HADOOP-17793. Better token validation (#3189)
Signed-off-by: Akira Ajisaka <aajisaka@apache.org>
(cherry picked from commit ba325a8ada)
parent
6cc9549499
commit
c18ad9a007
|
@ -32,7 +32,7 @@ import org.slf4j.Logger;
|
||||||
import org.slf4j.LoggerFactory;
|
import org.slf4j.LoggerFactory;
|
||||||
|
|
||||||
import java.io.*;
|
import java.io.*;
|
||||||
import java.util.Arrays;
|
import java.security.MessageDigest;
|
||||||
import java.util.Iterator;
|
import java.util.Iterator;
|
||||||
import java.util.Map;
|
import java.util.Map;
|
||||||
import java.util.ServiceConfigurationError;
|
import java.util.ServiceConfigurationError;
|
||||||
|
@ -391,8 +391,8 @@ public class Token<T extends TokenIdentifier> implements Writable {
|
||||||
return false;
|
return false;
|
||||||
} else {
|
} else {
|
||||||
Token<T> r = (Token<T>) right;
|
Token<T> r = (Token<T>) right;
|
||||||
return Arrays.equals(identifier, r.identifier) &&
|
return MessageDigest.isEqual(identifier, r.identifier) &&
|
||||||
Arrays.equals(password, r.password) &&
|
MessageDigest.isEqual(password, r.password) &&
|
||||||
kind.equals(r.kind) &&
|
kind.equals(r.kind) &&
|
||||||
service.equals(r.service);
|
service.equals(r.service);
|
||||||
}
|
}
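Review bot: The `&&` chain in `Token.equals` still returns as soon as `identifier` differs, so the individual array comparisons are time-independent but the method as a whole is not. That is probably acceptable if the identifier is not treated as secret, but the intent should be written down so the call is not later "simplified" back. I would add above the return: `// MessageDigest.isEqual: no early exit on the first differing byte; do not revert to Arrays.equals`. Null handling looks unchanged, since `MessageDigest.isEqual` also treats two null arrays as equal. The body of `equals` starts above the hunk, so its earlier branches cannot be checked here.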
|
||||||
|
|
|
@ -22,6 +22,7 @@ import org.apache.hadoop.thirdparty.com.google.common.base.Charsets;
|
||||||
import java.io.ByteArrayInputStream;
|
import java.io.ByteArrayInputStream;
|
||||||
import java.io.DataInputStream;
|
import java.io.DataInputStream;
|
||||||
import java.io.IOException;
|
import java.io.IOException;
|
||||||
|
import java.security.MessageDigest;
|
||||||
import java.security.SecureRandom;
|
import java.security.SecureRandom;
|
||||||
import java.util.Arrays;
|
import java.util.Arrays;
|
||||||
import java.util.EnumSet;
|
import java.util.EnumSet;
|
||||||
|
@ -407,7 +408,7 @@ public class BlockTokenSecretManager extends
|
||||||
+ ", block=" + block + ", access mode=" + mode);
|
+ ", block=" + block + ", access mode=" + mode);
|
||||||
}
|
}
|
||||||
checkAccess(id, userId, block, mode, storageTypes, storageIds);
|
checkAccess(id, userId, block, mode, storageTypes, storageIds);
|
||||||
if (!Arrays.equals(retrievePassword(id), token.getPassword())) {
|
if (!MessageDigest.isEqual(retrievePassword(id), token.getPassword())) {
|
||||||
throw new InvalidToken("Block token with " + id
|
throw new InvalidToken("Block token with " + id
|
||||||
+ " doesn't have the correct token password");
|
+ " doesn't have the correct token password");
|
||||||
}
|
}
|
||||||
|
@ -427,7 +428,7 @@ public class BlockTokenSecretManager extends
|
||||||
+ ", block=" + block + ", access mode=" + mode);
|
+ ", block=" + block + ", access mode=" + mode);
|
||||||
}
|
}
|
||||||
checkAccess(id, userId, block, mode);
|
checkAccess(id, userId, block, mode);
|
||||||
if (!Arrays.equals(retrievePassword(id), token.getPassword())) {
|
if (!MessageDigest.isEqual(retrievePassword(id), token.getPassword())) {
|
||||||
throw new InvalidToken("Block token with " + id
|
throw new InvalidToken("Block token with " + id
|
||||||
+ " doesn't have the correct token password");
|
+ " doesn't have the correct token password");
|
||||||
}
|
}
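Review bot: The check `if (!MessageDigest.isEqual(retrievePassword(id), token.getPassword()))` now appears twice, once in each `checkAccess` overload of `BlockTokenSecretManager` shown in this section, and the two copies can drift apart on a later edit. A small private helper called from both overloads (for example a suggested `verifyPassword(id, token)` that throws `InvalidToken`) would keep the comparison in one place. It should carry a comment such as `// constant-time compare of the recomputed and presented password; do not replace with Arrays.equals`. Both method bodies start and end outside the hunks, and no test for the rejected-password path is visible on this page.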
|
||||||
|
|
|
@ -174,8 +174,8 @@ import java.io.IOException;
|
||||||
import java.net.InetSocketAddress;
|
import java.net.InetSocketAddress;
|
||||||
import java.net.URISyntaxException;
|
import java.net.URISyntaxException;
|
||||||
import java.nio.ByteBuffer;
|
import java.nio.ByteBuffer;
|
||||||
|
import java.security.MessageDigest;
|
||||||
import java.util.ArrayList;
|
import java.util.ArrayList;
|
||||||
import java.util.Arrays;
|
|
||||||
import java.util.Collection;
|
import java.util.Collection;
|
||||||
import java.util.HashMap;
|
import java.util.HashMap;
|
||||||
import java.util.List;
|
import java.util.List;
|
||||||
|
@ -1231,7 +1231,7 @@ public class ContainerManagerImpl extends CompositeService implements
|
||||||
containerTokenIdentifier);
|
containerTokenIdentifier);
|
||||||
byte[] tokenPass = token.getPassword().array();
|
byte[] tokenPass = token.getPassword().array();
|
||||||
if (password == null || tokenPass == null
|
if (password == null || tokenPass == null
|
||||||
|| !Arrays.equals(password, tokenPass)) {
|
|| !MessageDigest.isEqual(password, tokenPass)) {
|
||||||
throw new InvalidToken(
|
throw new InvalidToken(
|
||||||
"Invalid container token used for starting container on : "
|
"Invalid container token used for starting container on : "
|
||||||
+ context.getNodeId().toString());
|
+ context.getNodeId().toString());
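Review bot: `token.getPassword().array()` runs before the `tokenPass == null` test, so a missing password buffer would surface as a NullPointerException rather than `InvalidToken`, and `array()` itself never returns null, which leaves that half of the guard dead. Assuming `getPassword()` returns a `ByteBuffer` here, `array()` also hands back the whole backing array regardless of the buffer's offset, position and limit, and throws for read-only or direct buffers. Whether such buffers can reach this point depends on code outside the hunk. Null-checking the buffer first and copying its remaining bytes from a `duplicate()` before the `MessageDigest.isEqual` call would make the check independent of how the buffer was built. The enclosing method starts and ends outside the hunk.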
|
||||||
|
|