HADOOP-6580. UGI should contain authentication method.

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@933810 13f79535-47bb-0310-9956-ffa450edef68

CHANGES.txt

@@ -68,6 +68,8 @@ Trunk (unreleased changes)
     HADOOP-6586. Log authentication and authorization failures and successes
     for RPC (boryas)
 
+    HADOOP-6580. UGI should contain authentication method. (jnp via boryas)
+
   IMPROVEMENTS
 
     HADOOP-6283. Improve the exception messages thrown by

src/java/org/apache/hadoop/ipc/Server.java

@@ -72,6 +72,7 @@ import org.apache.hadoop.security.SaslRpcServer.AuthMethod;
 import org.apache.hadoop.security.SaslRpcServer.SaslStatus;
 import org.apache.hadoop.security.SaslRpcServer.SaslDigestCallbackHandler;
 import org.apache.hadoop.security.SaslRpcServer.SaslGssCallbackHandler;
+import org.apache.hadoop.security.UserGroupInformation.AuthenticationMethod;
 import org.apache.hadoop.security.UserGroupInformation;
 import org.apache.hadoop.security.authorize.ProxyUsers;
 import org.apache.hadoop.security.authorize.AuthorizationException;
@@ -1084,18 +1085,32 @@ public abstract class Server {
       UserGroupInformation protocolUser = header.getUgi();
       if (!useSasl) {
         user = protocolUser;
-      } else if ((protocolUser != null)
-          && (!protocolUser.getUserName().equals(user.getUserName()))) {
-        if (authMethod == AuthMethod.DIGEST) {
-          // Not allowed to doAs if token authentication is used
-          throw new AccessControlException("Authenticated user (" + user
-              + ") doesn't match what the client claims to be (" + protocolUser
-              + ")");
-        } else {
-          //Effective user can be different from authenticated user
-          //for simple auth or kerberos auth
-          user = UserGroupInformation.createProxyUser(protocolUser
-              .getUserName(), user);
+        if (user != null) {
+          user.setAuthenticationMethod(AuthMethod.SIMPLE.authenticationMethod);
+        }
+      } else {
+        // user is authenticated
+        user.setAuthenticationMethod(authMethod.authenticationMethod);
+        //Now we check if this is a proxy user case. If the protocol user is
+        //different from the 'user', it is a proxy user scenario. However, 
+        //this is not allowed if user authenticated with DIGEST.
+        if ((protocolUser != null)
+            && (!protocolUser.getUserName().equals(user.getUserName()))) {
+          if (authMethod == AuthMethod.DIGEST) {
+            // Not allowed to doAs if token authentication is used
+            throw new AccessControlException("Authenticated user (" + user
+                + ") doesn't match what the client claims to be ("
+                + protocolUser + ")");
+          } else {
+            // Effective user can be different from authenticated user
+            // for simple auth or kerberos auth
+            // The user is the real user. Now we create a proxy user
+            UserGroupInformation realUser = user;
+            user = UserGroupInformation.createProxyUser(protocolUser
+                .getUserName(), realUser);
+            // Now the user is a proxy user, set Authentication method Proxy.
+            user.setAuthenticationMethod(AuthenticationMethod.PROXY);
+          }
         }
       }
     }

src/java/org/apache/hadoop/security/SaslRpcServer.java

@@ -41,6 +41,7 @@ import org.apache.commons.logging.LogFactory;
 import org.apache.hadoop.ipc.Server;
 import org.apache.hadoop.security.token.SecretManager;
 import org.apache.hadoop.security.token.TokenIdentifier;
+import org.apache.hadoop.security.UserGroupInformation.AuthenticationMethod;
 import org.apache.hadoop.security.token.SecretManager.InvalidToken;
 
 /**
@@ -102,17 +103,20 @@ public class SaslRpcServer {
   
   /** Authentication method */
   public static enum AuthMethod {
-    SIMPLE((byte) 80, ""), // no authentication
-    KERBEROS((byte) 81, "GSSAPI"), // SASL Kerberos authentication
-    DIGEST((byte) 82, "DIGEST-MD5"); // SASL DIGEST-MD5 authentication
+    SIMPLE((byte) 80, "", AuthenticationMethod.SIMPLE),
+    KERBEROS((byte) 81, "GSSAPI", AuthenticationMethod.KERBEROS),
+    DIGEST((byte) 82, "DIGEST-MD5", AuthenticationMethod.TOKEN);
 
     /** The code for this method. */
     public final byte code;
     public final String mechanismName;
+    public final AuthenticationMethod authenticationMethod;
 
-    private AuthMethod(byte code, String mechanismName) {
+    private AuthMethod(byte code, String mechanismName, 
+                       AuthenticationMethod authMethod) {
       this.code = code;
       this.mechanismName = mechanismName;
+      this.authenticationMethod = authMethod;
     }
 
     private static final int FIRST_CODE = values()[0].code;

src/java/org/apache/hadoop/security/User.java

@@ -19,6 +19,8 @@ package org.apache.hadoop.security;
 
 import java.security.Principal;
 
+import org.apache.hadoop.security.UserGroupInformation.AuthenticationMethod;
+
 /**
  * Save the full and short name of the user as a principal. This allows us to
  * have a single type that we always look for when picking up user names.
@@ -26,8 +28,13 @@ import java.security.Principal;
 class User implements Principal {
   private final String fullName;
   private final String shortName;
+  private AuthenticationMethod authMethod = null;
 
   public User(String name) {
+    this(name, null);
+  }
+  
+  public User(String name, AuthenticationMethod authMethod) {
     fullName = name;
     int atIdx = name.indexOf('@');
     if (atIdx == -1) {
@@ -40,6 +47,7 @@ class User implements Principal {
         shortName = name.substring(0, slashIdx);
       }
     }
+    this.authMethod = authMethod;
   }
 
   /**
@@ -65,7 +73,7 @@ class User implements Principal {
     } else if (o == null || getClass() != o.getClass()) {
       return false;
     } else {
-      return fullName.equals(((User) o).fullName);
+      return ((fullName.equals(((User) o).fullName)) && (authMethod == ((User) o).authMethod));
     }
   }
   
@@ -78,4 +86,12 @@ class User implements Principal {
   public String toString() {
     return fullName;
   }
+
+  public void setAuthenticationMethod(AuthenticationMethod authMethod) {
+    this.authMethod = authMethod;
+  }
+
+  public AuthenticationMethod getAuthenticationMethod() {
+    return authMethod;
+  }
 }

src/java/org/apache/hadoop/security/UserGroupInformation.java

@@ -51,6 +51,7 @@ import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.apache.hadoop.classification.InterfaceAudience;
 import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.security.SaslRpcServer.AuthMethod;
 import org.apache.hadoop.security.token.Token;
 import org.apache.hadoop.security.token.TokenIdentifier;
 
@@ -470,6 +471,15 @@ public class UserGroupInformation {
     return new UserGroupInformation(subject);
   }
 
+  public static enum AuthenticationMethod {
+    SIMPLE,
+    KERBEROS,
+    TOKEN,
+    CERTIFICATE,
+    KERBEROS_SSL,
+    PROXY;
+  }
+
   /* Create a proxy user using username of the effective user and the ugi of the
    * real user.
    *
@@ -649,6 +659,30 @@ public class UserGroupInformation {
     }
   }
 
+  /**
+   * Sets the authentication method in the subject
+   * 
+   * @param authMethod
+   */
+  public synchronized 
+  void setAuthenticationMethod(AuthenticationMethod authMethod) {
+    for (User p : subject.getPrincipals(User.class)) {
+      p.setAuthenticationMethod(authMethod);
+    }
+  }
+
+  /**
+   * Get the authentication method from the subject
+   * 
+   * @return AuthenticationMethod in the subject, null if not present.
+   */
+  public synchronized AuthenticationMethod getAuthenticationMethod() {
+    for (User p: subject.getPrincipals(User.class)) {
+      return p.getAuthenticationMethod();
+    }
+    return null;
+  }
+
   /**
    * Compare the subjects to see if they are equal to each other.
    */

src/test/core/org/apache/hadoop/ipc/TestSaslRPC.java

@@ -25,8 +25,11 @@ import java.io.DataInput;
 import java.io.DataOutput;
 import java.io.IOException;
 import java.net.InetSocketAddress;
+import java.security.PrivilegedExceptionAction;
 import java.util.Collection;
 
+import junit.framework.Assert;
+
 import org.apache.commons.logging.*;
 import org.apache.commons.logging.impl.Log4JLogger;
 
@@ -44,6 +47,7 @@ import org.apache.hadoop.security.SaslInputStream;
 import org.apache.hadoop.security.SaslRpcClient;
 import org.apache.hadoop.security.SaslRpcServer;
 import org.apache.hadoop.security.UserGroupInformation;
+import org.apache.hadoop.security.UserGroupInformation.AuthenticationMethod;
 
 import org.apache.log4j.Level;
 import org.junit.Test;
@@ -161,10 +165,14 @@ public class TestSaslRPC {
   @KerberosInfo(SERVER_PRINCIPAL_KEY)
   @TokenInfo(TestTokenSelector.class)
   public interface TestSaslProtocol extends TestRPC.TestProtocol {
+    public AuthenticationMethod getAuthMethod() throws IOException;
   }
   
   public static class TestSaslImpl extends TestRPC.TestImpl implements
       TestSaslProtocol {
+    public AuthenticationMethod getAuthMethod() throws IOException {
+      return UserGroupInformation.getCurrentUser().getAuthenticationMethod();
+    }
   }
 
   @Test
@@ -258,6 +266,43 @@ public class TestSaslRPC {
     }
   }
   
+  @Test
+  public void testDigestAuthMethod() throws Exception {
+    TestTokenSecretManager sm = new TestTokenSecretManager();
+    Server server = RPC.getServer(TestSaslProtocol.class,
+        new TestSaslImpl(), ADDRESS, 0, 5, true, conf, sm);
+    server.start();
+
+    final UserGroupInformation current = UserGroupInformation.getCurrentUser();
+    final InetSocketAddress addr = NetUtils.getConnectAddress(server);
+    TestTokenIdentifier tokenId = new TestTokenIdentifier(new Text(current
+        .getUserName()));
+    Token<TestTokenIdentifier> token = new Token<TestTokenIdentifier>(tokenId,
+        sm);
+    Text host = new Text(addr.getAddress().getHostAddress() + ":"
+        + addr.getPort());
+    token.setService(host);
+    LOG.info("Service IP address for token is " + host);
+    current.addToken(token);
+
+    current.doAs(new PrivilegedExceptionAction<Object>() {
+      public Object run() throws IOException {
+        TestSaslProtocol proxy = null;
+        try {
+          proxy = (TestSaslProtocol) RPC.getProxy(TestSaslProtocol.class,
+              TestSaslProtocol.versionID, addr, conf);
+          Assert.assertEquals(AuthenticationMethod.TOKEN, proxy.getAuthMethod());
+        } finally {
+          if (proxy != null) {
+            RPC.stopProxy(proxy);
+          }
+        }
+        return null;
+      }
+    });
+    server.stop();
+  }
+  
   public static void main(String[] args) throws Exception {
     System.out.println("Testing Kerberos authentication over RPC");
     if (args.length != 2) {

src/test/core/org/apache/hadoop/security/TestUserGroupInformation.java

@@ -27,13 +27,15 @@ import static org.mockito.Mockito.mock;
 import java.io.BufferedReader;
 import java.io.IOException;
 import java.io.InputStreamReader;
-import java.security.PrivilegedAction;
 import java.security.PrivilegedExceptionAction;
 import java.util.ArrayList;
 import java.util.Collection;
 import java.util.List;
 
-import org.apache.hadoop.conf.Configuration;
+import junit.framework.Assert;
+
+import org.apache.hadoop.security.SaslRpcServer.AuthMethod;
+import org.apache.hadoop.security.UserGroupInformation.AuthenticationMethod;
 import org.apache.hadoop.security.token.Token;
 import org.apache.hadoop.security.token.TokenIdentifier;
 import org.junit.Test;
@@ -212,4 +214,51 @@ public class TestUserGroupInformation {
     assertTrue(otherSet.contains(t1));
     assertTrue(otherSet.contains(t2));
   }
+  
+  @Test
+  public void testUGIAuthMethod() throws Exception {
+    final UserGroupInformation ugi = UserGroupInformation.getCurrentUser();
+    final AuthenticationMethod am = AuthenticationMethod.KERBEROS;
+    ugi.setAuthenticationMethod(am);
+    Assert.assertEquals(am, ugi.getAuthenticationMethod());
+    ugi.doAs(new PrivilegedExceptionAction<Object>() {
+      public Object run() throws IOException {
+        Assert.assertEquals(am, UserGroupInformation.getCurrentUser()
+            .getAuthenticationMethod());
+        return null;
+      }
+    });
+  }
+  
+  @Test
+  public void testUGIAuthMethodInRealUser() throws Exception {
+    final UserGroupInformation ugi = UserGroupInformation.getCurrentUser();
+    UserGroupInformation proxyUgi = UserGroupInformation.createProxyUser(
+        "proxy", ugi);
+    final AuthenticationMethod am = AuthenticationMethod.KERBEROS;
+    ugi.setAuthenticationMethod(am);
+    Assert.assertEquals(am, ugi.getAuthenticationMethod());
+    Assert.assertEquals(null, proxyUgi.getAuthenticationMethod());
+    proxyUgi.setAuthenticationMethod(AuthenticationMethod.PROXY);
+    proxyUgi.doAs(new PrivilegedExceptionAction<Object>() {
+      public Object run() throws IOException {
+        Assert.assertEquals(AuthenticationMethod.PROXY, UserGroupInformation
+            .getCurrentUser().getAuthenticationMethod());
+        Assert.assertEquals(am, UserGroupInformation.getCurrentUser()
+            .getRealUser().getAuthenticationMethod());
+        return null;
+      }
+    });
+    UserGroupInformation proxyUgi2 = UserGroupInformation.createProxyUser(
+        "proxy", ugi);
+    proxyUgi2.setAuthenticationMethod(AuthenticationMethod.PROXY);
+    Assert.assertEquals(proxyUgi, proxyUgi2);
+    // Equality should work if authMethod is null
+    UserGroupInformation realugi = UserGroupInformation.getCurrentUser();
+    UserGroupInformation proxyUgi3 = UserGroupInformation.createProxyUser(
+        "proxyAnother", realugi);
+    UserGroupInformation proxyUgi4 = UserGroupInformation.createProxyUser(
+        "proxyAnother", realugi);
+    Assert.assertEquals(proxyUgi3, proxyUgi4);
+  }
 }