HADOOP-6620. NPE if renewer is passed as null in getDelegationToken. Contributed by Jitendra Pandey.

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@953896 13f79535-47bb-0310-9956-ffa450edef68
2010-06-11 22:48:15 +00:00 · 2010-06-11 22:48:15 +00:00 · fbdb249460
parent 6378822a67
commit fbdb249460
4 changed files with 51 additions and 5 deletions
--- a/CHANGES.txt
+++ b/CHANGES.txt
@ -81,6 +81,9 @@ Trunk (unreleased changes)
    HADOOP-6603. Provide workaround for issue with Kerberos not resolving 
    cross-realm principal (Kan Zhang and Jitendra Pandey via jghoman)

+    HADOOP-6620. NPE if renewer is passed as null in getDelegationToken.
+    (Jitendra Pandey via jghoman)
+
 Release 0.21.0 - Unreleased

  INCOMPATIBLE CHANGES
--- a/src/java/org/apache/hadoop/security/token/delegation/AbstractDelegationTokenIdentifier.java
+++ b/src/java/org/apache/hadoop/security/token/delegation/AbstractDelegationTokenIdentifier.java
@ -49,8 +49,16 @@ public AbstractDelegationTokenIdentifier() {
  }
  
  public AbstractDelegationTokenIdentifier(Text owner, Text renewer, Text realUser) {
-    this.owner = owner;
-    this.renewer = renewer;
+    if (owner == null) {
+      this.owner = new Text();
+    } else {
+      this.owner = owner;
+    }
+    if (renewer == null) {
+      this.renewer = new Text();
+    } else {
+      this.renewer = renewer;
+    }
    if (realUser == null) {
      this.realUser = new Text();
    } else {
@ -170,4 +178,14 @@ public void write(DataOutput out) throws IOException {
    WritableUtils.writeVInt(out, sequenceNumber);
    WritableUtils.writeVInt(out, masterKeyId);
  }
+  
+  public String toString() {
+    StringBuilder buffer = new StringBuilder();
+    buffer
+        .append("owner=" + owner + ", renewer=" + renewer + ", realUser="
+            + realUser + ", issueDate=" + issueDate + ", maxDate=" + maxDate
+            + ", sequenceNumber=" + sequenceNumber + ", masterKeyId="
+            + masterKeyId);
+    return buffer.toString();
+  }
 }
--- a/src/java/org/apache/hadoop/security/token/delegation/AbstractDelegationTokenSecretManager.java
+++ b/src/java/org/apache/hadoop/security/token/delegation/AbstractDelegationTokenSecretManager.java
@ -178,6 +178,7 @@ private synchronized void removeExpiredKeys() {
  
  @Override
  protected synchronized byte[] createPassword(TokenIdent identifier) {
+    LOG.info("Creating password for identifier: "+identifier);
    int sequenceNum;
    long now = System.currentTimeMillis();
    sequenceNum = ++delegationTokenSequenceNumber;
@ -220,12 +221,13 @@ public synchronized long renewToken(Token<TokenIdent> token,
    DataInputStream in = new DataInputStream(buf);
    TokenIdent id = createIdentifier();
    id.readFields(in);
-
+    LOG.info("Token renewal requested for identifier: "+id);
+    
    if (id.getMaxDate() < now) {
      throw new InvalidToken("User " + renewer + 
                             " tried to renew an expired token");
    }
-    if (id.getRenewer() == null) {
+    if ((id.getRenewer() == null) || ("".equals(id.getRenewer().toString()))) {
      throw new AccessControlException("User " + renewer + 
                                       " tried to renew a token without " +
                                       "a renewer");
@ -271,13 +273,16 @@ public synchronized TokenIdent cancelToken(Token<TokenIdent> token,
    DataInputStream in = new DataInputStream(buf);
    TokenIdent id = createIdentifier();
    id.readFields(in);
+    LOG.info("Token cancelation requested for identifier: "+id);
+    
    if (id.getUser() == null) {
      throw new InvalidToken("Token with no owner");
    }
    String owner = id.getUser().getUserName();
    Text renewer = id.getRenewer();
    if (!canceller.equals(owner)
-        && (renewer == null || !canceller.equals(renewer.toString()))) {
+        && (renewer == null || "".equals(renewer.toString()) || !canceller
+            .equals(renewer.toString()))) {
      throw new AccessControlException(canceller
          + " is not authorized to cancel the token");
    }
--- a/src/test/core/org/apache/hadoop/security/token/delegation/TestDelegationToken.java
+++ b/src/test/core/org/apache/hadoop/security/token/delegation/TestDelegationToken.java
@ -365,4 +365,24 @@ public void run() {
      dtSecretManager.stopThreads();
    }
  }
+  
+  @Test 
+  public void testDelegationTokenNullRenewer() throws Exception {
+    TestDelegationTokenSecretManager dtSecretManager = 
+      new TestDelegationTokenSecretManager(24*60*60*1000,
+        10*1000,1*1000,3600000);
+    dtSecretManager.startThreads();
+    TestDelegationTokenIdentifier dtId = new TestDelegationTokenIdentifier(new Text(
+        "theuser"), null, null);
+    Token<TestDelegationTokenIdentifier> token = new Token<TestDelegationTokenIdentifier>(
+        dtId, dtSecretManager);
+    Assert.assertTrue(token != null);
+    try {
+      dtSecretManager.renewToken(token, "");
+      Assert.fail("Renewal must not succeed");
+    } catch (IOException e) {
+      //PASS
+    }
+  }
+
 }