svn merge -c 1176729 from trunk for HDFS-2361.
git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/branches/branch-0.23@1189440 13f79535-47bb-0310-9956-ffa450edef68
This commit is contained in:
parent
d374650dac
commit
a86d4addb4
|
@ -1082,6 +1082,8 @@ Release 0.23.0 - Unreleased
|
||||||
HDFS-2366. Initialize WebHdfsFileSystem.ugi in object construction.
|
HDFS-2366. Initialize WebHdfsFileSystem.ugi in object construction.
|
||||||
(szetszwo)
|
(szetszwo)
|
||||||
|
|
||||||
|
HDFS-2361. hftp is broken, fixed username checks in JspHelper. (jitendra)
|
||||||
|
|
||||||
BREAKDOWN OF HDFS-1073 SUBTASKS
|
BREAKDOWN OF HDFS-1073 SUBTASKS
|
||||||
|
|
||||||
HDFS-1521. Persist transaction ID on disk between NN restarts.
|
HDFS-1521. Persist transaction ID on disk between NN restarts.
|
||||||
|
|
|
@ -60,6 +60,7 @@ import org.apache.hadoop.http.HtmlQuoting;
|
||||||
import org.apache.hadoop.io.Text;
|
import org.apache.hadoop.io.Text;
|
||||||
import org.apache.hadoop.net.NetUtils;
|
import org.apache.hadoop.net.NetUtils;
|
||||||
import org.apache.hadoop.security.AccessControlException;
|
import org.apache.hadoop.security.AccessControlException;
|
||||||
|
import org.apache.hadoop.security.authentication.util.KerberosName;
|
||||||
import org.apache.hadoop.security.UserGroupInformation;
|
import org.apache.hadoop.security.UserGroupInformation;
|
||||||
import org.apache.hadoop.security.UserGroupInformation.AuthenticationMethod;
|
import org.apache.hadoop.security.UserGroupInformation.AuthenticationMethod;
|
||||||
import org.apache.hadoop.security.token.Token;
|
import org.apache.hadoop.security.token.Token;
|
||||||
|
@ -552,7 +553,8 @@ public class JspHelper {
|
||||||
DelegationTokenIdentifier id = new DelegationTokenIdentifier();
|
DelegationTokenIdentifier id = new DelegationTokenIdentifier();
|
||||||
id.readFields(in);
|
id.readFields(in);
|
||||||
ugi = id.getUser();
|
ugi = id.getUser();
|
||||||
checkUsername(ugi.getUserName(), user);
|
checkUsername(ugi.getShortUserName(), usernameFromQuery);
|
||||||
|
checkUsername(ugi.getShortUserName(), user);
|
||||||
ugi.addToken(token);
|
ugi.addToken(token);
|
||||||
ugi.setAuthenticationMethod(AuthenticationMethod.TOKEN);
|
ugi.setAuthenticationMethod(AuthenticationMethod.TOKEN);
|
||||||
} else {
|
} else {
|
||||||
|
@ -561,13 +563,11 @@ public class JspHelper {
|
||||||
"authenticated by filter");
|
"authenticated by filter");
|
||||||
}
|
}
|
||||||
ugi = UserGroupInformation.createRemoteUser(user);
|
ugi = UserGroupInformation.createRemoteUser(user);
|
||||||
|
checkUsername(ugi.getShortUserName(), usernameFromQuery);
|
||||||
// This is not necessarily true, could have been auth'ed by user-facing
|
// This is not necessarily true, could have been auth'ed by user-facing
|
||||||
// filter
|
// filter
|
||||||
ugi.setAuthenticationMethod(secureAuthMethod);
|
ugi.setAuthenticationMethod(secureAuthMethod);
|
||||||
}
|
}
|
||||||
|
|
||||||
checkUsername(user, usernameFromQuery);
|
|
||||||
|
|
||||||
} else { // Security's not on, pull from url
|
} else { // Security's not on, pull from url
|
||||||
ugi = usernameFromQuery == null?
|
ugi = usernameFromQuery == null?
|
||||||
getDefaultWebUser(conf) // not specified in request
|
getDefaultWebUser(conf) // not specified in request
|
||||||
|
@ -580,10 +580,18 @@ public class JspHelper {
|
||||||
return ugi;
|
return ugi;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Expected user name should be a short name.
|
||||||
|
*/
|
||||||
private static void checkUsername(final String expected, final String name
|
private static void checkUsername(final String expected, final String name
|
||||||
) throws IOException {
|
) throws IOException {
|
||||||
if (name != null && !name.equals(expected)) {
|
if (name == null) {
|
||||||
throw new IOException("Usernames not matched: name=" + name
|
return;
|
||||||
|
}
|
||||||
|
KerberosName u = new KerberosName(name);
|
||||||
|
String shortName = u.getShortName();
|
||||||
|
if (!shortName.equals(expected)) {
|
||||||
|
throw new IOException("Usernames not matched: name=" + shortName
|
||||||
+ " != expected=" + expected);
|
+ " != expected=" + expected);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
Loading…
Reference in New Issue