HDFS-2361. hftp is broken, fixed username checks in JspHelper.

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1176729 13f79535-47bb-0310-9956-ffa450edef68
2011-09-28 05:29:09 +00:00 · 2011-09-28 05:29:09 +00:00 · 825f9c80a4
parent 59265d6ed8
commit 825f9c80a4
2 changed files with 16 additions and 6 deletions
--- a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
+++ b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
@ -78,6 +78,8 @@ Trunk (unreleased changes)
    HDFS-2373. Commands using webhdfs and hftp print unnecessary debug 
    info on the console with security enabled. (Arpit Gupta via suresh)

+    HDFS-2361. hftp is broken, fixed username checks in JspHelper. (jitendra)
+
 Release 0.23.0 - Unreleased

  INCOMPATIBLE CHANGES
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/common/JspHelper.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/common/JspHelper.java
@ -60,6 +60,7 @@ import org.apache.hadoop.http.HtmlQuoting;
 import org.apache.hadoop.io.Text;
 import org.apache.hadoop.net.NetUtils;
 import org.apache.hadoop.security.AccessControlException;
+import org.apache.hadoop.security.authentication.util.KerberosName;
 import org.apache.hadoop.security.UserGroupInformation;
 import org.apache.hadoop.security.UserGroupInformation.AuthenticationMethod;
 import org.apache.hadoop.security.token.Token;
@ -552,7 +553,8 @@ public class JspHelper {
        DelegationTokenIdentifier id = new DelegationTokenIdentifier();
        id.readFields(in);
        ugi = id.getUser();
-        checkUsername(ugi.getUserName(), user);
+        checkUsername(ugi.getShortUserName(), usernameFromQuery);
+        checkUsername(ugi.getShortUserName(), user);
        ugi.addToken(token);
        ugi.setAuthenticationMethod(AuthenticationMethod.TOKEN);
      } else {
@ -561,13 +563,11 @@ public class JspHelper {
                                "authenticated by filter");
        }
        ugi = UserGroupInformation.createRemoteUser(user);
+        checkUsername(ugi.getShortUserName(), usernameFromQuery);
        // This is not necessarily true, could have been auth'ed by user-facing
        // filter
        ugi.setAuthenticationMethod(secureAuthMethod);
      }
-
-      checkUsername(user, usernameFromQuery);
-
    } else { // Security's not on, pull from url
      ugi = usernameFromQuery == null?
          getDefaultWebUser(conf) // not specified in request
@ -580,10 +580,18 @@ public class JspHelper {
    return ugi;
  }

+  /**
+   * Expected user name should be a short name.
+   */
  private static void checkUsername(final String expected, final String name
      ) throws IOException {
-    if (name != null && !name.equals(expected)) {
-      throw new IOException("Usernames not matched: name=" + name
+    if (name == null) {
+      return;
+    }
+    KerberosName u = new KerberosName(name);
+    String shortName = u.getShortName();
+    if (!shortName.equals(expected)) {
+      throw new IOException("Usernames not matched: name=" + shortName
          + " != expected=" + expected);
    }
  }