From 9ee891aa90333bf18cba412400daa5834f15c41d Mon Sep 17 00:00:00 2001 From: Alejandro Abdelnur Date: Tue, 9 Sep 2014 22:18:03 -0700 Subject: [PATCH] HADOOP-11077. NPE if hosts not specified in ProxyUsers. (gchanan via tucu) --- hadoop-common-project/hadoop-common/CHANGES.txt | 2 ++ .../authorize/DefaultImpersonationProvider.java | 2 +- .../hadoop/security/authorize/TestProxyUsers.java | 15 +++++++++++++++ 3 files changed, 18 insertions(+), 1 deletion(-) diff --git a/hadoop-common-project/hadoop-common/CHANGES.txt b/hadoop-common-project/hadoop-common/CHANGES.txt index c60a9b701e..b0150873cd 100644 --- a/hadoop-common-project/hadoop-common/CHANGES.txt +++ b/hadoop-common-project/hadoop-common/CHANGES.txt @@ -777,6 +777,8 @@ Release 2.6.0 - UNRELEASED HADOOP-10925. Compilation fails in native link0 function on Windows. (cnauroth) + HADOOP-11077. NPE if hosts not specified in ProxyUsers. (gchanan via tucu) + Release 2.5.1 - UNRELEASED INCOMPATIBLE CHANGES diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/authorize/DefaultImpersonationProvider.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/authorize/DefaultImpersonationProvider.java index ab1c390f46..b36ac80717 100644 --- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/authorize/DefaultImpersonationProvider.java +++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/authorize/DefaultImpersonationProvider.java @@ -123,7 +123,7 @@ public void authorize(UserGroupInformation user, MachineList MachineList = proxyHosts.get( getProxySuperuserIpConfKey(realUser.getShortUserName())); - if(!MachineList.includes(remoteAddress)) { + if(MachineList == null || !MachineList.includes(remoteAddress)) { throw new AuthorizationException("Unauthorized connection for super-user: " + realUser.getUserName() + " from IP " + remoteAddress); } diff --git a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/authorize/TestProxyUsers.java b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/authorize/TestProxyUsers.java index dbcac676fa..8ff4bfb108 100644 --- a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/authorize/TestProxyUsers.java +++ b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/authorize/TestProxyUsers.java @@ -478,6 +478,21 @@ public void testProxyUsersWithCustomPrefix() throws Exception { assertNotAuthorized(proxyUserUgi, "1.2.3.5"); } + @Test + public void testNoHostsForUsers() throws Exception { + Configuration conf = new Configuration(false); + conf.set("y." + REAL_USER_NAME + ".users", + StringUtils.join(",", Arrays.asList(AUTHORIZED_PROXY_USER_NAME))); + ProxyUsers.refreshSuperUserGroupsConfiguration(conf, "y"); + + UserGroupInformation realUserUgi = UserGroupInformation + .createRemoteUser(REAL_USER_NAME); + UserGroupInformation proxyUserUgi = UserGroupInformation.createProxyUserForTesting( + AUTHORIZED_PROXY_USER_NAME, realUserUgi, GROUP_NAMES); + + // IP doesn't matter + assertNotAuthorized(proxyUserUgi, "1.2.3.4"); + } private void assertNotAuthorized(UserGroupInformation proxyUgi, String host) { try {