svn merge -c 1587962 from trunk to branch-2 to fix:HDFS-6219. Proxy superuser configuration should use true client IP for address checks. Contributed by Daryn Sharp.
git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/branches/branch-2@1587964 13f79535-47bb-0310-9956-ffa450edef68
This commit is contained in:
parent
46738ee92b
commit
4a13429dce
|
@ -49,6 +49,9 @@ Release 2.5.0 - UNRELEASED
|
||||||
HDFS-6194. Create new tests for ByteRangeInputStream.
|
HDFS-6194. Create new tests for ByteRangeInputStream.
|
||||||
(Akira Ajisaka via wheat9)
|
(Akira Ajisaka via wheat9)
|
||||||
|
|
||||||
|
HDFS-6219. Proxy superuser configuration should use true client IP for
|
||||||
|
address checks. (daryn via kihwal)
|
||||||
|
|
||||||
OPTIMIZATIONS
|
OPTIMIZATIONS
|
||||||
|
|
||||||
HDFS-6214. Webhdfs has poor throughput for files >2GB (daryn)
|
HDFS-6214. Webhdfs has poor throughput for files >2GB (daryn)
|
||||||
|
|
|
@ -25,6 +25,7 @@ import java.io.ByteArrayInputStream;
|
||||||
import java.io.DataInputStream;
|
import java.io.DataInputStream;
|
||||||
import java.io.IOException;
|
import java.io.IOException;
|
||||||
import java.io.UnsupportedEncodingException;
|
import java.io.UnsupportedEncodingException;
|
||||||
|
import java.net.InetAddress;
|
||||||
import java.net.InetSocketAddress;
|
import java.net.InetSocketAddress;
|
||||||
import java.net.Socket;
|
import java.net.Socket;
|
||||||
import java.net.URL;
|
import java.net.URL;
|
||||||
|
@ -625,7 +626,7 @@ public class JspHelper {
|
||||||
if (doAsUserFromQuery != null) {
|
if (doAsUserFromQuery != null) {
|
||||||
// create and attempt to authorize a proxy user
|
// create and attempt to authorize a proxy user
|
||||||
ugi = UserGroupInformation.createProxyUser(doAsUserFromQuery, ugi);
|
ugi = UserGroupInformation.createProxyUser(doAsUserFromQuery, ugi);
|
||||||
ProxyUsers.authorize(ugi, request.getRemoteAddr(), conf);
|
ProxyUsers.authorize(ugi, getRemoteAddr(request), conf);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -665,6 +666,22 @@ public class JspHelper {
|
||||||
return ugi;
|
return ugi;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// honor the X-Forwarded-For header set by a configured set of trusted
|
||||||
|
// proxy servers. allows audit logging and proxy user checks to work
|
||||||
|
// via an http proxy
|
||||||
|
static String getRemoteAddr(HttpServletRequest request) {
|
||||||
|
String remoteAddr = request.getRemoteAddr();
|
||||||
|
String proxyHeader = request.getHeader("X-Forwarded-For");
|
||||||
|
if (proxyHeader != null && ProxyUsers.isProxyServer(remoteAddr)) {
|
||||||
|
final String clientAddr = proxyHeader.split(",")[0].trim();
|
||||||
|
if (!clientAddr.isEmpty()) {
|
||||||
|
remoteAddr = clientAddr;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return remoteAddr;
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Expected user name should be a short name.
|
* Expected user name should be a short name.
|
||||||
*/
|
*/
|
||||||
|
|
|
@ -27,7 +27,6 @@ import static org.mockito.Mockito.*;
|
||||||
import java.io.IOException;
|
import java.io.IOException;
|
||||||
import java.io.StringReader;
|
import java.io.StringReader;
|
||||||
import java.net.InetSocketAddress;
|
import java.net.InetSocketAddress;
|
||||||
import java.text.MessageFormat;
|
|
||||||
import java.util.ArrayList;
|
import java.util.ArrayList;
|
||||||
|
|
||||||
import javax.servlet.ServletContext;
|
import javax.servlet.ServletContext;
|
||||||
|
@ -63,6 +62,7 @@ import org.apache.hadoop.security.authorize.ProxyUsers;
|
||||||
import org.apache.hadoop.security.token.Token;
|
import org.apache.hadoop.security.token.Token;
|
||||||
import org.apache.hadoop.security.token.TokenIdentifier;
|
import org.apache.hadoop.security.token.TokenIdentifier;
|
||||||
import org.apache.hadoop.security.token.delegation.AbstractDelegationTokenSecretManager;
|
import org.apache.hadoop.security.token.delegation.AbstractDelegationTokenSecretManager;
|
||||||
|
import org.junit.BeforeClass;
|
||||||
import org.junit.Test;
|
import org.junit.Test;
|
||||||
import org.mockito.ArgumentCaptor;
|
import org.mockito.ArgumentCaptor;
|
||||||
import org.mockito.Mockito;
|
import org.mockito.Mockito;
|
||||||
|
@ -76,6 +76,13 @@ public class TestJspHelper {
|
||||||
private final Configuration conf = new HdfsConfiguration();
|
private final Configuration conf = new HdfsConfiguration();
|
||||||
private String jspWriterOutput = "";
|
private String jspWriterOutput = "";
|
||||||
|
|
||||||
|
// allow user with TGT to run tests
|
||||||
|
@BeforeClass
|
||||||
|
public static void setupKerb() {
|
||||||
|
System.setProperty("java.security.krb5.kdc", "");
|
||||||
|
System.setProperty("java.security.krb5.realm", "NONE");
|
||||||
|
}
|
||||||
|
|
||||||
public static class DummySecretManager extends
|
public static class DummySecretManager extends
|
||||||
AbstractDelegationTokenSecretManager<DelegationTokenIdentifier> {
|
AbstractDelegationTokenSecretManager<DelegationTokenIdentifier> {
|
||||||
|
|
||||||
|
@ -600,5 +607,49 @@ public class TestJspHelper {
|
||||||
50020, 50075, 50076, 50010);
|
50020, 50075, 50076, 50010);
|
||||||
assertNotNull(JspHelper.Url.authority("http", dnWithEmptyIp));
|
assertNotNull(JspHelper.Url.authority("http", dnWithEmptyIp));
|
||||||
}
|
}
|
||||||
|
|
||||||
|
private static String clientAddr = "1.1.1.1";
|
||||||
|
private static String chainedClientAddr = clientAddr+", 2.2.2.2";
|
||||||
|
private static String proxyAddr = "3.3.3.3";
|
||||||
|
|
||||||
|
@Test
|
||||||
|
public void testRemoteAddr() {
|
||||||
|
assertEquals(clientAddr, getRemoteAddr(clientAddr, null, false));
|
||||||
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
public void testRemoteAddrWithUntrustedProxy() {
|
||||||
|
assertEquals(proxyAddr, getRemoteAddr(clientAddr, proxyAddr, false));
|
||||||
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
public void testRemoteAddrWithTrustedProxy() {
|
||||||
|
assertEquals(clientAddr, getRemoteAddr(clientAddr, proxyAddr, true));
|
||||||
|
assertEquals(clientAddr, getRemoteAddr(chainedClientAddr, proxyAddr, true));
|
||||||
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
public void testRemoteAddrWithTrustedProxyAndEmptyClient() {
|
||||||
|
assertEquals(proxyAddr, getRemoteAddr(null, proxyAddr, true));
|
||||||
|
assertEquals(proxyAddr, getRemoteAddr("", proxyAddr, true));
|
||||||
|
}
|
||||||
|
|
||||||
|
private String getRemoteAddr(String clientAddr, String proxyAddr, boolean trusted) {
|
||||||
|
HttpServletRequest req = mock(HttpServletRequest.class);
|
||||||
|
when(req.getRemoteAddr()).thenReturn("1.2.3.4");
|
||||||
|
|
||||||
|
Configuration conf = new Configuration();
|
||||||
|
if (proxyAddr == null) {
|
||||||
|
when(req.getRemoteAddr()).thenReturn(clientAddr);
|
||||||
|
} else {
|
||||||
|
when(req.getRemoteAddr()).thenReturn(proxyAddr);
|
||||||
|
when(req.getHeader("X-Forwarded-For")).thenReturn(clientAddr);
|
||||||
|
if (trusted) {
|
||||||
|
conf.set(ProxyUsers.CONF_HADOOP_PROXYSERVERS, proxyAddr);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
ProxyUsers.refreshSuperUserGroupsConfiguration(conf);
|
||||||
|
return JspHelper.getRemoteAddr(req);
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
Loading…
Reference in New Issue