HADOOP-8855. SSL-based image transfer does not work when Kerberos is disabled. Contributed by Todd Lipcon
git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1390841 13f79535-47bb-0310-9956-ffa450edef68
This commit is contained in:
parent
40062e1aaa
commit
a33ae4020d
@ -19,6 +19,8 @@
|
||||
import org.ietf.jgss.GSSManager;
|
||||
import org.ietf.jgss.GSSName;
|
||||
import org.ietf.jgss.Oid;
|
||||
import org.slf4j.Logger;
|
||||
import org.slf4j.LoggerFactory;
|
||||
|
||||
import javax.security.auth.Subject;
|
||||
import javax.security.auth.login.AppConfigurationEntry;
|
||||
@ -44,6 +46,9 @@
|
||||
* sequence.
|
||||
*/
|
||||
public class KerberosAuthenticator implements Authenticator {
|
||||
|
||||
private static Logger LOG = LoggerFactory.getLogger(
|
||||
KerberosAuthenticator.class);
|
||||
|
||||
/**
|
||||
* HTTP header used by the SPNEGO server endpoint during an authentication sequence.
|
||||
@ -152,9 +157,18 @@ public void authenticate(URL url, AuthenticatedURL.Token token)
|
||||
}
|
||||
conn.setRequestMethod(AUTH_HTTP_METHOD);
|
||||
conn.connect();
|
||||
if (isNegotiate()) {
|
||||
|
||||
if (conn.getResponseCode() == HttpURLConnection.HTTP_OK) {
|
||||
LOG.debug("JDK performed authentication on our behalf.");
|
||||
// If the JDK already did the SPNEGO back-and-forth for
|
||||
// us, just pull out the token.
|
||||
AuthenticatedURL.extractToken(conn, token);
|
||||
return;
|
||||
} else if (isNegotiate()) {
|
||||
LOG.debug("Performing our own SPNEGO sequence.");
|
||||
doSpnegoSequence(token);
|
||||
} else {
|
||||
LOG.debug("Using fallback authenticator sequence.");
|
||||
getFallBackAuthenticator().authenticate(url, token);
|
||||
}
|
||||
}
|
||||
@ -168,7 +182,11 @@ public void authenticate(URL url, AuthenticatedURL.Token token)
|
||||
* @return the fallback {@link Authenticator}.
|
||||
*/
|
||||
protected Authenticator getFallBackAuthenticator() {
|
||||
return new PseudoAuthenticator();
|
||||
Authenticator auth = new PseudoAuthenticator();
|
||||
if (connConfigurator != null) {
|
||||
auth.setConnectionConfigurator(connConfigurator);
|
||||
}
|
||||
return auth;
|
||||
}
|
||||
|
||||
/*
|
||||
@ -197,11 +215,16 @@ private void doSpnegoSequence(AuthenticatedURL.Token token) throws IOException,
|
||||
AccessControlContext context = AccessController.getContext();
|
||||
Subject subject = Subject.getSubject(context);
|
||||
if (subject == null) {
|
||||
LOG.debug("No subject in context, logging in");
|
||||
subject = new Subject();
|
||||
LoginContext login = new LoginContext("", subject,
|
||||
null, new KerberosConfiguration());
|
||||
login.login();
|
||||
}
|
||||
|
||||
if (LOG.isDebugEnabled()) {
|
||||
LOG.debug("Using subject: " + subject);
|
||||
}
|
||||
Subject.doAs(subject, new PrivilegedExceptionAction<Void>() {
|
||||
|
||||
@Override
|
||||
|
@ -579,6 +579,8 @@ Release 2.0.2-alpha - 2012-09-07
|
||||
|
||||
HADOOP-8781. hadoop-config.sh should add JAVA_LIBRARY_PATH to LD_LIBRARY_PATH. (tucu)
|
||||
|
||||
HADOOP-8855. SSL-based image transfer does not work when Kerberos is disabled. (todd via eli)
|
||||
|
||||
BREAKDOWN OF HDFS-3042 SUBTASKS
|
||||
|
||||
HADOOP-8220. ZKFailoverController doesn't handle failure to become active
|
||||
|
@ -499,7 +499,7 @@ private static <T> T doAsUser(UserGroupInformation ugi,
|
||||
* @throws IOException If unable to authenticate via SPNEGO
|
||||
*/
|
||||
public static URLConnection openSecureHttpConnection(URL url) throws IOException {
|
||||
if(!UserGroupInformation.isSecurityEnabled()) {
|
||||
if (!HttpConfig.isSecure() && !UserGroupInformation.isSecurityEnabled()) {
|
||||
return url.openConnection();
|
||||
}
|
||||
|
||||
|
@ -20,6 +20,7 @@
|
||||
import java.io.File;
|
||||
import java.io.IOException;
|
||||
import java.net.InetSocketAddress;
|
||||
import java.security.PrivilegedExceptionAction;
|
||||
import java.util.ArrayList;
|
||||
import java.util.Collections;
|
||||
import java.util.HashMap;
|
||||
@ -53,6 +54,7 @@
|
||||
import org.apache.hadoop.ipc.RemoteException;
|
||||
import org.apache.hadoop.net.NetUtils;
|
||||
import org.apache.hadoop.security.RefreshUserMappingsProtocol;
|
||||
import org.apache.hadoop.security.SecurityUtil;
|
||||
import org.apache.hadoop.security.UserGroupInformation;
|
||||
import org.apache.hadoop.security.authorize.RefreshAuthorizationPolicyProtocol;
|
||||
import org.apache.hadoop.util.StringUtils;
|
||||
@ -511,11 +513,17 @@ public int setBalancerBandwidth(String[] argv, int idx) throws IOException {
|
||||
* @return an exit code indicating success or failure.
|
||||
* @throws IOException
|
||||
*/
|
||||
public int fetchImage(String[] argv, int idx) throws IOException {
|
||||
String infoServer = DFSUtil.getInfoServer(
|
||||
public int fetchImage(final String[] argv, final int idx) throws IOException {
|
||||
final String infoServer = DFSUtil.getInfoServer(
|
||||
HAUtil.getAddressOfActive(getDFS()), getConf(), false);
|
||||
TransferFsImage.downloadMostRecentImageToDirectory(infoServer,
|
||||
new File(argv[idx]));
|
||||
SecurityUtil.doAsCurrentUser(new PrivilegedExceptionAction<Void>() {
|
||||
@Override
|
||||
public Void run() throws Exception {
|
||||
TransferFsImage.downloadMostRecentImageToDirectory(infoServer,
|
||||
new File(argv[idx]));
|
||||
return null;
|
||||
}
|
||||
});
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user