HADOOP-10905. LdapGroupsMapping Should use configuration.getPassword for SSL and LDAP Passwords. Contributed by Larry McCay
git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1616054 13f79535-47bb-0310-9956-ffa450edef68
parent
4869fa2cfa
commit
a4f1292a53
|
@ -540,6 +540,9 @@ Release 2.6.0 - UNRELEASED
|
||||||
|
|
||||||
HADOOP-10759. Remove hardcoded JAVA_HEAP_MAX. (Sam Liu via Eric Yang)
|
HADOOP-10759. Remove hardcoded JAVA_HEAP_MAX. (Sam Liu via Eric Yang)
|
||||||
|
|
||||||
|
HADOOP-10905. LdapGroupsMapping Should use configuration.getPassword for SSL
|
||||||
|
and LDAP Passwords. (lmccay via brandonli)
|
||||||
|
|
||||||
Release 2.5.0 - UNRELEASED
|
Release 2.5.0 - UNRELEASED
|
||||||
|
|
||||||
INCOMPATIBLE CHANGES
|
INCOMPATIBLE CHANGES
|
||||||
|
|
|
@ -312,15 +312,15 @@ public class LdapGroupsMapping
|
||||||
useSsl = conf.getBoolean(LDAP_USE_SSL_KEY, LDAP_USE_SSL_DEFAULT);
|
useSsl = conf.getBoolean(LDAP_USE_SSL_KEY, LDAP_USE_SSL_DEFAULT);
|
||||||
keystore = conf.get(LDAP_KEYSTORE_KEY, LDAP_KEYSTORE_DEFAULT);
|
keystore = conf.get(LDAP_KEYSTORE_KEY, LDAP_KEYSTORE_DEFAULT);
|
||||||
|
|
||||||
keystorePass =
|
keystorePass = getPassword(conf, LDAP_KEYSTORE_PASSWORD_KEY,
|
||||||
conf.get(LDAP_KEYSTORE_PASSWORD_KEY, LDAP_KEYSTORE_PASSWORD_DEFAULT);
|
LDAP_KEYSTORE_PASSWORD_DEFAULT);
|
||||||
if (keystorePass.isEmpty()) {
|
if (keystorePass.isEmpty()) {
|
||||||
keystorePass = extractPassword(conf.get(LDAP_KEYSTORE_PASSWORD_FILE_KEY,
|
keystorePass = extractPassword(conf.get(LDAP_KEYSTORE_PASSWORD_FILE_KEY,
|
||||||
LDAP_KEYSTORE_PASSWORD_FILE_DEFAULT));
|
LDAP_KEYSTORE_PASSWORD_FILE_DEFAULT));
|
||||||
}
|
}
|
||||||
|
|
||||||
bindUser = conf.get(BIND_USER_KEY, BIND_USER_DEFAULT);
|
bindUser = conf.get(BIND_USER_KEY, BIND_USER_DEFAULT);
|
||||||
bindPassword = conf.get(BIND_PASSWORD_KEY, BIND_PASSWORD_DEFAULT);
|
bindPassword = getPassword(conf, BIND_PASSWORD_KEY, BIND_PASSWORD_DEFAULT);
|
||||||
if (bindPassword.isEmpty()) {
|
if (bindPassword.isEmpty()) {
|
||||||
bindPassword = extractPassword(
|
bindPassword = extractPassword(
|
||||||
conf.get(BIND_PASSWORD_FILE_KEY, BIND_PASSWORD_FILE_DEFAULT));
|
conf.get(BIND_PASSWORD_FILE_KEY, BIND_PASSWORD_FILE_DEFAULT));
|
||||||
|
@ -341,7 +341,25 @@ public class LdapGroupsMapping
|
||||||
|
|
||||||
this.conf = conf;
|
this.conf = conf;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
String getPassword(Configuration conf, String alias, String defaultPass) {
|
||||||
|
String password = null;
|
||||||
|
try {
|
||||||
|
char[] passchars = conf.getPassword(alias);
|
||||||
|
if (passchars != null) {
|
||||||
|
password = new String(passchars);
|
||||||
|
}
|
||||||
|
else {
|
||||||
|
password = defaultPass;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
catch (IOException ioe) {
|
||||||
|
LOG.warn("Exception while trying to password for alias " + alias + ": "
|
||||||
|
+ ioe.getMessage());
|
||||||
|
}
|
||||||
|
return password;
|
||||||
|
}
|
||||||
|
|
||||||
String extractPassword(String pwFile) {
|
String extractPassword(String pwFile) {
|
||||||
if (pwFile.isEmpty()) {
|
if (pwFile.isEmpty()) {
|
||||||
// If there is no password file defined, we'll assume that we should do
|
// If there is no password file defined, we'll assume that we should do
|
||||||
|
|
|
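Review bot: `getPassword` returns null when `conf.getPassword(alias)` throws, because `password` is initialised to `null` and the `catch (IOException ioe)` branch only logs; the callers in the earlier hunk (`@ -312,15`) then call `keystorePass.isEmpty()` and `bindPassword.isEmpty()`, a path the old `conf.get(key, default)` never exposed to a null. Initialising with `String password = defaultPass;` (which makes the `else` branch redundant) keeps the existing fall-through to the password-file lookup whenever the credential lookup fails. The log line also reads `Exception while trying to password for alias` and discards the cause; `LOG.warn("Exception while trying to get password for alias " + alias, ioe);` is preferable. Converting the returned `char[]` to a `String` means the secret can no longer be zeroed after use, so a short comment stating that the callers and the `extractPassword` fallback work on `String` would make clear the conversion is deliberate.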
@ -17,6 +17,8 @@
|
||||||
*/
|
*/
|
||||||
package org.apache.hadoop.security;
|
package org.apache.hadoop.security;
|
||||||
|
|
||||||
|
import static org.junit.Assert.assertArrayEquals;
|
||||||
|
import static org.junit.Assert.assertEquals;
|
||||||
import static org.mockito.Mockito.*;
|
import static org.mockito.Mockito.*;
|
||||||
|
|
||||||
import java.io.File;
|
import java.io.File;
|
||||||
|
@ -38,6 +40,9 @@ import javax.naming.directory.SearchControls;
|
||||||
import javax.naming.directory.SearchResult;
|
import javax.naming.directory.SearchResult;
|
||||||
|
|
||||||
import org.apache.hadoop.conf.Configuration;
|
import org.apache.hadoop.conf.Configuration;
|
||||||
|
import org.apache.hadoop.security.alias.CredentialProvider;
|
||||||
|
import org.apache.hadoop.security.alias.CredentialProviderFactory;
|
||||||
|
import org.apache.hadoop.security.alias.JavaKeyStoreProvider;
|
||||||
import org.junit.Assert;
|
import org.junit.Assert;
|
||||||
import org.junit.Before;
|
import org.junit.Before;
|
||||||
import org.junit.Test;
|
import org.junit.Test;
|
||||||
|
@ -154,4 +159,57 @@ public class TestLdapGroupsMapping {
|
||||||
Assert.assertEquals("hadoop",
|
Assert.assertEquals("hadoop",
|
||||||
mapping.extractPassword(secretFile.getPath()));
|
mapping.extractPassword(secretFile.getPath()));
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
public void testConfGetPassword() throws Exception {
|
||||||
|
File testDir = new File(System.getProperty("test.build.data",
|
||||||
|
"target/test-dir"));
|
||||||
|
Configuration conf = new Configuration();
|
||||||
|
final String ourUrl =
|
||||||
|
JavaKeyStoreProvider.SCHEME_NAME + "://file/" + testDir + "/test.jks";
|
||||||
|
|
||||||
|
File file = new File(testDir, "test.jks");
|
||||||
|
file.delete();
|
||||||
|
conf.set(CredentialProviderFactory.CREDENTIAL_PROVIDER_PATH, ourUrl);
|
||||||
|
|
||||||
|
CredentialProvider provider =
|
||||||
|
CredentialProviderFactory.getProviders(conf).get(0);
|
||||||
|
char[] bindpass = {'b', 'i', 'n', 'd', 'p', 'a', 's', 's'};
|
||||||
|
char[] storepass = {'s', 't', 'o', 'r', 'e', 'p', 'a', 's', 's'};
|
||||||
|
|
||||||
|
// ensure that we get nulls when the key isn't there
|
||||||
|
assertEquals(null, provider.getCredentialEntry(
|
||||||
|
LdapGroupsMapping.BIND_PASSWORD_KEY));
|
||||||
|
assertEquals(null, provider.getCredentialEntry
|
||||||
|
(LdapGroupsMapping.LDAP_KEYSTORE_PASSWORD_KEY));
|
||||||
|
|
||||||
|
// create new aliases
|
||||||
|
try {
|
||||||
|
provider.createCredentialEntry(
|
||||||
|
LdapGroupsMapping.BIND_PASSWORD_KEY, bindpass);
|
||||||
|
|
||||||
|
provider.createCredentialEntry(
|
||||||
|
LdapGroupsMapping.LDAP_KEYSTORE_PASSWORD_KEY, storepass);
|
||||||
|
provider.flush();
|
||||||
|
} catch (Exception e) {
|
||||||
|
e.printStackTrace();
|
||||||
|
throw e;
|
||||||
|
}
|
||||||
|
// make sure we get back the right key
|
||||||
|
assertArrayEquals(bindpass, provider.getCredentialEntry(
|
||||||
|
LdapGroupsMapping.BIND_PASSWORD_KEY).getCredential());
|
||||||
|
assertArrayEquals(storepass, provider.getCredentialEntry(
|
||||||
|
LdapGroupsMapping.LDAP_KEYSTORE_PASSWORD_KEY).getCredential());
|
||||||
|
|
||||||
|
LdapGroupsMapping mapping = new LdapGroupsMapping();
|
||||||
|
Assert.assertEquals("bindpass",
|
||||||
|
mapping.getPassword(conf, LdapGroupsMapping.BIND_PASSWORD_KEY, ""));
|
||||||
|
Assert.assertEquals("storepass",
|
||||||
|
mapping.getPassword(conf, LdapGroupsMapping.LDAP_KEYSTORE_PASSWORD_KEY,
|
||||||
|
""));
|
||||||
|
// let's make sure that a password that doesn't exist returns an
|
||||||
|
// empty string as currently expected and used to trigger a call to
|
||||||
|
// extract password
|
||||||
|
Assert.assertEquals("", mapping.getPassword(conf,"invalid-alias", ""));
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
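Review bot: `testConfGetPassword` mixes the newly imported static `assertEquals` (the two null checks on the provider) with the qualified `Assert.assertEquals` on `mapping.getPassword`, and the `catch (Exception e) { e.printStackTrace(); throw e; }` block around `createCredentialEntry` adds nothing JUnit would not report on its own. Using `assertNull(...)` for the null checks, one assertion style throughout, and letting the exception propagate would make the test read cleaner. The result of `file.delete()` is also ignored; if a stale `test.jks` from an earlier run survives, the `createCredentialEntry` calls presumably run against an existing store rather than a fresh one, so asserting the precondition right after the delete, `Assert.assertFalse(file.exists());`, would make that failure mode explicit.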