Home Explore Help
Register Sign In
apache
/
hadoop
mirror of https://github.com/apache/hadoop.git
2
0
Fork 1
Files Issues 0 Wiki
Browse Source

HADOOP-7621. alfredo config should be in a file not readable by users (Alejandro Abdelnur via atm)

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1173739 13f79535-47bb-0310-9956-ffa450edef68
Aaron Myers 13 years ago
parent
d50ecc38a3
commit
83e4b2b469
6 changed files with 72 additions and 7 deletions
Split View Show Diff Stats
  1. 3 0
      hadoop-common-project/hadoop-common/CHANGES.txt
  2. 5 3
      hadoop-common-project/hadoop-common/src/main/docs/src/documentation/content/xdocs/HttpAuthentication.xml
  3. 25 1
      hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/AuthenticationFilterInitializer.java
  4. 2 2
      hadoop-common-project/hadoop-common/src/main/resources/core-default.xml
  5. 15 1
      hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestAuthenticationFilter.java
  6. 22 0
      hadoop-project/pom.xml

+ 3 - 0
hadoop-common-project/hadoop-common/CHANGES.txt
View File 

@@ -23,6 +23,9 @@ Trunk (unreleased changes)
 
 
     HADOOP-7641. Add Apache License to template config files (Eric Yang via atm)
 
 
+    HADOOP-7621. alfredo config should be in a file not readable by users
 
+                 (Alejandro Abdelnur via atm)
 
+
 
 Release 0.23.0 - Unreleased
 
 
   INCOMPATIBLE CHANGES

+ 5 - 3
hadoop-common-project/hadoop-common/src/main/docs/src/documentation/content/xdocs/HttpAuthentication.xml
View File 

@@ -82,10 +82,12 @@
 
       <code>36000</code>.
 
       </p>
 
 
-      <p><code>hadoop.http.authentication.signature.secret</code>: The signature secret for  
-      signing the authentication tokens. If not set a random secret is generated at 
+      <p><code>hadoop.http.authentication.signature.secret.file</code>: The signature secret 
+      file for signing the authentication tokens. If not set a random secret is generated at 
       startup time. The same secret should be used for all nodes in the cluster, JobTracker, 
-      NameNode, DataNode and TastTracker. The default value is a <code>hadoop</code> value.
 
+      NameNode, DataNode and TastTracker. The default value is 
+      <code>${user.home}/hadoop-http-auth-signature-secret</code>.
 
+      IMPORTANT: This file should be readable only by the Unix user running the daemons.
 
       </p>
 
         
       <p><code>hadoop.http.authentication.cookie.domain</code>: The domain to use for the HTTP

+ 25 - 1
hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/AuthenticationFilterInitializer.java
View File 

@@ -22,6 +22,9 @@ import org.apache.hadoop.conf.Configuration;
 
 import org.apache.hadoop.http.FilterContainer;
 
 import org.apache.hadoop.http.FilterInitializer;
 
 
+import java.io.FileReader;
 
+import java.io.IOException;
 
+import java.io.Reader;
 
 import java.util.HashMap;
 
 import java.util.Map;
 
 
@@ -40,8 +43,10 @@ import java.util.Map;
 
  */
 
 public class AuthenticationFilterInitializer extends FilterInitializer {
 
 
-  private static final String PREFIX = "hadoop.http.authentication.";
 
+  static final String PREFIX = "hadoop.http.authentication.";
 
 
+  static final String SIGNATURE_SECRET_FILE = AuthenticationFilter.SIGNATURE_SECRET + ".file";
 
+  
   /**
 
    * Initializes Alfredo AuthenticationFilter.
 
    * <p/>
 
@@ -67,6 +72,25 @@ public class AuthenticationFilterInitializer extends FilterInitializer {
 
       }
 
     }
 
 
+    String signatureSecretFile = filterConfig.get(SIGNATURE_SECRET_FILE);
 
+    if (signatureSecretFile == null) {
 
+      throw new RuntimeException("Undefined property: " + SIGNATURE_SECRET_FILE);      
+    }
 
+    
+    try {
 
+      StringBuilder secret = new StringBuilder();
 
+      Reader reader = new FileReader(signatureSecretFile);
 
+      int c = reader.read();
 
+      while (c > -1) {
 
+        secret.append((char)c);
 
+        c = reader.read();
 
+      }
 
+      reader.close();
 
+      filterConfig.put(AuthenticationFilter.SIGNATURE_SECRET, secret.toString());
 
+    } catch (IOException ex) {
 
+      throw new RuntimeException("Could not read HTTP signature secret file: " + signatureSecretFile);            
+    }
 
+    
     container.addFilter("authentication",
 
                         AuthenticationFilter.class.getName(),
 
                         filterConfig);

+ 2 - 2
hadoop-common-project/hadoop-common/src/main/resources/core-default.xml
View File 

@@ -808,8 +808,8 @@
 
 </property>
 
 
 <property>
 
-  <name>hadoop.http.authentication.signature.secret</name>
 
-  <value>hadoop</value>
 
+  <name>hadoop.http.authentication.signature.secret.file</name>
 
+  <value>${user.home}/hadoop-http-auth-signature-secret</value>
 
   <description>
 
     The signature secret for signing the authentication tokens.
 
     If not set a random secret is generated at startup time.

+ 15 - 1
hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestAuthenticationFilter.java
View File 

@@ -25,14 +25,28 @@ import org.mockito.Mockito;
 
 import org.mockito.invocation.InvocationOnMock;
 
 import org.mockito.stubbing.Answer;
 
 
+import java.io.File;
 
+import java.io.FileWriter;
 
+import java.io.Writer;
 
 import java.util.Map;
 
 
 public class TestAuthenticationFilter extends TestCase {
 
 
   @SuppressWarnings("unchecked")
 
-  public void testConfiguration() {
 
+  public void testConfiguration() throws Exception {
 
     Configuration conf = new Configuration();
 
     conf.set("hadoop.http.authentication.foo", "bar");
 
+    
+    File testDir = new File(System.getProperty("test.build.data", 
+                                               "target/test-dir"));
 
+    testDir.mkdirs();
 
+    File secretFile = new File(testDir, "http-secret.txt");
 
+    Writer writer = new FileWriter(new File(testDir, "http-secret.txt"));
 
+    writer.write("hadoop");
 
+    writer.close();
 
+    conf.set(AuthenticationFilterInitializer.PREFIX + 
+             AuthenticationFilterInitializer.SIGNATURE_SECRET_FILE, 
+             secretFile.getAbsolutePath());
 
 
     FilterContainer container = Mockito.mock(FilterContainer.class);
 
     Mockito.doAnswer(

+ 22 - 0
hadoop-project/pom.xml
View File 

@@ -76,6 +76,9 @@
 
     <distMgmtSnapshotsUrl>https://repository.apache.org/content/repositories/snapshots</distMgmtSnapshotsUrl>
 
 
     <commons-daemon.version>1.0.3</commons-daemon.version>
 
+    
+    <test.build.dir>${project.build.directory}/test-dir</test.build.dir>
 
+    <test.build.data>${test.build.dir}</test.build.data>
 
   </properties>
 
 
   <dependencyManagement>
 
@@ -554,6 +557,25 @@
 
           </execution>
 
         </executions>
 
       </plugin>
 
+      <plugin>
 
+        <groupId>org.apache.maven.plugins</groupId>
 
+        <artifactId>maven-antrun-plugin</artifactId>
 
+        <executions>
 
+          <execution>
 
+            <id>create-testdirs</id>
 
+            <phase>validate</phase>
 
+            <goals>
 
+              <goal>run</goal>
 
+            </goals>
 
+            <configuration>
 
+              <target>
 
+                <mkdir dir="${test.build.dir}"/>
 
+                <mkdir dir="${test.build.data}"/>
 
+              </target>
 
+            </configuration>
 
+          </execution>
 
+        </executions>
 
+      </plugin>
 
       <plugin>
 
         <groupId>org.apache.maven.plugins</groupId>
 
         <artifactId>maven-compiler-plugin</artifactId>