HADOOP-6647. balancer fails with "is not authorized for protocol interface NamenodeProtocol" in secure environment

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@963490 13f79535-47bb-0310-9956-ffa450edef68
2010-07-12 21:18:47 +00:00 · 2010-07-12 21:18:47 +00:00 · 6ba9b70d85
parent 4ff2991849
commit 6ba9b70d85
2 changed files with 20 additions and 1 deletions
--- a/CHANGES.txt
+++ b/CHANGES.txt
@ -118,6 +118,9 @@ Trunk (unreleased changes)
    HADOOP-6648. Adds a check for null tokens in Credentials.addToken api.
    (ddas)
 
+    HADOOP-6647. balancer fails with "is not authorized for protocol 
+    interface NamenodeProtocol" in secure environment (boryas)
+
 Release 0.21.0 - Unreleased

  INCOMPATIBLE CHANGES
--- a/src/java/org/apache/hadoop/security/authorize/ServiceAuthorizationManager.java
+++ b/src/java/org/apache/hadoop/security/authorize/ServiceAuthorizationManager.java
@ -17,6 +17,7 @@
 */
 package org.apache.hadoop.security.authorize;

+import java.io.IOException;
 import java.util.IdentityHashMap;
 import java.util.Map;

@ -27,6 +28,7 @@ import org.apache.hadoop.classification.InterfaceStability;
 import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.fs.CommonConfigurationKeys;
 import org.apache.hadoop.security.KerberosInfo;
+import org.apache.hadoop.security.KerberosName;
 import org.apache.hadoop.security.UserGroupInformation;

 /**
@ -37,6 +39,8 @@ import org.apache.hadoop.security.UserGroupInformation;
@InterfaceStability.Evolving
 public class ServiceAuthorizationManager {
  private static final String HADOOP_POLICY_FILE = "hadoop-policy.xml";
+  private static final Log LOG = LogFactory
+  .getLog(ServiceAuthorizationManager.class);

  private static Map<Class<?>, AccessControlList> protocolToAcl =
    new IdentityHashMap<Class<?>, AccessControlList>();
@ -85,7 +89,19 @@ public class ServiceAuthorizationManager {
        clientPrincipal = conf.get(clientKey);
      }
    }
-    if((clientPrincipal != null && !clientPrincipal.equals(user.getUserName())) || 
+    // when authorizing use the short name only
+    String shortName = clientPrincipal;
+    if(clientPrincipal != null ) {
+      try {
+        shortName = new KerberosName(clientPrincipal).getShortName();
+      } catch (IOException e) {
+        LOG.warn("couldn't get short name from " + clientPrincipal, e);
+        // just keep going
+      }
+    }
+    LOG.debug("for protocol authorization compare (" + clientPrincipal + "): " 
+        + shortName + " with " + user.getShortUserName());
+    if((shortName != null &&  !shortName.equals(user.getShortUserName())) || 
        !acl.isUserAllowed(user)) {
      AUDITLOG.warn(AUTHZ_FAILED_FOR + user + " for protocol="+protocol);
      throw new AuthorizationException("User " + user +