[jira] [Updated] (HADOOP-18594) ProxyUserAuthenticationFilter add properties 'hadoop.security.impersonation.provider.class' to enable load custom ImpersonationProvider class when start namenode

Xie Yi (Jira) Sun, 28 Apr 2024 02:44:05 -0700


     [ 
https://issues.apache.org/jira/browse/HADOOP-18594?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]


Xie Yi updated HADOOP-18594:
----------------------------
    Priority: Major  (was: Minor)

> ProxyUserAuthenticationFilter add properties 
> 'hadoop.security.impersonation.provider.class'  to enable  load custom 
> ImpersonationProvider class when start namenode
> -------------------------------------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: HADOOP-18594
>                 URL: https://issues.apache.org/jira/browse/HADOOP-18594
>             Project: Hadoop Common
>          Issue Type: Wish
>            Reporter: Xie Yi
>            Priority: Major
>              Labels: pull-request-available
>
> h3. h3.  the phenomenon
> I made a custom  ImpersonationProvider class and configured in core-site.xml
> {code:none}
>     <property>
>       <name>hadoop.security.impersonation.provider.class</name>
>       
> <value>org.apache.hadoop.security.authorize.MyImpersonationProvider</value>
>     </property>
> {code}
>  
> {color:#ff0000}However, when  start namenode, MyImpersonationProvider could't 
> be load automatically, but DefaultImpersonationProvider is loaded.{color}
> When execute the following command, custom ImpersonationProvider could be 
> load.
> {code:java}
> bin/hdfs dfsadmin -refreshSuperUserGroupsConfiguration{code}
> h3. h3. what I see else
> custom ImpersonationProvider was load in 
> org.apache.hadoop.security.authorize.ProxyUsers#refreshSuperUserGroupsConfiguration
> through the property "hadoop.security.impersonation.provider.class"
> [https://github.com/apache/hadoop/blob/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/authorize/ProxyUsers.java#L70]
> {code:java}
> public static void refreshSuperUserGroupsConfiguration(Configuration conf,
>     String proxyUserPrefix) {
>   Preconditions.checkArgument(proxyUserPrefix != null && 
>       !proxyUserPrefix.isEmpty(), "prefix cannot be NULL or empty");
>   // sip is volatile. Any assignment to it as well as the object's state
>   // will be visible to all the other threads. 
>   ImpersonationProvider ip = getInstance(conf);
>   ip.init(proxyUserPrefix);
>   sip = ip;
>   ProxyServers.refresh(conf);
> } 
> private static ImpersonationProvider getInstance(Configuration conf) {
>   Class<? extends ImpersonationProvider> clazz =
>       conf.getClass(
>           
> CommonConfigurationKeysPublic.HADOOP_SECURITY_IMPERSONATION_PROVIDER_CLASS,
>           DefaultImpersonationProvider.class, ImpersonationProvider.class);
>   return ReflectionUtils.newInstance(clazz, conf);
> }{code}
>  
> when namenode start, refreshSuperUserGroupsConfiguration was called in 
> ProxyUserAuthenticationFilter,
> [https://github.com/apache/hadoop/blob/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/authentication/server/ProxyUserAuthenticationFilter.java#L56]
> {code:java}
>   public void init(FilterConfig filterConfig) throws ServletException {
>     Configuration conf = getProxyuserConfiguration(filterConfig);
>     ProxyUsers.refreshSuperUserGroupsConfiguration(conf, PROXYUSER_PREFIX);
>     super.init(filterConfig);
>   }
> {code}
> here is the stack trace
> {code:none}
> init:70, DefaultImpersonationProvider (org.apache.hadoop.security.authorize)
> refreshSuperUserGroupsConfiguration:77, ProxyUsers 
> (org.apache.hadoop.security.authorize)
> init:56, ProxyUserAuthenticationFilter 
> (org.apache.hadoop.security.authentication.server)
> initialize:140, FilterHolder (org.eclipse.jetty.servlet)
> lambda$initialize$0:731, ServletHandler (org.eclipse.jetty.servlet)
> accept:-1, 1541075662 (org.eclipse.jetty.servlet.ServletHandler$$Lambda$36)
> forEachRemaining:948, Spliterators$ArraySpliterator (java.util)
> forEachRemaining:742, Streams$ConcatSpliterator (java.util.stream)
> forEach:580, ReferencePipeline$Head (java.util.stream)
> initialize:755, ServletHandler (org.eclipse.jetty.servlet)
> startContext:379, ServletContextHandler (org.eclipse.jetty.servlet)
> doStart:910, ContextHandler (org.eclipse.jetty.server.handler)
> doStart:288, ServletContextHandler (org.eclipse.jetty.servlet)
> start:73, AbstractLifeCycle (org.eclipse.jetty.util.component)
> start:169, ContainerLifeCycle (org.eclipse.jetty.util.component)
> doStart:117, ContainerLifeCycle (org.eclipse.jetty.util.component)
> doStart:97, AbstractHandler (org.eclipse.jetty.server.handler)
> start:73, AbstractLifeCycle (org.eclipse.jetty.util.component)
> start:169, ContainerLifeCycle (org.eclipse.jetty.util.component)
> doStart:117, ContainerLifeCycle (org.eclipse.jetty.util.component)
> doStart:97, AbstractHandler (org.eclipse.jetty.server.handler)
> start:73, AbstractLifeCycle (org.eclipse.jetty.util.component)
> start:169, ContainerLifeCycle (org.eclipse.jetty.util.component)
> start:423, Server (org.eclipse.jetty.server)
> doStart:110, ContainerLifeCycle (org.eclipse.jetty.util.component)
> doStart:97, AbstractHandler (org.eclipse.jetty.server.handler)
> doStart:387, Server (org.eclipse.jetty.server)
> start:73, AbstractLifeCycle (org.eclipse.jetty.util.component)
> start:1276, HttpServer2 (org.apache.hadoop.http)
> start:170, NameNodeHttpServer (org.apache.hadoop.hdfs.server.namenode)
> startHttpServer:954, NameNode (org.apache.hadoop.hdfs.server.namenode)
> initialize:765, NameNode (org.apache.hadoop.hdfs.server.namenode)
> <init>:1020, NameNode (org.apache.hadoop.hdfs.server.namenode)
> <init>:995, NameNode (org.apache.hadoop.hdfs.server.namenode)
> createNameNode:1769, NameNode (org.apache.hadoop.hdfs.server.namenode)
> main:1834, NameNode (org.apache.hadoop.hdfs.server.namenode)
> {code}
>  
> {color:#ff0000}but the filterConfig in ProxyUserAuthenticationFilter did't 
> contains properties ''hadoop.security.impersonation.provider.class''{color}
> filterConfig in ProxyUserAuthenticationFilter is controled by 
> ProxyUserAuthenticationFilterInitializer or AuthFilterInitializer
> filterConfig only put property which start with "hadoop.proxyuser", but not 
> put "hadoop.security.impersonation.provider.class"
> {code:java}
>   protected Map<String, String> createFilterConfig(Configuration conf) {
>     Map<String, String> filterConfig = AuthenticationFilterInitializer
>         .getFilterConfigMap(conf, configPrefix);
>     //Add proxy user configs
>     for (Map.Entry<String, String> entry : conf.getPropsWithPrefix(
>         ProxyUsers.CONF_HADOOP_PROXYUSER).entrySet()) {
>       filterConfig.put("proxyuser" + entry.getKey(), entry.getValue());
>     }
>     return filterConfig;
>   }
> {code}
> [https://github.com/apache/hadoop/blob/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/authentication/server/ProxyUserAuthenticationFilterInitializer.java#L46]
> [https://github.com/apache/hadoop/blob/trunk/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/web/AuthFilterInitializer.java#L46]
> it leads to custome ImpersonationProvider can't be load during namenode start.
>  
>  
>  
>  
>  
>  
>  
>  
>  
>  
>  
>  
>  
>  
>  
>  
>  
>  
>  
>  
>  



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org

[jira] [Updated] (HADOOP-18594) ProxyUserAuthenticationFilter add properties 'hadoop.security.impersonation.provider.class' to enable load custom ImpersonationProvider class when start namenode

Reply via email to