
commit 363caf8d8218394654038da9b0cf8ff54b8bda6e
Author: Jitendra Nath Pandey <jitendra@sufferhome-lm.(none)>
Date: Tue Mar 9 12:54:42 2010 -0800

HADOOP-6620 from https://issues.apache.org/jira/secure/attachment/12438072/HADOOP-6620-y20.1.patch

+++ b/YAHOO-CHANGES.txt
+ HADOOP-6620. NPE if renewer is passed as null in getDelegationToken.
+ (jitendra)
+


git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/branches/branch-0.20-security-patches@1077302 13f79535-47bb-0310-9956-ffa450edef68

Owen O'Malley 14 سال پیش
والد
کامیت
260a9d38b6

+ 20 - 2
src/core/org/apache/hadoop/security/token/delegation/AbstractDelegationTokenIdentifier.java

@@ -49,8 +49,16 @@ extends TokenIdentifier {
   }
   
   public AbstractDelegationTokenIdentifier(Text owner, Text renewer, Text realUser) {
-    this.owner = owner;
-    this.renewer = renewer;
+    if (owner == null) {
+      this.owner = new Text();
+    } else {
+      this.owner = owner;
+    }
+    if (renewer == null) {
+      this.renewer = new Text();
+    } else {
+      this.renewer = renewer;
+    }
     if (realUser == null) {
       this.realUser = new Text();
     } else {
@@ -170,4 +178,14 @@ extends TokenIdentifier {
     WritableUtils.writeVInt(out, sequenceNumber);
     WritableUtils.writeVInt(out, masterKeyId);
   }
+  
+  public String toString() {
+    StringBuilder buffer = new StringBuilder();
+    buffer
+        .append("owner=" + owner + ", renewer=" + renewer + ", realUser="
+            + realUser + ", issueDate=" + issueDate + ", maxDate=" + maxDate
+            + ", sequenceNumber=" + sequenceNumber + ", masterKeyId="
+            + masterKeyId);
+    return buffer.toString();
+  }
 }
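Review bot: The new `toString()` is missing `@Override`, and it wraps one `+`-concatenated string in a `StringBuilder`, so the builder adds nothing. Either return the concatenation directly or chain one `.append()` per field. This commit also starts passing the identifier to `LOG.info` in AbstractDelegationTokenSecretManager, so the method should carry a Javadoc line such as `/** Log-safe summary of the identifier fields; must never include the token password. */` to keep later field additions from leaking secrets into logs. The class body starts outside the hunks, so whether other overrides here follow the `@Override` convention cannot be checked from this view.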

+ 8 - 3
src/core/org/apache/hadoop/security/token/delegation/AbstractDelegationTokenSecretManager.java

@@ -178,6 +178,7 @@ extends AbstractDelegationTokenIdentifier>
   
   @Override
   protected synchronized byte[] createPassword(TokenIdent identifier) {
+    LOG.info("Creating password for identifier: "+identifier);
     int sequenceNum;
     long now = System.currentTimeMillis();
     sequenceNum = ++delegationTokenSequenceNumber;
@@ -220,12 +221,13 @@ extends AbstractDelegationTokenIdentifier>
     DataInputStream in = new DataInputStream(buf);
     TokenIdent id = createIdentifier();
     id.readFields(in);
-
+    LOG.info("Token renewal requested for identifier: "+id);
+    
     if (id.getMaxDate() < now) {
       throw new InvalidToken("User " + renewer + 
                              " tried to renew an expired token");
     }
-    if (id.getRenewer() == null) {
+    if ((id.getRenewer() == null) || ("".equals(id.getRenewer().toString()))) {
       throw new AccessControlException("User " + renewer + 
                                        " tried to renew a token without " +
                                        "a renewer");
@@ -271,13 +273,16 @@ extends AbstractDelegationTokenIdentifier>
     DataInputStream in = new DataInputStream(buf);
     TokenIdent id = createIdentifier();
     id.readFields(in);
+    LOG.info("Token cancelation requested for identifier: "+id);
+    
     if (id.getUser() == null) {
       throw new InvalidToken("Token with no owner");
     }
     String owner = id.getUser().getUserName();
     Text renewer = id.getRenewer();
     if (!canceller.equals(owner)
-        && (renewer == null || !canceller.equals(renewer.toString()))) {
+        && (renewer == null || "".equals(renewer.toString()) || !canceller
+            .equals(renewer.toString()))) {
       throw new AccessControlException(canceller
           + " is not authorized to cancel the token");
     }
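Review bot: In the renewal and cancellation hunks the added `LOG.info(... + id)` runs right after `id.readFields(in)` and before the expiry and renewer/owner checks, so fields decoded from the caller-supplied token are logged before anything visible here has validated them. Both methods begin outside the hunks, so password verification may already have happened; if it has not, any caller can write arbitrary owner/renewer text, including line breaks, into the INFO log and inflate it with rejected requests. Consider moving the log line below the authorization checks or lowering it to `LOG.debug`, and escaping control characters in the `Text` fields before printing them. The INFO line added to `createPassword` fires on every token issuance and may also be better at debug level.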

+ 20 - 0
src/test/org/apache/hadoop/security/token/delegation/TestDelegationToken.java

@@ -365,4 +365,24 @@ public class TestDelegationToken {
       dtSecretManager.stopThreads();
     }
   }
+  
+  @Test 
+  public void testDelegationTokenNullRenewer() throws Exception {
+    TestDelegationTokenSecretManager dtSecretManager = 
+      new TestDelegationTokenSecretManager(24*60*60*1000,
+        10*1000,1*1000,3600000);
+    dtSecretManager.startThreads();
+    TestDelegationTokenIdentifier dtId = new TestDelegationTokenIdentifier(new Text(
+        "theuser"), null, null);
+    Token<TestDelegationTokenIdentifier> token = new Token<TestDelegationTokenIdentifier>(
+        dtId, dtSecretManager);
+    Assert.assertTrue(token != null);
+    try {
+      dtSecretManager.renewToken(token, "");
+      Assert.fail("Renewal must not succeed");
+    } catch (IOException e) {
+      //PASS
+    }
+  }
+
 }
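Review bot: The `catch (IOException e)` in `testDelegationTokenNullRenewer` accepts any I/O failure, so the test still passes if renewal fails for an unrelated reason rather than because the renewer is empty. Catching the exception thrown by the renewer check, `} catch (AccessControlException e) {`, would pin the intended behaviour, assuming that type is an `IOException` subtype available to this test. The test also calls `startThreads()` with no matching `stopThreads()`, unlike the preceding test whose tail is visible at the top of the hunk; wrapping the body in `try { ... } finally { dtSecretManager.stopThreads(); }` avoids leaking the background threads. `Assert.assertTrue(token != null)` cannot fail after `new` and can be dropped. The cancellation path changed in this commit has no corresponding test.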