
HADOOP-14047. Require admin to access KMS instrumentation servlets. Contributed by John Zhuge.

Xiao Chen 8 vuotta sitten
vanhempi
commit
d88497d44a

+ 2 - 0
hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSConfiguration.java

@@ -48,6 +48,8 @@ public class KMSConfiguration {
   public static final int HTTP_PORT_DEFAULT = 9600;
   public static final String HTTP_HOST_KEY = "hadoop.kms.http.host";
   public static final String HTTP_HOST_DEFAULT = "0.0.0.0";
+  public static final String HTTP_ADMINS_KEY =
+      "hadoop.kms.http.administrators";
 
   // SSL properties
   public static final String SSL_ENABLED_KEY = "hadoop.kms.ssl.enabled";
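Review bot: The new `HTTP_ADMINS_KEY` constant has no matching `_DEFAULT`, unlike its neighbours `HTTP_PORT_DEFAULT` and `HTTP_HOST_DEFAULT`, and the default that belongs to it (the literal `" "`) is instead hard-coded at the call site in KMSWebServer in this same commit. Adding `public static final String HTTP_ADMINS_DEFAULT = " ";` beside the key keeps the default discoverable in one place and lets the call site read `conf.get(HTTP_ADMINS_KEY, HTTP_ADMINS_DEFAULT)`. A short comment on the constant would also help a reader who does not know the ACL format, e.g. `// "users groups" separated by a space; " " names no users and no groups` — that reading follows the kms-default.xml description in this commit and should be confirmed against AccessControlList. The class continues outside the hunk.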

+ 0 - 10
hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSWebApp.java

@@ -34,9 +34,7 @@ import org.apache.hadoop.crypto.key.CachingKeyProvider;
 import org.apache.hadoop.crypto.key.KeyProvider;
 import org.apache.hadoop.crypto.key.KeyProviderCryptoExtension;
 import org.apache.hadoop.crypto.key.KeyProviderFactory;
-import org.apache.hadoop.http.HttpServer2;
 import org.apache.hadoop.security.UserGroupInformation;
-import org.apache.hadoop.security.authorize.AccessControlList;
 import org.apache.hadoop.util.VersionInfo;
 import org.apache.log4j.PropertyConfigurator;
 import org.slf4j.Logger;
@@ -144,14 +142,6 @@ public class KMSWebApp implements ServletContextListener {
 
       kmsAudit = new KMSAudit(kmsConf);
 
-      // this is required for the the JMXJsonServlet to work properly.
-      // the JMXJsonServlet is behind the authentication filter,
-      // thus the '*' ACL.
-      sce.getServletContext().setAttribute(HttpServer2.CONF_CONTEXT_ATTRIBUTE,
-          kmsConf);
-      sce.getServletContext().setAttribute(HttpServer2.ADMINS_ACL,
-          new AccessControlList(AccessControlList.WILDCARD_ACL_VALUE));
-
       // intializing the KeyProvider
       String providerString = kmsConf.get(KMSConfiguration.KEY_PROVIDER_URI);
       if (providerString == null) {

+ 3 - 0
hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSWebServer.java

@@ -27,6 +27,7 @@ import org.apache.hadoop.classification.InterfaceAudience;
 import org.apache.hadoop.conf.ConfigurationWithLogging;
 import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.http.HttpServer2;
+import org.apache.hadoop.security.authorize.AccessControlList;
 import org.apache.hadoop.security.ssl.SSLFactory;
 import org.apache.hadoop.util.StringUtils;
 import org.slf4j.Logger;
@@ -84,6 +85,8 @@ public class KMSWebServer {
         .setConf(conf)
         .setSSLConf(sslConf)
         .authFilterConfigurationPrefix(KMSAuthenticationFilter.CONFIG_PREFIX)
+        .setACL(new AccessControlList(conf.get(
+            KMSConfiguration.HTTP_ADMINS_KEY, " ")))
         .addEndpoint(endpoint)
         .build();
   }
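Review bot: The ACL passed to `setACL(...)` is only a policy object; whether HttpServer2 consults it for /jmx, /conf and /stacks appears to depend on `hadoop.security.authorization` and `hadoop.security.instrumentation.requires.admin`, which the index.md.vm hunk on this page tells operators to enable and which this commit does not set in kms-default.xml. As far as can be seen here, a KMS running on stock defaults therefore still serves the instrumentation servlets to any authenticated user despite the commit title; either ship `hadoop.security.instrumentation.requires.admin=true` in kms-default.xml or make the gap explicit with a comment above the call, such as `// Admin ACL for /jmx, /conf, /stacks; only enforced when hadoop.security.instrumentation.requires.admin is true`. The `" "` fallback deserves a word too: per the kms-default.xml description a lone space is an empty user list and an empty group list, so a missing key denies everyone once enforcement is on, which is the safe direction but not obvious from the literal. The enclosing method begins before the hunk.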

+ 14 - 0
hadoop-common-project/hadoop-kms/src/main/resources/kms-default.xml

@@ -37,6 +37,20 @@
     </description>
   </property>
 
+  <property>
+    <name>hadoop.kms.http.administrators</name>
+    <value></value>
+    <description>ACL for the admins, this configuration is used to control
+      who can access the default KMS servlets. The value should be a comma
+      separated list of users and groups. The user list comes first and is
+      separated by a space followed by the group list,
+      e.g. "user1,user2 group1,group2". Both users and groups are optional,
+      so "user1", " group1", "", "user1 group1", "user1,user2 group1,group2"
+      are all valid (note the leading space in " group1"). '*' grants access
+      to all users and groups, e.g. '*', '* ' and ' *' are all valid.
+    </description>
+  </property>
+
   <property>
     <name>hadoop.kms.ssl.enabled</name>
     <value>false</value>
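Review bot: The description for `hadoop.kms.http.administrators` never states the operational consequence of the shipped empty value, nor that the list is only applied when admin enforcement is switched on elsewhere. A sentence such as `An empty value (the default) names no administrators, so once hadoop.security.instrumentation.requires.admin is enabled the /jmx, /conf, /logLevel, /logs and /stacks servlets are inaccessible until this list is populated.` would give operators the security effect up front. Next to the '*' sentence it is also worth saying `Setting '*' reopens these servlets to every authenticated user, which is the behaviour this ACL replaces.` so the wildcard is not copied in casually.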

+ 36 - 2
hadoop-common-project/hadoop-kms/src/site/markdown/index.md.vm

@@ -1063,13 +1063,13 @@ configuration properties instead.
 
 Environment Variable     | Configuration Property       | Configuration File
 -------------------------|------------------------------|--------------------
+KMS_TEMP                 | hadoop.http.temp.dir         | kms-site.xml
 KMS_HTTP_PORT            | hadoop.kms.http.port         | kms-site.xml
 KMS_MAX_HTTP_HEADER_SIZE | hadoop.http.max.request.header.size and hadoop.http.max.response.header.size | kms-site.xml
 KMS_MAX_THREADS          | hadoop.http.max.threads      | kms-site.xml
 KMS_SSL_ENABLED          | hadoop.kms.ssl.enabled       | kms-site.xml
 KMS_SSL_KEYSTORE_FILE    | ssl.server.keystore.location | ssl-server.xml
 KMS_SSL_KEYSTORE_PASS    | ssl.server.keystore.password | ssl-server.xml
-KMS_TEMP                 | hadoop.http.temp.dir         | kms-site.xml
 
 $H3 Default HTTP Services
 
@@ -1080,4 +1080,38 @@ Name               | Description
 /logLevel          | Get or set log level per class
 /logs              | Display log files
 /stacks            | Display JVM stacks
-/static/index.html | The static home page
+/static/index.html | The static home page
+
+To control the access to servlet `/conf`, `/jmx`, `/logLevel`, `/logs`,
+and `/stacks`, configure the following properties in `kms-site.xml`:
+
+```xml
+  <property>
+    <name>hadoop.security.authorization</name>
+    <value>true</value>
+    <description>Is service-level authorization enabled?</description>
+  </property>
+
+  <property>
+    <name>hadoop.security.instrumentation.requires.admin</name>
+    <value>true</value>
+    <description>
+      Indicates if administrator ACLs are required to access
+      instrumentation servlets (JMX, METRICS, CONF, STACKS).
+    </description>
+  </property>
+
+  <property>
+    <name>hadoop.kms.http.administrators</name>
+    <value></value>
+    <description>ACL for the admins, this configuration is used to control
+      who can access the default KMS servlets. The value should be a comma
+      separated list of users and groups. The user list comes first and is
+      separated by a space followed by the group list,
+      e.g. "user1,user2 group1,group2". Both users and groups are optional,
+      so "user1", " group1", "", "user1 group1", "user1,user2 group1,group2"
+      are all valid (note the leading space in " group1"). '*' grants access
+      to all users and groups, e.g. '*', '* ' and ' *' are all valid.
+    </description>
+  </property>
+```