HADOOP-15922. Fixed DelegationTokenAuthenticator URL decoding for doAs user.

Contributed by He Xiaoqiao

(cherry picked from commit 0dd35e218f)
Eric Yang 2019-01-22 18:59:36 -05:00
parent 29de303e0a
commit 65d2b13dc2
2 changed files with 65 additions and 2 deletions


@ -292,8 +292,7 @@ public abstract class DelegationTokenAuthenticator implements Authenticator {
} }
// proxyuser // proxyuser
if (doAsUser != null) { if (doAsUser != null) {
params.put(DelegationTokenAuthenticatedURL.DO_AS, params.put(DelegationTokenAuthenticatedURL.DO_AS, doAsUser);
URLEncoder.encode(doAsUser, "UTF-8"));
} }
String urlStr = url.toExternalForm(); String urlStr = url.toExternalForm();
StringBuilder sb = new StringBuilder(urlStr); StringBuilder sb = new StringBuilder(urlStr);
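Review bot: With the `URLEncoder.encode(doAsUser, "UTF-8")` call gone, `doAsUser` is stored in `params` raw, so the code that appends `params` to `sb` is now the only place this value can be escaped, and that code lies below the end of this hunk. Please confirm it URL-encodes every value exactly once; if it did not, a principal containing `&`, `=` or `/` would change how the server parses the query string carrying the doAs parameter. A comment at the `put` would keep the encoding from being re-added here later, for example `// stored raw; encoded once when params are appended to the URL below`.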


@ -2115,6 +2115,70 @@ public class TestKMS {
}); });
} }
@Test
public void testGetDelegationTokenByProxyUser() throws Exception {
Configuration conf = new Configuration();
conf.set("hadoop.security.auth_to_local.mechanism", "mit");
conf.set("hadoop.security.authentication", "kerberos");
UserGroupInformation.setConfiguration(conf);
final File testDir = getTestDir();
conf = createBaseKMSConf(testDir, conf);
conf.set("hadoop.kms.authentication.type", "kerberos");
conf.set("hadoop.kms.authentication.kerberos.keytab",
keytab.getAbsolutePath());
conf.set("hadoop.kms.authentication.kerberos.principal", "HTTP/localhost");
conf.set("hadoop.kms.proxyuser.client.users", "foo/localhost");
conf.set("hadoop.kms.proxyuser.client.hosts", "localhost");
conf.set(KeyAuthorizationKeyProvider.KEY_ACL + "kcc.ALL",
"foo/localhost");
writeConf(testDir, conf);
runServer(null, null, testDir, new KMSCallable<Void>() {
@Override
public Void call() throws Exception {
final Configuration conf = new Configuration();
final URI uri = createKMSUri(getKMSUrl());
// proxyuser client using kerberos credentials
UserGroupInformation proxyUgi = UserGroupInformation.
loginUserFromKeytabAndReturnUGI("client/host", keytab.getAbsolutePath());
UserGroupInformation foo = UserGroupInformation.createProxyUser(
"foo/localhost", proxyUgi);
final Credentials credentials = new Credentials();
foo.doAs(new PrivilegedExceptionAction<Void>() {
@Override
public Void run() throws Exception {
final KeyProvider kp = createProvider(uri, conf);
KeyProviderDelegationTokenExtension keyProviderDelegationTokenExtension
= KeyProviderDelegationTokenExtension
.createKeyProviderDelegationTokenExtension(kp);
keyProviderDelegationTokenExtension.addDelegationTokens("client",
credentials);
Assert.assertNotNull(kp.createKey("kcc",
new KeyProvider.Options(conf)));
return null;
}
});
// current user client using token credentials for proxy user
UserGroupInformation nonKerberosUgi
= UserGroupInformation.getCurrentUser();
nonKerberosUgi.addCredentials(credentials);
nonKerberosUgi.doAs(new PrivilegedExceptionAction<Void>() {
@Override
public Void run() throws Exception {
final KeyProvider kp = createProvider(uri, conf);
Assert.assertNotNull(kp.getMetadata("kcc"));
return null;
}
});
return null;
}
});
}
private Configuration setupConfForKerberos(File confDir) throws Exception { private Configuration setupConfForKerberos(File confDir) throws Exception {
final Configuration conf = createBaseKMSConf(confDir, null); final Configuration conf = createBaseKMSConf(confDir, null);
conf.set("hadoop.security.authentication", "kerberos"); conf.set("hadoop.security.authentication", "kerberos");
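Review bot: Nothing in `testGetDelegationTokenByProxyUser` says that the `/` in `foo/localhost` is what makes this a regression test for the doAs encoding. A comment at the `createProxyUser` call, such as `// principal contains '/', so the doAs value must survive exactly one URL-encode/decode round trip`, would keep a later cleanup from swapping in a plain name. The second `doAs` block adds the token to `UserGroupInformation.getCurrentUser()`, which looks like process-wide state that later tests in `TestKMS` could inherit; a throwaway UGI would isolate it. Adding `Assert.assertFalse(credentials.getAllTokens().isEmpty());` before that block would show that a token was actually issued before `getMetadata` relies on it.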