From b9984e59d832cd4673dd0edb260a1aa65bb8758d Mon Sep 17 00:00:00 2001
From: Alejandro Abdelnur
Date: Tue, 5 Aug 2014 20:58:25 +0000
Subject: [PATCH] HADOOP-10918. JMXJsonServlet fails when used within Tomcat. (tucu)
git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1616002 13f79535-47bb-0310-9956-ffa450edef68
---
 .../hadoop-common/CHANGES.txt | 2 ++
 .../org/apache/hadoop/http/HttpServer2.java | 4 +--
 .../org/apache/hadoop/jmx/JMXJsonServlet.java | 9 +++--
 .../apache/hadoop/http/TestHttpServer.java | 6 ++--
 .../crypto/key/kms/server/KMSJMXServlet.java | 33 +++++++++++++++++++
 .../src/main/webapp/WEB-INF/web.xml | 2 +-
 6 files changed, 48 insertions(+), 8 deletions(-)
 create mode 100644 hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSJMXServlet.java
diff --git a/hadoop-common-project/hadoop-common/CHANGES.txt b/hadoop-common-project/hadoop-common/CHANGES.txt
index f7f20ede41..601fe93fd2 100644
--- a/hadoop-common-project/hadoop-common/CHANGES.txt
+++ b/hadoop-common-project/hadoop-common/CHANGES.txt
@@ -527,6 +527,8 @@ Release 2.6.0 - UNRELEASED HADOOP-10937. Need to set version name correctly before decrypting EEK. (Arun Suresh via wang)
+ HADOOP-10918. JMXJsonServlet fails when used within Tomcat. (tucu)
+
 Release 2.5.0 - UNRELEASED INCOMPATIBLE CHANGES
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/http/HttpServer2.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/http/HttpServer2.java
index d2664dcf2b..f84ade0037 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/http/HttpServer2.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/http/HttpServer2.java
@@ -1005,7 +1005,7 @@ public static boolean hasAdministratorAccess( String remoteUser = request.getRemoteUser(); if (remoteUser == null) {
- response.sendError(HttpServletResponse.SC_UNAUTHORIZED,
+ response.sendError(HttpServletResponse.SC_FORBIDDEN,
 "Unauthenticated users are not " + "authorized to access this page."); return false;
@@ -1013,7 +1013,7 @@ public static boolean hasAdministratorAccess( if (servletContext.getAttribute(ADMINS_ACL) != null && !userHasAdministratorAccess(servletContext, remoteUser)) {
- response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "User "
+ response.sendError(HttpServletResponse.SC_FORBIDDEN, "User "
 + remoteUser + " is unauthorized to access this page."); return false; }
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/jmx/JMXJsonServlet.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/jmx/JMXJsonServlet.java
index 44ebbdd3f2..f775dd71be 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/jmx/JMXJsonServlet.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/jmx/JMXJsonServlet.java
@@ -143,6 +143,12 @@ public void init() throws ServletException { jsonFactory = new JsonFactory(); }
+ protected boolean isInstrumentationAccessAllowed(HttpServletRequest request,
+ HttpServletResponse response) throws IOException {
+ return HttpServer2.isInstrumentationAccessAllowed(getServletContext(),
+ request, response);
+ }
+
 /** * Process a GET request for the specified resource. *
@@ -154,8 +160,7 @@ public void init() throws ServletException { @Override public void doGet(HttpServletRequest request, HttpServletResponse response) { try {
- if (!HttpServer2.isInstrumentationAccessAllowed(getServletContext(),
- request, response)) {
+ if (!isInstrumentationAccessAllowed(request, response)) {
 return; } JsonGenerator jg = null;
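Review bot: In the `remoteUser == null` branch of `hasAdministratorAccess` (hunk `@@ -1005`) the caller is unauthenticated, yet the status is now 403, so a client can no longer tell "authenticate first" from "authenticated but not permitted" by status code alone, and nothing in the hunk says why. If the switch is deliberate, presumably because no `WWW-Authenticate` challenge is issued from this method, record it beside the call, e.g. `// 403 rather than 401: this method sends no WWW-Authenticate challenge`. The method starts and ends outside the hunk.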
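Review bot: The ACL-denied branch (hunk `@@ -1013`) still concatenates `remoteUser` into the `sendError` message, and that text is normally rendered into the container's error page. Whether it is HTML-escaped depends on the servlet container, and this commit is about running under a second container, so the escaping should be confirmed for both or the name kept out of the client-facing text: `response.sendError(HttpServletResponse.SC_FORBIDDEN, "User is not authorized to access this page.");` with the user name written to the server log instead. This matters most where the authentication scheme lets the caller choose the user name, which cannot be judged from this hunk.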
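Review bot: The new `protected boolean isInstrumentationAccessAllowed(request, response)` in JMXJsonServlet (hunk `@@ -143`) is an authorization hook with no Javadoc, and its contract is not visible from the signature. `doGet` (hunk `@@ -154`) simply returns when the hook yields false, so an override has to write the error response itself, and an override that returns true removes the only access check visible in this servlet. I would add `/** Access check for this servlet. An implementation that returns false must already have sent the error response; one that returns true unconditionally must rely on another layer for authentication and authorization. */` above the method.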
diff --git a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/http/TestHttpServer.java b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/http/TestHttpServer.java
index 64823fd743..ac03968c2d 100644
--- a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/http/TestHttpServer.java
+++ b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/http/TestHttpServer.java
@@ -414,7 +414,7 @@ public void testAuthorizationOfDefaultServlets() throws Exception { assertEquals(HttpURLConnection.HTTP_OK, getHttpStatusCode(serverURL + servlet, user)); }
- assertEquals(HttpURLConnection.HTTP_UNAUTHORIZED, getHttpStatusCode(
+ assertEquals(HttpURLConnection.HTTP_FORBIDDEN, getHttpStatusCode(
 serverURL + servlet, "userE")); } myServer.stop();
@@ -474,7 +474,7 @@ public void testHasAdministratorAccess() throws Exception { response = Mockito.mock(HttpServletResponse.class); conf.setBoolean(CommonConfigurationKeys.HADOOP_SECURITY_AUTHORIZATION, true); Assert.assertFalse(HttpServer2.hasAdministratorAccess(context, request, response));
- Mockito.verify(response).sendError(Mockito.eq(HttpServletResponse.SC_UNAUTHORIZED), Mockito.anyString());
+ Mockito.verify(response).sendError(Mockito.eq(HttpServletResponse.SC_FORBIDDEN), Mockito.anyString());
 //authorization ON & user NOT NULL & ACLs NULL response = Mockito.mock(HttpServletResponse.class);
@@ -487,7 +487,7 @@ public void testHasAdministratorAccess() throws Exception { Mockito.when(acls.isUserAllowed(Mockito.any())).thenReturn(false); Mockito.when(context.getAttribute(HttpServer2.ADMINS_ACL)).thenReturn(acls); Assert.assertFalse(HttpServer2.hasAdministratorAccess(context, request, response));
- Mockito.verify(response).sendError(Mockito.eq(HttpServletResponse.SC_UNAUTHORIZED), Mockito.anyString());
+ Mockito.verify(response).sendError(Mockito.eq(HttpServletResponse.SC_FORBIDDEN), Mockito.anyString());
 //authorization ON & user NOT NULL & ACLs NOT NULL & user in in ACLs response = Mockito.mock(HttpServletResponse.class);
diff --git a/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSJMXServlet.java b/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSJMXServlet.java
new file mode 100644
index 0000000000..c8556af193
--- /dev/null
+++ b/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSJMXServlet.java
@@ -0,0 +1,33 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.crypto.key.kms.server;
+
+import org.apache.hadoop.jmx.JMXJsonServlet;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
+
+public class KMSJMXServlet extends JMXJsonServlet {
+
+ @Override
+ protected boolean isInstrumentationAccessAllowed(HttpServletRequest request,
+ HttpServletResponse response) throws IOException {
+ return true;
+ }
+}
diff --git a/hadoop-common-project/hadoop-kms/src/main/webapp/WEB-INF/web.xml b/hadoop-common-project/hadoop-kms/src/main/webapp/WEB-INF/web.xml
index 4ec5cffc8a..d081764217 100644
--- a/hadoop-common-project/hadoop-kms/src/main/webapp/WEB-INF/web.xml
+++ b/hadoop-common-project/hadoop-kms/src/main/webapp/WEB-INF/web.xml
@@ -42,7 +42,7 @@ jmx-servlet
- org.apache.hadoop.jmx.JMXJsonServlet
+ org.apache.hadoop.crypto.key.kms.server.KMSJMXServlet
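Review bot: `KMSJMXServlet.isInstrumentationAccessAllowed` returns `true` unconditionally, so the KMS jmx-servlet no longer goes through `HttpServer2.isInstrumentationAccessAllowed` and has no access check of its own. Whatever protects it now has to come from the webapp, and the `web.xml` hunk in this patch only swaps the servlet class, so the filter or security-constraint mapping that covers this servlet should be confirmed before merging; JMX output generally carries JVM and configuration detail that a key management server should not serve to unauthenticated callers. The class also has no comment saying why the check is dropped; I would add one above the override, e.g. `// Access control is delegated to the KMS webapp's authentication filter; the HttpServer2 check is bypassed here.`, adjusted to the real reason.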