
Backport HDFS-2264: NamenodeProtocol has the wrong value for clientPrincipal in KerberosInfo annotation.

Jing Zhao 11 lat temu
rodzic
commit
c748a50aed

+ 3 - 1
CHANGES.txt

@@ -21,13 +21,15 @@ Release 1.3.0 - unreleased
     HDFS-5245. shouldRetry() in WebHDFSFileSystem generates excessive warnings.
     (Haohui Mai via jing9)
 
-
     HDFS-4794. Browsing filesystem via webui throws kerberos exception when NN 
     service RPC is enabled in a secure cluster. (Benoy Antony via jing9)
 
     HDFS-5944. LeaseManager:findLeaseWithPrefixPath can't handle path like /a/b/
     and cause SecondaryNameNode failed do checkpoint (Yunjiong Zhao via brandonli)
 
+    HDFS-2264. NamenodeProtocol has the wrong value for clientPrincipal in
+    KerberosInfo annotation. (Aaron T. Myers, backported by jing9)
+
 Release 1.2.2 - unreleased
 
   INCOMPATIBLE CHANGES

+ 1 - 1
src/hdfs/org/apache/hadoop/hdfs/server/namenode/FSNamesystem.java

@@ -5929,7 +5929,7 @@ public class FSNamesystem implements FSConstants, FSNamesystemMBean, FSClusterSt
     checkPermission(pc, path, false, null, null, null, null);
   }
 
-  private void checkSuperuserPrivilege() throws AccessControlException {
+  void checkSuperuserPrivilege() throws AccessControlException {
     if (isPermissionEnabled) {
       FSPermissionChecker pc = getPermissionChecker();
       pc.checkSuperuserPrivilege();
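Review bot: `checkSuperuserPrivilege()` checks nothing when `isPermissionEnabled` is false, so the NameNode.java methods this commit guards with it (`getBlocks`, `getEditLogSize`, `rollEditLog`, `rollFsImage`, `getBlockKeys`, `versionRequest`) are not restricted to superusers on a cluster that runs with permission checking disabled. Since the same commit removes `clientPrincipal` from `NamenodeProtocol`, that configuration has no caller restriction visible in this diff, and presumably relies on service-level authorization alone. Now that the method is package-visible, its contract should be stated on it, e.g. `/** Throws AccessControlException unless the caller is a superuser; does nothing when permission checking is disabled. */`. The method body continues past the end of the hunk.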

+ 19 - 21
src/hdfs/org/apache/hadoop/hdfs/server/namenode/NameNode.java

@@ -90,15 +90,15 @@ import org.apache.hadoop.security.SecurityUtil;
 import org.apache.hadoop.security.UserGroupInformation;
 import org.apache.hadoop.security.authentication.server.AuthenticationFilter;
 import org.apache.hadoop.security.authorize.AuthorizationException;
+import org.apache.hadoop.security.authorize.PolicyProvider;
 import org.apache.hadoop.security.authorize.ProxyUsers;
 import org.apache.hadoop.security.authorize.RefreshAuthorizationPolicyProtocol;
 import org.apache.hadoop.security.authorize.ServiceAuthorizationManager;
 import org.apache.hadoop.security.token.SecretManager.InvalidToken;
 import org.apache.hadoop.security.token.Token;
+import org.apache.hadoop.util.ReflectionUtils;
 import org.apache.hadoop.util.ServicePlugin;
 import org.apache.hadoop.util.StringUtils;
-import org.apache.hadoop.security.authorize.PolicyProvider;
-import org.apache.hadoop.util.ReflectionUtils;
 
 /**********************************************************
  * NameNode serves as both directory namespace manager and
@@ -143,6 +143,7 @@ public class NameNode implements ClientProtocol, DatanodeProtocol,
     Configuration.addDefaultResource("hdfs-site.xml");
   }
   
+  @Override
   public long getProtocolVersion(String protocol, 
                                  long clientVersion) throws IOException {
     if (protocol.equals(ClientProtocol.class.getName())) {
@@ -636,20 +637,14 @@ public class NameNode implements ClientProtocol, DatanodeProtocol,
   /////////////////////////////////////////////////////
   // NamenodeProtocol
   /////////////////////////////////////////////////////
-  /**
-   * return a list of blocks & their locations on <code>datanode</code> whose
-   * total size is <code>size</code>
-   * 
-   * @param datanode on which blocks are located
-   * @param size total size of blocks
-   */
+  @Override // NameNodeProtocol
   public BlocksWithLocations getBlocks(DatanodeInfo datanode, long size)
   throws IOException {
     if(size <= 0) {
       throw new IllegalArgumentException(
         "Unexpected not positive size: "+size);
     }
-
+    namesystem.checkSuperuserPrivilege();
     return namesystem.getBlocks(datanode, size); 
   }
   
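Review bot: In `getBlocks` the new `namesystem.checkSuperuserPrivilege();` runs after the `size <= 0` validation, so an unprivileged caller passing a bad size gets `IllegalArgumentException` rather than `AccessControlException`, and the argument handling is reachable before any authorization decision. Making the privilege check the first statement, directly before `if(size <= 0) {`, keeps the authorization result independent of the input and matches the other methods guarded in this commit, which check first.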
@@ -1022,24 +1017,21 @@ public class NameNode implements ClientProtocol, DatanodeProtocol,
     namesystem.refreshNodes(new Configuration());
   }
 
-  /**
-   * Returns the size of the current edit log.
-   */
+  @Override // NameNodeProtocol
   public long getEditLogSize() throws IOException {
+    namesystem.checkSuperuserPrivilege();
     return namesystem.getEditLogSize();
   }
 
-  /**
-   * Roll the edit log.
-   */
+  @Override // NameNodeProtocol
   public CheckpointSignature rollEditLog() throws IOException {
+    namesystem.checkSuperuserPrivilege();
     return namesystem.rollEditLog();
   }
 
-  /**
-   * Roll the image 
-   */
+  @Override // NameNodeProtocol
   public void rollFsImage() throws IOException {
+    namesystem.checkSuperuserPrivilege();
     namesystem.rollFSImage();
   }
     
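Review bot: The label in `@Override // NameNodeProtocol` does not match the interface name, which is `NamenodeProtocol` (see the NamenodeProtocol.java section); the same label is used in the `getBlocks` and `getBlockKeys` hunks, and `@Override // NamenodeProtocol` would keep it searchable. With the Javadoc removed, nothing on `getEditLogSize`, `rollEditLog` or `rollFsImage` records that they now reject non-superuser callers. A short comment such as `// superuser only when permission checking is enabled` on each would make that visible to the next reader.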
@@ -1164,8 +1156,9 @@ public class NameNode implements ClientProtocol, DatanodeProtocol,
     }
   }
 
-  /** {@inheritDoc} */
+  @Override // NameNodeProtocol
   public ExportedBlockKeys getBlockKeys() throws IOException {
+    namesystem.checkSuperuserPrivilege();
     return namesystem.getBlockKeys();
   }
 
@@ -1187,8 +1180,13 @@ public class NameNode implements ClientProtocol, DatanodeProtocol,
       namesystem.removeDatanode(nodeReg);            
     }
   }
-    
+  
+  @Override // VersionedProtocol
   public NamespaceInfo versionRequest() throws IOException {
+    // currently this method is only called by DN and SNN (although this method
+    // is also included in ClientProtocol), thus we can/should check the super
+    // user privilege.
+    namesystem.checkSuperuserPrivilege();
     return namesystem.getNamespaceInfo();
   }
 
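Review bot: The new check in `versionRequest` makes the DataNode and SecondaryNameNode handshake depend on those daemons authenticating as a superuser, which the added comment takes for granted and nothing visible here verifies. A DataNode running under a principal that is neither the NameNode user nor in the supergroup would presumably be rejected with `AccessControlException` at this call, so this should be confirmed against the supported deployment layouts. The comment could state the requirement directly, e.g. `// callers (DN, SNN) must authenticate as a superuser`. The label `// VersionedProtocol` also looks inconsistent with the added comment, which places this method in the DN/SNN protocols and `ClientProtocol`.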

+ 1 - 2
src/hdfs/org/apache/hadoop/hdfs/server/protocol/NamenodeProtocol.java

@@ -32,8 +32,7 @@ import org.apache.hadoop.security.KerberosInfo;
  * It's used to get part of the name node state
  *****************************************************************************/
 @KerberosInfo(
-    serverPrincipal = DFSConfigKeys.DFS_NAMENODE_USER_NAME_KEY,
-    clientPrincipal = DFSConfigKeys.DFS_NAMENODE_USER_NAME_KEY)
+    serverPrincipal = DFSConfigKeys.DFS_NAMENODE_USER_NAME_KEY)
 public interface NamenodeProtocol extends VersionedProtocol {
   /**
    * 3: new method added: getAccessKeys()
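Review bot: With `clientPrincipal` removed from `@KerberosInfo`, the annotation no longer names which principal may call this protocol, so access control for `NamenodeProtocol` rests on each implementation method calling `namesystem.checkSuperuserPrivilege()`, as NameNode.java now does. A method added to this interface later gets no such protection unless its implementation repeats the call. The interface Javadoc should record that, for example `* Implementations must restrict every method to superuser callers.` The interface body continues outside the hunk.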