From 05b8e8f7c17a7d011a6a918179ee2f112a436759 Mon Sep 17 00:00:00 2001
From: Chris Nauroth
Date: Mon, 16 Jun 2014 20:30:04 +0000
Subject: [PATCH] HADOOP-10683. Users authenticated with KERBEROS are recorded as being authenticated with SIMPLE. Contributed by Benoy Antony.
git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1602991 13f79535-47bb-0310-9956-ffa450edef68
---
 hadoop-common-project/hadoop-common/CHANGES.txt | 3 +++
 .../main/java/org/apache/hadoop/ipc/Server.java | 2 +-
 .../hadoop/security/UserGroupInformation.java | 14 +++++++++++++-
 .../hadoop/security/TestUserGroupInformation.java | 14 ++++++++++++++
 4 files changed, 31 insertions(+), 2 deletions(-)
diff --git a/hadoop-common-project/hadoop-common/CHANGES.txt b/hadoop-common-project/hadoop-common/CHANGES.txt
index 18137a081cf..d5f19cd4e61 100644
--- a/hadoop-common-project/hadoop-common/CHANGES.txt
+++ b/hadoop-common-project/hadoop-common/CHANGES.txt
@@ -553,6 +553,9 @@ Release 2.5.0 - UNRELEASED HADOOP-10678. SecurityUtil has unnecessary synchronization on collection used for only tests. (Benoy Antony via cnauroth) + HADOOP-10683. Users authenticated with KERBEROS are recorded as being + authenticated with SIMPLE. (Benoy Antony via cnauroth) + BREAKDOWN OF HADOOP-10514 SUBTASKS AND RELATED JIRAS HADOOP-10520. Extended attributes definition and FileSystem APIs for
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/ipc/Server.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/ipc/Server.java
index f1afe192c8d..0f11c97c9eb 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/ipc/Server.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/ipc/Server.java
@@ -1221,7 +1221,7 @@ public abstract class Server {
 ugi.addTokenIdentifier(tokenId);
 return ugi;
 } else {
- return UserGroupInformation.createRemoteUser(authorizedId);
+ return UserGroupInformation.createRemoteUser(authorizedId, authMethod);
 }
 }
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/UserGroupInformation.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/UserGroupInformation.java
index af552a798b1..1b024eb13ed 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/UserGroupInformation.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/UserGroupInformation.java
@@ -1157,13 +1157,25 @@ public class UserGroupInformation {
 @InterfaceAudience.Public
 @InterfaceStability.Evolving
 public static UserGroupInformation createRemoteUser(String user) {
+ return createRemoteUser(user, AuthMethod.SIMPLE);
+ }
+
+ /**
+ * Create a user from a login name. It is intended to be used for remote
+ * users in RPC, since it won't have any credentials.
+ * @param user the full user principal name, must not be empty or null
+ * @return the UserGroupInformation for the remote user.
+ */
+ @InterfaceAudience.Public
+ @InterfaceStability.Evolving
+ public static UserGroupInformation createRemoteUser(String user, AuthMethod authMethod) {
 if (user == null || user.isEmpty()) {
 throw new IllegalArgumentException("Null user");
 }
 Subject subject = new Subject();
 subject.getPrincipals().add(new User(user));
 UserGroupInformation result = new UserGroupInformation(subject);
- result.setAuthenticationMethod(AuthenticationMethod.SIMPLE);
+ result.setAuthenticationMethod(authMethod);
 return result;
 }
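Review bot: The new public overload `createRemoteUser(String user, AuthMethod authMethod)` validates `user` but hands `authMethod` to `setAuthenticationMethod` unchecked, and its Javadoc is a copy of the one-argument text with no `@param authMethod`. The method records whatever mechanism the caller asserts rather than verifying it, so the Javadoc should say that, for example `@param authMethod the mechanism the caller has already verified for this user; recorded as-is and shown in toString() as (auth:...)`. A guard such as `if (authMethod == null) { throw new IllegalArgumentException("Null authMethod"); }` would stop a missing value from being recorded as an unintended method; what `setAuthenticationMethod` does with null is not visible in this hunk. The one-argument overload still records SIMPLE, so any other call site that authenticated the user by a stronger mechanism (none are visible here) would need the same change as the Server.java hunk.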
diff --git a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestUserGroupInformation.java b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestUserGroupInformation.java
index ed277627389..d6767825723 100644
--- a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestUserGroupInformation.java
+++ b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestUserGroupInformation.java
@@ -20,6 +20,7 @@ import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.fs.CommonConfigurationKeysPublic;
 import org.apache.hadoop.io.Text;
 import org.apache.hadoop.metrics2.MetricsRecordBuilder;
+import org.apache.hadoop.security.SaslRpcServer.AuthMethod;
 import org.apache.hadoop.security.UserGroupInformation.AuthenticationMethod;
 import org.apache.hadoop.security.authentication.util.KerberosName;
 import org.apache.hadoop.security.token.Token;
@@ -31,6 +32,7 @@ import javax.security.auth.Subject;
 import javax.security.auth.kerberos.KerberosPrincipal;
 import javax.security.auth.login.AppConfigurationEntry;
 import javax.security.auth.login.LoginContext;
+
 import java.io.BufferedReader;
 import java.io.IOException;
 import java.io.InputStreamReader;
@@ -151,6 +153,18 @@ public class TestUserGroupInformation {
 assertEquals(AuthenticationMethod.PROXY, ugi.getAuthenticationMethod());
 assertEquals(AuthenticationMethod.SIMPLE, ugi.getRealAuthenticationMethod());
 }
+
+ @Test (timeout = 30000)
+ public void testCreateRemoteUser() {
+ UserGroupInformation ugi = UserGroupInformation.createRemoteUser("user1");
+ assertEquals(AuthenticationMethod.SIMPLE, ugi.getAuthenticationMethod());
+ assertTrue (ugi.toString().contains("(auth:SIMPLE)"));
+ ugi = UserGroupInformation.createRemoteUser("user1",
+ AuthMethod.KERBEROS);
+ assertEquals(AuthenticationMethod.KERBEROS, ugi.getAuthenticationMethod());
+ assertTrue (ugi.toString().contains("(auth:KERBEROS)"));
+ }
+
 /** Test login method */
 @Test (timeout = 30000)
 public void testLogin() throws Exception {
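Review bot: `testCreateRemoteUser` pins only the SIMPLE and KERBEROS happy paths, so the argument validation in the two-argument overload is untested. A companion case annotated `@Test (timeout = 30000, expected = IllegalArgumentException.class)` whose body is `UserGroupInformation.createRemoteUser("", AuthMethod.KERBEROS);` would cover the empty-user rejection, and a similar case would document what a null `authMethod` does. The two `assertTrue (ugi.toString().contains(...))` checks carry no failure message; passing `ugi.toString()` as the first argument would show the actual label if it regresses. The body of `testLogin` continues outside the hunk.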