HADOOP-8561. Introduce HADOOP_PROXY_USER for secure impersonation in child hadoop client processes. (Yu Gao via llu)
git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1422429 13f79535-47bb-0310-9956-ffa450edef68
parent
8329fae686
commit
db09dba7ae
@ -81,6 +81,7 @@ public class UserGroupInformation {
|
||||
*/
|
||||
private static final float TICKET_RENEW_WINDOW = 0.80f;
|
||||
static final String HADOOP_USER_NAME = "HADOOP_USER_NAME";
|
||||
static final String HADOOP_PROXY_USER = "HADOOP_PROXY_USER";
|
||||
|
||||
/**
|
||||
* UgiMetrics maintains UGI activity statistics
|
||||
@ -641,10 +642,18 @@ static UserGroupInformation getLoginUser() throws IOException {
|
||||
newLoginContext(authenticationMethod.getLoginAppName(),
|
||||
subject, new HadoopConfiguration());
|
||||
login.login();
|
||||
loginUser = new UserGroupInformation(subject);
|
||||
loginUser.setLogin(login);
|
||||
loginUser.setAuthenticationMethod(authenticationMethod);
|
||||
loginUser = new UserGroupInformation(login.getSubject());
|
||||
UserGroupInformation realUser = new UserGroupInformation(subject);
|
||||
realUser.setLogin(login);
|
||||
realUser.setAuthenticationMethod(authenticationMethod);
|
||||
realUser = new UserGroupInformation(login.getSubject());
|
||||
// If the HADOOP_PROXY_USER environment variable or property
|
||||
// is specified, create a proxy user as the logged in user.
|
||||
String proxyUser = System.getenv(HADOOP_PROXY_USER);
|
||||
if (proxyUser == null) {
|
||||
proxyUser = System.getProperty(HADOOP_PROXY_USER);
|
||||
}
|
||||
loginUser = proxyUser == null ? realUser : createProxyUser(proxyUser, realUser);
|
||||
|
||||
String fileLocation = System.getenv(HADOOP_TOKEN_FILE_LOCATION);
|
||||
if (fileLocation != null) {
|
||||
// load the token storage file and put all of the tokens into the
|
||||
|
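Review bot: In the getLoginUser hunk, the value read from `HADOOP_PROXY_USER` goes to `createProxyUser` with no empty-string check and no log line, so a process whose login identity was switched by an inherited environment variable leaves no local trace. I would treat an empty value as unset, e.g. `if (proxyUser != null && proxyUser.isEmpty()) proxyUser = null;`, and log once when the proxy identity is used, naming both the proxy user and the real user. The comment above the lookup should also state that the environment variable takes precedence over the system property, and that this only sets the client-side identity. Whether the real user may impersonate the named user is presumably still decided by the server's proxy-user authorization (the `hadoop.proxyuser.*` settings), which this hunk does not show. getLoginUser's body starts and ends outside the hunk.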
@ -0,0 +1,47 @@
|
||||
/**
|
||||
* Licensed to the Apache Software Foundation (ASF) under one or more
|
||||
* contributor license agreements. See the NOTICE file distributed with this
|
||||
* work for additional information regarding copyright ownership. The ASF
|
||||
* licenses this file to you under the Apache License, Version 2.0 (the
|
||||
* "License"); you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
* License for the specific language governing permissions and limitations under
|
||||
* the License.
|
||||
*/
|
||||
|
||||
package org.apache.hadoop.security;
|
||||
|
||||
import static org.junit.Assert.assertEquals;
|
||||
import static org.junit.Assert.assertNotNull;
|
||||
|
||||
import java.io.BufferedReader;
|
||||
import java.io.IOException;
|
||||
import java.io.InputStreamReader;
|
||||
|
||||
import org.junit.Test;
|
||||
|
||||
public class TestProxyUserFromEnv {
|
||||
/** Test HADOOP_PROXY_USER for impersonation */
|
||||
@Test
|
||||
public void testProxyUserFromEnvironment() throws IOException {
|
||||
String proxyUser = "foo.bar";
|
||||
System.setProperty(UserGroupInformation.HADOOP_PROXY_USER, proxyUser);
|
||||
UserGroupInformation ugi = UserGroupInformation.getLoginUser();
|
||||
assertEquals(proxyUser, ugi.getUserName());
|
||||
|
||||
UserGroupInformation realUgi = ugi.getRealUser();
|
||||
assertNotNull(realUgi);
|
||||
// get the expected real user name
|
||||
Process pp = Runtime.getRuntime().exec("whoami");
|
||||
BufferedReader br = new BufferedReader
|
||||
(new InputStreamReader(pp.getInputStream()));
|
||||
String realUser = br.readLine().trim();
|
||||
assertEquals(realUser, realUgi.getUserName());
|
||||
}
|
||||
}
|
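Review bot: The test sets the `HADOOP_PROXY_USER` system property and never clears it, so any later test in the same JVM that reaches `getLoginUser()` would see the proxy identity; wrap the body in `try { … } finally { System.clearProperty(UserGroupInformation.HADOOP_PROXY_USER); }`. The assertion on `ugi.getUserName()` also depends on the variable not being set in the test runner's environment, since the environment value is read before the property. If the login user is cached after the first call, which this page does not show, it further depends on no earlier test having initialised it. `br.readLine()` can return null when `whoami` produces no output, and neither the reader nor the process is closed; an `assertNotNull` on the line read and closing `br` in the finally block would replace a bare NullPointerException with a clear failure.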