HDFS-14006. Refactor name node to allow different token verification implementations. Contributed by CR Hota.

(cherry picked from commit 00d5e631b5)
Giovanni Matteo Fumarola 2018-12-14 11:10:54 -08:00 committed by Wei-Chiu Chuang
parent 152cbc6457
commit eca7bc7ac4
4 changed files with 53 additions and 5 deletions


@ -23,7 +23,6 @@ import org.slf4j.LoggerFactory;
import org.apache.hadoop.classification.InterfaceAudience;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.hdfs.security.token.delegation.DelegationTokenIdentifier;
import org.apache.hadoop.hdfs.server.namenode.NameNode;
import org.apache.hadoop.hdfs.server.namenode.NameNodeHttpServer;
import org.apache.hadoop.hdfs.web.resources.DelegationParam;
import org.apache.hadoop.hdfs.web.resources.DoAsParam;
@ -176,10 +175,11 @@ public class JspHelper {
DelegationTokenIdentifier id = new DelegationTokenIdentifier();
id.readFields(in);
if (context != null) {
final NameNode nn = NameNodeHttpServer.getNameNodeFromContext(context);
if (nn != null) {
final TokenVerifier<DelegationTokenIdentifier> tokenVerifier =
NameNodeHttpServer.getTokenVerifierFromContext(context);
if (tokenVerifier != null) {
// Verify the token.
nn.getNamesystem().verifyToken(id, token.getPassword());
tokenVerifier.verifyToken(id, token.getPassword());
}
}
UserGroupInformation ugi = id.getUser();
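Review bot: The `if (tokenVerifier != null)` guard fails open: when the servlet context carries no verifier, `verifyToken` is skipped and execution still reaches `id.getUser()` with an identifier whose password was never checked. The old `nn != null` test behaved the same way, but with a pluggable verifier a context that was set up without the attribute would skip verification with nothing in the visible code recording it. If a missing verifier is never expected when `context` is non-null, consider rejecting instead, e.g. `else { throw new IOException("No token verifier available in servlet context"); }`; if it is expected, a comment naming the callers that rely on it would help. The enclosing method starts and ends outside this hunk, so any later check is not visible here.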


@ -0,0 +1,35 @@
/**
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.apache.hadoop.hdfs.server.common;
import java.io.IOException;
import org.apache.hadoop.security.token.delegation.AbstractDelegationTokenIdentifier;
/**
* Interface to verify delegation tokens passed through WebHDFS.
* Implementations are intercepted by JspHelper that pass delegation token
* for verification.
*/
public interface TokenVerifier<T extends AbstractDelegationTokenIdentifier> {
/* Verify delegation token passed through WebHDFS
* Name node, Router implement this for JspHelper to verify token
*/
void verifyToken(T t, byte[] password) throws IOException;
}
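Review bot: The comment on `verifyToken` is a plain `/* ... */` block, so it will not appear in the generated Javadoc, and it does not state the contract an implementer has to meet. I would turn it into a `/** ... */` comment saying that the method must throw `IOException` when the token is not valid or the password does not match, and return normally only for a verified token, with `@param` entries for the identifier and the password. This matters because the JspHelper caller in this commit treats a normal return as successful verification and goes on to derive the user from the identifier.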


@ -47,6 +47,7 @@ import org.apache.hadoop.hdfs.client.HdfsClientConfigKeys;
import org.apache.hadoop.hdfs.protocol.ClientProtocol;
import org.apache.hadoop.hdfs.protocol.HdfsConstants;
import org.apache.hadoop.hdfs.protocol.HdfsConstants.StoragePolicySatisfierMode;
import org.apache.hadoop.hdfs.security.token.delegation.DelegationTokenIdentifier;
import org.apache.hadoop.hdfs.server.aliasmap.InMemoryAliasMap;
import org.apache.hadoop.hdfs.server.aliasmap.InMemoryLevelDBAliasMapServer;
import org.apache.hadoop.hdfs.server.blockmanagement.BlockManager;
@ -56,6 +57,7 @@ import org.apache.hadoop.hdfs.server.common.HdfsServerConstants.RollingUpgradeSt
import org.apache.hadoop.hdfs.server.common.HdfsServerConstants.StartupOption;
import org.apache.hadoop.hdfs.server.common.MetricsLoggerTask;
import org.apache.hadoop.hdfs.server.common.Storage.StorageDirectory;
import org.apache.hadoop.hdfs.server.common.TokenVerifier;
import org.apache.hadoop.hdfs.server.namenode.ha.ActiveState;
import org.apache.hadoop.hdfs.server.namenode.ha.BootstrapStandby;
import org.apache.hadoop.hdfs.server.namenode.ha.HAContext;
@ -217,7 +219,7 @@ import static org.apache.hadoop.fs.CommonConfigurationKeys.IPC_BACKOFF_ENABLE_DE
**********************************************************/
@InterfaceAudience.Private
public class NameNode extends ReconfigurableBase implements
NameNodeStatusMXBean {
NameNodeStatusMXBean, TokenVerifier<DelegationTokenIdentifier> {
static{
HdfsConfiguration.init();
}
@ -674,6 +676,11 @@ public class NameNode extends ReconfigurableBase implements
return (ugi != null) ? ugi : UserGroupInformation.getCurrentUser();
}
@Override
public void verifyToken(DelegationTokenIdentifier id, byte[] password)
throws IOException {
namesystem.verifyToken(id, password);
}
/**
* Login as the configured user for the NameNode.
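Review bot: The new `verifyToken` override dereferences the `namesystem` field directly. If that field can still be null while the HTTP server is already answering requests (its lifecycle is not visible in this hunk), a WebHDFS call carrying a delegation token would fail with a NullPointerException instead of the `IOException` the interface declares. A guard such as `if (namesystem == null) { throw new IOException("Namesystem is not available"); }` would keep the failure on the declared path. A one-line Javadoc stating that verification is delegated to the namesystem would also help readers of the interface implementation.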


@ -37,6 +37,7 @@ import org.apache.hadoop.hdfs.DFSConfigKeys;
import org.apache.hadoop.hdfs.DFSUtil;
import org.apache.hadoop.hdfs.client.HdfsClientConfigKeys;
import org.apache.hadoop.hdfs.server.common.JspHelper;
import org.apache.hadoop.hdfs.server.common.TokenVerifier;
import org.apache.hadoop.hdfs.server.namenode.startupprogress.StartupProgress;
import org.apache.hadoop.hdfs.server.namenode.web.resources.NamenodeWebHdfsMethods;
import org.apache.hadoop.hdfs.web.AuthFilter;
@ -311,6 +312,11 @@ public class NameNodeHttpServer {
return (NameNode)context.getAttribute(NAMENODE_ATTRIBUTE_KEY);
}
public static TokenVerifier
getTokenVerifierFromContext(ServletContext context) {
return (TokenVerifier) context.getAttribute(NAMENODE_ATTRIBUTE_KEY);
}
static Configuration getConfFromContext(ServletContext context) {
return (Configuration)context.getAttribute(JspHelper.CURRENT_CONF);
}
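Review bot: `getTokenVerifierFromContext` returns the raw type `TokenVerifier` and casts whatever is stored under `NAMENODE_ATTRIBUTE_KEY`, so the assignment in JspHelper to `TokenVerifier<DelegationTokenIdentifier>` is an unchecked conversion. Declaring the return type as `TokenVerifier<DelegationTokenIdentifier>` would keep the generic contract visible at the call site (this needs the identifier import, which is not among the import lines shown here). The method also has no Javadoc; it should say that the attribute is the same one read by `getNameNodeFromContext`, so a context that stores a non-NameNode verifier under that key will make that method's `(NameNode)` cast fail.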