HADOOP-10941. Proxy user verification NPEs if remote host is unresolvable (Benoy Antony via stevel).

hadoop-common-project/hadoop-common/CHANGES.txt

@@ -655,6 +655,9 @@ Release 2.8.0 - UNRELEASED
     HADOOP-11628. SPNEGO auth does not work with CNAMEs in JDK8.
     (Daryn Sharp via stevel).
 
+    HADOOP-10941. Proxy user verification NPEs if remote host is unresolvable.
+    (Benoy Antony via stevel).
+
   OPTIMIZATIONS
 
     HADOOP-12051. ProtobufRpcEngine.invoke() should use Exception.toString()

hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/authorize/DefaultImpersonationProvider.java

@@ -108,6 +108,10 @@ public Configuration getConf() {
   public void authorize(UserGroupInformation user, 
       String remoteAddress) throws AuthorizationException {
     
+    if (user == null) {
+      throw new IllegalArgumentException("user is null.");
+    }
+
     UserGroupInformation realUser = user.getRealUser();
     if (realUser == null) {
       return;

hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/util/MachineList.java

@@ -18,7 +18,6 @@
 package org.apache.hadoop.util;
 
 import java.net.InetAddress;
-
 import java.net.UnknownHostException;
 import java.util.ArrayList;
 import java.util.Collection;
@@ -141,6 +140,10 @@ public boolean includes(String ipAddress) {
       return true;
     }
     
+    if (ipAddress == null) {
+      throw new IllegalArgumentException("ipAddress is null.");
+    }
+
     //check in the set of ipAddresses
     if ((ipAddresses != null) && ipAddresses.contains(ipAddress)) {
       return true;

hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/authorize/TestProxyUsers.java

@@ -334,6 +334,45 @@ public void testIPRange() {
     assertNotAuthorized(proxyUserUgi, "10.221.0.0");
   }
 
+  @Test(expected = IllegalArgumentException.class)
+  public void testNullUser() throws Exception {
+    Configuration conf = new Configuration();
+    conf.set(
+        DefaultImpersonationProvider.getTestProvider().
+            getProxySuperuserGroupConfKey(REAL_USER_NAME),
+        "*");
+    conf.set(
+        DefaultImpersonationProvider.getTestProvider().
+            getProxySuperuserIpConfKey(REAL_USER_NAME),
+        PROXY_IP_RANGE);
+    ProxyUsers.refreshSuperUserGroupsConfiguration(conf);
+    // user is null
+    ProxyUsers.authorize(null, "10.222.0.0");
+  }
+
+  @Test(expected = IllegalArgumentException.class)
+  public void testNullIpAddress() throws Exception {
+    Configuration conf = new Configuration();
+    conf.set(
+        DefaultImpersonationProvider.getTestProvider().
+            getProxySuperuserGroupConfKey(REAL_USER_NAME),
+        "*");
+    conf.set(
+        DefaultImpersonationProvider.getTestProvider().
+            getProxySuperuserIpConfKey(REAL_USER_NAME),
+        PROXY_IP_RANGE);
+    ProxyUsers.refreshSuperUserGroupsConfiguration(conf);
+
+    // First try proxying a group that's allowed
+    UserGroupInformation realUserUgi = UserGroupInformation
+        .createRemoteUser(REAL_USER_NAME);
+    UserGroupInformation proxyUserUgi = UserGroupInformation.createProxyUserForTesting(
+        PROXY_USER_NAME, realUserUgi, GROUP_NAMES);
+
+    // remote address is null
+    ProxyUsers.authorize(proxyUserUgi, null);
+  }
+
   @Test
   public void testWithDuplicateProxyGroups() throws Exception {
     Configuration conf = new Configuration();

hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/util/TestMachineList.java

@@ -176,7 +176,15 @@ public void testCIDRs() {
 
     //test for exclusion with an unknown IP
     assertFalse(ml.includes("10.119.103.111"));
+  }
 
+  @Test(expected = IllegalArgumentException.class)
+  public void testNullIpAddress() {
+    //create MachineList with a list of of ip ranges specified in CIDR format
+    MachineList ml = new MachineList(CIDR_LIST);
+
+    //test for exclusion with a null IP
+    assertFalse(ml.includes(null));
   }
 
   @Test