Revert "HADOOP-13119. Add ability to secure log servlet using proxy users. Contribute by Yuanbo Liu."
This reverts commit b13492a0ab6e92517528d2f622591d4682071ead. Project: http://git-wip-us.apache.org/repos/asf/hadoop/repo Commit: http://git-wip-us.apache.org/repos/asf/hadoop/commit/fec04c46 Tree: http://git-wip-us.apache.org/repos/asf/hadoop/tree/fec04c46 Diff: http://git-wip-us.apache.org/repos/asf/hadoop/diff/fec04c46 Branch: refs/heads/branch-2.7 Commit: fec04c462a88655ec57a46e798e53f98a0496601 Parents: b2015d2 Author: Konstantin V Shvachko <[email protected]> Authored: Thu Mar 15 18:54:32 2018 -0700 Committer: Konstantin V Shvachko <[email protected]> Committed: Fri Mar 16 17:17:43 2018 -0700 ---------------------------------------------------------------------- hadoop-common-project/hadoop-common/CHANGES.txt | 3 + .../AuthenticationFilterInitializer.java | 9 +- .../AuthenticationWithProxyUserFilter.java | 119 --------- .../hadoop/http/TestHttpServerWithSpengo.java | 239 ------------------- .../security/TestAuthenticationFilter.java | 13 +- .../TestAuthenticationWithProxyUserFilter.java | 78 ------ 6 files changed, 16 insertions(+), 445 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/hadoop/blob/fec04c46/hadoop-common-project/hadoop-common/CHANGES.txt ---------------------------------------------------------------------- diff --git a/hadoop-common-project/hadoop-common/CHANGES.txt b/hadoop-common-project/hadoop-common/CHANGES.txt index 42d88eb..94ff9f2 100644 --- a/hadoop-common-project/hadoop-common/CHANGES.txt +++ b/hadoop-common-project/hadoop-common/CHANGES.txt @@ -64,6 +64,9 @@ Release 2.7.6 - UNRELEASED HADOOP-12001. Fixed LdapGroupsMapping to include configurable Posix UID and GID attributes during the search. (Patrick White via vinodkv) + Revert HADOOP-13119. Add ability to secure log servlet using proxy users. + (Contribute by Yuanbo Liu via Eric Yang) + Release 2.7.5 - 2017-12-14 INCOMPATIBLE CHANGES http://git-wip-us.apache.org/repos/asf/hadoop/blob/fec04c46/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/AuthenticationFilterInitializer.java ---------------------------------------------------------------------- diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/AuthenticationFilterInitializer.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/AuthenticationFilterInitializer.java index 65d2211..ca221f5 100644 --- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/AuthenticationFilterInitializer.java +++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/AuthenticationFilterInitializer.java @@ -29,9 +29,8 @@ import java.util.HashMap; import java.util.Map; /** - * Initializes {@link AuthenticationWithProxyUserFilter} - * which provides support for Kerberos HTTP SPNEGO authentication - * and proxy user authentication. + * Initializes hadoop-auth AuthenticationFilter which provides support for + * Kerberos HTTP SPNEGO authentication. * <p/> * It enables anonymous access, simple/speudo and Kerberos HTTP SPNEGO * authentication for Hadoop JobTracker, NameNode, DataNodes and @@ -59,10 +58,8 @@ public class AuthenticationFilterInitializer extends FilterInitializer { public void initFilter(FilterContainer container, Configuration conf) { Map<String, String> filterConfig = getFilterConfigMap(conf, PREFIX); - // extend AuthenticationFilter's feature to - // support proxy user operation. container.addFilter("authentication", - AuthenticationWithProxyUserFilter.class.getName(), + AuthenticationFilter.class.getName(), filterConfig); } http://git-wip-us.apache.org/repos/asf/hadoop/blob/fec04c46/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/AuthenticationWithProxyUserFilter.java ---------------------------------------------------------------------- diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/AuthenticationWithProxyUserFilter.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/AuthenticationWithProxyUserFilter.java deleted file mode 100644 index ea9b282..0000000 --- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/AuthenticationWithProxyUserFilter.java +++ /dev/null @@ -1,119 +0,0 @@ -/** - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * <p> - * http://www.apache.org/licenses/LICENSE-2.0 - * <p> - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package org.apache.hadoop.security; - -import org.apache.hadoop.security.authentication.server.AuthenticationFilter; -import org.apache.hadoop.security.authorize.AuthorizationException; -import org.apache.hadoop.security.authorize.ProxyUsers; -import org.apache.hadoop.util.HttpExceptionUtils; -import org.apache.http.NameValuePair; -import org.apache.http.client.utils.URLEncodedUtils; - -import javax.servlet.FilterChain; -import javax.servlet.ServletException; -import javax.servlet.http.HttpServletRequest; -import javax.servlet.http.HttpServletRequestWrapper; -import javax.servlet.http.HttpServletResponse; -import java.io.IOException; -import java.nio.charset.Charset; -import java.util.List; - -/** - * Extend the function of {@link AuthenticationFilter} to - * support authorizing proxy user. If the query string - * contains doAs parameter, then check the proxy user, - * otherwise do the next filter. - */ -public class AuthenticationWithProxyUserFilter extends AuthenticationFilter { - - /** - * Constant used in URL's query string to perform a proxy user request, the - * value of the <code>DO_AS</code> parameter is the user the request will be - * done on behalf of. - */ - private static final String DO_AS = "doAs"; - - private static final Charset UTF8_CHARSET = Charset.forName("UTF-8"); - - - /** - * This method provide the ability to do pre/post tasks - * in filter chain. Override this method to authorize - * proxy user between AuthenticationFilter and next filter. - * @param filterChain the filter chain object. - * @param request the request object. - * @param response the response object. - * - * @throws IOException - * @throws ServletException - */ - @Override - protected void doFilter(FilterChain filterChain, HttpServletRequest request, - HttpServletResponse response) throws IOException, ServletException { - - // authorize proxy user before calling next filter. - String proxyUser = getDoAs(request); - if (proxyUser != null) { - UserGroupInformation realUser = - UserGroupInformation.createRemoteUser(request.getRemoteUser()); - UserGroupInformation proxyUserInfo = - UserGroupInformation.createProxyUser(proxyUser, realUser); - - try { - ProxyUsers.authorize(proxyUserInfo, request.getRemoteAddr()); - } catch (AuthorizationException ex) { - HttpExceptionUtils.createServletExceptionResponse(response, - HttpServletResponse.SC_FORBIDDEN, ex); - // stop filter chain if there is an Authorization Exception. - return; - } - - final UserGroupInformation finalProxyUser = proxyUserInfo; - // Change the remote user after proxy user is authorized. - request = new HttpServletRequestWrapper(request) { - @Override - public String getRemoteUser() { - return finalProxyUser.getUserName(); - } - }; - - } - filterChain.doFilter(request, response); - } - - /** - * Get proxy user from query string. - * @param request the request object - * @return proxy user - */ - public static String getDoAs(HttpServletRequest request) { - String queryString = request.getQueryString(); - if (queryString == null) { - return null; - } - List<NameValuePair> list = URLEncodedUtils.parse(queryString, UTF8_CHARSET); - if (list != null) { - for (NameValuePair nv : list) { - if (DO_AS.equalsIgnoreCase(nv.getName())) { - return nv.getValue(); - } - } - } - return null; - } -} http://git-wip-us.apache.org/repos/asf/hadoop/blob/fec04c46/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/http/TestHttpServerWithSpengo.java ---------------------------------------------------------------------- diff --git a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/http/TestHttpServerWithSpengo.java b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/http/TestHttpServerWithSpengo.java deleted file mode 100644 index cbdda90..0000000 --- a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/http/TestHttpServerWithSpengo.java +++ /dev/null @@ -1,239 +0,0 @@ -/** - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * <p> - * http://www.apache.org/licenses/LICENSE-2.0 - * <p> - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package org.apache.hadoop.http; - -import org.apache.commons.logging.Log; -import org.apache.commons.logging.LogFactory; -import org.apache.hadoop.conf.Configuration; -import org.apache.hadoop.fs.CommonConfigurationKeys; -import org.apache.hadoop.minikdc.MiniKdc; -import org.apache.hadoop.net.NetUtils; -import org.apache.hadoop.security.AuthenticationFilterInitializer; -import org.apache.hadoop.security.UserGroupInformation; -import org.apache.hadoop.security.authentication.KerberosTestUtils; -import org.apache.hadoop.security.authentication.client.AuthenticatedURL; -import org.apache.hadoop.security.authentication.server.AuthenticationFilter; -import org.apache.hadoop.security.authentication.server.AuthenticationToken; -import org.apache.hadoop.security.authentication.util.Signer; -import org.apache.hadoop.security.authentication.util.SignerSecretProvider; -import org.apache.hadoop.security.authentication.util.StringSignerSecretProviderCreator; -import org.apache.hadoop.security.authorize.AccessControlList; -import org.apache.hadoop.security.authorize.ProxyUsers; -import org.junit.AfterClass; -import org.junit.BeforeClass; -import org.junit.Test; -import org.junit.Assert; - -import java.io.File; -import java.io.FileWriter; -import java.io.Writer; -import java.net.HttpURLConnection; -import java.net.URI; -import java.net.URL; -import java.util.Properties; -import static org.junit.Assert.assertTrue; - -/** - * This class is tested for http server with SPENGO authentication. - */ -public class TestHttpServerWithSpengo { - - static final Log LOG = LogFactory.getLog(TestHttpServerWithSpengo.class); - - private static final String SECRET_STR = "secret"; - private static final String HTTP_USER = "HTTP"; - private static final String PREFIX = "hadoop.http.authentication."; - private static final long TIMEOUT = 20000; - - private static File httpSpnegoKeytabFile = new File( - KerberosTestUtils.getKeytabFile()); - private static String httpSpnegoPrincipal = - KerberosTestUtils.getServerPrincipal(); - private static String realm = KerberosTestUtils.getRealm(); - - private static File testRootDir = new File("target", - TestHttpServerWithSpengo.class.getName() + "-root"); - private static MiniKdc testMiniKDC; - private static File secretFile = new File(testRootDir, SECRET_STR); - - @BeforeClass - public static void setUp() throws Exception { - try { - testMiniKDC = new MiniKdc(MiniKdc.createConf(), testRootDir); - testMiniKDC.start(); - testMiniKDC.createPrincipal( - httpSpnegoKeytabFile, HTTP_USER + "/localhost"); - } catch (Exception e) { - assertTrue("Couldn't setup MiniKDC", false); - } - Writer w = new FileWriter(secretFile); - w.write("secret"); - w.close(); - } - - @AfterClass - public static void tearDown() { - if (testMiniKDC != null) { - testMiniKDC.stop(); - } - } - - /** - * groupA - * - userA - * groupB - * - userA, userB - * groupC - * - userC - * SPNEGO filter has been enabled. - * userA has the privilege to impersonate users in groupB. - * userA has admin access to all default servlets, but userB - * and userC don't have. So "/logs" can only be accessed by userA. - * @throws Exception - */ - @Test - public void testAuthenticationWithProxyUser() throws Exception { - - Configuration spengoConf = getSpengoConf(new Configuration()); - - //setup logs dir - System.setProperty("hadoop.log.dir", testRootDir.getAbsolutePath()); - - // Setup user group - UserGroupInformation.createUserForTesting("userA", - new String[]{"groupA", "groupB"}); - UserGroupInformation.createUserForTesting("userB", - new String[]{"groupB"}); - UserGroupInformation.createUserForTesting("userC", - new String[]{"groupC"}); - - // Make userA impersonate users in groupB - spengoConf.set("hadoop.proxyuser.userA.hosts", "*"); - spengoConf.set("hadoop.proxyuser.userA.groups", "groupB"); - ProxyUsers.refreshSuperUserGroupsConfiguration(spengoConf); - - HttpServer2 httpServer = null; - try { - // Create http server to test. - httpServer = getCommonBuilder() - .setConf(spengoConf) - .setACL(new AccessControlList("userA groupA")) - .build(); - httpServer.start(); - - // Get signer to encrypt token - Signer signer = getSignerToEncrypt(); - - // setup auth token for userA - AuthenticatedURL.Token token = getEncryptedAuthToken(signer, "userA"); - - String serverURL = "http://" + - NetUtils.getHostPortString(httpServer.getConnectorAddress(0)) + "/"; - - // The default authenticator is kerberos. - AuthenticatedURL authUrl = new AuthenticatedURL(); - - // userA impersonates userB, it's allowed. - for (String servlet : - new String[]{"stacks", "jmx", "conf"}) { - HttpURLConnection conn = authUrl - .openConnection(new URL(serverURL + servlet + "?doAs=userB"), - token); - Assert.assertEquals(HttpURLConnection.HTTP_OK, conn.getResponseCode()); - } - - // userA cannot impersonate userC, it fails. - for (String servlet : - new String[]{"stacks", "jmx", "conf"}){ - HttpURLConnection conn = authUrl - .openConnection(new URL(serverURL + servlet + "?doAs=userC"), - token); - Assert.assertEquals(HttpURLConnection.HTTP_FORBIDDEN, - conn.getResponseCode()); - } - - // "/logs" and "/logLevel" require admin authorization, - // only userA has the access. - for (String servlet : - new String[]{"logLevel", "logs"}) { - HttpURLConnection conn = authUrl - .openConnection(new URL(serverURL + servlet), token); - Assert.assertEquals(HttpURLConnection.HTTP_OK, conn.getResponseCode()); - } - - // Setup token for userB - token = getEncryptedAuthToken(signer, "userB"); - - // userB cannot access these servlets. - for (String servlet : - new String[]{"logLevel", "logs"}) { - HttpURLConnection conn = authUrl - .openConnection(new URL(serverURL + servlet), token); - Assert.assertEquals(HttpURLConnection.HTTP_FORBIDDEN, - conn.getResponseCode()); - } - - } finally { - if (httpServer != null) { - httpServer.stop(); - } - } - } - - - private AuthenticatedURL.Token getEncryptedAuthToken(Signer signer, - String user) throws Exception { - AuthenticationToken token = - new AuthenticationToken(user, user, "kerberos"); - token.setExpires(System.currentTimeMillis() + TIMEOUT); - return new AuthenticatedURL.Token(signer.sign(token.toString())); - } - - private Signer getSignerToEncrypt() throws Exception { - SignerSecretProvider secretProvider = - StringSignerSecretProviderCreator.newStringSignerSecretProvider(); - Properties secretProviderProps = new Properties(); - secretProviderProps.setProperty( - AuthenticationFilter.SIGNATURE_SECRET, SECRET_STR); - secretProvider.init(secretProviderProps, null, TIMEOUT); - return new Signer(secretProvider); - } - - private Configuration getSpengoConf(Configuration conf) { - conf = new Configuration(); - conf.set(HttpServer2.FILTER_INITIALIZER_PROPERTY, - AuthenticationFilterInitializer.class.getName()); - conf.set(PREFIX + "type", "kerberos"); - conf.setBoolean(PREFIX + "simple.anonymous.allowed", false); - conf.set(PREFIX + "signature.secret.file", - secretFile.getAbsolutePath()); - conf.set(PREFIX + "kerberos.keytab", - httpSpnegoKeytabFile.getAbsolutePath()); - conf.set(PREFIX + "kerberos.principal", httpSpnegoPrincipal); - conf.set(PREFIX + "cookie.domain", realm); - conf.setBoolean(CommonConfigurationKeys.HADOOP_SECURITY_AUTHORIZATION, - true); - return conf; - } - - private HttpServer2.Builder getCommonBuilder() throws Exception { - return new HttpServer2.Builder().setName("test") - .addEndpoint(new URI("http://localhost:0")) - .setFindPort(true); - } -} http://git-wip-us.apache.org/repos/asf/hadoop/blob/fec04c46/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestAuthenticationFilter.java ---------------------------------------------------------------------- diff --git a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestAuthenticationFilter.java b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestAuthenticationFilter.java index 64cd9b7..c8179e2 100644 --- a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestAuthenticationFilter.java +++ b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestAuthenticationFilter.java @@ -19,12 +19,16 @@ package org.apache.hadoop.security; import junit.framework.TestCase; import org.apache.hadoop.http.HttpServer2; +import org.apache.hadoop.security.authentication.server.AuthenticationFilter; import org.apache.hadoop.conf.Configuration; import org.apache.hadoop.http.FilterContainer; import org.mockito.Mockito; import org.mockito.invocation.InvocationOnMock; import org.mockito.stubbing.Answer; +import java.io.File; +import java.io.FileWriter; +import java.io.Writer; import java.util.Map; public class TestAuthenticationFilter extends TestCase { @@ -38,7 +42,7 @@ public class TestAuthenticationFilter extends TestCase { FilterContainer container = Mockito.mock(FilterContainer.class); Mockito.doAnswer( - new Answer() { + new Answer() { @Override public Object answer(InvocationOnMock invocationOnMock) throws Throwable { @@ -46,6 +50,8 @@ public class TestAuthenticationFilter extends TestCase { assertEquals("authentication", args[0]); + assertEquals(AuthenticationFilter.class.getName(), args[1]); + Map<String, String> conf = (Map<String, String>) args[2]; assertEquals("/", conf.get("cookie.path")); @@ -60,8 +66,9 @@ public class TestAuthenticationFilter extends TestCase { assertEquals("bar", conf.get("foo")); return null; - }} - ).when(container).addFilter(Mockito.<String>anyObject(), + } + } + ).when(container).addFilter(Mockito.<String>anyObject(), Mockito.<String>anyObject(), Mockito.<Map<String, String>>anyObject()); http://git-wip-us.apache.org/repos/asf/hadoop/blob/fec04c46/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestAuthenticationWithProxyUserFilter.java ---------------------------------------------------------------------- diff --git a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestAuthenticationWithProxyUserFilter.java b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestAuthenticationWithProxyUserFilter.java deleted file mode 100644 index 504f5a1..0000000 --- a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestAuthenticationWithProxyUserFilter.java +++ /dev/null @@ -1,78 +0,0 @@ -/** - * Licensed to the Apache Software Foundation (ASF) under one or more - * contributor license agreements. See the NOTICE file distributed with this - * work for additional information regarding copyright ownership. The ASF - * licenses this file to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT - * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the - * License for the specific language governing permissions and limitations under - * the License. - */ -package org.apache.hadoop.security; - - -import junit.framework.TestCase; -import org.apache.hadoop.http.HttpServer2; -import org.apache.hadoop.conf.Configuration; -import org.apache.hadoop.http.FilterContainer; -import org.mockito.Mockito; -import org.mockito.invocation.InvocationOnMock; -import org.mockito.stubbing.Answer; -import java.util.Map; - -/** - * This class is tested for {@link AuthenticationWithProxyUserFilter} - * to verify configurations of this filter. - */ -public class TestAuthenticationWithProxyUserFilter extends TestCase { - - @SuppressWarnings("unchecked") - public void testConfiguration() throws Exception { - Configuration conf = new Configuration(); - conf.set("hadoop.http.authentication.foo", "bar"); - - conf.set(HttpServer2.BIND_ADDRESS, "barhost"); - - FilterContainer container = Mockito.mock(FilterContainer.class); - Mockito.doAnswer( - new Answer() { - @Override - public Object answer(InvocationOnMock invocationOnMock) - throws Throwable { - Object[] args = invocationOnMock.getArguments(); - - assertEquals("authentication", args[0]); - - assertEquals( - AuthenticationWithProxyUserFilter.class.getName(), args[1]); - - Map<String, String> conf = (Map<String, String>) args[2]; - assertEquals("/", conf.get("cookie.path")); - - assertEquals("simple", conf.get("type")); - assertEquals("36000", conf.get("token.validity")); - assertNull(conf.get("cookie.domain")); - assertEquals("true", conf.get("simple.anonymous.allowed")); - assertEquals("HTTP/barhost@LOCALHOST", - conf.get("kerberos.principal")); - assertEquals(System.getProperty("user.home") + - "/hadoop.keytab", conf.get("kerberos.keytab")); - assertEquals("bar", conf.get("foo")); - - return null; - } - } - ).when(container).addFilter(Mockito.<String>anyObject(), - Mockito.<String>anyObject(), - Mockito.<Map<String, String>>anyObject()); - - new AuthenticationFilterInitializer().initFilter(container, conf); - } - -} --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
