Merge -r 1294756:1294757 from trunk to branch. FIXES: HADOOP-8098

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/branches/branch-0.23@1294775 13f79535-47bb-0310-9956-ffa450edef68
This commit is contained in:
Alejandro Abdelnur 2012-02-28 18:47:03 +00:00
parent ee11677f8a
commit 7e77bd806a
6 changed files with 33 additions and 5 deletions

View File

@ -56,6 +56,10 @@ Release 0.23.3 - UNRELEASED
HADOOP-7621. alfredo config should be in a file not readable by users HADOOP-7621. alfredo config should be in a file not readable by users
(Alejandro Abdelnur via atm) (Alejandro Abdelnur via atm)
HADOOP-8098. KerberosAuthenticatorHandler should use _HOST replacement to
resolve principal name (tucu)
>>>>>>> .merge-right.r1294757
OPTIMIZATIONS OPTIMIZATIONS
BUG FIXES BUG FIXES

View File

@ -111,7 +111,8 @@
<p><code>hadoop.http.authentication.kerberos.principal</code>: Indicates the Kerberos <p><code>hadoop.http.authentication.kerberos.principal</code>: Indicates the Kerberos
principal to be used for HTTP endpoint when using 'kerberos' authentication. principal to be used for HTTP endpoint when using 'kerberos' authentication.
The principal short name must be <code>HTTP</code> per Kerberos HTTP SPENGO specification. The principal short name must be <code>HTTP</code> per Kerberos HTTP SPENGO specification.
The default value is <code>HTTP/localhost@$LOCALHOST</code>. The default value is <code>HTTP/_HOST@$LOCALHOST</code>, where <code>_HOST</code> -if present-
is replaced with bind address of the HTTP server.
</p> </p>
<p><code>hadoop.http.authentication.kerberos.keytab</code>: Location of the keytab file <p><code>hadoop.http.authentication.kerberos.keytab</code>: Location of the keytab file

View File

@ -99,6 +99,8 @@ public class HttpServer implements FilterContainer {
public static final String CONF_CONTEXT_ATTRIBUTE = "hadoop.conf"; public static final String CONF_CONTEXT_ATTRIBUTE = "hadoop.conf";
static final String ADMINS_ACL = "admins.acl"; static final String ADMINS_ACL = "admins.acl";
public static final String BIND_ADDRESS = "bind.address";
private AccessControlList adminsAcl; private AccessControlList adminsAcl;
protected final Server webServer; protected final Server webServer;
@ -242,6 +244,8 @@ public class HttpServer implements FilterContainer {
addGlobalFilter("safety", QuotingInputFilter.class.getName(), null); addGlobalFilter("safety", QuotingInputFilter.class.getName(), null);
final FilterInitializer[] initializers = getFilterInitializers(conf); final FilterInitializer[] initializers = getFilterInitializers(conf);
if (initializers != null) { if (initializers != null) {
conf = new Configuration(conf);
conf.set(BIND_ADDRESS, bindAddress);
for(FilterInitializer c : initializers) { for(FilterInitializer c : initializers) {
c.initFilter(this, conf); c.initFilter(this, conf);
} }

View File

@ -17,10 +17,12 @@
*/ */
package org.apache.hadoop.security; package org.apache.hadoop.security;
import org.apache.hadoop.http.HttpServer;
import org.apache.hadoop.security.authentication.server.AuthenticationFilter; import org.apache.hadoop.security.authentication.server.AuthenticationFilter;
import org.apache.hadoop.conf.Configuration; import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.http.FilterContainer; import org.apache.hadoop.http.FilterContainer;
import org.apache.hadoop.http.FilterInitializer; import org.apache.hadoop.http.FilterInitializer;
import org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler;
import java.io.FileReader; import java.io.FileReader;
import java.io.IOException; import java.io.IOException;
@ -91,6 +93,19 @@ public class AuthenticationFilterInitializer extends FilterInitializer {
throw new RuntimeException("Could not read HTTP signature secret file: " + signatureSecretFile); throw new RuntimeException("Could not read HTTP signature secret file: " + signatureSecretFile);
} }
//Resolve _HOST into bind address
String bindAddress = conf.get(HttpServer.BIND_ADDRESS);
String principal = filterConfig.get(KerberosAuthenticationHandler.PRINCIPAL);
if (principal != null) {
try {
principal = SecurityUtil.getServerPrincipal(principal, bindAddress);
}
catch (IOException ex) {
throw new RuntimeException("Could not resolve Kerberos principal name: " + ex.toString(), ex);
}
filterConfig.put(KerberosAuthenticationHandler.PRINCIPAL, principal);
}
container.addFilter("authentication", container.addFilter("authentication",
AuthenticationFilter.class.getName(), AuthenticationFilter.class.getName(),
filterConfig); filterConfig);

View File

@ -833,7 +833,7 @@
<property> <property>
<name>hadoop.http.authentication.kerberos.principal</name> <name>hadoop.http.authentication.kerberos.principal</name>
<value>HTTP/localhost@LOCALHOST</value> <value>HTTP/_HOST@LOCALHOST</value>
<description> <description>
Indicates the Kerberos principal to be used for HTTP endpoint. Indicates the Kerberos principal to be used for HTTP endpoint.
The principal MUST start with 'HTTP/' as per Kerberos HTTP SPNEGO specification. The principal MUST start with 'HTTP/' as per Kerberos HTTP SPNEGO specification.

View File

@ -18,9 +18,11 @@ package org.apache.hadoop.security;
import junit.framework.TestCase; import junit.framework.TestCase;
import org.apache.hadoop.http.HttpServer;
import org.apache.hadoop.security.authentication.server.AuthenticationFilter; import org.apache.hadoop.security.authentication.server.AuthenticationFilter;
import org.apache.hadoop.conf.Configuration; import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.http.FilterContainer; import org.apache.hadoop.http.FilterContainer;
import org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler;
import org.mockito.Mockito; import org.mockito.Mockito;
import org.mockito.invocation.InvocationOnMock; import org.mockito.invocation.InvocationOnMock;
import org.mockito.stubbing.Answer; import org.mockito.stubbing.Answer;
@ -48,6 +50,8 @@ public class TestAuthenticationFilter extends TestCase {
AuthenticationFilterInitializer.SIGNATURE_SECRET_FILE, AuthenticationFilterInitializer.SIGNATURE_SECRET_FILE,
secretFile.getAbsolutePath()); secretFile.getAbsolutePath());
conf.set(HttpServer.BIND_ADDRESS, "barhost");
FilterContainer container = Mockito.mock(FilterContainer.class); FilterContainer container = Mockito.mock(FilterContainer.class);
Mockito.doAnswer( Mockito.doAnswer(
new Answer() { new Answer() {
@ -67,7 +71,7 @@ public class TestAuthenticationFilter extends TestCase {
assertEquals("hadoop", conf.get("signature.secret")); assertEquals("hadoop", conf.get("signature.secret"));
assertNull(conf.get("cookie.domain")); assertNull(conf.get("cookie.domain"));
assertEquals("true", conf.get("simple.anonymous.allowed")); assertEquals("true", conf.get("simple.anonymous.allowed"));
assertEquals("HTTP/localhost@LOCALHOST", assertEquals("HTTP/barhost@LOCALHOST",
conf.get("kerberos.principal")); conf.get("kerberos.principal"));
assertEquals(System.getProperty("user.home") + assertEquals(System.getProperty("user.home") +
"/hadoop.keytab", conf.get("kerberos.keytab")); "/hadoop.keytab", conf.get("kerberos.keytab"));