
HDFS-993. Namenode should issue a delegation token only for kerberos authenticated clients.

git-svn-id: https://svn.apache.org/repos/asf/hadoop/hdfs/trunk@934196 13f79535-47bb-0310-9956-ffa450edef68
Boris Shkolnik 15 年 前
コミット
ac52cc4fa5

+ 3 - 0
CHANGES.txt

@@ -131,6 +131,9 @@ Trunk (unreleased changes)
     HDFS-1012. hdfsproxy: Support for fully qualified HDFS path in addition to
     simple unqualified path.  (Srikanth Sundarrajan via szetszwo)
 
+    HDFS-933. Namenode should issue a delegation token only for kerberos 
+    authenticated clients.(jnp via boryas)
+
   OPTIMIZATIONS
 
     HDFS-946. NameNode should not return full path name when lisitng a

+ 5 - 1
src/java/org/apache/hadoop/hdfs/server/common/JspHelper.java

@@ -50,6 +50,7 @@ import org.apache.hadoop.io.WritableUtils;
 import org.apache.hadoop.net.NetUtils;
 import org.apache.hadoop.security.AccessControlException;
 import org.apache.hadoop.security.UserGroupInformation;
+import org.apache.hadoop.security.UserGroupInformation.AuthenticationMethod;
 import org.apache.hadoop.security.token.Token;
 import org.apache.hadoop.util.VersionInfo;
 
@@ -408,13 +409,15 @@ public class JspHelper {
           new Token<DelegationTokenIdentifier>();
         token.decodeFromUrlString(tokenString);
         ugi = UserGroupInformation.createRemoteUser(user);
-        ugi.addToken(token);        
+        ugi.addToken(token);
+        ugi.setAuthenticationMethod(AuthenticationMethod.TOKEN);
       } else {
         if(user == null) {
           throw new IOException("Security enabled but user not " +
                                 "authenticated by filter");
         }
         ugi = UserGroupInformation.createRemoteUser(user);
+        ugi.setAuthenticationMethod(AuthenticationMethod.KERBEROS_SSL);
       }
     } else { // Security's not on, pull from url
       String user = request.getParameter("ugi");
@@ -424,6 +427,7 @@ public class JspHelper {
       } else {
         ugi = UserGroupInformation.createRemoteUser(user);
       }
+      ugi.setAuthenticationMethod(AuthenticationMethod.SIMPLE);
     }
     
     if(LOG.isDebugEnabled())
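Review bot: The added `ugi.setAuthenticationMethod(AuthenticationMethod.KERBEROS_SSL);` in the security-enabled `else` branch labels every filter-authenticated user as Kerberos-over-SSL without any signal from the filter itself, and because the namenode's new delegation-token gate accepts KERBEROS_SSL, the correctness of token issuance over the web path now rests entirely on that filter really doing Kerberos/SSL authentication. That assumption deserves to be stated at the call site, e.g. `// Assumes the servlet filter that set this user performed Kerberos/SSL authentication; any other filter would mislabel the principal and allow it to mint delegation tokens.` The TOKEN branch is fine as written, since a token-authenticated web user is then correctly refused further tokens by the namenode. The enclosing method begins before this hunk, so the origin of `user` is not visible here.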

+ 39 - 0
src/java/org/apache/hadoop/hdfs/server/namenode/FSNamesystem.java

@@ -34,6 +34,7 @@ import org.apache.hadoop.hdfs.server.namenode.metrics.FSNamesystemMBean;
 import org.apache.hadoop.hdfs.server.namenode.metrics.FSNamesystemMetrics;
 import org.apache.hadoop.security.AccessControlException;
 import org.apache.hadoop.security.UserGroupInformation;
+import org.apache.hadoop.security.UserGroupInformation.AuthenticationMethod;
 import org.apache.hadoop.security.token.Token;
 import org.apache.hadoop.security.token.SecretManager.InvalidToken;
 import org.apache.hadoop.security.token.delegation.DelegationKey;
@@ -4478,6 +4479,10 @@ public class FSNamesystem implements FSConstants, FSNamesystemMBean, FSClusterSt
     if (isInSafeMode()) {
       throw new SafeModeException("Cannot issue delegation token", safeMode);
     }
+    if (!isAllowedDelegationTokenOp()) {
+      throw new IOException(
+          "Delegation Token can be issued only with kerberos or web authentication");
+    }
     UserGroupInformation ugi = UserGroupInformation.getCurrentUser();
     String user = ugi.getUserName();
     Text owner = new Text(user);
@@ -4506,6 +4511,10 @@ public class FSNamesystem implements FSConstants, FSNamesystemMBean, FSClusterSt
     if (isInSafeMode()) {
       throw new SafeModeException("Cannot renew delegation token", safeMode);
     }
+    if (!isAllowedDelegationTokenOp()) {
+      throw new IOException(
+          "Delegation Token can be renewed only with kerberos or web authentication");
+    }
     String renewer = UserGroupInformation.getCurrentUser().getShortUserName();
     long expiryTime = dtSecretManager.renewToken(token, renewer);
     DelegationTokenIdentifier id = new DelegationTokenIdentifier();
@@ -4599,4 +4608,34 @@ public class FSNamesystem implements FSConstants, FSNamesystemMBean, FSClusterSt
     }
     getEditLog().logSync();
   }
+  
+  /**
+   * 
+   * @return true if delegation token operation is allowed
+   */
+  private boolean isAllowedDelegationTokenOp() throws IOException {
+    AuthenticationMethod authMethod = getConnectionAuthenticationMethod();
+    if (UserGroupInformation.isSecurityEnabled()
+        && (authMethod != AuthenticationMethod.KERBEROS)
+        && (authMethod != AuthenticationMethod.KERBEROS_SSL)
+        && (authMethod != AuthenticationMethod.CERTIFICATE)) {
+      return false;
+    }
+    return true;
+  }
+  
+  /**
+   * Returns authentication method used to establish the connection
+   * @return AuthenticationMethod used to establish connection
+   * @throws IOException
+   */
+  private AuthenticationMethod getConnectionAuthenticationMethod()
+      throws IOException {
+    UserGroupInformation ugi = UserGroupInformation.getCurrentUser();
+    AuthenticationMethod authMethod = ugi.getAuthenticationMethod();
+    if (authMethod == AuthenticationMethod.PROXY) {
+      authMethod = ugi.getRealUser().getAuthenticationMethod();
+    }
+    return authMethod;
+  }
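Review bot: The new rejections in getDelegationToken and renewDelegationToken throw a bare IOException for what is an authorization decision; AccessControlException is already imported in this file and, being an IOException subclass in Hadoop's security package, keeps the throws clause unchanged while letting RPC clients tell "not permitted" apart from transport failures, e.g. `throw new AccessControlException("Delegation Token can be issued only with kerberos or web authentication");`. The message also omits CERTIFICATE, which isAllowedDelegationTokenOp accepts alongside KERBEROS and KERBEROS_SSL. Separately, the Javadoc on isAllowedDelegationTokenOp has an empty summary line and should state the reason for the gate: a client that authenticated with a delegation token must not be able to mint or renew further tokens, otherwise a leaked or soon-to-expire token could be laundered into fresh ones indefinitely, defeating token expiry. It should also note that a null or unrecognized method fails closed when security is on, and that PROXY is resolved to the real user's method so proxied callers are judged by how the proxy itself connected.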
 }