13 年之前 · a86d4addb4
--- a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
+++ b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
@@ -1082,6 +1082,8 @@ Release 0.23.0 - Unreleased
 
				     HDFS-2366. Initialize WebHdfsFileSystem.ugi in object construction.
			
 
				     (szetszwo)
			
 
				 
			
 
				+    HDFS-2361. hftp is broken, fixed username checks in JspHelper. (jitendra)
			
 
				+
			
 
				   BREAKDOWN OF HDFS-1073 SUBTASKS
			
 
				 
			
 
				     HDFS-1521. Persist transaction ID on disk between NN restarts.
			
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/common/JspHelper.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/common/JspHelper.java
@@ -60,6 +60,7 @@ import org.apache.hadoop.http.HtmlQuoting;
 
				 import org.apache.hadoop.io.Text;
			
 
				 import org.apache.hadoop.net.NetUtils;
			
 
				 import org.apache.hadoop.security.AccessControlException;
			
 
				+import org.apache.hadoop.security.authentication.util.KerberosName;
			
 
				 import org.apache.hadoop.security.UserGroupInformation;
			
 
				 import org.apache.hadoop.security.UserGroupInformation.AuthenticationMethod;
			
 
				 import org.apache.hadoop.security.token.Token;
			
@@ -552,7 +553,8 @@ public class JspHelper {
 
				         DelegationTokenIdentifier id = new DelegationTokenIdentifier();
			
 
				         id.readFields(in);
			
 
				         ugi = id.getUser();
			
 
				-        checkUsername(ugi.getUserName(), user);
			
 
				+        checkUsername(ugi.getShortUserName(), usernameFromQuery);
			
 
				+        checkUsername(ugi.getShortUserName(), user);
			
 
				         ugi.addToken(token);
			
 
				         ugi.setAuthenticationMethod(AuthenticationMethod.TOKEN);
			
 
				       } else {
			
@@ -561,13 +563,11 @@ public class JspHelper {
 
				                                 "authenticated by filter");
			
 
				         }
			
 
				         ugi = UserGroupInformation.createRemoteUser(user);
			
 
				+        checkUsername(ugi.getShortUserName(), usernameFromQuery);
			
 
				         // This is not necessarily true, could have been auth'ed by user-facing
			
 
				         // filter
			
 
				         ugi.setAuthenticationMethod(secureAuthMethod);
			
 
				       }
			
 
				-
			
 
				-      checkUsername(user, usernameFromQuery);
			
 
				-
			
 
				     } else { // Security's not on, pull from url
			
 
				       ugi = usernameFromQuery == null?
			
 
				           getDefaultWebUser(conf) // not specified in request
			
@@ -580,10 +580,18 @@ public class JspHelper {
 
				     return ugi;
			
 
				   }
			
 
				 
			
 
				+  /**
			
 
				+   * Expected user name should be a short name.
			
 
				+   */
			
 
				   private static void checkUsername(final String expected, final String name
			
 
				       ) throws IOException {
			
 
				-    if (name != null && !name.equals(expected)) {
			
 
				-      throw new IOException("Usernames not matched: name=" + name
			
 
				+    if (name == null) {
			
 
				+      return;
			
 
				+    }
			
 
				+    KerberosName u = new KerberosName(name);
			
 
				+    String shortName = u.getShortName();
			
 
				+    if (!shortName.equals(expected)) {
			
 
				+      throw new IOException("Usernames not matched: name=" + shortName
			
 
				           + " != expected=" + expected);
			
 
				     }
			
 
				   }