Ana Sayfa Keşfet Yardım
Giriş Yap
apache
/
hadoop
şunun yansıması https://github.com/apache/hadoop.git
2
0
Çatalla 1
Dosyalar Sorunlar 0 Wiki
Kaynağa Gözat

HADOOP-6647. balancer fails with "is not authorized for protocol interface NamenodeProtocol" in secure environment

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@963490 13f79535-47bb-0310-9956-ffa450edef68
Boris Shkolnik 15 yıl önce
ebeveyn
4ff2991849
işleme
6ba9b70d85
2 değiştirilmiş dosya ile 20 ekleme ve 1 silme
Görünümü Böl Farklılık Durumunu Göster
  1. 3 0
      CHANGES.txt
  2. 17 1
      src/java/org/apache/hadoop/security/authorize/ServiceAuthorizationManager.java

+ 3 - 0
CHANGES.txt
Dosyayı Görüntüle 

@@ -117,6 +117,9 @@ Trunk (unreleased changes)
 
 
     HADOOP-6648. Adds a check for null tokens in Credentials.addToken api.
 
     (ddas)
 
+ 
+    HADOOP-6647. balancer fails with "is not authorized for protocol 
+    interface NamenodeProtocol" in secure environment (boryas)
 
 
 Release 0.21.0 - Unreleased

+ 17 - 1
src/java/org/apache/hadoop/security/authorize/ServiceAuthorizationManager.java
Dosyayı Görüntüle 

@@ -17,6 +17,7 @@
 
  */
 
 package org.apache.hadoop.security.authorize;
 
 
+import java.io.IOException;
 
 import java.util.IdentityHashMap;
 
 import java.util.Map;
 
 
@@ -27,6 +28,7 @@ import org.apache.hadoop.classification.InterfaceStability;
 
 import org.apache.hadoop.conf.Configuration;
 
 import org.apache.hadoop.fs.CommonConfigurationKeys;
 
 import org.apache.hadoop.security.KerberosInfo;
 
+import org.apache.hadoop.security.KerberosName;
 
 import org.apache.hadoop.security.UserGroupInformation;
 
 
 /**
 
@@ -37,6 +39,8 @@ import org.apache.hadoop.security.UserGroupInformation;
 
 @InterfaceStability.Evolving
 
 public class ServiceAuthorizationManager {
 
   private static final String HADOOP_POLICY_FILE = "hadoop-policy.xml";
 
+  private static final Log LOG = LogFactory
 
+  .getLog(ServiceAuthorizationManager.class);
 
 
   private static Map<Class<?>, AccessControlList> protocolToAcl =
 
     new IdentityHashMap<Class<?>, AccessControlList>();
 
@@ -85,7 +89,19 @@ public class ServiceAuthorizationManager {
 
         clientPrincipal = conf.get(clientKey);
 
       }
 
     }
 
-    if((clientPrincipal != null && !clientPrincipal.equals(user.getUserName())) || 
+    // when authorizing use the short name only
 
+    String shortName = clientPrincipal;
 
+    if(clientPrincipal != null ) {
 
+      try {
 
+        shortName = new KerberosName(clientPrincipal).getShortName();
 
+      } catch (IOException e) {
 
+        LOG.warn("couldn't get short name from " + clientPrincipal, e);
 
+        // just keep going
 
+      }
 
+    }
 
+    LOG.debug("for protocol authorization compare (" + clientPrincipal + "): " 
+        + shortName + " with " + user.getShortUserName());
 
+    if((shortName != null &&  !shortName.equals(user.getShortUserName())) || 
         !acl.isUserAllowed(user)) {
 
       AUDITLOG.warn(AUTHZ_FAILED_FOR + user + " for protocol="+protocol);
 
       throw new AuthorizationException("User " + user +