Return-Path: X-Original-To: apmail-hadoop-common-commits-archive@www.apache.org Delivered-To: apmail-hadoop-common-commits-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id BB9501120E for ; Wed, 10 Sep 2014 05:25:01 +0000 (UTC) Received: (qmail 59270 invoked by uid 500); 10 Sep 2014 05:25:01 -0000 Delivered-To: apmail-hadoop-common-commits-archive@hadoop.apache.org Received: (qmail 59096 invoked by uid 500); 10 Sep 2014 05:25:01 -0000 Mailing-List: contact common-commits-help@hadoop.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: common-dev@hadoop.apache.org Delivered-To: mailing list common-commits@hadoop.apache.org Received: (qmail 58936 invoked by uid 99); 10 Sep 2014 05:25:01 -0000 Received: from tyr.zones.apache.org (HELO tyr.zones.apache.org) (140.211.11.114) by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 10 Sep 2014 05:25:01 +0000 Received: by tyr.zones.apache.org (Postfix, from userid 65534) id F28AF932F; Wed, 10 Sep 2014 05:25:00 +0000 (UTC) Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit From: tucu@apache.org To: common-commits@hadoop.apache.org Date: Wed, 10 Sep 2014 05:25:01 -0000 Message-Id: <1b396fe3c1c34066a7dc601e1ac3324e@git.apache.org> In-Reply-To: <4e831beae88f41acb2d1ec1ebe8517e3@git.apache.org> References: <4e831beae88f41acb2d1ec1ebe8517e3@git.apache.org> X-Mailer: ASF-Git Admin Mailer Subject: [2/3] git commit: HADOOP-11077. NPE if hosts not specified in ProxyUsers. (gchanan via tucu) HADOOP-11077. NPE if hosts not specified in ProxyUsers. (gchanan via tucu) Project: http://git-wip-us.apache.org/repos/asf/hadoop/repo Commit: http://git-wip-us.apache.org/repos/asf/hadoop/commit/d0e21165 Tree: http://git-wip-us.apache.org/repos/asf/hadoop/tree/d0e21165 Diff: http://git-wip-us.apache.org/repos/asf/hadoop/diff/d0e21165 Branch: refs/heads/branch-2 Commit: d0e211650244516abdef6ee212303af135167e39 Parents: 16a4558 Author: Alejandro Abdelnur Authored: Tue Sep 9 22:18:03 2014 -0700 Committer: Alejandro Abdelnur Committed: Tue Sep 9 22:20:43 2014 -0700 ---------------------------------------------------------------------- hadoop-common-project/hadoop-common/CHANGES.txt | 2 ++ .../authorize/DefaultImpersonationProvider.java | 2 +- .../hadoop/security/authorize/TestProxyUsers.java | 15 +++++++++++++++ 3 files changed, 18 insertions(+), 1 deletion(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/hadoop/blob/d0e21165/hadoop-common-project/hadoop-common/CHANGES.txt ---------------------------------------------------------------------- diff --git a/hadoop-common-project/hadoop-common/CHANGES.txt b/hadoop-common-project/hadoop-common/CHANGES.txt index b414e53..b94198c 100644 --- a/hadoop-common-project/hadoop-common/CHANGES.txt +++ b/hadoop-common-project/hadoop-common/CHANGES.txt @@ -442,6 +442,8 @@ Release 2.6.0 - UNRELEASED HADOOP-10925. Compilation fails in native link0 function on Windows. (cnauroth) + HADOOP-11077. NPE if hosts not specified in ProxyUsers. (gchanan via tucu) + Release 2.5.1 - UNRELEASED INCOMPATIBLE CHANGES http://git-wip-us.apache.org/repos/asf/hadoop/blob/d0e21165/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/authorize/DefaultImpersonationProvider.java ---------------------------------------------------------------------- diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/authorize/DefaultImpersonationProvider.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/authorize/DefaultImpersonationProvider.java index ab1c390..b36ac80 100644 --- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/authorize/DefaultImpersonationProvider.java +++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/authorize/DefaultImpersonationProvider.java @@ -123,7 +123,7 @@ public class DefaultImpersonationProvider implements ImpersonationProvider { MachineList MachineList = proxyHosts.get( getProxySuperuserIpConfKey(realUser.getShortUserName())); - if(!MachineList.includes(remoteAddress)) { + if(MachineList == null || !MachineList.includes(remoteAddress)) { throw new AuthorizationException("Unauthorized connection for super-user: " + realUser.getUserName() + " from IP " + remoteAddress); } http://git-wip-us.apache.org/repos/asf/hadoop/blob/d0e21165/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/authorize/TestProxyUsers.java ---------------------------------------------------------------------- diff --git a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/authorize/TestProxyUsers.java b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/authorize/TestProxyUsers.java index dbcac67..8ff4bfb 100644 --- a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/authorize/TestProxyUsers.java +++ b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/authorize/TestProxyUsers.java @@ -478,6 +478,21 @@ public class TestProxyUsers { assertNotAuthorized(proxyUserUgi, "1.2.3.5"); } + @Test + public void testNoHostsForUsers() throws Exception { + Configuration conf = new Configuration(false); + conf.set("y." + REAL_USER_NAME + ".users", + StringUtils.join(",", Arrays.asList(AUTHORIZED_PROXY_USER_NAME))); + ProxyUsers.refreshSuperUserGroupsConfiguration(conf, "y"); + + UserGroupInformation realUserUgi = UserGroupInformation + .createRemoteUser(REAL_USER_NAME); + UserGroupInformation proxyUserUgi = UserGroupInformation.createProxyUserForTesting( + AUTHORIZED_PROXY_USER_NAME, realUserUgi, GROUP_NAMES); + + // IP doesn't matter + assertNotAuthorized(proxyUserUgi, "1.2.3.4"); + } private void assertNotAuthorized(UserGroupInformation proxyUgi, String host) { try {