HDFS-14006. Refactor name node to allow different token verification implementations. Contributed by CR Hota.

Giovanni Matteo Fumarola 2018-12-14 11:10:54 -08:00
parent f858f18554
commit 00d5e631b5
4 changed files with 53 additions and 5 deletions


@ -23,7 +23,6 @@ import org.slf4j.LoggerFactory;
import org.apache.hadoop.classification.InterfaceAudience; import org.apache.hadoop.classification.InterfaceAudience;
import org.apache.hadoop.conf.Configuration; import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.hdfs.security.token.delegation.DelegationTokenIdentifier; import org.apache.hadoop.hdfs.security.token.delegation.DelegationTokenIdentifier;
import org.apache.hadoop.hdfs.server.namenode.NameNode;
import org.apache.hadoop.hdfs.server.namenode.NameNodeHttpServer; import org.apache.hadoop.hdfs.server.namenode.NameNodeHttpServer;
import org.apache.hadoop.hdfs.web.resources.DelegationParam; import org.apache.hadoop.hdfs.web.resources.DelegationParam;
import org.apache.hadoop.hdfs.web.resources.DoAsParam; import org.apache.hadoop.hdfs.web.resources.DoAsParam;
@ -176,10 +175,11 @@ public class JspHelper {
DelegationTokenIdentifier id = new DelegationTokenIdentifier(); DelegationTokenIdentifier id = new DelegationTokenIdentifier();
id.readFields(in); id.readFields(in);
if (context != null) { if (context != null) {
final NameNode nn = NameNodeHttpServer.getNameNodeFromContext(context); final TokenVerifier<DelegationTokenIdentifier> tokenVerifier =
if (nn != null) { NameNodeHttpServer.getTokenVerifierFromContext(context);
if (tokenVerifier != null) {
// Verify the token. // Verify the token.
nn.getNamesystem().verifyToken(id, token.getPassword()); tokenVerifier.verifyToken(id, token.getPassword());
} }
} }
UserGroupInformation ugi = id.getUser(); UserGroupInformation ugi = id.getUser();
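Review bot: When `context` is null or `getTokenVerifierFromContext` returns null, the `if (tokenVerifier != null)` branch is skipped and execution continues to `id.getUser()`, so the identity comes from a token whose password was never checked. The same fail-open path existed with the NameNode lookup, but now that the verifier is pluggable, a server that does not register one under the context attribute gets no verification and no signal. If skipping is intended for contexts that host no verifier, say so in a comment such as `// No verifier registered in this context: the token is decoded but not authenticated here.` and log the skip; otherwise throw an IOException when the verifier is absent. The enclosing method starts and ends outside the hunk.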


@ -0,0 +1,35 @@
/**
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.apache.hadoop.hdfs.server.common;
import java.io.IOException;
import org.apache.hadoop.security.token.delegation.AbstractDelegationTokenIdentifier;
/**
* Interface to verify delegation tokens passed through WebHDFS.
* Implementations are intercepted by JspHelper that pass delegation token
* for verification.
*/
public interface TokenVerifier<T extends AbstractDelegationTokenIdentifier> {
/* Verify delegation token passed through WebHDFS
* Name node, Router implement this for JspHelper to verify token
*/
void verifyToken(T t, byte[] password) throws IOException;
}
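Review bot: The comment on `verifyToken` is a plain `/* ... */` block, so it is not picked up as Javadoc, and it does not state the contract callers rely on. The JspHelper call site in this commit treats a normal return as "token is valid", so an implementation has to reject a bad identifier or password by throwing. Suggested replacement: `/** Verifies the identifier against the supplied password; must throw IOException if the token is not valid, because a normal return is treated as success. */`, plus `@param` and `@throws` tags. The interface also carries no `@InterfaceAudience` annotation, unlike the NameNode class shown in this commit.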


@ -47,6 +47,7 @@ import org.apache.hadoop.hdfs.client.HdfsClientConfigKeys;
import org.apache.hadoop.hdfs.protocol.ClientProtocol; import org.apache.hadoop.hdfs.protocol.ClientProtocol;
import org.apache.hadoop.hdfs.protocol.HdfsConstants; import org.apache.hadoop.hdfs.protocol.HdfsConstants;
import org.apache.hadoop.hdfs.protocol.HdfsConstants.StoragePolicySatisfierMode; import org.apache.hadoop.hdfs.protocol.HdfsConstants.StoragePolicySatisfierMode;
import org.apache.hadoop.hdfs.security.token.delegation.DelegationTokenIdentifier;
import org.apache.hadoop.hdfs.server.aliasmap.InMemoryAliasMap; import org.apache.hadoop.hdfs.server.aliasmap.InMemoryAliasMap;
import org.apache.hadoop.hdfs.server.aliasmap.InMemoryLevelDBAliasMapServer; import org.apache.hadoop.hdfs.server.aliasmap.InMemoryLevelDBAliasMapServer;
import org.apache.hadoop.hdfs.server.blockmanagement.DatanodeManager; import org.apache.hadoop.hdfs.server.blockmanagement.DatanodeManager;
@ -55,6 +56,7 @@ import org.apache.hadoop.hdfs.server.common.HdfsServerConstants.RollingUpgradeSt
import org.apache.hadoop.hdfs.server.common.HdfsServerConstants.StartupOption; import org.apache.hadoop.hdfs.server.common.HdfsServerConstants.StartupOption;
import org.apache.hadoop.hdfs.server.common.MetricsLoggerTask; import org.apache.hadoop.hdfs.server.common.MetricsLoggerTask;
import org.apache.hadoop.hdfs.server.common.Storage.StorageDirectory; import org.apache.hadoop.hdfs.server.common.Storage.StorageDirectory;
import org.apache.hadoop.hdfs.server.common.TokenVerifier;
import org.apache.hadoop.hdfs.server.namenode.ha.ActiveState; import org.apache.hadoop.hdfs.server.namenode.ha.ActiveState;
import org.apache.hadoop.hdfs.server.namenode.ha.BootstrapStandby; import org.apache.hadoop.hdfs.server.namenode.ha.BootstrapStandby;
import org.apache.hadoop.hdfs.server.namenode.ha.HAContext; import org.apache.hadoop.hdfs.server.namenode.ha.HAContext;
@ -208,7 +210,7 @@ import static org.apache.hadoop.fs.CommonConfigurationKeys.IPC_BACKOFF_ENABLE_DE
**********************************************************/ **********************************************************/
@InterfaceAudience.Private @InterfaceAudience.Private
public class NameNode extends ReconfigurableBase implements public class NameNode extends ReconfigurableBase implements
NameNodeStatusMXBean { NameNodeStatusMXBean, TokenVerifier<DelegationTokenIdentifier> {
static{ static{
HdfsConfiguration.init(); HdfsConfiguration.init();
} }
@ -656,6 +658,11 @@ public class NameNode extends ReconfigurableBase implements
return (ugi != null) ? ugi : UserGroupInformation.getCurrentUser(); return (ugi != null) ? ugi : UserGroupInformation.getCurrentUser();
} }
@Override
public void verifyToken(DelegationTokenIdentifier id, byte[] password)
throws IOException {
namesystem.verifyToken(id, password);
}
/** /**
* Login as the configured user for the NameNode. * Login as the configured user for the NameNode.
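Review bot: The new `verifyToken` override dereferences the `namesystem` field with no null check. If a WebHDFS request can arrive while that field is unset (startup and shutdown ordering is not visible in this hunk), the caller sees a NullPointerException rather than the IOException the interface declares. A guard such as `if (namesystem == null) { throw new IOException("Namesystem is not available"); }` keeps the failure on the declared path and still rejects the request. The public method also has no Javadoc; a one-line `/** Verifies a WebHDFS delegation token by delegating to the namesystem. */` would do.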


@ -38,6 +38,7 @@ import org.apache.hadoop.hdfs.DFSUtil;
import org.apache.hadoop.hdfs.client.HdfsClientConfigKeys; import org.apache.hadoop.hdfs.client.HdfsClientConfigKeys;
import org.apache.hadoop.hdfs.server.aliasmap.InMemoryAliasMap; import org.apache.hadoop.hdfs.server.aliasmap.InMemoryAliasMap;
import org.apache.hadoop.hdfs.server.common.JspHelper; import org.apache.hadoop.hdfs.server.common.JspHelper;
import org.apache.hadoop.hdfs.server.common.TokenVerifier;
import org.apache.hadoop.hdfs.server.namenode.startupprogress.StartupProgress; import org.apache.hadoop.hdfs.server.namenode.startupprogress.StartupProgress;
import org.apache.hadoop.hdfs.server.namenode.web.resources.NamenodeWebHdfsMethods; import org.apache.hadoop.hdfs.server.namenode.web.resources.NamenodeWebHdfsMethods;
import org.apache.hadoop.hdfs.web.AuthFilter; import org.apache.hadoop.hdfs.web.AuthFilter;
@ -319,6 +320,11 @@ public class NameNodeHttpServer {
return (NameNode)context.getAttribute(NAMENODE_ATTRIBUTE_KEY); return (NameNode)context.getAttribute(NAMENODE_ATTRIBUTE_KEY);
} }
public static TokenVerifier
getTokenVerifierFromContext(ServletContext context) {
return (TokenVerifier) context.getAttribute(NAMENODE_ATTRIBUTE_KEY);
}
static Configuration getConfFromContext(ServletContext context) { static Configuration getConfFromContext(ServletContext context) {
return (Configuration)context.getAttribute(JspHelper.CURRENT_CONF); return (Configuration)context.getAttribute(JspHelper.CURRENT_CONF);
} }
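Review bot: `getTokenVerifierFromContext` returns the raw type `TokenVerifier` and casts whatever is stored under `NAMENODE_ATTRIBUTE_KEY`, which pushes an unchecked conversion onto the JspHelper caller that assigns it to `TokenVerifier<DelegationTokenIdentifier>`. Declaring the return type as `TokenVerifier<DelegationTokenIdentifier>` with a narrowly scoped `@SuppressWarnings("unchecked")` on the cast keeps that warning in one place; it needs the DelegationTokenIdentifier import, which this hunk does not show being added. The method also returns null when the attribute is missing, and the caller then skips verification, so a short Javadoc stating that null means "no verifier registered" would make the contract explicit. Since the point of the refactor is to allow other implementations, a key not named after the NameNode may be clearer, though that depends on code outside this page.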