HDFS-2361. hftp is broken, fixed username checks in JspHelper.
git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1176729 13f79535-47bb-0310-9956-ffa450edef68
This commit is contained in:
parent
59265d6ed8
commit
825f9c80a4
@ -78,6 +78,8 @@ Trunk (unreleased changes)
|
|||||||
HDFS-2373. Commands using webhdfs and hftp print unnecessary debug
|
HDFS-2373. Commands using webhdfs and hftp print unnecessary debug
|
||||||
info on the console with security enabled. (Arpit Gupta via suresh)
|
info on the console with security enabled. (Arpit Gupta via suresh)
|
||||||
|
|
||||||
|
HDFS-2361. hftp is broken, fixed username checks in JspHelper. (jitendra)
|
||||||
|
|
||||||
Release 0.23.0 - Unreleased
|
Release 0.23.0 - Unreleased
|
||||||
|
|
||||||
INCOMPATIBLE CHANGES
|
INCOMPATIBLE CHANGES
|
||||||
|
@ -60,6 +60,7 @@
|
|||||||
import org.apache.hadoop.io.Text;
|
import org.apache.hadoop.io.Text;
|
||||||
import org.apache.hadoop.net.NetUtils;
|
import org.apache.hadoop.net.NetUtils;
|
||||||
import org.apache.hadoop.security.AccessControlException;
|
import org.apache.hadoop.security.AccessControlException;
|
||||||
|
import org.apache.hadoop.security.authentication.util.KerberosName;
|
||||||
import org.apache.hadoop.security.UserGroupInformation;
|
import org.apache.hadoop.security.UserGroupInformation;
|
||||||
import org.apache.hadoop.security.UserGroupInformation.AuthenticationMethod;
|
import org.apache.hadoop.security.UserGroupInformation.AuthenticationMethod;
|
||||||
import org.apache.hadoop.security.token.Token;
|
import org.apache.hadoop.security.token.Token;
|
||||||
@ -552,7 +553,8 @@ public static UserGroupInformation getUGI(ServletContext context,
|
|||||||
DelegationTokenIdentifier id = new DelegationTokenIdentifier();
|
DelegationTokenIdentifier id = new DelegationTokenIdentifier();
|
||||||
id.readFields(in);
|
id.readFields(in);
|
||||||
ugi = id.getUser();
|
ugi = id.getUser();
|
||||||
checkUsername(ugi.getUserName(), user);
|
checkUsername(ugi.getShortUserName(), usernameFromQuery);
|
||||||
|
checkUsername(ugi.getShortUserName(), user);
|
||||||
ugi.addToken(token);
|
ugi.addToken(token);
|
||||||
ugi.setAuthenticationMethod(AuthenticationMethod.TOKEN);
|
ugi.setAuthenticationMethod(AuthenticationMethod.TOKEN);
|
||||||
} else {
|
} else {
|
||||||
@ -561,13 +563,11 @@ public static UserGroupInformation getUGI(ServletContext context,
|
|||||||
"authenticated by filter");
|
"authenticated by filter");
|
||||||
}
|
}
|
||||||
ugi = UserGroupInformation.createRemoteUser(user);
|
ugi = UserGroupInformation.createRemoteUser(user);
|
||||||
|
checkUsername(ugi.getShortUserName(), usernameFromQuery);
|
||||||
// This is not necessarily true, could have been auth'ed by user-facing
|
// This is not necessarily true, could have been auth'ed by user-facing
|
||||||
// filter
|
// filter
|
||||||
ugi.setAuthenticationMethod(secureAuthMethod);
|
ugi.setAuthenticationMethod(secureAuthMethod);
|
||||||
}
|
}
|
||||||
|
|
||||||
checkUsername(user, usernameFromQuery);
|
|
||||||
|
|
||||||
} else { // Security's not on, pull from url
|
} else { // Security's not on, pull from url
|
||||||
ugi = usernameFromQuery == null?
|
ugi = usernameFromQuery == null?
|
||||||
getDefaultWebUser(conf) // not specified in request
|
getDefaultWebUser(conf) // not specified in request
|
||||||
@ -580,10 +580,18 @@ public static UserGroupInformation getUGI(ServletContext context,
|
|||||||
return ugi;
|
return ugi;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Expected user name should be a short name.
|
||||||
|
*/
|
||||||
private static void checkUsername(final String expected, final String name
|
private static void checkUsername(final String expected, final String name
|
||||||
) throws IOException {
|
) throws IOException {
|
||||||
if (name != null && !name.equals(expected)) {
|
if (name == null) {
|
||||||
throw new IOException("Usernames not matched: name=" + name
|
return;
|
||||||
|
}
|
||||||
|
KerberosName u = new KerberosName(name);
|
||||||
|
String shortName = u.getShortName();
|
||||||
|
if (!shortName.equals(expected)) {
|
||||||
|
throw new IOException("Usernames not matched: name=" + shortName
|
||||||
+ " != expected=" + expected);
|
+ " != expected=" + expected);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
Loading…
Reference in New Issue
Block a user