HADOOP-6600. mechanism for authorization check for inter-server protocols
git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@944012 13f79535-47bb-0310-9956-ffa450edef68
This commit is contained in:
Boris Shkolnik
parent
21476f0b09
commit
d9b6103f8f
|
|
@ -4,6 +4,9 @@ Trunk (unreleased changes)
|
||||||
|
|
||||||
IMPROVEMENTS
|
IMPROVEMENTS
|
||||||
|
|
||||||
|
HADOOP-6600. mechanism for authorization check for inter-server
|
||||||
|
protocols. (boryas)
|
||||||
|
|
||||||
HADOOP-6623. Add StringUtils.split for non-escaped single-character
|
HADOOP-6623. Add StringUtils.split for non-escaped single-character
|
||||||
separator. (Todd Lipcon via tomwhite)
|
separator. (Todd Lipcon via tomwhite)
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -253,7 +253,7 @@ public Connection(ConnectionId remoteId) throws IOException {
|
||||||
}
|
}
|
||||||
KerberosInfo krbInfo = protocol.getAnnotation(KerberosInfo.class);
|
KerberosInfo krbInfo = protocol.getAnnotation(KerberosInfo.class);
|
||||||
if (krbInfo != null) {
|
if (krbInfo != null) {
|
||||||
String serverKey = krbInfo.value();
|
String serverKey = krbInfo.serverPrincipal();
|
||||||
if (serverKey != null) {
|
if (serverKey != null) {
|
||||||
serverPrincipal = conf.get(serverKey);
|
serverPrincipal = conf.get(serverKey);
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
@ -1615,7 +1615,7 @@ public void authorize(UserGroupInformation user,
|
||||||
throw new AuthorizationException("Unknown protocol: " +
|
throw new AuthorizationException("Unknown protocol: " +
|
||||||
connection.getProtocol());
|
connection.getProtocol());
|
||||||
}
|
}
|
||||||
ServiceAuthorizationManager.authorize(user, protocol);
|
ServiceAuthorizationManager.authorize(user, protocol, getConf());
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -27,5 +27,6 @@
|
||||||
@Target(ElementType.TYPE)
|
@Target(ElementType.TYPE)
|
||||||
public @interface KerberosInfo {
|
public @interface KerberosInfo {
|
||||||
/** Key for getting server's Kerberos principal name from Configuration */
|
/** Key for getting server's Kerberos principal name from Configuration */
|
||||||
String value();
|
String serverPrincipal();
|
||||||
|
String clientPrincipal() default "";
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
@ -24,6 +24,7 @@
|
||||||
import org.apache.commons.logging.LogFactory;
|
import org.apache.commons.logging.LogFactory;
|
||||||
import org.apache.hadoop.conf.Configuration;
|
import org.apache.hadoop.conf.Configuration;
|
||||||
import org.apache.hadoop.fs.CommonConfigurationKeys;
|
import org.apache.hadoop.fs.CommonConfigurationKeys;
|
||||||
|
import org.apache.hadoop.security.KerberosInfo;
|
||||||
import org.apache.hadoop.security.UserGroupInformation;
|
import org.apache.hadoop.security.UserGroupInformation;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
|
@ -62,18 +63,30 @@ public class ServiceAuthorizationManager {
|
||||||
* @throws AuthorizationException on authorization failure
|
* @throws AuthorizationException on authorization failure
|
||||||
*/
|
*/
|
||||||
public static void authorize(UserGroupInformation user,
|
public static void authorize(UserGroupInformation user,
|
||||||
Class<?> protocol
|
Class<?> protocol,
|
||||||
|
Configuration conf
|
||||||
) throws AuthorizationException {
|
) throws AuthorizationException {
|
||||||
AccessControlList acl = protocolToAcl.get(protocol);
|
AccessControlList acl = protocolToAcl.get(protocol);
|
||||||
if (acl == null) {
|
if (acl == null) {
|
||||||
throw new AuthorizationException("Protocol " + protocol +
|
throw new AuthorizationException("Protocol " + protocol +
|
||||||
" is not known.");
|
" is not known.");
|
||||||
}
|
}
|
||||||
if (!acl.isUserAllowed(user)) {
|
|
||||||
|
// get client principal key to verify (if available)
|
||||||
|
KerberosInfo krbInfo = protocol.getAnnotation(KerberosInfo.class);
|
||||||
|
String clientPrincipal = null;
|
||||||
|
if (krbInfo != null) {
|
||||||
|
String clientKey = krbInfo.clientPrincipal();
|
||||||
|
if (clientKey != null && !clientKey.equals("")) {
|
||||||
|
clientPrincipal = conf.get(clientKey);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
if((clientPrincipal != null && !clientPrincipal.equals(user.getUserName())) ||
|
||||||
|
!acl.isUserAllowed(user)) {
|
||||||
auditLOG.warn(AUTHZ_FAILED_FOR + user + " for protocol="+protocol);
|
auditLOG.warn(AUTHZ_FAILED_FOR + user + " for protocol="+protocol);
|
||||||
throw new AuthorizationException("User " + user +
|
throw new AuthorizationException("User " + user +
|
||||||
" is not authorized for protocol " +
|
" is not authorized for protocol " +
|
||||||
protocol);
|
protocol);
|
||||||
}
|
}
|
||||||
auditLOG.info(AUTHZ_SUCCESSFULL_FOR + user + " for protocol="+protocol);
|
auditLOG.info(AUTHZ_SUCCESSFULL_FOR + user + " for protocol="+protocol);
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
@ -101,7 +101,8 @@ protected TestDelegationTokenSelector() {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@KerberosInfo(USER_NAME_KEY)
|
@KerberosInfo(
|
||||||
|
serverPrincipal=USER_NAME_KEY)
|
||||||
@TokenInfo(TestDelegationTokenSelector.class)
|
@TokenInfo(TestDelegationTokenSelector.class)
|
||||||
public static interface MiniProtocol extends VersionedProtocol {
|
public static interface MiniProtocol extends VersionedProtocol {
|
||||||
public static final long versionID = 1L;
|
public static final long versionID = 1L;
|
||||||
|
|
|
||||||
|
|
@ -162,7 +162,8 @@ public Token<TestTokenIdentifier> selectToken(Text service,
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@KerberosInfo(SERVER_PRINCIPAL_KEY)
|
@KerberosInfo(
|
||||||
|
serverPrincipal = SERVER_PRINCIPAL_KEY)
|
||||||
@TokenInfo(TestTokenSelector.class)
|
@TokenInfo(TestTokenSelector.class)
|
||||||
public interface TestSaslProtocol extends TestRPC.TestProtocol {
|
public interface TestSaslProtocol extends TestRPC.TestProtocol {
|
||||||
public AuthenticationMethod getAuthMethod() throws IOException;
|
public AuthenticationMethod getAuthMethod() throws IOException;
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue