HADOOP-15922. Fixed doAsUser decoding for DelegationTokenAuthenticationFilter.

Contributed by He Xiaoqiao
This commit is contained in:
Eric Yang 2018-11-26 13:49:19 -05:00
parent b098281454
commit a9d96948ed
2 changed files with 71 additions and 1 deletions

View File

@ -51,6 +51,7 @@ import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.net.URLDecoder;
import java.nio.charset.Charset;
import java.security.Principal;
import java.util.Enumeration;
@ -230,7 +231,12 @@ public class DelegationTokenAuthenticationFilter
for (NameValuePair nv : list) {
if (DelegationTokenAuthenticatedURL.DO_AS.
equalsIgnoreCase(nv.getName())) {
return nv.getValue();
String doAsUser = nv.getValue();
try {
doAsUser = URLDecoder.decode(nv.getValue(), UTF8_CHARSET.name());
} finally {
return doAsUser;
}
}
}
}

View File

@ -2115,6 +2115,70 @@ public class TestKMS {
});
}
@Test
public void testGetDelegationTokenByProxyUser() throws Exception {
Configuration conf = new Configuration();
conf.set("hadoop.security.authentication", "kerberos");
UserGroupInformation.setConfiguration(conf);
final File testDir = getTestDir();
conf = createBaseKMSConf(testDir, conf);
conf.set("hadoop.kms.authentication.type", "kerberos");
conf.set("hadoop.kms.authentication.kerberos.keytab",
keytab.getAbsolutePath());
conf.set("hadoop.kms.authentication.kerberos.principal", "HTTP/localhost");
conf.set("hadoop.kms.authentication.kerberos.name.rules", "DEFAULT");
conf.set("hadoop.kms.proxyuser.client.users", "foo/localhost");
conf.set("hadoop.kms.proxyuser.client.hosts", "localhost");
conf.set(KeyAuthorizationKeyProvider.KEY_ACL + "kcc.ALL",
"foo/localhost");
writeConf(testDir, conf);
runServer(null, null, testDir, new KMSCallable<Void>() {
@Override
public Void call() throws Exception {
final Configuration conf = new Configuration();
final URI uri = createKMSUri(getKMSUrl());
// proxyuser client using kerberos credentials
UserGroupInformation proxyUgi = UserGroupInformation.
loginUserFromKeytabAndReturnUGI("client/host", keytab.getAbsolutePath());
UserGroupInformation foo = UserGroupInformation.createProxyUser(
"foo/localhost", proxyUgi);
final Credentials credentials = new Credentials();
foo.doAs(new PrivilegedExceptionAction<Void>() {
@Override
public Void run() throws Exception {
final KeyProvider kp = createProvider(uri, conf);
KeyProviderDelegationTokenExtension keyProviderDelegationTokenExtension
= KeyProviderDelegationTokenExtension
.createKeyProviderDelegationTokenExtension(kp);
keyProviderDelegationTokenExtension.addDelegationTokens("client",
credentials);
Assert.assertNotNull(kp.createKey("kcc",
new KeyProvider.Options(conf)));
return null;
}
});
// current user client using token credentials for proxy user
UserGroupInformation nonKerberosUgi
= UserGroupInformation.getCurrentUser();
nonKerberosUgi.addCredentials(credentials);
nonKerberosUgi.doAs(new PrivilegedExceptionAction<Void>() {
@Override
public Void run() throws Exception {
final KeyProvider kp = createProvider(uri, conf);
Assert.assertNotNull(kp.getMetadata("kcc"));
return null;
}
});
return null;
}
});
}
private Configuration setupConfForKerberos(File confDir) throws Exception {
final Configuration conf = createBaseKMSConf(confDir, null);
conf.set("hadoop.security.authentication", "kerberos");