HADOOP-8314. HttpServer#hasAdminAccess should return false if authorization is enabled but user is not authenticated. (tucu)
git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1330086 13f79535-47bb-0310-9956-ffa450edef68
parent
ea32198db4
commit
e29ede3f72
@ -375,6 +375,9 @@ Release 2.0.0 - UNRELEASED
HADOOP-8309. Pseudo & Kerberos AuthenticationHandler should use
HADOOP-8309. Pseudo & Kerberos AuthenticationHandler should use
getType() to create token (tucu)
getType() to create token (tucu)
HADOOP-8314. HttpServer#hasAdminAccess should return false if
authorization is enabled but user is not authenticated. (tucu)
BREAKDOWN OF HADOOP-7454 SUBTASKS
BREAKDOWN OF HADOOP-7454 SUBTASKS
HADOOP-7455. HA: Introduce HA Service Protocol Interface. (suresh)
HADOOP-7455. HA: Introduce HA Service Protocol Interface. (suresh)
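--- a/HttpServer.java
+++ b/HttpServer.java
@@ -821,7 +821,10 @@ public static boolean hasAdministratorAccess(
 
 String remoteUser = request.getRemoteUser();
 if (remoteUser == null) {
-return true;
+response.sendError(HttpServletResponse.SC_UNAUTHORIZED,
+"Unauthenticated users are not " +
+"authorized to access this page.");
+return false;
 }
 AccessControlList adminsAcl = (AccessControlList) servletContext
 .getAttribute(ADMINS_ACL);
@@ -830,9 +833,7 @@ public static boolean hasAdministratorAccess(
 if (adminsAcl != null) {
 if (!adminsAcl.isUserAllowed(remoteUserUGI)) {
 response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "User "
-+ remoteUser + " is unauthorized to access this page. "
-+ "AccessControlList for accessing this page : "
-+ adminsAcl.toString());
++ remoteUser + " is unauthorized to access this page.");
 return false;
 }
 }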
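Review bot: The new `return false` in the first hunk only closes the anonymous case; with authorization on and no `ADMINS_ACL` attribute in the servlet context, the `if (adminsAcl != null)` guard in the second hunk still grants admin access to every authenticated principal, so an unconfigured ACL fails open rather than closed — if that is intended, state it above the guard, e.g. `// No ADMINS_ACL configured: any authenticated user is treated as an admin.` The ACL-denied branch in the second hunk also keeps answering `SC_UNAUTHORIZED` for a user who did authenticate, where `SC_FORBIDDEN` is the status that distinguishes "not authenticated" from "not authorized" (401 fits only the new unauthenticated branch, and strictly should be accompanied by a WWW-Authenticate challenge). Neither rejection is logged, so an operator cannot see repeated probes of admin pages; a `LOG.warn` naming the remote user and request URI before each `sendError` would help, assuming HttpServer already has a logger, which is not visible here. hasAdministratorAccess begins before the first hunk and its final return lies after the second.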
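--- a/TestHttpServer.java
+++ b/TestHttpServer.java
@@ -35,6 +35,7 @@
 import javax.servlet.Filter;
 import javax.servlet.FilterChain;
 import javax.servlet.FilterConfig;
+import javax.servlet.ServletContext;
 import javax.servlet.ServletException;
 import javax.servlet.ServletRequest;
 import javax.servlet.ServletResponse;
@@ -53,10 +54,12 @@
 import org.apache.hadoop.http.resource.JerseyResource;
 import org.apache.hadoop.security.Groups;
 import org.apache.hadoop.security.ShellBasedUnixGroupsMapping;
+import org.apache.hadoop.security.UserGroupInformation;
 import org.apache.hadoop.security.authorize.AccessControlList;
 import org.junit.AfterClass;
 import org.junit.BeforeClass;
 import org.junit.Test;
+import org.mockito.Mock;
 import org.mockito.Mockito;
 import org.mortbay.util.ajax.JSON;
 
@@ -422,4 +425,46 @@ private static Map<String, Object> parse(String jsonString) {
 assertEquals("bar", m.get(JerseyResource.OP));
 LOG.info("END testJersey()");
 }
+
+@Test
+public void testHasAdministratorAccess() throws Exception {
+Configuration conf = new Configuration();
+conf.setBoolean(CommonConfigurationKeys.HADOOP_SECURITY_AUTHORIZATION, false);
+ServletContext context = Mockito.mock(ServletContext.class);
+Mockito.when(context.getAttribute(HttpServer.CONF_CONTEXT_ATTRIBUTE)).thenReturn(conf);
+Mockito.when(context.getAttribute(HttpServer.ADMINS_ACL)).thenReturn(null);
+HttpServletRequest request = Mockito.mock(HttpServletRequest.class);
+Mockito.when(request.getRemoteUser()).thenReturn(null);
+HttpServletResponse response = Mockito.mock(HttpServletResponse.class);
+
+//authorization OFF
+Assert.assertTrue(HttpServer.hasAdministratorAccess(context, request, response));
+
+//authorization ON & user NULL
+response = Mockito.mock(HttpServletResponse.class);
+conf.setBoolean(CommonConfigurationKeys.HADOOP_SECURITY_AUTHORIZATION, true);
+Assert.assertFalse(HttpServer.hasAdministratorAccess(context, request, response));
+Mockito.verify(response).sendError(Mockito.eq(HttpServletResponse.SC_UNAUTHORIZED), Mockito.anyString());
+
+//authorization ON & user NOT NULL & ACLs NULL
+response = Mockito.mock(HttpServletResponse.class);
+Mockito.when(request.getRemoteUser()).thenReturn("foo");
+Assert.assertTrue(HttpServer.hasAdministratorAccess(context, request, response));
+
+//authorization ON & user NOT NULL & ACLs NOT NULL & user not in ACLs
+response = Mockito.mock(HttpServletResponse.class);
+AccessControlList acls = Mockito.mock(AccessControlList.class);
+Mockito.when(acls.isUserAllowed(Mockito.<UserGroupInformation>any())).thenReturn(false);
+Mockito.when(context.getAttribute(HttpServer.ADMINS_ACL)).thenReturn(acls);
+Assert.assertFalse(HttpServer.hasAdministratorAccess(context, request, response));
+Mockito.verify(response).sendError(Mockito.eq(HttpServletResponse.SC_UNAUTHORIZED), Mockito.anyString());
+
+//authorization ON & user NOT NULL & ACLs NOT NULL & user in in ACLs
+response = Mockito.mock(HttpServletResponse.class);
+Mockito.when(acls.isUserAllowed(Mockito.<UserGroupInformation>any())).thenReturn(true);
+Mockito.when(context.getAttribute(HttpServer.ADMINS_ACL)).thenReturn(acls);
+Assert.assertTrue(HttpServer.hasAdministratorAccess(context, request, response));
+
+}
+
 }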
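Review bot: The verify in the ACL-denied case matches `Mockito.anyString()`, so this test does not pin the message change the commit makes in HttpServer (dropping the ACL contents from the 401 body); `Mockito.verify(response).sendError(Mockito.eq(HttpServletResponse.SC_UNAUTHORIZED), Mockito.eq("User foo is unauthorized to access this page."));` would lock that in and catch a future re-leak of the ACL. The `//authorization ON & user NOT NULL & ACLs NULL` case asserts `true`, which records that an unset `ADMINS_ACL` fails open for any authenticated user — worth a comment saying that is deliberate, since a reader may take it for a missing assertion. `import org.mockito.Mock;` is added in the second hunk but the new test only uses `Mockito.mock(...)`; it looks unused unless a `@Mock` field exists elsewhere in the file, which is not visible here. Minor: the last case comment reads `user in in ACLs`.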