HDFS-2409. _HOST in dfs.web.authentication.kerberos.principal. Incorporates HDFS-2405 as well.
git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1179861 13f79535-47bb-0310-9956-ffa450edef68
This commit is contained in:
parent
a2d7287873
commit
6f1d18bd47
|
@ -100,6 +100,8 @@ Trunk (unreleased changes)
|
||||||
HDFS-2403. NamenodeWebHdfsMethods.generateDelegationToken(..) does not use
|
HDFS-2403. NamenodeWebHdfsMethods.generateDelegationToken(..) does not use
|
||||||
the renewer parameter. (szetszwo)
|
the renewer parameter. (szetszwo)
|
||||||
|
|
||||||
|
HDFS-2409. _HOST in dfs.web.authentication.kerberos.principal. (jitendra)
|
||||||
|
|
||||||
Release 0.23.0 - Unreleased
|
Release 0.23.0 - Unreleased
|
||||||
|
|
||||||
INCOMPATIBLE CHANGES
|
INCOMPATIBLE CHANGES
|
||||||
|
|
|
@ -282,4 +282,6 @@ public class DFSConfigKeys extends CommonConfigurationKeys {
|
||||||
public static final String DFS_NAMENODE_DU_RESERVED_KEY = "dfs.namenode.resource.du.reserved";
|
public static final String DFS_NAMENODE_DU_RESERVED_KEY = "dfs.namenode.resource.du.reserved";
|
||||||
public static final long DFS_NAMENODE_DU_RESERVED_DEFAULT = 1024 * 1024 * 100; // 100 MB
|
public static final long DFS_NAMENODE_DU_RESERVED_DEFAULT = 1024 * 1024 * 100; // 100 MB
|
||||||
public static final String DFS_NAMENODE_CHECKED_VOLUMES_KEY = "dfs.namenode.resource.checked.volumes";
|
public static final String DFS_NAMENODE_CHECKED_VOLUMES_KEY = "dfs.namenode.resource.checked.volumes";
|
||||||
|
public static final String DFS_WEB_AUTHENTICATION_KERBEROS_PRINCIPAL_KEY = "dfs.web.authentication.kerberos.principal";
|
||||||
|
public static final String DFS_WEB_AUTHENTICATION_KERBEROS_KEYTAB_KEY = "dfs.web.authentication.kerberos.keytab";
|
||||||
}
|
}
|
||||||
|
|
|
@ -20,6 +20,8 @@ package org.apache.hadoop.hdfs.server.namenode;
|
||||||
import java.io.IOException;
|
import java.io.IOException;
|
||||||
import java.net.InetSocketAddress;
|
import java.net.InetSocketAddress;
|
||||||
import java.security.PrivilegedExceptionAction;
|
import java.security.PrivilegedExceptionAction;
|
||||||
|
import java.util.HashMap;
|
||||||
|
import java.util.Map;
|
||||||
|
|
||||||
import javax.servlet.ServletContext;
|
import javax.servlet.ServletContext;
|
||||||
|
|
||||||
|
@ -108,7 +110,8 @@ public class NameNodeHttpServer {
|
||||||
final String name = "SPNEGO";
|
final String name = "SPNEGO";
|
||||||
final String classname = AuthFilter.class.getName();
|
final String classname = AuthFilter.class.getName();
|
||||||
final String pathSpec = "/" + WebHdfsFileSystem.PATH_PREFIX + "/*";
|
final String pathSpec = "/" + WebHdfsFileSystem.PATH_PREFIX + "/*";
|
||||||
defineFilter(webAppContext, name, classname, null,
|
Map<String, String> params = getAuthFilterParams(conf);
|
||||||
|
defineFilter(webAppContext, name, classname, params,
|
||||||
new String[]{pathSpec});
|
new String[]{pathSpec});
|
||||||
LOG.info("Added filter '" + name + "' (class=" + classname + ")");
|
LOG.info("Added filter '" + name + "' (class=" + classname + ")");
|
||||||
|
|
||||||
|
@ -118,6 +121,30 @@ public class NameNodeHttpServer {
|
||||||
+ ";" + Param.class.getPackage().getName(), pathSpec);
|
+ ";" + Param.class.getPackage().getName(), pathSpec);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
private Map<String, String> getAuthFilterParams(Configuration conf)
|
||||||
|
throws IOException {
|
||||||
|
Map<String, String> params = new HashMap<String, String>();
|
||||||
|
String principalInConf = conf
|
||||||
|
.get(DFSConfigKeys.DFS_WEB_AUTHENTICATION_KERBEROS_PRINCIPAL_KEY);
|
||||||
|
if (principalInConf != null && !principalInConf.isEmpty()) {
|
||||||
|
params
|
||||||
|
.put(
|
||||||
|
DFSConfigKeys.DFS_WEB_AUTHENTICATION_KERBEROS_PRINCIPAL_KEY,
|
||||||
|
SecurityUtil.getServerPrincipal(principalInConf,
|
||||||
|
infoHost));
|
||||||
|
}
|
||||||
|
String httpKeytab = conf
|
||||||
|
.get(DFSConfigKeys.DFS_WEB_AUTHENTICATION_KERBEROS_KEYTAB_KEY);
|
||||||
|
if (httpKeytab != null && !httpKeytab.isEmpty()) {
|
||||||
|
params.put(
|
||||||
|
DFSConfigKeys.DFS_WEB_AUTHENTICATION_KERBEROS_KEYTAB_KEY,
|
||||||
|
httpKeytab);
|
||||||
|
}
|
||||||
|
params.put("kerberos.name.rules",
|
||||||
|
conf.get("hadoop.security.auth_to_local", "DEFAULT"));
|
||||||
|
return params;
|
||||||
|
}
|
||||||
};
|
};
|
||||||
|
|
||||||
boolean certSSL = conf.getBoolean("dfs.https.enable", false);
|
boolean certSSL = conf.getBoolean("dfs.https.enable", false);
|
||||||
|
|
|
@ -17,12 +17,11 @@
|
||||||
*/
|
*/
|
||||||
package org.apache.hadoop.hdfs.web;
|
package org.apache.hadoop.hdfs.web;
|
||||||
|
|
||||||
import java.util.Map;
|
|
||||||
import java.util.Properties;
|
import java.util.Properties;
|
||||||
|
|
||||||
import javax.servlet.FilterConfig;
|
import javax.servlet.FilterConfig;
|
||||||
|
import javax.servlet.ServletException;
|
||||||
|
|
||||||
import org.apache.hadoop.conf.Configuration;
|
|
||||||
import org.apache.hadoop.security.UserGroupInformation;
|
import org.apache.hadoop.security.UserGroupInformation;
|
||||||
import org.apache.hadoop.security.authentication.server.AuthenticationFilter;
|
import org.apache.hadoop.security.authentication.server.AuthenticationFilter;
|
||||||
import org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler;
|
import org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler;
|
||||||
|
@ -41,14 +40,14 @@ public class AuthFilter extends AuthenticationFilter {
|
||||||
* The prefix is removed from the returned property names.
|
* The prefix is removed from the returned property names.
|
||||||
*
|
*
|
||||||
* @param prefix parameter not used.
|
* @param prefix parameter not used.
|
||||||
* @param config parameter not used.
|
* @param config parameter contains the initialization values.
|
||||||
* @return Hadoop-Auth configuration properties.
|
* @return Hadoop-Auth configuration properties.
|
||||||
|
* @throws ServletException
|
||||||
*/
|
*/
|
||||||
@Override
|
@Override
|
||||||
protected Properties getConfiguration(String prefix, FilterConfig config) {
|
protected Properties getConfiguration(String prefix, FilterConfig config)
|
||||||
final Configuration conf = new Configuration();
|
throws ServletException {
|
||||||
final Properties p = new Properties();
|
final Properties p = super.getConfiguration(CONF_PREFIX, config);
|
||||||
|
|
||||||
// set authentication type
|
// set authentication type
|
||||||
p.setProperty(AUTH_TYPE, UserGroupInformation.isSecurityEnabled()?
|
p.setProperty(AUTH_TYPE, UserGroupInformation.isSecurityEnabled()?
|
||||||
KerberosAuthenticationHandler.TYPE: PseudoAuthenticationHandler.TYPE);
|
KerberosAuthenticationHandler.TYPE: PseudoAuthenticationHandler.TYPE);
|
||||||
|
@ -56,15 +55,6 @@ public class AuthFilter extends AuthenticationFilter {
|
||||||
p.setProperty(PseudoAuthenticationHandler.ANONYMOUS_ALLOWED, "true");
|
p.setProperty(PseudoAuthenticationHandler.ANONYMOUS_ALLOWED, "true");
|
||||||
//set cookie path
|
//set cookie path
|
||||||
p.setProperty(COOKIE_PATH, "/");
|
p.setProperty(COOKIE_PATH, "/");
|
||||||
|
|
||||||
//set other configurations with CONF_PREFIX
|
|
||||||
for (Map.Entry<String, String> entry : conf) {
|
|
||||||
final String key = entry.getKey();
|
|
||||||
if (key.startsWith(CONF_PREFIX)) {
|
|
||||||
//remove prefix from the key and set property
|
|
||||||
p.setProperty(key.substring(CONF_PREFIX.length()), conf.get(key));
|
|
||||||
}
|
|
||||||
}
|
|
||||||
return p;
|
return p;
|
||||||
}
|
}
|
||||||
}
|
}
|
|
@ -20,6 +20,7 @@ package org.apache.hadoop.hdfs.web.resources;
|
||||||
import java.io.IOException;
|
import java.io.IOException;
|
||||||
import java.lang.reflect.Type;
|
import java.lang.reflect.Type;
|
||||||
|
|
||||||
|
import javax.servlet.ServletContext;
|
||||||
import javax.servlet.http.HttpServletRequest;
|
import javax.servlet.http.HttpServletRequest;
|
||||||
import javax.ws.rs.core.Context;
|
import javax.ws.rs.core.Context;
|
||||||
import javax.ws.rs.ext.Provider;
|
import javax.ws.rs.ext.Provider;
|
||||||
|
@ -42,11 +43,12 @@ public class UserProvider
|
||||||
extends AbstractHttpContextInjectable<UserGroupInformation>
|
extends AbstractHttpContextInjectable<UserGroupInformation>
|
||||||
implements InjectableProvider<Context, Type> {
|
implements InjectableProvider<Context, Type> {
|
||||||
@Context HttpServletRequest request;
|
@Context HttpServletRequest request;
|
||||||
|
@Context ServletContext servletcontext;
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
public UserGroupInformation getValue(final HttpContext context) {
|
public UserGroupInformation getValue(final HttpContext context) {
|
||||||
final Configuration conf = (Configuration)context.getProperties().get(
|
final Configuration conf = (Configuration) servletcontext
|
||||||
JspHelper.CURRENT_CONF);
|
.getAttribute(JspHelper.CURRENT_CONF);
|
||||||
try {
|
try {
|
||||||
return JspHelper.getUGI(null, request, conf,
|
return JspHelper.getUGI(null, request, conf,
|
||||||
AuthenticationMethod.KERBEROS, false);
|
AuthenticationMethod.KERBEROS, false);
|
||||||
|
|
|
@ -0,0 +1,78 @@
|
||||||
|
/**
|
||||||
|
* Licensed to the Apache Software Foundation (ASF) under one
|
||||||
|
* or more contributor license agreements. See the NOTICE file
|
||||||
|
* distributed with this work for additional information
|
||||||
|
* regarding copyright ownership. The ASF licenses this file
|
||||||
|
* to you under the Apache License, Version 2.0 (the
|
||||||
|
* "License"); you may not use this file except in compliance
|
||||||
|
* with the License. You may obtain a copy of the License at
|
||||||
|
*
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
* See the License for the specific language governing permissions and
|
||||||
|
* limitations under the License.
|
||||||
|
*/
|
||||||
|
package org.apache.hadoop.hdfs.web;
|
||||||
|
|
||||||
|
import java.util.Collections;
|
||||||
|
import java.util.Enumeration;
|
||||||
|
import java.util.HashMap;
|
||||||
|
import java.util.Map;
|
||||||
|
import java.util.Properties;
|
||||||
|
|
||||||
|
import javax.servlet.FilterConfig;
|
||||||
|
import javax.servlet.ServletContext;
|
||||||
|
import javax.servlet.ServletException;
|
||||||
|
|
||||||
|
import org.apache.hadoop.hdfs.DFSConfigKeys;
|
||||||
|
import org.apache.hadoop.security.authentication.server.PseudoAuthenticationHandler;
|
||||||
|
import org.junit.Assert;
|
||||||
|
import org.junit.Test;
|
||||||
|
|
||||||
|
public class TestAuthFilter {
|
||||||
|
|
||||||
|
private static class DummyFilterConfig implements FilterConfig {
|
||||||
|
final Map<String, String> map;
|
||||||
|
|
||||||
|
DummyFilterConfig(Map<String,String> map) {
|
||||||
|
this.map = map;
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public String getFilterName() {
|
||||||
|
return "dummy";
|
||||||
|
}
|
||||||
|
@Override
|
||||||
|
public String getInitParameter(String arg0) {
|
||||||
|
return map.get(arg0);
|
||||||
|
}
|
||||||
|
@Override
|
||||||
|
public Enumeration<String> getInitParameterNames() {
|
||||||
|
return Collections.enumeration(map.keySet());
|
||||||
|
}
|
||||||
|
@Override
|
||||||
|
public ServletContext getServletContext() {
|
||||||
|
return null;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
public void testGetConfiguration() throws ServletException {
|
||||||
|
AuthFilter filter = new AuthFilter();
|
||||||
|
Map<String, String> m = new HashMap<String,String>();
|
||||||
|
m.put(DFSConfigKeys.DFS_WEB_AUTHENTICATION_KERBEROS_PRINCIPAL_KEY,
|
||||||
|
"xyz/thehost@REALM");
|
||||||
|
m.put(DFSConfigKeys.DFS_WEB_AUTHENTICATION_KERBEROS_KEYTAB_KEY,
|
||||||
|
"thekeytab");
|
||||||
|
FilterConfig config = new DummyFilterConfig(m);
|
||||||
|
Properties p = filter.getConfiguration("random", config);
|
||||||
|
Assert.assertEquals("xyz/thehost@REALM",
|
||||||
|
p.getProperty("kerberos.principal"));
|
||||||
|
Assert.assertEquals("thekeytab", p.getProperty("kerberos.keytab"));
|
||||||
|
Assert.assertEquals("true",
|
||||||
|
p.getProperty(PseudoAuthenticationHandler.ANONYMOUS_ALLOWED));
|
||||||
|
}
|
||||||
|
}
|
Loading…
Reference in New Issue