From 825f9c80a4f2788040cc17455bea96ffaa08cb5a Mon Sep 17 00:00:00 2001 From: Jitendra Nath Pandey Date: Wed, 28 Sep 2011 05:29:09 +0000 Subject: [PATCH] HDFS-2361. hftp is broken, fixed username checks in JspHelper. git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1176729 13f79535-47bb-0310-9956-ffa450edef68 --- hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt | 2 ++ .../hadoop/hdfs/server/common/JspHelper.java | 20 +++++++++++++------ 2 files changed, 16 insertions(+), 6 deletions(-) diff --git a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt index f1bbd49ed17..c6a78355aa9 100644 --- a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt +++ b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt @@ -78,6 +78,8 @@ Trunk (unreleased changes) HDFS-2373. Commands using webhdfs and hftp print unnecessary debug info on the console with security enabled. (Arpit Gupta via suresh) + HDFS-2361. hftp is broken, fixed username checks in JspHelper. (jitendra) + Release 0.23.0 - Unreleased INCOMPATIBLE CHANGES diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/common/JspHelper.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/common/JspHelper.java index 82ec3bd7711..67f67c03958 100644 --- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/common/JspHelper.java +++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/common/JspHelper.java @@ -60,6 +60,7 @@ import org.apache.hadoop.http.HtmlQuoting; import org.apache.hadoop.io.Text; import org.apache.hadoop.net.NetUtils; import org.apache.hadoop.security.AccessControlException; +import org.apache.hadoop.security.authentication.util.KerberosName; import org.apache.hadoop.security.UserGroupInformation; import org.apache.hadoop.security.UserGroupInformation.AuthenticationMethod; import org.apache.hadoop.security.token.Token; @@ -552,7 +553,8 @@ public class JspHelper { DelegationTokenIdentifier id = new DelegationTokenIdentifier(); id.readFields(in); ugi = id.getUser(); - checkUsername(ugi.getUserName(), user); + checkUsername(ugi.getShortUserName(), usernameFromQuery); + checkUsername(ugi.getShortUserName(), user); ugi.addToken(token); ugi.setAuthenticationMethod(AuthenticationMethod.TOKEN); } else { @@ -561,13 +563,11 @@ public class JspHelper { "authenticated by filter"); } ugi = UserGroupInformation.createRemoteUser(user); + checkUsername(ugi.getShortUserName(), usernameFromQuery); // This is not necessarily true, could have been auth'ed by user-facing // filter ugi.setAuthenticationMethod(secureAuthMethod); } - - checkUsername(user, usernameFromQuery); - } else { // Security's not on, pull from url ugi = usernameFromQuery == null? getDefaultWebUser(conf) // not specified in request @@ -580,10 +580,18 @@ public class JspHelper { return ugi; } + /** + * Expected user name should be a short name. + */ private static void checkUsername(final String expected, final String name ) throws IOException { - if (name != null && !name.equals(expected)) { - throw new IOException("Usernames not matched: name=" + name + if (name == null) { + return; + } + KerberosName u = new KerberosName(name); + String shortName = u.getShortName(); + if (!shortName.equals(expected)) { + throw new IOException("Usernames not matched: name=" + shortName + " != expected=" + expected); } }