From 6f1d18bd478c4963543f8b8d80aefcb5adb38774 Mon Sep 17 00:00:00 2001 From: Jitendra Nath Pandey Date: Thu, 6 Oct 2011 21:30:06 +0000 Subject: [PATCH] HDFS-2409. _HOST in dfs.web.authentication.kerberos.principal. Incorporates HDFS-2405 as well. git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1179861 13f79535-47bb-0310-9956-ffa450edef68 --- hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt | 2 + .../org/apache/hadoop/hdfs/DFSConfigKeys.java | 2 + .../server/namenode/NameNodeHttpServer.java | 29 ++++++- .../apache/hadoop/hdfs/web/AuthFilter.java | 26 ++----- .../hdfs/web/resources/UserProvider.java | 6 +- .../hadoop/hdfs/web/TestAuthFilter.java | 78 +++++++++++++++++++ 6 files changed, 122 insertions(+), 21 deletions(-) create mode 100644 hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/web/TestAuthFilter.java diff --git a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt index 0e0995514d9..930444bec8c 100644 --- a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt +++ b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt @@ -100,6 +100,8 @@ Trunk (unreleased changes) HDFS-2403. NamenodeWebHdfsMethods.generateDelegationToken(..) does not use the renewer parameter. (szetszwo) + HDFS-2409. _HOST in dfs.web.authentication.kerberos.principal. (jitendra) + Release 0.23.0 - Unreleased INCOMPATIBLE CHANGES diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DFSConfigKeys.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DFSConfigKeys.java index c10d185acfc..9c53bc08796 100644 --- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DFSConfigKeys.java +++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DFSConfigKeys.java @@ -282,4 +282,6 @@ public class DFSConfigKeys extends CommonConfigurationKeys { public static final String DFS_NAMENODE_DU_RESERVED_KEY = "dfs.namenode.resource.du.reserved"; public static final long DFS_NAMENODE_DU_RESERVED_DEFAULT = 1024 * 1024 * 100; // 100 MB public static final String DFS_NAMENODE_CHECKED_VOLUMES_KEY = "dfs.namenode.resource.checked.volumes"; + public static final String DFS_WEB_AUTHENTICATION_KERBEROS_PRINCIPAL_KEY = "dfs.web.authentication.kerberos.principal"; + public static final String DFS_WEB_AUTHENTICATION_KERBEROS_KEYTAB_KEY = "dfs.web.authentication.kerberos.keytab"; } diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/NameNodeHttpServer.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/NameNodeHttpServer.java index 2aa1fba5bcd..56191433ff1 100644 --- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/NameNodeHttpServer.java +++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/NameNodeHttpServer.java @@ -20,6 +20,8 @@ package org.apache.hadoop.hdfs.server.namenode; import java.io.IOException; import java.net.InetSocketAddress; import java.security.PrivilegedExceptionAction; +import java.util.HashMap; +import java.util.Map; import javax.servlet.ServletContext; @@ -108,7 +110,8 @@ public class NameNodeHttpServer { final String name = "SPNEGO"; final String classname = AuthFilter.class.getName(); final String pathSpec = "/" + WebHdfsFileSystem.PATH_PREFIX + "/*"; - defineFilter(webAppContext, name, classname, null, + Map params = getAuthFilterParams(conf); + defineFilter(webAppContext, name, classname, params, new String[]{pathSpec}); LOG.info("Added filter '" + name + "' (class=" + classname + ")"); @@ -118,6 +121,30 @@ public class NameNodeHttpServer { + ";" + Param.class.getPackage().getName(), pathSpec); } } + + private Map getAuthFilterParams(Configuration conf) + throws IOException { + Map params = new HashMap(); + String principalInConf = conf + .get(DFSConfigKeys.DFS_WEB_AUTHENTICATION_KERBEROS_PRINCIPAL_KEY); + if (principalInConf != null && !principalInConf.isEmpty()) { + params + .put( + DFSConfigKeys.DFS_WEB_AUTHENTICATION_KERBEROS_PRINCIPAL_KEY, + SecurityUtil.getServerPrincipal(principalInConf, + infoHost)); + } + String httpKeytab = conf + .get(DFSConfigKeys.DFS_WEB_AUTHENTICATION_KERBEROS_KEYTAB_KEY); + if (httpKeytab != null && !httpKeytab.isEmpty()) { + params.put( + DFSConfigKeys.DFS_WEB_AUTHENTICATION_KERBEROS_KEYTAB_KEY, + httpKeytab); + } + params.put("kerberos.name.rules", + conf.get("hadoop.security.auth_to_local", "DEFAULT")); + return params; + } }; boolean certSSL = conf.getBoolean("dfs.https.enable", false); diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/web/AuthFilter.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/web/AuthFilter.java index 6e5a8dd1d9e..6c3f8006688 100644 --- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/web/AuthFilter.java +++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/web/AuthFilter.java @@ -17,12 +17,11 @@ */ package org.apache.hadoop.hdfs.web; -import java.util.Map; import java.util.Properties; import javax.servlet.FilterConfig; +import javax.servlet.ServletException; -import org.apache.hadoop.conf.Configuration; import org.apache.hadoop.security.UserGroupInformation; import org.apache.hadoop.security.authentication.server.AuthenticationFilter; import org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler; @@ -41,30 +40,21 @@ public class AuthFilter extends AuthenticationFilter { * The prefix is removed from the returned property names. * * @param prefix parameter not used. - * @param config parameter not used. + * @param config parameter contains the initialization values. * @return Hadoop-Auth configuration properties. + * @throws ServletException */ @Override - protected Properties getConfiguration(String prefix, FilterConfig config) { - final Configuration conf = new Configuration(); - final Properties p = new Properties(); - - //set authentication type + protected Properties getConfiguration(String prefix, FilterConfig config) + throws ServletException { + final Properties p = super.getConfiguration(CONF_PREFIX, config); + // set authentication type p.setProperty(AUTH_TYPE, UserGroupInformation.isSecurityEnabled()? KerberosAuthenticationHandler.TYPE: PseudoAuthenticationHandler.TYPE); //For Pseudo Authentication, allow anonymous. p.setProperty(PseudoAuthenticationHandler.ANONYMOUS_ALLOWED, "true"); //set cookie path p.setProperty(COOKIE_PATH, "/"); - - //set other configurations with CONF_PREFIX - for (Map.Entry entry : conf) { - final String key = entry.getKey(); - if (key.startsWith(CONF_PREFIX)) { - //remove prefix from the key and set property - p.setProperty(key.substring(CONF_PREFIX.length()), conf.get(key)); - } - } - return p; + return p; } } \ No newline at end of file diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/web/resources/UserProvider.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/web/resources/UserProvider.java index 813b64bfcce..8906fbfcf1e 100644 --- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/web/resources/UserProvider.java +++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/web/resources/UserProvider.java @@ -20,6 +20,7 @@ package org.apache.hadoop.hdfs.web.resources; import java.io.IOException; import java.lang.reflect.Type; +import javax.servlet.ServletContext; import javax.servlet.http.HttpServletRequest; import javax.ws.rs.core.Context; import javax.ws.rs.ext.Provider; @@ -42,11 +43,12 @@ public class UserProvider extends AbstractHttpContextInjectable implements InjectableProvider { @Context HttpServletRequest request; + @Context ServletContext servletcontext; @Override public UserGroupInformation getValue(final HttpContext context) { - final Configuration conf = (Configuration)context.getProperties().get( - JspHelper.CURRENT_CONF); + final Configuration conf = (Configuration) servletcontext + .getAttribute(JspHelper.CURRENT_CONF); try { return JspHelper.getUGI(null, request, conf, AuthenticationMethod.KERBEROS, false); diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/web/TestAuthFilter.java b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/web/TestAuthFilter.java new file mode 100644 index 00000000000..0d6ff189edc --- /dev/null +++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/web/TestAuthFilter.java @@ -0,0 +1,78 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.hadoop.hdfs.web; + +import java.util.Collections; +import java.util.Enumeration; +import java.util.HashMap; +import java.util.Map; +import java.util.Properties; + +import javax.servlet.FilterConfig; +import javax.servlet.ServletContext; +import javax.servlet.ServletException; + +import org.apache.hadoop.hdfs.DFSConfigKeys; +import org.apache.hadoop.security.authentication.server.PseudoAuthenticationHandler; +import org.junit.Assert; +import org.junit.Test; + +public class TestAuthFilter { + + private static class DummyFilterConfig implements FilterConfig { + final Map map; + + DummyFilterConfig(Map map) { + this.map = map; + } + + @Override + public String getFilterName() { + return "dummy"; + } + @Override + public String getInitParameter(String arg0) { + return map.get(arg0); + } + @Override + public Enumeration getInitParameterNames() { + return Collections.enumeration(map.keySet()); + } + @Override + public ServletContext getServletContext() { + return null; + } + } + + @Test + public void testGetConfiguration() throws ServletException { + AuthFilter filter = new AuthFilter(); + Map m = new HashMap(); + m.put(DFSConfigKeys.DFS_WEB_AUTHENTICATION_KERBEROS_PRINCIPAL_KEY, + "xyz/thehost@REALM"); + m.put(DFSConfigKeys.DFS_WEB_AUTHENTICATION_KERBEROS_KEYTAB_KEY, + "thekeytab"); + FilterConfig config = new DummyFilterConfig(m); + Properties p = filter.getConfiguration("random", config); + Assert.assertEquals("xyz/thehost@REALM", + p.getProperty("kerberos.principal")); + Assert.assertEquals("thekeytab", p.getProperty("kerberos.keytab")); + Assert.assertEquals("true", + p.getProperty(PseudoAuthenticationHandler.ANONYMOUS_ALLOWED)); + } +}