From szets...@apache.org
Subject svn commit: r931320 - in /hadoop/hdfs/trunk: CHANGES.txt src/contrib/hdfsproxy/conf/tomcat-web.xml src/contrib/hdfsproxy/src/java/org/apache/hadoop/hdfsproxy/KerberosAuthorizationFilter.java
Date Tue, 06 Apr 2010 20:46:13 GMT
Author: szetszwo
Date: Tue Apr  6 20:46:13 2010
New Revision: 931320

URL: http://svn.apache.org/viewvc?rev=931320&view=rev
Log:
HDFS-1009. Support Kerberos authorization in HDFSProxy.  Contributed by Srikanth Sundarrajan

Added:
    hadoop/hdfs/trunk/src/contrib/hdfsproxy/src/java/org/apache/hadoop/hdfsproxy/KerberosAuthorizationFilter.java
Modified:
    hadoop/hdfs/trunk/CHANGES.txt
    hadoop/hdfs/trunk/src/contrib/hdfsproxy/conf/tomcat-web.xml

Modified: hadoop/hdfs/trunk/CHANGES.txt
URL: http://svn.apache.org/viewvc/hadoop/hdfs/trunk/CHANGES.txt?rev=931320&r1=931319&r2=931320&view=diff
==============================================================================
--- hadoop/hdfs/trunk/CHANGES.txt (original)
+++ hadoop/hdfs/trunk/CHANGES.txt Tue Apr  6 20:46:13 2010
@@ -30,6 +30,9 @@ Trunk (unreleased changes)
     HDFS-245. Adds a symlink implementation to HDFS. This complements the new 
     symlink feature added in HADOOP-6421 (Eli Collins via Sanjay Radia)
 
+    HDFS-1009. Support Kerberos authorization in HDFSProxy.  (Srikanth
+    Sundarrajan via szetszwo)
+
   IMPROVEMENTS
     HDFS-968. Use StringBuilder instead of StringBuffer for better
     performance. (Kay Kay via suresh)

Modified: hadoop/hdfs/trunk/src/contrib/hdfsproxy/conf/tomcat-web.xml
URL: http://svn.apache.org/viewvc/hadoop/hdfs/trunk/src/contrib/hdfsproxy/conf/tomcat-web.xml?rev=931320&r1=931319&r2=931320&view=diff
==============================================================================
--- hadoop/hdfs/trunk/src/contrib/hdfsproxy/conf/tomcat-web.xml (original)
+++ hadoop/hdfs/trunk/src/contrib/hdfsproxy/conf/tomcat-web.xml Tue Apr  6 20:46:13 2010
@@ -64,7 +64,7 @@
 
     <filter>
         <filter-name>authorizationFilter</filter-name>
-        <filter-class>org.apache.hadoop.hdfsproxy.AuthorizationFilter</filter-class>
+        <filter-class>org.apache.hadoop.hdfsproxy.KerberosAuthorizationFilter</filter-class>
     </filter>
 
     <filter-mapping>
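Review bot: Switching the shipped `authorizationFilter` to KerberosAuthorizationFilter makes a keytab login a start-up precondition for every deployment that uses this web.xml, and nothing next to the filter entry says so. In the same commit, `initializeUGI` passes `conf.get("hdfsproxy.kerberos.principal")` and `conf.get("hdfsproxy.kerberos.keytab")` to `loginUserFromKeytab` unchecked and rethrows an IOException from the login as a RuntimeException during filter init, so an operator who has not set them gets only "Unable to initialize credentials". I would add a comment above the `<filter>` element such as `<!-- requires hdfsproxy.kerberos.principal and hdfsproxy.kerberos.keytab (optionally hdfsproxy.kerberos.default.realm) in hdfsproxy-site.xml; the keytab must be readable only by the proxy's service account -->`. The `<filter-mapping>` element continues outside the hunk.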

Added: hadoop/hdfs/trunk/src/contrib/hdfsproxy/src/java/org/apache/hadoop/hdfsproxy/KerberosAuthorizationFilter.java
URL: http://svn.apache.org/viewvc/hadoop/hdfs/trunk/src/contrib/hdfsproxy/src/java/org/apache/hadoop/hdfsproxy/KerberosAuthorizationFilter.java?rev=931320&view=auto
==============================================================================
--- hadoop/hdfs/trunk/src/contrib/hdfsproxy/src/java/org/apache/hadoop/hdfsproxy/KerberosAuthorizationFilter.java
(added)
+++ hadoop/hdfs/trunk/src/contrib/hdfsproxy/src/java/org/apache/hadoop/hdfsproxy/KerberosAuthorizationFilter.java
Tue Apr  6 20:46:13 2010
@@ -0,0 +1,89 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.hadoop.hdfsproxy;
+
+import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.fs.CommonConfigurationKeys;
+import org.apache.hadoop.security.UserGroupInformation;
+
+import javax.servlet.FilterConfig;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import java.io.IOException;
+
+/**
+ * This filter is required for hdfsproxies connecting to HDFS
+ * with kerberos authentication. Keytab file and principal to
+ * use for proxy user is retrieved from a configuration file.
+ * If user attribute in ldap doesn't kerberos realm, the 
+ * default realm is picked up from configuration. 
+ */
+public class KerberosAuthorizationFilter
+    extends AuthorizationFilter {
+
+  private String defaultRealm;
+
+  @Override
+  public void init(FilterConfig filterConfig) throws ServletException {
+    super.init(filterConfig);
+    Configuration conf = new Configuration(false);
+    conf.addResource("hdfsproxy-default.xml");
+    conf.addResource("hdfsproxy-site.xml");
+    initializeUGI(conf);
+    initDefaultRealm(conf);
+  }
+
+  private void initializeUGI(Configuration conf) {
+    try {
+      conf.set(CommonConfigurationKeys.HADOOP_SECURITY_AUTHENTICATION,
+          "kerberos");
+
+      UserGroupInformation.setConfiguration(conf);
+      UserGroupInformation.loginUserFromKeytab(
+          conf.get("hdfsproxy.kerberos.principal"),
+          conf.get("hdfsproxy.kerberos.keytab"));
+
+      LOG.info("Logged in user: " +
+          UserGroupInformation.getLoginUser().getUserName() +
+          ", Current User: " + UserGroupInformation.getCurrentUser().getUserName());
+
+    } catch (IOException e) {
+      throw new RuntimeException("Unable to initialize credentials", e);
+    }
+  }
+
+  private void initDefaultRealm(Configuration conf) {
+    defaultRealm = conf.get("hdfsproxy.kerberos.default.realm","");
+  }
+
+  @Override
+  /** If the userid does not have realm, add the default realm */
+  protected String getUserId(ServletRequest request) {
+    String userId = (String) request.
+        getAttribute("org.apache.hadoop.hdfsproxy.authorized.userID");
+    return userId +
+        (userId.indexOf('@') > 0 ? "" : defaultRealm);
+  }
+
+  @Override
+  protected String getGroups(ServletRequest request) {
+    return (String) request.
+        getAttribute("org.apache.hadoop.hdfsproxy.authorized.role");
+  }
+}
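Review bot: In `getUserId` the request attribute `org.apache.hadoop.hdfsproxy.authorized.userID` is dereferenced with `userId.indexOf('@')` without a null check, so a request that reaches this filter without the attribute set ends in a NullPointerException rather than an explicit authorization decision. The filter that sets the attribute and the parent's handling of a missing identity are not visible here, so I would add an explicit `if (userId == null)` branch that follows whatever AuthorizationFilter does for an unidentified caller. The default realm is also appended verbatim, so `hdfsproxy.kerberos.default.realm` has to start with '@' itself or the result is an id like `aliceEXAMPLE.COM` (constructed example); `initDefaultRealm` could normalise it with `if (defaultRealm.length() > 0 && !defaultRealm.startsWith("@")) defaultRealm = "@" + defaultRealm;`. When the property is unset the default is the empty string and a realm-less id is returned unchanged, which the class Javadoc should state, and its phrase "doesn't kerberos realm" is missing a verb ("doesn't contain a kerberos realm").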


