hadoop-common-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From zjs...@apache.org
Subject [24/29] hadoop git commit: HADOOP-11704. DelegationTokenAuthenticationFilter must pass ipaddress instead of hostname to ProxyUsers#authorize (Anubhav Dhoot via asuresh)
Date Tue, 21 Apr 2015 23:21:45 GMT
HADOOP-11704. DelegationTokenAuthenticationFilter must pass ipaddress instead of hostname to
ProxyUsers#authorize (Anubhav Dhoot via asuresh)


Project: http://git-wip-us.apache.org/repos/asf/hadoop/repo
Commit: http://git-wip-us.apache.org/repos/asf/hadoop/commit/81ec672e
Tree: http://git-wip-us.apache.org/repos/asf/hadoop/tree/81ec672e
Diff: http://git-wip-us.apache.org/repos/asf/hadoop/diff/81ec672e

Branch: refs/heads/YARN-2928
Commit: 81ec672e2ce89ad56c128ed1eb1e68f56ae36d73
Parents: 539f79a
Author: Arun Suresh <asuresh@apache.org>
Authored: Tue Apr 21 11:31:51 2015 -0700
Committer: Zhijie Shen <zjshen@apache.org>
Committed: Tue Apr 21 16:16:56 2015 -0700

----------------------------------------------------------------------
 hadoop-common-project/hadoop-common/CHANGES.txt |  3 ++
 .../DelegationTokenAuthenticationFilter.java    |  2 +-
 .../DelegationTokenAuthenticationHandler.java   |  2 +-
 .../delegation/web/TestWebDelegationToken.java  | 56 +++++++++++++++++++-
 4 files changed, 60 insertions(+), 3 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/hadoop/blob/81ec672e/hadoop-common-project/hadoop-common/CHANGES.txt
----------------------------------------------------------------------
diff --git a/hadoop-common-project/hadoop-common/CHANGES.txt b/hadoop-common-project/hadoop-common/CHANGES.txt
index 230717c..5c6d44a 100644
--- a/hadoop-common-project/hadoop-common/CHANGES.txt
+++ b/hadoop-common-project/hadoop-common/CHANGES.txt
@@ -519,6 +519,9 @@ Release 2.8.0 - UNRELEASED
     HADOOP-11811. Fix typos in hadoop-project/pom.xml and TestAccessControlList.
     (Brahma Reddy Battula via ozawa)
 
+    HADOOP-11704. DelegationTokenAuthenticationFilter must pass ipaddress
+    instead of hostname to ProxyUsers#authorize (Anubhav Dhoot via asuresh)
+
 Release 2.7.1 - UNRELEASED
 
   INCOMPATIBLE CHANGES

http://git-wip-us.apache.org/repos/asf/hadoop/blob/81ec672e/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/DelegationTokenAuthenticationFilter.java
----------------------------------------------------------------------
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/DelegationTokenAuthenticationFilter.java
b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/DelegationTokenAuthenticationFilter.java
index fbd1129..b6e1a76 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/DelegationTokenAuthenticationFilter.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/DelegationTokenAuthenticationFilter.java
@@ -239,7 +239,7 @@ public class DelegationTokenAuthenticationFilter
         if (doAsUser != null) {
           ugi = UserGroupInformation.createProxyUser(doAsUser, ugi);
           try {
-            ProxyUsers.authorize(ugi, request.getRemoteHost());
+            ProxyUsers.authorize(ugi, request.getRemoteAddr());
           } catch (AuthorizationException ex) {
             HttpExceptionUtils.createServletExceptionResponse(response,
                 HttpServletResponse.SC_FORBIDDEN, ex);

http://git-wip-us.apache.org/repos/asf/hadoop/blob/81ec672e/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/DelegationTokenAuthenticationHandler.java
----------------------------------------------------------------------
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/DelegationTokenAuthenticationHandler.java
b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/DelegationTokenAuthenticationHandler.java
index c498f70..3f191de 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/DelegationTokenAuthenticationHandler.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/DelegationTokenAuthenticationHandler.java
@@ -199,7 +199,7 @@ public abstract class DelegationTokenAuthenticationHandler
             requestUgi = UserGroupInformation.createProxyUser(
                 doAsUser, requestUgi);
             try {
-              ProxyUsers.authorize(requestUgi, request.getRemoteHost());
+              ProxyUsers.authorize(requestUgi, request.getRemoteAddr());
             } catch (AuthorizationException ex) {
               HttpExceptionUtils.createServletExceptionResponse(response,
                   HttpServletResponse.SC_FORBIDDEN, ex);

http://git-wip-us.apache.org/repos/asf/hadoop/blob/81ec672e/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/token/delegation/web/TestWebDelegationToken.java
----------------------------------------------------------------------
diff --git a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/token/delegation/web/TestWebDelegationToken.java
b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/token/delegation/web/TestWebDelegationToken.java
index 87c3105..d18f968 100644
--- a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/token/delegation/web/TestWebDelegationToken.java
+++ b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/token/delegation/web/TestWebDelegationToken.java
@@ -35,6 +35,7 @@ import org.junit.After;
 import org.junit.Assert;
 import org.junit.Before;
 import org.junit.Test;
+import org.mortbay.jetty.AbstractConnector;
 import org.mortbay.jetty.Connector;
 import org.mortbay.jetty.Server;
 import org.mortbay.jetty.servlet.Context;
@@ -658,7 +659,7 @@ public class TestWebDelegationToken {
       org.apache.hadoop.conf.Configuration conf =
           new org.apache.hadoop.conf.Configuration(false);
       conf.set("proxyuser.client.users", OK_USER);
-      conf.set("proxyuser.client.hosts", "localhost");
+      conf.set("proxyuser.client.hosts", "127.0.0.1");
       return conf;
     }
   }
@@ -752,6 +753,7 @@ public class TestWebDelegationToken {
     Context context = new Context();
     context.setContextPath("/foo");
     jetty.setHandler(context);
+    ((AbstractConnector)jetty.getConnectors()[0]).setResolveNames(true);
     context.addFilter(new FilterHolder(KDTAFilter.class), "/*", 0);
     context.addServlet(new ServletHolder(UserServlet.class), "/bar");
     try {
@@ -969,4 +971,56 @@ public class TestWebDelegationToken {
     }
   }
 
+  public static class IpAddressBasedPseudoDTAFilter extends PseudoDTAFilter {
+    @Override
+    protected org.apache.hadoop.conf.Configuration getProxyuserConfiguration
+            (FilterConfig filterConfig) throws ServletException {
+      org.apache.hadoop.conf.Configuration configuration = super
+              .getProxyuserConfiguration(filterConfig);
+      configuration.set("proxyuser.foo.hosts", "127.0.0.1");
+      return configuration;
+    }
+  }
+
+  @Test
+  public void testIpaddressCheck() throws Exception {
+    final Server jetty = createJettyServer();
+    ((AbstractConnector)jetty.getConnectors()[0]).setResolveNames(true);
+    Context context = new Context();
+    context.setContextPath("/foo");
+    jetty.setHandler(context);
+
+    context.addFilter(new FilterHolder(IpAddressBasedPseudoDTAFilter.class), "/*", 0);
+    context.addServlet(new ServletHolder(UGIServlet.class), "/bar");
+
+    try {
+      jetty.start();
+      final URL url = new URL(getJettyURL() + "/foo/bar");
+
+      UserGroupInformation ugi = UserGroupInformation.createRemoteUser(FOO_USER);
+      ugi.doAs(new PrivilegedExceptionAction<Void>() {
+        @Override
+        public Void run() throws Exception {
+          DelegationTokenAuthenticatedURL.Token token =
+                  new DelegationTokenAuthenticatedURL.Token();
+          DelegationTokenAuthenticatedURL aUrl =
+                  new DelegationTokenAuthenticatedURL();
+
+          // user ok-user via proxyuser foo
+          HttpURLConnection conn = aUrl.openConnection(url, token, OK_USER);
+          Assert.assertEquals(HttpURLConnection.HTTP_OK,
+                  conn.getResponseCode());
+          List<String> ret = IOUtils.readLines(conn.getInputStream());
+          Assert.assertEquals(1, ret.size());
+          Assert.assertEquals("realugi=" + FOO_USER +":remoteuser=" + OK_USER +
+                  ":ugi=" + OK_USER, ret.get(0));
+
+          return null;
+        }
+      });
+    } finally {
+      jetty.stop();
+    }
+  }
+
 }


Mime
View raw message