HADOOP-13707. If kerberos is enabled while HTTP SPNEGO is not configured, some links cannot be accessed. Contributed by Yuanbo Liu.
This commit is contained in:
parent
026b39ad9d
commit
dbb133ccfc
@ -20,6 +20,7 @@
|
||||
import java.io.IOException;
|
||||
import java.io.Writer;
|
||||
|
||||
import javax.servlet.ServletContext;
|
||||
import javax.servlet.ServletException;
|
||||
import javax.servlet.http.HttpServlet;
|
||||
import javax.servlet.http.HttpServletRequest;
|
||||
@ -58,7 +59,12 @@ private Configuration getConfFromContext() {
|
||||
public void doGet(HttpServletRequest request, HttpServletResponse response)
|
||||
throws ServletException, IOException {
|
||||
|
||||
if (!HttpServer2.isInstrumentationAccessAllowed(getServletContext(),
|
||||
// If user is a static user and auth Type is null, that means
|
||||
// there is a non-security environment and no need authorization,
|
||||
// otherwise, do the authorization.
|
||||
final ServletContext servletContext = getServletContext();
|
||||
if (!HttpServer2.isStaticUserAndNoneAuthType(servletContext, request) &&
|
||||
!HttpServer2.isInstrumentationAccessAllowed(servletContext,
|
||||
request, response)) {
|
||||
return;
|
||||
}
|
||||
|
@ -19,6 +19,7 @@
|
||||
|
||||
import java.io.IOException;
|
||||
|
||||
import javax.servlet.ServletContext;
|
||||
import javax.servlet.ServletException;
|
||||
import javax.servlet.http.HttpServletRequest;
|
||||
import javax.servlet.http.HttpServletResponse;
|
||||
@ -35,9 +36,13 @@ public class AdminAuthorizedServlet extends DefaultServlet {
|
||||
|
||||
@Override
|
||||
protected void doGet(HttpServletRequest request, HttpServletResponse response)
|
||||
throws ServletException, IOException {
|
||||
// Do the authorization
|
||||
if (HttpServer2.hasAdministratorAccess(getServletContext(), request,
|
||||
throws ServletException, IOException {
|
||||
// If user is a static user and auth Type is null, that means
|
||||
// there is a non-security environment and no need authorization,
|
||||
// otherwise, do the authorization.
|
||||
final ServletContext servletContext = getServletContext();
|
||||
if (HttpServer2.isStaticUserAndNoneAuthType(servletContext, request) ||
|
||||
HttpServer2.hasAdministratorAccess(servletContext, request,
|
||||
response)) {
|
||||
// Authorization is done. Just call super.
|
||||
super.doGet(request, response);
|
||||
|
@ -98,6 +98,9 @@
|
||||
import com.sun.jersey.spi.container.servlet.ServletContainer;
|
||||
import org.eclipse.jetty.util.ssl.SslContextFactory;
|
||||
|
||||
import static org.apache.hadoop.fs.CommonConfigurationKeys.DEFAULT_HADOOP_HTTP_STATIC_USER;
|
||||
import static org.apache.hadoop.fs.CommonConfigurationKeys.HADOOP_HTTP_STATIC_USER;
|
||||
|
||||
/**
|
||||
* Create a Jetty embedded server to answer http requests. The primary goal is
|
||||
* to serve up status information for the server. There are three contexts:
|
||||
@ -1111,6 +1114,24 @@ public String toString() {
|
||||
return sb.toString();
|
||||
}
|
||||
|
||||
/**
|
||||
* check whether user is static and unauthenticated, if the
|
||||
* answer is TRUE, that means http sever is in non-security
|
||||
* environment.
|
||||
* @param servletContext the servlet context.
|
||||
* @param request the servlet request.
|
||||
* @return TRUE/FALSE based on the logic described above.
|
||||
*/
|
||||
public static boolean isStaticUserAndNoneAuthType(
|
||||
ServletContext servletContext, HttpServletRequest request) {
|
||||
Configuration conf =
|
||||
(Configuration) servletContext.getAttribute(CONF_CONTEXT_ATTRIBUTE);
|
||||
final String authType = request.getAuthType();
|
||||
final String staticUser = conf.get(HADOOP_HTTP_STATIC_USER,
|
||||
DEFAULT_HADOOP_HTTP_STATIC_USER);
|
||||
return authType == null && staticUser.equals(request.getRemoteUser());
|
||||
}
|
||||
|
||||
/**
|
||||
* Checks the user has privileges to access to instrumentation servlets.
|
||||
* <p/>
|
||||
@ -1208,9 +1229,14 @@ public static class StackServlet extends HttpServlet {
|
||||
|
||||
@Override
|
||||
public void doGet(HttpServletRequest request, HttpServletResponse response)
|
||||
throws ServletException, IOException {
|
||||
if (!HttpServer2.isInstrumentationAccessAllowed(getServletContext(),
|
||||
request, response)) {
|
||||
throws ServletException, IOException {
|
||||
// If user is a static user and auth Type is null, that means
|
||||
// there is a non-security environment and no need authorization,
|
||||
// otherwise, do the authorization.
|
||||
final ServletContext servletContext = getServletContext();
|
||||
if (!HttpServer2.isStaticUserAndNoneAuthType(servletContext, request) &&
|
||||
!HttpServer2.isInstrumentationAccessAllowed(servletContext,
|
||||
request, response)) {
|
||||
return;
|
||||
}
|
||||
response.setContentType("text/plain; charset=UTF-8");
|
||||
|
@ -38,6 +38,7 @@
|
||||
import javax.management.openmbean.CompositeData;
|
||||
import javax.management.openmbean.CompositeType;
|
||||
import javax.management.openmbean.TabularData;
|
||||
import javax.servlet.ServletContext;
|
||||
import javax.servlet.ServletException;
|
||||
import javax.servlet.http.HttpServlet;
|
||||
import javax.servlet.http.HttpServletRequest;
|
||||
@ -168,7 +169,12 @@ protected void doTrace(HttpServletRequest req, HttpServletResponse resp)
|
||||
@Override
|
||||
public void doGet(HttpServletRequest request, HttpServletResponse response) {
|
||||
try {
|
||||
if (!isInstrumentationAccessAllowed(request, response)) {
|
||||
// If user is a static user and auth Type is null, that means
|
||||
// there is a non-security environment and no need authorization,
|
||||
// otherwise, do the authorization.
|
||||
final ServletContext servletContext = getServletContext();
|
||||
if (!HttpServer2.isStaticUserAndNoneAuthType(servletContext, request) &&
|
||||
!isInstrumentationAccessAllowed(request, response)) {
|
||||
return;
|
||||
}
|
||||
JsonGenerator jg = null;
|
||||
|
@ -27,6 +27,7 @@
|
||||
|
||||
import javax.net.ssl.HttpsURLConnection;
|
||||
import javax.net.ssl.SSLSocketFactory;
|
||||
import javax.servlet.ServletContext;
|
||||
import javax.servlet.ServletException;
|
||||
import javax.servlet.http.HttpServlet;
|
||||
import javax.servlet.http.HttpServletRequest;
|
||||
@ -323,9 +324,13 @@ public static class Servlet extends HttpServlet {
|
||||
public void doGet(HttpServletRequest request, HttpServletResponse response
|
||||
) throws ServletException, IOException {
|
||||
|
||||
// Do the authorization
|
||||
if (!HttpServer2.hasAdministratorAccess(getServletContext(), request,
|
||||
response)) {
|
||||
// If user is a static user and auth Type is null, that means
|
||||
// there is a non-security environment and no need authorization,
|
||||
// otherwise, do the authorization.
|
||||
final ServletContext servletContext = getServletContext();
|
||||
if (!HttpServer2.isStaticUserAndNoneAuthType(servletContext, request) &&
|
||||
!HttpServer2.hasAdministratorAccess(servletContext,
|
||||
request, response)) {
|
||||
return;
|
||||
}
|
||||
|
||||
|
@ -67,6 +67,9 @@
|
||||
import java.util.concurrent.Executor;
|
||||
import java.util.concurrent.Executors;
|
||||
|
||||
import static org.apache.hadoop.fs.CommonConfigurationKeys.DEFAULT_HADOOP_HTTP_STATIC_USER;
|
||||
import static org.apache.hadoop.fs.CommonConfigurationKeys.HADOOP_HTTP_STATIC_USER;
|
||||
|
||||
public class TestHttpServer extends HttpServerFunctionalTest {
|
||||
static final Log LOG = LogFactory.getLog(TestHttpServer.class);
|
||||
private static HttpServer2 server;
|
||||
@ -459,7 +462,7 @@ public void testAuthorizationOfDefaultServlets() throws Exception {
|
||||
String serverURL = "http://"
|
||||
+ NetUtils.getHostPortString(myServer.getConnectorAddress(0)) + "/";
|
||||
for (String servlet : new String[] { "conf", "logs", "stacks",
|
||||
"logLevel" }) {
|
||||
"logLevel", "jmx" }) {
|
||||
for (String user : new String[] { "userA", "userB", "userC", "userD" }) {
|
||||
assertEquals(HttpURLConnection.HTTP_OK, getHttpStatusCode(serverURL
|
||||
+ servlet, user));
|
||||
@ -467,6 +470,18 @@ public void testAuthorizationOfDefaultServlets() throws Exception {
|
||||
assertEquals(HttpURLConnection.HTTP_FORBIDDEN, getHttpStatusCode(
|
||||
serverURL + servlet, "userE"));
|
||||
}
|
||||
|
||||
// hadoop.security.authorization is set as true while
|
||||
// hadoop.http.authentication.type's value is `simple`(default value)
|
||||
// in this case, static user has administrator access
|
||||
final String staticUser = conf.get(HADOOP_HTTP_STATIC_USER,
|
||||
DEFAULT_HADOOP_HTTP_STATIC_USER);
|
||||
for (String servlet : new String[] {"conf", "logs", "stacks",
|
||||
"logLevel", "jmx"}) {
|
||||
assertEquals(HttpURLConnection.HTTP_OK, getHttpStatusCode(
|
||||
serverURL + servlet, staticUser));
|
||||
}
|
||||
|
||||
myServer.stop();
|
||||
}
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user