首頁 探索 說明
登入
apache
/
hadoop
镜像来自 https://github.com/apache/hadoop.git
2
0
複刻 1
檔案 問題管理 0 Wiki
瀏覽代碼

commit 16e060ad9934801287be10fcaedd0a8ad519b456
Author: Boris Shkolnik <borya@yahoo-inc.com>
Date: Fri Mar 19 14:05:16 2010 -0700

HADOOP:6647 from https://issues.apache.org/jira/secure/attachment/12439325/HADOOP-6647-BP20.patch

+++ b/YAHOO-CHANGES.txt
+ HADOOP-6647. balancer fails with "is not authorized for protocol
+ interface NamenodeProtocol" in secure environment (boryas)
+


git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/branches/branch-0.20-security-patches@1077347 13f79535-47bb-0310-9956-ffa450edef68

Owen O'Malley 14 年之前
父節點
a18c8585b5
當前提交
c9ff2d8a87
共有 1 個文件被更改,包括 16 次插入1 次删除
分割檢視 顯示文件統計
  1. 16 1
      src/core/org/apache/hadoop/security/authorize/ServiceAuthorizationManager.java

+ 16 - 1
src/core/org/apache/hadoop/security/authorize/ServiceAuthorizationManager.java
查看文件 

@@ -26,6 +26,7 @@ import org.apache.commons.logging.LogFactory;
 
 import org.apache.hadoop.conf.Configuration;
 
 import org.apache.hadoop.fs.CommonConfigurationKeys;
 
 import org.apache.hadoop.security.KerberosInfo;
 
+import org.apache.hadoop.security.KerberosName;
 
 import org.apache.hadoop.security.SecurityUtil;
 
 import org.apache.hadoop.security.UserGroupInformation;
 
 
@@ -35,6 +36,8 @@ import org.apache.hadoop.security.UserGroupInformation;
 
  */
 
 public class ServiceAuthorizationManager {
 
   private static final String HADOOP_POLICY_FILE = "hadoop-policy.xml";
 
+  private static final Log LOG = LogFactory
 
+      .getLog(ServiceAuthorizationManager.class);
 
 
   private static Map<Class<?>, AccessControlList> protocolToAcl =
 
     new IdentityHashMap<Class<?>, AccessControlList>();
 
@@ -97,7 +100,19 @@ public class ServiceAuthorizationManager {
 
         }
 
       }
 
     }
 
-    if((clientPrincipal != null && !clientPrincipal.equals(user.getUserName())) || 
+    // when authorizing use the short name only
 
+    String shortName = clientPrincipal;
 
+    if(clientPrincipal != null ) {
 
+      try {
 
+        shortName = new KerberosName(clientPrincipal).getShortName();
 
+      } catch (IOException e) {
 
+        LOG.warn("couldn't get short name from " + clientPrincipal, e);
 
+        // just keep going
 
+      }
 
+    }
 
+    LOG.debug("for protocol authorization compare (" + clientPrincipal + "): " 
+        + shortName + " with " + user.getShortUserName());
 
+    if((shortName != null &&  !shortName.equals(user.getShortUserName())) || 
         !acl.isUserAllowed(user)) {
 
       AUDITLOG.warn(AUTHZ_FAILED_FOR + user + " for protocol="+protocol);
 
       throw new AuthorizationException("User " + user +