HADOOP-16457. Fixed Kerberos activation in ServiceAuthorizationManager.
Contributed by Prabhu Joseph
parent
f51702d539
commit
22430c10e2
@ -98,9 +98,10 @@ public class ServiceAuthorizationManager {
|
||||||
" is not known.");
|
" is not known.");
|
||||||
}
|
}
|
||||||
|
|
||||||
|
String clientPrincipal = null;
|
||||||
|
if (UserGroupInformation.isSecurityEnabled()) {
|
||||||
// get client principal key to verify (if available)
|
// get client principal key to verify (if available)
|
||||||
KerberosInfo krbInfo = SecurityUtil.getKerberosInfo(protocol, conf);
|
KerberosInfo krbInfo = SecurityUtil.getKerberosInfo(protocol, conf);
|
||||||
String clientPrincipal = null;
|
|
||||||
if (krbInfo != null) {
|
if (krbInfo != null) {
|
||||||
String clientKey = krbInfo.clientPrincipal();
|
String clientKey = krbInfo.clientPrincipal();
|
||||||
if (clientKey != null && !clientKey.isEmpty()) {
|
if (clientKey != null && !clientKey.isEmpty()) {
|
||||||
|
@ -115,6 +116,7 @@ public class ServiceAuthorizationManager {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
}
|
||||||
if((clientPrincipal != null && !clientPrincipal.equals(user.getUserName())) ||
|
if((clientPrincipal != null && !clientPrincipal.equals(user.getUserName())) ||
|
||||||
acls.length != 2 || !acls[0].isUserAllowed(user) || acls[1].isUserAllowed(user)) {
|
acls.length != 2 || !acls[0].isUserAllowed(user) || acls[1].isUserAllowed(user)) {
|
||||||
String cause = clientPrincipal != null ?
|
String cause = clientPrincipal != null ?
|
||||||
|
|
|
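Review bot: `UserGroupInformation.isSecurityEnabled()` on the new `if` line is process-wide UGI state, while the Kerberos info on the following lines is resolved from the `conf` argument, so the two can disagree when a caller passes a configuration other than the one UGI was initialised with (the new test, which builds its own `Configuration`, relies on exactly that). The intent deserves a comment above the new `if`, e.g. `// Only verify the expected Kerberos client principal when security is on; in simple auth there is no authenticated principal to compare, so clientPrincipal stays null and only the ACL check applies.` The enclosing `authorize` method starts before and ends after this hunk, and the second hunk in this file only closes the new block.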
@ -20,13 +20,18 @@ package org.apache.hadoop.security.authorize;
|
||||||
import static org.junit.Assert.assertEquals;
|
import static org.junit.Assert.assertEquals;
|
||||||
import static org.junit.Assert.fail;
|
import static org.junit.Assert.fail;
|
||||||
|
|
||||||
|
import java.lang.annotation.Annotation;
|
||||||
import java.net.InetAddress;
|
import java.net.InetAddress;
|
||||||
import java.net.UnknownHostException;
|
import java.net.UnknownHostException;
|
||||||
|
|
||||||
import org.apache.hadoop.conf.Configuration;
|
import org.apache.hadoop.conf.Configuration;
|
||||||
import org.apache.hadoop.fs.CommonConfigurationKeys;
|
import org.apache.hadoop.fs.CommonConfigurationKeys;
|
||||||
import org.apache.hadoop.ipc.TestRPC.TestProtocol;
|
import org.apache.hadoop.ipc.TestRPC.TestProtocol;
|
||||||
|
import org.apache.hadoop.security.KerberosInfo;
|
||||||
|
import org.apache.hadoop.security.SecurityInfo;
|
||||||
|
import org.apache.hadoop.security.SecurityUtil;
|
||||||
import org.apache.hadoop.security.UserGroupInformation;
|
import org.apache.hadoop.security.UserGroupInformation;
|
||||||
|
import org.apache.hadoop.security.token.TokenInfo;
|
||||||
import org.junit.Test;
|
import org.junit.Test;
|
||||||
|
|
||||||
public class TestServiceAuthorization {
|
public class TestServiceAuthorization {
|
||||||
|
@ -52,6 +57,53 @@ public class TestServiceAuthorization {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
private static class CustomSecurityInfo extends SecurityInfo {
|
||||||
|
@Override
|
||||||
|
public KerberosInfo getKerberosInfo(Class<?> protocol,
|
||||||
|
Configuration conf) {
|
||||||
|
return new KerberosInfo() {
|
||||||
|
@Override
|
||||||
|
public Class<? extends Annotation> annotationType() {
|
||||||
|
return null;
|
||||||
|
}
|
||||||
|
@Override
|
||||||
|
public String serverPrincipal() {
|
||||||
|
return null;
|
||||||
|
}
|
||||||
|
@Override
|
||||||
|
public String clientPrincipal() {
|
||||||
|
return "dfs.datanode.kerberos.principal";
|
||||||
|
}
|
||||||
|
};
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public TokenInfo getTokenInfo(Class<?> protocol, Configuration conf) {
|
||||||
|
return null;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
public void testWithClientPrincipalOnUnsecureMode()
|
||||||
|
throws UnknownHostException {
|
||||||
|
UserGroupInformation hdfsUser = UserGroupInformation.createUserForTesting(
|
||||||
|
"hdfs", new String[] {"hadoop"});
|
||||||
|
ServiceAuthorizationManager serviceAuthorizationManager =
|
||||||
|
new ServiceAuthorizationManager();
|
||||||
|
SecurityUtil.setSecurityInfoProviders(new CustomSecurityInfo());
|
||||||
|
|
||||||
|
Configuration conf = new Configuration();
|
||||||
|
conf.set("dfs.datanode.kerberos.principal", "dn/_HOST@EXAMPLE.COM");
|
||||||
|
conf.set(ACL_CONFIG, "user1 hadoop");
|
||||||
|
serviceAuthorizationManager.refresh(conf, new TestPolicyProvider());
|
||||||
|
try {
|
||||||
|
serviceAuthorizationManager.authorize(hdfsUser, TestProtocol.class, conf,
|
||||||
|
InetAddress.getByName(ADDRESS));
|
||||||
|
} catch (AuthorizationException e) {
|
||||||
|
fail();
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
public void testDefaultAcl() {
|
public void testDefaultAcl() {
|
||||||
ServiceAuthorizationManager serviceAuthorizationManager =
|
ServiceAuthorizationManager serviceAuthorizationManager =
|
||||||
|
|
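Review bot: `SecurityUtil.setSecurityInfoProviders(new CustomSecurityInfo())` in `testWithClientPrincipalOnUnsecureMode` installs a static, JVM-wide provider that the test never restores, so its `clientPrincipal()` answer of `dfs.datanode.kerberos.principal` leaks into any later test that resolves Kerberos info for `TestProtocol` (including `testDefaultAcl` in this class, depending on run order). Wrap the body in `try { … } finally { … }` that resets the providers to their previous state (or do it in an `@After` method), if `setSecurityInfoProviders` accepts an empty argument list. The `catch (AuthorizationException e) { fail(); }` also discards the failure reason; declaring the exception on the test method (if it is checked) or using `fail(e.getMessage())` keeps the cause in the report.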