HADOOP-8783. Improve RPC.Server's digest auth (daryn)

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/branches/branch-2@1393498 13f79535-47bb-0310-9956-ffa450edef68
This commit is contained in:
Daryn Sharp 2012-10-03 14:08:15 +00:00
parent 9f3f66375e
commit 594176ed04
3 changed files with 53 additions and 23 deletions


@ -28,6 +28,8 @@ Release 2.0.3-alpha - Unreleased
HADOOP-8851. Use -XX:+HeapDumpOnOutOfMemoryError JVM option in the forked HADOOP-8851. Use -XX:+HeapDumpOnOutOfMemoryError JVM option in the forked
tests. (Ivan A. Veselovsky via atm) tests. (Ivan A. Veselovsky via atm)
HADOOP-8783. Improve RPC.Server's digest auth (daryn)
OPTIMIZATIONS OPTIMIZATIONS
HADOOP-8866. SampleQuantiles#query is O(N^2) instead of O(N). (Andrew Wang HADOOP-8866. SampleQuantiles#query is O(N^2) instead of O(N). (Andrew Wang


@ -84,7 +84,6 @@ import org.apache.hadoop.security.SaslRpcServer.SaslDigestCallbackHandler;
import org.apache.hadoop.security.SaslRpcServer.SaslGssCallbackHandler; import org.apache.hadoop.security.SaslRpcServer.SaslGssCallbackHandler;
import org.apache.hadoop.security.SaslRpcServer.SaslStatus; import org.apache.hadoop.security.SaslRpcServer.SaslStatus;
import org.apache.hadoop.security.UserGroupInformation; import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.UserGroupInformation.AuthenticationMethod;
import org.apache.hadoop.security.authorize.AuthorizationException; import org.apache.hadoop.security.authorize.AuthorizationException;
import org.apache.hadoop.security.authorize.PolicyProvider; import org.apache.hadoop.security.authorize.PolicyProvider;
import org.apache.hadoop.security.authorize.ProxyUsers; import org.apache.hadoop.security.authorize.ProxyUsers;
@ -1334,7 +1333,10 @@ public abstract class Server {
if (authMethod == null) { if (authMethod == null) {
throw new IOException("Unable to read authentication method"); throw new IOException("Unable to read authentication method");
} }
if (isSecurityEnabled && authMethod == AuthMethod.SIMPLE) { final boolean clientUsingSasl;
switch (authMethod) {
case SIMPLE: { // no sasl for simple
if (isSecurityEnabled) {
AccessControlException ae = new AccessControlException("Authorization (" AccessControlException ae = new AccessControlException("Authorization ("
+ CommonConfigurationKeys.HADOOP_SECURITY_AUTHORIZATION + CommonConfigurationKeys.HADOOP_SECURITY_AUTHORIZATION
+ ") is enabled but authentication (" + ") is enabled but authentication ("
@ -1346,7 +1348,22 @@ public abstract class Server {
responder.doRespond(authFailedCall); responder.doRespond(authFailedCall);
throw ae; throw ae;
} }
if (!isSecurityEnabled && authMethod != AuthMethod.SIMPLE) { clientUsingSasl = false;
useSasl = false;
break;
}
case DIGEST: {
clientUsingSasl = true;
useSasl = (secretManager != null);
break;
}
default: {
clientUsingSasl = true;
useSasl = isSecurityEnabled;
break;
}
}
if (clientUsingSasl && !useSasl) {
doSaslReply(SaslStatus.SUCCESS, new IntWritable( doSaslReply(SaslStatus.SUCCESS, new IntWritable(
SaslRpcServer.SWITCH_TO_SIMPLE_AUTH), null, null); SaslRpcServer.SWITCH_TO_SIMPLE_AUTH), null, null);
authMethod = AuthMethod.SIMPLE; authMethod = AuthMethod.SIMPLE;
@ -1355,9 +1372,6 @@ public abstract class Server {
// to simple auth from now on. // to simple auth from now on.
skipInitialSaslHandshake = true; skipInitialSaslHandshake = true;
} }
if (authMethod != AuthMethod.SIMPLE) {
useSasl = true;
}
connectionHeaderBuf = null; connectionHeaderBuf = null;
connectionHeaderRead = true; connectionHeaderRead = true;
@ -1491,8 +1505,6 @@ public abstract class Server {
UserGroupInformation realUser = user; UserGroupInformation realUser = user;
user = UserGroupInformation.createProxyUser(protocolUser user = UserGroupInformation.createProxyUser(protocolUser
.getUserName(), realUser); .getUserName(), realUser);
// Now the user is a proxy user, set Authentication method Proxy.
user.setAuthenticationMethod(AuthenticationMethod.PROXY);
} }
} }
} }
@ -1842,7 +1854,7 @@ public abstract class Server {
// Create the responder here // Create the responder here
responder = new Responder(); responder = new Responder();
if (isSecurityEnabled) { if (secretManager != null) {
SaslRpcServer.init(conf); SaslRpcServer.init(conf);
} }
} }
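Review bot: The DIGEST branch `useSasl = (secretManager != null);` downgrades a token-presenting client to SIMPLE whenever the server has no secret manager without consulting isSecurityEnabled, whereas the SIMPLE branch directly above rejects a SIMPLE client outright when security is on. On a secure server built without a secret manager that leaves a header-level route to a SIMPLE connection via the SWITCH_TO_SIMPLE_AUTH reply, and whether any later check re-applies the security policy after `authMethod = AuthMethod.SIMPLE;` is outside this hunk. I would only offer the fallback when security is off, e.g. `useSasl = isSecurityEnabled || (secretManager != null);` in the DIGEST case, or better reject through the same `responder.doRespond(authFailedCall); throw ae;` path the SIMPLE case uses so the client gets a clear access-control failure rather than a SASL error from a missing secret manager. The same `secretManager != null` gate on SaslRpcServer.init in the last hunk now skips init for a Kerberos-only server; if init establishes state the default (Kerberos) branch relies on, that condition should likewise be `isSecurityEnabled || secretManager != null` — worth confirming against SaslRpcServer.init. The enclosing connection-header method continues outside the hunk.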


@ -60,6 +60,7 @@ import org.apache.hadoop.security.token.TokenInfo;
import org.apache.hadoop.security.token.TokenSelector; import org.apache.hadoop.security.token.TokenSelector;
import org.apache.hadoop.security.token.SecretManager.InvalidToken; import org.apache.hadoop.security.token.SecretManager.InvalidToken;
import org.apache.log4j.Level; import org.apache.log4j.Level;
import org.junit.BeforeClass;
import org.junit.Test; import org.junit.Test;
/** Unit tests for using Sasl over RPC. */ /** Unit tests for using Sasl over RPC. */
@ -76,7 +77,8 @@ public class TestSaslRPC {
static final String SERVER_PRINCIPAL_2 = "p2/foo@BAR"; static final String SERVER_PRINCIPAL_2 = "p2/foo@BAR";
private static Configuration conf; private static Configuration conf;
static { @BeforeClass
public static void setup() {
conf = new Configuration(); conf = new Configuration();
conf.set(HADOOP_SECURITY_AUTHENTICATION, "kerberos"); conf.set(HADOOP_SECURITY_AUTHENTICATION, "kerberos");
UserGroupInformation.setConfiguration(conf); UserGroupInformation.setConfiguration(conf);
@ -449,11 +451,25 @@ public class TestSaslRPC {
} }
@Test @Test
public void testDigestAuthMethod() throws Exception { public void testDigestAuthMethodSecureServer() throws Exception {
checkDigestAuthMethod(true);
}
@Test
public void testDigestAuthMethodInsecureServer() throws Exception {
checkDigestAuthMethod(false);
}
private void checkDigestAuthMethod(boolean secureServer) throws Exception {
TestTokenSecretManager sm = new TestTokenSecretManager(); TestTokenSecretManager sm = new TestTokenSecretManager();
Server server = new RPC.Builder(conf).setProtocol(TestSaslProtocol.class) Server server = new RPC.Builder(conf).setProtocol(TestSaslProtocol.class)
.setInstance(new TestSaslImpl()).setBindAddress(ADDRESS).setPort(0) .setInstance(new TestSaslImpl()).setBindAddress(ADDRESS).setPort(0)
.setNumHandlers(5).setVerbose(true).setSecretManager(sm).build(); .setNumHandlers(5).setVerbose(true).setSecretManager(sm).build();
if (secureServer) {
server.enableSecurity();
} else {
server.disableSecurity();
}
server.start(); server.start();
final UserGroupInformation current = UserGroupInformation.getCurrentUser(); final UserGroupInformation current = UserGroupInformation.getCurrentUser();
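Review bot: checkDigestAuthMethod always builds the server with `.setSecretManager(sm)`, so neither new test reaches the branch Server.java adds for a DIGEST client when secretManager is null (the SWITCH_TO_SIMPLE_AUTH fallback); a third case that builds the server without a secret manager, in both the secure and insecure configurations, would pin what that fallback does and whether a secure server ever offers it. checkDigestAuthMethod continues past the hunk, so I cannot see whether `server.stop()` runs in a finally when an assertion fails; if it does not, the listener and handler threads leak into the following tests. The `enableSecurity()`/`disableSecurity()` branch would read better with a one-line comment stating what the parameter is meant to prove, e.g. `// a DIGEST client must still negotiate SASL on an insecure server when a secret manager is present`.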