Apache
/
hadoop
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

HADOOP-11748. The secrets of auth cookies should not be specified in configuration in clear text. Contributed by Li Lu and Haohui Mai.

This commit is contained in:
Haohui Mai 2015-03-26 16:29:36 -07:00
parent 2a750c9aa6
commit c261d35b75
7 changed files with 106 additions and 128 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/AuthenticationFilter.java
View File

@ -279,14 +279,11 @@ public class AuthenticationFilter implements Filter {
= config.getProperty(SIGNER_SECRET_PROVIDER, null); = config.getProperty(SIGNER_SECRET_PROVIDER, null);
// fallback to old behavior // fallback to old behavior
if (signerSecretProviderName == null) { if (signerSecretProviderName == null) {
String signatureSecret = config.getProperty(SIGNATURE_SECRET, null);
String signatureSecretFile = config.getProperty( String signatureSecretFile = config.getProperty(
SIGNATURE_SECRET_FILE, null); SIGNATURE_SECRET_FILE, null);
// The precedence from high to low : file, inline string, random // The precedence from high to low : file, random
if (signatureSecretFile != null) { if (signatureSecretFile != null) {
providerClassName = FileSignerSecretProvider.class.getName(); providerClassName = FileSignerSecretProvider.class.getName();
} else if (signatureSecret != null) {
providerClassName = StringSignerSecretProvider.class.getName();
} else { } else {
providerClassName = RandomSignerSecretProvider.class.getName(); providerClassName = RandomSignerSecretProvider.class.getName();
randomSecret = true; randomSecret = true;
@ -295,8 +292,6 @@ public class AuthenticationFilter implements Filter {
if ("random".equals(signerSecretProviderName)) { if ("random".equals(signerSecretProviderName)) {
providerClassName = RandomSignerSecretProvider.class.getName(); providerClassName = RandomSignerSecretProvider.class.getName();
randomSecret = true; randomSecret = true;
} else if ("string".equals(signerSecretProviderName)) {
providerClassName = StringSignerSecretProvider.class.getName();
} else if ("file".equals(signerSecretProviderName)) { } else if ("file".equals(signerSecretProviderName)) {
providerClassName = FileSignerSecretProvider.class.getName(); providerClassName = FileSignerSecretProvider.class.getName();
} else if ("zookeeper".equals(signerSecretProviderName)) { } else if ("zookeeper".equals(signerSecretProviderName)) {

167
hadoop-common-project/hadoop-auth/src/test/java/org/apache/hadoop/security/authentication/server/TestAuthenticationFilter.java
View File

@ -38,7 +38,7 @@ import org.apache.hadoop.security.authentication.client.AuthenticatedURL;
import org.apache.hadoop.security.authentication.client.AuthenticationException; import org.apache.hadoop.security.authentication.client.AuthenticationException;
import org.apache.hadoop.security.authentication.util.Signer; import org.apache.hadoop.security.authentication.util.Signer;
import org.apache.hadoop.security.authentication.util.SignerSecretProvider; import org.apache.hadoop.security.authentication.util.SignerSecretProvider;
import org.apache.hadoop.security.authentication.util.StringSignerSecretProvider; import org.apache.hadoop.security.authentication.util.StringSignerSecretProviderCreator;
import org.junit.Assert; import org.junit.Assert;
import org.junit.Test; import org.junit.Test;
import org.mockito.Mockito; import org.mockito.Mockito;
@ -158,14 +158,14 @@ public class TestAuthenticationFilter {
try { try {
FilterConfig config = Mockito.mock(FilterConfig.class); FilterConfig config = Mockito.mock(FilterConfig.class);
Mockito.when(config.getInitParameter(AuthenticationFilter.AUTH_TYPE)).thenReturn("simple"); Mockito.when(config.getInitParameter(AuthenticationFilter.AUTH_TYPE)).thenReturn("simple");
Mockito.when(config.getInitParameter(AuthenticationFilter.AUTH_TOKEN_VALIDITY)).thenReturn( Mockito.when(config.getInitParameter(
AuthenticationFilter.AUTH_TOKEN_VALIDITY)).thenReturn(
(new Long(TOKEN_VALIDITY_SEC)).toString()); (new Long(TOKEN_VALIDITY_SEC)).toString());
Mockito.when(config.getInitParameterNames()).thenReturn( Mockito.when(config.getInitParameterNames()).thenReturn(
new Vector<String>(Arrays.asList(AuthenticationFilter.AUTH_TYPE, new Vector<String>(Arrays.asList(AuthenticationFilter.AUTH_TYPE,
AuthenticationFilter.AUTH_TOKEN_VALIDITY)).elements()); AuthenticationFilter.AUTH_TOKEN_VALIDITY)).elements());
ServletContext context = Mockito.mock(ServletContext.class); ServletContext context = Mockito.mock(ServletContext.class);
Mockito.when(context.getAttribute( Mockito.when(context.getAttribute(AuthenticationFilter.SIGNER_SECRET_PROVIDER_ATTRIBUTE))
AuthenticationFilter.SIGNER_SECRET_PROVIDER_ATTRIBUTE))
.thenReturn(null); .thenReturn(null);
Mockito.when(config.getServletContext()).thenReturn(context); Mockito.when(config.getServletContext()).thenReturn(context);
filter.init(config); filter.init(config);
@ -179,27 +179,6 @@ public class TestAuthenticationFilter {
filter.destroy(); filter.destroy();
} }
// string secret
filter = new AuthenticationFilter();
try {
FilterConfig config = Mockito.mock(FilterConfig.class);
Mockito.when(config.getInitParameter(AuthenticationFilter.AUTH_TYPE)).thenReturn("simple");
Mockito.when(config.getInitParameter(AuthenticationFilter.SIGNATURE_SECRET)).thenReturn("secret");
Mockito.when(config.getInitParameterNames()).thenReturn(
new Vector<String>(Arrays.asList(AuthenticationFilter.AUTH_TYPE,
AuthenticationFilter.SIGNATURE_SECRET)).elements());
ServletContext context = Mockito.mock(ServletContext.class);
Mockito.when(context.getAttribute(
AuthenticationFilter.SIGNER_SECRET_PROVIDER_ATTRIBUTE))
.thenReturn(null);
Mockito.when(config.getServletContext()).thenReturn(context);
filter.init(config);
Assert.assertFalse(filter.isRandomSecret());
Assert.assertFalse(filter.isCustomSignerSecretProvider());
} finally {
filter.destroy();
}
// custom secret as inline // custom secret as inline
filter = new AuthenticationFilter(); filter = new AuthenticationFilter();
try { try {
@ -278,11 +257,7 @@ public class TestAuthenticationFilter {
new Vector<String>(Arrays.asList(AuthenticationFilter.AUTH_TYPE, new Vector<String>(Arrays.asList(AuthenticationFilter.AUTH_TYPE,
AuthenticationFilter.COOKIE_DOMAIN, AuthenticationFilter.COOKIE_DOMAIN,
AuthenticationFilter.COOKIE_PATH)).elements()); AuthenticationFilter.COOKIE_PATH)).elements());
ServletContext context = Mockito.mock(ServletContext.class); getMockedServletContextWithStringSigner(config);
Mockito.when(context.getAttribute(
AuthenticationFilter.SIGNER_SECRET_PROVIDER_ATTRIBUTE))
.thenReturn(null);
Mockito.when(config.getServletContext()).thenReturn(context);
filter.init(config); filter.init(config);
Assert.assertEquals(".foo.com", filter.getCookieDomain()); Assert.assertEquals(".foo.com", filter.getCookieDomain());
Assert.assertEquals("/bar", filter.getCookiePath()); Assert.assertEquals("/bar", filter.getCookiePath());
@ -303,11 +278,7 @@ public class TestAuthenticationFilter {
new Vector<String>( new Vector<String>(
Arrays.asList(AuthenticationFilter.AUTH_TYPE, Arrays.asList(AuthenticationFilter.AUTH_TYPE,
"management.operation.return")).elements()); "management.operation.return")).elements());
ServletContext context = Mockito.mock(ServletContext.class); getMockedServletContextWithStringSigner(config);
Mockito.when(context.getAttribute(
AuthenticationFilter.SIGNER_SECRET_PROVIDER_ATTRIBUTE))
.thenReturn(null);
Mockito.when(config.getServletContext()).thenReturn(context);
filter.init(config); filter.init(config);
Assert.assertTrue(DummyAuthenticationHandler.init); Assert.assertTrue(DummyAuthenticationHandler.init);
} finally { } finally {
@ -345,11 +316,7 @@ public class TestAuthenticationFilter {
Mockito.when(config.getInitParameterNames()).thenReturn( Mockito.when(config.getInitParameterNames()).thenReturn(
new Vector<String>(Arrays.asList(AuthenticationFilter.AUTH_TYPE, new Vector<String>(Arrays.asList(AuthenticationFilter.AUTH_TYPE,
AuthenticationFilter.AUTH_TOKEN_VALIDITY)).elements()); AuthenticationFilter.AUTH_TOKEN_VALIDITY)).elements());
ServletContext context = Mockito.mock(ServletContext.class); getMockedServletContextWithStringSigner(config);
Mockito.when(context.getAttribute(
AuthenticationFilter.SIGNER_SECRET_PROVIDER_ATTRIBUTE))
.thenReturn(null);
Mockito.when(config.getServletContext()).thenReturn(context);
filter.init(config); filter.init(config);
Assert.assertEquals(PseudoAuthenticationHandler.class, Assert.assertEquals(PseudoAuthenticationHandler.class,
@ -372,11 +339,7 @@ public class TestAuthenticationFilter {
new Vector<String>( new Vector<String>(
Arrays.asList(AuthenticationFilter.AUTH_TYPE, Arrays.asList(AuthenticationFilter.AUTH_TYPE,
"management.operation.return")).elements()); "management.operation.return")).elements());
ServletContext context = Mockito.mock(ServletContext.class); getMockedServletContextWithStringSigner(config);
Mockito.when(context.getAttribute(
AuthenticationFilter.SIGNER_SECRET_PROVIDER_ATTRIBUTE))
.thenReturn(null);
Mockito.when(config.getServletContext()).thenReturn(context);
filter.init(config); filter.init(config);
HttpServletRequest request = Mockito.mock(HttpServletRequest.class); HttpServletRequest request = Mockito.mock(HttpServletRequest.class);
@ -392,6 +355,7 @@ public class TestAuthenticationFilter {
@Test @Test
public void testGetToken() throws Exception { public void testGetToken() throws Exception {
AuthenticationFilter filter = new AuthenticationFilter(); AuthenticationFilter filter = new AuthenticationFilter();
try { try {
FilterConfig config = Mockito.mock(FilterConfig.class); FilterConfig config = Mockito.mock(FilterConfig.class);
Mockito.when(config.getInitParameter("management.operation.return")). Mockito.when(config.getInitParameter("management.operation.return")).
@ -404,21 +368,13 @@ public class TestAuthenticationFilter {
Arrays.asList(AuthenticationFilter.AUTH_TYPE, Arrays.asList(AuthenticationFilter.AUTH_TYPE,
AuthenticationFilter.SIGNATURE_SECRET, AuthenticationFilter.SIGNATURE_SECRET,
"management.operation.return")).elements()); "management.operation.return")).elements());
ServletContext context = Mockito.mock(ServletContext.class); SignerSecretProvider secretProvider =
Mockito.when(context.getAttribute( getMockedServletContextWithStringSigner(config);
AuthenticationFilter.SIGNER_SECRET_PROVIDER_ATTRIBUTE))
.thenReturn(null);
Mockito.when(config.getServletContext()).thenReturn(context);
filter.init(config); filter.init(config);
AuthenticationToken token = new AuthenticationToken("u", "p", DummyAuthenticationHandler.TYPE); AuthenticationToken token = new AuthenticationToken("u", "p", DummyAuthenticationHandler.TYPE);
token.setExpires(System.currentTimeMillis() + TOKEN_VALIDITY_SEC); token.setExpires(System.currentTimeMillis() + TOKEN_VALIDITY_SEC);
StringSignerSecretProvider secretProvider
= new StringSignerSecretProvider();
Properties secretProviderProps = new Properties();
secretProviderProps.setProperty(
AuthenticationFilter.SIGNATURE_SECRET, "secret");
secretProvider.init(secretProviderProps, null, TOKEN_VALIDITY_SEC);
Signer signer = new Signer(secretProvider); Signer signer = new Signer(secretProvider);
String tokenSigned = signer.sign(token.toString()); String tokenSigned = signer.sign(token.toString());
@ -448,18 +404,14 @@ public class TestAuthenticationFilter {
Arrays.asList(AuthenticationFilter.AUTH_TYPE, Arrays.asList(AuthenticationFilter.AUTH_TYPE,
AuthenticationFilter.SIGNATURE_SECRET, AuthenticationFilter.SIGNATURE_SECRET,
"management.operation.return")).elements()); "management.operation.return")).elements());
ServletContext context = Mockito.mock(ServletContext.class); getMockedServletContextWithStringSigner(config);
Mockito.when(context.getAttribute(
AuthenticationFilter.SIGNER_SECRET_PROVIDER_ATTRIBUTE))
.thenReturn(null);
Mockito.when(config.getServletContext()).thenReturn(context);
filter.init(config); filter.init(config);
AuthenticationToken token = AuthenticationToken token =
new AuthenticationToken("u", "p", DummyAuthenticationHandler.TYPE); new AuthenticationToken("u", "p", DummyAuthenticationHandler.TYPE);
token.setExpires(System.currentTimeMillis() - TOKEN_VALIDITY_SEC); token.setExpires(System.currentTimeMillis() - TOKEN_VALIDITY_SEC);
StringSignerSecretProvider secretProvider SignerSecretProvider secretProvider =
= new StringSignerSecretProvider(); StringSignerSecretProviderCreator.newStringSignerSecretProvider();
Properties secretProviderProps = new Properties(); Properties secretProviderProps = new Properties();
secretProviderProps.setProperty( secretProviderProps.setProperty(
AuthenticationFilter.SIGNATURE_SECRET, "secret"); AuthenticationFilter.SIGNATURE_SECRET, "secret");
@ -500,17 +452,13 @@ public class TestAuthenticationFilter {
Arrays.asList(AuthenticationFilter.AUTH_TYPE, Arrays.asList(AuthenticationFilter.AUTH_TYPE,
AuthenticationFilter.SIGNATURE_SECRET, AuthenticationFilter.SIGNATURE_SECRET,
"management.operation.return")).elements()); "management.operation.return")).elements());
ServletContext context = Mockito.mock(ServletContext.class); getMockedServletContextWithStringSigner(config);
Mockito.when(context.getAttribute(
AuthenticationFilter.SIGNER_SECRET_PROVIDER_ATTRIBUTE))
.thenReturn(null);
Mockito.when(config.getServletContext()).thenReturn(context);
filter.init(config); filter.init(config);
AuthenticationToken token = new AuthenticationToken("u", "p", "invalidtype"); AuthenticationToken token = new AuthenticationToken("u", "p", "invalidtype");
token.setExpires(System.currentTimeMillis() + TOKEN_VALIDITY_SEC); token.setExpires(System.currentTimeMillis() + TOKEN_VALIDITY_SEC);
StringSignerSecretProvider secretProvider SignerSecretProvider secretProvider =
= new StringSignerSecretProvider(); StringSignerSecretProviderCreator.newStringSignerSecretProvider();
Properties secretProviderProps = new Properties(); Properties secretProviderProps = new Properties();
secretProviderProps.setProperty( secretProviderProps.setProperty(
AuthenticationFilter.SIGNATURE_SECRET, "secret"); AuthenticationFilter.SIGNATURE_SECRET, "secret");
@ -536,6 +484,23 @@ public class TestAuthenticationFilter {
} }
} }
private static SignerSecretProvider getMockedServletContextWithStringSigner(
FilterConfig config) throws Exception {
Properties secretProviderProps = new Properties();
secretProviderProps.setProperty(AuthenticationFilter.SIGNATURE_SECRET,
"secret");
SignerSecretProvider secretProvider =
StringSignerSecretProviderCreator.newStringSignerSecretProvider();
secretProvider.init(secretProviderProps, null, TOKEN_VALIDITY_SEC);
ServletContext context = Mockito.mock(ServletContext.class);
Mockito.when(context.getAttribute(
AuthenticationFilter.SIGNER_SECRET_PROVIDER_ATTRIBUTE))
.thenReturn(secretProvider);
Mockito.when(config.getServletContext()).thenReturn(context);
return secretProvider;
}
@Test @Test
public void testDoFilterNotAuthenticated() throws Exception { public void testDoFilterNotAuthenticated() throws Exception {
AuthenticationFilter filter = new AuthenticationFilter(); AuthenticationFilter filter = new AuthenticationFilter();
@ -549,11 +514,7 @@ public class TestAuthenticationFilter {
new Vector<String>( new Vector<String>(
Arrays.asList(AuthenticationFilter.AUTH_TYPE, Arrays.asList(AuthenticationFilter.AUTH_TYPE,
"management.operation.return")).elements()); "management.operation.return")).elements());
ServletContext context = Mockito.mock(ServletContext.class); getMockedServletContextWithStringSigner(config);
Mockito.when(context.getAttribute(
AuthenticationFilter.SIGNER_SECRET_PROVIDER_ATTRIBUTE))
.thenReturn(null);
Mockito.when(config.getServletContext()).thenReturn(context);
filter.init(config); filter.init(config);
HttpServletRequest request = Mockito.mock(HttpServletRequest.class); HttpServletRequest request = Mockito.mock(HttpServletRequest.class);
@ -603,11 +564,7 @@ public class TestAuthenticationFilter {
AuthenticationFilter.AUTH_TOKEN_VALIDITY, AuthenticationFilter.AUTH_TOKEN_VALIDITY,
AuthenticationFilter.SIGNATURE_SECRET, "management.operation" + AuthenticationFilter.SIGNATURE_SECRET, "management.operation" +
".return", "expired.token")).elements()); ".return", "expired.token")).elements());
ServletContext context = Mockito.mock(ServletContext.class); getMockedServletContextWithStringSigner(config);
Mockito.when(context.getAttribute(
AuthenticationFilter.SIGNER_SECRET_PROVIDER_ATTRIBUTE))
.thenReturn(null);
Mockito.when(config.getServletContext()).thenReturn(context);
if (withDomainPath) { if (withDomainPath) {
Mockito.when(config.getInitParameter(AuthenticationFilter Mockito.when(config.getInitParameter(AuthenticationFilter
@ -661,8 +618,8 @@ public class TestAuthenticationFilter {
Mockito.verify(chain).doFilter(Mockito.any(ServletRequest.class), Mockito.verify(chain).doFilter(Mockito.any(ServletRequest.class),
Mockito.any(ServletResponse.class)); Mockito.any(ServletResponse.class));
StringSignerSecretProvider secretProvider SignerSecretProvider secretProvider =
= new StringSignerSecretProvider(); StringSignerSecretProviderCreator.newStringSignerSecretProvider();
Properties secretProviderProps = new Properties(); Properties secretProviderProps = new Properties();
secretProviderProps.setProperty( secretProviderProps.setProperty(
AuthenticationFilter.SIGNATURE_SECRET, "secret"); AuthenticationFilter.SIGNATURE_SECRET, "secret");
@ -734,11 +691,7 @@ public class TestAuthenticationFilter {
new Vector<String>( new Vector<String>(
Arrays.asList(AuthenticationFilter.AUTH_TYPE, Arrays.asList(AuthenticationFilter.AUTH_TYPE,
"management.operation.return")).elements()); "management.operation.return")).elements());
ServletContext context = Mockito.mock(ServletContext.class); getMockedServletContextWithStringSigner(config);
Mockito.when(context.getAttribute(
AuthenticationFilter.SIGNER_SECRET_PROVIDER_ATTRIBUTE))
.thenReturn(null);
Mockito.when(config.getServletContext()).thenReturn(context);
filter.init(config); filter.init(config);
HttpServletRequest request = Mockito.mock(HttpServletRequest.class); HttpServletRequest request = Mockito.mock(HttpServletRequest.class);
@ -746,8 +699,8 @@ public class TestAuthenticationFilter {
AuthenticationToken token = new AuthenticationToken("u", "p", "t"); AuthenticationToken token = new AuthenticationToken("u", "p", "t");
token.setExpires(System.currentTimeMillis() + TOKEN_VALIDITY_SEC); token.setExpires(System.currentTimeMillis() + TOKEN_VALIDITY_SEC);
StringSignerSecretProvider secretProvider SignerSecretProvider secretProvider =
= new StringSignerSecretProvider(); StringSignerSecretProviderCreator.newStringSignerSecretProvider();
Properties secretProviderProps = new Properties(); Properties secretProviderProps = new Properties();
secretProviderProps.setProperty( secretProviderProps.setProperty(
AuthenticationFilter.SIGNATURE_SECRET, "secret"); AuthenticationFilter.SIGNATURE_SECRET, "secret");
@ -795,11 +748,7 @@ public class TestAuthenticationFilter {
new Vector<String>( new Vector<String>(
Arrays.asList(AuthenticationFilter.AUTH_TYPE, Arrays.asList(AuthenticationFilter.AUTH_TYPE,
"management.operation.return")).elements()); "management.operation.return")).elements());
ServletContext context = Mockito.mock(ServletContext.class); getMockedServletContextWithStringSigner(config);
Mockito.when(context.getAttribute(
AuthenticationFilter.SIGNER_SECRET_PROVIDER_ATTRIBUTE))
.thenReturn(null);
Mockito.when(config.getServletContext()).thenReturn(context);
filter.init(config); filter.init(config);
HttpServletRequest request = Mockito.mock(HttpServletRequest.class); HttpServletRequest request = Mockito.mock(HttpServletRequest.class);
@ -863,11 +812,7 @@ public class TestAuthenticationFilter {
Arrays.asList(AuthenticationFilter.AUTH_TYPE, Arrays.asList(AuthenticationFilter.AUTH_TYPE,
AuthenticationFilter.SIGNATURE_SECRET, AuthenticationFilter.SIGNATURE_SECRET,
"management.operation.return")).elements()); "management.operation.return")).elements());
ServletContext context = Mockito.mock(ServletContext.class); getMockedServletContextWithStringSigner(config);
Mockito.when(context.getAttribute(
AuthenticationFilter.SIGNER_SECRET_PROVIDER_ATTRIBUTE))
.thenReturn(null);
Mockito.when(config.getServletContext()).thenReturn(context);
filter.init(config); filter.init(config);
HttpServletRequest request = Mockito.mock(HttpServletRequest.class); HttpServletRequest request = Mockito.mock(HttpServletRequest.class);
@ -875,8 +820,8 @@ public class TestAuthenticationFilter {
AuthenticationToken token = new AuthenticationToken("u", "p", DummyAuthenticationHandler.TYPE); AuthenticationToken token = new AuthenticationToken("u", "p", DummyAuthenticationHandler.TYPE);
token.setExpires(System.currentTimeMillis() - TOKEN_VALIDITY_SEC); token.setExpires(System.currentTimeMillis() - TOKEN_VALIDITY_SEC);
StringSignerSecretProvider secretProvider SignerSecretProvider secretProvider =
= new StringSignerSecretProvider(); StringSignerSecretProviderCreator.newStringSignerSecretProvider();
Properties secretProviderProps = new Properties(); Properties secretProviderProps = new Properties();
secretProviderProps.setProperty( secretProviderProps.setProperty(
AuthenticationFilter.SIGNATURE_SECRET, secret); AuthenticationFilter.SIGNATURE_SECRET, secret);
@ -942,11 +887,7 @@ public class TestAuthenticationFilter {
Arrays.asList(AuthenticationFilter.AUTH_TYPE, Arrays.asList(AuthenticationFilter.AUTH_TYPE,
AuthenticationFilter.SIGNATURE_SECRET, AuthenticationFilter.SIGNATURE_SECRET,
"management.operation.return")).elements()); "management.operation.return")).elements());
ServletContext context = Mockito.mock(ServletContext.class); getMockedServletContextWithStringSigner(config);
Mockito.when(context.getAttribute(
AuthenticationFilter.SIGNER_SECRET_PROVIDER_ATTRIBUTE))
.thenReturn(null);
Mockito.when(config.getServletContext()).thenReturn(context);
filter.init(config); filter.init(config);
HttpServletRequest request = Mockito.mock(HttpServletRequest.class); HttpServletRequest request = Mockito.mock(HttpServletRequest.class);
@ -954,8 +895,8 @@ public class TestAuthenticationFilter {
AuthenticationToken token = new AuthenticationToken("u", "p", "invalidtype"); AuthenticationToken token = new AuthenticationToken("u", "p", "invalidtype");
token.setExpires(System.currentTimeMillis() + TOKEN_VALIDITY_SEC); token.setExpires(System.currentTimeMillis() + TOKEN_VALIDITY_SEC);
StringSignerSecretProvider secretProvider SignerSecretProvider secretProvider =
= new StringSignerSecretProvider(); StringSignerSecretProviderCreator.newStringSignerSecretProvider();
Properties secretProviderProps = new Properties(); Properties secretProviderProps = new Properties();
secretProviderProps.setProperty( secretProviderProps.setProperty(
AuthenticationFilter.SIGNATURE_SECRET, secret); AuthenticationFilter.SIGNATURE_SECRET, secret);
@ -989,11 +930,7 @@ public class TestAuthenticationFilter {
new Vector<String>( new Vector<String>(
Arrays.asList(AuthenticationFilter.AUTH_TYPE, Arrays.asList(AuthenticationFilter.AUTH_TYPE,
"management.operation.return")).elements()); "management.operation.return")).elements());
ServletContext context = Mockito.mock(ServletContext.class); getMockedServletContextWithStringSigner(config);
Mockito.when(context.getAttribute(
AuthenticationFilter.SIGNER_SECRET_PROVIDER_ATTRIBUTE))
.thenReturn(null);
Mockito.when(config.getServletContext()).thenReturn(context);
filter.init(config); filter.init(config);
HttpServletRequest request = Mockito.mock(HttpServletRequest.class); HttpServletRequest request = Mockito.mock(HttpServletRequest.class);
@ -1013,8 +950,8 @@ public class TestAuthenticationFilter {
AuthenticationToken token = new AuthenticationToken("u", "p", "t"); AuthenticationToken token = new AuthenticationToken("u", "p", "t");
token.setExpires(System.currentTimeMillis() + TOKEN_VALIDITY_SEC); token.setExpires(System.currentTimeMillis() + TOKEN_VALIDITY_SEC);
StringSignerSecretProvider secretProvider SignerSecretProvider secretProvider =
= new StringSignerSecretProvider(); StringSignerSecretProviderCreator.newStringSignerSecretProvider();
Properties secretProviderProps = new Properties(); Properties secretProviderProps = new Properties();
secretProviderProps.setProperty( secretProviderProps.setProperty(
AuthenticationFilter.SIGNATURE_SECRET, "secret"); AuthenticationFilter.SIGNATURE_SECRET, "secret");

6
hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/util/StringSignerSecretProvider.java → hadoop-common-project/hadoop-auth/src/test/java/org/apache/hadoop/security/authentication/util/StringSignerSecretProvider.java
View File

@ -16,6 +16,8 @@ package org.apache.hadoop.security.authentication.util;
import java.nio.charset.Charset; import java.nio.charset.Charset;
import java.util.Properties; import java.util.Properties;
import javax.servlet.ServletContext; import javax.servlet.ServletContext;
import com.google.common.annotations.VisibleForTesting;
import org.apache.hadoop.classification.InterfaceAudience; import org.apache.hadoop.classification.InterfaceAudience;
import org.apache.hadoop.classification.InterfaceStability; import org.apache.hadoop.classification.InterfaceStability;
import org.apache.hadoop.security.authentication.server.AuthenticationFilter; import org.apache.hadoop.security.authentication.server.AuthenticationFilter;
@ -24,8 +26,8 @@ import org.apache.hadoop.security.authentication.server.AuthenticationFilter;
* A SignerSecretProvider that simply creates a secret based on a given String. * A SignerSecretProvider that simply creates a secret based on a given String.
*/ */
@InterfaceStability.Unstable @InterfaceStability.Unstable
@InterfaceAudience.Private @VisibleForTesting
public class StringSignerSecretProvider extends SignerSecretProvider { class StringSignerSecretProvider extends SignerSecretProvider {
private byte[] secret; private byte[] secret;
private byte[][] secrets; private byte[][] secrets;

33
hadoop-common-project/hadoop-auth/src/test/java/org/apache/hadoop/security/authentication/util/StringSignerSecretProviderCreator.java Normal file
View File

@ -0,0 +1,33 @@
/**
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License. See accompanying LICENSE file.
*/
package org.apache.hadoop.security.authentication.util;
import com.google.common.annotations.VisibleForTesting;
import org.apache.hadoop.classification.InterfaceStability;
/**
* Helper class for creating StringSignerSecretProviders in unit tests
*/
@InterfaceStability.Unstable
@VisibleForTesting
public class StringSignerSecretProviderCreator {
/**
* @return a new StringSignerSecretProvider
* @throws Exception
*/
public static StringSignerSecretProvider newStringSignerSecretProvider()
throws Exception {
return new StringSignerSecretProvider();
}
}

3
hadoop-common-project/hadoop-common/CHANGES.txt
View File

@ -747,6 +747,9 @@ Release 2.7.0 - UNRELEASED
HADOOP-11738. Fix a link of Protocol Buffers 2.5 for download in BUILDING.txt. HADOOP-11738. Fix a link of Protocol Buffers 2.5 for download in BUILDING.txt.
(ozawa) (ozawa)
HADOOP-11748. The secrets of auth cookies should not be specified in
configuration in clear text. (Li Lu and Haohui Mai via wheat9)
Release 2.6.1 - UNRELEASED Release 2.6.1 - UNRELEASED
INCOMPATIBLE CHANGES INCOMPATIBLE CHANGES

6
hadoop-hdfs-project/hadoop-hdfs-httpfs/pom.xml
View File

@ -195,6 +195,12 @@
<scope>test</scope> <scope>test</scope>
<type>test-jar</type> <type>test-jar</type>
</dependency> </dependency>
<dependency>
<groupId>org.apache.hadoop</groupId>
<artifactId>hadoop-auth</artifactId>
<scope>test</scope>
<type>test-jar</type>
</dependency>
<dependency> <dependency>
<groupId>log4j</groupId> <groupId>log4j</groupId>
<artifactId>log4j</artifactId> <artifactId>log4j</artifactId>

6
hadoop-hdfs-project/hadoop-hdfs-httpfs/src/test/java/org/apache/hadoop/fs/http/server/TestHttpFSServer.java
View File

@ -18,6 +18,8 @@
package org.apache.hadoop.fs.http.server; package org.apache.hadoop.fs.http.server;
import org.apache.hadoop.hdfs.DFSConfigKeys; import org.apache.hadoop.hdfs.DFSConfigKeys;
import org.apache.hadoop.security.authentication.util.SignerSecretProvider;
import org.apache.hadoop.security.authentication.util.StringSignerSecretProviderCreator;
import org.apache.hadoop.security.token.delegation.web.DelegationTokenAuthenticator; import org.apache.hadoop.security.token.delegation.web.DelegationTokenAuthenticator;
import org.apache.hadoop.security.token.delegation.web.KerberosDelegationTokenAuthenticationHandler; import org.apache.hadoop.security.token.delegation.web.KerberosDelegationTokenAuthenticationHandler;
import org.json.simple.JSONArray; import org.json.simple.JSONArray;
@ -68,7 +70,6 @@ import org.mortbay.jetty.webapp.WebAppContext;
import com.google.common.collect.Maps; import com.google.common.collect.Maps;
import java.util.Properties; import java.util.Properties;
import org.apache.hadoop.security.authentication.server.AuthenticationFilter; import org.apache.hadoop.security.authentication.server.AuthenticationFilter;
import org.apache.hadoop.security.authentication.util.StringSignerSecretProvider;
public class TestHttpFSServer extends HFSTestCase { public class TestHttpFSServer extends HFSTestCase {
@ -687,7 +688,8 @@ public class TestHttpFSServer extends HFSTestCase {
new AuthenticationToken("u", "p", new AuthenticationToken("u", "p",
new KerberosDelegationTokenAuthenticationHandler().getType()); new KerberosDelegationTokenAuthenticationHandler().getType());
token.setExpires(System.currentTimeMillis() + 100000000); token.setExpires(System.currentTimeMillis() + 100000000);
StringSignerSecretProvider secretProvider = new StringSignerSecretProvider(); SignerSecretProvider secretProvider =
StringSignerSecretProviderCreator.newStringSignerSecretProvider();
Properties secretProviderProps = new Properties(); Properties secretProviderProps = new Properties();
secretProviderProps.setProperty(AuthenticationFilter.SIGNATURE_SECRET, "secret"); secretProviderProps.setProperty(AuthenticationFilter.SIGNATURE_SECRET, "secret");
secretProvider.init(secretProviderProps, null, -1); secretProvider.init(secretProviderProps, null, -1);