diff --git a/hadoop-common-project/hadoop-common/CHANGES.txt b/hadoop-common-project/hadoop-common/CHANGES.txt index fc01792288e..69188dd0bf5 100644 --- a/hadoop-common-project/hadoop-common/CHANGES.txt +++ b/hadoop-common-project/hadoop-common/CHANGES.txt @@ -673,6 +673,9 @@ Release 0.23.3 - UNRELEASED HADOOP-8551. fs -mkdir creates parent directories without the -p option (John George via bobby) + HADOOP-8613. AbstractDelegationTokenIdentifier#getUser() should set token + auth type. (daryn) + Release 0.23.2 - UNRELEASED NEW FEATURES diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/AbstractDelegationTokenIdentifier.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/AbstractDelegationTokenIdentifier.java index 8c3c1b2d35f..b3e367bdf25 100644 --- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/AbstractDelegationTokenIdentifier.java +++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/AbstractDelegationTokenIdentifier.java @@ -29,6 +29,7 @@ import org.apache.hadoop.io.Text; import org.apache.hadoop.io.WritableUtils; import org.apache.hadoop.security.HadoopKerberosName; import org.apache.hadoop.security.UserGroupInformation; +import org.apache.hadoop.security.UserGroupInformation.AuthenticationMethod; import org.apache.hadoop.security.token.TokenIdentifier; import com.google.common.annotations.VisibleForTesting; @@ -88,14 +89,17 @@ extends TokenIdentifier { if ( (owner == null) || ("".equals(owner.toString()))) { return null; } + final UserGroupInformation realUgi; + final UserGroupInformation ugi; if ((realUser == null) || ("".equals(realUser.toString())) || realUser.equals(owner)) { - return UserGroupInformation.createRemoteUser(owner.toString()); + ugi = realUgi = UserGroupInformation.createRemoteUser(owner.toString()); } else { - UserGroupInformation realUgi = UserGroupInformation - .createRemoteUser(realUser.toString()); - return UserGroupInformation.createProxyUser(owner.toString(), realUgi); + realUgi = UserGroupInformation.createRemoteUser(realUser.toString()); + ugi = UserGroupInformation.createProxyUser(owner.toString(), realUgi); } + realUgi.setAuthenticationMethod(AuthenticationMethod.TOKEN); + return ugi; } public Text getOwner() { diff --git a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/token/delegation/TestDelegationToken.java b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/token/delegation/TestDelegationToken.java index ed07c972b56..c1dd00a4d7d 100644 --- a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/token/delegation/TestDelegationToken.java +++ b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/token/delegation/TestDelegationToken.java @@ -40,6 +40,8 @@ import org.apache.hadoop.io.DataOutputBuffer; import org.apache.hadoop.io.Text; import org.apache.hadoop.io.Writable; import org.apache.hadoop.security.AccessControlException; +import org.apache.hadoop.security.UserGroupInformation; +import org.apache.hadoop.security.UserGroupInformation.AuthenticationMethod; import org.apache.hadoop.security.token.SecretManager; import org.apache.hadoop.security.token.Token; import org.apache.hadoop.security.token.SecretManager.InvalidToken; @@ -171,6 +173,52 @@ public class TestDelegationToken { } } + @Test + public void testGetUserNullOwner() { + TestDelegationTokenIdentifier ident = + new TestDelegationTokenIdentifier(null, null, null); + UserGroupInformation ugi = ident.getUser(); + assertNull(ugi); + } + + @Test + public void testGetUserWithOwner() { + TestDelegationTokenIdentifier ident = + new TestDelegationTokenIdentifier(new Text("owner"), null, null); + UserGroupInformation ugi = ident.getUser(); + assertNull(ugi.getRealUser()); + assertEquals("owner", ugi.getUserName()); + assertEquals(AuthenticationMethod.TOKEN, ugi.getAuthenticationMethod()); + } + + @Test + public void testGetUserWithOwnerEqualsReal() { + Text owner = new Text("owner"); + TestDelegationTokenIdentifier ident = + new TestDelegationTokenIdentifier(owner, null, owner); + UserGroupInformation ugi = ident.getUser(); + assertNull(ugi.getRealUser()); + assertEquals("owner", ugi.getUserName()); + assertEquals(AuthenticationMethod.TOKEN, ugi.getAuthenticationMethod()); + } + + @Test + public void testGetUserWithOwnerAndReal() { + Text owner = new Text("owner"); + Text realUser = new Text("realUser"); + TestDelegationTokenIdentifier ident = + new TestDelegationTokenIdentifier(owner, null, realUser); + UserGroupInformation ugi = ident.getUser(); + assertNotNull(ugi.getRealUser()); + assertNull(ugi.getRealUser().getRealUser()); + assertEquals("owner", ugi.getUserName()); + assertEquals("realUser", ugi.getRealUser().getUserName()); + assertEquals(AuthenticationMethod.PROXY, + ugi.getAuthenticationMethod()); + assertEquals(AuthenticationMethod.TOKEN, + ugi.getRealUser().getAuthenticationMethod()); + } + @Test public void testDelegationTokenSecretManager() throws Exception { final TestDelegationTokenSecretManager dtSecretManager = diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/common/JspHelper.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/common/JspHelper.java index f8bfee73a7e..d153a8f48c9 100644 --- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/common/JspHelper.java +++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/common/JspHelper.java @@ -578,7 +578,6 @@ public class JspHelper { ProxyUsers.authorize(ugi, request.getRemoteAddr(), conf); } ugi.addToken(token); - ugi.setAuthenticationMethod(AuthenticationMethod.TOKEN); } else { if(remoteUser == null) { throw new IOException("Security enabled but user not " +