hadoop-common-commits mailing list archives

From omal...@apache.org
Subject svn commit: r1077347 - /hadoop/common/branches/branch-0.20-security-patches/src/core/org/apache/hadoop/security/authorize/ServiceAuthorizationManager.java
Date Fri, 04 Mar 2011 04:05:52 GMT
Author: omalley
Date: Fri Mar  4 04:05:52 2011
New Revision: 1077347

URL: http://svn.apache.org/viewvc?rev=1077347&view=rev
Log:
commit 16e060ad9934801287be10fcaedd0a8ad519b456
Author: Boris Shkolnik <borya@yahoo-inc.com>
Date:   Fri Mar 19 14:05:16 2010 -0700

    HADOOP:6647 from https://issues.apache.org/jira/secure/attachment/12439325/HADOOP-6647-BP20.patch
    
    +++ b/YAHOO-CHANGES.txt
    +    HADOOP-6647. balancer fails with "is not authorized for protocol
    +    interface NamenodeProtocol" in secure environment (boryas)
    +

Modified:
    hadoop/common/branches/branch-0.20-security-patches/src/core/org/apache/hadoop/security/authorize/ServiceAuthorizationManager.java

Modified: hadoop/common/branches/branch-0.20-security-patches/src/core/org/apache/hadoop/security/authorize/ServiceAuthorizationManager.java
URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-0.20-security-patches/src/core/org/apache/hadoop/security/authorize/ServiceAuthorizationManager.java?rev=1077347&r1=1077346&r2=1077347&view=diff
==============================================================================
--- hadoop/common/branches/branch-0.20-security-patches/src/core/org/apache/hadoop/security/authorize/ServiceAuthorizationManager.java
(original)
+++ hadoop/common/branches/branch-0.20-security-patches/src/core/org/apache/hadoop/security/authorize/ServiceAuthorizationManager.java
Fri Mar  4 04:05:52 2011
@@ -26,6 +26,7 @@ import org.apache.commons.logging.LogFac
 import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.fs.CommonConfigurationKeys;
 import org.apache.hadoop.security.KerberosInfo;
+import org.apache.hadoop.security.KerberosName;
 import org.apache.hadoop.security.SecurityUtil;
 import org.apache.hadoop.security.UserGroupInformation;
 
@@ -35,6 +36,8 @@ import org.apache.hadoop.security.UserGr
  */
 public class ServiceAuthorizationManager {
   private static final String HADOOP_POLICY_FILE = "hadoop-policy.xml";
+  private static final Log LOG = LogFactory
+      .getLog(ServiceAuthorizationManager.class);
 
   private static Map<Class<?>, AccessControlList> protocolToAcl =
     new IdentityHashMap<Class<?>, AccessControlList>();
@@ -97,7 +100,19 @@ public class ServiceAuthorizationManager
         }
       }
     }
-    if((clientPrincipal != null && !clientPrincipal.equals(user.getUserName())) ||

+    // when authorizing use the short name only
+    String shortName = clientPrincipal;
+    if(clientPrincipal != null ) {
+      try {
+        shortName = new KerberosName(clientPrincipal).getShortName();
+      } catch (IOException e) {
+        LOG.warn("couldn't get short name from " + clientPrincipal, e);
+        // just keep going
+      }
+    }
+    LOG.debug("for protocol authorization compare (" + clientPrincipal + "): " 
+        + shortName + " with " + user.getShortUserName());
+    if((shortName != null &&  !shortName.equals(user.getShortUserName())) || 
         !acl.isUserAllowed(user)) {
       AUDITLOG.warn(AUTHZ_FAILED_FOR + user + " for protocol="+protocol);
       throw new AuthorizationException("User " + user + 
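Review bot: The `catch (IOException e)` branch leaves `shortName` holding the full principal and relies on the later `equals` mismatch to deny, so a name-mapping failure surfaces as an ordinary authorization failure and the deny decision is only implicit. Denying explicitly would be clearer, for example `throw new AuthorizationException("cannot map " + clientPrincipal + " to a short name");` after the warn. Comparing short names instead of full principals also means that any principal mapping to the same short name now passes the client-principal check, so its strength presumably depends on the configured name-mapping rules; a comment stating that this is intended would help. The `LOG.debug` string concatenation runs on every call and would be cheaper behind `if (LOG.isDebugEnabled())`. The enclosing method starts and ends outside the hunk.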


