From 8970e93b01c88bd4d489cb8e4f915d47f2adee86 Mon Sep 17 00:00:00 2001 From: Boris Shkolnik Date: Tue, 22 Jun 2010 23:04:33 +0000 Subject: [PATCH] HADOOP-6815. refreshSuperUserGroupsConfiguration should use server side configuration for the refresh git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@957074 13f79535-47bb-0310-9956-ffa450edef68 --- CHANGES.txt | 3 +++ .../org/apache/hadoop/security/Groups.java | 9 +++++++ .../security/RefreshUserMappingsProtocol.java | 5 ++-- .../hadoop/security/authorize/ProxyUsers.java | 24 +++++++++++++------ .../security/TestDoAsEffectiveUser.java | 2 ++ 5 files changed, 33 insertions(+), 10 deletions(-) diff --git a/CHANGES.txt b/CHANGES.txt index 29bada0642..a63694bbad 100644 --- a/CHANGES.txt +++ b/CHANGES.txt @@ -91,6 +91,9 @@ Trunk (unreleased changes) HADOOP-6652. Removes the unnecessary cache from ShellBasedUnixGroupsMapping. (ddas) + HADOOP-6815. refreshSuperUserGroupsConfiguration should use server side +configuration for the refresh (boryas) + Release 0.21.0 - Unreleased INCOMPATIBLE CHANGES diff --git a/src/java/org/apache/hadoop/security/Groups.java b/src/java/org/apache/hadoop/security/Groups.java index b7e35bb50c..3780de5ad1 100644 --- a/src/java/org/apache/hadoop/security/Groups.java +++ b/src/java/org/apache/hadoop/security/Groups.java @@ -121,6 +121,15 @@ public class Groups { * Get the groups being used to map user-to-groups. * @return the groups being used to map user-to-groups. */ + public static Groups getUserToGroupsMappingService() { + return getUserToGroupsMappingService(new Configuration()); + } + + /** + * Get the groups being used to map user-to-groups. + * @param Configuration + * @return the groups being used to map user-to-groups. + */ public static Groups getUserToGroupsMappingService(Configuration conf) { if(GROUPS == null) { LOG.debug(" Creating new Groups object"); 
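Review bot: The Javadoc added for the `Configuration` overload in Groups.java has `@param Configuration`, which names the type rather than the parameter; it should read `@param conf configuration used when the Groups instance is first created`. The visible `if(GROUPS == null)` guard suggests the instance is cached, so a later call with a different `conf`, or the new no-arg form that builds `new Configuration()`, would get whatever mapping the first caller set up. That is worth stating on both overloads, because group membership feeds authorization decisions. The body of the `Configuration` overload continues past the end of the hunk, so confirm the caching behaviour there.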
diff --git a/src/java/org/apache/hadoop/security/RefreshUserMappingsProtocol.java b/src/java/org/apache/hadoop/security/RefreshUserMappingsProtocol.java index f711e44717..7ca99015dc 100644 --- a/src/java/org/apache/hadoop/security/RefreshUserMappingsProtocol.java +++ b/src/java/org/apache/hadoop/security/RefreshUserMappingsProtocol.java @@ -46,13 +46,12 @@ public interface RefreshUserMappingsProtocol extends VersionedProtocol { * @param conf * @throws IOException */ - public void refreshUserToGroupsMappings(Configuration conf) throws IOException; + public void refreshUserToGroupsMappings() throws IOException; /** * Refresh superuser proxy group list - * @param conf * @throws IOException */ - public void refreshSuperUserGroupsConfiguration(Configuration conf) + public void refreshSuperUserGroupsConfiguration() throws IOException; } diff --git a/src/java/org/apache/hadoop/security/authorize/ProxyUsers.java b/src/java/org/apache/hadoop/security/authorize/ProxyUsers.java index c1b7901be9..2d11afabc6 100644 --- a/src/java/org/apache/hadoop/security/authorize/ProxyUsers.java +++ b/src/java/org/apache/hadoop/security/authorize/ProxyUsers.java @@ -37,7 +37,7 @@ public class ProxyUsers { public static final String CONF_GROUPS = ".groups"; public static final String CONF_HADOOP_PROXYUSER = "hadoop.proxyuser."; public static final String CONF_HADOOP_PROXYUSER_RE = "hadoop\\.proxyuser\\."; - private static Configuration conf=null; + private static boolean init = false; // list of groups and hosts per proxyuser private static Map> proxyGroups = new HashMap>(); 
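Review bot: The Javadoc of `refreshUserToGroupsMappings()` still carries `@param conf` in the context lines above the changed signature, although the parameter is gone; drop the tag, as was done for `refreshSuperUserGroupsConfiguration()`. Both RPC signatures change and the interface extends `VersionedProtocol`, so the protocol's `versionID` probably needs a bump, so that an old client still sending a `Configuration` fails at version negotiation rather than at method lookup. That constant is outside this hunk, so check it. A short comment on the interface, such as `// refresh takes no client-supplied Configuration; the server reloads its own`, would help keep the parameter from being reintroduced.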
@@ -47,9 +47,17 @@ public class ProxyUsers { /** * reread the conf and get new values for "hadoop.proxyuser.*.groups/hosts" */ - public static synchronized void refreshSuperUserGroupsConfiguration(Configuration cn) { - conf = cn; + public static void refreshSuperUserGroupsConfiguration() { + //load server side configuration; + refreshSuperUserGroupsConfiguration(new Configuration()); + } + /** + * refresh configuration + * @param conf + */ + public static synchronized void refreshSuperUserGroupsConfiguration(Configuration conf) { + // remove alle existing stuff proxyGroups.clear(); proxyHosts.clear(); @@ -69,6 +77,8 @@ public class ProxyUsers { proxyHosts.put(entry.getKey(), StringUtils.getStringCollection(entry.getValue())); } + + init = true; } /** @@ -102,8 +112,8 @@ public class ProxyUsers { public static synchronized void authorize(UserGroupInformation user, String remoteAddress, Configuration newConf) throws AuthorizationException { - if(conf == null) { - refreshSuperUserGroupsConfiguration(newConf); + if(!init) { + refreshSuperUserGroupsConfiguration(); } if (user.getRealUser() == null) { @@ -116,7 +126,7 @@ public class ProxyUsers { Collection allowedUserGroups = proxyGroups.get( getProxySuperuserGroupConfKey(superUser.getShortUserName())); - if (!allowedUserGroups.isEmpty()) { + if (allowedUserGroups != null && !allowedUserGroups.isEmpty()) { for (String group : user.getGroupNames()) { if (allowedUserGroups.contains(group)) { groupAuthorized = true; @@ -133,7 +143,7 @@ public class ProxyUsers { Collection ipList = proxyHosts.get( getProxySuperuserIpConfKey(superUser.getShortUserName())); - if (!ipList.isEmpty()) { + if (ipList != null && !ipList.isEmpty()) { for (String allowedHost : ipList) { InetAddress hostAddr; try { diff --git a/src/test/core/org/apache/hadoop/security/TestDoAsEffectiveUser.java b/src/test/core/org/apache/hadoop/security/TestDoAsEffectiveUser.java index 708745cdd9..699e6dc666 100644 
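Review bot: In the `@@ -47,9 +47,17 @@` hunk the overload `refreshSuperUserGroupsConfiguration(Configuration conf)` stays `public static` and replaces the whole proxy-user table from whatever `Configuration` it is handed, yet its new Javadoc says only `refresh configuration` with an empty `@param conf`. Document the contract, e.g. `Replaces all hadoop.proxyuser.* group and host entries with those found in conf; RPC handlers must call the no-arg form so only server-side configuration is used.` The no-arg form builds `new Configuration()`, which presumably sees only the default resources, so proxy-user keys set programmatically or in a resource the daemon adds itself might not survive a refresh; confirm that is intended. The inline comment `remove alle existing stuff` has a typo (`all`).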
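Review bot: In the `@@ -102,8 +112,8 @@` hunk `authorize(...)` no longer reads its `newConf` argument in the lines shown: the lazy-init branch now calls the no-arg `refreshSuperUserGroupsConfiguration()`, which loads `new Configuration()`. A server built with an in-memory configuration therefore starts with no proxy-user entries unless something calls the `Configuration` overload first, which is what the `refreshConf(conf)` calls added to `TestDoAsEffectiveUser` in this patch appear to do. With the null guards in the two later hunks that case seems to end in a denial rather than a `NullPointerException`, though the code that throws is outside the hunks. Either remove the parameter in a follow-up or document it, e.g. `@param newConf unused; proxy-user settings come from the server-side configuration loaded by refreshSuperUserGroupsConfiguration()`. The body of `authorize` continues past the hunk.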
--- a/src/test/core/org/apache/hadoop/security/TestDoAsEffectiveUser.java +++ b/src/test/core/org/apache/hadoop/security/TestDoAsEffectiveUser.java @@ -148,6 +148,7 @@ public class TestDoAsEffectiveUser { Server server = RPC.getServer(TestProtocol.class, new TestImpl(), ADDRESS, 0, 5, true, conf, null); + refreshConf(conf); try { server.start(); @@ -188,6 +189,7 @@ public class TestDoAsEffectiveUser { Server server = RPC.getServer(TestProtocol.class, new TestImpl(), ADDRESS, 0, 2, false, conf, null); + refreshConf(conf); try { server.start();
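Review bot: Both test hunks (`@@ -148,6 +148,7 @@` and `@@ -188,6 +189,7 @@`) prime the static `ProxyUsers` state with `refreshConf(conf)` before the server starts, so the path this commit introduces, lazy initialisation inside `authorize` from `new Configuration()`, is not exercised by the visible changes. A case that calls `authorize` for a super-user with no `hadoop.proxyuser.*` entry and expects `AuthorizationException` would pin the deny-on-missing-entry behaviour that the new null checks appear to give. `refreshConf` is defined outside these hunks, so confirm it goes through the `Configuration` overload and is called before every server start that depends on proxy-user settings.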