svn merge -c 1176729 from trunk for HDFS-2361.

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/branches/branch-0.23@1189440 13f79535-47bb-0310-9956-ffa450edef68
Tsz-wo Sze 2011-10-26 20:43:06 +00:00
parent d374650dac
commit a86d4addb4
2 changed files with 16 additions and 6 deletions


@ -1082,6 +1082,8 @@ Release 0.23.0 - Unreleased
HDFS-2366. Initialize WebHdfsFileSystem.ugi in object construction. HDFS-2366. Initialize WebHdfsFileSystem.ugi in object construction.
(szetszwo) (szetszwo)
HDFS-2361. hftp is broken, fixed username checks in JspHelper. (jitendra)
BREAKDOWN OF HDFS-1073 SUBTASKS BREAKDOWN OF HDFS-1073 SUBTASKS
HDFS-1521. Persist transaction ID on disk between NN restarts. HDFS-1521. Persist transaction ID on disk between NN restarts.


@ -60,6 +60,7 @@ import org.apache.hadoop.http.HtmlQuoting;
import org.apache.hadoop.io.Text; import org.apache.hadoop.io.Text;
import org.apache.hadoop.net.NetUtils; import org.apache.hadoop.net.NetUtils;
import org.apache.hadoop.security.AccessControlException; import org.apache.hadoop.security.AccessControlException;
import org.apache.hadoop.security.authentication.util.KerberosName;
import org.apache.hadoop.security.UserGroupInformation; import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.UserGroupInformation.AuthenticationMethod; import org.apache.hadoop.security.UserGroupInformation.AuthenticationMethod;
import org.apache.hadoop.security.token.Token; import org.apache.hadoop.security.token.Token;
@ -552,7 +553,8 @@ public class JspHelper {
DelegationTokenIdentifier id = new DelegationTokenIdentifier(); DelegationTokenIdentifier id = new DelegationTokenIdentifier();
id.readFields(in); id.readFields(in);
ugi = id.getUser(); ugi = id.getUser();
checkUsername(ugi.getUserName(), user); checkUsername(ugi.getShortUserName(), usernameFromQuery);
checkUsername(ugi.getShortUserName(), user);
ugi.addToken(token); ugi.addToken(token);
ugi.setAuthenticationMethod(AuthenticationMethod.TOKEN); ugi.setAuthenticationMethod(AuthenticationMethod.TOKEN);
} else { } else {
@ -561,13 +563,11 @@ public class JspHelper {
"authenticated by filter"); "authenticated by filter");
} }
ugi = UserGroupInformation.createRemoteUser(user); ugi = UserGroupInformation.createRemoteUser(user);
checkUsername(ugi.getShortUserName(), usernameFromQuery);
// This is not necessarily true, could have been auth'ed by user-facing // This is not necessarily true, could have been auth'ed by user-facing
// filter // filter
ugi.setAuthenticationMethod(secureAuthMethod); ugi.setAuthenticationMethod(secureAuthMethod);
} }
checkUsername(user, usernameFromQuery);
} else { // Security's not on, pull from url } else { // Security's not on, pull from url
ugi = usernameFromQuery == null? ugi = usernameFromQuery == null?
getDefaultWebUser(conf) // not specified in request getDefaultWebUser(conf) // not specified in request
@ -580,10 +580,18 @@ public class JspHelper {
return ugi; return ugi;
} }
/**
* Expected user name should be a short name.
*/
private static void checkUsername(final String expected, final String name private static void checkUsername(final String expected, final String name
) throws IOException { ) throws IOException {
if (name != null && !name.equals(expected)) { if (name == null) {
throw new IOException("Usernames not matched: name=" + name return;
}
KerberosName u = new KerberosName(name);
String shortName = u.getShortName();
if (!shortName.equals(expected)) {
throw new IOException("Usernames not matched: name=" + shortName
+ " != expected=" + expected); + " != expected=" + expected);
} }
} }
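Review bot: In the new `checkUsername`, `name` can be the request's `usernameFromQuery`, and it is passed straight to `new KerberosName(name)`; as far as I know that constructor rejects a malformed principal with an unchecked `IllegalArgumentException`, which bypasses the method's declared `IOException`, so a bad query value may surface as a server error rather than a username mismatch. Consider converting it: `try { shortName = new KerberosName(name).getShortName(); } catch (IllegalArgumentException e) { throw new IOException("Malformed user name", e); }`. The Javadoc should also state that a null `name` skips the check, and that `name` is reduced to its short name before the comparison, so the realm is not compared and which principals count as the same user depends on the configured name-mapping rules. The mismatch message now prints only the derived short name, so the principal actually supplied no longer appears in it. `checkUsername` is fully visible here, but its callers sit in a method that starts outside the visible hunks, so how `user` and `usernameFromQuery` are obtained could not be checked.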