HADOOP-18573. Improve error reporting on non-standard kerberos names (#5221)

The kerberos RPC does not declare any restriction on
characters used in kerberos names, though
implementations MAY be more restrictive.

If the kerberos controller supports the use of non-conventional
principal names *and the kerberos admin chooses to use them*
this can confuse some of the parsing.

The obvious solution is for the enterprise admins to "not do that"
as a lot of things break, bits of hadoop included.

Harden the hadoop code slightly so at least we fail more gracefully,
so people can then get in touch with their sysadmin and tell them
to stop it.
Steve Loughran 2022-12-15 11:42:36 +00:00
parent 1009d2560f
commit 65892a7759
No known key found for this signature in database
GPG Key ID: D22CF846DBB162A0
2 changed files with 9 additions and 5 deletions


@ -37,6 +37,8 @@ import org.apache.hadoop.thirdparty.com.google.common.collect.HashBiMap;
import org.slf4j.Logger; import org.slf4j.Logger;
import org.slf4j.LoggerFactory; import org.slf4j.LoggerFactory;
import static org.apache.hadoop.util.Shell.bashQuote;
/** /**
* A simple shell-based implementation of {@link IdMappingServiceProvider} * A simple shell-based implementation of {@link IdMappingServiceProvider}
* Map id to user name or group name. It does update every 15 minutes. Only a * Map id to user name or group name. It does update every 15 minutes. Only a
@ -471,26 +473,27 @@ public class ShellBasedIdMapping implements IdMappingServiceProvider {
boolean updated = false; boolean updated = false;
updateStaticMapping(); updateStaticMapping();
String name2 = bashQuote(name);
if (OS.startsWith("Linux") || OS.equals("SunOS") || OS.contains("BSD")) { if (OS.startsWith("Linux") || OS.equals("SunOS") || OS.contains("BSD")) {
if (isGrp) { if (isGrp) {
updated = updateMapInternal(gidNameMap, "group", updated = updateMapInternal(gidNameMap, "group",
getName2IdCmdNIX(name, true), ":", getName2IdCmdNIX(name2, true), ":",
staticMapping.gidMapping); staticMapping.gidMapping);
} else { } else {
updated = updateMapInternal(uidNameMap, "user", updated = updateMapInternal(uidNameMap, "user",
getName2IdCmdNIX(name, false), ":", getName2IdCmdNIX(name2, false), ":",
staticMapping.uidMapping); staticMapping.uidMapping);
} }
} else { } else {
// Mac // Mac
if (isGrp) { if (isGrp) {
updated = updateMapInternal(gidNameMap, "group", updated = updateMapInternal(gidNameMap, "group",
getName2IdCmdMac(name, true), "\\s+", getName2IdCmdMac(name2, true), "\\s+",
staticMapping.gidMapping); staticMapping.gidMapping);
} else { } else {
updated = updateMapInternal(uidNameMap, "user", updated = updateMapInternal(uidNameMap, "user",
getName2IdCmdMac(name, false), "\\s+", getName2IdCmdMac(name2, false), "\\s+",
staticMapping.uidMapping); staticMapping.uidMapping);
} }
} }
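Review bot: Quoting the name at the call site into a variable called `name2` leaves the contract of `getName2IdCmdNIX` and `getName2IdCmdMac` implicit, because nothing visible here tells a later caller that these builders now expect an already shell-quoted value. Both builders are outside this hunk, so it is worth confirming that each places the name only in a plain argument position; a value wrapped in single quotes would presumably not stay quoted if it is spliced inside a string the builder already quotes. I would rename the variable to `quotedName` and add a comment such as `// name is interpolated into a shell command line below; quote it exactly once here`. A unit test that passes a name containing a space and a single quote through both the user and the group path would pin the behaviour. The enclosing method starts and ends outside the hunk.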


@ -145,7 +145,8 @@ public abstract class Shell {
* @param arg the argument to quote * @param arg the argument to quote
* @return the quoted string * @return the quoted string
*/ */
static String bashQuote(String arg) { @InterfaceAudience.Private
public static String bashQuote(String arg) {
StringBuilder buffer = new StringBuilder(arg.length() + 2); StringBuilder buffer = new StringBuilder(arg.length() + 2);
buffer.append('\'') buffer.append('\'')
.append(arg.replace("'", "'\\''")) .append(arg.replace("'", "'\\''"))
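Review bot: Widening `bashQuote` to `public` makes it a quoting primitive for other packages, but the Javadoc visible here still says only "the argument to quote", and the body dereferences `arg` straight away in `arg.length()`, so a null name surfaces as a bare NullPointerException. Since the commit aims at clearer failures on unusual names, consider `Objects.requireNonNull(arg, "arg")` at the top (if `java.util.Objects` is available in this file), or at least document the contract with `@throws NullPointerException if arg is null`. The Javadoc should also state that the result is a single-quoted word for a POSIX-style shell and is only safe when used as a whole argument, not when embedded in another quoted string. The method body continues past the end of the hunk.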