdentifier id = new DelegationTokenIdentifier();
id.readFields(in); id.readFields(in);
ugi = id.getUser(); ugi = id.getUser();
checkUsername(ugi.getUserName(), user); checkUsername(ugi.getShortUserName(), usernameFromQuery);
checkUsername(ugi.getShortUserName(), user);
ugi.addToken(token); ugi.addToken(token);
ugi.setAuthenticationMethod(AuthenticationMethod.TOKEN); ugi.setAuthenticationMethod(AuthenticationMethod.TOKEN);
} else { } else {
@ -561,13 +563,11 @@ public static UserGroupInformation getUGI(ServletContext context,
"authenticated by filter"); "authenticated by filter");
} }
ugi = UserGroupInformation.createRemoteUser(user); ugi = UserGroupInformation.createRemoteUser(user);
checkUsername(ugi.getShortUserName(), usernameFromQuery);
// This is not necessarily true, could have been auth'ed by user-facing // This is not necessarily true, could have been auth'ed by user-facing
// filter // filter
ugi.setAuthenticationMethod(secureAuthMethod); ugi.setAuthenticationMethod(secureAuthMethod);
} }
checkUsername(user, usernameFromQuery);
} else { // Security's not on, pull from url } else { // Security's not on, pull from url
ugi = usernameFromQuery == null? ugi = usernameFromQuery == null?
getDefaultWebUser(conf) // not specified in request getDefaultWebUser(conf) // not specified in request
@ -580,10 +580,18 @@ public static UserGroupInformation getUGI(ServletContext context,
return ugi; return ugi;
} }
/**
* Expected user name should be a short name.
*/
private static void checkUsername(final String expected, final String name private static void checkUsername(final String expected, final String name
) throws IOException { ) throws IOException {
if (name != null && !name.equals(expected)) { if (name == null) {
throw new IOException("Usernames not matched: name=" + name return;
}
KerberosName u = new KerberosName(name);
String shortName = u.getShortName();
if (!shortName.equals(expected)) {
throw new IOException("Usernames not matched: name=" + shortName
+ " != expected=" + expected); + " != expected=" + expected);
} }
} }
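Review bot: `checkUsername` now reduces `name` to its mapped short name before comparing, so the realm part of a principal no longer takes part in the check, and the new javadoc does not say so. Whether principals from different realms can map to the same short name depends on the configured `auth_to_local` rules, which are not visible here, so the behaviour is worth stating on the method. I would extend the javadoc to something like `Compares the short name derived from name (which may be a full Kerberos principal) with expected, which must already be a short name; a null name skips the check.` Separately, `name` is the request-supplied `usernameFromQuery` at two of the call sites in `getUGI` (whose body starts outside these hunks). As far as I know, `new KerberosName(name)` can reject a malformed value with an unchecked exception rather than the `IOException` this method declares, so please confirm and, if so, convert it to an `IOException` so callers see one failure type.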