diff --git a/hadoop-hdfs-project/hadoop-hdfs-httpfs/src/main/java/org/apache/hadoop/fs/http/server/HttpFSServer.java b/hadoop-hdfs-project/hadoop-hdfs-httpfs/src/main/java/org/apache/hadoop/fs/http/server/HttpFSServer.java
index 95c494206d9..cf9048528b6 100644
--- a/hadoop-hdfs-project/hadoop-hdfs-httpfs/src/main/java/org/apache/hadoop/fs/http/server/HttpFSServer.java
+++ b/hadoop-hdfs-project/hadoop-hdfs-httpfs/src/main/java/org/apache/hadoop/fs/http/server/HttpFSServer.java
@@ -49,6 +49,7 @@ import org.apache.hadoop.lib.service.ProxyUser;
 import org.apache.hadoop.lib.servlet.FileSystemReleaseFilter;
 import org.apache.hadoop.lib.servlet.HostnameFilter;
 import org.apache.hadoop.lib.wsrs.InputStreamEntity;
+import org.apache.hadoop.security.authentication.server.AuthenticationToken;
 import org.json.simple.JSONObject;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -145,9 +146,15 @@ public class HttpFSServer {
 String effectiveUser = user.getName();
 if (doAs != null && !doAs.equals(user.getName())) {
 ProxyUser proxyUser = HttpFSServerWebApp.get().get(ProxyUser.class);
- proxyUser.validate(user.getName(), HostnameFilter.get(), doAs);
+ String proxyUserName;
+ if (user instanceof AuthenticationToken) {
+ proxyUserName = ((AuthenticationToken)user).getUserName();
+ } else {
+ proxyUserName = user.getName();
+ }
+ proxyUser.validate(proxyUserName, HostnameFilter.get(), doAs);
 effectiveUser = doAs;
- AUDIT_LOG.info("Proxy user [{}] DoAs user [{}]", user.getName(), doAs);
+ AUDIT_LOG.info("Proxy user [{}] DoAs user [{}]", proxyUserName, doAs);
 }
 return effectiveUser;
 }
diff --git a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
index a8996db6fe0..6d0b6c02bd2 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
+++ b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
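Review bot: The audit line at the end of the `doAs` branch in the `-145,9 +146,15` hunk now records only the short name, so the caller's Kerberos realm is no longer visible in the proxy-user audit trail, and two principals from different realms that map to the same short name would look identical there. Consider logging both, e.g. `AUDIT_LOG.info("Proxy user [{}] principal [{}] DoAs user [{}]", proxyUserName, user.getName(), doAs);`. The guard `!doAs.equals(user.getName())` and the initial `effectiveUser = user.getName()` still use the unshortened name, so (assuming `getName()` returns the full principal for an `AuthenticationToken`) a caller that passes its own short name as `doAs` is sent through proxy validation, and the no-`doAs` path returns the full principal as the effective user; it is worth confirming both are intended. The enclosing method starts above the hunk, so the declared type of `user` and how it is populated are not visible here.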
@@ -254,6 +254,9 @@ Release 2.0.1-alpha - UNRELEASED use the stored generation stamp to check if the block is valid. (Vinay via szetszwo) + HDFS-3460. HttpFS proxyuser validation with Kerberos ON uses full + principal name. (tucu) + Release 2.0.0-alpha - UNRELEASED INCOMPATIBLE CHANGES