[hadoop] 02/03: HDFS-14434. Ignore user.name query parameter in secure WebHDFS. Contributed by KWON BYUNGCHANG
This is an automated email from the ASF dual-hosted git repository. weichiu pushed a commit to branch branch-3.1 in repository https://gitbox.apache.org/repos/asf/hadoop.git commit b837431a08524145865f9bd542527d466b1f774b Author: Eric Yang AuthorDate: Tue May 28 17:31:35 2019 -0400 HDFS-14434. Ignore user.name query parameter in secure WebHDFS. Contributed by KWON BYUNGCHANG (cherry picked from commit d78854b928bb877f26b11b5b212a100a79941f35) Conflicts: hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/web/TestWebHdfsTokens.java (cherry picked from commit ba6b3a384863b57bc7eeeb736950f544e6ed8d6d) --- .../apache/hadoop/hdfs/web/WebHdfsFileSystem.java | 16 +- .../hadoop/hdfs/server/common/JspHelper.java | 8 +- .../hadoop/hdfs/server/common/TestJspHelper.java | 88 + .../apache/hadoop/hdfs/web/TestWebHdfsTokens.java | 218 + .../org/apache/hadoop/hdfs/web/TestWebHdfsUrl.java | 47 +++-- 5 files changed, 236 insertions(+), 141 deletions(-) diff --git a/hadoop-hdfs-project/hadoop-hdfs-client/src/main/java/org/apache/hadoop/hdfs/web/WebHdfsFileSystem.java b/hadoop-hdfs-project/hadoop-hdfs-client/src/main/java/org/apache/hadoop/hdfs/web/WebHdfsFileSystem.java index 6fa7c97..37b66e6 100644 --- a/hadoop-hdfs-project/hadoop-hdfs-client/src/main/java/org/apache/hadoop/hdfs/web/WebHdfsFileSystem.java +++ b/hadoop-hdfs-project/hadoop-hdfs-client/src/main/java/org/apache/hadoop/hdfs/web/WebHdfsFileSystem.java @@ -167,6 +167,7 @@ public class WebHdfsFileSystem extends FileSystem private InetSocketAddress nnAddrs[]; private int currentNNAddrIndex; private boolean disallowFallbackToInsecureCluster; + private boolean isInsecureCluster; private String restCsrfCustomHeader; private Set restCsrfMethodsToIgnore; @@ -280,6 +281,7 @@ public class WebHdfsFileSystem extends FileSystem this.workingDir = makeQualified(new Path(getHomeDirectoryString(ugi))); this.canRefreshDelegationToken = UserGroupInformation.isSecurityEnabled(); +this.isInsecureCluster = !this.canRefreshDelegationToken; this.disallowFallbackToInsecureCluster = !conf.getBoolean( CommonConfigurationKeys.IPC_CLIENT_FALLBACK_TO_SIMPLE_AUTH_ALLOWED_KEY, CommonConfigurationKeys.IPC_CLIENT_FALLBACK_TO_SIMPLE_AUTH_ALLOWED_DEFAULT); @@ -365,6 +367,7 @@ public class WebHdfsFileSystem extends FileSystem LOG.debug("Fetched new token: {}", token); } else { // security is disabled canRefreshDelegationToken = false; +isInsecureCluster = true; } } } @@ -411,8 +414,7 @@ public class WebHdfsFileSystem extends FileSystem if (cachedHomeDirectory == null) { final HttpOpParam.Op op = GetOpParam.Op.GETHOMEDIRECTORY; try { -String pathFromDelegatedFS = new FsPathResponseRunner(op, null, -new UserParam(ugi)) { +String pathFromDelegatedFS = new FsPathResponseRunner(op, null){ @Override String decodeResponse(Map json) throws IOException { return JsonUtilClient.getPath(json); @@ -574,7 +576,8 @@ public class WebHdfsFileSystem extends FileSystem return url; } - Param[] getAuthParameters(final HttpOpParam.Op op) throws IOException { + private synchronized Param[] getAuthParameters(final HttpOpParam.Op op) + throws IOException { List> authParams = Lists.newArrayList(); // Skip adding delegation token for token operations because these // operations require authentication. @@ -591,7 +594,12 @@ public class WebHdfsFileSystem extends FileSystem authParams.add(new DoAsParam(userUgi.getShortUserName())); userUgi = realUgi; } - authParams.add(new UserParam(userUgi.getShortUserName())); + UserParam userParam = new UserParam((userUgi.getShortUserName())); + + //in insecure, use user.name parameter, in secure, use spnego auth + if(isInsecureCluster) { +authParams.add(userParam); + } } return authParams.toArray(new Param[0]); } diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/common/JspHelper.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/common/JspHelper.java index 2d1d736..e56f1e1 100644 --- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/common/JspHelper.java +++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/common/JspHelper.java @@ -118,12 +118,9 @@ public class JspHelper { remoteUser = request.getRemoteUser(); final String tokenString = request.getParameter(DELEGATION_PARAMETER_NAME); if (tokenString != null) { -// Token-based connections need only verify the effective user, and -// disallow proxying to different user. Proxy authorization checks -// are not required si
[hadoop] 02/03: HDFS-14434. Ignore user.name query parameter in secure WebHDFS. Contributed by KWON BYUNGCHANG
This is an automated email from the ASF dual-hosted git repository. weichiu pushed a commit to branch branch-3.2 in repository https://gitbox.apache.org/repos/asf/hadoop.git commit ba6b3a384863b57bc7eeeb736950f544e6ed8d6d Author: Eric Yang AuthorDate: Tue May 28 17:31:35 2019 -0400 HDFS-14434. Ignore user.name query parameter in secure WebHDFS. Contributed by KWON BYUNGCHANG (cherry picked from commit d78854b928bb877f26b11b5b212a100a79941f35) Conflicts: hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/web/TestWebHdfsTokens.java --- .../apache/hadoop/hdfs/web/WebHdfsFileSystem.java | 16 +- .../hadoop/hdfs/server/common/JspHelper.java | 8 +- .../hadoop/hdfs/server/common/TestJspHelper.java | 88 + .../apache/hadoop/hdfs/web/TestWebHdfsTokens.java | 218 + .../org/apache/hadoop/hdfs/web/TestWebHdfsUrl.java | 47 +++-- 5 files changed, 236 insertions(+), 141 deletions(-) diff --git a/hadoop-hdfs-project/hadoop-hdfs-client/src/main/java/org/apache/hadoop/hdfs/web/WebHdfsFileSystem.java b/hadoop-hdfs-project/hadoop-hdfs-client/src/main/java/org/apache/hadoop/hdfs/web/WebHdfsFileSystem.java index b316bf1..90b15ff 100644 --- a/hadoop-hdfs-project/hadoop-hdfs-client/src/main/java/org/apache/hadoop/hdfs/web/WebHdfsFileSystem.java +++ b/hadoop-hdfs-project/hadoop-hdfs-client/src/main/java/org/apache/hadoop/hdfs/web/WebHdfsFileSystem.java @@ -167,6 +167,7 @@ public class WebHdfsFileSystem extends FileSystem private InetSocketAddress nnAddrs[]; private int currentNNAddrIndex; private boolean disallowFallbackToInsecureCluster; + private boolean isInsecureCluster; private String restCsrfCustomHeader; private Set restCsrfMethodsToIgnore; @@ -279,6 +280,7 @@ public class WebHdfsFileSystem extends FileSystem this.workingDir = makeQualified(new Path(getHomeDirectoryString(ugi))); this.canRefreshDelegationToken = UserGroupInformation.isSecurityEnabled(); +this.isInsecureCluster = !this.canRefreshDelegationToken; this.disallowFallbackToInsecureCluster = !conf.getBoolean( CommonConfigurationKeys.IPC_CLIENT_FALLBACK_TO_SIMPLE_AUTH_ALLOWED_KEY, CommonConfigurationKeys.IPC_CLIENT_FALLBACK_TO_SIMPLE_AUTH_ALLOWED_DEFAULT); @@ -364,6 +366,7 @@ public class WebHdfsFileSystem extends FileSystem LOG.debug("Fetched new token: {}", token); } else { // security is disabled canRefreshDelegationToken = false; +isInsecureCluster = true; } } } @@ -410,8 +413,7 @@ public class WebHdfsFileSystem extends FileSystem if (cachedHomeDirectory == null) { final HttpOpParam.Op op = GetOpParam.Op.GETHOMEDIRECTORY; try { -String pathFromDelegatedFS = new FsPathResponseRunner(op, null, -new UserParam(ugi)) { +String pathFromDelegatedFS = new FsPathResponseRunner(op, null){ @Override String decodeResponse(Map json) throws IOException { return JsonUtilClient.getPath(json); @@ -573,7 +575,8 @@ public class WebHdfsFileSystem extends FileSystem return url; } - Param[] getAuthParameters(final HttpOpParam.Op op) throws IOException { + private synchronized Param[] getAuthParameters(final HttpOpParam.Op op) + throws IOException { List> authParams = Lists.newArrayList(); // Skip adding delegation token for token operations because these // operations require authentication. @@ -590,7 +593,12 @@ public class WebHdfsFileSystem extends FileSystem authParams.add(new DoAsParam(userUgi.getShortUserName())); userUgi = realUgi; } - authParams.add(new UserParam(userUgi.getShortUserName())); + UserParam userParam = new UserParam((userUgi.getShortUserName())); + + //in insecure, use user.name parameter, in secure, use spnego auth + if(isInsecureCluster) { +authParams.add(userParam); + } } return authParams.toArray(new Param[0]); } diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/common/JspHelper.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/common/JspHelper.java index eb488e8..2c65c3f 100644 --- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/common/JspHelper.java +++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/common/JspHelper.java @@ -118,12 +118,9 @@ public class JspHelper { remoteUser = request.getRemoteUser(); final String tokenString = request.getParameter(DELEGATION_PARAMETER_NAME); if (tokenString != null) { -// Token-based connections need only verify the effective user, and -// disallow proxying to different user. Proxy authorization checks -// are not required since the checks apply to issuing a token. + +// user.name, doas param i