[jira] [Updated] (HADOOP-18594) ProxyUserAuthenticationFilter add properties 'hadoop.security.impersonation.provider.class' to enable load custom ImpersonationProvider class when start namenode

Xie Yi (Jira) Mon, 16 Jan 2023 02:58:19 -0800


     [ 
https://issues.apache.org/jira/browse/HADOOP-18594?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]


Xie Yi updated HADOOP-18594:
----------------------------
    Description: 
h3. h3.  the phenomenon

I made a custom  ImpersonationProvider class and configured core-site.xml
{code:none}
    <property>
      <name>hadoop.security.impersonation.provider.class</name>
      
<value>org.apache.hadoop.security.authorize.YoudaoImpersonationProvider</value>
    </property>
{code}
However, DefaultImpersonationProvider's loaded, rather than  
MyImpersonationProvider.

 
h3. h3. what I see else

custom ImpersonationProvider was load in 
org.apache.hadoop.security.authorize.ProxyUsers#refreshSuperUserGroupsConfiguration
through the propertoes "hadoop.security.impersonation.provider.class"

https://github.com/apache/hadoop/blob/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/authorize/ProxyUsers.java#L70
{code:java}
public static void refreshSuperUserGroupsConfiguration(Configuration conf,
    String proxyUserPrefix) {
  Preconditions.checkArgument(proxyUserPrefix != null && 
      !proxyUserPrefix.isEmpty(), "prefix cannot be NULL or empty");
  // sip is volatile. Any assignment to it as well as the object's state
  // will be visible to all the other threads. 
  ImpersonationProvider ip = getInstance(conf);
  ip.init(proxyUserPrefix);
  sip = ip;
  ProxyServers.refresh(conf);
} 


private static ImpersonationProvider getInstance(Configuration conf) {
  Class<? extends ImpersonationProvider> clazz =
      conf.getClass(
          
CommonConfigurationKeysPublic.HADOOP_SECURITY_IMPERSONATION_PROVIDER_CLASS,
          DefaultImpersonationProvider.class, ImpersonationProvider.class);
  return ReflectionUtils.newInstance(clazz, conf);
}{code}
 

when namenode start, refreshSuperUserGroupsConfiguration was called in 
ProxyUserAuthenticationFilter,

https://github.com/apache/hadoop/blob/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/authentication/server/ProxyUserAuthenticationFilter.java#L56

{code:java}
  public void init(FilterConfig filterConfig) throws ServletException {
    Configuration conf = getProxyuserConfiguration(filterConfig);
    ProxyUsers.refreshSuperUserGroupsConfiguration(conf, PROXYUSER_PREFIX);
    super.init(filterConfig);
  }
{code}

 here is the stack trace
{code:none}
init:70, DefaultImpersonationProvider (org.apache.hadoop.security.authorize)
refreshSuperUserGroupsConfiguration:77, ProxyUsers 
(org.apache.hadoop.security.authorize)
init:56, ProxyUserAuthenticationFilter 
(org.apache.hadoop.security.authentication.server)
initialize:140, FilterHolder (org.eclipse.jetty.servlet)
lambda$initialize$0:731, ServletHandler (org.eclipse.jetty.servlet)
accept:-1, 1541075662 (org.eclipse.jetty.servlet.ServletHandler$$Lambda$36)
forEachRemaining:948, Spliterators$ArraySpliterator (java.util)
forEachRemaining:742, Streams$ConcatSpliterator (java.util.stream)
forEach:580, ReferencePipeline$Head (java.util.stream)
initialize:755, ServletHandler (org.eclipse.jetty.servlet)
startContext:379, ServletContextHandler (org.eclipse.jetty.servlet)
doStart:910, ContextHandler (org.eclipse.jetty.server.handler)
doStart:288, ServletContextHandler (org.eclipse.jetty.servlet)
start:73, AbstractLifeCycle (org.eclipse.jetty.util.component)
start:169, ContainerLifeCycle (org.eclipse.jetty.util.component)
doStart:117, ContainerLifeCycle (org.eclipse.jetty.util.component)
doStart:97, AbstractHandler (org.eclipse.jetty.server.handler)
start:73, AbstractLifeCycle (org.eclipse.jetty.util.component)
start:169, ContainerLifeCycle (org.eclipse.jetty.util.component)
doStart:117, ContainerLifeCycle (org.eclipse.jetty.util.component)
doStart:97, AbstractHandler (org.eclipse.jetty.server.handler)
start:73, AbstractLifeCycle (org.eclipse.jetty.util.component)
start:169, ContainerLifeCycle (org.eclipse.jetty.util.component)
start:423, Server (org.eclipse.jetty.server)
doStart:110, ContainerLifeCycle (org.eclipse.jetty.util.component)
doStart:97, AbstractHandler (org.eclipse.jetty.server.handler)
doStart:387, Server (org.eclipse.jetty.server)
start:73, AbstractLifeCycle (org.eclipse.jetty.util.component)
start:1276, HttpServer2 (org.apache.hadoop.http)
start:170, NameNodeHttpServer (org.apache.hadoop.hdfs.server.namenode)
startHttpServer:954, NameNode (org.apache.hadoop.hdfs.server.namenode)
initialize:765, NameNode (org.apache.hadoop.hdfs.server.namenode)
<init>:1020, NameNode (org.apache.hadoop.hdfs.server.namenode)
<init>:995, NameNode (org.apache.hadoop.hdfs.server.namenode)
createNameNode:1769, NameNode (org.apache.hadoop.hdfs.server.namenode)
main:1834, NameNode (org.apache.hadoop.hdfs.server.namenode)
{code}
 
{color:red}but the filterConfig in ProxyUserAuthenticationFilter did't contains 
properties ''hadoop.security.impersonation.provider.class''{color}
filterConfig in ProxyUserAuthenticationFilter is controled by 
ProxyUserAuthenticationFilterInitializer or AuthFilterInitializer
filterConfig only put property which start with  "hadoop.proxyuser", but not 
put "hadoop.security.impersonation.provider.class"
{code:java}
    for (Map.Entry<String, String> entry : conf.getPropsWithPrefix(
        ProxyUsers.CONF_HADOOP_PROXYUSER).entrySet()) {
      filterConfig.put("proxyuser" + entry.getKey(), entry.getValue());
    }
{code}

https://github.com/apache/hadoop/blob/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/authentication/server/ProxyUserAuthenticationFilterInitializer.java#L46

https://github.com/apache/hadoop/blob/trunk/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/web/AuthFilterInitializer.java#L46




it leads to custome ImpersonationProvider can't be load.
 
 
 
 

 
 
 
 

 
 
 
 

 

  was:
h3. h3.  the phenomenon

I made a custom  ImpersonationProvider class and configured core-site.xml
{code:java}
    <property>
      <name>hadoop.security.impersonation.provider.class</name>
      
<value>org.apache.hadoop.security.authorize.MyImpersonationProvider</value>
    </property> {code}
and start namenode

However, DefaultImpersonationProvider's loaded, rather than  
MyImpersonationProvider.

 

 

 

 
 
 
 

 


> ProxyUserAuthenticationFilter add properties 
> 'hadoop.security.impersonation.provider.class'  to enable  load custom 
> ImpersonationProvider class when start namenode
> -------------------------------------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: HADOOP-18594
>                 URL: https://issues.apache.org/jira/browse/HADOOP-18594
>             Project: Hadoop Common
>          Issue Type: Wish
>            Reporter: Xie Yi
>            Priority: Minor
>
> h3. h3.  the phenomenon
> I made a custom  ImpersonationProvider class and configured core-site.xml
> {code:none}
>     <property>
>       <name>hadoop.security.impersonation.provider.class</name>
>       
> <value>org.apache.hadoop.security.authorize.YoudaoImpersonationProvider</value>
>     </property>
> {code}
> However, DefaultImpersonationProvider's loaded, rather than  
> MyImpersonationProvider.
>  
> h3. h3. what I see else
> custom ImpersonationProvider was load in 
> org.apache.hadoop.security.authorize.ProxyUsers#refreshSuperUserGroupsConfiguration
> through the propertoes "hadoop.security.impersonation.provider.class"
> https://github.com/apache/hadoop/blob/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/authorize/ProxyUsers.java#L70
> {code:java}
> public static void refreshSuperUserGroupsConfiguration(Configuration conf,
>     String proxyUserPrefix) {
>   Preconditions.checkArgument(proxyUserPrefix != null && 
>       !proxyUserPrefix.isEmpty(), "prefix cannot be NULL or empty");
>   // sip is volatile. Any assignment to it as well as the object's state
>   // will be visible to all the other threads. 
>   ImpersonationProvider ip = getInstance(conf);
>   ip.init(proxyUserPrefix);
>   sip = ip;
>   ProxyServers.refresh(conf);
> } 
> private static ImpersonationProvider getInstance(Configuration conf) {
>   Class<? extends ImpersonationProvider> clazz =
>       conf.getClass(
>           
> CommonConfigurationKeysPublic.HADOOP_SECURITY_IMPERSONATION_PROVIDER_CLASS,
>           DefaultImpersonationProvider.class, ImpersonationProvider.class);
>   return ReflectionUtils.newInstance(clazz, conf);
> }{code}
>  
> when namenode start, refreshSuperUserGroupsConfiguration was called in 
> ProxyUserAuthenticationFilter,
> https://github.com/apache/hadoop/blob/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/authentication/server/ProxyUserAuthenticationFilter.java#L56
> {code:java}
>   public void init(FilterConfig filterConfig) throws ServletException {
>     Configuration conf = getProxyuserConfiguration(filterConfig);
>     ProxyUsers.refreshSuperUserGroupsConfiguration(conf, PROXYUSER_PREFIX);
>     super.init(filterConfig);
>   }
> {code}
>  here is the stack trace
> {code:none}
> init:70, DefaultImpersonationProvider (org.apache.hadoop.security.authorize)
> refreshSuperUserGroupsConfiguration:77, ProxyUsers 
> (org.apache.hadoop.security.authorize)
> init:56, ProxyUserAuthenticationFilter 
> (org.apache.hadoop.security.authentication.server)
> initialize:140, FilterHolder (org.eclipse.jetty.servlet)
> lambda$initialize$0:731, ServletHandler (org.eclipse.jetty.servlet)
> accept:-1, 1541075662 (org.eclipse.jetty.servlet.ServletHandler$$Lambda$36)
> forEachRemaining:948, Spliterators$ArraySpliterator (java.util)
> forEachRemaining:742, Streams$ConcatSpliterator (java.util.stream)
> forEach:580, ReferencePipeline$Head (java.util.stream)
> initialize:755, ServletHandler (org.eclipse.jetty.servlet)
> startContext:379, ServletContextHandler (org.eclipse.jetty.servlet)
> doStart:910, ContextHandler (org.eclipse.jetty.server.handler)
> doStart:288, ServletContextHandler (org.eclipse.jetty.servlet)
> start:73, AbstractLifeCycle (org.eclipse.jetty.util.component)
> start:169, ContainerLifeCycle (org.eclipse.jetty.util.component)
> doStart:117, ContainerLifeCycle (org.eclipse.jetty.util.component)
> doStart:97, AbstractHandler (org.eclipse.jetty.server.handler)
> start:73, AbstractLifeCycle (org.eclipse.jetty.util.component)
> start:169, ContainerLifeCycle (org.eclipse.jetty.util.component)
> doStart:117, ContainerLifeCycle (org.eclipse.jetty.util.component)
> doStart:97, AbstractHandler (org.eclipse.jetty.server.handler)
> start:73, AbstractLifeCycle (org.eclipse.jetty.util.component)
> start:169, ContainerLifeCycle (org.eclipse.jetty.util.component)
> start:423, Server (org.eclipse.jetty.server)
> doStart:110, ContainerLifeCycle (org.eclipse.jetty.util.component)
> doStart:97, AbstractHandler (org.eclipse.jetty.server.handler)
> doStart:387, Server (org.eclipse.jetty.server)
> start:73, AbstractLifeCycle (org.eclipse.jetty.util.component)
> start:1276, HttpServer2 (org.apache.hadoop.http)
> start:170, NameNodeHttpServer (org.apache.hadoop.hdfs.server.namenode)
> startHttpServer:954, NameNode (org.apache.hadoop.hdfs.server.namenode)
> initialize:765, NameNode (org.apache.hadoop.hdfs.server.namenode)
> <init>:1020, NameNode (org.apache.hadoop.hdfs.server.namenode)
> <init>:995, NameNode (org.apache.hadoop.hdfs.server.namenode)
> createNameNode:1769, NameNode (org.apache.hadoop.hdfs.server.namenode)
> main:1834, NameNode (org.apache.hadoop.hdfs.server.namenode)
> {code}
>  
> {color:red}but the filterConfig in ProxyUserAuthenticationFilter did't 
> contains properties ''hadoop.security.impersonation.provider.class''{color}
> filterConfig in ProxyUserAuthenticationFilter is controled by 
> ProxyUserAuthenticationFilterInitializer or AuthFilterInitializer
> filterConfig only put property which start with  "hadoop.proxyuser", but not 
> put "hadoop.security.impersonation.provider.class"
> {code:java}
>     for (Map.Entry<String, String> entry : conf.getPropsWithPrefix(
>         ProxyUsers.CONF_HADOOP_PROXYUSER).entrySet()) {
>       filterConfig.put("proxyuser" + entry.getKey(), entry.getValue());
>     }
> {code}
> https://github.com/apache/hadoop/blob/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/authentication/server/ProxyUserAuthenticationFilterInitializer.java#L46
> https://github.com/apache/hadoop/blob/trunk/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/web/AuthFilterInitializer.java#L46
> it leads to custome ImpersonationProvider can't be load.
>  
>  
>  
>  
>  
>  
>  
>  
>  
>  
>  
>  
>  



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

[jira] [Updated] (HADOOP-18594) ProxyUserAuthenticationFilter add properties 'hadoop.security.impersonation.provider.class' to enable load custom ImpersonationProvider class when start namenode

Reply via email to