HADOOP-11704. DelegationTokenAuthenticationFilter must pass ipaddress instead of hostname to ProxyUsers#authorize (Anubhav Dhoot via asuresh)

This commit is contained in:
Arun Suresh 2015-04-21 11:31:51 -07:00
parent dfc1c4c303
commit 424a00daa0
4 changed files with 60 additions and 3 deletions

View File

@ -519,6 +519,9 @@ Release 2.8.0 - UNRELEASED
HADOOP-11811. Fix typos in hadoop-project/pom.xml and TestAccessControlList.
(Brahma Reddy Battula via ozawa)
HADOOP-11704. DelegationTokenAuthenticationFilter must pass ipaddress
instead of hostname to ProxyUsers#authorize (Anubhav Dhoot via asuresh)
Release 2.7.1 - UNRELEASED
INCOMPATIBLE CHANGES

View File

@ -239,7 +239,7 @@ protected void doFilter(FilterChain filterChain, HttpServletRequest request,
if (doAsUser != null) {
ugi = UserGroupInformation.createProxyUser(doAsUser, ugi);
try {
ProxyUsers.authorize(ugi, request.getRemoteHost());
ProxyUsers.authorize(ugi, request.getRemoteAddr());
} catch (AuthorizationException ex) {
HttpExceptionUtils.createServletExceptionResponse(response,
HttpServletResponse.SC_FORBIDDEN, ex);

View File

@ -199,7 +199,7 @@ public boolean managementOperation(AuthenticationToken token,
requestUgi = UserGroupInformation.createProxyUser(
doAsUser, requestUgi);
try {
ProxyUsers.authorize(requestUgi, request.getRemoteHost());
ProxyUsers.authorize(requestUgi, request.getRemoteAddr());
} catch (AuthorizationException ex) {
HttpExceptionUtils.createServletExceptionResponse(response,
HttpServletResponse.SC_FORBIDDEN, ex);

View File

@ -35,6 +35,7 @@
import org.junit.Assert;
import org.junit.Before;
import org.junit.Test;
import org.mortbay.jetty.AbstractConnector;
import org.mortbay.jetty.Connector;
import org.mortbay.jetty.Server;
import org.mortbay.jetty.servlet.Context;
@ -658,7 +659,7 @@ protected org.apache.hadoop.conf.Configuration getProxyuserConfiguration(
org.apache.hadoop.conf.Configuration conf =
new org.apache.hadoop.conf.Configuration(false);
conf.set("proxyuser.client.users", OK_USER);
conf.set("proxyuser.client.hosts", "localhost");
conf.set("proxyuser.client.hosts", "127.0.0.1");
return conf;
}
}
@ -752,6 +753,7 @@ private void testKerberosDelegationTokenAuthenticator(
Context context = new Context();
context.setContextPath("/foo");
jetty.setHandler(context);
((AbstractConnector)jetty.getConnectors()[0]).setResolveNames(true);
context.addFilter(new FilterHolder(KDTAFilter.class), "/*", 0);
context.addServlet(new ServletHolder(UserServlet.class), "/bar");
try {
@ -969,4 +971,56 @@ public Void run() throws Exception {
}
}
public static class IpAddressBasedPseudoDTAFilter extends PseudoDTAFilter {
@Override
protected org.apache.hadoop.conf.Configuration getProxyuserConfiguration
(FilterConfig filterConfig) throws ServletException {
org.apache.hadoop.conf.Configuration configuration = super
.getProxyuserConfiguration(filterConfig);
configuration.set("proxyuser.foo.hosts", "127.0.0.1");
return configuration;
}
}
@Test
public void testIpaddressCheck() throws Exception {
final Server jetty = createJettyServer();
((AbstractConnector)jetty.getConnectors()[0]).setResolveNames(true);
Context context = new Context();
context.setContextPath("/foo");
jetty.setHandler(context);
context.addFilter(new FilterHolder(IpAddressBasedPseudoDTAFilter.class), "/*", 0);
context.addServlet(new ServletHolder(UGIServlet.class), "/bar");
try {
jetty.start();
final URL url = new URL(getJettyURL() + "/foo/bar");
UserGroupInformation ugi = UserGroupInformation.createRemoteUser(FOO_USER);
ugi.doAs(new PrivilegedExceptionAction<Void>() {
@Override
public Void run() throws Exception {
DelegationTokenAuthenticatedURL.Token token =
new DelegationTokenAuthenticatedURL.Token();
DelegationTokenAuthenticatedURL aUrl =
new DelegationTokenAuthenticatedURL();
// user ok-user via proxyuser foo
HttpURLConnection conn = aUrl.openConnection(url, token, OK_USER);
Assert.assertEquals(HttpURLConnection.HTTP_OK,
conn.getResponseCode());
List<String> ret = IOUtils.readLines(conn.getInputStream());
Assert.assertEquals(1, ret.size());
Assert.assertEquals("realugi=" + FOO_USER +":remoteuser=" + OK_USER +
":ugi=" + OK_USER, ret.get(0));
return null;
}
});
} finally {
jetty.stop();
}
}
}