Revert "HADOOP-13119. Add ability to secure log servlet using proxy users. Contribute by Yuanbo Liu."
This reverts commit a847903b6e64c6edb11d852b91f2c816b1253eb3. Change-Id: I3122a2142f5bdf8507dece930e447556a43cd9ae (cherry picked from commit 8fad3ec76070ccfcd3ed80feaba4355077bc6f5c) Project: http://git-wip-us.apache.org/repos/asf/hadoop/repo Commit: http://git-wip-us.apache.org/repos/asf/hadoop/commit/4cd42192 Tree: http://git-wip-us.apache.org/repos/asf/hadoop/tree/4cd42192 Diff: http://git-wip-us.apache.org/repos/asf/hadoop/diff/4cd42192 Branch: refs/heads/branch-3.1 Commit: 4cd4219206e973a07fd454c141268f95365e293c Parents: 26540a6 Author: Owen O'Malley <omal...@apache.org> Authored: Thu Mar 1 10:15:22 2018 -0800 Committer: Wangda Tan <wan...@apache.org> Committed: Fri Mar 9 23:01:11 2018 -0800 ---------------------------------------------------------------------- .../AuthenticationFilterInitializer.java | 9 +- .../AuthenticationWithProxyUserFilter.java | 119 ------------------- .../security/TestAuthenticationFilter.java | 13 +- .../TestAuthenticationWithProxyUserFilter.java | 79 ------------ 4 files changed, 13 insertions(+), 207 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/hadoop/blob/4cd42192/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/AuthenticationFilterInitializer.java ---------------------------------------------------------------------- diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/AuthenticationFilterInitializer.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/AuthenticationFilterInitializer.java index 65d2211..ca221f5 100644 --- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/AuthenticationFilterInitializer.java +++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/AuthenticationFilterInitializer.java 
@@ -29,9 +29,8 @@ import java.util.HashMap; import java.util.Map; /** - * Initializes {@link AuthenticationWithProxyUserFilter} - * which provides support for Kerberos HTTP SPNEGO authentication - * and proxy user authentication. + * Initializes hadoop-auth AuthenticationFilter which provides support for + * Kerberos HTTP SPNEGO authentication. * <p/> * It enables anonymous access, simple/speudo and Kerberos HTTP SPNEGO * authentication for Hadoop JobTracker, NameNode, DataNodes and @@ -59,10 +58,8 @@ public class AuthenticationFilterInitializer extends FilterInitializer { public void initFilter(FilterContainer container, Configuration conf) { Map<String, String> filterConfig = getFilterConfigMap(conf, PREFIX); - // extend AuthenticationFilter's feature to - // support proxy user operation. container.addFilter("authentication", - AuthenticationWithProxyUserFilter.class.getName(), + AuthenticationFilter.class.getName(), filterConfig); } http://git-wip-us.apache.org/repos/asf/hadoop/blob/4cd42192/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/AuthenticationWithProxyUserFilter.java ---------------------------------------------------------------------- diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/AuthenticationWithProxyUserFilter.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/AuthenticationWithProxyUserFilter.java deleted file mode 100644 index ea9b282..0000000 --- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/AuthenticationWithProxyUserFilter.java +++ /dev/null 
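Review bot: In `initFilter`, registering `AuthenticationFilter.class.getName()` again leaves the `doAs` query parameter unhandled at this layer, and neither the restored class Javadoc nor the method body says so. The removed subclass is the only code on this page that called `ProxyUsers.authorize(...)` before the chain continued, so any servlet behind this filter that reads `doAs` itself would need its own proxy-user check; whether such servlets exist is not visible here. I would add a comment above `container.addFilter(...)`, for example `// AuthenticationFilter only authenticates the caller; it does not authorize proxy users (doAs).` The commit message also gives no reason for the revert, and a one-line rationale would help whoever next revisits HADOOP-13119.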
@@ -1,119 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- * <p>
- * http://www.apache.org/licenses/LICENSE-2.0
- * <p>
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.hadoop.security;
-
-import org.apache.hadoop.security.authentication.server.AuthenticationFilter;
-import org.apache.hadoop.security.authorize.AuthorizationException;
-import org.apache.hadoop.security.authorize.ProxyUsers;
-import org.apache.hadoop.util.HttpExceptionUtils;
-import org.apache.http.NameValuePair;
-import org.apache.http.client.utils.URLEncodedUtils;
-
-import javax.servlet.FilterChain;
-import javax.servlet.ServletException;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletRequestWrapper;
-import javax.servlet.http.HttpServletResponse;
-import java.io.IOException;
-import java.nio.charset.Charset;
-import java.util.List;
-
-/**
- * Extend the function of {@link AuthenticationFilter} to
- * support authorizing proxy user. If the query string
- * contains doAs parameter, then check the proxy user,
- * otherwise do the next filter.
- */
-public class AuthenticationWithProxyUserFilter extends AuthenticationFilter {
-
- /**
- * Constant used in URL's query string to perform a proxy user request, the
- * value of the <code>DO_AS</code> parameter is the user the request will be
- * done on behalf of.
- */
- private static final String DO_AS = "doAs";
-
- private static final Charset UTF8_CHARSET = Charset.forName("UTF-8");
-
-
- /**
- * This method provide the ability to do pre/post tasks
- * in filter chain. Override this method to authorize
- * proxy user between AuthenticationFilter and next filter.
- * @param filterChain the filter chain object.
- * @param request the request object.
- * @param response the response object.
- *
- * @throws IOException
- * @throws ServletException
- */
- @Override
- protected void doFilter(FilterChain filterChain, HttpServletRequest request,
- HttpServletResponse response) throws IOException, ServletException {
-
- // authorize proxy user before calling next filter.
- String proxyUser = getDoAs(request);
- if (proxyUser != null) {
- UserGroupInformation realUser =
- UserGroupInformation.createRemoteUser(request.getRemoteUser());
- UserGroupInformation proxyUserInfo =
- UserGroupInformation.createProxyUser(proxyUser, realUser);
-
- try {
- ProxyUsers.authorize(proxyUserInfo, request.getRemoteAddr());
- } catch (AuthorizationException ex) {
- HttpExceptionUtils.createServletExceptionResponse(response,
- HttpServletResponse.SC_FORBIDDEN, ex);
- // stop filter chain if there is an Authorization Exception.
- return;
- }
-
- final UserGroupInformation finalProxyUser = proxyUserInfo;
- // Change the remote user after proxy user is authorized.
- request = new HttpServletRequestWrapper(request) {
- @Override
- public String getRemoteUser() {
- return finalProxyUser.getUserName();
- }
- };
-
- }
- filterChain.doFilter(request, response);
- }
-
- /**
- * Get proxy user from query string.
- * @param request the request object - * @return proxy user - */ - public static String getDoAs(HttpServletRequest request) { - String queryString = request.getQueryString(); - if (queryString == null) { - return null; - } - List<NameValuePair> list = URLEncodedUtils.parse(queryString, UTF8_CHARSET); - if (list != null) { - for (NameValuePair nv : list) { - if (DO_AS.equalsIgnoreCase(nv.getName())) { - return nv.getValue(); - } - } - } - return null; - } -} http://git-wip-us.apache.org/repos/asf/hadoop/blob/4cd42192/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestAuthenticationFilter.java ---------------------------------------------------------------------- diff --git a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestAuthenticationFilter.java b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestAuthenticationFilter.java index 9fae536..ead3758 100644 --- a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestAuthenticationFilter.java +++ b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestAuthenticationFilter.java @@ -19,6 +19,7 @@ package org.apache.hadoop.security; import static org.junit.Assert.*; import org.apache.hadoop.http.HttpServer2; +import org.apache.hadoop.security.authentication.server.AuthenticationFilter; import org.apache.hadoop.conf.Configuration; import org.apache.hadoop.http.FilterContainer; import org.junit.Test; @@ -26,6 +27,9 @@ import org.mockito.Mockito; import org.mockito.invocation.InvocationOnMock; import org.mockito.stubbing.Answer; +import java.io.File; +import java.io.FileWriter; +import java.io.Writer; import java.util.Map; public class TestAuthenticationFilter { 
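Review bot: The `@@ -26,6 +27,9 @@` hunk adds `java.io.File`, `java.io.FileWriter` and `java.io.Writer`, but nothing in the hunks shown for TestAuthenticationFilter.java uses them. If the rest of the file does not reference them either, I would drop the three imports instead of carrying them back in with the revert. The test class body continues outside these hunks, so this needs checking against the full file.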
@@ -40,7 +44,7 @@ public class TestAuthenticationFilter { FilterContainer container = Mockito.mock(FilterContainer.class); Mockito.doAnswer( - new Answer() { + new Answer() { @Override public Object answer(InvocationOnMock invocationOnMock) throws Throwable { @@ -48,6 +52,8 @@ public class TestAuthenticationFilter { assertEquals("authentication", args[0]); + assertEquals(AuthenticationFilter.class.getName(), args[1]); + Map<String, String> conf = (Map<String, String>) args[2]; assertEquals("/", conf.get("cookie.path")); @@ -62,8 +68,9 @@ public class TestAuthenticationFilter { assertEquals("bar", conf.get("foo")); return null; - }} - ).when(container).addFilter(Mockito.<String>anyObject(), + } + } + ).when(container).addFilter(Mockito.<String>anyObject(), Mockito.<String>anyObject(), Mockito.<Map<String, String>>anyObject()); http://git-wip-us.apache.org/repos/asf/hadoop/blob/4cd42192/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestAuthenticationWithProxyUserFilter.java ---------------------------------------------------------------------- diff --git a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestAuthenticationWithProxyUserFilter.java b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestAuthenticationWithProxyUserFilter.java deleted file mode 100644 index dac6a55..0000000 --- a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestAuthenticationWithProxyUserFilter.java +++ /dev/null 
@@ -1,79 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with this
- * work for additional information regarding copyright ownership. The ASF
- * licenses this file to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
- * License for the specific language governing permissions and limitations under
- * the License.
- */
-package org.apache.hadoop.security;
-
-import org.junit.Test;
-import static org.junit.Assert.*;
-import org.apache.hadoop.http.HttpServer2;
-import org.apache.hadoop.conf.Configuration;
-import org.apache.hadoop.http.FilterContainer;
-import org.mockito.Mockito;
-import org.mockito.invocation.InvocationOnMock;
-import org.mockito.stubbing.Answer;
-import java.util.Map;
-
-/**
- * This class is tested for {@link AuthenticationWithProxyUserFilter}
- * to verify configurations of this filter.
- */
-public class TestAuthenticationWithProxyUserFilter {
-
- @SuppressWarnings("unchecked")
- @Test
- public void testConfiguration() throws Exception {
- Configuration conf = new Configuration();
- conf.set("hadoop.http.authentication.foo", "bar");
-
- conf.set(HttpServer2.BIND_ADDRESS, "barhost");
-
- FilterContainer container = Mockito.mock(FilterContainer.class);
- Mockito.doAnswer(
- new Answer() {
- @Override
- public Object answer(InvocationOnMock invocationOnMock)
- throws Throwable {
- Object[] args = invocationOnMock.getArguments();
-
- assertEquals("authentication", args[0]);
-
- assertEquals(
- AuthenticationWithProxyUserFilter.class.getName(), args[1]);
-
- Map<String, String> conf = (Map<String, String>) args[2];
- assertEquals("/", conf.get("cookie.path"));
-
- assertEquals("simple", conf.get("type"));
- assertEquals("36000", conf.get("token.validity"));
- assertNull(conf.get("cookie.domain"));
- assertEquals("true", conf.get("simple.anonymous.allowed"));
- assertEquals("HTTP/barhost@LOCALHOST",
- conf.get("kerberos.principal"));
- assertEquals(System.getProperty("user.home") +
- "/hadoop.keytab", conf.get("kerberos.keytab"));
- assertEquals("bar", conf.get("foo"));
-
- return null;
- }
- }
- ).when(container).addFilter(Mockito.<String>anyObject(),
- Mockito.<String>anyObject(),
- Mockito.<Map<String, String>>anyObject());
-
- new AuthenticationFilterInitializer().initFilter(container, conf);
- }
-
-}
--------------------------------------------------------------------- To unsubscribe, e-mail: common-commits-unsubscr...@hadoop.apache.org For additional commands, e-mail: common-commits-h...@hadoop.apache.org