صفحهٔ اصلی گشت‌و‌گذار راهنما
ورود
apache
/
hadoop
mirrorاز https://github.com/apache/hadoop.git
2
0
انشعاب 1
پرونده‌ها مشکلات 0 ویکی
فهرست منبع

Merged r1176182 from branch-0.20-security for HDFS-2361.

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/branches/branch-0.20-security-205@1176184 13f79535-47bb-0310-9956-ffa450edef68
Jitendra Nath Pandey 14 سال پیش
والد
1322bb5600
کامیت
aea4a3ac72
2فایلهای تغییر یافته به همراه16 افزوده شده و 6 حذف شده
مشاهده تقسیم شده نمایش آمار تفاوت ها
  1. 2 0
      CHANGES.txt
  2. 14 6
      src/hdfs/org/apache/hadoop/hdfs/server/namenode/JspHelper.java

+ 2 - 0
CHANGES.txt
مشاهده فایل 

@@ -220,6 +220,8 @@ Release 0.20.205.0 - 2011.09.12
 
     HDFS-2366. Initialize WebHdfsFileSystem.ugi in object construction.
 
     (szetszwo)
 
 
+    HDFS-2361. hftp is broken. Fixed username checks in JspHelper. (jitendra)
 
+
 
   IMPROVEMENTS
 
 
     MAPREDUCE-2928. MR-2413 improvements (Eli Collins via mattf)

+ 14 - 6
src/hdfs/org/apache/hadoop/hdfs/server/namenode/JspHelper.java
مشاهده فایل 

@@ -53,6 +53,7 @@ import org.apache.hadoop.hdfs.web.resources.UserParam;
 
 import org.apache.hadoop.http.HtmlQuoting;
 
 import org.apache.hadoop.net.NetUtils;
 
 import org.apache.hadoop.security.AccessControlException;
 
+import org.apache.hadoop.security.KerberosName;
 
 import org.apache.hadoop.security.SecurityUtil;
 
 import org.apache.hadoop.security.UserGroupInformation;
 
 import org.apache.hadoop.security.UserGroupInformation.AuthenticationMethod;
 
@@ -464,7 +465,8 @@ public class JspHelper {
 
         DelegationTokenIdentifier id = new DelegationTokenIdentifier();
 
         id.readFields(in);
 
         ugi = id.getUser();
 
-        checkUsername(ugi.getUserName(), user);
 
+        checkUsername(ugi.getShortUserName(), usernameFromQuery);
 
+        checkUsername(ugi.getShortUserName(), user);
 
         ugi.addToken(token);        
         ugi.setAuthenticationMethod(AuthenticationMethod.TOKEN);
 
       } else {
 
@@ -473,13 +475,11 @@ public class JspHelper {
 
                                 "authenticated by filter");
 
         }
 
         ugi = UserGroupInformation.createRemoteUser(user);
 
+        checkUsername(ugi.getShortUserName(), usernameFromQuery);
 
         // This is not necessarily true, could have been auth'ed by user-facing
 
         // filter
 
         ugi.setAuthenticationMethod(secureAuthMethod);
 
       }
 
-
 
-      checkUsername(user, usernameFromQuery);
 
-
 
     } else { // Security's not on, pull from url
 
       ugi = usernameFromQuery == null?
 
           getDefaultWebUser(conf) // not specified in request
 
@@ -492,10 +492,18 @@ public class JspHelper {
 
     return ugi;
 
   }
 
 
+  /**
 
+   * Expected user name should be a short name.
 
+   */
 
   private static void checkUsername(final String expected, final String name
 
       ) throws IOException {
 
-    if (name != null && !name.equals(expected)) {
 
-      throw new IOException("Usernames not matched: name=" + name
 
+    if (name == null) {
 
+      return;
 
+    }
 
+    KerberosName u = new KerberosName(name);
 
+    String shortName = u.getShortName();
 
+    if (!shortName.equals(expected)) {
 
+      throw new IOException("Usernames not matched: name=" + shortName
 
           + " != expected=" + expected);
 
     }
 
   }