HDFS-16979. RBF: Add proxyuser port in hdfsauditlog (#5552). Contributed by liuguanghua.

Reviewed-by: Inigo Goiri <inigoiri@apache.org>
Reviewed-by: Simbarashe Dzinamarira <sdzinamarira@linkedin.com>
Signed-off-by: Ayush Saxena <ayushsaxena@apache.org>
LiuGuH 2023-05-19 07:32:16 +08:00 committed by GitHub
parent bba663038d
commit f6770dee47
3 changed files with 21 additions and 2 deletions


@ -50,7 +50,7 @@ public final class CallerContext {
public static final String CLIENT_ID_STR = "clientId"; public static final String CLIENT_ID_STR = "clientId";
public static final String CLIENT_CALL_ID_STR = "clientCallId"; public static final String CLIENT_CALL_ID_STR = "clientCallId";
public static final String REAL_USER_STR = "realUser"; public static final String REAL_USER_STR = "realUser";
public static final String PROXY_USER_PORT = "proxyUserPort";
/** The caller context. /** The caller context.
* *
* It will be truncated if it exceeds the maximum allowed length in * It will be truncated if it exceeds the maximum allowed length in
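Review bot: The new public constant `PROXY_USER_PORT` drops the `_STR` suffix that its visible neighbours use (`CLIENT_ID_STR`, `CLIENT_CALL_ID_STR`, `REAL_USER_STR`), and it has no Javadoc. Since it is a public member of a public final class, the name is hard to change after release; consider `PROXY_USER_PORT_STR` with a comment such as `/** Caller-context key for the remote port recorded when a call carries a real user. */`. The rest of the class is outside this hunk, so other constants may follow a different convention.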


@ -17,6 +17,8 @@
*/ */
package org.apache.hadoop.hdfs.server.federation.router; package org.apache.hadoop.hdfs.server.federation.router;
import static org.apache.hadoop.fs.CommonConfigurationKeysPublic.HADOOP_CALLER_CONTEXT_MAX_SIZE_KEY;
import static org.apache.hadoop.hdfs.DFSConfigKeys.DFS_NAMENODE_AUDIT_LOG_WITH_REMOTE_PORT_KEY;
import static org.apache.hadoop.hdfs.DFSConfigKeys.DFS_NAMENODE_REDUNDANCY_CONSIDERLOAD_KEY; import static org.apache.hadoop.hdfs.DFSConfigKeys.DFS_NAMENODE_REDUNDANCY_CONSIDERLOAD_KEY;
import static org.apache.hadoop.hdfs.server.federation.FederationTestUtils.addDirectory; import static org.apache.hadoop.hdfs.server.federation.FederationTestUtils.addDirectory;
import static org.apache.hadoop.hdfs.server.federation.FederationTestUtils.countContents; import static org.apache.hadoop.hdfs.server.federation.FederationTestUtils.countContents;
@ -25,6 +27,7 @@
import static org.apache.hadoop.hdfs.server.federation.FederationTestUtils.getFileStatus; import static org.apache.hadoop.hdfs.server.federation.FederationTestUtils.getFileStatus;
import static org.apache.hadoop.hdfs.server.federation.FederationTestUtils.verifyFileExists; import static org.apache.hadoop.hdfs.server.federation.FederationTestUtils.verifyFileExists;
import static org.apache.hadoop.hdfs.server.federation.MiniRouterDFSCluster.TEST_STRING; import static org.apache.hadoop.hdfs.server.federation.MiniRouterDFSCluster.TEST_STRING;
import static org.apache.hadoop.ipc.CallerContext.PROXY_USER_PORT;
import static org.apache.hadoop.test.GenericTestUtils.assertExceptionContains; import static org.apache.hadoop.test.GenericTestUtils.assertExceptionContains;
import static org.assertj.core.api.Assertions.assertThat; import static org.assertj.core.api.Assertions.assertThat;
import static org.junit.Assert.assertArrayEquals; import static org.junit.Assert.assertArrayEquals;
@ -209,10 +212,12 @@ public static void globalSetUp() throws Exception {
Configuration namenodeConf = new Configuration(); Configuration namenodeConf = new Configuration();
namenodeConf.setBoolean(DFSConfigKeys.HADOOP_CALLER_CONTEXT_ENABLED_KEY, namenodeConf.setBoolean(DFSConfigKeys.HADOOP_CALLER_CONTEXT_ENABLED_KEY,
true); true);
namenodeConf.set(HADOOP_CALLER_CONTEXT_MAX_SIZE_KEY, "256");
// It's very easy to become overloaded for some specific dn in this small // It's very easy to become overloaded for some specific dn in this small
// cluster, which will cause the EC file block allocation failure. To avoid // cluster, which will cause the EC file block allocation failure. To avoid
// this issue, we disable considerLoad option. // this issue, we disable considerLoad option.
namenodeConf.setBoolean(DFS_NAMENODE_REDUNDANCY_CONSIDERLOAD_KEY, false); namenodeConf.setBoolean(DFS_NAMENODE_REDUNDANCY_CONSIDERLOAD_KEY, false);
namenodeConf.setBoolean(DFS_NAMENODE_AUDIT_LOG_WITH_REMOTE_PORT_KEY, true);
cluster = new MiniRouterDFSCluster(false, NUM_SUBCLUSTERS); cluster = new MiniRouterDFSCluster(false, NUM_SUBCLUSTERS);
cluster.setNumDatanodesPerNameservice(NUM_DNS); cluster.setNumDatanodesPerNameservice(NUM_DNS);
cluster.addNamenodeOverrides(namenodeConf); cluster.addNamenodeOverrides(namenodeConf);
@ -2116,6 +2121,8 @@ public void testRealUserPropagationInCallerContext()
// Real user is added to the caller context. // Real user is added to the caller context.
assertTrue("The audit log should contain the real user.", assertTrue("The audit log should contain the real user.",
logOutput.contains(String.format("realUser:%s", realUser.getUserName()))); logOutput.contains(String.format("realUser:%s", realUser.getUserName())));
assertTrue("The audit log should contain the proxyuser port.",
logOutput.contains(PROXY_USER_PORT));
} }
@Test @Test
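Review bot: The added assertion in testRealUserPropagationInCallerContext checks only that the key name appears in the audit output, `logOutput.contains(PROXY_USER_PORT)`, so it would still pass with an empty or malformed value. The realUser assertion just above it checks `realUser:%s`; this one should likewise check key and value, for example by matching `proxyUserPort:\d+`. In globalSetUp, `namenodeConf.set(HADOOP_CALLER_CONTEXT_MAX_SIZE_KEY, "256")` is unexplained. If the reason is that the extra field would otherwise be truncated, say so with `// Raise the limit so the appended proxyUserPort field is not truncated.` Both methods begin outside the hunks shown.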


@ -452,7 +452,7 @@ private void logAuditEvent(boolean succeeded,
} }
private void appendClientPortToCallerContextIfAbsent() { private void appendClientPortToCallerContextIfAbsent() {
final CallerContext ctx = CallerContext.getCurrent(); CallerContext ctx = CallerContext.getCurrent();
if (isClientPortInfoAbsent(ctx)) { if (isClientPortInfoAbsent(ctx)) {
String origContext = ctx == null ? null : ctx.getContext(); String origContext = ctx == null ? null : ctx.getContext();
byte[] origSignature = ctx == null ? null : ctx.getSignature(); byte[] origSignature = ctx == null ? null : ctx.getSignature();
@ -462,6 +462,14 @@ private void appendClientPortToCallerContextIfAbsent() {
.setSignature(origSignature) .setSignature(origSignature)
.build()); .build());
} }
ctx = CallerContext.getCurrent();
if (isFromProxyUser(ctx)) {
CallerContext.setCurrent(
new CallerContext.Builder(ctx.getContext(), contextFieldSeparator)
.append(CallerContext.PROXY_USER_PORT, String.valueOf(Server.getRemotePort()))
.setSignature(ctx.getSignature())
.build());
}
} }
private boolean isClientPortInfoAbsent(CallerContext ctx){ private boolean isClientPortInfoAbsent(CallerContext ctx){
@ -469,6 +477,10 @@ private boolean isClientPortInfoAbsent(CallerContext ctx){
|| !ctx.getContext().contains(CallerContext.CLIENT_PORT_STR); || !ctx.getContext().contains(CallerContext.CLIENT_PORT_STR);
} }
private boolean isFromProxyUser(CallerContext ctx) {
return ctx != null && ctx.getContext() != null &&
ctx.getContext().contains(CallerContext.REAL_USER_STR);
}
/** /**
* Logger for audit events, noting successful FSNamesystem operations. Emits * Logger for audit events, noting successful FSNamesystem operations. Emits
* to FSNamesystem.audit at INFO. Each event causes a set of tab-separated * to FSNamesystem.audit at INFO. Each event causes a set of tab-separated
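Review bot: `isFromProxyUser` decides on a substring match, `ctx.getContext().contains(CallerContext.REAL_USER_STR)`, over a caller context that the RPC client supplies. Any context that merely contains the text `realUser`, inside another value or sent by a caller that is not a router, therefore gets a `proxyUserPort` entry in the audit log. The new block in appendClientPortToCallerContextIfAbsent also has no absence guard, unlike the `clientPort` block above it, so the field is appended again if the method runs more than once for a call, and a `proxyUserPort` value already present in the incoming context is kept next to the appended one. Match the exact key rather than a substring, and add a comment on `isFromProxyUser` such as `// Caller context is client-supplied; this is a hint for audit readers, not an authenticated signal.` so the field is not read as proof of proxying. The method body is only partly visible in these hunks.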