svn merge -c 1179861 from trunk for HDFS-2409.

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/branches/branch-0.23@1189468 13f79535-47bb-0310-9956-ffa450edef68
This commit is contained in:
Tsz-wo Sze 2011-10-26 21:16:49 +00:00
parent d7986e9c29
commit 5afaf6a141
6 changed files with 122 additions and 21 deletions

View File

@ -1093,6 +1093,8 @@ Release 0.23.0 - Unreleased
HDFS-2403. NamenodeWebHdfsMethods.generateDelegationToken(..) does not use HDFS-2403. NamenodeWebHdfsMethods.generateDelegationToken(..) does not use
the renewer parameter. (szetszwo) the renewer parameter. (szetszwo)
HDFS-2409. _HOST in dfs.web.authentication.kerberos.principal. (jitendra)
BREAKDOWN OF HDFS-1073 SUBTASKS BREAKDOWN OF HDFS-1073 SUBTASKS
HDFS-1521. Persist transaction ID on disk between NN restarts. HDFS-1521. Persist transaction ID on disk between NN restarts.

View File

@ -282,4 +282,6 @@ public class DFSConfigKeys extends CommonConfigurationKeys {
public static final String DFS_NAMENODE_DU_RESERVED_KEY = "dfs.namenode.resource.du.reserved"; public static final String DFS_NAMENODE_DU_RESERVED_KEY = "dfs.namenode.resource.du.reserved";
public static final long DFS_NAMENODE_DU_RESERVED_DEFAULT = 1024 * 1024 * 100; // 100 MB public static final long DFS_NAMENODE_DU_RESERVED_DEFAULT = 1024 * 1024 * 100; // 100 MB
public static final String DFS_NAMENODE_CHECKED_VOLUMES_KEY = "dfs.namenode.resource.checked.volumes"; public static final String DFS_NAMENODE_CHECKED_VOLUMES_KEY = "dfs.namenode.resource.checked.volumes";
public static final String DFS_WEB_AUTHENTICATION_KERBEROS_PRINCIPAL_KEY = "dfs.web.authentication.kerberos.principal";
public static final String DFS_WEB_AUTHENTICATION_KERBEROS_KEYTAB_KEY = "dfs.web.authentication.kerberos.keytab";
} }

View File

@ -20,6 +20,8 @@ package org.apache.hadoop.hdfs.server.namenode;
import java.io.IOException; import java.io.IOException;
import java.net.InetSocketAddress; import java.net.InetSocketAddress;
import java.security.PrivilegedExceptionAction; import java.security.PrivilegedExceptionAction;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.ServletContext; import javax.servlet.ServletContext;
@ -108,7 +110,8 @@ public class NameNodeHttpServer {
final String name = "SPNEGO"; final String name = "SPNEGO";
final String classname = AuthFilter.class.getName(); final String classname = AuthFilter.class.getName();
final String pathSpec = "/" + WebHdfsFileSystem.PATH_PREFIX + "/*"; final String pathSpec = "/" + WebHdfsFileSystem.PATH_PREFIX + "/*";
defineFilter(webAppContext, name, classname, null, Map<String, String> params = getAuthFilterParams(conf);
defineFilter(webAppContext, name, classname, params,
new String[]{pathSpec}); new String[]{pathSpec});
LOG.info("Added filter '" + name + "' (class=" + classname + ")"); LOG.info("Added filter '" + name + "' (class=" + classname + ")");
@ -118,6 +121,30 @@ public class NameNodeHttpServer {
+ ";" + Param.class.getPackage().getName(), pathSpec); + ";" + Param.class.getPackage().getName(), pathSpec);
} }
} }
private Map<String, String> getAuthFilterParams(Configuration conf)
throws IOException {
Map<String, String> params = new HashMap<String, String>();
String principalInConf = conf
.get(DFSConfigKeys.DFS_WEB_AUTHENTICATION_KERBEROS_PRINCIPAL_KEY);
if (principalInConf != null && !principalInConf.isEmpty()) {
params
.put(
DFSConfigKeys.DFS_WEB_AUTHENTICATION_KERBEROS_PRINCIPAL_KEY,
SecurityUtil.getServerPrincipal(principalInConf,
infoHost));
}
String httpKeytab = conf
.get(DFSConfigKeys.DFS_WEB_AUTHENTICATION_KERBEROS_KEYTAB_KEY);
if (httpKeytab != null && !httpKeytab.isEmpty()) {
params.put(
DFSConfigKeys.DFS_WEB_AUTHENTICATION_KERBEROS_KEYTAB_KEY,
httpKeytab);
}
params.put("kerberos.name.rules",
conf.get("hadoop.security.auth_to_local", "DEFAULT"));
return params;
}
}; };
boolean certSSL = conf.getBoolean("dfs.https.enable", false); boolean certSSL = conf.getBoolean("dfs.https.enable", false);

View File

@ -17,12 +17,11 @@
*/ */
package org.apache.hadoop.hdfs.web; package org.apache.hadoop.hdfs.web;
import java.util.Map;
import java.util.Properties; import java.util.Properties;
import javax.servlet.FilterConfig; import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.security.UserGroupInformation; import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.authentication.server.AuthenticationFilter; import org.apache.hadoop.security.authentication.server.AuthenticationFilter;
import org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler; import org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler;
@ -41,30 +40,21 @@ public class AuthFilter extends AuthenticationFilter {
* The prefix is removed from the returned property names. * The prefix is removed from the returned property names.
* *
* @param prefix parameter not used. * @param prefix parameter not used.
* @param config parameter not used. * @param config parameter contains the initialization values.
* @return Hadoop-Auth configuration properties. * @return Hadoop-Auth configuration properties.
* @throws ServletException
*/ */
@Override @Override
protected Properties getConfiguration(String prefix, FilterConfig config) { protected Properties getConfiguration(String prefix, FilterConfig config)
final Configuration conf = new Configuration(); throws ServletException {
final Properties p = new Properties(); final Properties p = super.getConfiguration(CONF_PREFIX, config);
// set authentication type
//set authentication type
p.setProperty(AUTH_TYPE, UserGroupInformation.isSecurityEnabled()? p.setProperty(AUTH_TYPE, UserGroupInformation.isSecurityEnabled()?
KerberosAuthenticationHandler.TYPE: PseudoAuthenticationHandler.TYPE); KerberosAuthenticationHandler.TYPE: PseudoAuthenticationHandler.TYPE);
//For Pseudo Authentication, allow anonymous. //For Pseudo Authentication, allow anonymous.
p.setProperty(PseudoAuthenticationHandler.ANONYMOUS_ALLOWED, "true"); p.setProperty(PseudoAuthenticationHandler.ANONYMOUS_ALLOWED, "true");
//set cookie path //set cookie path
p.setProperty(COOKIE_PATH, "/"); p.setProperty(COOKIE_PATH, "/");
return p;
//set other configurations with CONF_PREFIX
for (Map.Entry<String, String> entry : conf) {
final String key = entry.getKey();
if (key.startsWith(CONF_PREFIX)) {
//remove prefix from the key and set property
p.setProperty(key.substring(CONF_PREFIX.length()), conf.get(key));
}
}
return p;
} }
} }

View File

@ -20,6 +20,7 @@ package org.apache.hadoop.hdfs.web.resources;
import java.io.IOException; import java.io.IOException;
import java.lang.reflect.Type; import java.lang.reflect.Type;
import javax.servlet.ServletContext;
import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletRequest;
import javax.ws.rs.core.Context; import javax.ws.rs.core.Context;
import javax.ws.rs.ext.Provider; import javax.ws.rs.ext.Provider;
@ -42,11 +43,12 @@ public class UserProvider
extends AbstractHttpContextInjectable<UserGroupInformation> extends AbstractHttpContextInjectable<UserGroupInformation>
implements InjectableProvider<Context, Type> { implements InjectableProvider<Context, Type> {
@Context HttpServletRequest request; @Context HttpServletRequest request;
@Context ServletContext servletcontext;
@Override @Override
public UserGroupInformation getValue(final HttpContext context) { public UserGroupInformation getValue(final HttpContext context) {
final Configuration conf = (Configuration)context.getProperties().get( final Configuration conf = (Configuration) servletcontext
JspHelper.CURRENT_CONF); .getAttribute(JspHelper.CURRENT_CONF);
try { try {
return JspHelper.getUGI(null, request, conf, return JspHelper.getUGI(null, request, conf,
AuthenticationMethod.KERBEROS, false); AuthenticationMethod.KERBEROS, false);

View File

@ -0,0 +1,78 @@
/**
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.apache.hadoop.hdfs.web;
import java.util.Collections;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
import java.util.Properties;
import javax.servlet.FilterConfig;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import org.apache.hadoop.hdfs.DFSConfigKeys;
import org.apache.hadoop.security.authentication.server.PseudoAuthenticationHandler;
import org.junit.Assert;
import org.junit.Test;
public class TestAuthFilter {
private static class DummyFilterConfig implements FilterConfig {
final Map<String, String> map;
DummyFilterConfig(Map<String,String> map) {
this.map = map;
}
@Override
public String getFilterName() {
return "dummy";
}
@Override
public String getInitParameter(String arg0) {
return map.get(arg0);
}
@Override
public Enumeration<String> getInitParameterNames() {
return Collections.enumeration(map.keySet());
}
@Override
public ServletContext getServletContext() {
return null;
}
}
@Test
public void testGetConfiguration() throws ServletException {
AuthFilter filter = new AuthFilter();
Map<String, String> m = new HashMap<String,String>();
m.put(DFSConfigKeys.DFS_WEB_AUTHENTICATION_KERBEROS_PRINCIPAL_KEY,
"xyz/thehost@REALM");
m.put(DFSConfigKeys.DFS_WEB_AUTHENTICATION_KERBEROS_KEYTAB_KEY,
"thekeytab");
FilterConfig config = new DummyFilterConfig(m);
Properties p = filter.getConfiguration("random", config);
Assert.assertEquals("xyz/thehost@REALM",
p.getProperty("kerberos.principal"));
Assert.assertEquals("thekeytab", p.getProperty("kerberos.keytab"));
Assert.assertEquals("true",
p.getProperty(PseudoAuthenticationHandler.ANONYMOUS_ALLOWED));
}
}