Return-Path: X-Original-To: apmail-hadoop-hdfs-commits-archive@minotaur.apache.org Delivered-To: apmail-hadoop-hdfs-commits-archive@minotaur.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id 9D73470B9 for ; Thu, 6 Oct 2011 21:30:33 +0000 (UTC) Received: (qmail 30873 invoked by uid 500); 6 Oct 2011 21:30:33 -0000 Delivered-To: apmail-hadoop-hdfs-commits-archive@hadoop.apache.org Received: (qmail 30849 invoked by uid 500); 6 Oct 2011 21:30:33 -0000 Mailing-List: contact hdfs-commits-help@hadoop.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: hdfs-dev@hadoop.apache.org Delivered-To: mailing list hdfs-commits@hadoop.apache.org Received: (qmail 30841 invoked by uid 99); 6 Oct 2011 21:30:33 -0000 Received: from nike.apache.org (HELO nike.apache.org) (192.87.106.230) by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 06 Oct 2011 21:30:33 +0000 X-ASF-Spam-Status: No, hits=-2000.0 required=5.0 tests=ALL_TRUSTED X-Spam-Check-By: apache.org Received: from [140.211.11.4] (HELO eris.apache.org) (140.211.11.4) by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 06 Oct 2011 21:30:29 +0000 Received: from eris.apache.org (localhost [127.0.0.1]) by eris.apache.org (Postfix) with ESMTP id 7B0B523888FE; Thu, 6 Oct 2011 21:30:07 +0000 (UTC) Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Subject: svn commit: r1179861 - in /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs: ./ src/main/java/org/apache/hadoop/hdfs/ src/main/java/org/apache/hadoop/hdfs/server/namenode/ src/main/java/org/apache/hadoop/hdfs/web/ src/main/java/org/apache/hadoop/hdf... Date: Thu, 06 Oct 2011 21:30:07 -0000 To: hdfs-commits@hadoop.apache.org 
From: jitendra@apache.org X-Mailer: svnmailer-1.0.8-patched Message-Id: <20111006213007.7B0B523888FE@eris.apache.org> X-Virus-Checked: Checked by ClamAV on apache.org Author: jitendra Date: Thu Oct 6 21:30:06 2011 New Revision: 1179861 URL: http://svn.apache.org/viewvc?rev=1179861&view=rev Log: HDFS-2409. _HOST in dfs.web.authentication.kerberos.principal. Incorporates HDFS-2405 as well. Added: hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/web/TestAuthFilter.java Modified: hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DFSConfigKeys.java hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/NameNodeHttpServer.java hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/web/AuthFilter.java hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/web/resources/UserProvider.java Modified: hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt URL: http://svn.apache.org/viewvc/hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt?rev=1179861&r1=1179860&r2=1179861&view=diff ============================================================================== --- hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt (original) +++ hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt Thu Oct 6 21:30:06 2011 
@@ -100,6 +100,8 @@ Trunk (unreleased changes) HDFS-2403. NamenodeWebHdfsMethods.generateDelegationToken(..) does not use the renewer parameter. (szetszwo) + HDFS-2409. _HOST in dfs.web.authentication.kerberos.principal. (jitendra) + Release 0.23.0 - Unreleased INCOMPATIBLE CHANGES Modified: hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DFSConfigKeys.java URL: http://svn.apache.org/viewvc/hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DFSConfigKeys.java?rev=1179861&r1=1179860&r2=1179861&view=diff ============================================================================== --- hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DFSConfigKeys.java (original) +++ hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DFSConfigKeys.java Thu Oct 6 21:30:06 2011 
@@ -282,4 +282,6 @@ public class DFSConfigKeys extends Commo public static final String DFS_NAMENODE_DU_RESERVED_KEY = "dfs.namenode.resource.du.reserved"; public static final long DFS_NAMENODE_DU_RESERVED_DEFAULT = 1024 * 1024 * 100; // 100 MB public static final String DFS_NAMENODE_CHECKED_VOLUMES_KEY = "dfs.namenode.resource.checked.volumes"; + public static final String DFS_WEB_AUTHENTICATION_KERBEROS_PRINCIPAL_KEY = "dfs.web.authentication.kerberos.principal"; + public static final String DFS_WEB_AUTHENTICATION_KERBEROS_KEYTAB_KEY = "dfs.web.authentication.kerberos.keytab"; } Modified: hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/NameNodeHttpServer.java URL: http://svn.apache.org/viewvc/hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/NameNodeHttpServer.java?rev=1179861&r1=1179860&r2=1179861&view=diff ============================================================================== --- hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/NameNodeHttpServer.java (original) +++ hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/NameNodeHttpServer.java Thu Oct 6 21:30:06 2011 @@ -20,6 +20,8 @@ package org.apache.hadoop.hdfs.server.na import java.io.IOException; import java.net.InetSocketAddress; import java.security.PrivilegedExceptionAction; +import java.util.HashMap; +import java.util.Map; import javax.servlet.ServletContext; 
@@ -108,7 +110,8 @@ public class NameNodeHttpServer { final String name = "SPNEGO"; final String classname = AuthFilter.class.getName(); final String pathSpec = "/" + WebHdfsFileSystem.PATH_PREFIX + "/*"; - defineFilter(webAppContext, name, classname, null, + Map params = getAuthFilterParams(conf); + defineFilter(webAppContext, name, classname, params, new String[]{pathSpec}); LOG.info("Added filter '" + name + "' (class=" + classname + ")"); 
@@ -118,6 +121,30 @@ public class NameNodeHttpServer { + ";" + Param.class.getPackage().getName(), pathSpec); } } + + private Map getAuthFilterParams(Configuration conf) + throws IOException { + Map params = new HashMap(); + String principalInConf = conf + .get(DFSConfigKeys.DFS_WEB_AUTHENTICATION_KERBEROS_PRINCIPAL_KEY); + if (principalInConf != null && !principalInConf.isEmpty()) { + params + .put( + DFSConfigKeys.DFS_WEB_AUTHENTICATION_KERBEROS_PRINCIPAL_KEY, + SecurityUtil.getServerPrincipal(principalInConf, + infoHost)); + } + String httpKeytab = conf + .get(DFSConfigKeys.DFS_WEB_AUTHENTICATION_KERBEROS_KEYTAB_KEY); + if (httpKeytab != null && !httpKeytab.isEmpty()) { + params.put( + DFSConfigKeys.DFS_WEB_AUTHENTICATION_KERBEROS_KEYTAB_KEY, + httpKeytab); + } + params.put("kerberos.name.rules", + conf.get("hadoop.security.auth_to_local", "DEFAULT")); + return params; + } }; boolean certSSL = conf.getBoolean("dfs.https.enable", false); Modified: hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/web/AuthFilter.java URL: http://svn.apache.org/viewvc/hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/web/AuthFilter.java?rev=1179861&r1=1179860&r2=1179861&view=diff ============================================================================== --- hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/web/AuthFilter.java (original) +++ hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/web/AuthFilter.java Thu Oct 6 21:30:06 2011 
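Review bot: The `kerberos.name.rules` entry in `getAuthFilterParams` is stored without the `dfs.web.authentication.` prefix that the principal and keytab keys carry, while `AuthFilter.getConfiguration` in this same commit reads its init parameters through `super.getConfiguration(CONF_PREFIX, config)`. If the parent keeps only names that start with the prefix, as the javadoc ("The prefix is removed from the returned property names") and the new test's expectations suggest, the `hadoop.security.auth_to_local` rules would never reach the Kerberos handler, and SPNEGO principals would be mapped to user names by whatever default the handler falls back to. I would write the key with the prefix, `params.put("dfs.web.authentication.kerberos.name.rules", conf.get("hadoop.security.auth_to_local", "DEFAULT"));`, and assert the resulting `kerberos.name.rules` property in `TestAuthFilter`. Separately, an unset principal or keytab is silently omitted; a `LOG.warn` in those two branches when security is enabled would make a misconfigured SPNEGO endpoint easier to diagnose. The enclosing class body starts outside the hunk.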
@@ -17,12 +17,11 @@ */ package org.apache.hadoop.hdfs.web; -import java.util.Map; import java.util.Properties; import javax.servlet.FilterConfig; +import javax.servlet.ServletException; -import org.apache.hadoop.conf.Configuration; import org.apache.hadoop.security.UserGroupInformation; import org.apache.hadoop.security.authentication.server.AuthenticationFilter; import org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler; 
@@ -41,30 +40,21 @@ public class AuthFilter extends Authenti * The prefix is removed from the returned property names. * * @param prefix parameter not used. - * @param config parameter not used. + * @param config parameter contains the initialization values. * @return Hadoop-Auth configuration properties. + * @throws ServletException */ @Override - protected Properties getConfiguration(String prefix, FilterConfig config) { - final Configuration conf = new Configuration(); - final Properties p = new Properties(); - - //set authentication type + protected Properties getConfiguration(String prefix, FilterConfig config) + throws ServletException { + final Properties p = super.getConfiguration(CONF_PREFIX, config); + // set authentication type p.setProperty(AUTH_TYPE, UserGroupInformation.isSecurityEnabled()? KerberosAuthenticationHandler.TYPE: PseudoAuthenticationHandler.TYPE); //For Pseudo Authentication, allow anonymous. p.setProperty(PseudoAuthenticationHandler.ANONYMOUS_ALLOWED, "true"); //set cookie path p.setProperty(COOKIE_PATH, "/"); - - //set other configurations with CONF_PREFIX - for (Map.Entry entry : conf) { - final String key = entry.getKey(); - if (key.startsWith(CONF_PREFIX)) { - //remove prefix from the key and set property - p.setProperty(key.substring(CONF_PREFIX.length()), conf.get(key)); - } - } - return p; + return p; } } \ No newline at end of file Modified: hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/web/resources/UserProvider.java URL: http://svn.apache.org/viewvc/hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/web/resources/UserProvider.java?rev=1179861&r1=1179860&r2=1179861&view=diff ============================================================================== --- hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/web/resources/UserProvider.java (original) +++ 
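Review bot: The three `p.setProperty(...)` calls in `getConfiguration` now run after `super.getConfiguration(CONF_PREFIX, config)`, so they overwrite whatever the filter's init parameters supplied, whereas the removed loop applied the configured `CONF_PREFIX` keys last. In particular `PseudoAuthenticationHandler.ANONYMOUS_ALLOWED` is forced to "true" on every call, and a deployment cannot turn anonymous access off through an init parameter. If that is intended, the comment should say so, e.g. `// Fixed values: these deliberately override any init parameter of the same name.`; otherwise apply the default only when the key is absent, `if (p.getProperty(PseudoAuthenticationHandler.ANONYMOUS_ALLOWED) == null) { p.setProperty(PseudoAuthenticationHandler.ANONYMOUS_ALLOWED, "true"); }`. The bare `@throws ServletException` tag also needs a description of when it is thrown.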
hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/web/resources/UserProvider.java Thu Oct 6 21:30:06 2011 @@ -20,6 +20,7 @@ package org.apache.hadoop.hdfs.web.resou import java.io.IOException; import java.lang.reflect.Type; +import javax.servlet.ServletContext; import javax.servlet.http.HttpServletRequest; import javax.ws.rs.core.Context; import javax.ws.rs.ext.Provider; @@ -42,11 +43,12 @@ public class UserProvider extends AbstractHttpContextInjectable implements InjectableProvider { @Context HttpServletRequest request; + @Context ServletContext servletcontext; @Override public UserGroupInformation getValue(final HttpContext context) { - final Configuration conf = (Configuration)context.getProperties().get( - JspHelper.CURRENT_CONF); + final Configuration conf = (Configuration) servletcontext + .getAttribute(JspHelper.CURRENT_CONF); try { return JspHelper.getUGI(null, request, conf, AuthenticationMethod.KERBEROS, false); Added: hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/web/TestAuthFilter.java URL: http://svn.apache.org/viewvc/hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/web/TestAuthFilter.java?rev=1179861&view=auto ============================================================================== --- hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/web/TestAuthFilter.java (added) +++ hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/web/TestAuthFilter.java Thu Oct 6 21:30:06 2011 
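Review bot: `servletcontext.getAttribute(JspHelper.CURRENT_CONF)` in `getValue` returns null when that attribute was never set on the context, and the cast result is handed straight to `JspHelper.getUGI(null, request, conf, ...)`; nothing in the hunk shows whether `getUGI` tolerates a null configuration. Since this call decides which user the request runs as, I would fail explicitly before it: `if (conf == null) { throw new IllegalStateException("Configuration attribute not set on ServletContext"); }`. The injected field would also read better as `servletContext`. `getValue` continues past the end of the hunk, so how the existing `try` handles errors is not visible here.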
@@ -0,0 +1,78 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.hadoop.hdfs.web; + +import java.util.Collections; +import java.util.Enumeration; +import java.util.HashMap; +import java.util.Map; +import java.util.Properties; + +import javax.servlet.FilterConfig; +import javax.servlet.ServletContext; +import javax.servlet.ServletException; + +import org.apache.hadoop.hdfs.DFSConfigKeys; +import org.apache.hadoop.security.authentication.server.PseudoAuthenticationHandler; +import org.junit.Assert; +import org.junit.Test; + +public class TestAuthFilter { + + private static class DummyFilterConfig implements FilterConfig { + final Map map; + + DummyFilterConfig(Map map) { + this.map = map; + } + + @Override + public String getFilterName() { + return "dummy"; + } + @Override + public String getInitParameter(String arg0) { + return map.get(arg0); + } + @Override + public Enumeration getInitParameterNames() { + return Collections.enumeration(map.keySet()); + } + @Override + public ServletContext getServletContext() { + return null; + } + } + + @Test + public void testGetConfiguration() throws ServletException { + AuthFilter filter = new AuthFilter(); + Map m = new HashMap(); + 
m.put(DFSConfigKeys.DFS_WEB_AUTHENTICATION_KERBEROS_PRINCIPAL_KEY, + "xyz/thehost@REALM"); + m.put(DFSConfigKeys.DFS_WEB_AUTHENTICATION_KERBEROS_KEYTAB_KEY, + "thekeytab"); + FilterConfig config = new DummyFilterConfig(m); + Properties p = filter.getConfiguration("random", config); + Assert.assertEquals("xyz/thehost@REALM", + p.getProperty("kerberos.principal")); + Assert.assertEquals("thekeytab", p.getProperty("kerberos.keytab")); + Assert.assertEquals("true", + p.getProperty(PseudoAuthenticationHandler.ANONYMOUS_ALLOWED)); + } +}
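Review bot: `testGetConfiguration` passes an already-resolved principal (`xyz/thehost@REALM`), so the `_HOST` substitution this commit is about, done in `NameNodeHttpServer.getAuthFilterParams` through `SecurityUtil.getServerPrincipal`, is not exercised by any test in the change. The test also never checks the authentication type, nor that an init parameter without the `dfs.web.authentication.` prefix is left out of the returned properties, although both decide how the WebHDFS endpoint authenticates. I would add a non-prefixed entry to `m` and assert that `p.getProperty(...)` returns null for it. I would also add `Assert.assertEquals(PseudoAuthenticationHandler.TYPE, p.getProperty(AuthFilter.AUTH_TYPE));`, which holds only if security is disabled in the test JVM.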