HDFS-3572. Cleanup code which inits SPNEGO in HttpServer. Contributed by Todd Lipcon.
git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/branches/branch-2@1354766 13f79535-47bb-0310-9956-ffa450edef68
parent
0b4c8a5875
commit
3fe00a6c77
|
@ -51,7 +51,9 @@ import org.apache.hadoop.fs.CommonConfigurationKeys;
|
||||||
import org.apache.hadoop.jmx.JMXJsonServlet;
|
import org.apache.hadoop.jmx.JMXJsonServlet;
|
||||||
import org.apache.hadoop.log.LogLevel;
|
import org.apache.hadoop.log.LogLevel;
|
||||||
import org.apache.hadoop.metrics.MetricsServlet;
|
import org.apache.hadoop.metrics.MetricsServlet;
|
||||||
|
import org.apache.hadoop.security.SecurityUtil;
|
||||||
import org.apache.hadoop.security.UserGroupInformation;
|
import org.apache.hadoop.security.UserGroupInformation;
|
||||||
|
import org.apache.hadoop.security.authentication.server.AuthenticationFilter;
|
||||||
import org.apache.hadoop.security.authorize.AccessControlList;
|
import org.apache.hadoop.security.authorize.AccessControlList;
|
||||||
import org.apache.hadoop.util.ReflectionUtils;
|
import org.apache.hadoop.util.ReflectionUtils;
|
||||||
import org.mortbay.io.Buffer;
|
import org.mortbay.io.Buffer;
|
||||||
|
@ -605,6 +607,24 @@ public class HttpServer implements FilterContainer {
|
||||||
sslListener.setNeedClientAuth(needCertsAuth);
|
sslListener.setNeedClientAuth(needCertsAuth);
|
||||||
webServer.addConnector(sslListener);
|
webServer.addConnector(sslListener);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
protected void initSpnego(Configuration conf,
|
||||||
|
String usernameConfKey, String keytabConfKey) throws IOException {
|
||||||
|
Map<String, String> params = new HashMap<String, String>();
|
||||||
|
String principalInConf = conf.get(usernameConfKey);
|
||||||
|
if (principalInConf != null && !principalInConf.isEmpty()) {
|
||||||
|
params.put("kerberos.principal",
|
||||||
|
SecurityUtil.getServerPrincipal(principalInConf, listener.getHost()));
|
||||||
|
}
|
||||||
|
String httpKeytab = conf.get(keytabConfKey);
|
||||||
|
if (httpKeytab != null && !httpKeytab.isEmpty()) {
|
||||||
|
params.put("kerberos.keytab", httpKeytab);
|
||||||
|
}
|
||||||
|
params.put(AuthenticationFilter.AUTH_TYPE, "kerberos");
|
||||||
|
|
||||||
|
defineFilter(webAppContext, SPNEGO_FILTER,
|
||||||
|
AuthenticationFilter.class.getName(), params, null);
|
||||||
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Start the server. Does not wait for the server to start.
|
* Start the server. Does not wait for the server to start.
|
||||||
|
|
|
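Review bot: `initSpnego` passes `listener.getHost()` to `SecurityUtil.getServerPrincipal`, whereas the inlined code it replaces in NameNodeHttpServer and SecondaryNameNode (later sections of this commit) passed `infoHost` and `infoSocAddr.getHostName()`. If the listener is bound to a wildcard address or its host is unset, the value stored under `kerberos.principal` may differ from what the old call sites produced. That is worth confirming and recording in a comment such as `// listener host drives principal substitution; must match the advertised HTTP host`. The method is `protected` and reads `listener` and `webAppContext`, yet has no Javadoc; I would add one naming the two configuration-key parameters and the requirement that it is called only after the listener exists.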
@ -86,6 +86,8 @@ Release 2.0.1-alpha - UNRELEASED
|
||||||
|
|
||||||
HDFS-3481. Refactor HttpFS handling of JAX-RS query string parameters (tucu)
|
HDFS-3481. Refactor HttpFS handling of JAX-RS query string parameters (tucu)
|
||||||
|
|
||||||
|
HDFS-3572. Cleanup code which inits SPNEGO in HttpServer (todd)
|
||||||
|
|
||||||
OPTIMIZATIONS
|
OPTIMIZATIONS
|
||||||
|
|
||||||
HDFS-2982. Startup performance suffers when there are many edit log
|
HDFS-2982. Startup performance suffers when there are many edit log
|
||||||
|
|
|
@ -152,7 +152,7 @@
|
||||||
<tr><td><code>dfs.web.authentication.kerberos.principal</code></td>
|
<tr><td><code>dfs.web.authentication.kerberos.principal</code></td>
|
||||||
<td>The HTTP Kerberos principal used by Hadoop-Auth in the HTTP endpoint.
|
<td>The HTTP Kerberos principal used by Hadoop-Auth in the HTTP endpoint.
|
||||||
The HTTP Kerberos principal MUST start with 'HTTP/' per Kerberos
|
The HTTP Kerberos principal MUST start with 'HTTP/' per Kerberos
|
||||||
HTTP SPENGO specification.
|
HTTP SPNEGO specification.
|
||||||
</td></tr>
|
</td></tr>
|
||||||
<tr><td><code>dfs.web.authentication.kerberos.keytab</code></td>
|
<tr><td><code>dfs.web.authentication.kerberos.keytab</code></td>
|
||||||
<td>The Kerberos keytab file with the credentials for the
|
<td>The Kerberos keytab file with the credentials for the
|
||||||
|
|
|
@ -323,10 +323,10 @@ public class DFSConfigKeys extends CommonConfigurationKeys {
|
||||||
public static final String DFS_DATANODE_USER_NAME_KEY = "dfs.datanode.kerberos.principal";
|
public static final String DFS_DATANODE_USER_NAME_KEY = "dfs.datanode.kerberos.principal";
|
||||||
public static final String DFS_NAMENODE_KEYTAB_FILE_KEY = "dfs.namenode.keytab.file";
|
public static final String DFS_NAMENODE_KEYTAB_FILE_KEY = "dfs.namenode.keytab.file";
|
||||||
public static final String DFS_NAMENODE_USER_NAME_KEY = "dfs.namenode.kerberos.principal";
|
public static final String DFS_NAMENODE_USER_NAME_KEY = "dfs.namenode.kerberos.principal";
|
||||||
public static final String DFS_NAMENODE_INTERNAL_SPENGO_USER_NAME_KEY = "dfs.namenode.kerberos.internal.spnego.principal";
|
public static final String DFS_NAMENODE_INTERNAL_SPNEGO_USER_NAME_KEY = "dfs.namenode.kerberos.internal.spnego.principal";
|
||||||
public static final String DFS_SECONDARY_NAMENODE_KEYTAB_FILE_KEY = "dfs.secondary.namenode.keytab.file";
|
public static final String DFS_SECONDARY_NAMENODE_KEYTAB_FILE_KEY = "dfs.secondary.namenode.keytab.file";
|
||||||
public static final String DFS_SECONDARY_NAMENODE_USER_NAME_KEY = "dfs.secondary.namenode.kerberos.principal";
|
public static final String DFS_SECONDARY_NAMENODE_USER_NAME_KEY = "dfs.secondary.namenode.kerberos.principal";
|
||||||
public static final String DFS_SECONDARY_NAMENODE_INTERNAL_SPENGO_USER_NAME_KEY = "dfs.secondary.namenode.kerberos.internal.spnego.principal";
|
public static final String DFS_SECONDARY_NAMENODE_INTERNAL_SPNEGO_USER_NAME_KEY = "dfs.secondary.namenode.kerberos.internal.spnego.principal";
|
||||||
public static final String DFS_NAMENODE_NAME_CACHE_THRESHOLD_KEY = "dfs.namenode.name.cache.threshold";
|
public static final String DFS_NAMENODE_NAME_CACHE_THRESHOLD_KEY = "dfs.namenode.name.cache.threshold";
|
||||||
public static final int DFS_NAMENODE_NAME_CACHE_THRESHOLD_DEFAULT = 10;
|
public static final int DFS_NAMENODE_NAME_CACHE_THRESHOLD_DEFAULT = 10;
|
||||||
|
|
||||||
|
|
|
@ -44,7 +44,6 @@ import org.apache.hadoop.http.HttpServer;
|
||||||
import org.apache.hadoop.net.NetUtils;
|
import org.apache.hadoop.net.NetUtils;
|
||||||
import org.apache.hadoop.security.SecurityUtil;
|
import org.apache.hadoop.security.SecurityUtil;
|
||||||
import org.apache.hadoop.security.UserGroupInformation;
|
import org.apache.hadoop.security.UserGroupInformation;
|
||||||
import org.apache.hadoop.security.authentication.server.AuthenticationFilter;
|
|
||||||
import org.apache.hadoop.security.authorize.AccessControlList;
|
import org.apache.hadoop.security.authorize.AccessControlList;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
@ -91,22 +90,9 @@ public class NameNodeHttpServer {
|
||||||
{
|
{
|
||||||
// Add SPNEGO support to NameNode
|
// Add SPNEGO support to NameNode
|
||||||
if (UserGroupInformation.isSecurityEnabled()) {
|
if (UserGroupInformation.isSecurityEnabled()) {
|
||||||
Map<String, String> params = new HashMap<String, String>();
|
initSpnego(conf,
|
||||||
String principalInConf = conf.get(
|
DFSConfigKeys.DFS_NAMENODE_INTERNAL_SPNEGO_USER_NAME_KEY,
|
||||||
DFSConfigKeys.DFS_NAMENODE_INTERNAL_SPENGO_USER_NAME_KEY);
|
DFSConfigKeys.DFS_NAMENODE_KEYTAB_FILE_KEY);
|
||||||
if (principalInConf != null && !principalInConf.isEmpty()) {
|
|
||||||
params.put("kerberos.principal",
|
|
||||||
SecurityUtil.getServerPrincipal(principalInConf, infoHost));
|
|
||||||
String httpKeytab = conf.get(DFSConfigKeys.DFS_NAMENODE_KEYTAB_FILE_KEY);
|
|
||||||
if (httpKeytab != null && !httpKeytab.isEmpty()) {
|
|
||||||
params.put("kerberos.keytab", httpKeytab);
|
|
||||||
}
|
|
||||||
|
|
||||||
params.put(AuthenticationFilter.AUTH_TYPE, "kerberos");
|
|
||||||
|
|
||||||
defineFilter(webAppContext, SPNEGO_FILTER,
|
|
||||||
AuthenticationFilter.class.getName(), params, null);
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
if (WebHdfsFileSystem.isEnabled(conf, LOG)) {
|
if (WebHdfsFileSystem.isEnabled(conf, LOG)) {
|
||||||
//add SPNEGO authentication filter for webhdfs
|
//add SPNEGO authentication filter for webhdfs
|
||||||
|
|
|
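Review bot: The removed block appears to have registered the SPNEGO filter only when the principal key was set, because its `if (principalInConf != null && !principalInConf.isEmpty())` brace closes after `defineFilter(...)`, while the new `initSpnego(conf, ...)` call registers it whenever `UserGroupInformation.isSecurityEnabled()` is true. Indentation is lost on this page, so that reading rests on the brace count of the removed lines. If it holds, a NameNode with security on and no `dfs.namenode.kerberos.internal.spnego.principal` goes from having no SPNEGO filter to having a Kerberos filter without a principal, which is the safer outcome but more than the cleanup the title describes. I would note it at the call site, e.g. `// initSpnego installs the filter whenever security is on, even if the principal key is unset`; the enclosing initializer block continues outside this hunk.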
@ -25,10 +25,8 @@ import java.security.PrivilegedAction;
|
||||||
import java.security.PrivilegedExceptionAction;
|
import java.security.PrivilegedExceptionAction;
|
||||||
import java.util.Collection;
|
import java.util.Collection;
|
||||||
import java.util.Date;
|
import java.util.Date;
|
||||||
import java.util.HashMap;
|
|
||||||
import java.util.Iterator;
|
import java.util.Iterator;
|
||||||
import java.util.List;
|
import java.util.List;
|
||||||
import java.util.Map;
|
|
||||||
|
|
||||||
import org.apache.commons.cli.CommandLine;
|
import org.apache.commons.cli.CommandLine;
|
||||||
import org.apache.commons.cli.CommandLineParser;
|
import org.apache.commons.cli.CommandLineParser;
|
||||||
|
@ -68,7 +66,6 @@ import org.apache.hadoop.metrics2.source.JvmMetrics;
|
||||||
import org.apache.hadoop.net.NetUtils;
|
import org.apache.hadoop.net.NetUtils;
|
||||||
import org.apache.hadoop.security.SecurityUtil;
|
import org.apache.hadoop.security.SecurityUtil;
|
||||||
import org.apache.hadoop.security.UserGroupInformation;
|
import org.apache.hadoop.security.UserGroupInformation;
|
||||||
import org.apache.hadoop.security.authentication.server.AuthenticationFilter;
|
|
||||||
import org.apache.hadoop.security.authorize.AccessControlList;
|
import org.apache.hadoop.security.authorize.AccessControlList;
|
||||||
|
|
||||||
import org.apache.hadoop.util.Daemon;
|
import org.apache.hadoop.util.Daemon;
|
||||||
|
@ -239,20 +236,8 @@ public class SecondaryNameNode implements Runnable {
|
||||||
new AccessControlList(conf.get(DFS_ADMIN, " "))) {
|
new AccessControlList(conf.get(DFS_ADMIN, " "))) {
|
||||||
{
|
{
|
||||||
if (UserGroupInformation.isSecurityEnabled()) {
|
if (UserGroupInformation.isSecurityEnabled()) {
|
||||||
Map<String, String> params = new HashMap<String, String>();
|
initSpnego(conf, DFSConfigKeys.DFS_SECONDARY_NAMENODE_INTERNAL_SPNEGO_USER_NAME_KEY,
|
||||||
String principalInConf = conf.get(DFSConfigKeys.DFS_SECONDARY_NAMENODE_INTERNAL_SPENGO_USER_NAME_KEY);
|
DFSConfigKeys.DFS_SECONDARY_NAMENODE_KEYTAB_FILE_KEY);
|
||||||
if (principalInConf != null && !principalInConf.isEmpty()) {
|
|
||||||
params.put("kerberos.principal",
|
|
||||||
SecurityUtil.getServerPrincipal(principalInConf, infoSocAddr.getHostName()));
|
|
||||||
}
|
|
||||||
String httpKeytab = conf.get(DFSConfigKeys.DFS_SECONDARY_NAMENODE_KEYTAB_FILE_KEY);
|
|
||||||
if (httpKeytab != null && !httpKeytab.isEmpty()) {
|
|
||||||
params.put("kerberos.keytab", httpKeytab);
|
|
||||||
}
|
|
||||||
params.put(AuthenticationFilter.AUTH_TYPE, "kerberos");
|
|
||||||
|
|
||||||
defineFilter(webAppContext, SPNEGO_FILTER, AuthenticationFilter.class.getName(),
|
|
||||||
params, null);
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
};
|
};
|
||||||
|
|