hadoop-common-commits mailing list archives

From sur...@apache.org
Subject svn commit: r1404882 - in /hadoop/common/branches/branch-1: ./ src/core/ src/core/org/apache/hadoop/conf/ src/core/org/apache/hadoop/fs/ src/core/org/apache/hadoop/http/ src/core/org/apache/hadoop/jmx/ src/core/org/apache/hadoop/metrics/ src/test/org/a...
Date Fri, 02 Nov 2012 06:38:35 GMT
Author: suresh
Date: Fri Nov  2 06:38:35 2012
New Revision: 1404882

URL: http://svn.apache.org/viewvc?rev=1404882&view=rev
Log:
HADOOP-8988. Allow configuration of authorization for JmxJsonServlet and MetricsServlet. Contributed
by Jing Zhao.

Modified:
    hadoop/common/branches/branch-1/CHANGES.txt
    hadoop/common/branches/branch-1/src/core/core-default.xml
    hadoop/common/branches/branch-1/src/core/org/apache/hadoop/conf/ConfServlet.java
    hadoop/common/branches/branch-1/src/core/org/apache/hadoop/fs/CommonConfigurationKeys.java
    hadoop/common/branches/branch-1/src/core/org/apache/hadoop/http/HttpServer.java
    hadoop/common/branches/branch-1/src/core/org/apache/hadoop/jmx/JMXJsonServlet.java
    hadoop/common/branches/branch-1/src/core/org/apache/hadoop/metrics/MetricsServlet.java
    hadoop/common/branches/branch-1/src/test/org/apache/hadoop/http/TestHttpServer.java

Modified: hadoop/common/branches/branch-1/CHANGES.txt
URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-1/CHANGES.txt?rev=1404882&r1=1404881&r2=1404882&view=diff
==============================================================================
--- hadoop/common/branches/branch-1/CHANGES.txt (original)
+++ hadoop/common/branches/branch-1/CHANGES.txt Fri Nov  2 06:38:35 2012
@@ -29,6 +29,9 @@ Release 1.2.0 - unreleased
     HDFS-3912. Detect and avoid stale datanodes for writes.
     (Jing Zhao via suresh)
 
+    HADOOP-8988. Allow configuration of authorization for JmxJsonServlet and 
+    MetricsServlet. (tucu, Jing Zhao via suresh)
+
   IMPROVEMENTS
 
     HDFS-3515. Port HDFS-1457 to branch-1. (eli)

Modified: hadoop/common/branches/branch-1/src/core/core-default.xml
URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-1/src/core/core-default.xml?rev=1404882&r1=1404881&r2=1404882&view=diff
==============================================================================
--- hadoop/common/branches/branch-1/src/core/core-default.xml (original)
+++ hadoop/common/branches/branch-1/src/core/core-default.xml Fri Nov  2 06:38:35 2012
@@ -45,6 +45,15 @@
 </property>
 
 <property>
+  <name>hadoop.security.instrumentation.requires.admin</name>
+  <value>false</value>
+  <description>
+    Indicates if administrator ACLs are required to access
+    instrumentation servlets (JMX, METRICS, CONF, STACKS).
+  </description>
+</property>
+
+<property>
   <name>hadoop.security.authentication</name>
   <value>simple</value>
   <description>Possible values are simple (no authentication), and kerberos
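Review bot: The default of `false` makes this a fail-open setting. The JMXJsonServlet, MetricsServlet and HttpServer servlet hunks later in this commit replace a direct `hasAdministratorAccess` call with the new gate, so a cluster that upgrades without setting the key no longer gets the admin ACL check on those endpoints. The description should say this outright, for example by adding `When false (the default) no administrator ACL check is applied to these servlets; set to true on secured clusters.` The CHANGES.txt entry reads as a pure feature addition, so it is worth noting the behaviour change for JMX and METRICS there as well.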

Modified: hadoop/common/branches/branch-1/src/core/org/apache/hadoop/conf/ConfServlet.java
URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-1/src/core/org/apache/hadoop/conf/ConfServlet.java?rev=1404882&r1=1404881&r2=1404882&view=diff
==============================================================================
--- hadoop/common/branches/branch-1/src/core/org/apache/hadoop/conf/ConfServlet.java (original)
+++ hadoop/common/branches/branch-1/src/core/org/apache/hadoop/conf/ConfServlet.java Fri Nov
 2 06:38:35 2012
@@ -55,6 +55,10 @@ public class ConfServlet extends HttpSer
   @Override
   public void doGet(HttpServletRequest request, HttpServletResponse response)
       throws ServletException, IOException {
+    if (!HttpServer.isInstrumentationAccessAllowed(getServletContext(),
+        request, response)) {
+      return;
+    }
     String format = request.getParameter(FORMAT_PARAM);
     if (null == format) {
       format = FORMAT_XML;

Modified: hadoop/common/branches/branch-1/src/core/org/apache/hadoop/fs/CommonConfigurationKeys.java
URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-1/src/core/org/apache/hadoop/fs/CommonConfigurationKeys.java?rev=1404882&r1=1404881&r2=1404882&view=diff
==============================================================================
--- hadoop/common/branches/branch-1/src/core/org/apache/hadoop/fs/CommonConfigurationKeys.java
(original)
+++ hadoop/common/branches/branch-1/src/core/org/apache/hadoop/fs/CommonConfigurationKeys.java
Fri Nov  2 06:38:35 2012
@@ -40,6 +40,9 @@ public class CommonConfigurationKeys {
   public static final String HADOOP_SECURITY_AUTHORIZATION =
     "hadoop.security.authorization";
   /** See src/core/core-default.xml */
+  public static final String HADOOP_SECURITY_INSTRUMENTATION_REQUIRES_ADMIN = 
+      "hadoop.security.instrumentation.requires.admin";
+  /** See src/core/core-default.xml */
   public static final String  HADOOP_SECURITY_SERVICE_USER_NAME_KEY = 
     "hadoop.security.service.user.name.key";
   /** See src/core/core-default.xml */

Modified: hadoop/common/branches/branch-1/src/core/org/apache/hadoop/http/HttpServer.java
URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-1/src/core/org/apache/hadoop/http/HttpServer.java?rev=1404882&r1=1404881&r2=1404882&view=diff
==============================================================================
--- hadoop/common/branches/branch-1/src/core/org/apache/hadoop/http/HttpServer.java (original)
+++ hadoop/common/branches/branch-1/src/core/org/apache/hadoop/http/HttpServer.java Fri Nov
 2 06:38:35 2012
@@ -693,6 +693,37 @@ public class HttpServer implements Filte
   }
 
   /**
+   * Checks the user has privileges to access to instrumentation servlets.
+   * <p/>
+   * If <code>hadoop.security.instrumentation.requires.admin</code> is set to

+   * FALSE (default value) it returns always returns TRUE.
+   * <p/>
+   * If <code>hadoop.security.instrumentation.requires.admin</code> is set to

+   * TRUE it will check that if the current user is in the admin ACLS. If the 
+   * user is in the admin ACLs it returns TRUE, otherwise it returns FALSE.
+   *
+   * @param servletContext the servlet context.
+   * @param request the servlet request.
+   * @param response the servlet response.
+   * @return TRUE/FALSE based on the logic decribed above.
+   */
+  public static boolean isInstrumentationAccessAllowed(
+      ServletContext servletContext, HttpServletRequest request,
+      HttpServletResponse response) throws IOException {
+    Configuration conf = (Configuration) servletContext
+        .getAttribute(CONF_CONTEXT_ATTRIBUTE);
+
+    boolean access = true;
+    boolean adminAccess = conf.getBoolean(
+        CommonConfigurationKeys.HADOOP_SECURITY_INSTRUMENTATION_REQUIRES_ADMIN,
+        false);
+    if (adminAccess) {
+      access = hasAdministratorAccess(servletContext, request, response);
+    }
+    return access;
+  }
+  
+  /**
    * Does the user sending the HttpServletRequest has the administrator ACLs? If
    * it isn't the case, response will be modified to send an error to the user.
    * 
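Review bot: `conf` is dereferenced at `conf.getBoolean(...)` without a null check, so a servlet context that lacks `CONF_CONTEXT_ATTRIBUTE` makes this authorization gate end in a NullPointerException rather than an explicit decision. A guard such as `if (conf == null) { response.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR); return false; }` keeps the failure closed and visible. The local `adminAccess` holds the requires-admin flag, not an access result, so a name like `requiresAdmin` would read more clearly. The Javadoc should also say that a FALSE return means `hasAdministratorAccess` has already written an error to the response (as its own Javadoc just below states), add `@throws IOException`, and fix the slips "it returns always returns", "check that if" and "decribed".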
@@ -749,8 +780,8 @@ public class HttpServer implements Filte
       throws ServletException, IOException {
 
       // Do the authorization
-      if (!HttpServer.hasAdministratorAccess(getServletContext(), request,
-          response)) {
+      if (!HttpServer.isInstrumentationAccessAllowed(getServletContext(),
+          request, response)) {
         return;
       }
 

Modified: hadoop/common/branches/branch-1/src/core/org/apache/hadoop/jmx/JMXJsonServlet.java
URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-1/src/core/org/apache/hadoop/jmx/JMXJsonServlet.java?rev=1404882&r1=1404881&r2=1404882&view=diff
==============================================================================
--- hadoop/common/branches/branch-1/src/core/org/apache/hadoop/jmx/JMXJsonServlet.java (original)
+++ hadoop/common/branches/branch-1/src/core/org/apache/hadoop/jmx/JMXJsonServlet.java Fri
Nov  2 06:38:35 2012
@@ -134,8 +134,8 @@ public class JMXJsonServlet extends Http
   public void doGet(HttpServletRequest request, HttpServletResponse response) {
     try {
       // Do the authorization
-      if (!HttpServer.hasAdministratorAccess(getServletContext(), request,
-          response)) {
+      if (!HttpServer.isInstrumentationAccessAllowed(getServletContext(),
+          request, response)) {
         return;
       }
 

Modified: hadoop/common/branches/branch-1/src/core/org/apache/hadoop/metrics/MetricsServlet.java
URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-1/src/core/org/apache/hadoop/metrics/MetricsServlet.java?rev=1404882&r1=1404881&r2=1404882&view=diff
==============================================================================
--- hadoop/common/branches/branch-1/src/core/org/apache/hadoop/metrics/MetricsServlet.java
(original)
+++ hadoop/common/branches/branch-1/src/core/org/apache/hadoop/metrics/MetricsServlet.java
Fri Nov  2 06:38:35 2012
@@ -109,8 +109,8 @@ public class MetricsServlet extends Http
       throws ServletException, IOException {
 
     // Do the authorization
-    if (!HttpServer.hasAdministratorAccess(getServletContext(), request,
-        response)) {
+    if (!HttpServer.isInstrumentationAccessAllowed(getServletContext(),
+        request, response)) {
       return;
     }
 

Modified: hadoop/common/branches/branch-1/src/test/org/apache/hadoop/http/TestHttpServer.java
URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-1/src/test/org/apache/hadoop/http/TestHttpServer.java?rev=1404882&r1=1404881&r2=1404882&view=diff
==============================================================================
--- hadoop/common/branches/branch-1/src/test/org/apache/hadoop/http/TestHttpServer.java (original)
+++ hadoop/common/branches/branch-1/src/test/org/apache/hadoop/http/TestHttpServer.java Fri
Nov  2 06:38:35 2012
@@ -23,7 +23,6 @@ import java.io.File;
 import java.io.IOException;
 import java.io.InputStream;
 import java.io.PrintStream;
-import java.net.URLConnection;
 import java.net.HttpURLConnection;
 import java.net.URL;
 import java.util.Arrays;
@@ -310,6 +309,9 @@ public class TestHttpServer {
     Configuration conf = new Configuration();
     conf.setBoolean(CommonConfigurationKeys.HADOOP_SECURITY_AUTHORIZATION,
         true);
+    conf.setBoolean(
+        CommonConfigurationKeys.HADOOP_SECURITY_INSTRUMENTATION_REQUIRES_ADMIN,
+        true);
     conf.set(HttpServer.FILTER_INITIALIZER_PROPERTY,
         DummyFilterInitializer.class.getName());
 
@@ -395,5 +397,31 @@ public class TestHttpServer {
     Assert.assertTrue(HttpServer.hasAdministratorAccess(context, request, response));
 
   }
+  
+  @Test
+  public void testRequiresAuthorizationAccess() throws Exception {
+    Configuration conf = new Configuration();
+    ServletContext context = Mockito.mock(ServletContext.class);
+    Mockito.when(context.getAttribute(HttpServer.CONF_CONTEXT_ATTRIBUTE))
+        .thenReturn(conf);
+    HttpServletRequest request = Mockito.mock(HttpServletRequest.class);
+    HttpServletResponse response = Mockito.mock(HttpServletResponse.class);
 
+    // requires admin access to instrumentation, FALSE by default
+    Assert.assertTrue(HttpServer.isInstrumentationAccessAllowed(context,
+        request, response));
+
+    // requires admin access to instrumentation, TRUE
+    conf.setBoolean(
+        CommonConfigurationKeys.HADOOP_SECURITY_INSTRUMENTATION_REQUIRES_ADMIN,
+        true);
+    conf.setBoolean(CommonConfigurationKeys.HADOOP_SECURITY_AUTHORIZATION, true);
+    AccessControlList acls = Mockito.mock(AccessControlList.class);
+    Mockito.when(acls.isUserAllowed(Mockito.<UserGroupInformation> any()))
+        .thenReturn(false);
+    Mockito.when(context.getAttribute(HttpServer.ADMINS_ACL)).thenReturn(acls);
+    Assert.assertFalse(HttpServer.isInstrumentationAccessAllowed(context,
+        request, response));
+  }
+  
 }
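Review bot: testRequiresAuthorizationAccess never exercises the case where the flag is on and the ACL admits the user, so a regression that denies everyone once `hadoop.security.instrumentation.requires.admin` is set would still pass. Add a third step that re-stubs the ACL with `Mockito.when(acls.isUserAllowed(Mockito.<UserGroupInformation> any())).thenReturn(true);` and then asserts `Assert.assertTrue(HttpServer.isInstrumentationAccessAllowed(context, request, response));`. The mocked request also stubs no remote user, and the body of `hasAdministratorAccess` is not shown here, so it is worth confirming that the denied assertion is reached through the ACL lookup and not an earlier branch. The denied case could additionally verify that an error was written to `response`.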


