[hadoop] 02/03: HDFS-14434. Ignore user.name query parameter in secure WebHDFS. Contributed by KWON BYUNGCHANG

2020-03-25 Thread weichiu
This is an automated email from the ASF dual-hosted git repository.

weichiu pushed a commit to branch branch-3.1
in repository https://gitbox.apache.org/repos/asf/hadoop.git

commit b837431a08524145865f9bd542527d466b1f774b
Author: Eric Yang 
AuthorDate: Tue May 28 17:31:35 2019 -0400

HDFS-14434.  Ignore user.name query parameter in secure WebHDFS.
 Contributed by KWON BYUNGCHANG

(cherry picked from commit d78854b928bb877f26b11b5b212a100a79941f35)

 Conflicts:

hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/web/TestWebHdfsTokens.java

(cherry picked from commit ba6b3a384863b57bc7eeeb736950f544e6ed8d6d)
---
 .../apache/hadoop/hdfs/web/WebHdfsFileSystem.java  |  16 +-
 .../hadoop/hdfs/server/common/JspHelper.java   |   8 +-
 .../hadoop/hdfs/server/common/TestJspHelper.java   |  88 +
 .../apache/hadoop/hdfs/web/TestWebHdfsTokens.java  | 218 +
 .../org/apache/hadoop/hdfs/web/TestWebHdfsUrl.java |  47 +++--
 5 files changed, 236 insertions(+), 141 deletions(-)

diff --git 
a/hadoop-hdfs-project/hadoop-hdfs-client/src/main/java/org/apache/hadoop/hdfs/web/WebHdfsFileSystem.java
 
b/hadoop-hdfs-project/hadoop-hdfs-client/src/main/java/org/apache/hadoop/hdfs/web/WebHdfsFileSystem.java
index 6fa7c97..37b66e6 100644
--- 
a/hadoop-hdfs-project/hadoop-hdfs-client/src/main/java/org/apache/hadoop/hdfs/web/WebHdfsFileSystem.java
+++ 
b/hadoop-hdfs-project/hadoop-hdfs-client/src/main/java/org/apache/hadoop/hdfs/web/WebHdfsFileSystem.java
@@ -167,6 +167,7 @@ public class WebHdfsFileSystem extends FileSystem
   private InetSocketAddress nnAddrs[];
   private int currentNNAddrIndex;
   private boolean disallowFallbackToInsecureCluster;
+  private boolean isInsecureCluster;
   private String restCsrfCustomHeader;
   private Set restCsrfMethodsToIgnore;
 
@@ -280,6 +281,7 @@ public class WebHdfsFileSystem extends FileSystem
 
 this.workingDir = makeQualified(new Path(getHomeDirectoryString(ugi)));
 this.canRefreshDelegationToken = UserGroupInformation.isSecurityEnabled();
+this.isInsecureCluster = !this.canRefreshDelegationToken;
 this.disallowFallbackToInsecureCluster = !conf.getBoolean(
 CommonConfigurationKeys.IPC_CLIENT_FALLBACK_TO_SIMPLE_AUTH_ALLOWED_KEY,
 
CommonConfigurationKeys.IPC_CLIENT_FALLBACK_TO_SIMPLE_AUTH_ALLOWED_DEFAULT);
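Review bot: `isInsecureCluster` is introduced as a second flag that has to be kept in sync with `canRefreshDelegationToken` by hand — here it is assigned as that field's negation, and the `// security is disabled` hunk below sets both to complementary values again. Unless a path not shown here sets them independently, a derived accessor removes the chance of the two drifting apart: `private boolean isInsecureCluster() { return !canRefreshDelegationToken; }`, with the new field dropped and the `if` in getAuthParameters calling the accessor. The constructor body continues outside the hunk. The identical hunk in the branch-3.2 commit further down has the same point.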
@@ -365,6 +367,7 @@ public class WebHdfsFileSystem extends FileSystem
 LOG.debug("Fetched new token: {}", token);
   } else { // security is disabled
 canRefreshDelegationToken = false;
+isInsecureCluster = true;
   }
 }
   }
@@ -411,8 +414,7 @@ public class WebHdfsFileSystem extends FileSystem
 if (cachedHomeDirectory == null) {
   final HttpOpParam.Op op = GetOpParam.Op.GETHOMEDIRECTORY;
   try {
-String pathFromDelegatedFS = new FsPathResponseRunner(op, null,
-new UserParam(ugi)) {
+String pathFromDelegatedFS = new FsPathResponseRunner(op, 
null){
   @Override
   String decodeResponse(Map json) throws IOException {
 return JsonUtilClient.getPath(json);
@@ -574,7 +576,8 @@ public class WebHdfsFileSystem extends FileSystem
 return url;
   }
 
-  Param[] getAuthParameters(final HttpOpParam.Op op) throws IOException {
+  private synchronized Param[] getAuthParameters(final HttpOpParam.Op op)
+  throws IOException {
 List> authParams = Lists.newArrayList();
 // Skip adding delegation token for token operations because these
 // operations require authentication.
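Review bot: `synchronized` is added to getAuthParameters, but the only new shared state it reads is `isInsecureCluster`, and the write to that flag in the `// security is disabled` hunk above sits in a method whose synchronization is not visible here; if that writer does not hold the same monitor, the lock on the reader gives no visibility guarantee. Either make the writer synchronized on the same object or declare the field `private volatile boolean isInsecureCluster;` and drop `synchronized` here, which also avoids serializing every URL build on one lock. The method also changes from package-private to `private`, so any test that called it directly (TestWebHdfsUrl is in the diffstat) needs the corresponding update, which I assume is in the part of the diff not shown. getAuthParameters continues in the next hunk, and the branch-3.2 copy below has the same hunk.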
@@ -591,7 +594,12 @@ public class WebHdfsFileSystem extends FileSystem
 authParams.add(new DoAsParam(userUgi.getShortUserName()));
 userUgi = realUgi;
   }
-  authParams.add(new UserParam(userUgi.getShortUserName()));
+  UserParam userParam = new UserParam((userUgi.getShortUserName()));
+
+  //in insecure, use user.name parameter, in secure, use spnego auth
+  if(isInsecureCluster) {
+authParams.add(userParam);
+  }
 }
 return authParams.toArray(new Param[0]);
   }
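Review bot: `userParam` is built unconditionally at `UserParam userParam = new UserParam((userUgi.getShortUserName()));` but only consumed inside the `if(isInsecureCluster)` branch, so on a secure cluster the object is constructed and discarded, and the doubled parentheses around the argument are redundant. Constructing it in the branch reads as `if (isInsecureCluster) {` / `  authParams.add(new UserParam(userUgi.getShortUserName()));` / `}`. The comment could also carry the rationale the commit title gives, e.g. `// Only send user.name on an insecure cluster; a secure cluster authenticates via SPNEGO or a delegation token and the server side ignores user.name there.`, where the server-side half rests on the JspHelper change in this same commit. getAuthParameters starts in the previous hunk; the branch-3.2 copy below has the identical hunk.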
diff --git 
a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/common/JspHelper.java
 
b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/common/JspHelper.java
index 2d1d736..e56f1e1 100644
--- 
a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/common/JspHelper.java
+++ 
b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/common/JspHelper.java
@@ -118,12 +118,9 @@ public class JspHelper {
   remoteUser = request.getRemoteUser();
   final String tokenString = 
request.getParameter(DELEGATION_PARAMETER_NAME);
   if (tokenString != null) {
-// Token-based connections need only verify the effective user, and
-// disallow proxying to different user.  Proxy authorization checks
-// are not required si

[hadoop] 02/03: HDFS-14434. Ignore user.name query parameter in secure WebHDFS. Contributed by KWON BYUNGCHANG

2020-03-25 Thread weichiu
This is an automated email from the ASF dual-hosted git repository.

weichiu pushed a commit to branch branch-3.2
in repository https://gitbox.apache.org/repos/asf/hadoop.git

commit ba6b3a384863b57bc7eeeb736950f544e6ed8d6d
Author: Eric Yang 
AuthorDate: Tue May 28 17:31:35 2019 -0400

HDFS-14434.  Ignore user.name query parameter in secure WebHDFS.
 Contributed by KWON BYUNGCHANG

(cherry picked from commit d78854b928bb877f26b11b5b212a100a79941f35)

 Conflicts:

hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/web/TestWebHdfsTokens.java
---
 .../apache/hadoop/hdfs/web/WebHdfsFileSystem.java  |  16 +-
 .../hadoop/hdfs/server/common/JspHelper.java   |   8 +-
 .../hadoop/hdfs/server/common/TestJspHelper.java   |  88 +
 .../apache/hadoop/hdfs/web/TestWebHdfsTokens.java  | 218 +
 .../org/apache/hadoop/hdfs/web/TestWebHdfsUrl.java |  47 +++--
 5 files changed, 236 insertions(+), 141 deletions(-)

diff --git 
a/hadoop-hdfs-project/hadoop-hdfs-client/src/main/java/org/apache/hadoop/hdfs/web/WebHdfsFileSystem.java
 
b/hadoop-hdfs-project/hadoop-hdfs-client/src/main/java/org/apache/hadoop/hdfs/web/WebHdfsFileSystem.java
index b316bf1..90b15ff 100644
--- 
a/hadoop-hdfs-project/hadoop-hdfs-client/src/main/java/org/apache/hadoop/hdfs/web/WebHdfsFileSystem.java
+++ 
b/hadoop-hdfs-project/hadoop-hdfs-client/src/main/java/org/apache/hadoop/hdfs/web/WebHdfsFileSystem.java
@@ -167,6 +167,7 @@ public class WebHdfsFileSystem extends FileSystem
   private InetSocketAddress nnAddrs[];
   private int currentNNAddrIndex;
   private boolean disallowFallbackToInsecureCluster;
+  private boolean isInsecureCluster;
   private String restCsrfCustomHeader;
   private Set restCsrfMethodsToIgnore;
 
@@ -279,6 +280,7 @@ public class WebHdfsFileSystem extends FileSystem
 
 this.workingDir = makeQualified(new Path(getHomeDirectoryString(ugi)));
 this.canRefreshDelegationToken = UserGroupInformation.isSecurityEnabled();
+this.isInsecureCluster = !this.canRefreshDelegationToken;
 this.disallowFallbackToInsecureCluster = !conf.getBoolean(
 CommonConfigurationKeys.IPC_CLIENT_FALLBACK_TO_SIMPLE_AUTH_ALLOWED_KEY,
 
CommonConfigurationKeys.IPC_CLIENT_FALLBACK_TO_SIMPLE_AUTH_ALLOWED_DEFAULT);
@@ -364,6 +366,7 @@ public class WebHdfsFileSystem extends FileSystem
 LOG.debug("Fetched new token: {}", token);
   } else { // security is disabled
 canRefreshDelegationToken = false;
+isInsecureCluster = true;
   }
 }
   }
@@ -410,8 +413,7 @@ public class WebHdfsFileSystem extends FileSystem
 if (cachedHomeDirectory == null) {
   final HttpOpParam.Op op = GetOpParam.Op.GETHOMEDIRECTORY;
   try {
-String pathFromDelegatedFS = new FsPathResponseRunner(op, null,
-new UserParam(ugi)) {
+String pathFromDelegatedFS = new FsPathResponseRunner(op, 
null){
   @Override
   String decodeResponse(Map json) throws IOException {
 return JsonUtilClient.getPath(json);
@@ -573,7 +575,8 @@ public class WebHdfsFileSystem extends FileSystem
 return url;
   }
 
-  Param[] getAuthParameters(final HttpOpParam.Op op) throws IOException {
+  private synchronized Param[] getAuthParameters(final HttpOpParam.Op op)
+  throws IOException {
 List> authParams = Lists.newArrayList();
 // Skip adding delegation token for token operations because these
 // operations require authentication.
@@ -590,7 +593,12 @@ public class WebHdfsFileSystem extends FileSystem
 authParams.add(new DoAsParam(userUgi.getShortUserName()));
 userUgi = realUgi;
   }
-  authParams.add(new UserParam(userUgi.getShortUserName()));
+  UserParam userParam = new UserParam((userUgi.getShortUserName()));
+
+  //in insecure, use user.name parameter, in secure, use spnego auth
+  if(isInsecureCluster) {
+authParams.add(userParam);
+  }
 }
 return authParams.toArray(new Param[0]);
   }
diff --git 
a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/common/JspHelper.java
 
b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/common/JspHelper.java
index eb488e8..2c65c3f 100644
--- 
a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/common/JspHelper.java
+++ 
b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/common/JspHelper.java
@@ -118,12 +118,9 @@ public class JspHelper {
   remoteUser = request.getRemoteUser();
   final String tokenString = 
request.getParameter(DELEGATION_PARAMETER_NAME);
   if (tokenString != null) {
-// Token-based connections need only verify the effective user, and
-// disallow proxying to different user.  Proxy authorization checks
-// are not required since the checks apply to issuing a token.
+
+// user.name, doas param i