HDFS-4560. Webhdfs cannot use tokens obtained by another user (daryn)

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1453955 13f79535-47bb-0310-9956-ffa450edef68
2013-03-07 16:56:19 +00:00 · 2013-03-07 16:56:19 +00:00 · 97c4668312
commit 97c4668312
parent 80c2cf57fd
3 changed files with 8 additions and 10 deletions
--- a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
+++ b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
@ -2369,6 +2369,8 @@ Release 0.23.7 - UNRELEASED
    HDFS-4542. Webhdfs doesn't support secure proxy users (Daryn Sharp via
    kihwal)

+    HDFS-4560. Webhdfs cannot use tokens obtained by another user (daryn)
+
 Release 0.23.6 - UNRELEASED

  INCOMPATIBLE CHANGES
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/web/WebHdfsFileSystem.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/web/WebHdfsFileSystem.java
@ -350,15 +350,15 @@ Param<?,?>[] getAuthParameters(final HttpOpParam.Op op) throws IOException {
        } // else we are talking to an insecure cluster
      }
    }
-    UserGroupInformation userUgi = ugi;
    if (!hasToken) {
+      UserGroupInformation userUgi = ugi;
      UserGroupInformation realUgi = userUgi.getRealUser();
      if (realUgi != null) { // proxy user
        authParams.add(new DoAsParam(userUgi.getShortUserName()));
        userUgi = realUgi;
      }
+      authParams.add(new UserParam(userUgi.getShortUserName()));
    }
-    authParams.add(new UserParam(userUgi.getShortUserName()));
    return authParams.toArray(new Param<?,?>[0]);
  }

--- a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/web/TestWebHdfsUrl.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/web/TestWebHdfsUrl.java
@ -134,24 +134,22 @@ public void testSecureAuthParamsInUrl() throws IOException {
        },
        renewTokenUrl);

-    // send user+token
+    // send token
    URL cancelTokenUrl = webhdfs.toUrl(PutOpParam.Op.CANCELDELEGATIONTOKEN,
        fsPath, new TokenArgumentParam(tokenString));
    checkQueryParams(
        new String[]{
            PutOpParam.Op.CANCELDELEGATIONTOKEN.toQueryString(),
-            new UserParam(ugi.getShortUserName()).toString(),
            new TokenArgumentParam(tokenString).toString(),
            new DelegationParam(tokenString).toString()
        },
        cancelTokenUrl);
    
-    // send user+token
+    // send token
    URL fileStatusUrl = webhdfs.toUrl(GetOpParam.Op.GETFILESTATUS, fsPath);
    checkQueryParams(
        new String[]{
            GetOpParam.Op.GETFILESTATUS.toQueryString(),
-            new UserParam(ugi.getShortUserName()).toString(),
            new DelegationParam(tokenString).toString()
        },
        fileStatusUrl);
@ -219,24 +217,22 @@ public void testSecureProxyAuthParamsInUrl() throws IOException {
        },
        renewTokenUrl);

-    // send effective+token
+    // send token
    URL cancelTokenUrl = webhdfs.toUrl(PutOpParam.Op.CANCELDELEGATIONTOKEN,
        fsPath, new TokenArgumentParam(tokenString));
    checkQueryParams(
        new String[]{
            PutOpParam.Op.CANCELDELEGATIONTOKEN.toQueryString(),
-            new UserParam(ugi.getShortUserName()).toString(),
            new TokenArgumentParam(tokenString).toString(),
            new DelegationParam(tokenString).toString()
        },
        cancelTokenUrl);
    
-    // send effective+token
+    // send token
    URL fileStatusUrl = webhdfs.toUrl(GetOpParam.Op.GETFILESTATUS, fsPath);
    checkQueryParams(
        new String[]{
            GetOpParam.Op.GETFILESTATUS.toQueryString(),
-            new UserParam(ugi.getShortUserName()).toString(),
            new DelegationParam(tokenString).toString()
        },
        fileStatusUrl);