Apache
/
hadoop
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

HADOOP-10301. Merge r1582883 from trunk. 

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/branches/branch-2@1582884 13f79535-47bb-0310-9956-ffa450edef68
This commit is contained in:
Jing Zhao 2014-03-28 21:22:39 +00:00
parent d8c11dc781
commit 0da50f6074
4 changed files with 113 additions and 22 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/AuthenticationFilter.java
View File

@ -332,7 +332,8 @@ protected AuthenticationToken getToken(HttpServletRequest request) throws IOExce
public void doFilter(ServletRequest request, ServletResponse response, FilterChain filterChain)
throws IOException, ServletException {
boolean unauthorizedResponse = true;
String unauthorizedMsg = "";
int errCode = HttpServletResponse.SC_UNAUTHORIZED;
AuthenticationException authenticationEx = null;
HttpServletRequest httpRequest = (HttpServletRequest) request;
HttpServletResponse httpResponse = (HttpServletResponse) response;
boolean isHttps = "https".equals(httpRequest.getScheme());
@ -344,6 +345,8 @@ public void doFilter(ServletRequest request, ServletResponse response, FilterCha
}
catch (AuthenticationException ex) {
LOG.warn("AuthenticationToken ignored: " + ex.getMessage());
// will be sent back in a 401 unless filter authenticates
authenticationEx = ex;
token = null;
}
if (authHandler.managementOperation(token, httpRequest, httpResponse)) {
@ -392,15 +395,20 @@ public Principal getUserPrincipal() {
unauthorizedResponse = false;
}
} catch (AuthenticationException ex) {
unauthorizedMsg = ex.toString();
// exception from the filter itself is fatal
errCode = HttpServletResponse.SC_FORBIDDEN;
authenticationEx = ex;
LOG.warn("Authentication exception: " + ex.getMessage(), ex);
}
if (unauthorizedResponse) {
if (!httpResponse.isCommitted()) {
createAuthCookie(httpResponse, "", getCookieDomain(),
getCookiePath(), 0, isHttps);
httpResponse.sendError(HttpServletResponse.SC_UNAUTHORIZED,
unauthorizedMsg);
if (authenticationEx == null) {
httpResponse.sendError(errCode, "Authentication required");
} else {
httpResponse.sendError(errCode, authenticationEx.getMessage());
}
}
}
}

3
hadoop-common-project/hadoop-auth/src/test/java/org/apache/hadoop/security/authentication/client/TestPseudoAuthenticator.java
View File

@ -63,7 +63,8 @@ public void testAnonymousDisallowed() throws Exception {
URL url = new URL(auth.getBaseURL());
HttpURLConnection conn = (HttpURLConnection) url.openConnection();
conn.connect();
Assert.assertEquals(HttpURLConnection.HTTP_UNAUTHORIZED, conn.getResponseCode());
Assert.assertEquals(HttpURLConnection.HTTP_FORBIDDEN, conn.getResponseCode());
Assert.assertEquals("Anonymous requests are disallowed", conn.getResponseMessage());
} finally {
auth.stop();
}

113
hadoop-common-project/hadoop-auth/src/test/java/org/apache/hadoop/security/authentication/server/TestAuthenticationFilter.java
View File

@ -14,8 +14,10 @@
package org.apache.hadoop.security.authentication.server;
import java.io.IOException;
import java.net.HttpCookie;
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.Properties;
import java.util.Vector;
@ -130,7 +132,11 @@ public AuthenticationToken authenticate(HttpServletRequest request, HttpServletR
token = new AuthenticationToken("u", "p", "t");
token.setExpires((expired) ? 0 : System.currentTimeMillis() + TOKEN_VALIDITY_SEC);
} else {
response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
if (request.getHeader("WWW-Authenticate") == null) {
response.setHeader("WWW-Authenticate", "dummyauth");
} else {
throw new AuthenticationException("AUTH FAILED");
}
}
return token;
}
@ -303,7 +309,8 @@ public void testGetTokenExpired() throws Exception {
"management.operation.return")).elements());
filter.init(config);
AuthenticationToken token = new AuthenticationToken("u", "p", "invalidtype");
AuthenticationToken token =
new AuthenticationToken("u", "p", DummyAuthenticationHandler.TYPE);
token.setExpires(System.currentTimeMillis() - TOKEN_VALIDITY_SEC);
Signer signer = new Signer("secret".getBytes());
String tokenSigned = signer.sign(token.toString());
@ -312,13 +319,14 @@ public void testGetTokenExpired() throws Exception {
HttpServletRequest request = Mockito.mock(HttpServletRequest.class);
Mockito.when(request.getCookies()).thenReturn(new Cookie[]{cookie});
boolean failed = false;
try {
filter.getToken(request);
Assert.fail();
} catch (AuthenticationException ex) {
// Expected
} catch (Exception ex) {
Assert.fail();
Assert.assertEquals("AuthenticationToken expired", ex.getMessage());
failed = true;
} finally {
Assert.assertTrue("token not expired", failed);
}
} finally {
filter.destroy();
@ -351,13 +359,14 @@ public void testGetTokenInvalidType() throws Exception {
HttpServletRequest request = Mockito.mock(HttpServletRequest.class);
Mockito.when(request.getCookies()).thenReturn(new Cookie[]{cookie});
boolean failed = false;
try {
filter.getToken(request);
Assert.fail();
} catch (AuthenticationException ex) {
// Expected
} catch (Exception ex) {
Assert.fail();
Assert.assertEquals("Invalid AuthenticationToken type", ex.getMessage());
failed = true;
} finally {
Assert.assertTrue("token not invalid type", failed);
}
} finally {
filter.destroy();
@ -398,7 +407,9 @@ public Object answer(InvocationOnMock invocation) throws Throwable {
filter.doFilter(request, response, chain);
Mockito.verify(response).setStatus(HttpServletResponse.SC_UNAUTHORIZED);
Mockito.verify(response).sendError(
HttpServletResponse.SC_UNAUTHORIZED, "Authentication required");
Mockito.verify(response).setHeader("WWW-Authenticate", "dummyauth");
} finally {
filter.destroy();
}
@ -468,10 +479,10 @@ public Object answer(InvocationOnMock invocation) throws Throwable {
if (expired) {
Mockito.verify(response, Mockito.never()).
addCookie(Mockito.any(Cookie.class));
addHeader(Mockito.eq("Set-Cookie"), Mockito.anyString());
} else {
String v = cookieMap.get(AuthenticatedURL.AUTH_COOKIE);
Assert.assertNotNull(v);
Assert.assertNotNull("cookie missing", v);
Assert.assertTrue(v.contains("u=") && v.contains("p=") && v.contains
("t=") && v.contains("e=") && v.contains("s="));
Mockito.verify(chain).doFilter(Mockito.any(ServletRequest.class),
@ -586,7 +597,7 @@ public Object answer(InvocationOnMock invocation) throws Throwable {
}
@Test
public void testDoFilterAuthenticatedExpired() throws Exception {
public void testDoFilterAuthenticationFailure() throws Exception {
AuthenticationFilter filter = new AuthenticationFilter();
try {
FilterConfig config = Mockito.mock(FilterConfig.class);
@ -600,12 +611,75 @@ public void testDoFilterAuthenticatedExpired() throws Exception {
"management.operation.return")).elements());
filter.init(config);
HttpServletRequest request = Mockito.mock(HttpServletRequest.class);
Mockito.when(request.getRequestURL()).thenReturn(new StringBuffer("http://foo:8080/bar"));
Mockito.when(request.getCookies()).thenReturn(new Cookie[]{});
Mockito.when(request.getHeader("WWW-Authenticate")).thenReturn("dummyauth");
HttpServletResponse response = Mockito.mock(HttpServletResponse.class);
FilterChain chain = Mockito.mock(FilterChain.class);
final HashMap<String, String> cookieMap = new HashMap<String, String>();
Mockito.doAnswer(
new Answer<Object>() {
@Override
public Object answer(InvocationOnMock invocation) throws Throwable {
Object[] args = invocation.getArguments();
parseCookieMap((String) args[1], cookieMap);
return null;
}
}
).when(response).addHeader(Mockito.eq("Set-Cookie"), Mockito.anyString());
Mockito.doAnswer(
new Answer<Object>() {
@Override
public Object answer(InvocationOnMock invocation) throws Throwable {
Assert.fail("shouldn't get here");
return null;
}
}
).when(chain).doFilter(Mockito.<ServletRequest>anyObject(), Mockito.<ServletResponse>anyObject());
filter.doFilter(request, response, chain);
Mockito.verify(response).sendError(
HttpServletResponse.SC_FORBIDDEN, "AUTH FAILED");
Mockito.verify(response, Mockito.never()).setHeader(Mockito.eq("WWW-Authenticate"), Mockito.anyString());
String value = cookieMap.get(AuthenticatedURL.AUTH_COOKIE);
Assert.assertNotNull("cookie missing", value);
Assert.assertEquals("", value);
} finally {
filter.destroy();
}
}
@Test
public void testDoFilterAuthenticatedExpired() throws Exception {
String secret = "secret";
AuthenticationFilter filter = new AuthenticationFilter();
try {
FilterConfig config = Mockito.mock(FilterConfig.class);
Mockito.when(config.getInitParameter("management.operation.return")).
thenReturn("true");
Mockito.when(config.getInitParameter(AuthenticationFilter.AUTH_TYPE)).thenReturn(
DummyAuthenticationHandler.class.getName());
Mockito.when(config.getInitParameter(AuthenticationFilter.SIGNATURE_SECRET)).thenReturn(
secret);
Mockito.when(config.getInitParameterNames()).thenReturn(
new Vector<String>(
Arrays.asList(AuthenticationFilter.AUTH_TYPE,
AuthenticationFilter.SIGNATURE_SECRET,
"management.operation.return")).elements());
filter.init(config);
HttpServletRequest request = Mockito.mock(HttpServletRequest.class);
Mockito.when(request.getRequestURL()).thenReturn(new StringBuffer("http://foo:8080/bar"));
AuthenticationToken token = new AuthenticationToken("u", "p", DummyAuthenticationHandler.TYPE);
token.setExpires(System.currentTimeMillis() - TOKEN_VALIDITY_SEC);
Signer signer = new Signer("secret".getBytes());
Signer signer = new Signer(secret.getBytes());
String tokenSigned = signer.sign(token.toString());
Cookie cookie = new Cookie(AuthenticatedURL.AUTH_COOKIE, tokenSigned);
@ -643,12 +717,14 @@ public Object answer(InvocationOnMock invocation) throws Throwable {
Mockito.verify(chain, Mockito.never()).doFilter(Mockito.any
(ServletRequest.class), Mockito.any(ServletResponse.class));
Assert.assertTrue(cookieMap.containsKey(AuthenticatedURL.AUTH_COOKIE));
Assert.assertTrue("cookie is missing",
cookieMap.containsKey(AuthenticatedURL.AUTH_COOKIE));
Assert.assertEquals("", cookieMap.get(AuthenticatedURL.AUTH_COOKIE));
}
@Test
public void testDoFilterAuthenticatedInvalidType() throws Exception {
String secret = "secret";
AuthenticationFilter filter = new AuthenticationFilter();
try {
FilterConfig config = Mockito.mock(FilterConfig.class);
@ -656,9 +732,12 @@ public void testDoFilterAuthenticatedInvalidType() throws Exception {
thenReturn("true");
Mockito.when(config.getInitParameter(AuthenticationFilter.AUTH_TYPE)).thenReturn(
DummyAuthenticationHandler.class.getName());
Mockito.when(config.getInitParameter(AuthenticationFilter.SIGNATURE_SECRET)).thenReturn(
secret);
Mockito.when(config.getInitParameterNames()).thenReturn(
new Vector<String>(
Arrays.asList(AuthenticationFilter.AUTH_TYPE,
AuthenticationFilter.SIGNATURE_SECRET,
"management.operation.return")).elements());
filter.init(config);
@ -667,7 +746,7 @@ public void testDoFilterAuthenticatedInvalidType() throws Exception {
AuthenticationToken token = new AuthenticationToken("u", "p", "invalidtype");
token.setExpires(System.currentTimeMillis() + TOKEN_VALIDITY_SEC);
Signer signer = new Signer("secret".getBytes());
Signer signer = new Signer(secret.getBytes());
String tokenSigned = signer.sign(token.toString());
Cookie cookie = new Cookie(AuthenticatedURL.AUTH_COOKIE, tokenSigned);

3
hadoop-common-project/hadoop-common/CHANGES.txt
View File

@ -167,6 +167,9 @@ Release 2.4.0 - UNRELEASED
HADOOP-10450. Build zlib native code bindings in hadoop.dll for Windows.
(cnauroth)
HADOOP-10301. AuthenticationFilter should return Forbidden for failed
authentication. (Daryn Sharp via jing9)
BREAKDOWN OF HADOOP-10184 SUBTASKS AND RELATED JIRAS
HADOOP-10185. FileSystem API for ACLs. (cnauroth)