svn merge -c 1405910 FIXES: HADOOP-9010. Map UGI authenticationMethod to RPC authMethod (daryn via bobby)

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/branches/branch-2@1405911 13f79535-47bb-0310-9956-ffa450edef68
Robert Joseph Evans 2012-11-05 18:40:39 +00:00
parent 310e59acd5
commit 32c70d9ac1
6 changed files with 62 additions and 19 deletions


@ -64,6 +64,9 @@ Release 2.0.3-alpha - Unreleased
HADOOP-9009. Add SecurityUtil methods to get/set authentication method HADOOP-9009. Add SecurityUtil methods to get/set authentication method
(daryn via bobby) (daryn via bobby)
HADOOP-9010. Map UGI authenticationMethod to RPC authMethod (daryn via
bobby)
OPTIMIZATIONS OPTIMIZATIONS
HADOOP-8866. SampleQuantiles#query is O(N^2) instead of O(N). (Andrew Wang HADOOP-8866. SampleQuantiles#query is O(N^2) instead of O(N). (Andrew Wang


@ -69,6 +69,7 @@ import org.apache.hadoop.security.SaslRpcClient;
import org.apache.hadoop.security.SaslRpcServer.AuthMethod; import org.apache.hadoop.security.SaslRpcServer.AuthMethod;
import org.apache.hadoop.security.SecurityUtil; import org.apache.hadoop.security.SecurityUtil;
import org.apache.hadoop.security.UserGroupInformation; import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.UserGroupInformation.AuthenticationMethod;
import org.apache.hadoop.security.token.Token; import org.apache.hadoop.security.token.Token;
import org.apache.hadoop.security.token.TokenIdentifier; import org.apache.hadoop.security.token.TokenIdentifier;
import org.apache.hadoop.security.token.TokenInfo; import org.apache.hadoop.security.token.TokenInfo;
@ -293,8 +294,9 @@ public class Client {
} }
if (token != null) { if (token != null) {
authMethod = AuthMethod.DIGEST; authMethod = AuthenticationMethod.TOKEN.getAuthMethod();
} else if (UserGroupInformation.isSecurityEnabled()) { } else if (UserGroupInformation.isSecurityEnabled()) {
// eventually just use the ticket's authMethod
authMethod = AuthMethod.KERBEROS; authMethod = AuthMethod.KERBEROS;
} else { } else {
authMethod = AuthMethod.SIMPLE; authMethod = AuthMethod.SIMPLE;


@ -1485,11 +1485,11 @@ public abstract class Server {
if (!useSasl) { if (!useSasl) {
user = protocolUser; user = protocolUser;
if (user != null) { if (user != null) {
user.setAuthenticationMethod(AuthMethod.SIMPLE.authenticationMethod); user.setAuthenticationMethod(AuthMethod.SIMPLE);
} }
} else { } else {
// user is authenticated // user is authenticated
user.setAuthenticationMethod(authMethod.authenticationMethod); user.setAuthenticationMethod(authMethod);
//Now we check if this is a proxy user case. If the protocol user is //Now we check if this is a proxy user case. If the protocol user is
//different from the 'user', it is a proxy user scenario. However, //different from the 'user', it is a proxy user scenario. However,
//this is not allowed if user authenticated with DIGEST. //this is not allowed if user authenticated with DIGEST.
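Review bot: The SASL-branch call `user.setAuthenticationMethod(authMethod)` now resolves to the new `AuthMethod` overload, which converts through `AuthenticationMethod.valueOf(AuthMethod)` and throws an unchecked `IllegalArgumentException` when the RPC method has no UGI mapping. All three current `AuthMethod` constants map, so this is latent. But `authMethod` is assigned outside the hunk and presumably reflects what the peer negotiated, so a future constant without a mapping would fail in the connection path rather than at compile time. I would add a comment above the call, `// throws IllegalArgumentException if authMethod has no UGI AuthenticationMethod mapping`, so whoever extends the enum knows to add one. The enclosing method starts and ends outside the hunk.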


@ -42,7 +42,6 @@ import org.apache.hadoop.classification.InterfaceAudience;
import org.apache.hadoop.classification.InterfaceStability; import org.apache.hadoop.classification.InterfaceStability;
import org.apache.hadoop.conf.Configuration; import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.ipc.Server; import org.apache.hadoop.ipc.Server;
import org.apache.hadoop.security.UserGroupInformation.AuthenticationMethod;
import org.apache.hadoop.security.token.SecretManager; import org.apache.hadoop.security.token.SecretManager;
import org.apache.hadoop.security.token.TokenIdentifier; import org.apache.hadoop.security.token.TokenIdentifier;
import org.apache.hadoop.security.token.SecretManager.InvalidToken; import org.apache.hadoop.security.token.SecretManager.InvalidToken;
@ -137,20 +136,17 @@ public class SaslRpcServer {
/** Authentication method */ /** Authentication method */
@InterfaceStability.Evolving @InterfaceStability.Evolving
public static enum AuthMethod { public static enum AuthMethod {
SIMPLE((byte) 80, "", AuthenticationMethod.SIMPLE), SIMPLE((byte) 80, ""),
KERBEROS((byte) 81, "GSSAPI", AuthenticationMethod.KERBEROS), KERBEROS((byte) 81, "GSSAPI"),
DIGEST((byte) 82, "DIGEST-MD5", AuthenticationMethod.TOKEN); DIGEST((byte) 82, "DIGEST-MD5");
/** The code for this method. */ /** The code for this method. */
public final byte code; public final byte code;
public final String mechanismName; public final String mechanismName;
public final AuthenticationMethod authenticationMethod;
private AuthMethod(byte code, String mechanismName, private AuthMethod(byte code, String mechanismName) {
AuthenticationMethod authMethod) {
this.code = code; this.code = code;
this.mechanismName = mechanismName; this.mechanismName = mechanismName;
this.authenticationMethod = authMethod;
} }
private static final int FIRST_CODE = values()[0].code; private static final int FIRST_CODE = values()[0].code;
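Review bot: Dropping the public field `authenticationMethod` from `AuthMethod` is a source-incompatible change for any caller outside this commit that reads `AuthMethod.X.authenticationMethod`; the enum is public and only marked `@InterfaceStability.Evolving`. The in-tree uses in Server are updated, but the CHANGES entry does not mention the removal. If out-of-tree callers matter, point them at the replacement in the enum's Javadoc, e.g. `/** Authentication method; translate to a UGI method with UserGroupInformation.AuthenticationMethod.valueOf(AuthMethod). */`. The enum body continues outside the hunk.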


@ -57,6 +57,7 @@ import org.apache.hadoop.metrics2.annotation.Metric;
import org.apache.hadoop.metrics2.annotation.Metrics; import org.apache.hadoop.metrics2.annotation.Metrics;
import org.apache.hadoop.metrics2.lib.DefaultMetricsSystem; import org.apache.hadoop.metrics2.lib.DefaultMetricsSystem;
import org.apache.hadoop.metrics2.lib.MutableRate; import org.apache.hadoop.metrics2.lib.MutableRate;
import org.apache.hadoop.security.SaslRpcServer.AuthMethod;
import org.apache.hadoop.security.authentication.util.KerberosName; import org.apache.hadoop.security.authentication.util.KerberosName;
import org.apache.hadoop.security.authentication.util.KerberosUtil; import org.apache.hadoop.security.authentication.util.KerberosUtil;
import org.apache.hadoop.security.token.Token; import org.apache.hadoop.security.token.Token;
@ -1008,14 +1009,35 @@ public class UserGroupInformation {
@InterfaceAudience.Public @InterfaceAudience.Public
@InterfaceStability.Evolving @InterfaceStability.Evolving
public static enum AuthenticationMethod { public static enum AuthenticationMethod {
SIMPLE, // currently we support only one auth per method, but eventually a
KERBEROS, // subtype is needed to differentiate, ex. if digest is token or ldap
TOKEN, SIMPLE(AuthMethod.SIMPLE),
CERTIFICATE, KERBEROS(AuthMethod.KERBEROS),
KERBEROS_SSL, TOKEN(AuthMethod.DIGEST),
PROXY; CERTIFICATE(null),
KERBEROS_SSL(null),
PROXY(null);
private final AuthMethod authMethod;
private AuthenticationMethod(AuthMethod authMethod) {
this.authMethod = authMethod;
} }
public AuthMethod getAuthMethod() {
return authMethod;
}
public static AuthenticationMethod valueOf(AuthMethod authMethod) {
for (AuthenticationMethod value : values()) {
if (value.getAuthMethod() == authMethod) {
return value;
}
}
throw new IllegalArgumentException(
"no authentication method for " + authMethod);
}
};
/** /**
* Create a proxy user using username of the effective user and the ugi of the * Create a proxy user using username of the effective user and the ugi of the
* real user. * real user.
@ -1279,6 +1301,15 @@ public class UserGroupInformation {
user.setAuthenticationMethod(authMethod); user.setAuthenticationMethod(authMethod);
} }
/**
* Sets the authentication method in the subject
*
* @param authMethod
*/
public void setAuthenticationMethod(AuthMethod authMethod) {
user.setAuthenticationMethod(AuthenticationMethod.valueOf(authMethod));
}
/** /**
* Get the authentication method from the subject * Get the authentication method from the subject
* *
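Review bot: `AuthenticationMethod.valueOf(AuthMethod)` returns `CERTIFICATE` when passed `null`, because `CERTIFICATE`, `KERBEROS_SSL` and `PROXY` all carry a null `authMethod` and the loop compares with `==`. Through the new `setAuthenticationMethod(AuthMethod)`, a null argument therefore silently labels the subject as certificate-authenticated instead of failing, and any authorization decision keyed on the UGI's authentication method would see the wrong value. Reject null before the loop: `if (authMethod == null) { throw new IllegalArgumentException("authMethod is null"); }`. The new setter's Javadoc also leaves `@param authMethod` empty; a description such as `@param authMethod RPC auth method to translate; must map to an AuthenticationMethod` plus an `@throws IllegalArgumentException` line would document the contract.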


@ -303,7 +303,6 @@ public class TestUserGroupInformation {
assertSame(secret, ugi.getCredentials().getSecretKey(secretKey)); assertSame(secret, ugi.getCredentials().getSecretKey(secretKey));
} }
@SuppressWarnings("unchecked") // from Mockito mocks
@Test @Test
public <T extends TokenIdentifier> void testGetCredsNotSame() public <T extends TokenIdentifier> void testGetCredsNotSame()
throws Exception { throws Exception {
@ -427,6 +426,18 @@ public class TestUserGroupInformation {
assertEquals(2, otherSet.size()); assertEquals(2, otherSet.size());
} }
@Test
public void testTestAuthMethod() throws Exception {
UserGroupInformation ugi = UserGroupInformation.getCurrentUser();
// verify the reverse mappings works
for (AuthenticationMethod am : AuthenticationMethod.values()) {
if (am.getAuthMethod() != null) {
ugi.setAuthenticationMethod(am.getAuthMethod());
assertEquals(am, ugi.getAuthenticationMethod());
}
}
}
@Test @Test
public void testUGIAuthMethod() throws Exception { public void testUGIAuthMethod() throws Exception {
final UserGroupInformation ugi = UserGroupInformation.getCurrentUser(); final UserGroupInformation ugi = UserGroupInformation.getCurrentUser();
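Review bot: `testTestAuthMethod` only walks `AuthenticationMethod.values()` and skips entries whose `getAuthMethod()` is null, so it never checks the direction the server relies on (every `AuthMethod` has a mapping), nor the null and unmapped inputs to `valueOf(AuthMethod)`. Adding `for (AuthMethod m : AuthMethod.values()) { assertNotNull(AuthenticationMethod.valueOf(m)); }` would catch a new RPC method added without a mapping. The test also leaves the UGI from `getCurrentUser()` set to the last mapped method; if that object is shared across tests (not visible here), restoring the original value at the end avoids order-dependent failures. The doubled `Test` in the method name looks unintended.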