Apache
/
hadoop
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

SPNEGO TLS verification 

Signed-off-by: Akira Ajisaka <aajisaka@apache.org>
This commit is contained in:
Eric Yang 2020-06-15 10:55:26 +09:00 committed by Akira Ajisaka
parent f41a144077
commit 81d8a887b0
No known key found for this signature in database
GPG Key ID: C1EDBB9CA400FD50
1 changed files with 8 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
hadoop-hdfs-project/hadoop-hdfs-client/src/main/java/org/apache/hadoop/hdfs/web/WebHdfsFileSystem.java
View File

@ -152,6 +152,7 @@ public class WebHdfsFileSystem extends FileSystem
+ "/v" + VERSION; + "/v" + VERSION;
public static final String EZ_HEADER = "X-Hadoop-Accept-EZ"; public static final String EZ_HEADER = "X-Hadoop-Accept-EZ";
public static final String FEFINFO_HEADER = "X-Hadoop-feInfo"; public static final String FEFINFO_HEADER = "X-Hadoop-feInfo";
public static final String DFS_HTTP_POLICY_KEY = "dfs.http.policy";
/** /**
* Default connection factory may be overridden in tests to use smaller * Default connection factory may be overridden in tests to use smaller
@ -181,6 +182,7 @@ public class WebHdfsFileSystem extends FileSystem
private DFSOpsCountStatistics storageStatistics; private DFSOpsCountStatistics storageStatistics;
private KeyProvider testProvider; private KeyProvider testProvider;
private boolean isTLSKrb;
/** /**
* Return the protocol scheme for the FileSystem. * Return the protocol scheme for the FileSystem.
@ -242,6 +244,7 @@ public class WebHdfsFileSystem extends FileSystem
.newDefaultURLConnectionFactory(connectTimeout, readTimeout, conf); .newDefaultURLConnectionFactory(connectTimeout, readTimeout, conf);
} }
this.isTLSKrb = "HTTPS_ONLY".equals(conf.get(DFS_HTTP_POLICY_KEY));
ugi = UserGroupInformation.getCurrentUser(); ugi = UserGroupInformation.getCurrentUser();
this.uri = URI.create(uri.getScheme() + "://" + uri.getAuthority()); this.uri = URI.create(uri.getScheme() + "://" + uri.getAuthority());
@ -699,6 +702,11 @@ public class WebHdfsFileSystem extends FileSystem
//redirect hostname and port //redirect hostname and port
redirectHost = null; redirectHost = null;
if (url.getProtocol().equals("http") &&
UserGroupInformation.isSecurityEnabled() &&
isTLSKrb) {
throw new IOException("Access denied: dfs.http.policy is HTTPS_ONLY.");
}
// resolve redirects for a DN operation unless already resolved // resolve redirects for a DN operation unless already resolved
if (op.getRedirect() && !redirected) { if (op.getRedirect() && !redirected) {