HADOOP-8783. Improve RPC.Server's digest auth (daryn)
git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/branches/branch-2@1393498 13f79535-47bb-0310-9956-ffa450edef68
parent
9f3f66375e
commit
594176ed04
|
@ -28,6 +28,8 @@ Release 2.0.3-alpha - Unreleased
|
||||||
HADOOP-8851. Use -XX:+HeapDumpOnOutOfMemoryError JVM option in the forked
|
HADOOP-8851. Use -XX:+HeapDumpOnOutOfMemoryError JVM option in the forked
|
||||||
tests. (Ivan A. Veselovsky via atm)
|
tests. (Ivan A. Veselovsky via atm)
|
||||||
|
|
||||||
|
HADOOP-8783. Improve RPC.Server's digest auth (daryn)
|
||||||
|
|
||||||
OPTIMIZATIONS
|
OPTIMIZATIONS
|
||||||
|
|
||||||
HADOOP-8866. SampleQuantiles#query is O(N^2) instead of O(N). (Andrew Wang
|
HADOOP-8866. SampleQuantiles#query is O(N^2) instead of O(N). (Andrew Wang
|
||||||
|
|
|
@ -84,7 +84,6 @@ import org.apache.hadoop.security.SaslRpcServer.SaslDigestCallbackHandler;
|
||||||
import org.apache.hadoop.security.SaslRpcServer.SaslGssCallbackHandler;
|
import org.apache.hadoop.security.SaslRpcServer.SaslGssCallbackHandler;
|
||||||
import org.apache.hadoop.security.SaslRpcServer.SaslStatus;
|
import org.apache.hadoop.security.SaslRpcServer.SaslStatus;
|
||||||
import org.apache.hadoop.security.UserGroupInformation;
|
import org.apache.hadoop.security.UserGroupInformation;
|
||||||
import org.apache.hadoop.security.UserGroupInformation.AuthenticationMethod;
|
|
||||||
import org.apache.hadoop.security.authorize.AuthorizationException;
|
import org.apache.hadoop.security.authorize.AuthorizationException;
|
||||||
import org.apache.hadoop.security.authorize.PolicyProvider;
|
import org.apache.hadoop.security.authorize.PolicyProvider;
|
||||||
import org.apache.hadoop.security.authorize.ProxyUsers;
|
import org.apache.hadoop.security.authorize.ProxyUsers;
|
||||||
|
@ -1334,7 +1333,10 @@ public abstract class Server {
|
||||||
if (authMethod == null) {
|
if (authMethod == null) {
|
||||||
throw new IOException("Unable to read authentication method");
|
throw new IOException("Unable to read authentication method");
|
||||||
}
|
}
|
||||||
if (isSecurityEnabled && authMethod == AuthMethod.SIMPLE) {
|
final boolean clientUsingSasl;
|
||||||
|
switch (authMethod) {
|
||||||
|
case SIMPLE: { // no sasl for simple
|
||||||
|
if (isSecurityEnabled) {
|
||||||
AccessControlException ae = new AccessControlException("Authorization ("
|
AccessControlException ae = new AccessControlException("Authorization ("
|
||||||
+ CommonConfigurationKeys.HADOOP_SECURITY_AUTHORIZATION
|
+ CommonConfigurationKeys.HADOOP_SECURITY_AUTHORIZATION
|
||||||
+ ") is enabled but authentication ("
|
+ ") is enabled but authentication ("
|
||||||
|
@ -1346,7 +1348,22 @@ public abstract class Server {
|
||||||
responder.doRespond(authFailedCall);
|
responder.doRespond(authFailedCall);
|
||||||
throw ae;
|
throw ae;
|
||||||
}
|
}
|
||||||
if (!isSecurityEnabled && authMethod != AuthMethod.SIMPLE) {
|
clientUsingSasl = false;
|
||||||
|
useSasl = false;
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
case DIGEST: {
|
||||||
|
clientUsingSasl = true;
|
||||||
|
useSasl = (secretManager != null);
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
default: {
|
||||||
|
clientUsingSasl = true;
|
||||||
|
useSasl = isSecurityEnabled;
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
if (clientUsingSasl && !useSasl) {
|
||||||
doSaslReply(SaslStatus.SUCCESS, new IntWritable(
|
doSaslReply(SaslStatus.SUCCESS, new IntWritable(
|
||||||
SaslRpcServer.SWITCH_TO_SIMPLE_AUTH), null, null);
|
SaslRpcServer.SWITCH_TO_SIMPLE_AUTH), null, null);
|
||||||
authMethod = AuthMethod.SIMPLE;
|
authMethod = AuthMethod.SIMPLE;
|
||||||
|
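Review bot: In the `case DIGEST:` branch a secure server that was built without a secret manager ends up with `useSasl = false`, so the `clientUsingSasl && !useSasl` block below answers SWITCH_TO_SIMPLE_AUTH and carries on with `authMethod = AuthMethod.SIMPLE`, while the "SIMPLE on a secure server" rejection is only applied inside the `case SIMPLE:` branch that this client never entered. Unless a later check outside this hunk refuses the downgraded connection, a misconfigured secure server would admit DIGEST clients as unauthenticated SIMPLE users; the removed lines kept `useSasl = true` for every non-SIMPLE method, presumably leaving the handshake to fail instead. Consider guarding the downgrade right after `useSasl = (secretManager != null);`, e.g. `if (isSecurityEnabled && !useSasl) { throw new AccessControlException("DIGEST authentication requires a secret manager on a secure server"); }`, sending the same authFailedCall response the SIMPLE branch does before throwing. The switch begins in the preceding hunk and the enclosing method continues past this one.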
@ -1355,9 +1372,6 @@ public abstract class Server {
|
||||||
// to simple auth from now on.
|
// to simple auth from now on.
|
||||||
skipInitialSaslHandshake = true;
|
skipInitialSaslHandshake = true;
|
||||||
}
|
}
|
||||||
if (authMethod != AuthMethod.SIMPLE) {
|
|
||||||
useSasl = true;
|
|
||||||
}
|
|
||||||
|
|
||||||
connectionHeaderBuf = null;
|
connectionHeaderBuf = null;
|
||||||
connectionHeaderRead = true;
|
connectionHeaderRead = true;
|
||||||
|
@ -1491,8 +1505,6 @@ public abstract class Server {
|
||||||
UserGroupInformation realUser = user;
|
UserGroupInformation realUser = user;
|
||||||
user = UserGroupInformation.createProxyUser(protocolUser
|
user = UserGroupInformation.createProxyUser(protocolUser
|
||||||
.getUserName(), realUser);
|
.getUserName(), realUser);
|
||||||
// Now the user is a proxy user, set Authentication method Proxy.
|
|
||||||
user.setAuthenticationMethod(AuthenticationMethod.PROXY);
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -1842,7 +1854,7 @@ public abstract class Server {
|
||||||
// Create the responder here
|
// Create the responder here
|
||||||
responder = new Responder();
|
responder = new Responder();
|
||||||
|
|
||||||
if (isSecurityEnabled) {
|
if (secretManager != null) {
|
||||||
SaslRpcServer.init(conf);
|
SaslRpcServer.init(conf);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
@ -60,6 +60,7 @@ import org.apache.hadoop.security.token.TokenInfo;
|
||||||
import org.apache.hadoop.security.token.TokenSelector;
|
import org.apache.hadoop.security.token.TokenSelector;
|
||||||
import org.apache.hadoop.security.token.SecretManager.InvalidToken;
|
import org.apache.hadoop.security.token.SecretManager.InvalidToken;
|
||||||
import org.apache.log4j.Level;
|
import org.apache.log4j.Level;
|
||||||
|
import org.junit.BeforeClass;
|
||||||
import org.junit.Test;
|
import org.junit.Test;
|
||||||
|
|
||||||
/** Unit tests for using Sasl over RPC. */
|
/** Unit tests for using Sasl over RPC. */
|
||||||
|
@ -76,7 +77,8 @@ public class TestSaslRPC {
|
||||||
static final String SERVER_PRINCIPAL_2 = "p2/foo@BAR";
|
static final String SERVER_PRINCIPAL_2 = "p2/foo@BAR";
|
||||||
|
|
||||||
private static Configuration conf;
|
private static Configuration conf;
|
||||||
static {
|
@BeforeClass
|
||||||
|
public static void setup() {
|
||||||
conf = new Configuration();
|
conf = new Configuration();
|
||||||
conf.set(HADOOP_SECURITY_AUTHENTICATION, "kerberos");
|
conf.set(HADOOP_SECURITY_AUTHENTICATION, "kerberos");
|
||||||
UserGroupInformation.setConfiguration(conf);
|
UserGroupInformation.setConfiguration(conf);
|
||||||
|
@ -449,11 +451,25 @@ public class TestSaslRPC {
|
||||||
}
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
public void testDigestAuthMethod() throws Exception {
|
public void testDigestAuthMethodSecureServer() throws Exception {
|
||||||
|
checkDigestAuthMethod(true);
|
||||||
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
public void testDigestAuthMethodInsecureServer() throws Exception {
|
||||||
|
checkDigestAuthMethod(false);
|
||||||
|
}
|
||||||
|
|
||||||
|
private void checkDigestAuthMethod(boolean secureServer) throws Exception {
|
||||||
TestTokenSecretManager sm = new TestTokenSecretManager();
|
TestTokenSecretManager sm = new TestTokenSecretManager();
|
||||||
Server server = new RPC.Builder(conf).setProtocol(TestSaslProtocol.class)
|
Server server = new RPC.Builder(conf).setProtocol(TestSaslProtocol.class)
|
||||||
.setInstance(new TestSaslImpl()).setBindAddress(ADDRESS).setPort(0)
|
.setInstance(new TestSaslImpl()).setBindAddress(ADDRESS).setPort(0)
|
||||||
.setNumHandlers(5).setVerbose(true).setSecretManager(sm).build();
|
.setNumHandlers(5).setVerbose(true).setSecretManager(sm).build();
|
||||||
|
if (secureServer) {
|
||||||
|
server.enableSecurity();
|
||||||
|
} else {
|
||||||
|
server.disableSecurity();
|
||||||
|
}
|
||||||
server.start();
|
server.start();
|
||||||
|
|
||||||
final UserGroupInformation current = UserGroupInformation.getCurrentUser();
|
final UserGroupInformation current = UserGroupInformation.getCurrentUser();
|
||||||
|
|
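Review bot: `checkDigestAuthMethod(boolean secureServer)` carries no comment saying what the flag is meant to prove, and since both public tests just delegate to it the intent is hard to read: `setSecretManager(sm)` installs the secret manager in both cases and only the `enableSecurity()`/`disableSecurity()` call differs. A Javadoc along the lines of `/** Runs DIGEST (token) authentication against a server that always has a secret manager; {@code secureServer} only toggles the server's security flag. */` would make that explicit. The helper's body continues outside this hunk.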