hbase-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From te...@apache.org
Subject svn commit: r1378268 - in /hbase/branches/0.94: pom.xml security/src/main/java/org/apache/hadoop/hbase/security/token/TokenProvider.java
Date Tue, 28 Aug 2012 18:54:59 GMT
Author: tedyu
Date: Tue Aug 28 18:54:58 2012
New Revision: 1378268

URL: http://svn.apache.org/viewvc?rev=1378268&view=rev
Log:
HBASE-6671 Kerberos authenticated super user should be able to retrieve proxied delegation
tokens (Francis)


Modified:
    hbase/branches/0.94/pom.xml
    hbase/branches/0.94/security/src/main/java/org/apache/hadoop/hbase/security/token/TokenProvider.java

Modified: hbase/branches/0.94/pom.xml
URL: http://svn.apache.org/viewvc/hbase/branches/0.94/pom.xml?rev=1378268&r1=1378267&r2=1378268&view=diff
==============================================================================
--- hbase/branches/0.94/pom.xml (original)
+++ hbase/branches/0.94/pom.xml Tue Aug 28 18:54:58 2012
@@ -1844,7 +1844,7 @@
         </property>
       </activation>
       <properties>
-        <hadoop.version>0.23.2-SNAPSHOT</hadoop.version>
+        <hadoop.version>0.23.3-SNAPSHOT</hadoop.version>
         <slf4j.version>1.6.1</slf4j.version>
       </properties>
       <dependencies>

Modified: hbase/branches/0.94/security/src/main/java/org/apache/hadoop/hbase/security/token/TokenProvider.java
URL: http://svn.apache.org/viewvc/hbase/branches/0.94/security/src/main/java/org/apache/hadoop/hbase/security/token/TokenProvider.java?rev=1378268&r1=1378267&r2=1378268&view=diff
==============================================================================
--- hbase/branches/0.94/security/src/main/java/org/apache/hadoop/hbase/security/token/TokenProvider.java
(original)
+++ hbase/branches/0.94/security/src/main/java/org/apache/hadoop/hbase/security/token/TokenProvider.java
Tue Aug 28 18:54:58 2012
@@ -31,6 +31,7 @@ import org.apache.hadoop.hbase.ipc.Secur
 import org.apache.hadoop.hbase.security.AccessDeniedException;
 import org.apache.hadoop.hbase.security.User;
 import org.apache.hadoop.security.UserGroupInformation;
+import org.apache.hadoop.security.UserGroupInformation.AuthenticationMethod;
 import org.apache.hadoop.security.token.SecretManager;
 import org.apache.hadoop.security.token.Token;
 
@@ -80,8 +81,7 @@ public class TokenProvider extends BaseE
     }
     if (currentUser == null) {
       throw new AccessDeniedException("No authenticated user for request!");
-    } else if (ugi.getAuthenticationMethod() !=
-        UserGroupInformation.AuthenticationMethod.KERBEROS) {
+    } else if (!isAllowedDelegationTokenOp(ugi)) {
       LOG.warn("Token generation denied for user="+currentUser.getName()
           +", authMethod="+ugi.getAuthenticationMethod());
       throw new AccessDeniedException(
@@ -91,6 +91,23 @@ public class TokenProvider extends BaseE
     return secretManager.generateToken(currentUser.getName());
   }
 
+  /**
+   * @param ugi
+   * @return true if delegation token operation is allowed
+   */
+  private boolean isAllowedDelegationTokenOp(UserGroupInformation ugi) throws IOException
{
+    AuthenticationMethod authMethod = ugi.getAuthenticationMethod();
+    if (authMethod == AuthenticationMethod.PROXY) {
+      authMethod = ugi.getRealUser().getAuthenticationMethod();
+    }
+    if (authMethod != AuthenticationMethod.KERBEROS
+        && authMethod != AuthenticationMethod.KERBEROS_SSL
+        && authMethod != AuthenticationMethod.CERTIFICATE) {
+      return false;
+    }
+    return true;
+  }
+
   @Override
   public String whoami() {
     return RequestContext.getRequestUserName();



Mime
View raw message