Author: bobby Date: Mon Nov 5 18:37:39 2012 New Revision: 1405910 URL: http://svn.apache.org/viewvc?rev=1405910&view=rev Log: HADOOP-9010. Map UGI authenticationMethod to RPC authMethod (daryn via bobby)
Modified: hadoop/common/trunk/hadoop-common-project/hadoop-common/CHANGES.txt hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/ipc/Client.java hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/ipc/Server.java hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/SaslRpcServer.java hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/UserGroupInformation.java hadoop/common/trunk/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestUserGroupInformation.java Modified: hadoop/common/trunk/hadoop-common-project/hadoop-common/CHANGES.txt URL: http://svn.apache.org/viewvc/hadoop/common/trunk/hadoop-common-project/hadoop-common/CHANGES.txt?rev=1405910&r1=1405909&r2=1405910&view=diff ============================================================================== --- hadoop/common/trunk/hadoop-common-project/hadoop-common/CHANGES.txt (original) +++ hadoop/common/trunk/hadoop-common-project/hadoop-common/CHANGES.txt Mon Nov 5 18:37:39 2012 
@@ -336,6 +336,9 @@ Release 2.0.3-alpha - Unreleased HADOOP-9009. Add SecurityUtil methods to get/set authentication method (daryn via bobby) + HADOOP-9010. Map UGI authenticationMethod to RPC authMethod (daryn via + bobby) + OPTIMIZATIONS HADOOP-8866. SampleQuantiles#query is O(N^2) instead of O(N). (Andrew Wang Modified: hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/ipc/Client.java URL: http://svn.apache.org/viewvc/hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/ipc/Client.java?rev=1405910&r1=1405909&r2=1405910&view=diff ============================================================================== --- hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/ipc/Client.java (original) +++ hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/ipc/Client.java Mon Nov 5 18:37:39 2012 @@ -69,6 +69,7 @@ import org.apache.hadoop.security.SaslRp import org.apache.hadoop.security.SaslRpcServer.AuthMethod; import org.apache.hadoop.security.SecurityUtil; import org.apache.hadoop.security.UserGroupInformation; +import org.apache.hadoop.security.UserGroupInformation.AuthenticationMethod; import org.apache.hadoop.security.token.Token; import org.apache.hadoop.security.token.TokenIdentifier; import org.apache.hadoop.security.token.TokenInfo; 
@@ -295,8 +296,9 @@ public class Client { } if (token != null) { - authMethod = AuthMethod.DIGEST; + authMethod = AuthenticationMethod.TOKEN.getAuthMethod(); } else if (UserGroupInformation.isSecurityEnabled()) { + // eventually just use the ticket's authMethod authMethod = AuthMethod.KERBEROS; } else { authMethod = AuthMethod.SIMPLE; Modified: hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/ipc/Server.java URL: http://svn.apache.org/viewvc/hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/ipc/Server.java?rev=1405910&r1=1405909&r2=1405910&view=diff ============================================================================== --- hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/ipc/Server.java (original) +++ hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/ipc/Server.java Mon Nov 5 18:37:39 2012 
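Review bot: The three branches now choose the RPC auth method in two different ways: the token branch looks it up through `AuthenticationMethod.TOKEN.getAuthMethod()`, while the Kerberos and simple branches still assign `AuthMethod.KERBEROS` and `AuthMethod.SIMPLE` directly. Mixing the two forms hides that all three are fixed constants; `AuthenticationMethod.KERBEROS.getAuthMethod()` and `AuthenticationMethod.SIMPLE.getAuthMethod()` would keep the block uniform. The added comment reads as a deferred task, so I would mark it as one: `// TODO: use the ticket's authentication method instead of isSecurityEnabled()`. The enclosing method starts and ends outside the hunk.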
@@ -1526,11 +1526,11 @@ public abstract class Server { if (!useSasl) { user = protocolUser; if (user != null) { - user.setAuthenticationMethod(AuthMethod.SIMPLE.authenticationMethod); + user.setAuthenticationMethod(AuthMethod.SIMPLE); } } else { // user is authenticated - user.setAuthenticationMethod(authMethod.authenticationMethod); + user.setAuthenticationMethod(authMethod); //Now we check if this is a proxy user case. If the protocol user is //different from the 'user', it is a proxy user scenario. However, //this is not allowed if user authenticated with DIGEST. Modified: hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/SaslRpcServer.java URL: http://svn.apache.org/viewvc/hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/SaslRpcServer.java?rev=1405910&r1=1405909&r2=1405910&view=diff ============================================================================== --- hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/SaslRpcServer.java (original) +++ hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/SaslRpcServer.java Mon Nov 5 18:37:39 2012 @@ -42,7 +42,6 @@ import org.apache.hadoop.classification. import org.apache.hadoop.classification.InterfaceStability; import org.apache.hadoop.conf.Configuration; import org.apache.hadoop.ipc.Server; -import org.apache.hadoop.security.UserGroupInformation.AuthenticationMethod; import org.apache.hadoop.security.token.SecretManager; import org.apache.hadoop.security.token.TokenIdentifier; import org.apache.hadoop.security.token.SecretManager.InvalidToken; 
@@ -137,20 +136,17 @@ public class SaslRpcServer { /** Authentication method */ @InterfaceStability.Evolving public static enum AuthMethod { - SIMPLE((byte) 80, "", AuthenticationMethod.SIMPLE), - KERBEROS((byte) 81, "GSSAPI", AuthenticationMethod.KERBEROS), - DIGEST((byte) 82, "DIGEST-MD5", AuthenticationMethod.TOKEN); + SIMPLE((byte) 80, ""), + KERBEROS((byte) 81, "GSSAPI"), + DIGEST((byte) 82, "DIGEST-MD5"); /** The code for this method. */ public final byte code; public final String mechanismName; - public final AuthenticationMethod authenticationMethod; - private AuthMethod(byte code, String mechanismName, - AuthenticationMethod authMethod) { + private AuthMethod(byte code, String mechanismName) { this.code = code; this.mechanismName = mechanismName; - this.authenticationMethod = authMethod; } private static final int FIRST_CODE = values()[0].code; Modified: hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/UserGroupInformation.java URL: http://svn.apache.org/viewvc/hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/UserGroupInformation.java?rev=1405910&r1=1405909&r2=1405910&view=diff ============================================================================== --- hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/UserGroupInformation.java (original) +++ hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/UserGroupInformation.java Mon Nov 5 18:37:39 2012 
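Review bot: Dropping the public field `authenticationMethod` from `AuthMethod` breaks any out-of-tree code that read it, and neither the enum nor the CHANGES.txt entry says where the mapping went. The enum is `@InterfaceStability.Evolving`, so the removal may be acceptable, but a pointer on the enum would help readers: `/** Authentication method; see UserGroupInformation.AuthenticationMethod#getAuthMethod() for the UGI mapping. */`. `mechanismName` also has no Javadoc beside the documented `code`; `/** The SASL mechanism name; empty for SIMPLE. */` would match. The enum body continues past the hunk.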
@@ -59,6 +59,7 @@ import org.apache.hadoop.metrics2.annota import org.apache.hadoop.metrics2.annotation.Metrics; import org.apache.hadoop.metrics2.lib.DefaultMetricsSystem; import org.apache.hadoop.metrics2.lib.MutableRate; +import org.apache.hadoop.security.SaslRpcServer.AuthMethod; import org.apache.hadoop.security.authentication.util.KerberosName; import org.apache.hadoop.security.authentication.util.KerberosUtil; import org.apache.hadoop.security.token.Token; @@ -1019,13 +1020,34 @@ public class UserGroupInformation { @InterfaceAudience.Public @InterfaceStability.Evolving public static enum AuthenticationMethod { - SIMPLE, - KERBEROS, - TOKEN, - CERTIFICATE, - KERBEROS_SSL, - PROXY; - } + // currently we support only one auth per method, but eventually a + // subtype is needed to differentiate, ex. if digest is token or ldap + SIMPLE(AuthMethod.SIMPLE), + KERBEROS(AuthMethod.KERBEROS), + TOKEN(AuthMethod.DIGEST), + CERTIFICATE(null), + KERBEROS_SSL(null), + PROXY(null); + + private final AuthMethod authMethod; + private AuthenticationMethod(AuthMethod authMethod) { + this.authMethod = authMethod; + } + + public AuthMethod getAuthMethod() { + return authMethod; + } + + public static AuthenticationMethod valueOf(AuthMethod authMethod) { + for (AuthenticationMethod value : values()) { + if (value.getAuthMethod() == authMethod) { + return value; + } + } + throw new IllegalArgumentException( + "no authentication method for " + authMethod); + } + }; /** * Create a proxy user using username of the effective user and the ugi of the 
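Review bot: `AuthenticationMethod.valueOf(AuthMethod)` returns `CERTIFICATE` when called with `null`, because `CERTIFICATE`, `KERBEROS_SSL` and `PROXY` are all constructed with a `null` authMethod and the loop compares with `==`. A caller that passes an unset RPC auth method therefore records a certificate-authenticated identity instead of failing. The new `UserGroupInformation.setAuthenticationMethod(AuthMethod)` in the later hunk passes its argument straight through, and so do the two call sites in Server.java. Guard the match so that null falls through to the existing exception: `if (authMethod != null && value.getAuthMethod() == authMethod) {`. Later authorization checks presumably read the recorded method, so failing closed is the safer default here.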
@@ -1291,6 +1313,15 @@ public class UserGroupInformation { } /** + * Sets the authentication method in the subject + * + * @param authMethod + */ + public void setAuthenticationMethod(AuthMethod authMethod) { + user.setAuthenticationMethod(AuthenticationMethod.valueOf(authMethod)); + } + + /** * Get the authentication method from the subject * * @return AuthenticationMethod in the subject, null if not present. Modified: hadoop/common/trunk/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestUserGroupInformation.java URL: http://svn.apache.org/viewvc/hadoop/common/trunk/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestUserGroupInformation.java?rev=1405910&r1=1405909&r2=1405910&view=diff ============================================================================== --- hadoop/common/trunk/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestUserGroupInformation.java (original) +++ hadoop/common/trunk/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestUserGroupInformation.java Mon Nov 5 18:37:39 2012 @@ -305,7 +305,6 @@ public class TestUserGroupInformation { assertSame(secret, ugi.getCredentials().getSecretKey(secretKey)); } - @SuppressWarnings("unchecked") // from Mockito mocks @Test public <T extends TokenIdentifier> void testGetCredsNotSame() throws Exception { 
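Review bot: The Javadoc on the new `setAuthenticationMethod(AuthMethod)` has an empty `@param` tag. It also does not say that the argument is translated through `AuthenticationMethod.valueOf`, which throws `IllegalArgumentException` when no mapping exists. I would write the tag as `@param authMethod the RPC auth method; converted to the matching AuthenticationMethod` and add `@throws IllegalArgumentException if authMethod has no AuthenticationMethod mapping`. An overload taking `AuthenticationMethod` appears to exist already (the removed Server.java lines called it), so a literal `setAuthenticationMethod(null)` would no longer compile unambiguously; that is worth a sentence in the Javadoc too.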
@@ -430,6 +429,18 @@ public class TestUserGroupInformation { } @Test + public void testTestAuthMethod() throws Exception { + UserGroupInformation ugi = UserGroupInformation.getCurrentUser(); + // verify the reverse mappings works + for (AuthenticationMethod am : AuthenticationMethod.values()) { + if (am.getAuthMethod() != null) { + ugi.setAuthenticationMethod(am.getAuthMethod()); + assertEquals(am, ugi.getAuthenticationMethod()); + } + } + } + + @Test public void testUGIAuthMethod() throws Exception { final UserGroupInformation ugi = UserGroupInformation.getCurrentUser(); final AuthenticationMethod am = AuthenticationMethod.KERBEROS;
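Review bot: The loop in `testTestAuthMethod` skips every constant whose `getAuthMethod()` is null, so nothing pins what `AuthenticationMethod.valueOf` does for a null argument; as the lookup is written, null matches `CERTIFICATE`. A negative case would make that decision explicit, for example a `try`/`fail()`/`catch (IllegalArgumentException expected)` around `AuthenticationMethod.valueOf((AuthMethod) null)` once the intended behaviour is settled. The test also appears to leave the current user's UGI set to whatever the last iteration wrote. The doubled `Test` in the name looks like a typo for `testAuthMethod`.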