HDFS-9760. WebHDFS AuthFilter cannot be configured with custom AltKerberos auth handler (Ryan Sasson via aw)
Project: http://git-wip-us.apache.org/repos/asf/hadoop/repo Commit: http://git-wip-us.apache.org/repos/asf/hadoop/commit/401ae4ec Tree: http://git-wip-us.apache.org/repos/asf/hadoop/tree/401ae4ec Diff: http://git-wip-us.apache.org/repos/asf/hadoop/diff/401ae4ec Branch: refs/heads/yarn-2877 Commit: 401ae4ecdb64e1ae2730976f96f7949831305c07 Parents: 60d2011 Author: Allen Wittenauer <a...@apache.org> Authored: Tue Feb 9 14:15:21 2016 -0800 Committer: Allen Wittenauer <a...@apache.org> Committed: Tue Feb 9 14:15:21 2016 -0800 ---------------------------------------------------------------------- hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt | 3 +++ .../hdfs/server/namenode/NameNodeHttpServer.java | 11 +++++++++++ .../java/org/apache/hadoop/hdfs/web/AuthFilter.java | 10 ++++++---- .../org/apache/hadoop/hdfs/web/TestAuthFilter.java | 15 +++++++++++++++ 4 files changed, 35 insertions(+), 4 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/hadoop/blob/401ae4ec/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt ---------------------------------------------------------------------- diff --git a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt index 670a9f8..875799a 100644 --- a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt +++ b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt @@ -2715,6 +2715,9 @@ Release 2.8.0 - UNRELEASED HDFS-9713. DataXceiver#copyBlock should return if block is pinned. (umamahesh) + HDFS-9760. WebHDFS AuthFilter cannot be configured with custom AltKerberos + auth handler (Ryan Sasson via aw) + Release 2.7.3 - UNRELEASED INCOMPATIBLE CHANGES http://git-wip-us.apache.org/repos/asf/hadoop/blob/401ae4ec/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/NameNodeHttpServer.java ---------------------------------------------------------------------- diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/NameNodeHttpServer.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/NameNodeHttpServer.java index 8f112bd..55cf00f 100644 --- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/NameNodeHttpServer.java +++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/NameNodeHttpServer.java @@ -21,7 +21,9 @@ package org.apache.hadoop.hdfs.server.namenode; import java.io.IOException; import java.net.InetSocketAddress; import java.util.HashMap; +import java.util.Iterator; import java.util.Map; +import java.util.Map.Entry; import javax.servlet.ServletContext; @@ -34,6 +36,7 @@ import org.apache.hadoop.hdfs.client.HdfsClientConfigKeys; import org.apache.hadoop.hdfs.server.common.JspHelper; import org.apache.hadoop.hdfs.server.namenode.startupprogress.StartupProgress; import org.apache.hadoop.hdfs.server.namenode.web.resources.NamenodeWebHdfsMethods; +import org.apache.hadoop.hdfs.web.AuthFilter; import org.apache.hadoop.hdfs.web.WebHdfsFileSystem; import org.apache.hadoop.hdfs.web.resources.Param; import org.apache.hadoop.hdfs.web.resources.UserParam; @@ -158,6 +161,14 @@ public class NameNodeHttpServer { private Map<String, String> getAuthFilterParams(Configuration conf) throws IOException { Map<String, String> params = new HashMap<String, String>(); + // Select configs beginning with 'dfs.web.authentication.' + Iterator<Map.Entry<String, String>> iterator = conf.iterator(); + while (iterator.hasNext()) { + Entry<String, String> kvPair = iterator.next(); + if (kvPair.getKey().startsWith(AuthFilter.CONF_PREFIX)) { + params.put(kvPair.getKey(), kvPair.getValue()); + } + } String principalInConf = conf .get(DFSConfigKeys.DFS_WEB_AUTHENTICATION_KERBEROS_PRINCIPAL_KEY); if (principalInConf != null && !principalInConf.isEmpty()) { http://git-wip-us.apache.org/repos/asf/hadoop/blob/401ae4ec/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/web/AuthFilter.java ---------------------------------------------------------------------- diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/web/AuthFilter.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/web/AuthFilter.java index 5ad1f24..a8b7bd4 100644 --- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/web/AuthFilter.java +++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/web/AuthFilter.java @@ -46,7 +46,7 @@ import org.apache.hadoop.util.StringUtils; * obtains Hadoop-Auth configuration for webhdfs. */ public class AuthFilter extends AuthenticationFilter { - private static final String CONF_PREFIX = "dfs.web.authentication."; + public static final String CONF_PREFIX = "dfs.web.authentication."; /** * Returns the filter configuration properties, @@ -62,9 +62,11 @@ public class AuthFilter extends AuthenticationFilter { protected Properties getConfiguration(String prefix, FilterConfig config) throws ServletException { final Properties p = super.getConfiguration(CONF_PREFIX, config); - // set authentication type - p.setProperty(AUTH_TYPE, UserGroupInformation.isSecurityEnabled()? - KerberosAuthenticationHandler.TYPE: PseudoAuthenticationHandler.TYPE); + // if not set, configure based on security enabled + if (p.getProperty(AUTH_TYPE) == null) { + p.setProperty(AUTH_TYPE, UserGroupInformation.isSecurityEnabled()? + KerberosAuthenticationHandler.TYPE: PseudoAuthenticationHandler.TYPE); + } // if not set, enable anonymous for pseudo authentication if (p.getProperty(PseudoAuthenticationHandler.ANONYMOUS_ALLOWED) == null) { p.setProperty(PseudoAuthenticationHandler.ANONYMOUS_ALLOWED, "true"); http://git-wip-us.apache.org/repos/asf/hadoop/blob/401ae4ec/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/web/TestAuthFilter.java ---------------------------------------------------------------------- diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/web/TestAuthFilter.java b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/web/TestAuthFilter.java index b19a08a..9818461 100644 --- a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/web/TestAuthFilter.java +++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/web/TestAuthFilter.java @@ -98,4 +98,19 @@ public class TestAuthFilter { Assert.assertEquals("true", p.getProperty(PseudoAuthenticationHandler.ANONYMOUS_ALLOWED)); } + + @Test + public void testGetCustomAuthConfiguration() throws ServletException { + AuthFilter filter = new AuthFilter(); + Map<String, String> m = new HashMap<String,String>(); + + m.put(AuthFilter.CONF_PREFIX + AuthFilter.AUTH_TYPE, "com.yourclass"); + m.put(AuthFilter.CONF_PREFIX + "alt-kerberos.param", "value"); + FilterConfig config = new DummyFilterConfig(m); + + Properties p = filter.getConfiguration(AuthFilter.CONF_PREFIX, config); + Assert.assertEquals("com.yourclass", p.getProperty(AuthFilter.AUTH_TYPE)); + Assert.assertEquals("value", p.getProperty("alt-kerberos.param")); + } + }
