From 83e4b2b46962ba2f799ea5c92aa328a5f01e21b7 Mon Sep 17 00:00:00 2001
From: Aaron Myers
Date: Wed, 21 Sep 2011 16:09:44 +0000
Subject: [PATCH] HADOOP-7621. alfredo config should be in a file not readable by users (Alejandro Abdelnur via atm)
git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1173739 13f79535-47bb-0310-9956-ffa450edef68
---
.../hadoop-common/CHANGES.txt | 3 +++
.../content/xdocs/HttpAuthentication.xml | 8 +++---
.../AuthenticationFilterInitializer.java | 26 ++++++++++++++++++-
.../src/main/resources/core-default.xml | 4 +--
.../security/TestAuthenticationFilter.java | 16 +++++++++++-
hadoop-project/pom.xml | 22 ++++++++++++++++
6 files changed, 72 insertions(+), 7 deletions(-)
diff --git a/hadoop-common-project/hadoop-common/CHANGES.txt b/hadoop-common-project/hadoop-common/CHANGES.txt
index fe9710f5cd..6245bcf8f9 100644
--- a/hadoop-common-project/hadoop-common/CHANGES.txt
+++ b/hadoop-common-project/hadoop-common/CHANGES.txt
@@ -23,6 +23,9 @@ Trunk (unreleased changes)
 HADOOP-7641. Add Apache License to template config files (Eric Yang via atm)
+ HADOOP-7621. alfredo config should be in a file not readable by users
+ (Alejandro Abdelnur via atm)
+
 Release 0.23.0 - Unreleased INCOMPATIBLE CHANGES
diff --git a/hadoop-common-project/hadoop-common/src/main/docs/src/documentation/content/xdocs/HttpAuthentication.xml b/hadoop-common-project/hadoop-common/src/main/docs/src/documentation/content/xdocs/HttpAuthentication.xml
index 15abfbb044..5c756ac21c 100644
--- a/hadoop-common-project/hadoop-common/src/main/docs/src/documentation/content/xdocs/HttpAuthentication.xml
+++ b/hadoop-common-project/hadoop-common/src/main/docs/src/documentation/content/xdocs/HttpAuthentication.xml
@@ -82,10 +82,12 @@ 36000.

-

hadoop.http.authentication.signature.secret: The signature secret for - signing the authentication tokens. If not set a random secret is generated at +

hadoop.http.authentication.signature.secret.file: The signature secret + file for signing the authentication tokens. If not set a random secret is generated at startup time. The same secret should be used for all nodes in the cluster, JobTracker, - NameNode, DataNode and TastTracker. The default value is a hadoop value. + NameNode, DataNode and TastTracker. The default value is + ${user.home}/hadoop-http-auth-signature-secret. + IMPORTANT: This file should be readable only by the Unix user running the daemons.

hadoop.http.authentication.cookie.domain: The domain to use for the HTTP
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/AuthenticationFilterInitializer.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/AuthenticationFilterInitializer.java
index cd6ab7b326..666632d5bf 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/AuthenticationFilterInitializer.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/AuthenticationFilterInitializer.java
@@ -22,6 +22,9 @@
 import org.apache.hadoop.http.FilterContainer;
 import org.apache.hadoop.http.FilterInitializer;
+import java.io.FileReader;
+import java.io.IOException;
+import java.io.Reader;
 import java.util.HashMap;
 import java.util.Map;
@@ -40,8 +43,10 @@
 */
 public class AuthenticationFilterInitializer extends FilterInitializer {
- private static final String PREFIX = "hadoop.http.authentication.";
+ static final String PREFIX = "hadoop.http.authentication.";
+ static final String SIGNATURE_SECRET_FILE = AuthenticationFilter.SIGNATURE_SECRET + ".file";
+
 /**
 * Initializes Alfredo AuthenticationFilter.
 *

@@ -67,6 +72,25 @@ public void initFilter(FilterContainer container, Configuration conf) {
 }
 }
+ String signatureSecretFile = filterConfig.get(SIGNATURE_SECRET_FILE);
+ if (signatureSecretFile == null) {
+ throw new RuntimeException("Undefined property: " + SIGNATURE_SECRET_FILE);
+ }
+
+ try {
+ StringBuilder secret = new StringBuilder();
+ Reader reader = new FileReader(signatureSecretFile);
+ int c = reader.read();
+ while (c > -1) {
+ secret.append((char)c);
+ c = reader.read();
+ }
+ reader.close();
+ filterConfig.put(AuthenticationFilter.SIGNATURE_SECRET, secret.toString());
+ } catch (IOException ex) {
+ throw new RuntimeException("Could not read HTTP signature secret file: " + signatureSecretFile);
+ }
+
 container.addFilter("authentication", AuthenticationFilter.class.getName(), filterConfig);
diff --git a/hadoop-common-project/hadoop-common/src/main/resources/core-default.xml b/hadoop-common-project/hadoop-common/src/main/resources/core-default.xml
index d4b4030559..e34c202373 100644
--- a/hadoop-common-project/hadoop-common/src/main/resources/core-default.xml
+++ b/hadoop-common-project/hadoop-common/src/main/resources/core-default.xml
@@ -808,8 +808,8 @@
- hadoop.http.authentication.signature.secret
- hadoop
+ hadoop.http.authentication.signature.secret.file
+ ${user.home}/hadoop-http-auth-signature-secret
 The signature secret for signing the authentication tokens. If not set a random secret is generated at startup time.
diff --git a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestAuthenticationFilter.java b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestAuthenticationFilter.java
index 7a21e4c6b8..2d699ddcf1 100644
--- a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestAuthenticationFilter.java
+++ b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestAuthenticationFilter.java
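Review bot: The reader opened at `Reader reader = new FileReader(signatureSecretFile);` is never closed when a read() fails, and the catch block below it discards the IOException, so an unreadable or missing secret file aborts startup with no cause attached; close the reader in a finally and pass `ex` to the RuntimeException, as in the excerpt below. The whole file content becomes the secret, including any trailing newline an editor may add, so the put() call deserves a comment such as `// the entire file content is the secret (a trailing newline counts); it must be byte-identical on every node`. The core-default.xml hunk that follows keeps the description "If not set a random secret is generated at startup time", which no longer holds: this code throws when the property is undefined or the file cannot be read, and the description should say so. Nothing here checks that the file is readable only by the daemon user as the HttpAuthentication.xml hunk requires, so a line in the initFilter Javadoc stating that file permissions are not verified and must be enforced by deployment would keep that assumption visible. initFilter's body begins outside the hunk.
```java
    // … unchanged: null check on signatureSecretFile …
    try {
      StringBuilder secret = new StringBuilder();
      Reader reader = new FileReader(signatureSecretFile);
      try {
        int c = reader.read();
        while (c > -1) {
          secret.append((char)c);
          c = reader.read();
        }
      } finally {
        reader.close();
      }
      filterConfig.put(AuthenticationFilter.SIGNATURE_SECRET, secret.toString());
    } catch (IOException ex) {
      throw new RuntimeException("Could not read HTTP signature secret file: " + signatureSecretFile, ex);
    }
    // … unchanged: container.addFilter(...) …
```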
@@ -25,14 +25,28 @@
 import org.mockito.invocation.InvocationOnMock;
 import org.mockito.stubbing.Answer;
+import java.io.File;
+import java.io.FileWriter;
+import java.io.Writer;
 import java.util.Map;
 public class TestAuthenticationFilter extends TestCase {
 @SuppressWarnings("unchecked")
- public void testConfiguration() {
+ public void testConfiguration() throws Exception {
 Configuration conf = new Configuration();
 conf.set("hadoop.http.authentication.foo", "bar");
+
+ File testDir = new File(System.getProperty("test.build.data",
+ "target/test-dir"));
+ testDir.mkdirs();
+ File secretFile = new File(testDir, "http-secret.txt");
+ Writer writer = new FileWriter(new File(testDir, "http-secret.txt"));
+ writer.write("hadoop");
+ writer.close();
+ conf.set(AuthenticationFilterInitializer.PREFIX +
+ AuthenticationFilterInitializer.SIGNATURE_SECRET_FILE,
+ secretFile.getAbsolutePath());
 FilterContainer container = Mockito.mock(FilterContainer.class);
 Mockito.doAnswer(
diff --git a/hadoop-project/pom.xml b/hadoop-project/pom.xml
index 290d33d02f..aa9b43f7fd 100644
--- a/hadoop-project/pom.xml
+++ b/hadoop-project/pom.xml
@@ -76,6 +76,9 @@
 https://repository.apache.org/content/repositories/snapshots 1.0.3 + + ${project.build.directory}/test-dir + ${test.build.dir}
@@ -554,6 +557,25 @@
+ + org.apache.maven.plugins + maven-antrun-plugin + + + create-testdirs + validate + + run + + + + + + + + + + org.apache.maven.plugins maven-compiler-plugin
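Review bot: `Writer writer = new FileWriter(new File(testDir, "http-secret.txt"));` rebuilds the path that `secretFile` already holds on the line above, so the two can silently diverge; `Writer writer = new FileWriter(secretFile);` makes it explicit that the file written is the one handed to the initializer. The writer is also left open if write() throws, which a try/finally around the write would fix and would match what the production read loop should do. testConfiguration continues outside the hunk.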