HADOOP-17793. Better token validation (#3189)
Signed-off-by: Akira Ajisaka <aajisaka@apache.org>
(cherry picked from commit ba325a8ada)
Conflicts:
hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/Token.java
hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/security/token/block/BlockTokenSecretManager.java
parent
cef04b40b6
commit
9241470dfd
|
@ -31,7 +31,7 @@ import org.slf4j.Logger;
|
|||
import org.slf4j.LoggerFactory;
|
||||
|
||||
import java.io.*;
|
||||
import java.util.Arrays;
|
||||
import java.security.MessageDigest;
|
||||
import java.util.Map;
|
||||
import java.util.ServiceLoader;
|
||||
import java.util.UUID;
|
||||
|
@ -368,8 +368,8 @@ public class Token<T extends TokenIdentifier> implements Writable {
|
|||
return false;
|
||||
} else {
|
||||
Token<T> r = (Token<T>) right;
|
||||
return Arrays.equals(identifier, r.identifier) &&
|
||||
Arrays.equals(password, r.password) &&
|
||||
return MessageDigest.isEqual(identifier, r.identifier) &&
|
||||
MessageDigest.isEqual(password, r.password) &&
|
||||
kind.equals(r.kind) &&
|
||||
service.equals(r.service);
|
||||
}
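Review bot: The new `MessageDigest.isEqual` calls in `Token.equals` carry no comment saying why they replace `Arrays.equals`, so a later cleanup could revert them as a needless change. I would add `// Constant-time comparison of token bytes; do not replace with Arrays.equals.` above the `return`, and the same one-line comment at the `MessageDigest.isEqual` calls in `BlockTokenSecretManager` and `ContainerManagerImpl`. The `&&` chain still short-circuits, so the password comparison is skipped whenever the identifiers differ; that looks acceptable only on the assumption that the identifier is not secret. The `equals` method starts outside the hunk.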
|
||||
|
|
|
@ -22,8 +22,8 @@ import com.google.common.base.Charsets;
|
|||
import java.io.ByteArrayInputStream;
|
||||
import java.io.DataInputStream;
|
||||
import java.io.IOException;
|
||||
import java.security.MessageDigest;
|
||||
import java.security.SecureRandom;
|
||||
import java.util.Arrays;
|
||||
import java.util.EnumSet;
|
||||
import java.util.HashMap;
|
||||
import java.util.Iterator;
|
||||
|
@ -326,8 +326,8 @@ public class BlockTokenSecretManager extends
|
|||
+ ", block=" + block + ", access mode=" + mode);
|
||||
}
|
||||
checkAccess(id, userId, block, mode);
|
||||
if (!Arrays.equals(retrievePassword(id), token.getPassword())) {
|
||||
throw new InvalidToken("Block token with " + id.toString()
|
||||
if (!MessageDigest.isEqual(retrievePassword(id), token.getPassword())) {
|
||||
throw new InvalidToken("Block token with " + id
|
||||
+ " doesn't have the correct token password");
|
||||
}
|
||||
}
|
||||
|
|
|
@ -170,8 +170,8 @@ import java.io.IOException;
|
|||
import java.net.InetSocketAddress;
|
||||
import java.net.URISyntaxException;
|
||||
import java.nio.ByteBuffer;
|
||||
import java.security.MessageDigest;
|
||||
import java.util.ArrayList;
|
||||
import java.util.Arrays;
|
||||
import java.util.Collection;
|
||||
import java.util.EnumSet;
|
||||
import java.util.HashMap;
|
||||
|
@ -1196,7 +1196,7 @@ public class ContainerManagerImpl extends CompositeService implements
|
|||
containerTokenIdentifier);
|
||||
byte[] tokenPass = token.getPassword().array();
|
||||
if (password == null || tokenPass == null
|
||||
|| !Arrays.equals(password, tokenPass)) {
|
||||
|| !MessageDigest.isEqual(password, tokenPass)) {
|
||||
throw new InvalidToken(
|
||||
"Invalid container token used for starting container on : "
|
||||
+ context.getNodeId().toString());
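Review bot: The `tokenPass == null` test in this condition cannot fire, because `ByteBuffer.array()` on the line above either returns the backing array or throws, and a null `token.getPassword()` would raise a NullPointerException before the check is reached. `array()` also returns the whole backing array regardless of the buffer's position, limit and array offset, so if the password buffer is ever a slice or partly consumed, the comparison covers the wrong bytes. I would null-check the buffer first and copy exactly the remaining bytes, e.g. `ByteBuffer pw = token.getPassword();` followed by `byte[] tokenPass = new byte[pw.remaining()]; pw.duplicate().get(tokenPass);`. Whether `getPassword()` can return null or a sliced buffer here is not visible in the hunk, and the enclosing method starts and ends outside it.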
|
||||
|
|