
HDFS-6822. Namenode and datanode fails to replace _HOST to hostname for hadoop.http.authentication.kerberos.principal. Contributed by Jing Zhao.

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/branches/branch-1@1616296 13f79535-47bb-0310-9956-ffa450edef68
Jing Zhao 11 年之前
當前提交
31a335f824

+ 3 - 0
CHANGES.txt

@@ -236,6 +236,9 @@ Release 1.3.0 - unreleased
     MAPREDUCE-5968. Work directory is not deleted when downloadCacheObject 
     throws IOException. (Zhihai Xu va kasha)
 
+    HDFS-6822. Namenode and datanode fails to replace "_HOST" to hostname for
+    hadoop.http.authentication.kerberos.principal. (jing9)
+
 Release 1.2.2 - unreleased
 
   INCOMPATIBLE CHANGES

+ 3 - 0
src/core/org/apache/hadoop/http/HttpServer.java

@@ -93,6 +93,7 @@ public class HttpServer implements FilterContainer {
   static final String ADMINS_ACL = "admins.acl";
   public static final String SPNEGO_FILTER = "SpnegoFilter";
   public static final String KRB5_FILTER = "krb5Filter";
+  public static final String BIND_ADDRESS = "bind.address";
 
   private AccessControlList adminsAcl;
 
@@ -159,6 +160,7 @@ public class HttpServer implements FilterContainer {
     }
     
     webServer.addConnector(listener);
+    final String hostName = listener.getHost();
 
     QueuedThreadPool threadPool = new QueuedThreadPool();
     threadPool.setName("httpServerThreadPool");
@@ -186,6 +188,7 @@ public class HttpServer implements FilterContainer {
     final FilterInitializer[] initializers = getFilterInitializers(conf); 
     if (initializers != null) {
       for(FilterInitializer c : initializers) {
+        conf.set(BIND_ADDRESS, hostName);
         c.initFilter(this, conf);
       }
     }
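Review bot: The value of `listener.getHost()` taken in the second hunk is passed to `conf.set(BIND_ADDRESS, hostName)` in the third hunk without a null check, and the call sits inside the `for` loop although `hostName` never changes between iterations. If the listener has no explicit host, this writes a null into the configuration, which may fail at startup depending on how `Configuration.set` treats null values. I would hoist the call above the loop and guard it: `if (hostName != null) { conf.set(BIND_ADDRESS, hostName); }`. The write also lands in the `conf` object handed to this class, so a one-line comment should say that `bind.address` is an internal key set for filter initializers and that it overwrites any value already present. The enclosing method starts and ends outside these hunks.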

+ 21 - 5
src/core/org/apache/hadoop/security/AuthenticationFilterInitializer.java

@@ -17,17 +17,19 @@
  */
 package org.apache.hadoop.security;
 
-import org.apache.hadoop.security.authentication.server.AuthenticationFilter;
-import org.apache.hadoop.conf.Configuration;
-import org.apache.hadoop.http.FilterContainer;
-import org.apache.hadoop.http.FilterInitializer;
-
 import java.io.FileReader;
 import java.io.IOException;
 import java.io.Reader;
 import java.util.HashMap;
 import java.util.Map;
 
+import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.http.FilterContainer;
+import org.apache.hadoop.http.FilterInitializer;
+import org.apache.hadoop.http.HttpServer;
+import org.apache.hadoop.security.authentication.server.AuthenticationFilter;
+import org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler;
+
 /**
  * Initializes Alfredo AuthenticationFilter which provides support for
  * Kerberos HTTP SPNEGO authentication.
@@ -91,6 +93,20 @@ public class AuthenticationFilterInitializer extends FilterInitializer {
       throw new RuntimeException("Could not read HTTP signature secret file: " + signatureSecretFile);
     }
 
+    // Resolve _HOST into bind address
+    String bindAddress = conf.get(HttpServer.BIND_ADDRESS);
+    String principal = filterConfig
+        .get(KerberosAuthenticationHandler.PRINCIPAL);
+    if (principal != null) {
+      try {
+        principal = SecurityUtil.getServerPrincipal(principal, bindAddress);
+      } catch (IOException ex) {
+        throw new RuntimeException(
+            "Could not resolve Kerberos principal name: " + ex.toString(), ex);
+      }
+      filterConfig.put(KerberosAuthenticationHandler.PRINCIPAL, principal);
+    }
+
     container.addFilter("authentication",
                         AuthenticationFilter.class.getName(),
                         filterConfig);
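Review bot: `bindAddress` comes from `conf.get(HttpServer.BIND_ADDRESS)` and goes straight into `SecurityUtil.getServerPrincipal(principal, bindAddress)` with no handling for a missing value or a wildcard/IP bind address. The SPNEGO principal the filter ends up with therefore depends on how that helper treats such input, which this hunk does not show. A mismatch between the resolved principal and the keytab entry would presumably surface only as failed authentication at request time, so the comment should spell out the contract, e.g. `// _HOST is replaced using the HTTP bind address; a null or wildcard address is left to SecurityUtil.getServerPrincipal to resolve`. Logging the resolved principal once at initialisation would let operators verify it. The exception message appends `ex.toString()` while also passing `ex` as the cause; naming the unresolved pattern would be more useful: `"Could not resolve Kerberos principal name: " + principal`. No test accompanies the change in the sections shown, and `initFilter` starts and ends outside this hunk.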