HDFS-14006. Refactor name node to allow different token verification implementations. Contributed by CR Hota.
Project: http://git-wip-us.apache.org/repos/asf/hadoop/repo Commit: http://git-wip-us.apache.org/repos/asf/hadoop/commit/00d5e631 Tree: http://git-wip-us.apache.org/repos/asf/hadoop/tree/00d5e631 Diff: http://git-wip-us.apache.org/repos/asf/hadoop/diff/00d5e631 Branch: refs/heads/HDFS-13891 Commit: 00d5e631b596f8712600879366e5283829e7ee5d Parents: f858f18 Author: Giovanni Matteo Fumarola <[email protected]> Authored: Fri Dec 14 11:10:54 2018 -0800 Committer: Giovanni Matteo Fumarola <[email protected]> Committed: Fri Dec 14 11:10:54 2018 -0800 ---------------------------------------------------------------------- .../hadoop/hdfs/server/common/JspHelper.java | 8 ++--- .../hdfs/server/common/TokenVerifier.java | 35 ++++++++++++++++++++ .../hadoop/hdfs/server/namenode/NameNode.java | 9 ++++- .../server/namenode/NameNodeHttpServer.java | 6 ++++ 4 files changed, 53 insertions(+), 5 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/hadoop/blob/00d5e631/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/common/JspHelper.java ---------------------------------------------------------------------- diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/common/JspHelper.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/common/JspHelper.java index 498a093..eb488e8 100644 --- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/common/JspHelper.java +++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/common/JspHelper.java @@ -23,7 +23,6 @@ import org.slf4j.LoggerFactory; import org.apache.hadoop.classification.InterfaceAudience; import org.apache.hadoop.conf.Configuration; import org.apache.hadoop.hdfs.security.token.delegation.DelegationTokenIdentifier; -import org.apache.hadoop.hdfs.server.namenode.NameNode; import org.apache.hadoop.hdfs.server.namenode.NameNodeHttpServer; import org.apache.hadoop.hdfs.web.resources.DelegationParam; import org.apache.hadoop.hdfs.web.resources.DoAsParam; @@ -176,10 +175,11 @@ public class JspHelper { DelegationTokenIdentifier id = new DelegationTokenIdentifier(); id.readFields(in); if (context != null) { - final NameNode nn = NameNodeHttpServer.getNameNodeFromContext(context); - if (nn != null) { + final TokenVerifier<DelegationTokenIdentifier> tokenVerifier = + NameNodeHttpServer.getTokenVerifierFromContext(context); + if (tokenVerifier != null) { // Verify the token. - nn.getNamesystem().verifyToken(id, token.getPassword()); + tokenVerifier.verifyToken(id, token.getPassword()); } } UserGroupInformation ugi = id.getUser(); http://git-wip-us.apache.org/repos/asf/hadoop/blob/00d5e631/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/common/TokenVerifier.java ---------------------------------------------------------------------- diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/common/TokenVerifier.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/common/TokenVerifier.java new file mode 100644 index 0000000..5691f0c --- /dev/null +++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/common/TokenVerifier.java @@ -0,0 +1,35 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.hadoop.hdfs.server.common; + +import java.io.IOException; +import org.apache.hadoop.security.token.delegation.AbstractDelegationTokenIdentifier; + +/** + * Interface to verify delegation tokens passed through WebHDFS. + * Implementations are intercepted by JspHelper that pass delegation token + * for verification. + */ +public interface TokenVerifier<T extends AbstractDelegationTokenIdentifier> { + + /* Verify delegation token passed through WebHDFS + * Name node, Router implement this for JspHelper to verify token + */ + void verifyToken(T t, byte[] password) throws IOException; + +} http://git-wip-us.apache.org/repos/asf/hadoop/blob/00d5e631/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/NameNode.java ---------------------------------------------------------------------- diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/NameNode.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/NameNode.java index 471abac..37b694b 100644 --- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/NameNode.java +++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/NameNode.java @@ -47,6 +47,7 @@ import org.apache.hadoop.hdfs.client.HdfsClientConfigKeys; import org.apache.hadoop.hdfs.protocol.ClientProtocol; import org.apache.hadoop.hdfs.protocol.HdfsConstants; import org.apache.hadoop.hdfs.protocol.HdfsConstants.StoragePolicySatisfierMode; +import org.apache.hadoop.hdfs.security.token.delegation.DelegationTokenIdentifier; import org.apache.hadoop.hdfs.server.aliasmap.InMemoryAliasMap; import org.apache.hadoop.hdfs.server.aliasmap.InMemoryLevelDBAliasMapServer; import org.apache.hadoop.hdfs.server.blockmanagement.DatanodeManager; @@ -55,6 +56,7 @@ import org.apache.hadoop.hdfs.server.common.HdfsServerConstants.RollingUpgradeSt import org.apache.hadoop.hdfs.server.common.HdfsServerConstants.StartupOption; import org.apache.hadoop.hdfs.server.common.MetricsLoggerTask; import org.apache.hadoop.hdfs.server.common.Storage.StorageDirectory; +import org.apache.hadoop.hdfs.server.common.TokenVerifier; import org.apache.hadoop.hdfs.server.namenode.ha.ActiveState; import org.apache.hadoop.hdfs.server.namenode.ha.BootstrapStandby; import org.apache.hadoop.hdfs.server.namenode.ha.HAContext; @@ -208,7 +210,7 @@ import static org.apache.hadoop.fs.CommonConfigurationKeys.IPC_BACKOFF_ENABLE_DE **********************************************************/ @InterfaceAudience.Private public class NameNode extends ReconfigurableBase implements - NameNodeStatusMXBean { + NameNodeStatusMXBean, TokenVerifier<DelegationTokenIdentifier> { static{ HdfsConfiguration.init(); } @@ -656,6 +658,11 @@ public class NameNode extends ReconfigurableBase implements return (ugi != null) ? ugi : UserGroupInformation.getCurrentUser(); } + @Override + public void verifyToken(DelegationTokenIdentifier id, byte[] password) + throws IOException { + namesystem.verifyToken(id, password); + } /** * Login as the configured user for the NameNode. http://git-wip-us.apache.org/repos/asf/hadoop/blob/00d5e631/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/NameNodeHttpServer.java ---------------------------------------------------------------------- diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/NameNodeHttpServer.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/NameNodeHttpServer.java index 4d27bd9..69dadf5 100644 --- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/NameNodeHttpServer.java +++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/NameNodeHttpServer.java @@ -38,6 +38,7 @@ import org.apache.hadoop.hdfs.DFSUtil; import org.apache.hadoop.hdfs.client.HdfsClientConfigKeys; import org.apache.hadoop.hdfs.server.aliasmap.InMemoryAliasMap; import org.apache.hadoop.hdfs.server.common.JspHelper; +import org.apache.hadoop.hdfs.server.common.TokenVerifier; import org.apache.hadoop.hdfs.server.namenode.startupprogress.StartupProgress; import org.apache.hadoop.hdfs.server.namenode.web.resources.NamenodeWebHdfsMethods; import org.apache.hadoop.hdfs.web.AuthFilter; @@ -319,6 +320,11 @@ public class NameNodeHttpServer { return (NameNode)context.getAttribute(NAMENODE_ATTRIBUTE_KEY); } + public static TokenVerifier + getTokenVerifierFromContext(ServletContext context) { + return (TokenVerifier) context.getAttribute(NAMENODE_ATTRIBUTE_KEY); + } + static Configuration getConfFromContext(ServletContext context) { return (Configuration)context.getAttribute(JspHelper.CURRENT_CONF); } --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
