HADOOP-11704. DelegationTokenAuthenticationFilter must pass ipaddress instead of hostname to ProxyUsers#authorize (Anubhav Dhoot via asuresh)

(cherry picked from commit 424a00daa069bf2049014fd46ad152ec5fc77ac8)

hadoop-common-project/hadoop-common/CHANGES.txt

@@ -78,6 +78,9 @@ Release 2.8.0 - UNRELEASED
     HADOOP-11811. Fix typos in hadoop-project/pom.xml and TestAccessControlList.
     (Brahma Reddy Battula via ozawa)
 
+    HADOOP-11704. DelegationTokenAuthenticationFilter must pass ipaddress
+    instead of hostname to ProxyUsers#authorize (Anubhav Dhoot via asuresh)
+
 Release 2.7.1 - UNRELEASED
 
   INCOMPATIBLE CHANGES

hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/DelegationTokenAuthenticationFilter.java

@@ -239,7 +239,7 @@ public class DelegationTokenAuthenticationFilter
         if (doAsUser != null) {
           ugi = UserGroupInformation.createProxyUser(doAsUser, ugi);
           try {
-            ProxyUsers.authorize(ugi, request.getRemoteHost());
+            ProxyUsers.authorize(ugi, request.getRemoteAddr());
           } catch (AuthorizationException ex) {
             HttpExceptionUtils.createServletExceptionResponse(response,
                 HttpServletResponse.SC_FORBIDDEN, ex);

hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/DelegationTokenAuthenticationHandler.java

@@ -199,7 +199,7 @@ public abstract class DelegationTokenAuthenticationHandler
             requestUgi = UserGroupInformation.createProxyUser(
                 doAsUser, requestUgi);
             try {
-              ProxyUsers.authorize(requestUgi, request.getRemoteHost());
+              ProxyUsers.authorize(requestUgi, request.getRemoteAddr());
             } catch (AuthorizationException ex) {
               HttpExceptionUtils.createServletExceptionResponse(response,
                   HttpServletResponse.SC_FORBIDDEN, ex);

hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/token/delegation/web/TestWebDelegationToken.java

@@ -35,6 +35,7 @@ import org.junit.After;
 import org.junit.Assert;
 import org.junit.Before;
 import org.junit.Test;
+import org.mortbay.jetty.AbstractConnector;
 import org.mortbay.jetty.Connector;
 import org.mortbay.jetty.Server;
 import org.mortbay.jetty.servlet.Context;
@@ -658,7 +659,7 @@ public class TestWebDelegationToken {
       org.apache.hadoop.conf.Configuration conf =
           new org.apache.hadoop.conf.Configuration(false);
       conf.set("proxyuser.client.users", OK_USER);
-      conf.set("proxyuser.client.hosts", "localhost");
+      conf.set("proxyuser.client.hosts", "127.0.0.1");
       return conf;
     }
   }
@@ -752,6 +753,7 @@ public class TestWebDelegationToken {
     Context context = new Context();
     context.setContextPath("/foo");
     jetty.setHandler(context);
+    ((AbstractConnector)jetty.getConnectors()[0]).setResolveNames(true);
     context.addFilter(new FilterHolder(KDTAFilter.class), "/*", 0);
     context.addServlet(new ServletHolder(UserServlet.class), "/bar");
     try {
@@ -969,4 +971,56 @@ public class TestWebDelegationToken {
     }
   }
 
+  public static class IpAddressBasedPseudoDTAFilter extends PseudoDTAFilter {
+    @Override
+    protected org.apache.hadoop.conf.Configuration getProxyuserConfiguration
+            (FilterConfig filterConfig) throws ServletException {
+      org.apache.hadoop.conf.Configuration configuration = super
+              .getProxyuserConfiguration(filterConfig);
+      configuration.set("proxyuser.foo.hosts", "127.0.0.1");
+      return configuration;
+    }
+  }
+
+  @Test
+  public void testIpaddressCheck() throws Exception {
+    final Server jetty = createJettyServer();
+    ((AbstractConnector)jetty.getConnectors()[0]).setResolveNames(true);
+    Context context = new Context();
+    context.setContextPath("/foo");
+    jetty.setHandler(context);
+
+    context.addFilter(new FilterHolder(IpAddressBasedPseudoDTAFilter.class), "/*", 0);
+    context.addServlet(new ServletHolder(UGIServlet.class), "/bar");
+
+    try {
+      jetty.start();
+      final URL url = new URL(getJettyURL() + "/foo/bar");
+
+      UserGroupInformation ugi = UserGroupInformation.createRemoteUser(FOO_USER);
+      ugi.doAs(new PrivilegedExceptionAction<Void>() {
+        @Override
+        public Void run() throws Exception {
+          DelegationTokenAuthenticatedURL.Token token =
+                  new DelegationTokenAuthenticatedURL.Token();
+          DelegationTokenAuthenticatedURL aUrl =
+                  new DelegationTokenAuthenticatedURL();
+
+          // user ok-user via proxyuser foo
+          HttpURLConnection conn = aUrl.openConnection(url, token, OK_USER);
+          Assert.assertEquals(HttpURLConnection.HTTP_OK,
+                  conn.getResponseCode());
+          List<String> ret = IOUtils.readLines(conn.getInputStream());
+          Assert.assertEquals(1, ret.size());
+          Assert.assertEquals("realugi=" + FOO_USER +":remoteuser=" + OK_USER +
+                  ":ugi=" + OK_USER, ret.get(0));
+
+          return null;
+        }
+      });
+    } finally {
+      jetty.stop();
+    }
+  }
+
 }