hadoop-common-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From bor...@apache.org
Subject svn commit: r963490 - in /hadoop/common/trunk: CHANGES.txt src/java/org/apache/hadoop/security/authorize/ServiceAuthorizationManager.java
Date Mon, 12 Jul 2010 21:18:48 GMT
Author: boryas
Date: Mon Jul 12 21:18:47 2010
New Revision: 963490

URL: http://svn.apache.org/viewvc?rev=963490&view=rev
Log:
HADOOP-6647. balancer fails with "is not authorized for protocol interface NamenodeProtocol"
in secure environment

Modified:
    hadoop/common/trunk/CHANGES.txt
    hadoop/common/trunk/src/java/org/apache/hadoop/security/authorize/ServiceAuthorizationManager.java

Modified: hadoop/common/trunk/CHANGES.txt
URL: http://svn.apache.org/viewvc/hadoop/common/trunk/CHANGES.txt?rev=963490&r1=963489&r2=963490&view=diff
==============================================================================
--- hadoop/common/trunk/CHANGES.txt (original)
+++ hadoop/common/trunk/CHANGES.txt Mon Jul 12 21:18:47 2010
@@ -117,6 +117,9 @@ Trunk (unreleased changes)
 
     HADOOP-6648. Adds a check for null tokens in Credentials.addToken api.
     (ddas)
+ 
+    HADOOP-6647. balancer fails with "is not authorized for protocol 
+    interface NamenodeProtocol" in secure environment (boryas)
 
 Release 0.21.0 - Unreleased
 

Modified: hadoop/common/trunk/src/java/org/apache/hadoop/security/authorize/ServiceAuthorizationManager.java
URL: http://svn.apache.org/viewvc/hadoop/common/trunk/src/java/org/apache/hadoop/security/authorize/ServiceAuthorizationManager.java?rev=963490&r1=963489&r2=963490&view=diff
==============================================================================
--- hadoop/common/trunk/src/java/org/apache/hadoop/security/authorize/ServiceAuthorizationManager.java
(original)
+++ hadoop/common/trunk/src/java/org/apache/hadoop/security/authorize/ServiceAuthorizationManager.java
Mon Jul 12 21:18:47 2010
@@ -17,6 +17,7 @@
  */
 package org.apache.hadoop.security.authorize;
 
+import java.io.IOException;
 import java.util.IdentityHashMap;
 import java.util.Map;
 
@@ -27,6 +28,7 @@ import org.apache.hadoop.classification.
 import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.fs.CommonConfigurationKeys;
 import org.apache.hadoop.security.KerberosInfo;
+import org.apache.hadoop.security.KerberosName;
 import org.apache.hadoop.security.UserGroupInformation;
 
 /**
@@ -37,6 +39,8 @@ import org.apache.hadoop.security.UserGr
 @InterfaceStability.Evolving
 public class ServiceAuthorizationManager {
   private static final String HADOOP_POLICY_FILE = "hadoop-policy.xml";
+  private static final Log LOG = LogFactory
+  .getLog(ServiceAuthorizationManager.class);
 
   private static Map<Class<?>, AccessControlList> protocolToAcl =
     new IdentityHashMap<Class<?>, AccessControlList>();
@@ -85,7 +89,19 @@ public class ServiceAuthorizationManager
         clientPrincipal = conf.get(clientKey);
       }
     }
-    if((clientPrincipal != null && !clientPrincipal.equals(user.getUserName())) ||

+    // when authorizing use the short name only
+    String shortName = clientPrincipal;
+    if(clientPrincipal != null ) {
+      try {
+        shortName = new KerberosName(clientPrincipal).getShortName();
+      } catch (IOException e) {
+        LOG.warn("couldn't get short name from " + clientPrincipal, e);
+        // just keep going
+      }
+    }
+    LOG.debug("for protocol authorization compare (" + clientPrincipal + "): " 
+        + shortName + " with " + user.getShortUserName());
+    if((shortName != null &&  !shortName.equals(user.getShortUserName())) || 
         !acl.isUserAllowed(user)) {
       AUDITLOG.warn(AUTHZ_FAILED_FOR + user + " for protocol="+protocol);
       throw new AuthorizationException("User " + user + 



Mime
View raw message