From jgho...@apache.org
Subject svn commit: r948573 - in /hadoop/common/trunk: ./ ivy/ src/java/org/apache/hadoop/ipc/ src/java/org/apache/hadoop/security/ src/java/org/apache/hadoop/security/token/delegation/ src/test/core/org/apache/hadoop/ipc/ src/test/core/org/apache/hadoop/secur...
Date Wed, 26 May 2010 20:31:49 GMT
Author: jghoman
Date: Wed May 26 20:31:48 2010
New Revision: 948573

URL: http://svn.apache.org/viewvc?rev=948573&view=rev
Log:
HADOOP-6581. Add authenticated TokenIdentifiers to UGI so that they can be used for authorization.
Kan Zhang and Jitendra Pandey via jghoman.

Modified:
    hadoop/common/trunk/CHANGES.txt
    hadoop/common/trunk/ivy/libraries.properties
    hadoop/common/trunk/src/java/org/apache/hadoop/ipc/Server.java
    hadoop/common/trunk/src/java/org/apache/hadoop/security/SaslRpcServer.java
    hadoop/common/trunk/src/java/org/apache/hadoop/security/UserGroupInformation.java
    hadoop/common/trunk/src/java/org/apache/hadoop/security/token/delegation/DelegationKey.java
    hadoop/common/trunk/src/test/core/org/apache/hadoop/ipc/AvroTestProtocol.java
    hadoop/common/trunk/src/test/core/org/apache/hadoop/ipc/TestAvroRpc.java
    hadoop/common/trunk/src/test/core/org/apache/hadoop/security/TestUserGroupInformation.java

Modified: hadoop/common/trunk/CHANGES.txt
URL: http://svn.apache.org/viewvc/hadoop/common/trunk/CHANGES.txt?rev=948573&r1=948572&r2=948573&view=diff
==============================================================================
--- hadoop/common/trunk/CHANGES.txt (original)
+++ hadoop/common/trunk/CHANGES.txt Wed May 26 20:31:48 2010
@@ -2,6 +2,11 @@ Hadoop Change Log
 
 Trunk (unreleased changes)
 
+  NEW FEATURES
+   HADOOP-6581. Add authenticated TokenIdentifiers to UGI so that 
+   they can be used for authorization (Kan Zhang and Jitendra Pandey 
+   via jghoman)
+
   IMPROVEMENTS
     HADOOP-6644. util.Shell getGROUPS_FOR_USER_COMMAND method name 
     - should use common naming convention (boryas)

Modified: hadoop/common/trunk/ivy/libraries.properties
URL: http://svn.apache.org/viewvc/hadoop/common/trunk/ivy/libraries.properties?rev=948573&r1=948572&r2=948573&view=diff
==============================================================================
--- hadoop/common/trunk/ivy/libraries.properties (original)
+++ hadoop/common/trunk/ivy/libraries.properties Wed May 26 20:31:48 2010
@@ -17,7 +17,7 @@
 apacheant.version=1.7.1
 ant-task.version=2.0.10
 
-avro.version=1.3.0
+avro.version=1.3.2
 
 checkstyle.version=4.2
 

Modified: hadoop/common/trunk/src/java/org/apache/hadoop/ipc/Server.java
URL: http://svn.apache.org/viewvc/hadoop/common/trunk/src/java/org/apache/hadoop/ipc/Server.java?rev=948573&r1=948572&r2=948573&view=diff
==============================================================================
--- hadoop/common/trunk/src/java/org/apache/hadoop/ipc/Server.java (original)
+++ hadoop/common/trunk/src/java/org/apache/hadoop/ipc/Server.java Wed May 26 20:31:48 2010
@@ -923,7 +923,13 @@ public abstract class Server {
       if (authMethod == SaslRpcServer.AuthMethod.DIGEST) {
         TokenIdentifier tokenId = SaslRpcServer.getIdentifier(authorizedId,
             secretManager);
-        return tokenId.getUser();
+        UserGroupInformation ugi = tokenId.getUser();
+        if (ugi == null) {
+          throw new AccessControlException(
+              "Can't retrieve username from tokenIdentifier.");
+        }
+        ugi.addTokenIdentifier(tokenId);
+        return ugi;
       } else {
         return UserGroupInformation.createRemoteUser(authorizedId);
       }
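Review bot: The new DIGEST branch attaches the decoded identifier to the UGI without recording why, and the reason matters to whoever later reads authorization code built on it: per the commit log these identifiers are consumed for authorization, so only an identifier tied to the authenticated session may be added at this point. Suggest a comment above `ugi.addTokenIdentifier(tokenId);` such as `// authorizedId was accepted by the SASL DIGEST-MD5 callback; attach the decoded identifier so services can authorize on its fields`. The boolean result of addTokenIdentifier is discarded, which is presumably fine because getUser() hands back a fresh UGI, but the same comment could say so. The enclosing method's signature is outside the hunk, so I could not confirm whether the thrown AccessControlException is declared or unchecked there.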
@@ -1531,7 +1537,7 @@ public abstract class Server {
   public void setSocketSendBufSize(int size) { this.socketSendBufferSize = size; }
 
   /** Starts the service.  Must be called before any calls will be handled. */
-  public synchronized void start() throws IOException {
+  public synchronized void start() {
     responder.start();
     listener.start();
     handlers = new Handler[handlerCount];
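Review bot: Dropping `throws IOException` from the public `start()` signature is a source-incompatible change for any caller that wraps `server.start()` in `try { ... } catch (IOException e)`: javac rejects a catch of a checked exception the try body can no longer throw. Neither the commit log nor the CHANGES.txt entry mentions this API change; either keep the clause (an unused throws clause is harmless) or call the change out in CHANGES.txt. The body of start() continues past the hunk, so I could not confirm that nothing in it still needs to throw.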

Modified: hadoop/common/trunk/src/java/org/apache/hadoop/security/SaslRpcServer.java
URL: http://svn.apache.org/viewvc/hadoop/common/trunk/src/java/org/apache/hadoop/security/SaslRpcServer.java?rev=948573&r1=948572&r2=948573&view=diff
==============================================================================
--- hadoop/common/trunk/src/java/org/apache/hadoop/security/SaslRpcServer.java (original)
+++ hadoop/common/trunk/src/java/org/apache/hadoop/security/SaslRpcServer.java Wed May 26
20:31:48 2010
@@ -68,10 +68,10 @@ public class SaslRpcServer {
     return Base64.decodeBase64(identifier.getBytes());
   }
 
-  public static TokenIdentifier getIdentifier(String id,
-      SecretManager<TokenIdentifier> secretManager) throws InvalidToken {
+  public static <T extends TokenIdentifier> T getIdentifier(String id,
+      SecretManager<T> secretManager) throws InvalidToken {
     byte[] tokenId = decodeIdentifier(id);
-    TokenIdentifier tokenIdentifier = secretManager.createIdentifier();
+    T tokenIdentifier = secretManager.createIdentifier();
     try {
       tokenIdentifier.readFields(new DataInputStream(new ByteArrayInputStream(
           tokenId)));
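Review bot: `getIdentifier` is public static, now generic, and still has no Javadoc, although it decodes and deserializes a client-supplied string. Its contract should be stated in a Javadoc that describes it as base64-decoding `id` (the call to `decodeIdentifier` wraps `Base64.decodeBase64`), obtaining a fresh identifier from `secretManager.createIdentifier()`, reading the fields from the decoded bytes, and declaring `@throws InvalidToken` for bytes that cannot be read as that identifier. The try block that converts read failures continues past the hunk, so I could not confirm exactly which failures are mapped to InvalidToken.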
@@ -202,11 +202,12 @@ public class SaslRpcServer {
           ac.setAuthorized(false);
         }
         if (ac.isAuthorized()) {
-          String username = getIdentifier(authzid, secretManager).getUser()
-              .getUserName().toString();
-          if (LOG.isDebugEnabled())
+          if (LOG.isDebugEnabled()) {
+            String username = getIdentifier(authzid, secretManager).getUser()
+            .getUserName().toString();
             LOG.debug("SASL server DIGEST-MD5 callback: setting "
                 + "canonicalized client ID: " + username);
+          }
           ac.setAuthorizedID(authzid);
         }
       }
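Review bot: The debug branch still calls `.getUser().getUserName()` on the freshly decoded identifier with no null check, even though Server.java's DIGEST path in this same commit guards against `getUser()` returning null; with debug logging enabled, such an identifier would turn a clean rejection into a NullPointerException inside the SASL callback. Guard it and drop the redundant `.toString()` on a String: `UserGroupInformation u = getIdentifier(authzid, secretManager).getUser();` followed by `String username = (u == null) ? "<none>" : u.getUserName();`. The continuation line `.getUserName().toString()` is also indented to the statement column rather than as a continuation. The enclosing callback method starts and ends outside the hunk.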

Modified: hadoop/common/trunk/src/java/org/apache/hadoop/security/UserGroupInformation.java
URL: http://svn.apache.org/viewvc/hadoop/common/trunk/src/java/org/apache/hadoop/security/UserGroupInformation.java?rev=948573&r1=948572&r2=948573&view=diff
==============================================================================
--- hadoop/common/trunk/src/java/org/apache/hadoop/security/UserGroupInformation.java (original)
+++ hadoop/common/trunk/src/java/org/apache/hadoop/security/UserGroupInformation.java Wed
May 26 20:31:48 2010
@@ -611,6 +611,28 @@ public class UserGroupInformation {
   }
 
   /**
+   * Add a TokenIdentifier to this UGI. The TokenIdentifier has typically been
+   * authenticated by the RPC layer as belonging to the user represented by this
+   * UGI.
+   * 
+   * @param tokenId
+   *          tokenIdentifier to be added
+   * @return true on successful add of new tokenIdentifier
+   */
+  public synchronized boolean addTokenIdentifier(TokenIdentifier tokenId) {
+    return subject.getPublicCredentials().add(tokenId);
+  }
+
+  /**
+   * Get the set of TokenIdentifiers belonging to this UGI
+   * 
+   * @return the set of TokenIdentifiers belonging to this UGI
+   */
+  public synchronized Set<TokenIdentifier> getTokenIdentifiers() {
+    return subject.getPublicCredentials(TokenIdentifier.class);
+  }
+  
+  /**
    * Add a token to this UGI
    * 
    * @param token Token to be added
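Review bot: The Javadoc on `getTokenIdentifiers` should say whether the returned Set is live or detached, because code authorizing on it needs to know the set cannot be used to inject identifiers: `Subject.getPublicCredentials(Class)` is specified to return a new Set not backed by the Subject, so `@return a snapshot of this UGI's TokenIdentifiers; modifying it does not affect the UGI` states the contract. `addTokenIdentifier` returns the `Set.add` result, so its `@return` should read `false if an equal identifier was already present`. Since the commit log says these identifiers will drive authorization, one more sentence in addTokenIdentifier's Javadoc asking callers to add only identifiers that have already been authenticated would help maintainers of both methods.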

Modified: hadoop/common/trunk/src/java/org/apache/hadoop/security/token/delegation/DelegationKey.java
URL: http://svn.apache.org/viewvc/hadoop/common/trunk/src/java/org/apache/hadoop/security/token/delegation/DelegationKey.java?rev=948573&r1=948572&r2=948573&view=diff
==============================================================================
--- hadoop/common/trunk/src/java/org/apache/hadoop/security/token/delegation/DelegationKey.java
(original)
+++ hadoop/common/trunk/src/java/org/apache/hadoop/security/token/delegation/DelegationKey.java
Wed May 26 20:31:48 2010
@@ -27,6 +27,7 @@ import javax.crypto.SecretKey;
 
 import org.apache.hadoop.io.Writable;
 import org.apache.hadoop.io.WritableUtils;
+import org.apache.avro.reflect.Nullable;
 
 /**
  * Key used for generating and verifying delegation tokens
@@ -35,7 +36,8 @@ import org.apache.hadoop.io.WritableUtil
 public class DelegationKey implements Writable {
   private int keyId;
   private long expiryDate;
-  private SecretKey key;
+  @Nullable
+  private byte[] keyBytes = null;
 
   public DelegationKey() {
     this(0, 0L, null);
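Review bot: `keyBytes` now holds the raw encoded secret key as a plain `byte[]` field, and the `@Nullable` annotation comes from `org.apache.avro.reflect`, which as far as I can tell means Avro reflection will serialize this field in addition to `write()`; a field comment should record both facts so nobody logs, toString()s or otherwise exposes the object casually: `// raw encoded secret key material; written by write() and, via Avro reflection (hence @Nullable), by the RPC layer — never log or expose`. The explicit `= null` initializer is redundant with the field default. Whether a core security class in `org.apache.hadoop.security.token.delegation` should depend on an Avro annotation is a design question worth a sentence in the commit log.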
@@ -44,7 +46,9 @@ public class DelegationKey implements Wr
   public DelegationKey(int keyId, long expiryDate, SecretKey key) {
     this.keyId = keyId;
     this.expiryDate = expiryDate;
-    this.key = key;
+    if (key!=null) {
+      this.keyBytes = key.getEncoded();
+    }
   }
 
   public int getKeyId() {
@@ -56,7 +60,12 @@ public class DelegationKey implements Wr
   }
 
   public SecretKey getKey() {
-    return key;
+    if (keyBytes == null || keyBytes.length == 0) {
+      return null;
+    } else {
+      SecretKey key = AbstractDelegationTokenSecretManager.createSecretKey(keyBytes);
+      return key;
+    }
   }
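Review bot: The else branch of `getKey()` introduces a local only to return it; `return AbstractDelegationTokenSecretManager.createSecretKey(keyBytes);` says the same thing, and with the guard clause returning null the `else` can go as well. Note also that `write()` encodes an empty array as length 0 while `getKey()` treats both null and an empty array as "no key", which is consistent but not obvious; a one-line comment on the guard, `// null and empty both mean no key material (see write/readFields)`, would save the next reader a trip through the other two methods.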
 
   public void setExpiryDate(long expiryDate) {
@@ -68,9 +77,12 @@ public class DelegationKey implements Wr
   public void write(DataOutput out) throws IOException {
     WritableUtils.writeVInt(out, keyId);
     WritableUtils.writeVLong(out, expiryDate);
-    byte[] keyBytes = key.getEncoded();
-    WritableUtils.writeVInt(out, keyBytes.length);
-    out.write(keyBytes);
+    if (keyBytes == null) {
+      WritableUtils.writeVInt(out, -1);
+    } else {
+      WritableUtils.writeVInt(out, keyBytes.length);
+      out.write(keyBytes);
+    }
   }
 
   /**
@@ -79,8 +91,11 @@ public class DelegationKey implements Wr
     keyId = WritableUtils.readVInt(in);
     expiryDate = WritableUtils.readVLong(in);
     int len = WritableUtils.readVInt(in);
-    byte[] keyBytes = new byte[len];
-    in.readFully(keyBytes);
-    key = AbstractDelegationTokenSecretManager.createSecretKey(keyBytes);
+    if (len == -1) {
+      keyBytes = null;
+    } else {
+      keyBytes = new byte[len];
+      in.readFully(keyBytes);
+    }
   }
 }
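Review bot: `readFields` accepts any `len` other than -1 from the stream and allocates `new byte[len]`, so a corrupted or untrusted stream yields a NegativeArraySizeException (for len < -1) or an OutOfMemoryError (for a huge len) instead of an IOException the caller can handle. Reject out-of-range lengths before allocating: `if (len < -1) { throw new IOException("Invalid key length: " + len); }`, and consider an upper bound if the largest key the secret manager produces is known. The signature of readFields is outside the hunk.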

Modified: hadoop/common/trunk/src/test/core/org/apache/hadoop/ipc/AvroTestProtocol.java
URL: http://svn.apache.org/viewvc/hadoop/common/trunk/src/test/core/org/apache/hadoop/ipc/AvroTestProtocol.java?rev=948573&r1=948572&r2=948573&view=diff
==============================================================================
--- hadoop/common/trunk/src/test/core/org/apache/hadoop/ipc/AvroTestProtocol.java (original)
+++ hadoop/common/trunk/src/test/core/org/apache/hadoop/ipc/AvroTestProtocol.java Wed May
26 20:31:48 2010
@@ -19,7 +19,6 @@
 package org.apache.hadoop.ipc;
 
 import org.apache.avro.ipc.AvroRemoteException;
-import org.apache.avro.util.Utf8;
 
 @SuppressWarnings("serial")
 public interface AvroTestProtocol {
@@ -27,7 +26,7 @@ public interface AvroTestProtocol {
     public Problem() {}
   }
   void ping();
-  Utf8 echo(Utf8 value);
+  String echo(String value);
   int add(int v1, int v2);
   int error() throws Problem;
 }

Modified: hadoop/common/trunk/src/test/core/org/apache/hadoop/ipc/TestAvroRpc.java
URL: http://svn.apache.org/viewvc/hadoop/common/trunk/src/test/core/org/apache/hadoop/ipc/TestAvroRpc.java?rev=948573&r1=948572&r2=948573&view=diff
==============================================================================
--- hadoop/common/trunk/src/test/core/org/apache/hadoop/ipc/TestAvroRpc.java (original)
+++ hadoop/common/trunk/src/test/core/org/apache/hadoop/ipc/TestAvroRpc.java Wed May 26 20:31:48
2010
@@ -30,7 +30,6 @@ import org.apache.hadoop.conf.Configurat
 import org.apache.hadoop.net.NetUtils;
 
 import org.apache.avro.ipc.AvroRemoteException;
-import org.apache.avro.util.Utf8;
 
 /** Unit tests for AvroRpc. */
 public class TestAvroRpc extends TestCase {
@@ -50,7 +49,7 @@ public class TestAvroRpc extends TestCas
 
     public void ping() {}
     
-    public Utf8 echo(Utf8 value) { return value; }
+    public String echo(String value) { return value; }
 
     public int add(int v1, int v2) { return v1 + v2; }
 
@@ -74,8 +73,8 @@ public class TestAvroRpc extends TestCas
       
       proxy.ping();
 
-      Utf8 utf8Result = proxy.echo(new Utf8("hello world"));
-      assertEquals(new Utf8("hello world"), utf8Result);
+      String echo = proxy.echo("hello world");
+      assertEquals("hello world", echo);
 
       int intResult = proxy.add(1, 2);
       assertEquals(3, intResult);

Modified: hadoop/common/trunk/src/test/core/org/apache/hadoop/security/TestUserGroupInformation.java
URL: http://svn.apache.org/viewvc/hadoop/common/trunk/src/test/core/org/apache/hadoop/security/TestUserGroupInformation.java?rev=948573&r1=948572&r2=948573&view=diff
==============================================================================
--- hadoop/common/trunk/src/test/core/org/apache/hadoop/security/TestUserGroupInformation.java
(original)
+++ hadoop/common/trunk/src/test/core/org/apache/hadoop/security/TestUserGroupInformation.java
Wed May 26 20:31:48 2010
@@ -34,7 +34,6 @@ import java.util.List;
 
 import junit.framework.Assert;
 
-import org.apache.hadoop.security.SaslRpcServer.AuthMethod;
 import org.apache.hadoop.security.UserGroupInformation.AuthenticationMethod;
 import org.apache.hadoop.security.token.Token;
 import org.apache.hadoop.security.token.TokenIdentifier;
@@ -216,6 +215,33 @@ public class TestUserGroupInformation {
   }
   
   @Test
+  public void testTokenIdentifiers() throws Exception {
+    UserGroupInformation ugi = UserGroupInformation.createUserForTesting(
+        "TheDoctor", new String[] { "TheTARDIS" });
+    TokenIdentifier t1 = mock(TokenIdentifier.class);
+    TokenIdentifier t2 = mock(TokenIdentifier.class);
+
+    ugi.addTokenIdentifier(t1);
+    ugi.addTokenIdentifier(t2);
+
+    Collection<TokenIdentifier> z = ugi.getTokenIdentifiers();
+    assertTrue(z.contains(t1));
+    assertTrue(z.contains(t2));
+    assertEquals(2, z.size());
+
+    // ensure that the token identifiers are passed through doAs
+    Collection<TokenIdentifier> otherSet = ugi
+        .doAs(new PrivilegedExceptionAction<Collection<TokenIdentifier>>() {
+          public Collection<TokenIdentifier> run() throws IOException {
+            return UserGroupInformation.getCurrentUser().getTokenIdentifiers();
+          }
+        });
+    assertTrue(otherSet.contains(t1));
+    assertTrue(otherSet.contains(t2));
+    assertEquals(2, otherSet.size());
+  }
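Review bot: The new test never checks the boolean that `addTokenIdentifier` returns, nor the Set semantics that make a duplicate add a no-op, which is the one behaviour of the new API a caller might get wrong. Assert both: `assertTrue(ugi.addTokenIdentifier(t1));` and, after the second add of the same mock, `assertFalse(ugi.addTokenIdentifier(t1));` with `assertEquals(2, z.size())` still holding. The local name `z` says nothing; `identifiers` would read better next to `otherSet`.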
+
+  @Test
   public void testUGIAuthMethod() throws Exception {
     final UserGroupInformation ugi = UserGroupInformation.getCurrentUser();
     final AuthenticationMethod am = AuthenticationMethod.KERBEROS;


