Author: shv
Date: Tue Jun  5 03:51:15 2012
New Revision: 1346227

URL: http://svn.apache.org/viewvc?rev=1346227&view=rev
Log:
HADOOP-7621. Alfredo config should be in a file not readable by users. 
Contributed by Aaron T. Myers and Benoy Antony.

Modified:
    hadoop/common/branches/branch-0.22/common/CHANGES.txt
    
hadoop/common/branches/branch-0.22/common/src/docs/src/documentation/content/xdocs/HttpAuthentication.xml
    
hadoop/common/branches/branch-0.22/common/src/java/org/apache/hadoop/security/AuthenticationFilterInitializer.java

Modified: hadoop/common/branches/branch-0.22/common/CHANGES.txt
URL: 
http://svn.apache.org/viewvc/hadoop/common/branches/branch-0.22/common/CHANGES.txt?rev=1346227&r1=1346226&r2=1346227&view=diff
==============================================================================
--- hadoop/common/branches/branch-0.22/common/CHANGES.txt (original)
+++ hadoop/common/branches/branch-0.22/common/CHANGES.txt Tue Jun  5 03:51:15 
2012
@@ -34,6 +34,9 @@ Release 0.22.1 - Unreleased
     HADOOP-7645. Disable TestKerberosAuthenticator and
     TestKerberosAuthenticationHandler. (Benoy Antony via shv)
 
+    HADOOP-7621. Alfredo config should be in a file not readable by users.
+    (Aaron T. Myers and Benoy Antony via shv)
+
 Release 0.22.0 - 2011-11-29
 
   INCOMPATIBLE CHANGES

Modified: 
hadoop/common/branches/branch-0.22/common/src/docs/src/documentation/content/xdocs/HttpAuthentication.xml
URL: 
http://svn.apache.org/viewvc/hadoop/common/branches/branch-0.22/common/src/docs/src/documentation/content/xdocs/HttpAuthentication.xml?rev=1346227&r1=1346226&r2=1346227&view=diff
==============================================================================
--- 
hadoop/common/branches/branch-0.22/common/src/docs/src/documentation/content/xdocs/HttpAuthentication.xml
 (original)
+++ 
hadoop/common/branches/branch-0.22/common/src/docs/src/documentation/content/xdocs/HttpAuthentication.xml
 Tue Jun  5 03:51:15 2012
@@ -82,10 +82,12 @@
       <code>36000</code>.
       </p>
 
-      <p><code>hadoop.http.authentication.signature.secret</code>: The 
signature secret for  
-      signing the authentication tokens. If not set a random secret is 
generated at 
-      startup time. The same secret should be used for all nodes in the 
cluster, JobTracker, 
-      NameNode, DataNode and TastTracker. The default value is a 
<code>hadoop</code> value.
+      <p><code>hadoop.http.authentication.signature.secret.file</code>: The 
signature secret
+      file for signing the authentication tokens. If not set a random secret 
is generated at
+      startup time. The same secret should be used for all nodes in the 
cluster, JobTracker,
+      NameNode, DataNode and TastTracker. The default value is
+      <code>${user.home}/hadoop-http-auth-signature-secret</code>.
+      IMPORTANT: This file should be readable only by the Unix user running 
the daemons.
       </p>
         
       <p><code>hadoop.http.authentication.cookie.domain</code>: The domain to 
use for the HTTP 

Modified: 
hadoop/common/branches/branch-0.22/common/src/java/org/apache/hadoop/security/AuthenticationFilterInitializer.java
URL: 
http://svn.apache.org/viewvc/hadoop/common/branches/branch-0.22/common/src/java/org/apache/hadoop/security/AuthenticationFilterInitializer.java?rev=1346227&r1=1346226&r2=1346227&view=diff
==============================================================================
--- 
hadoop/common/branches/branch-0.22/common/src/java/org/apache/hadoop/security/AuthenticationFilterInitializer.java
 (original)
+++ 
hadoop/common/branches/branch-0.22/common/src/java/org/apache/hadoop/security/AuthenticationFilterInitializer.java
 Tue Jun  5 03:51:15 2012
@@ -22,6 +22,9 @@ import org.apache.hadoop.conf.Configurat
 import org.apache.hadoop.http.FilterContainer;
 import org.apache.hadoop.http.FilterInitializer;
 
+import java.io.FileReader;
+import java.io.IOException;
+import java.io.Reader;
 import java.util.HashMap;
 import java.util.Map;
 
@@ -40,7 +43,9 @@ import java.util.Map;
  */
 public class AuthenticationFilterInitializer extends FilterInitializer {
 
-  private static final String PREFIX = "hadoop.http.authentication.";
+  static final String PREFIX = "hadoop.http.authentication.";
+
+  static final String SIGNATURE_SECRET_FILE = 
AuthenticationFilter.SIGNATURE_SECRET + ".file";
 
   /**
    * Initializes Alfredo AuthenticationFilter.
@@ -67,6 +72,25 @@ public class AuthenticationFilterInitial
       }
     }
 
+    String signatureSecretFile = filterConfig.get(SIGNATURE_SECRET_FILE);
+    if (signatureSecretFile == null) {
+      throw new RuntimeException("Undefined property: " + 
SIGNATURE_SECRET_FILE);
+    }
+
+    try {
+      StringBuilder secret = new StringBuilder();
+      Reader reader = new FileReader(signatureSecretFile);
+      int c = reader.read();
+      while (c > -1) {
+        secret.append((char)c);
+        c = reader.read();
+      }
+      reader.close();
+      filterConfig.put(AuthenticationFilter.SIGNATURE_SECRET, 
secret.toString());
+    } catch (IOException ex) {
+      throw new RuntimeException("Could not read HTTP signature secret file: " 
+ signatureSecretFile);
+    }
+
     container.addFilter("authentication",
                         AuthenticationFilter.class.getName(),
                         filterConfig);
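Review bot: The read loop in the new `try` block accepts whatever the file contains, so an empty secret file produces a zero-length signing secret that is handed to `AuthenticationFilter` without any error; the length should be checked before `filterConfig.put`. In the same block `reader.close()` is skipped when `read()` throws, and the `catch` discards the `IOException`, so the operator never sees whether the failure was a missing file or a permission problem. `FileReader` also decodes with the platform default charset, which may yield different secrets on nodes with different locales if the file holds non-ASCII bytes. The null check throws when the property is unset, while the HttpAuthentication.xml text in this commit says a random secret is generated in that case; unless a default supplied elsewhere makes that branch unreachable, one of the two should change. The enclosing method begins above this hunk.

```java
    // … unchanged: signatureSecretFile lookup and null check …
    try {
      StringBuilder secret = new StringBuilder();
      Reader reader = new FileReader(signatureSecretFile);
      try {
        int c = reader.read();
        while (c > -1) {
          secret.append((char) c);
          c = reader.read();
        }
      } finally {
        // Release the file handle even when read() fails part-way.
        reader.close();
      }
      if (secret.length() == 0) {
        // An empty secret would make every token signature trivially reproducible.
        throw new RuntimeException("HTTP signature secret file is empty: "
            + signatureSecretFile);
      }
      filterConfig.put(AuthenticationFilter.SIGNATURE_SECRET, secret.toString());
    } catch (IOException ex) {
      throw new RuntimeException("Could not read HTTP signature secret file: "
          + signatureSecretFile, ex);
    }
    // … unchanged: container.addFilter call …
```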

