Apache
/
hadoop
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

HADOOP-6647. balancer fails with "is not authorized for protocol interface NamenodeProtocol" in secure environment 

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@963490 13f79535-47bb-0310-9956-ffa450edef68
This commit is contained in:
Boris Shkolnik 2010-07-12 21:18:47 +00:00
parent 4ff2991849
commit 6ba9b70d85
2 changed files with 20 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
CHANGES.txt
View File

@ -117,6 +117,9 @@ Trunk (unreleased changes)
HADOOP-6648. Adds a check for null tokens in Credentials.addToken api. HADOOP-6648. Adds a check for null tokens in Credentials.addToken api.
(ddas) (ddas)
HADOOP-6647. balancer fails with "is not authorized for protocol
interface NamenodeProtocol" in secure environment (boryas)
Release 0.21.0 - Unreleased Release 0.21.0 - Unreleased

18
src/java/org/apache/hadoop/security/authorize/ServiceAuthorizationManager.java
View File

@ -17,6 +17,7 @@
*/ */
package org.apache.hadoop.security.authorize; package org.apache.hadoop.security.authorize;
import java.io.IOException;
import java.util.IdentityHashMap; import java.util.IdentityHashMap;
import java.util.Map; import java.util.Map;
@ -27,6 +28,7 @@ import org.apache.hadoop.classification.InterfaceStability;
import org.apache.hadoop.conf.Configuration; import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.CommonConfigurationKeys; import org.apache.hadoop.fs.CommonConfigurationKeys;
import org.apache.hadoop.security.KerberosInfo; import org.apache.hadoop.security.KerberosInfo;
import org.apache.hadoop.security.KerberosName;
import org.apache.hadoop.security.UserGroupInformation; import org.apache.hadoop.security.UserGroupInformation;
/** /**
@ -37,6 +39,8 @@ import org.apache.hadoop.security.UserGroupInformation;
@InterfaceStability.Evolving @InterfaceStability.Evolving
public class ServiceAuthorizationManager { public class ServiceAuthorizationManager {
private static final String HADOOP_POLICY_FILE = "hadoop-policy.xml"; private static final String HADOOP_POLICY_FILE = "hadoop-policy.xml";
private static final Log LOG = LogFactory
.getLog(ServiceAuthorizationManager.class);
private static Map<Class<?>, AccessControlList> protocolToAcl = private static Map<Class<?>, AccessControlList> protocolToAcl =
new IdentityHashMap<Class<?>, AccessControlList>(); new IdentityHashMap<Class<?>, AccessControlList>();
@ -85,7 +89,19 @@ public class ServiceAuthorizationManager {
clientPrincipal = conf.get(clientKey); clientPrincipal = conf.get(clientKey);
} }
} }
if((clientPrincipal != null && !clientPrincipal.equals(user.getUserName())) || // when authorizing use the short name only
String shortName = clientPrincipal;
if(clientPrincipal != null ) {
try {
shortName = new KerberosName(clientPrincipal).getShortName();
} catch (IOException e) {
LOG.warn("couldn't get short name from " + clientPrincipal, e);
// just keep going
}
}
LOG.debug("for protocol authorization compare (" + clientPrincipal + "): "
+ shortName + " with " + user.getShortUserName());
if((shortName != null && !shortName.equals(user.getShortUserName())) ||
!acl.isUserAllowed(user)) { !acl.isUserAllowed(user)) {
AUDITLOG.warn(AUTHZ_FAILED_FOR + user + " for protocol="+protocol); AUDITLOG.warn(AUTHZ_FAILED_FOR + user + " for protocol="+protocol);
throw new AuthorizationException("User " + user + throw new AuthorizationException("User " + user +