From 6ba9b70d85a89f1a28c5b159ad553ab6ffef80b2 Mon Sep 17 00:00:00 2001
From: Boris Shkolnik <boryas@apache.org>
Date: Mon, 12 Jul 2010 21:18:47 +0000
Subject: [PATCH] HADOOP-6647. balancer fails with "is not authorized for
 protocol interface NamenodeProtocol" in secure environment

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@963490 13f79535-47bb-0310-9956-ffa450edef68
---
 CHANGES.txt                                    |  3 +++
 .../authorize/ServiceAuthorizationManager.java | 18 +++++++++++++++++-
 2 files changed, 20 insertions(+), 1 deletion(-)

diff --git a/CHANGES.txt b/CHANGES.txt
index b4107375510..9eb1bf68515 100644
--- a/CHANGES.txt
+++ b/CHANGES.txt
@@ -117,6 +117,9 @@ Trunk (unreleased changes)
 
     HADOOP-6648. Adds a check for null tokens in Credentials.addToken api.
     (ddas)
+ 
+    HADOOP-6647. balancer fails with "is not authorized for protocol 
+    interface NamenodeProtocol" in secure environment (boryas)
 
 Release 0.21.0 - Unreleased
 
diff --git a/src/java/org/apache/hadoop/security/authorize/ServiceAuthorizationManager.java b/src/java/org/apache/hadoop/security/authorize/ServiceAuthorizationManager.java
index e6bd5afc645..1c4e504e04c 100644
--- a/src/java/org/apache/hadoop/security/authorize/ServiceAuthorizationManager.java
+++ b/src/java/org/apache/hadoop/security/authorize/ServiceAuthorizationManager.java
@@ -17,6 +17,7 @@
  */
 package org.apache.hadoop.security.authorize;
 
+import java.io.IOException;
 import java.util.IdentityHashMap;
 import java.util.Map;
 
@@ -27,6 +28,7 @@ import org.apache.hadoop.classification.InterfaceStability;
 import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.fs.CommonConfigurationKeys;
 import org.apache.hadoop.security.KerberosInfo;
+import org.apache.hadoop.security.KerberosName;
 import org.apache.hadoop.security.UserGroupInformation;
 
 /**
@@ -37,6 +39,8 @@ import org.apache.hadoop.security.UserGroupInformation;
 @InterfaceStability.Evolving
 public class ServiceAuthorizationManager {
   private static final String HADOOP_POLICY_FILE = "hadoop-policy.xml";
+  private static final Log LOG = LogFactory
+  .getLog(ServiceAuthorizationManager.class);
 
   private static Map<Class<?>, AccessControlList> protocolToAcl =
     new IdentityHashMap<Class<?>, AccessControlList>();
@@ -85,7 +89,19 @@ public class ServiceAuthorizationManager {
         clientPrincipal = conf.get(clientKey);
       }
     }
-    if((clientPrincipal != null && !clientPrincipal.equals(user.getUserName())) || 
+    // when authorizing use the short name only
+    String shortName = clientPrincipal;
+    if(clientPrincipal != null ) {
+      try {
+        shortName = new KerberosName(clientPrincipal).getShortName();
+      } catch (IOException e) {
+        LOG.warn("couldn't get short name from " + clientPrincipal, e);
+        // just keep going
+      }
+    }
+    LOG.debug("for protocol authorization compare (" + clientPrincipal + "): " 
+        + shortName + " with " + user.getShortUserName());
+    if((shortName != null &&  !shortName.equals(user.getShortUserName())) || 
         !acl.isUserAllowed(user)) {
       AUDITLOG.warn(AUTHZ_FAILED_FOR + user + " for protocol="+protocol);
       throw new AuthorizationException("User " + user +