HADOOP-6590. Add a username check for hadoop sub-commands (John Smith via aw)

Allen Wittenauer 2014-12-10 13:41:28 -08:00
parent a7c6c710b2
commit c536142699
7 changed files with 28 additions and 0 deletions


@ -24,6 +24,8 @@ Trunk (Unreleased)
(Dexter Bradshaw, Mostafa Elhemali, Xi Fang, Johannes Klein, David Lao, (Dexter Bradshaw, Mostafa Elhemali, Xi Fang, Johannes Klein, David Lao,
Mike Liddell, Chuan Liu, Lengning Liu, Ivan Mitic, Michael Rys, Mike Liddell, Chuan Liu, Lengning Liu, Ivan Mitic, Michael Rys,
Alexander Stojanovich, Brian Swan, and Min Wei via cnauroth) Alexander Stojanovich, Brian Swan, and Min Wei via cnauroth)
HADOOP-6590. Add a username check for hadoop sub-commands (John Smith via aw)
IMPROVEMENTS IMPROVEMENTS


@ -179,6 +179,8 @@ case ${COMMAND} in
;; ;;
esac esac
hadoop_verify_user "${COMMAND}"
# Always respect HADOOP_OPTS and HADOOP_CLIENT_OPTS # Always respect HADOOP_OPTS and HADOOP_CLIENT_OPTS
hadoop_debug "Appending HADOOP_CLIENT_OPTS onto HADOOP_OPTS" hadoop_debug "Appending HADOOP_CLIENT_OPTS onto HADOOP_OPTS"
HADOOP_OPTS="${HADOOP_OPTS} ${HADOOP_CLIENT_OPTS}" HADOOP_OPTS="${HADOOP_OPTS} ${HADOOP_CLIENT_OPTS}"
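Review bot: `hadoop_verify_user "${COMMAND}"` passes the raw sub-command name, and the helper turns it into a variable name (`HADOOP_${command}_USER`) for indirect expansion. The `case` arms are outside this hunk, but if `COMMAND` can hold a value that is not a valid shell identifier (presumably a dotted class name or a hyphenated sub-command), `${!uservar}` raises an expansion error instead of skipping the check. Consider guarding the name inside the helper, e.g. `[[ ${uservar} =~ ^[A-Za-z_][A-Za-z0-9_]*$ ]] || return 0`, with a comment saying that such commands cannot be restricted. The same call is added after the `case` block in the three other launcher scripts on this page, so the guard belongs in the helper rather than at each call site.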


@ -1154,3 +1154,15 @@ function hadoop_secure_daemon_handler
esac esac
} }
function hadoop_verify_user
{
local command=$1
local uservar="HADOOP_${command}_USER"
if [[ -n ${!uservar} ]]; then
if [[ ${!uservar} != ${USER} ]]; then
hadoop_error "ERROR: ${command} can only be executed by ${!uservar}."
exit 1
fi
fi
}
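Review bot: The comparison in `hadoop_verify_user` trusts `${USER}`, an environment variable inherited from the caller. It can be unset (cron jobs and some init or container environments), which makes a legitimate run fail, and it can be set to any value, which makes the check pass for the wrong account. Asking the OS with `id -un` gives the effective user regardless of the environment. The right-hand side of `!=` inside `[[ ]]` is also unquoted, so its value is matched as a glob pattern rather than a literal string; quote both sides. The function has no header comment either; a short one should name the `HADOOP_<command>_USER` convention and state that a mismatch exits with status 1.

```bash
function hadoop_verify_user
{
  local command=$1
  local uservar="HADOOP_${command}_USER"
  local current_user

  # Resolve the effective user from the OS; ${USER} is inherited from the
  # caller's environment and may be unset or altered.
  if ! current_user=$(id -un); then
    hadoop_error "ERROR: cannot determine the current user."
    exit 1
  fi

  if [[ -n "${!uservar}" && "${!uservar}" != "${current_user}" ]]; then
    # … unchanged: hadoop_error message and exit 1 …
  fi
}
```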


@ -398,3 +398,9 @@ esac
# via this special env var: # via this special env var:
# export HADOOP_ENABLE_BUILD_PATHS="true" # export HADOOP_ENABLE_BUILD_PATHS="true"
#
# To prevent accidents, shell commands be (superficially) locked
# to only allow certain users to execute certain subcommands.
#
# For example, to limit who can execute the namenode command,
# export HADOOP_namenode_USER=hdfs
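Review bot: The first added comment line is missing a verb ("shell commands be (superficially) locked"), and the block does not say what the lock actually checks. Suggested wording: `# To prevent accidents, shell commands can be (superficially) locked` followed by `# to specific users. This is a convenience check in the launcher scripts,` and `# not an access control: anyone who can edit the environment can bypass it.` Operators reading this file then know that real restrictions still have to come from file permissions and service-level authorization. It would also help to state that the variable name uses the sub-command exactly as typed, as the lower-case `namenode` in the example implies.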


@ -247,6 +247,8 @@ case ${COMMAND} in
;; ;;
esac esac
hadoop_verify_user "${COMMAND}"
if [[ -n "${secure_service}" ]]; then if [[ -n "${secure_service}" ]]; then
HADOOP_SECURE_USER="${secure_user}" HADOOP_SECURE_USER="${secure_user}"
hadoop_verify_secure_prereq hadoop_verify_secure_prereq


@ -135,6 +135,8 @@ case ${COMMAND} in
;; ;;
esac esac
hadoop_verify_user "${COMMAND}"
daemon_outfile="${HADOOP_LOG_DIR}/hadoop-${HADOOP_IDENT_STRING}-${COMMAND}-${HOSTNAME}.out" daemon_outfile="${HADOOP_LOG_DIR}/hadoop-${HADOOP_IDENT_STRING}-${COMMAND}-${HOSTNAME}.out"
daemon_pidfile="${HADOOP_PID_DIR}/hadoop-${HADOOP_IDENT_STRING}-${COMMAND}.pid" daemon_pidfile="${HADOOP_PID_DIR}/hadoop-${HADOOP_IDENT_STRING}-${COMMAND}.pid"


@ -184,6 +184,8 @@ case "${COMMAND}" in
;; ;;
esac esac
hadoop_verify_user "${COMMAND}"
# set HADOOP_OPTS to YARN_OPTS so that we can use # set HADOOP_OPTS to YARN_OPTS so that we can use
# finalize, etc, without doing anything funky # finalize, etc, without doing anything funky
hadoop_debug "Resetting HADOOP_OPTS=YARN_OPTS" hadoop_debug "Resetting HADOOP_OPTS=YARN_OPTS"