Repository: hadoop
Updated Branches:
  refs/heads/branch-2.8 74782e7e4 -> b2667441e


HADOOP-13707. Skip authorization for anonymous user to access Hadoop
web interface in non-secure environment.  (Yuanbo Liu via eyang)


Project: http://git-wip-us.apache.org/repos/asf/hadoop/repo
Commit: http://git-wip-us.apache.org/repos/asf/hadoop/commit/b2667441
Tree: http://git-wip-us.apache.org/repos/asf/hadoop/tree/b2667441
Diff: http://git-wip-us.apache.org/repos/asf/hadoop/diff/b2667441

Branch: refs/heads/branch-2.8
Commit: b2667441e63004b3159158cf5797618073efcf53
Parents: 74782e7
Author: Eric Yang <ey...@apache.org>
Authored: Mon Oct 17 08:12:04 2016 -0700
Committer: Eric Yang <ey...@apache.org>
Committed: Mon Oct 17 08:12:04 2016 -0700

----------------------------------------------------------------------
 .../org/apache/hadoop/conf/ConfServlet.java     |  8 +++++-
 .../hadoop/http/AdminAuthorizedServlet.java     | 11 +++++--
 .../org/apache/hadoop/http/HttpServer2.java     | 30 ++++++++++++++++++--
 .../org/apache/hadoop/jmx/JMXJsonServlet.java   |  8 +++++-
 .../java/org/apache/hadoop/log/LogLevel.java    | 10 +++++--
 .../apache/hadoop/metrics/MetricsServlet.java   | 10 +++++--
 .../org/apache/hadoop/http/TestHttpServer.java  | 19 +++++++++++--
 7 files changed, 81 insertions(+), 15 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/hadoop/blob/b2667441/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/conf/ConfServlet.java
----------------------------------------------------------------------
diff --git 
a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/conf/ConfServlet.java
 
b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/conf/ConfServlet.java
index c7f11b3..d4b34e9 100644
--- 
a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/conf/ConfServlet.java
+++ 
b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/conf/ConfServlet.java
@@ -20,6 +20,7 @@ package org.apache.hadoop.conf;
 import java.io.IOException;
 import java.io.Writer;
 
+import javax.servlet.ServletContext;
 import javax.servlet.ServletException;
 import javax.servlet.http.HttpServlet;
 import javax.servlet.http.HttpServletRequest;
@@ -56,7 +57,12 @@ public class ConfServlet extends HttpServlet {
   public void doGet(HttpServletRequest request, HttpServletResponse response)
       throws ServletException, IOException {
 
-    if (!HttpServer2.isInstrumentationAccessAllowed(getServletContext(),
+    // If user is a static user and auth Type is null, that means
+    // there is a non-security environment and no need authorization,
+    // otherwise, do the authorization.
+    final ServletContext servletContext = getServletContext();
+    if (!HttpServer2.isStaticUserAndNoneAuthType(servletContext, request) &&
+        !HttpServer2.isInstrumentationAccessAllowed(servletContext,
                                                    request, response)) {
       return;
     }
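Review bot: Because the new `&&` short-circuits before `isInstrumentationAccessAllowed`, neither `hadoop.security.instrumentation.requires.admin` nor the admin ACL is consulted for /conf once the request is attributed to the static user, and /conf returns the full effective configuration. Configuration values may include material an operator would not hand to an anonymous client (credential-provider paths, keystore password properties and the like), so the in-code comment should state that this is a deliberate exposure rather than "no need authorization". Suggested wording: `// No authentication filter is installed and the caller is the static user: skip the admin/instrumentation checks entirely. NOTE: this makes the full config readable by unauthenticated clients.` The remainder of doGet lies outside the hunk.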

http://git-wip-us.apache.org/repos/asf/hadoop/blob/b2667441/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/http/AdminAuthorizedServlet.java
----------------------------------------------------------------------
diff --git 
a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/http/AdminAuthorizedServlet.java
 
b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/http/AdminAuthorizedServlet.java
index ef562b4..e591ab4 100644
--- 
a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/http/AdminAuthorizedServlet.java
+++ 
b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/http/AdminAuthorizedServlet.java
@@ -19,6 +19,7 @@ package org.apache.hadoop.http;
 
 import java.io.IOException;
 
+import javax.servlet.ServletContext;
 import javax.servlet.ServletException;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
@@ -35,9 +36,13 @@ public class AdminAuthorizedServlet extends DefaultServlet {
 
   @Override
   protected void doGet(HttpServletRequest request, HttpServletResponse 
response)
- throws ServletException, IOException {
-    // Do the authorization
-    if (HttpServer2.hasAdministratorAccess(getServletContext(), request,
+      throws ServletException, IOException {
+    // If user is a static user and auth Type is null, that means
+    // there is a non-security environment and no need authorization,
+    // otherwise, do the authorization.
+    final ServletContext servletContext = getServletContext();
+    if (HttpServer2.isStaticUserAndNoneAuthType(servletContext, request) ||
+        HttpServer2.hasAdministratorAccess(servletContext, request,
         response)) {
       // Authorization is done. Just call super.
       super.doGet(request, response);
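Review bot: The same three-line comment and two-call pattern is now copy-pasted into six servlets in this commit, which invites drift the next time the rule changes; folding the static-user check into `HttpServer2.hasAdministratorAccess` and `isInstrumentationAccessAllowed` themselves would give every caller (including any not touched here) one consistent bypass rule and let this line go back to `if (HttpServer2.hasAdministratorAccess(servletContext, request, response)) {`. Note also that with the `||` ordering the static user never reaches `hasAdministratorAccess`, so no 403 is ever written for that path, which is presumably intended but worth a one-line comment. This servlet extends DefaultServlet and, judging by the test's servlet list, backs /logs, so the bypass grants anonymous listing of the log directory; the rest of doGet is outside the hunk.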

http://git-wip-us.apache.org/repos/asf/hadoop/blob/b2667441/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/http/HttpServer2.java
----------------------------------------------------------------------
diff --git 
a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/http/HttpServer2.java
 
b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/http/HttpServer2.java
index 4b1e6ab..bc541e9 100644
--- 
a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/http/HttpServer2.java
+++ 
b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/http/HttpServer2.java
@@ -1081,6 +1081,25 @@ public final class HttpServer2 implements 
FilterContainer {
   }
 
   /**
+   * check whether user is static and unauthenticated, if the
+   * answer is TRUE, that means http sever is in non-security
+   * environment.
+   * @param servletContext the servlet context.
+   * @param request the servlet request.
+   * @return TRUE/FALSE based on the logic described above.
+   */
+  public static boolean isStaticUserAndNoneAuthType(
+      ServletContext servletContext, HttpServletRequest request) {
+    Configuration conf =
+        (Configuration) servletContext.getAttribute(CONF_CONTEXT_ATTRIBUTE);
+    final String authType = request.getAuthType();
+    final String staticUser = conf.get(
+        CommonConfigurationKeys.HADOOP_HTTP_STATIC_USER,
+        CommonConfigurationKeys.DEFAULT_HADOOP_HTTP_STATIC_USER);
+    return authType == null && staticUser.equals(request.getRemoteUser());
+  }
+
+  /**
    * Checks the user has privileges to access to instrumentation servlets.
    * <p/>
    * If <code>hadoop.security.instrumentation.requires.admin</code> is set to 
FALSE
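Review bot: `isStaticUserAndNoneAuthType` keys the bypass solely on `request.getAuthType() == null` plus a name match and never consults `hadoop.security.authorization`, so on a server with authorization enabled but no authentication filter installed the anonymous static user skips the admin ACL entirely; the test added in this commit confirms that is the intended behavior, but the javadoc's "non-security environment" understates it. Suggested javadoc: `Returns true when no authentication filter has set an auth type and the request is attributed to the configured static user (hadoop.http.static.user). Callers use this to bypass the admin ACL and the instrumentation-requires-admin check, so on a cluster without an authentication filter every unauthenticated client receives that access.` Separately, `conf` is dereferenced without a null check; if the context attribute can be absent, mirror whatever guard `hasAdministratorAccess` applies (its body is not visible in this hunk).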
@@ -1177,9 +1196,14 @@ public final class HttpServer2 implements 
FilterContainer {
 
     @Override
     public void doGet(HttpServletRequest request, HttpServletResponse response)
-      throws ServletException, IOException {
-      if (!HttpServer2.isInstrumentationAccessAllowed(getServletContext(),
-                                                      request, response)) {
+        throws ServletException, IOException {
+      // If user is a static user and auth Type is null, that means
+      // there is a non-security environment and no need authorization,
+      // otherwise, do the authorization.
+      final ServletContext servletContext = getServletContext();
+      if (!HttpServer2.isStaticUserAndNoneAuthType(servletContext, request) &&
+          !HttpServer2.isInstrumentationAccessAllowed(servletContext,
+              request, response)) {
         return;
       }
       response.setContentType("text/plain; charset=UTF-8");
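Review bot: StackServlet now serves a full thread dump to the anonymous static user whenever no authentication filter is installed, regardless of the admin ACL, and the comment "no need authorization" does not convey that stack traces routinely carry internal class names, file paths and in-flight request details. A one-line comment such as `// Unauthenticated static user: thread dump is served without the admin ACL check.` would make the exposure explicit to the next reader. This inner-class doGet continues past the hunk, so nothing else about the response can be assessed here.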

http://git-wip-us.apache.org/repos/asf/hadoop/blob/b2667441/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/jmx/JMXJsonServlet.java
----------------------------------------------------------------------
diff --git 
a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/jmx/JMXJsonServlet.java
 
b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/jmx/JMXJsonServlet.java
index f59b64c..6546c05 100644
--- 
a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/jmx/JMXJsonServlet.java
+++ 
b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/jmx/JMXJsonServlet.java
@@ -38,6 +38,7 @@ import javax.management.RuntimeMBeanException;
 import javax.management.openmbean.CompositeData;
 import javax.management.openmbean.CompositeType;
 import javax.management.openmbean.TabularData;
+import javax.servlet.ServletContext;
 import javax.servlet.ServletException;
 import javax.servlet.http.HttpServlet;
 import javax.servlet.http.HttpServletRequest;
@@ -166,7 +167,12 @@ public class JMXJsonServlet extends HttpServlet {
     String jsonpcb = null;
     PrintWriter writer = null;
     try {
-      if (!isInstrumentationAccessAllowed(request, response)) {
+      // If user is a static user and auth Type is null, that means
+      // there is a non-security environment and no need authorization,
+      // otherwise, do the authorization.
+      final ServletContext servletContext = getServletContext();
+      if (!HttpServer2.isStaticUserAndNoneAuthType(servletContext, request) &&
+          !isInstrumentationAccessAllowed(request, response)) {
         return;
       }
       

http://git-wip-us.apache.org/repos/asf/hadoop/blob/b2667441/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/log/LogLevel.java
----------------------------------------------------------------------
diff --git 
a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/log/LogLevel.java
 
b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/log/LogLevel.java
index 11326ca..bc03a6a 100644
--- 
a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/log/LogLevel.java
+++ 
b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/log/LogLevel.java
@@ -93,9 +93,13 @@ public class LogLevel {
     public void doGet(HttpServletRequest request, HttpServletResponse response
         ) throws ServletException, IOException {
 
-      // Do the authorization
-      if (!HttpServer2.hasAdministratorAccess(getServletContext(), request,
-          response)) {
+      // If user is a static user and auth Type is null, that means
+      // there is a non-security environment and no need authorization,
+      // otherwise, do the authorization.
+      final ServletContext servletContext = getServletContext();
+      if (!HttpServer2.isStaticUserAndNoneAuthType(servletContext, request) &&
+          !HttpServer2.hasAdministratorAccess(servletContext,
+              request, response)) {
         return;
       }
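Review bot: LogLevel's doGet is, by the class's name and purpose, a state-changing endpoint reached by GET, and after this hunk the anonymous static user can drive it whenever no authentication filter is installed even if an admin ACL is configured; that is a different risk class from the read-only instrumentation servlets touched elsewhere in this commit and deserves its own justification. At minimum the comment should say so: `// Anonymous static user bypasses the admin ACL here too, which allows unauthenticated log-level changes on clusters without an authentication filter.` The part of doGet that applies the level change lies outside the hunk.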
 

http://git-wip-us.apache.org/repos/asf/hadoop/blob/b2667441/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/metrics/MetricsServlet.java
----------------------------------------------------------------------
diff --git 
a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/metrics/MetricsServlet.java
 
b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/metrics/MetricsServlet.java
index b330613..275fa81 100644
--- 
a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/metrics/MetricsServlet.java
+++ 
b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/metrics/MetricsServlet.java
@@ -25,6 +25,7 @@ import java.util.List;
 import java.util.Map;
 import java.util.TreeMap;
 
+import javax.servlet.ServletContext;
 import javax.servlet.ServletException;
 import javax.servlet.http.HttpServlet;
 import javax.servlet.http.HttpServletRequest;
@@ -109,8 +110,13 @@ public class MetricsServlet extends HttpServlet {
   public void doGet(HttpServletRequest request, HttpServletResponse response)
       throws ServletException, IOException {
 
-    if (!HttpServer2.isInstrumentationAccessAllowed(getServletContext(),
-                                                   request, response)) {
+    // If user is a static user and auth Type is null, that means
+    // there is a non-security environment and no need authorization,
+    // otherwise, do the authorization.
+    final ServletContext servletContext = getServletContext();
+    if (!HttpServer2.isStaticUserAndNoneAuthType(servletContext, request) &&
+        !HttpServer2.isInstrumentationAccessAllowed(servletContext,
+            request, response)) {
       return;
     }
 

http://git-wip-us.apache.org/repos/asf/hadoop/blob/b2667441/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/http/TestHttpServer.java
----------------------------------------------------------------------
diff --git 
a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/http/TestHttpServer.java
 
b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/http/TestHttpServer.java
index d85935b..b5190b2 100644
--- 
a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/http/TestHttpServer.java
+++ 
b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/http/TestHttpServer.java
@@ -66,6 +66,9 @@ import java.util.concurrent.CountDownLatch;
 import java.util.concurrent.Executor;
 import java.util.concurrent.Executors;
 
+import static 
org.apache.hadoop.fs.CommonConfigurationKeys.DEFAULT_HADOOP_HTTP_STATIC_USER;
+import static 
org.apache.hadoop.fs.CommonConfigurationKeys.HADOOP_HTTP_STATIC_USER;
+
 public class TestHttpServer extends HttpServerFunctionalTest {
   static final Log LOG = LogFactory.getLog(TestHttpServer.class);
   private static HttpServer2 server;
@@ -452,8 +455,8 @@ public class TestHttpServer extends 
HttpServerFunctionalTest {
 
     String serverURL = "http://";
         + NetUtils.getHostPortString(myServer.getConnectorAddress(0)) + "/";
-    for (String servlet : new String[] { "conf", "logs", "stacks",
-        "logLevel", "metrics" }) {
+    for (String servlet : new String[] {"conf", "logs", "stacks",
+        "logLevel", "jmx", "metrics"}) {
       for (String user : new String[] { "userA", "userB", "userC", "userD" }) {
         assertEquals(HttpURLConnection.HTTP_OK, getHttpStatusCode(serverURL
             + servlet, user));
@@ -461,6 +464,18 @@ public class TestHttpServer extends 
HttpServerFunctionalTest {
       assertEquals(HttpURLConnection.HTTP_FORBIDDEN, getHttpStatusCode(
           serverURL + servlet, "userE"));
     }
+
+    // hadoop.security.authorization is set as true while
+    // hadoop.http.authentication.type's value is `simple`(default value)
+    // in this case, static user has administrator access
+    final String staticUser = conf.get(HADOOP_HTTP_STATIC_USER,
+        DEFAULT_HADOOP_HTTP_STATIC_USER);
+    for (String servlet : new String[] {"conf", "logs", "stacks",
+        "logLevel", "jmx", "metrics"}) {
+      assertEquals(HttpURLConnection.HTTP_OK, getHttpStatusCode(
+          serverURL + servlet, staticUser));
+    }
+
     myServer.stop();
   }
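Review bot: The new assertions only establish that the static user gets 200; they do not pin the boundary of the bypass, so a regression that made `isStaticUserAndNoneAuthType` return true for everyone would still pass, and the loop just above already shows userA..userD get 200 anyway. Add a negative case in which an authentication filter sets an auth type (or the remote user is not the static user) and assert `HttpURLConnection.HTTP_FORBIDDEN` for the admin-only servlets, e.g. `assertEquals(HttpURLConnection.HTTP_FORBIDDEN, getHttpStatusCode(serverURL + "logLevel", "userE"));` placed after an authentication filter is enabled. The comment's phrase "auth type is simple" also diverges from the production check, which requires `getAuthType()` to be null rather than "simple"; aligning the wording would prevent confusion about which configuration the test exercises.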
   

