HDFS-9760. WebHDFS AuthFilter cannot be configured with custom AltKerberos auth handler (Ryan Sasson via aw)

This commit is contained in:
Allen Wittenauer 2016-02-09 14:15:21 -08:00
parent 60d2011b7c
commit 401ae4ecdb
4 changed files with 35 additions and 4 deletions

View File

@ -2715,6 +2715,9 @@ Release 2.8.0 - UNRELEASED
HDFS-9713. DataXceiver#copyBlock should return if block is pinned. HDFS-9713. DataXceiver#copyBlock should return if block is pinned.
(umamahesh) (umamahesh)
HDFS-9760. WebHDFS AuthFilter cannot be configured with custom AltKerberos
auth handler (Ryan Sasson via aw)
Release 2.7.3 - UNRELEASED Release 2.7.3 - UNRELEASED
INCOMPATIBLE CHANGES INCOMPATIBLE CHANGES

View File

@ -21,7 +21,9 @@ package org.apache.hadoop.hdfs.server.namenode;
import java.io.IOException; import java.io.IOException;
import java.net.InetSocketAddress; import java.net.InetSocketAddress;
import java.util.HashMap; import java.util.HashMap;
import java.util.Iterator;
import java.util.Map; import java.util.Map;
import java.util.Map.Entry;
import javax.servlet.ServletContext; import javax.servlet.ServletContext;
@ -34,6 +36,7 @@ import org.apache.hadoop.hdfs.client.HdfsClientConfigKeys;
import org.apache.hadoop.hdfs.server.common.JspHelper; import org.apache.hadoop.hdfs.server.common.JspHelper;
import org.apache.hadoop.hdfs.server.namenode.startupprogress.StartupProgress; import org.apache.hadoop.hdfs.server.namenode.startupprogress.StartupProgress;
import org.apache.hadoop.hdfs.server.namenode.web.resources.NamenodeWebHdfsMethods; import org.apache.hadoop.hdfs.server.namenode.web.resources.NamenodeWebHdfsMethods;
import org.apache.hadoop.hdfs.web.AuthFilter;
import org.apache.hadoop.hdfs.web.WebHdfsFileSystem; import org.apache.hadoop.hdfs.web.WebHdfsFileSystem;
import org.apache.hadoop.hdfs.web.resources.Param; import org.apache.hadoop.hdfs.web.resources.Param;
import org.apache.hadoop.hdfs.web.resources.UserParam; import org.apache.hadoop.hdfs.web.resources.UserParam;
@ -158,6 +161,14 @@ public class NameNodeHttpServer {
private Map<String, String> getAuthFilterParams(Configuration conf) private Map<String, String> getAuthFilterParams(Configuration conf)
throws IOException { throws IOException {
Map<String, String> params = new HashMap<String, String>(); Map<String, String> params = new HashMap<String, String>();
// Select configs beginning with 'dfs.web.authentication.'
Iterator<Map.Entry<String, String>> iterator = conf.iterator();
while (iterator.hasNext()) {
Entry<String, String> kvPair = iterator.next();
if (kvPair.getKey().startsWith(AuthFilter.CONF_PREFIX)) {
params.put(kvPair.getKey(), kvPair.getValue());
}
}
String principalInConf = conf String principalInConf = conf
.get(DFSConfigKeys.DFS_WEB_AUTHENTICATION_KERBEROS_PRINCIPAL_KEY); .get(DFSConfigKeys.DFS_WEB_AUTHENTICATION_KERBEROS_PRINCIPAL_KEY);
if (principalInConf != null && !principalInConf.isEmpty()) { if (principalInConf != null && !principalInConf.isEmpty()) {

View File

@ -46,7 +46,7 @@ import org.apache.hadoop.util.StringUtils;
* obtains Hadoop-Auth configuration for webhdfs. * obtains Hadoop-Auth configuration for webhdfs.
*/ */
public class AuthFilter extends AuthenticationFilter { public class AuthFilter extends AuthenticationFilter {
private static final String CONF_PREFIX = "dfs.web.authentication."; public static final String CONF_PREFIX = "dfs.web.authentication.";
/** /**
* Returns the filter configuration properties, * Returns the filter configuration properties,
@ -62,9 +62,11 @@ public class AuthFilter extends AuthenticationFilter {
protected Properties getConfiguration(String prefix, FilterConfig config) protected Properties getConfiguration(String prefix, FilterConfig config)
throws ServletException { throws ServletException {
final Properties p = super.getConfiguration(CONF_PREFIX, config); final Properties p = super.getConfiguration(CONF_PREFIX, config);
// set authentication type // if not set, configure based on security enabled
if (p.getProperty(AUTH_TYPE) == null) {
p.setProperty(AUTH_TYPE, UserGroupInformation.isSecurityEnabled()? p.setProperty(AUTH_TYPE, UserGroupInformation.isSecurityEnabled()?
KerberosAuthenticationHandler.TYPE: PseudoAuthenticationHandler.TYPE); KerberosAuthenticationHandler.TYPE: PseudoAuthenticationHandler.TYPE);
}
// if not set, enable anonymous for pseudo authentication // if not set, enable anonymous for pseudo authentication
if (p.getProperty(PseudoAuthenticationHandler.ANONYMOUS_ALLOWED) == null) { if (p.getProperty(PseudoAuthenticationHandler.ANONYMOUS_ALLOWED) == null) {
p.setProperty(PseudoAuthenticationHandler.ANONYMOUS_ALLOWED, "true"); p.setProperty(PseudoAuthenticationHandler.ANONYMOUS_ALLOWED, "true");

View File

@ -98,4 +98,19 @@ public class TestAuthFilter {
Assert.assertEquals("true", Assert.assertEquals("true",
p.getProperty(PseudoAuthenticationHandler.ANONYMOUS_ALLOWED)); p.getProperty(PseudoAuthenticationHandler.ANONYMOUS_ALLOWED));
} }
@Test
public void testGetCustomAuthConfiguration() throws ServletException {
AuthFilter filter = new AuthFilter();
Map<String, String> m = new HashMap<String,String>();
m.put(AuthFilter.CONF_PREFIX + AuthFilter.AUTH_TYPE, "com.yourclass");
m.put(AuthFilter.CONF_PREFIX + "alt-kerberos.param", "value");
FilterConfig config = new DummyFilterConfig(m);
Properties p = filter.getConfiguration(AuthFilter.CONF_PREFIX, config);
Assert.assertEquals("com.yourclass", p.getProperty(AuthFilter.AUTH_TYPE));
Assert.assertEquals("value", p.getProperty("alt-kerberos.param"));
}
} }