HADOOP-16457. Fixed Kerberos activation in ServiceAuthorizationManager.

Contributed by Prabhu Joseph
This commit is contained in:
Eric Yang 2019-08-06 17:04:17 -04:00
parent f51702d539
commit 22430c10e2
2 changed files with 69 additions and 15 deletions


@ -98,9 +98,10 @@ public class ServiceAuthorizationManager {
" is not known."); " is not known.");
} }
String clientPrincipal = null;
if (UserGroupInformation.isSecurityEnabled()) {
// get client principal key to verify (if available) // get client principal key to verify (if available)
KerberosInfo krbInfo = SecurityUtil.getKerberosInfo(protocol, conf); KerberosInfo krbInfo = SecurityUtil.getKerberosInfo(protocol, conf);
String clientPrincipal = null;
if (krbInfo != null) { if (krbInfo != null) {
String clientKey = krbInfo.clientPrincipal(); String clientKey = krbInfo.clientPrincipal();
if (clientKey != null && !clientKey.isEmpty()) { if (clientKey != null && !clientKey.isEmpty()) {
@ -115,6 +116,7 @@ public class ServiceAuthorizationManager {
} }
} }
} }
}
if((clientPrincipal != null && !clientPrincipal.equals(user.getUserName())) || if((clientPrincipal != null && !clientPrincipal.equals(user.getUserName())) ||
acls.length != 2 || !acls[0].isUserAllowed(user) || acls[1].isUserAllowed(user)) { acls.length != 2 || !acls[0].isUserAllowed(user) || acls[1].isUserAllowed(user)) {
String cause = clientPrincipal != null ? String cause = clientPrincipal != null ?
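Review bot: The new `if (UserGroupInformation.isSecurityEnabled())` guard around the KerberosInfo lookup carries no comment, so a reader of `authorize` could read it as relaxing the check rather than as the reason the principal comparison is only meaningful under Kerberos. The condition that follows still compares `clientPrincipal` against `user.getUserName()`, and in simple auth there is no Kerberos identity for that comparison to succeed against, which is presumably why the lookup is now skipped. I would add above the guard: `// Simple auth carries no Kerberos identity, so the configured client principal` / `// is only resolved (and enforced in the check below) when security is enabled.` The enclosing `authorize` method starts before the first hunk and ends after the second.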


@ -20,13 +20,18 @@ package org.apache.hadoop.security.authorize;
import static org.junit.Assert.assertEquals; import static org.junit.Assert.assertEquals;
import static org.junit.Assert.fail; import static org.junit.Assert.fail;
import java.lang.annotation.Annotation;
import java.net.InetAddress; import java.net.InetAddress;
import java.net.UnknownHostException; import java.net.UnknownHostException;
import org.apache.hadoop.conf.Configuration; import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.CommonConfigurationKeys; import org.apache.hadoop.fs.CommonConfigurationKeys;
import org.apache.hadoop.ipc.TestRPC.TestProtocol; import org.apache.hadoop.ipc.TestRPC.TestProtocol;
import org.apache.hadoop.security.KerberosInfo;
import org.apache.hadoop.security.SecurityInfo;
import org.apache.hadoop.security.SecurityUtil;
import org.apache.hadoop.security.UserGroupInformation; import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.token.TokenInfo;
import org.junit.Test; import org.junit.Test;
public class TestServiceAuthorization { public class TestServiceAuthorization {
@ -52,6 +57,53 @@ public class TestServiceAuthorization {
} }
} }
private static class CustomSecurityInfo extends SecurityInfo {
@Override
public KerberosInfo getKerberosInfo(Class<?> protocol,
Configuration conf) {
return new KerberosInfo() {
@Override
public Class<? extends Annotation> annotationType() {
return null;
}
@Override
public String serverPrincipal() {
return null;
}
@Override
public String clientPrincipal() {
return "dfs.datanode.kerberos.principal";
}
};
}
@Override
public TokenInfo getTokenInfo(Class<?> protocol, Configuration conf) {
return null;
}
}
@Test
public void testWithClientPrincipalOnUnsecureMode()
throws UnknownHostException {
UserGroupInformation hdfsUser = UserGroupInformation.createUserForTesting(
"hdfs", new String[] {"hadoop"});
ServiceAuthorizationManager serviceAuthorizationManager =
new ServiceAuthorizationManager();
SecurityUtil.setSecurityInfoProviders(new CustomSecurityInfo());
Configuration conf = new Configuration();
conf.set("dfs.datanode.kerberos.principal", "dn/_HOST@EXAMPLE.COM");
conf.set(ACL_CONFIG, "user1 hadoop");
serviceAuthorizationManager.refresh(conf, new TestPolicyProvider());
try {
serviceAuthorizationManager.authorize(hdfsUser, TestProtocol.class, conf,
InetAddress.getByName(ADDRESS));
} catch (AuthorizationException e) {
fail();
}
}
@Test @Test
public void testDefaultAcl() { public void testDefaultAcl() {
ServiceAuthorizationManager serviceAuthorizationManager = ServiceAuthorizationManager serviceAuthorizationManager =