HADOOP-14001. Improve delegation token validity checking.

(cherry picked from commit 1763467210)
(cherry picked from commit c6c29d0080)
Akira Ajisaka 2017-01-19 17:56:39 +09:00
parent a6625e69a2
commit 1cf20b37ed
2 changed files with 5 additions and 3 deletions


@ -110,6 +110,8 @@ Release 2.7.4 - UNRELEASED
HADOOP-13839. Fix outdated tracing documentation. HADOOP-13839. Fix outdated tracing documentation.
(Elek, Marton via iwasakims) (Elek, Marton via iwasakims)
HADOOP-14001. Improve delegation token validity checking. (aajisaka)
Release 2.7.3 - 2016-08-25 Release 2.7.3 - 2016-08-25
INCOMPATIBLE CHANGES INCOMPATIBLE CHANGES


@ -21,7 +21,7 @@ package org.apache.hadoop.security.token.delegation;
import java.io.ByteArrayInputStream; import java.io.ByteArrayInputStream;
import java.io.DataInputStream; import java.io.DataInputStream;
import java.io.IOException; import java.io.IOException;
import java.util.Arrays; import java.security.MessageDigest;
import java.util.HashMap; import java.util.HashMap;
import java.util.HashSet; import java.util.HashSet;
import java.util.Iterator; import java.util.Iterator;
@ -446,7 +446,7 @@ extends AbstractDelegationTokenIdentifier>
public synchronized void verifyToken(TokenIdent identifier, byte[] password) public synchronized void verifyToken(TokenIdent identifier, byte[] password)
throws InvalidToken { throws InvalidToken {
byte[] storedPassword = retrievePassword(identifier); byte[] storedPassword = retrievePassword(identifier);
if (!Arrays.equals(password, storedPassword)) { if (!MessageDigest.isEqual(password, storedPassword)) {
throw new InvalidToken("token (" + identifier throw new InvalidToken("token (" + identifier
+ ") is invalid, password doesn't match"); + ") is invalid, password doesn't match");
} }
@ -489,7 +489,7 @@ extends AbstractDelegationTokenIdentifier>
+ " with sequenceNumber=" + id.getSequenceNumber()); + " with sequenceNumber=" + id.getSequenceNumber());
} }
byte[] password = createPassword(token.getIdentifier(), key.getKey()); byte[] password = createPassword(token.getIdentifier(), key.getKey());
if (!Arrays.equals(password, token.getPassword())) { if (!MessageDigest.isEqual(password, token.getPassword())) {
throw new AccessControlException(renewer + throw new AccessControlException(renewer +
" is trying to renew a token with wrong password"); " is trying to renew a token with wrong password");
} }
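Review bot: The null-handling contract of the two changed comparisons (`verifyToken` and the renew path) may differ from the `Arrays.equals` calls they replace. `Arrays.equals` treats a null array as simply unequal, whereas `MessageDigest.isEqual` in some older JDK releases dereferences its arguments without a null check. If that applies to the minimum JDK of this branch, a null `password` or `token.getPassword()` would surface as a NullPointerException rather than `InvalidToken` / `AccessControlException`, so this is worth confirming. If it cannot be ruled out, guard explicitly, e.g. `if (password == null || !MessageDigest.isEqual(password, storedPassword)) {`. I would also add a comment above each comparison, such as `// Constant-time compare to avoid a timing side channel; do not revert to Arrays.equals.`, and a unit test for the mismatch and null cases, since the commit touches no test file. Both enclosing methods extend beyond the hunks shown, so any null checks made outside them are not visible here.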