diff --git a/hadoop-common-project/hadoop-common/CHANGES.txt b/hadoop-common-project/hadoop-common/CHANGES.txt index 323862aad40..dae9fdbeaa4 100644 --- a/hadoop-common-project/hadoop-common/CHANGES.txt +++ b/hadoop-common-project/hadoop-common/CHANGES.txt @@ -57,6 +57,9 @@ Release 2.5.0 - UNRELEASED HADOOP-10618. Remove SingleNodeSetup.apt.vm. (Akira Ajisaka via Arpit Agarwal) + HADOOP-10566. Refactor proxyservers out of ProxyUsers. (Benoy Antony via + Arpit Agarwal) + OPTIMIZATIONS BUG FIXES diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/authorize/ProxyServers.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/authorize/ProxyServers.java new file mode 100644 index 00000000000..410e25f5839 --- /dev/null +++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/authorize/ProxyServers.java 
@@ -0,0 +1,53 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.hadoop.security.authorize;
+
+import java.net.InetSocketAddress;
+import java.util.Collection;
+import java.util.HashSet;
+
+import org.apache.hadoop.conf.Configuration;
+
+public class ProxyServers {
+ public static final String CONF_HADOOP_PROXYSERVERS = "hadoop.proxyservers";
+ private static volatile Collection proxyServers;
+
+ public static void refresh() {
+ refresh(new Configuration());
+ }
+
+ public static void refresh(Configuration conf){
+ Collection tempServers = new HashSet();
+ // trusted proxy servers such as http proxies
+ for (String host : conf.getTrimmedStrings(CONF_HADOOP_PROXYSERVERS)) {
+ InetSocketAddress addr = new InetSocketAddress(host, 0);
+ if (!addr.isUnresolved()) {
+ tempServers.add(addr.getAddress().getHostAddress());
+ }
+ }
+ proxyServers = tempServers;
+ }
+
+ public static boolean isProxyServer(String remoteAddr) {
+ if (proxyServers == null) {
+ refresh();
+ }
+ return proxyServers.contains(remoteAddr);
+ }
+}
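Review bot: In `refresh(Configuration)`, a `hadoop.proxyservers` entry that does not resolve is skipped without any log line, so a typo or a DNS failure at refresh time quietly drops a proxy from the trust list and requests arriving through it are then attributed to the proxy's own address. Failing closed is the right default, but the operator should be told; an `else` branch such as `LOG.warn("Ignoring unresolvable " + CONF_HADOOP_PROXYSERVERS + " entry: " + host);` would do (the class has no logger yet, so one would have to be added). Names are also resolved once per refresh and to a single address via `new InetSocketAddress(host, 0)`, so a proxy whose address changes, or that has several addresses, stays mis-listed until the next refresh. A class Javadoc stating that this set decides whose `X-Forwarded-For` header is honoured, and that IP literals are the safer configuration, would make the trust implication explicit.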
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/authorize/ProxyUsers.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/authorize/ProxyUsers.java index 4d14ece3e64..9fa232b184f 100644 --- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/authorize/ProxyUsers.java +++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/authorize/ProxyUsers.java @@ -42,7 +42,6 @@ public class ProxyUsers { private static final String CONF_GROUPS = ".groups"; private static final String CONF_HADOOP_PROXYUSER = "hadoop.proxyuser."; private static final String CONF_HADOOP_PROXYUSER_RE = "hadoop\\.proxyuser\\."; - public static final String CONF_HADOOP_PROXYSERVERS = "hadoop.proxyservers"; private static boolean init = false; //list of users, groups and hosts per proxyuser @@ -52,8 +51,6 @@ public class ProxyUsers { new HashMap>(); private static Map> proxyHosts = new HashMap>(); - private static Collection proxyServers = - new HashSet(); /** * reread the conf and get new values for "hadoop.proxyuser.*.groups/users/hosts" @@ -73,7 +70,6 @@ public class ProxyUsers { proxyGroups.clear(); proxyHosts.clear(); proxyUsers.clear(); - proxyServers.clear(); // get all the new keys for users String regex = CONF_HADOOP_PROXYUSER_RE+"[^.]*\\"+CONF_USERS; 
@@ -98,22 +94,8 @@ public class ProxyUsers { proxyHosts.put(entry.getKey(), StringUtils.getTrimmedStringCollection(entry.getValue())); } - - // trusted proxy servers such as http proxies - for (String host : conf.getTrimmedStrings(CONF_HADOOP_PROXYSERVERS)) { - InetSocketAddress addr = new InetSocketAddress(host, 0); - if (!addr.isUnresolved()) { - proxyServers.add(addr.getAddress().getHostAddress()); - } - } init = true; - } - - public static synchronized boolean isProxyServer(String remoteAddr) { - if(!init) { - refreshSuperUserGroupsConfiguration(); - } - return proxyServers.contains(remoteAddr); + ProxyServers.refresh(conf); } /** diff --git a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/authorize/TestProxyServers.java b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/authorize/TestProxyServers.java new file mode 100644 index 00000000000..858fb7b1a8b --- /dev/null +++ b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/authorize/TestProxyServers.java 
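Review bot: The public `ProxyUsers.isProxyServer(String)` is removed here, and the public `CONF_HADOOP_PROXYSERVERS` constant in the first hunk of this file, with no delegate left behind, so any caller outside the files touched by this commit stops compiling; whether such callers exist cannot be seen from this diff. If the class is consumed by other modules or downstream projects, a deprecated forwarder would keep them working: `@Deprecated public static boolean isProxyServer(String remoteAddr) { return ProxyServers.isProxyServer(remoteAddr); }`. Note also that `init = true` is set before `ProxyServers.refresh(conf)` runs, so an exception from the proxy-server refresh leaves `ProxyUsers` marked initialised; the enclosing method starts above this hunk.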
@@ -0,0 +1,38 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.security.authorize;
+
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertTrue;
+
+import org.apache.hadoop.conf.Configuration;
+import org.junit.Test;
+
+public class TestProxyServers {
+
+ @Test
+ public void testProxyServer() {
+ Configuration conf = new Configuration();
+ assertFalse(ProxyServers.isProxyServer("1.1.1.1"));
+ conf.set(ProxyServers.CONF_HADOOP_PROXYSERVERS, "2.2.2.2, 3.3.3.3");
+ ProxyUsers.refreshSuperUserGroupsConfiguration(conf);
+ assertFalse(ProxyServers.isProxyServer("1.1.1.1"));
+ assertTrue(ProxyServers.isProxyServer("2.2.2.2"));
+ assertTrue(ProxyServers.isProxyServer("3.3.3.3"));
+ }
+}
diff --git a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/authorize/TestProxyUsers.java b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/authorize/TestProxyUsers.java
index b57bd49b385..06504807726 100644
--- a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/authorize/TestProxyUsers.java
+++ b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/authorize/TestProxyUsers.java @@ -238,17 +238,6 @@ public class TestProxyUsers { assertEquals (1,hosts.size()); } - @Test - public void testProxyServer() { - Configuration conf = new Configuration(); - assertFalse(ProxyUsers.isProxyServer("1.1.1.1")); - conf.set(ProxyUsers.CONF_HADOOP_PROXYSERVERS, "2.2.2.2, 3.3.3.3"); - ProxyUsers.refreshSuperUserGroupsConfiguration(conf); - assertFalse(ProxyUsers.isProxyServer("1.1.1.1")); - assertTrue(ProxyUsers.isProxyServer("2.2.2.2")); - assertTrue(ProxyUsers.isProxyServer("3.3.3.3")); - } - private void assertNotAuthorized(UserGroupInformation proxyUgi, String host) { try { ProxyUsers.authorize(proxyUgi, host); diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/common/JspHelper.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/common/JspHelper.java index cc12ad7b370..6c0d23f3e49 100644 --- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/common/JspHelper.java +++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/common/JspHelper.java @@ -76,6 +76,7 @@ import org.apache.hadoop.security.SecurityUtil; import org.apache.hadoop.security.UserGroupInformation; import org.apache.hadoop.security.UserGroupInformation.AuthenticationMethod; import org.apache.hadoop.security.authentication.util.KerberosName; +import org.apache.hadoop.security.authorize.ProxyServers; import org.apache.hadoop.security.authorize.ProxyUsers; import org.apache.hadoop.security.token.Token; import org.apache.hadoop.util.VersionInfo; 
@@ -672,7 +673,7 @@ public class JspHelper { public static String getRemoteAddr(HttpServletRequest request) { String remoteAddr = request.getRemoteAddr(); String proxyHeader = request.getHeader("X-Forwarded-For"); - if (proxyHeader != null && ProxyUsers.isProxyServer(remoteAddr)) { + if (proxyHeader != null && ProxyServers.isProxyServer(remoteAddr)) { final String clientAddr = proxyHeader.split(",")[0].trim(); if (!clientAddr.isEmpty()) { remoteAddr = clientAddr; diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/common/TestJspHelper.java b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/common/TestJspHelper.java index 6d24c20533b..ee81432f29a 100644 --- a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/common/TestJspHelper.java +++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/common/TestJspHelper.java @@ -58,6 +58,7 @@ import org.apache.hadoop.io.Text; import org.apache.hadoop.security.UserGroupInformation; import org.apache.hadoop.security.UserGroupInformation.AuthenticationMethod; import org.apache.hadoop.security.authorize.AuthorizationException; +import org.apache.hadoop.security.authorize.ProxyServers; import org.apache.hadoop.security.authorize.ProxyUsers; import org.apache.hadoop.security.token.Token; import org.apache.hadoop.security.token.TokenIdentifier; @@ -645,7 +646,7 @@ public class TestJspHelper { when(req.getRemoteAddr()).thenReturn(proxyAddr); when(req.getHeader("X-Forwarded-For")).thenReturn(clientAddr); if (trusted) { - conf.set(ProxyUsers.CONF_HADOOP_PROXYSERVERS, proxyAddr); + conf.set(ProxyServers.CONF_HADOOP_PROXYSERVERS, proxyAddr); } } ProxyUsers.refreshSuperUserGroupsConfiguration(conf); 
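Review bot: In `getRemoteAddr`, the address taken from the header is `proxyHeader.split(",")[0]`, the entry furthest from the trusted proxy; when a proxy appends to an existing `X-Forwarded-For` instead of replacing it, that first entry is whatever the original request carried. `ProxyServers.isProxyServer(remoteAddr)` only establishes that the last hop is trusted, not that the first list element was written by it, and the returned value appears to reach the audit log (TestAuditLogger asserts on `remoteAddr`). For a single trusted hop, reading the entry that hop appended is safer: `String[] hops = proxyHeader.split(",");` followed by `final String clientAddr = hops[hops.length - 1].trim();`. Otherwise, document next to `hadoop.proxyservers` that every listed proxy must overwrite inbound `X-Forwarded-For`. The method body continues past the end of this hunk.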
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/TestAuditLogger.java b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/TestAuditLogger.java index 8d1a70ec854..8d40cd01c5e 100644 --- a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/TestAuditLogger.java +++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/TestAuditLogger.java @@ -32,14 +32,15 @@ import java.net.URISyntaxException; import org.apache.hadoop.conf.Configuration; import org.apache.hadoop.fs.FileStatus; import org.apache.hadoop.fs.FileSystem; -import org.apache.hadoop.fs.permission.FsPermission; import org.apache.hadoop.fs.Path; +import org.apache.hadoop.fs.permission.FsPermission; import org.apache.hadoop.hdfs.HdfsConfiguration; import org.apache.hadoop.hdfs.MiniDFSCluster; import org.apache.hadoop.hdfs.web.resources.GetOpParam; import org.apache.hadoop.ipc.RemoteException; import org.apache.hadoop.net.NetUtils; import org.apache.hadoop.security.authorize.ProxyUsers; +import org.apache.hadoop.security.authorize.ProxyServers; import org.junit.Before; import org.junit.Test; @@ -120,7 +121,7 @@ public class TestAuditLogger { assertEquals("127.0.0.1", DummyAuditLogger.remoteAddr); // trusted proxied request - conf.set(ProxyUsers.CONF_HADOOP_PROXYSERVERS, "127.0.0.1"); + conf.set(ProxyServers.CONF_HADOOP_PROXYSERVERS, "127.0.0.1"); ProxyUsers.refreshSuperUserGroupsConfiguration(conf); conn = (HttpURLConnection) uri.toURL().openConnection(); conn.setRequestMethod(op.getType().toString());