Author: atm
Date: Thu May 17 10:28:15 2012
New Revision: 1339543
URL: http://svn.apache.org/viewvc?rev=1339543&view=rev
Log:
HDFS-3433. GetImageServlet should allow administrative requestors when security
is enabled. Contributed by Aaron T. Myers.
Modified:
hadoop/common/branches/branch-2/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/http/HttpServer.java
Modified:
hadoop/common/branches/branch-2/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/http/HttpServer.java
URL:
http://svn.apache.org/viewvc/hadoop/common/branches/branch-2/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/http/HttpServer.java?rev=1339543&r1=1339542&r2=1339543&view=diff
==============================================================================
---
hadoop/common/branches/branch-2/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/http/HttpServer.java
(original)
+++
hadoop/common/branches/branch-2/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/http/HttpServer.java
Thu May 17 10:28:15 2012
@@ -95,7 +95,7 @@ public class HttpServer implements Filte
// The ServletContext attribute where the daemon Configuration
// gets stored.
public static final String CONF_CONTEXT_ATTRIBUTE = "hadoop.conf";
- static final String ADMINS_ACL = "admins.acl";
+ public static final String ADMINS_ACL = "admins.acl";
public static final String SPNEGO_FILTER = "SpnegoFilter";
public static final String BIND_ADDRESS = "bind.address";
@@ -744,7 +744,7 @@ public class HttpServer implements Filte
*
* @param servletContext
* @param request
- * @param response
+ * @param response used to send the error response if user does not have
admin access.
* @return true if admin-authorized, false otherwise
* @throws IOException
*/
@@ -766,18 +766,33 @@ public class HttpServer implements Filte
"authorized to access this page.");
return false;
}
+
+ if (servletContext.getAttribute(ADMINS_ACL) != null &&
+ !userHasAdministratorAccess(servletContext, remoteUser)) {
+ response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "User "
+ + remoteUser + " is unauthorized to access this page.");
+ return false;
+ }
+
+ return true;
+ }
+
+ /**
+ * Get the admin ACLs from the given ServletContext and check if the given
+ * user is in the ACL.
+ *
+ * @param servletContext the context containing the admin ACL.
+ * @param remoteUser the remote user to check for.
+ * @return true if the user is present in the ACL, false if no ACL is set or
+ * the user is not present
+ */
+ public static boolean userHasAdministratorAccess(ServletContext
servletContext,
+ String remoteUser) {
AccessControlList adminsAcl = (AccessControlList) servletContext
.getAttribute(ADMINS_ACL);
UserGroupInformation remoteUserUGI =
UserGroupInformation.createRemoteUser(remoteUser);
- if (adminsAcl != null) {
- if (!adminsAcl.isUserAllowed(remoteUserUGI)) {
- response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "User "
- + remoteUser + " is unauthorized to access this page.");
- return false;
- }
- }
- return true;
+ return adminsAcl != null && adminsAcl.isUserAllowed(remoteUserUGI);
}
/**
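Review bot: The newly public `userHasAdministratorAccess` has no guard for a null or empty `remoteUser`; the null check that protects the in-class call site sits earlier in `hasAdministratorAccess`, before this hunk, so an outside caller (the GetImageServlet named in the log) passing `request.getRemoteUser()` on an unauthenticated request would, if `UserGroupInformation.createRemoteUser` rejects null names as I believe it does, get an IllegalArgumentException instead of `false`. A guard at the top of the helper, `if (remoteUser == null || remoteUser.isEmpty()) { return false; }`, keeps the documented contract of false unless the user is listed. Note also that the two methods disagree when no ACL attribute is set: `hasAdministratorAccess` falls through to `return true` (fails open), while the helper returns false per its Javadoc, so a sentence in the helper's Javadoc such as `Unlike hasAdministratorAccess, this returns false when no ACL is configured.` would help new callers pick the intended behaviour. The ACL attribute is also fetched and cast twice per request (once in the `getAttribute(ADMINS_ACL) != null` test and again inside the helper); minor, but one lookup handed to the helper would be cleaner. `hasAdministratorAccess` begins outside the hunk.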