hadoop-mapreduce-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From d...@apache.org
Subject svn commit: r953879 - in /hadoop/mapreduce/trunk: CHANGES.txt src/java/org/apache/hadoop/mapred/JobTracker.java
Date Fri, 11 Jun 2010 21:28:36 GMT
Author: ddas
Date: Fri Jun 11 21:28:36 2010
New Revision: 953879

URL: http://svn.apache.org/viewvc?rev=953879&view=rev
Log:
MAPREDUCE-1516. JobTracker issues delegation tokens only if the user's authentication is Kerberos.
Contributed by Jitendra Pandey.

Modified:
    hadoop/mapreduce/trunk/CHANGES.txt
    hadoop/mapreduce/trunk/src/java/org/apache/hadoop/mapred/JobTracker.java

Modified: hadoop/mapreduce/trunk/CHANGES.txt
URL: http://svn.apache.org/viewvc/hadoop/mapreduce/trunk/CHANGES.txt?rev=953879&r1=953878&r2=953879&view=diff
==============================================================================
--- hadoop/mapreduce/trunk/CHANGES.txt (original)
+++ hadoop/mapreduce/trunk/CHANGES.txt Fri Jun 11 21:28:36 2010
@@ -51,6 +51,9 @@ Trunk (unreleased changes)
     MAPREDUCE-1533. Reduce overhead of logging and string manipulation during
     heartbeat processing. (Amar Kamat and Dick King via cdouglas)
 
+    MAPREDUCE-1516. JobTracker issues delegation tokens only if the user's
+    authentication is Kerberos. (Jitendra Pandey via ddas)
+
   OPTIMIZATIONS
 
     MAPREDUCE-1354. Enhancements to JobTracker for better performance and

Modified: hadoop/mapreduce/trunk/src/java/org/apache/hadoop/mapred/JobTracker.java
URL: http://svn.apache.org/viewvc/hadoop/mapreduce/trunk/src/java/org/apache/hadoop/mapred/JobTracker.java?rev=953879&r1=953878&r2=953879&view=diff
==============================================================================
--- hadoop/mapreduce/trunk/src/java/org/apache/hadoop/mapred/JobTracker.java (original)
+++ hadoop/mapreduce/trunk/src/java/org/apache/hadoop/mapred/JobTracker.java Fri Jun 11 21:28:36
2010
@@ -103,6 +103,7 @@ import org.apache.hadoop.security.Groups
 import org.apache.hadoop.security.RefreshUserMappingsProtocol;
 import org.apache.hadoop.security.TokenStorage;
 import org.apache.hadoop.security.UserGroupInformation;
+import org.apache.hadoop.security.UserGroupInformation.AuthenticationMethod;
 import org.apache.hadoop.security.authorize.AuthorizationException;
 import org.apache.hadoop.security.authorize.ProxyUsers;
 import org.apache.hadoop.security.authorize.RefreshAuthorizationPolicyProtocol;
@@ -205,6 +206,15 @@ public class JobTracker implements MRCon
   private MRAsyncDiskService asyncDiskService;
   
   /**
+   * Returns the delegation token secret manager instance in JobTracker.
+   * 
+   * @return DelegationTokenSecretManager object
+   */
+  public DelegationTokenSecretManager getDelegationTokenSecretManager() {
+    return secretManager;
+  }
+  
+  /**
    * A client tried to submit a job before the Job Tracker was ready.
    */
   @InterfaceAudience.Private
@@ -4706,6 +4716,10 @@ public class JobTracker implements MRCon
   public Token<DelegationTokenIdentifier> 
      getDelegationToken(Text renewer
                         )throws IOException, InterruptedException {
+    if (!isAllowedDelegationTokenOp()) {
+      throw new IOException(
+          "Delegation Token can be issued only with kerberos authentication");
+    }
     UserGroupInformation ugi = UserGroupInformation.getCurrentUser();
     Text owner = new Text(ugi.getUserName());
     Text realUser = null;
@@ -4724,6 +4738,10 @@ public class JobTracker implements MRCon
   public long renewDelegationToken(Token<DelegationTokenIdentifier> token
                                       ) throws IOException,
                                                InterruptedException {
+    if (!isAllowedDelegationTokenOp()) {
+      throw new IOException(
+          "Delegation Token can be renewed only with kerberos authentication");
+    }
     String user = UserGroupInformation.getCurrentUser().getUserName();
     return secretManager.renewToken(token, user);
   }
@@ -4731,4 +4749,18 @@ public class JobTracker implements MRCon
   JobACLsManager getJobACLsManager() {
     return jobACLsManager;
   }
+  
+  /**
+   * 
+   * @return true if delegation token operation is allowed
+   */
+  private boolean isAllowedDelegationTokenOp() throws IOException {
+    AuthenticationMethod authMethod = UserGroupInformation
+        .getRealAuthenticationMethod(UserGroupInformation.getCurrentUser());
+    if (UserGroupInformation.isSecurityEnabled()
+        && (authMethod != AuthenticationMethod.KERBEROS)) {
+      return false;
+    }
+    return true;
+  }
 }



Mime
View raw message