HADOOP-8314. HttpServer#hasAdminAccess should return false if authorization is enabled but user is not authenticated. (tucu)
git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1330086 13f79535-47bb-0310-9956-ffa450edef68
This commit is contained in:
parent
ea32198db4
commit
e29ede3f72
@ -375,6 +375,9 @@ Release 2.0.0 - UNRELEASED
|
||||
HADOOP-8309. Pseudo & Kerberos AuthenticationHandler should use
|
||||
getType() to create token (tucu)
|
||||
|
||||
HADOOP-8314. HttpServer#hasAdminAccess should return false if
|
||||
authorization is enabled but user is not authenticated. (tucu)
|
||||
|
||||
BREAKDOWN OF HADOOP-7454 SUBTASKS
|
||||
|
||||
HADOOP-7455. HA: Introduce HA Service Protocol Interface. (suresh)
|
||||
|
@ -821,7 +821,10 @@ public static boolean hasAdministratorAccess(
|
||||
|
||||
String remoteUser = request.getRemoteUser();
|
||||
if (remoteUser == null) {
|
||||
return true;
|
||||
response.sendError(HttpServletResponse.SC_UNAUTHORIZED,
|
||||
"Unauthenticated users are not " +
|
||||
"authorized to access this page.");
|
||||
return false;
|
||||
}
|
||||
AccessControlList adminsAcl = (AccessControlList) servletContext
|
||||
.getAttribute(ADMINS_ACL);
|
||||
@ -830,9 +833,7 @@ public static boolean hasAdministratorAccess(
|
||||
if (adminsAcl != null) {
|
||||
if (!adminsAcl.isUserAllowed(remoteUserUGI)) {
|
||||
response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "User "
|
||||
+ remoteUser + " is unauthorized to access this page. "
|
||||
+ "AccessControlList for accessing this page : "
|
||||
+ adminsAcl.toString());
|
||||
+ remoteUser + " is unauthorized to access this page.");
|
||||
return false;
|
||||
}
|
||||
}
|
||||
|
@ -35,6 +35,7 @@
|
||||
import javax.servlet.Filter;
|
||||
import javax.servlet.FilterChain;
|
||||
import javax.servlet.FilterConfig;
|
||||
import javax.servlet.ServletContext;
|
||||
import javax.servlet.ServletException;
|
||||
import javax.servlet.ServletRequest;
|
||||
import javax.servlet.ServletResponse;
|
||||
@ -53,10 +54,12 @@
|
||||
import org.apache.hadoop.http.resource.JerseyResource;
|
||||
import org.apache.hadoop.security.Groups;
|
||||
import org.apache.hadoop.security.ShellBasedUnixGroupsMapping;
|
||||
import org.apache.hadoop.security.UserGroupInformation;
|
||||
import org.apache.hadoop.security.authorize.AccessControlList;
|
||||
import org.junit.AfterClass;
|
||||
import org.junit.BeforeClass;
|
||||
import org.junit.Test;
|
||||
import org.mockito.Mock;
|
||||
import org.mockito.Mockito;
|
||||
import org.mortbay.util.ajax.JSON;
|
||||
|
||||
@ -422,4 +425,46 @@ private static Map<String, Object> parse(String jsonString) {
|
||||
assertEquals("bar", m.get(JerseyResource.OP));
|
||||
LOG.info("END testJersey()");
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testHasAdministratorAccess() throws Exception {
|
||||
Configuration conf = new Configuration();
|
||||
conf.setBoolean(CommonConfigurationKeys.HADOOP_SECURITY_AUTHORIZATION, false);
|
||||
ServletContext context = Mockito.mock(ServletContext.class);
|
||||
Mockito.when(context.getAttribute(HttpServer.CONF_CONTEXT_ATTRIBUTE)).thenReturn(conf);
|
||||
Mockito.when(context.getAttribute(HttpServer.ADMINS_ACL)).thenReturn(null);
|
||||
HttpServletRequest request = Mockito.mock(HttpServletRequest.class);
|
||||
Mockito.when(request.getRemoteUser()).thenReturn(null);
|
||||
HttpServletResponse response = Mockito.mock(HttpServletResponse.class);
|
||||
|
||||
//authorization OFF
|
||||
Assert.assertTrue(HttpServer.hasAdministratorAccess(context, request, response));
|
||||
|
||||
//authorization ON & user NULL
|
||||
response = Mockito.mock(HttpServletResponse.class);
|
||||
conf.setBoolean(CommonConfigurationKeys.HADOOP_SECURITY_AUTHORIZATION, true);
|
||||
Assert.assertFalse(HttpServer.hasAdministratorAccess(context, request, response));
|
||||
Mockito.verify(response).sendError(Mockito.eq(HttpServletResponse.SC_UNAUTHORIZED), Mockito.anyString());
|
||||
|
||||
//authorization ON & user NOT NULL & ACLs NULL
|
||||
response = Mockito.mock(HttpServletResponse.class);
|
||||
Mockito.when(request.getRemoteUser()).thenReturn("foo");
|
||||
Assert.assertTrue(HttpServer.hasAdministratorAccess(context, request, response));
|
||||
|
||||
//authorization ON & user NOT NULL & ACLs NOT NULL & user not in ACLs
|
||||
response = Mockito.mock(HttpServletResponse.class);
|
||||
AccessControlList acls = Mockito.mock(AccessControlList.class);
|
||||
Mockito.when(acls.isUserAllowed(Mockito.<UserGroupInformation>any())).thenReturn(false);
|
||||
Mockito.when(context.getAttribute(HttpServer.ADMINS_ACL)).thenReturn(acls);
|
||||
Assert.assertFalse(HttpServer.hasAdministratorAccess(context, request, response));
|
||||
Mockito.verify(response).sendError(Mockito.eq(HttpServletResponse.SC_UNAUTHORIZED), Mockito.anyString());
|
||||
|
||||
//authorization ON & user NOT NULL & ACLs NOT NULL & user in in ACLs
|
||||
response = Mockito.mock(HttpServletResponse.class);
|
||||
Mockito.when(acls.isUserAllowed(Mockito.<UserGroupInformation>any())).thenReturn(true);
|
||||
Mockito.when(context.getAttribute(HttpServer.ADMINS_ACL)).thenReturn(acls);
|
||||
Assert.assertTrue(HttpServer.hasAdministratorAccess(context, request, response));
|
||||
|
||||
}
|
||||
|
||||
}
|
||||
|
Loading…
Reference in New Issue
Block a user