HADOOP-8098. KerberosAuthenticatorHandler should use _HOST replacement to resolve principal name (tucu)

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1294757 13f79535-47bb-0310-9956-ffa450edef68
This commit is contained in:
Alejandro Abdelnur 2012-02-28 18:26:53 +00:00
parent 7decf112c0
commit e43656c711
6 changed files with 32 additions and 5 deletions

View File

@ -154,6 +154,9 @@ Release 0.23.3 - UNRELEASED
HADOOP-8085. Add RPC metrics to ProtobufRpcEngine. (Hari Mankude via HADOOP-8085. Add RPC metrics to ProtobufRpcEngine. (Hari Mankude via
suresh) suresh)
HADOOP-8098. KerberosAuthenticatorHandler should use _HOST replacement to
resolve principal name (tucu)
OPTIMIZATIONS OPTIMIZATIONS
BUG FIXES BUG FIXES

View File

@ -111,7 +111,8 @@
<p><code>hadoop.http.authentication.kerberos.principal</code>: Indicates the Kerberos <p><code>hadoop.http.authentication.kerberos.principal</code>: Indicates the Kerberos
principal to be used for HTTP endpoint when using 'kerberos' authentication. principal to be used for HTTP endpoint when using 'kerberos' authentication.
The principal short name must be <code>HTTP</code> per Kerberos HTTP SPENGO specification. The principal short name must be <code>HTTP</code> per Kerberos HTTP SPENGO specification.
The default value is <code>HTTP/localhost@$LOCALHOST</code>. The default value is <code>HTTP/_HOST@$LOCALHOST</code>, where <code>_HOST</code> -if present-
is replaced with bind address of the HTTP server.
</p> </p>
<p><code>hadoop.http.authentication.kerberos.keytab</code>: Location of the keytab file <p><code>hadoop.http.authentication.kerberos.keytab</code>: Location of the keytab file

View File

@ -100,6 +100,8 @@ public class HttpServer implements FilterContainer {
public static final String CONF_CONTEXT_ATTRIBUTE = "hadoop.conf"; public static final String CONF_CONTEXT_ATTRIBUTE = "hadoop.conf";
static final String ADMINS_ACL = "admins.acl"; static final String ADMINS_ACL = "admins.acl";
public static final String BIND_ADDRESS = "bind.address";
private AccessControlList adminsAcl; private AccessControlList adminsAcl;
protected final Server webServer; protected final Server webServer;
@ -243,6 +245,8 @@ public HttpServer(String name, String bindAddress, int port,
addGlobalFilter("safety", QuotingInputFilter.class.getName(), null); addGlobalFilter("safety", QuotingInputFilter.class.getName(), null);
final FilterInitializer[] initializers = getFilterInitializers(conf); final FilterInitializer[] initializers = getFilterInitializers(conf);
if (initializers != null) { if (initializers != null) {
conf = new Configuration(conf);
conf.set(BIND_ADDRESS, bindAddress);
for(FilterInitializer c : initializers) { for(FilterInitializer c : initializers) {
c.initFilter(this, conf); c.initFilter(this, conf);
} }

View File

@ -17,10 +17,12 @@
*/ */
package org.apache.hadoop.security; package org.apache.hadoop.security;
import org.apache.hadoop.http.HttpServer;
import org.apache.hadoop.security.authentication.server.AuthenticationFilter; import org.apache.hadoop.security.authentication.server.AuthenticationFilter;
import org.apache.hadoop.conf.Configuration; import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.http.FilterContainer; import org.apache.hadoop.http.FilterContainer;
import org.apache.hadoop.http.FilterInitializer; import org.apache.hadoop.http.FilterInitializer;
import org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler;
import java.io.FileReader; import java.io.FileReader;
import java.io.IOException; import java.io.IOException;
@ -91,6 +93,19 @@ public void initFilter(FilterContainer container, Configuration conf) {
throw new RuntimeException("Could not read HTTP signature secret file: " + signatureSecretFile); throw new RuntimeException("Could not read HTTP signature secret file: " + signatureSecretFile);
} }
//Resolve _HOST into bind address
String bindAddress = conf.get(HttpServer.BIND_ADDRESS);
String principal = filterConfig.get(KerberosAuthenticationHandler.PRINCIPAL);
if (principal != null) {
try {
principal = SecurityUtil.getServerPrincipal(principal, bindAddress);
}
catch (IOException ex) {
throw new RuntimeException("Could not resolve Kerberos principal name: " + ex.toString(), ex);
}
filterConfig.put(KerberosAuthenticationHandler.PRINCIPAL, principal);
}
container.addFilter("authentication", container.addFilter("authentication",
AuthenticationFilter.class.getName(), AuthenticationFilter.class.getName(),
filterConfig); filterConfig);

View File

@ -833,7 +833,7 @@
<property> <property>
<name>hadoop.http.authentication.kerberos.principal</name> <name>hadoop.http.authentication.kerberos.principal</name>
<value>HTTP/localhost@LOCALHOST</value> <value>HTTP/_HOST@LOCALHOST</value>
<description> <description>
Indicates the Kerberos principal to be used for HTTP endpoint. Indicates the Kerberos principal to be used for HTTP endpoint.
The principal MUST start with 'HTTP/' as per Kerberos HTTP SPNEGO specification. The principal MUST start with 'HTTP/' as per Kerberos HTTP SPNEGO specification.

View File

@ -18,9 +18,11 @@
import junit.framework.TestCase; import junit.framework.TestCase;
import org.apache.hadoop.http.HttpServer;
import org.apache.hadoop.security.authentication.server.AuthenticationFilter; import org.apache.hadoop.security.authentication.server.AuthenticationFilter;
import org.apache.hadoop.conf.Configuration; import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.http.FilterContainer; import org.apache.hadoop.http.FilterContainer;
import org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler;
import org.mockito.Mockito; import org.mockito.Mockito;
import org.mockito.invocation.InvocationOnMock; import org.mockito.invocation.InvocationOnMock;
import org.mockito.stubbing.Answer; import org.mockito.stubbing.Answer;
@ -48,6 +50,8 @@ public void testConfiguration() throws Exception {
AuthenticationFilterInitializer.SIGNATURE_SECRET_FILE, AuthenticationFilterInitializer.SIGNATURE_SECRET_FILE,
secretFile.getAbsolutePath()); secretFile.getAbsolutePath());
conf.set(HttpServer.BIND_ADDRESS, "barhost");
FilterContainer container = Mockito.mock(FilterContainer.class); FilterContainer container = Mockito.mock(FilterContainer.class);
Mockito.doAnswer( Mockito.doAnswer(
new Answer() { new Answer() {
@ -67,7 +71,7 @@ public Object answer(InvocationOnMock invocationOnMock)
assertEquals("hadoop", conf.get("signature.secret")); assertEquals("hadoop", conf.get("signature.secret"));
assertNull(conf.get("cookie.domain")); assertNull(conf.get("cookie.domain"));
assertEquals("true", conf.get("simple.anonymous.allowed")); assertEquals("true", conf.get("simple.anonymous.allowed"));
assertEquals("HTTP/localhost@LOCALHOST", assertEquals("HTTP/barhost@LOCALHOST",
conf.get("kerberos.principal")); conf.get("kerberos.principal"));
assertEquals(System.getProperty("user.home") + assertEquals(System.getProperty("user.home") +
"/hadoop.keytab", conf.get("kerberos.keytab")); "/hadoop.keytab", conf.get("kerberos.keytab"));