
HDFS-2807. Service level authorizartion for HAServiceProtocol.

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/branches/HDFS-1623@1235431 13f79535-47bb-0310-9956-ffa450edef68
Jitendra Nath Pandey 13 år sedan
förälder
incheckning
0b2245a0f3

+ 6 - 0
hadoop-common-project/hadoop-common/src/main/docs/src/documentation/content/xdocs/service_level_auth.xml

@@ -138,6 +138,12 @@
             dfsadmin and mradmin commands to refresh the security policy in-effect.
             </td>
           </tr>
+          <tr>
+            <td><code>security.ha.service.protocol.acl</code></td>
+            <td>ACL for HAService protocol used by HAAdmin to manage the
+            active and stand-by states of namenode.
+            </td>
+          </tr>
         </table>
       </section>
       

+ 2 - 1
hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/CommonConfigurationKeys.java

@@ -114,11 +114,12 @@ public class CommonConfigurationKeys extends CommonConfigurationKeysPublic {
   public static final String 
   HADOOP_SECURITY_SERVICE_AUTHORIZATION_REFRESH_USER_MAPPINGS =
       "security.refresh.user.mappings.protocol.acl";
+  public static final String 
+  SECURITY_HA_SERVICE_PROTOCOL_ACL = "security.ha.service.protocol.acl";
   
   public static final String HADOOP_SECURITY_TOKEN_SERVICE_USE_IP =
       "hadoop.security.token.service.use_ip";
   public static final boolean HADOOP_SECURITY_TOKEN_SERVICE_USE_IP_DEFAULT =
       true;
-
 }
 

+ 4 - 0
hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/ha/HAServiceProtocol.java

@@ -19,7 +19,9 @@ package org.apache.hadoop.ha;
 
 import org.apache.hadoop.classification.InterfaceAudience;
 import org.apache.hadoop.classification.InterfaceStability;
+import org.apache.hadoop.fs.CommonConfigurationKeys;
 import org.apache.hadoop.ipc.VersionedProtocol;
+import org.apache.hadoop.security.KerberosInfo;
 
 import java.io.IOException;
 
@@ -29,6 +31,8 @@ import java.io.IOException;
  * 
  * This interface could be used by HA frameworks to manage the service.
  */
+@KerberosInfo(
+    serverPrincipal=CommonConfigurationKeys.HADOOP_SECURITY_SERVICE_USER_NAME_KEY)
 @InterfaceAudience.Public
 @InterfaceStability.Evolving
 public interface HAServiceProtocol extends VersionedProtocol {
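Review bot: The `@KerberosInfo` annotation added above the interface needs a comment, because `serverPrincipal` points at the generic `CommonConfigurationKeys.HADOOP_SECURITY_SERVICE_USER_NAME_KEY` rather than at a daemon-specific principal key. Nothing in the visible hunks sets that key, so a caller on a secure cluster presumably has to copy the target daemon's Kerberos principal into it before opening a proxy. If the key is left unset, the server principal lookup would be expected to come back empty and the secure connection to fail. I would add above the annotation `// serverPrincipal is read from HADOOP_SECURITY_SERVICE_USER_NAME_KEY; callers must set it to the target daemon's Kerberos principal before connecting.` The interface body continues outside the hunk.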

+ 7 - 0
hadoop-common-project/hadoop-common/src/main/packages/templates/conf/hadoop-policy.xml

@@ -216,6 +216,13 @@
     group list is separated by a blank. For e.g. "alice,bob users,wheel".
     A special value of "*" means all users are allowed.</description>
   </property>
+  
+  <property>
+    <name>security.ha.service.protocol.acl</name>
+    <value>*</value>
+    <description>ACL for HAService protocol used by HAAdmin to manage the
+      active and stand-by states of namenode.</description>
+  </property>
 
    <property>
       <name>security.mrhs.client.protocol.acl</name>
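Review bot: The new `security.ha.service.protocol.acl` property ships with `<value>*</value>`, so once service-level authorization is enabled every authenticated user passes this ACL. Per its own description, this protocol moves the namenode between active and stand-by. Whether the server side applies a further administrator check is not visible in this commit, so the template should at least tell operators to narrow the value. The description also omits the format text that the neighbouring entries carry; I would extend it with `The ACL is a comma-separated list of user and group names; restrict it to the HA administrators, since "*" allows all users.` The same default is added to the test copy of hadoop-policy.xml.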

+ 2 - 0
hadoop-hdfs-project/hadoop-hdfs/CHANGES.HDFS-1623.txt

@@ -127,3 +127,5 @@ HDFS-2820. Add a simple sanity check for HA config (todd)
 HDFS-2688. Add tests for quota tracking in an HA cluster. (todd)
 
 HDFS-2804. Should not mark blocks under-replicated when exiting safemode (todd)
+
+HDFS-2807. Service level authorizartion for HAServiceProtocol. (jitendra)

+ 3 - 0
hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/HDFSPolicyProvider.java

@@ -19,6 +19,7 @@ package org.apache.hadoop.hdfs;
 
 import org.apache.hadoop.classification.InterfaceAudience;
 import org.apache.hadoop.fs.CommonConfigurationKeys;
+import org.apache.hadoop.ha.HAServiceProtocol;
 import org.apache.hadoop.hdfs.protocol.ClientDatanodeProtocol;
 import org.apache.hadoop.hdfs.protocol.ClientProtocol;
 import org.apache.hadoop.hdfs.server.protocol.DatanodeProtocol;
@@ -44,6 +45,8 @@ public class HDFSPolicyProvider extends PolicyProvider {
     new Service("security.inter.datanode.protocol.acl", 
                 InterDatanodeProtocol.class),
     new Service("security.namenode.protocol.acl", NamenodeProtocol.class),
+    new Service(CommonConfigurationKeys.SECURITY_HA_SERVICE_PROTOCOL_ACL,
+        HAServiceProtocol.class),
     new Service(
         CommonConfigurationKeys.HADOOP_SECURITY_SERVICE_AUTHORIZATION_REFRESH_POLICY, 
         RefreshAuthorizationPolicyProtocol.class),
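Review bot: No test accompanies the new `Service` entry for `HAServiceProtocol.class`. The only test-side change visible in this commit is the test hadoop-policy.xml, which sets the ACL to `*`, so a denied caller is never exercised. A negative case that sets `security.ha.service.protocol.acl` to a single user and asserts that a call from a different user is rejected would confirm the registration is actually enforced. The array initializer starts and ends outside the hunk.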

+ 8 - 1
hadoop-hdfs-project/hadoop-hdfs/src/test/resources/hadoop-policy.xml

@@ -109,5 +109,12 @@
     group list is separated by a blank. For e.g. "alice,bob users,wheel". 
     A special value of "*" means all users are allowed.</description>
   </property>
-
+  
+  <property>
+    <name>security.ha.service.protocol.acl</name>
+    <value>*</value>
+    <description>ACL for HAService protocol used by HAAdmin to manage the
+      active and stand-by states of namenode.</description>
+  </property>
+  
 </configuration>