HADOOP-9010. Map UGI authenticationMethod to RPC authMethod (daryn via bobby)
git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1405910 13f79535-47bb-0310-9956-ffa450edef68
parent
8303175db8
commit
b1aa62a848
|
@ -336,6 +336,9 @@ Release 2.0.3-alpha - Unreleased
|
||||||
HADOOP-9009. Add SecurityUtil methods to get/set authentication method
|
HADOOP-9009. Add SecurityUtil methods to get/set authentication method
|
||||||
(daryn via bobby)
|
(daryn via bobby)
|
||||||
|
|
||||||
|
HADOOP-9010. Map UGI authenticationMethod to RPC authMethod (daryn via
|
||||||
|
bobby)
|
||||||
|
|
||||||
OPTIMIZATIONS
|
OPTIMIZATIONS
|
||||||
|
|
||||||
HADOOP-8866. SampleQuantiles#query is O(N^2) instead of O(N). (Andrew Wang
|
HADOOP-8866. SampleQuantiles#query is O(N^2) instead of O(N). (Andrew Wang
|
||||||
|
|
|
@ -69,6 +69,7 @@ import org.apache.hadoop.security.SaslRpcClient;
|
||||||
import org.apache.hadoop.security.SaslRpcServer.AuthMethod;
|
import org.apache.hadoop.security.SaslRpcServer.AuthMethod;
|
||||||
import org.apache.hadoop.security.SecurityUtil;
|
import org.apache.hadoop.security.SecurityUtil;
|
||||||
import org.apache.hadoop.security.UserGroupInformation;
|
import org.apache.hadoop.security.UserGroupInformation;
|
||||||
|
import org.apache.hadoop.security.UserGroupInformation.AuthenticationMethod;
|
||||||
import org.apache.hadoop.security.token.Token;
|
import org.apache.hadoop.security.token.Token;
|
||||||
import org.apache.hadoop.security.token.TokenIdentifier;
|
import org.apache.hadoop.security.token.TokenIdentifier;
|
||||||
import org.apache.hadoop.security.token.TokenInfo;
|
import org.apache.hadoop.security.token.TokenInfo;
|
||||||
|
@ -295,8 +296,9 @@ public class Client {
|
||||||
}
|
}
|
||||||
|
|
||||||
if (token != null) {
|
if (token != null) {
|
||||||
authMethod = AuthMethod.DIGEST;
|
authMethod = AuthenticationMethod.TOKEN.getAuthMethod();
|
||||||
} else if (UserGroupInformation.isSecurityEnabled()) {
|
} else if (UserGroupInformation.isSecurityEnabled()) {
|
||||||
|
// eventually just use the ticket's authMethod
|
||||||
authMethod = AuthMethod.KERBEROS;
|
authMethod = AuthMethod.KERBEROS;
|
||||||
} else {
|
} else {
|
||||||
authMethod = AuthMethod.SIMPLE;
|
authMethod = AuthMethod.SIMPLE;
|
||||||
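Review bot: The token branch now derives the RPC method from `AuthenticationMethod.TOKEN.getAuthMethod()` while the Kerberos branch two lines below still hard-codes `AuthMethod.KERBEROS`, so the mapping is consulted in one branch and bypassed in the next. Writing it as `authMethod = AuthenticationMethod.KERBEROS.getAuthMethod();` keeps the choice in one place, which is what the new `// eventually just use the ticket's authMethod` comment seems to be working toward. The enclosing method starts and ends outside the hunk.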
|
|
|
@ -1526,11 +1526,11 @@ public abstract class Server {
|
||||||
if (!useSasl) {
|
if (!useSasl) {
|
||||||
user = protocolUser;
|
user = protocolUser;
|
||||||
if (user != null) {
|
if (user != null) {
|
||||||
user.setAuthenticationMethod(AuthMethod.SIMPLE.authenticationMethod);
|
user.setAuthenticationMethod(AuthMethod.SIMPLE);
|
||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
// user is authenticated
|
// user is authenticated
|
||||||
user.setAuthenticationMethod(authMethod.authenticationMethod);
|
user.setAuthenticationMethod(authMethod);
|
||||||
//Now we check if this is a proxy user case. If the protocol user is
|
//Now we check if this is a proxy user case. If the protocol user is
|
||||||
//different from the 'user', it is a proxy user scenario. However,
|
//different from the 'user', it is a proxy user scenario. However,
|
||||||
//this is not allowed if user authenticated with DIGEST.
|
//this is not allowed if user authenticated with DIGEST.
|
||||||
|
|
|
@ -42,7 +42,6 @@ import org.apache.hadoop.classification.InterfaceAudience;
|
||||||
import org.apache.hadoop.classification.InterfaceStability;
|
import org.apache.hadoop.classification.InterfaceStability;
|
||||||
import org.apache.hadoop.conf.Configuration;
|
import org.apache.hadoop.conf.Configuration;
|
||||||
import org.apache.hadoop.ipc.Server;
|
import org.apache.hadoop.ipc.Server;
|
||||||
import org.apache.hadoop.security.UserGroupInformation.AuthenticationMethod;
|
|
||||||
import org.apache.hadoop.security.token.SecretManager;
|
import org.apache.hadoop.security.token.SecretManager;
|
||||||
import org.apache.hadoop.security.token.TokenIdentifier;
|
import org.apache.hadoop.security.token.TokenIdentifier;
|
||||||
import org.apache.hadoop.security.token.SecretManager.InvalidToken;
|
import org.apache.hadoop.security.token.SecretManager.InvalidToken;
|
||||||
|
@ -137,20 +136,17 @@ public class SaslRpcServer {
|
||||||
/** Authentication method */
|
/** Authentication method */
|
||||||
@InterfaceStability.Evolving
|
@InterfaceStability.Evolving
|
||||||
public static enum AuthMethod {
|
public static enum AuthMethod {
|
||||||
SIMPLE((byte) 80, "", AuthenticationMethod.SIMPLE),
|
SIMPLE((byte) 80, ""),
|
||||||
KERBEROS((byte) 81, "GSSAPI", AuthenticationMethod.KERBEROS),
|
KERBEROS((byte) 81, "GSSAPI"),
|
||||||
DIGEST((byte) 82, "DIGEST-MD5", AuthenticationMethod.TOKEN);
|
DIGEST((byte) 82, "DIGEST-MD5");
|
||||||
|
|
||||||
/** The code for this method. */
|
/** The code for this method. */
|
||||||
public final byte code;
|
public final byte code;
|
||||||
public final String mechanismName;
|
public final String mechanismName;
|
||||||
public final AuthenticationMethod authenticationMethod;
|
|
||||||
|
|
||||||
private AuthMethod(byte code, String mechanismName,
|
private AuthMethod(byte code, String mechanismName) {
|
||||||
AuthenticationMethod authMethod) {
|
|
||||||
this.code = code;
|
this.code = code;
|
||||||
this.mechanismName = mechanismName;
|
this.mechanismName = mechanismName;
|
||||||
this.authenticationMethod = authMethod;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
private static final int FIRST_CODE = values()[0].code;
|
private static final int FIRST_CODE = values()[0].code;
|
||||||
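Review bot: With the `authenticationMethod` field gone, nothing in this enum tells a reader where the RPC-method-to-UGI mapping now lives, and the `/** Authentication method */` Javadoc does not say either. A one-line addition such as `/** RPC authentication method; mapped to a UGI {@code AuthenticationMethod} via {@code AuthenticationMethod.valueOf(AuthMethod)}. */` would replace the lost context. Removing a public field from an `@InterfaceStability.Evolving` enum is source-incompatible for any external caller that read it, which is presumably accepted for an Evolving API but worth stating in the commit message.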
|
|
|
@ -59,6 +59,7 @@ import org.apache.hadoop.metrics2.annotation.Metric;
|
||||||
import org.apache.hadoop.metrics2.annotation.Metrics;
|
import org.apache.hadoop.metrics2.annotation.Metrics;
|
||||||
import org.apache.hadoop.metrics2.lib.DefaultMetricsSystem;
|
import org.apache.hadoop.metrics2.lib.DefaultMetricsSystem;
|
||||||
import org.apache.hadoop.metrics2.lib.MutableRate;
|
import org.apache.hadoop.metrics2.lib.MutableRate;
|
||||||
|
import org.apache.hadoop.security.SaslRpcServer.AuthMethod;
|
||||||
import org.apache.hadoop.security.authentication.util.KerberosName;
|
import org.apache.hadoop.security.authentication.util.KerberosName;
|
||||||
import org.apache.hadoop.security.authentication.util.KerberosUtil;
|
import org.apache.hadoop.security.authentication.util.KerberosUtil;
|
||||||
import org.apache.hadoop.security.token.Token;
|
import org.apache.hadoop.security.token.Token;
|
||||||
|
@ -1019,13 +1020,34 @@ public class UserGroupInformation {
|
||||||
@InterfaceAudience.Public
|
@InterfaceAudience.Public
|
||||||
@InterfaceStability.Evolving
|
@InterfaceStability.Evolving
|
||||||
public static enum AuthenticationMethod {
|
public static enum AuthenticationMethod {
|
||||||
SIMPLE,
|
// currently we support only one auth per method, but eventually a
|
||||||
KERBEROS,
|
// subtype is needed to differentiate, ex. if digest is token or ldap
|
||||||
TOKEN,
|
SIMPLE(AuthMethod.SIMPLE),
|
||||||
CERTIFICATE,
|
KERBEROS(AuthMethod.KERBEROS),
|
||||||
KERBEROS_SSL,
|
TOKEN(AuthMethod.DIGEST),
|
||||||
PROXY;
|
CERTIFICATE(null),
|
||||||
}
|
KERBEROS_SSL(null),
|
||||||
|
PROXY(null);
|
||||||
|
|
||||||
|
private final AuthMethod authMethod;
|
||||||
|
private AuthenticationMethod(AuthMethod authMethod) {
|
||||||
|
this.authMethod = authMethod;
|
||||||
|
}
|
||||||
|
|
||||||
|
public AuthMethod getAuthMethod() {
|
||||||
|
return authMethod;
|
||||||
|
}
|
||||||
|
|
||||||
|
public static AuthenticationMethod valueOf(AuthMethod authMethod) {
|
||||||
|
for (AuthenticationMethod value : values()) {
|
||||||
|
if (value.getAuthMethod() == authMethod) {
|
||||||
|
return value;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
throw new IllegalArgumentException(
|
||||||
|
"no authentication method for " + authMethod);
|
||||||
|
}
|
||||||
|
};
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Create a proxy user using username of the effective user and the ugi of the
|
* Create a proxy user using username of the effective user and the ugi of the
|
||||||
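Review bot: `valueOf(AuthMethod)` returns CERTIFICATE for a null argument instead of throwing, because CERTIFICATE is the first constant constructed with `null` and the loop compares with `==`; any caller of the new `setAuthenticationMethod(AuthMethod)` overload that passes null (the Server hunk above calls it with its `authMethod` field) would then record the user as certificate-authenticated. Reject null before the loop with `if (authMethod == null) { throw new IllegalArgumentException("no authentication method for null"); }`, or skip the unmapped constants with `if (value.getAuthMethod() != null && value.getAuthMethod() == authMethod)`. The `};` closing the enum body carries a stray semicolon.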
|
@ -1290,6 +1312,15 @@ public class UserGroupInformation {
|
||||||
user.setAuthenticationMethod(authMethod);
|
user.setAuthenticationMethod(authMethod);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Sets the authentication method in the subject
|
||||||
|
*
|
||||||
|
* @param authMethod
|
||||||
|
*/
|
||||||
|
public void setAuthenticationMethod(AuthMethod authMethod) {
|
||||||
|
user.setAuthenticationMethod(AuthenticationMethod.valueOf(authMethod));
|
||||||
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Get the authentication method from the subject
|
* Get the authentication method from the subject
|
||||||
*
|
*
|
||||||
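Review bot: The Javadoc on the new `setAuthenticationMethod(AuthMethod)` overload has an empty `@param authMethod` tag and does not mention that `AuthenticationMethod.valueOf(AuthMethod)` throws when the RPC method has no UGI mapping. Suggested tags: `@param authMethod the RPC-layer authentication method to record for this user` and `@throws IllegalArgumentException if {@code authMethod} has no corresponding {@link AuthenticationMethod}`. Adding this overload next to `setAuthenticationMethod(AuthenticationMethod)` also makes a bare `setAuthenticationMethod(null)` call ambiguous at compile time, so any caller that passed a null literal now needs a cast.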
|
|
|
@ -305,7 +305,6 @@ public class TestUserGroupInformation {
|
||||||
assertSame(secret, ugi.getCredentials().getSecretKey(secretKey));
|
assertSame(secret, ugi.getCredentials().getSecretKey(secretKey));
|
||||||
}
|
}
|
||||||
|
|
||||||
@SuppressWarnings("unchecked") // from Mockito mocks
|
|
||||||
@Test
|
@Test
|
||||||
public <T extends TokenIdentifier> void testGetCredsNotSame()
|
public <T extends TokenIdentifier> void testGetCredsNotSame()
|
||||||
throws Exception {
|
throws Exception {
|
||||||
|
@ -429,6 +428,18 @@ public class TestUserGroupInformation {
|
||||||
assertEquals(2, otherSet.size());
|
assertEquals(2, otherSet.size());
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
public void testTestAuthMethod() throws Exception {
|
||||||
|
UserGroupInformation ugi = UserGroupInformation.getCurrentUser();
|
||||||
|
// verify the reverse mappings works
|
||||||
|
for (AuthenticationMethod am : AuthenticationMethod.values()) {
|
||||||
|
if (am.getAuthMethod() != null) {
|
||||||
|
ugi.setAuthenticationMethod(am.getAuthMethod());
|
||||||
|
assertEquals(am, ugi.getAuthenticationMethod());
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
public void testUGIAuthMethod() throws Exception {
|
public void testUGIAuthMethod() throws Exception {
|
||||||
final UserGroupInformation ugi = UserGroupInformation.getCurrentUser();
|
final UserGroupInformation ugi = UserGroupInformation.getCurrentUser();
|
||||||
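Review bot: `testTestAuthMethod` only exercises constants with a non-null `getAuthMethod()`, so the behaviour of `setAuthenticationMethod(AuthMethod)` for a null or unmapped RPC method is untested; a case passing `(AuthMethod) null` would document what the mapping does for it (as written, `valueOf` resolves it to CERTIFICATE rather than throwing). The duplicated "Test" in the method name reads like a typo; `testAuthMethodMapping` says what it checks.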
|
|