HADOOP-7621. alfredo config should be in a file not readable by users (Alejandro Abdelnur via atm)

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1173739 13f79535-47bb-0310-9956-ffa450edef68
Aaron Myers 2011-09-21 16:09:44 +00:00
parent d50ecc38a3
commit 83e4b2b469
6 changed files with 72 additions and 7 deletions


@ -23,6 +23,9 @@ Trunk (unreleased changes)
HADOOP-7641. Add Apache License to template config files (Eric Yang via atm) HADOOP-7641. Add Apache License to template config files (Eric Yang via atm)
HADOOP-7621. alfredo config should be in a file not readable by users
(Alejandro Abdelnur via atm)
Release 0.23.0 - Unreleased Release 0.23.0 - Unreleased
INCOMPATIBLE CHANGES INCOMPATIBLE CHANGES


@ -82,10 +82,12 @@
<code>36000</code>. <code>36000</code>.
</p> </p>
<p><code>hadoop.http.authentication.signature.secret</code>: The signature secret for <p><code>hadoop.http.authentication.signature.secret.file</code>: The signature secret
signing the authentication tokens. If not set a random secret is generated at file for signing the authentication tokens. If not set a random secret is generated at
startup time. The same secret should be used for all nodes in the cluster, JobTracker, startup time. The same secret should be used for all nodes in the cluster, JobTracker,
NameNode, DataNode and TastTracker. The default value is a <code>hadoop</code> value. NameNode, DataNode and TastTracker. The default value is
<code>${user.home}/hadoop-http-auth-signature-secret</code>.
IMPORTANT: This file should be readable only by the Unix user running the daemons.
</p> </p>
<p><code>hadoop.http.authentication.cookie.domain</code>: The domain to use for the HTTP <p><code>hadoop.http.authentication.cookie.domain</code>: The domain to use for the HTTP


@ -22,6 +22,9 @@
import org.apache.hadoop.http.FilterContainer; import org.apache.hadoop.http.FilterContainer;
import org.apache.hadoop.http.FilterInitializer; import org.apache.hadoop.http.FilterInitializer;
import java.io.FileReader;
import java.io.IOException;
import java.io.Reader;
import java.util.HashMap; import java.util.HashMap;
import java.util.Map; import java.util.Map;
@ -40,7 +43,9 @@
*/ */
public class AuthenticationFilterInitializer extends FilterInitializer { public class AuthenticationFilterInitializer extends FilterInitializer {
private static final String PREFIX = "hadoop.http.authentication."; static final String PREFIX = "hadoop.http.authentication.";
static final String SIGNATURE_SECRET_FILE = AuthenticationFilter.SIGNATURE_SECRET + ".file";
/** /**
* Initializes Alfredo AuthenticationFilter. * Initializes Alfredo AuthenticationFilter.
@ -67,6 +72,25 @@ public void initFilter(FilterContainer container, Configuration conf) {
} }
} }
String signatureSecretFile = filterConfig.get(SIGNATURE_SECRET_FILE);
if (signatureSecretFile == null) {
throw new RuntimeException("Undefined property: " + SIGNATURE_SECRET_FILE);
}
try {
StringBuilder secret = new StringBuilder();
Reader reader = new FileReader(signatureSecretFile);
int c = reader.read();
while (c > -1) {
secret.append((char)c);
c = reader.read();
}
reader.close();
filterConfig.put(AuthenticationFilter.SIGNATURE_SECRET, secret.toString());
} catch (IOException ex) {
throw new RuntimeException("Could not read HTTP signature secret file: " + signatureSecretFile);
}
container.addFilter("authentication", container.addFilter("authentication",
AuthenticationFilter.class.getName(), AuthenticationFilter.class.getName(),
filterConfig); filterConfig);
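Review bot: In the block added to initFilter the Reader is closed only on the success path and the caught IOException is discarded, so a failed read leaks the file handle and the startup error carries no cause; close the reader in a `finally` and pass `ex` to the RuntimeException. The file content is also used verbatim as the signing secret, so an empty file yields an empty secret and a trailing newline becomes part of it; rejecting an empty result is cheap, and how AuthenticationFilter treats an empty secret is not visible here. FileReader decodes with the platform default charset, so nodes with different defaults can derive different secrets from the same bytes. initFilter starts before this hunk and continues after it.

```java
    // … unchanged: signatureSecretFile lookup and null check …
    StringBuilder secret = new StringBuilder();
    Reader reader = null;
    try {
      reader = new FileReader(signatureSecretFile);
      // … unchanged: read loop appending each char to secret …
    } catch (IOException ex) {
      throw new RuntimeException(
          "Could not read HTTP signature secret file: " + signatureSecretFile, ex);
    } finally {
      if (reader != null) {
        try {
          reader.close();
        } catch (IOException ignored) {
          // nothing useful to do if close fails after the read finished or failed
        }
      }
    }
    if (secret.length() == 0) {
      throw new RuntimeException(
          "Empty HTTP signature secret file: " + signatureSecretFile);
    }
    filterConfig.put(AuthenticationFilter.SIGNATURE_SECRET, secret.toString());
    // … unchanged: container.addFilter call …
```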


@ -808,8 +808,8 @@
</property> </property>
<property> <property>
<name>hadoop.http.authentication.signature.secret</name> <name>hadoop.http.authentication.signature.secret.file</name>
<value>hadoop</value> <value>${user.home}/hadoop-http-auth-signature-secret</value>
<description> <description>
The signature secret for signing the authentication tokens. The signature secret for signing the authentication tokens.
If not set a random secret is generated at startup time. If not set a random secret is generated at startup time.
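Review bot: The `<description>` kept on the new side still reads `The signature secret for signing the authentication tokens. If not set a random secret is generated at startup time.`, which no longer matches the renamed property. The value is now a file path, and the initializer change in this commit throws a RuntimeException when the property is undefined or the file cannot be read. I would reword it along the lines of `The signature secret file for signing the authentication tokens. The file must be readable only by the Unix user running the daemons.` and state that startup fails when the file is missing. The description continues past the end of this hunk, so the rest of its text should be checked too.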


@ -25,15 +25,29 @@
import org.mockito.invocation.InvocationOnMock; import org.mockito.invocation.InvocationOnMock;
import org.mockito.stubbing.Answer; import org.mockito.stubbing.Answer;
import java.io.File;
import java.io.FileWriter;
import java.io.Writer;
import java.util.Map; import java.util.Map;
public class TestAuthenticationFilter extends TestCase { public class TestAuthenticationFilter extends TestCase {
@SuppressWarnings("unchecked") @SuppressWarnings("unchecked")
public void testConfiguration() { public void testConfiguration() throws Exception {
Configuration conf = new Configuration(); Configuration conf = new Configuration();
conf.set("hadoop.http.authentication.foo", "bar"); conf.set("hadoop.http.authentication.foo", "bar");
File testDir = new File(System.getProperty("test.build.data",
"target/test-dir"));
testDir.mkdirs();
File secretFile = new File(testDir, "http-secret.txt");
Writer writer = new FileWriter(new File(testDir, "http-secret.txt"));
writer.write("hadoop");
writer.close();
conf.set(AuthenticationFilterInitializer.PREFIX +
AuthenticationFilterInitializer.SIGNATURE_SECRET_FILE,
secretFile.getAbsolutePath());
FilterContainer container = Mockito.mock(FilterContainer.class); FilterContainer container = Mockito.mock(FilterContainer.class);
Mockito.doAnswer( Mockito.doAnswer(
new Answer() { new Answer() {
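Review bot: The secret file path is built twice in testConfiguration: `secretFile` is declared and then the writer opens `new File(testDir, "http-secret.txt")` again, so `new FileWriter(secretFile)` would keep the two from drifting apart. The writer is also left open if `write` throws, which a `try`/`finally` around `writer.write("hadoop")` would cover. Whether the test asserts that the filter receives `hadoop` as the signature secret is not visible, because the Answer body continues outside this hunk; if it does not, that assertion is what shows the file was actually read.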


@ -76,6 +76,9 @@
<distMgmtSnapshotsUrl>https://repository.apache.org/content/repositories/snapshots</distMgmtSnapshotsUrl> <distMgmtSnapshotsUrl>https://repository.apache.org/content/repositories/snapshots</distMgmtSnapshotsUrl>
<commons-daemon.version>1.0.3</commons-daemon.version> <commons-daemon.version>1.0.3</commons-daemon.version>
<test.build.dir>${project.build.directory}/test-dir</test.build.dir>
<test.build.data>${test.build.dir}</test.build.data>
</properties> </properties>
<dependencyManagement> <dependencyManagement>
@ -554,6 +557,25 @@
</execution> </execution>
</executions> </executions>
</plugin> </plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-antrun-plugin</artifactId>
<executions>
<execution>
<id>create-testdirs</id>
<phase>validate</phase>
<goals>
<goal>run</goal>
</goals>
<configuration>
<target>
<mkdir dir="${test.build.dir}"/>
<mkdir dir="${test.build.data}"/>
</target>
</configuration>
</execution>
</executions>
</plugin>
<plugin> <plugin>
<groupId>org.apache.maven.plugins</groupId> <groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-compiler-plugin</artifactId> <artifactId>maven-compiler-plugin</artifactId>