10 年之前 · c536142699
--- a/hadoop-common-project/hadoop-common/CHANGES.txt
+++ b/hadoop-common-project/hadoop-common/CHANGES.txt
@@ -24,6 +24,8 @@ Trunk (Unreleased)
 
				     (Dexter Bradshaw, Mostafa Elhemali, Xi Fang, Johannes Klein, David Lao,
			
 
				     Mike Liddell, Chuan Liu, Lengning Liu, Ivan Mitic, Michael Rys,
			
 
				     Alexander Stojanovich, Brian Swan, and Min Wei via cnauroth)
			
 
				+
			
 
				+    HADOOP-6590. Add a username check for hadoop sub-commands (John Smith via aw)
			
 
				     
			
 
				   IMPROVEMENTS
			
 
				 
			
--- a/hadoop-common-project/hadoop-common/src/main/bin/hadoop
+++ b/hadoop-common-project/hadoop-common/src/main/bin/hadoop
@@ -179,6 +179,8 @@ case ${COMMAND} in
 
				   ;;
			
 
				 esac
			
 
				 
			
 
				+hadoop_verify_user "${COMMAND}"
			
 
				+
			
 
				 # Always respect HADOOP_OPTS and HADOOP_CLIENT_OPTS
			
 
				 hadoop_debug "Appending HADOOP_CLIENT_OPTS onto HADOOP_OPTS"
			
 
				 HADOOP_OPTS="${HADOOP_OPTS} ${HADOOP_CLIENT_OPTS}"
			
--- a/hadoop-common-project/hadoop-common/src/main/bin/hadoop-functions.sh
+++ b/hadoop-common-project/hadoop-common/src/main/bin/hadoop-functions.sh
@@ -1154,3 +1154,15 @@ function hadoop_secure_daemon_handler
 
				   esac
			
 
				 }
			
 
				 
			
 
				+function hadoop_verify_user
			
 
				+{
			
 
				+  local command=$1
			
 
				+  local uservar="HADOOP_${command}_USER"
			
 
				+
			
 
				+  if [[ -n ${!uservar} ]]; then
			
 
				+    if [[ ${!uservar} !=  ${USER} ]]; then
			
 
				+      hadoop_error "ERROR: ${command} can only be executed by ${!uservar}."
			
 
				+      exit 1
			
 
				+    fi
			
 
				+  fi
			
 
				+}
			
--- a/hadoop-common-project/hadoop-common/src/main/conf/hadoop-env.sh
+++ b/hadoop-common-project/hadoop-common/src/main/conf/hadoop-env.sh
@@ -398,3 +398,9 @@ esac
 
				 # via this special env var:
			
 
				 # export HADOOP_ENABLE_BUILD_PATHS="true"
			
 
				 
			
 
				+#
			
 
				+# To prevent accidents, shell commands be (superficially) locked
			
 
				+# to only allow certain users to execute certain subcommands.
			
 
				+#
			
 
				+# For example, to limit who can execute the namenode command,
			
 
				+# export HADOOP_namenode_USER=hdfs
			
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/bin/hdfs
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/bin/hdfs
@@ -247,6 +247,8 @@ case ${COMMAND} in
 
				   ;;
			
 
				 esac
			
 
				 
			
 
				+hadoop_verify_user "${COMMAND}"
			
 
				+
			
 
				 if [[ -n "${secure_service}" ]]; then
			
 
				   HADOOP_SECURE_USER="${secure_user}"
			
 
				   hadoop_verify_secure_prereq
			
--- a/hadoop-mapreduce-project/bin/mapred
+++ b/hadoop-mapreduce-project/bin/mapred
@@ -135,6 +135,8 @@ case ${COMMAND} in
 
				   ;;
			
 
				 esac
			
 
				 
			
 
				+hadoop_verify_user "${COMMAND}"
			
 
				+
			
 
				 daemon_outfile="${HADOOP_LOG_DIR}/hadoop-${HADOOP_IDENT_STRING}-${COMMAND}-${HOSTNAME}.out"
			
 
				 daemon_pidfile="${HADOOP_PID_DIR}/hadoop-${HADOOP_IDENT_STRING}-${COMMAND}.pid"
			
 
				 
			
--- a/hadoop-yarn-project/hadoop-yarn/bin/yarn
+++ b/hadoop-yarn-project/hadoop-yarn/bin/yarn
@@ -184,6 +184,8 @@ case "${COMMAND}" in
 
				   ;;
			
 
				 esac
			
 
				 
			
 
				+hadoop_verify_user "${COMMAND}"
			
 
				+
			
 
				 # set HADOOP_OPTS to YARN_OPTS so that we can use
			
 
				 # finalize, etc, without doing anything funky
			
 
				 hadoop_debug "Resetting HADOOP_OPTS=YARN_OPTS"