Hadoop HDFS / HDFS-3460

HttpFS proxyuser validation with Kerberos ON uses full principal name

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: 2.0.0-alpha
    • Fix Version/s: 2.0.2-alpha
    • Component/s: None
    • Labels:
      None
    • Target Version/s:
    • Hadoop Flags:
      Reviewed

      Description

      The HttpFSServer.getEffectiveUser() method uses the principal name for proxy user verification. If Kerberos is ON and the proxy user is a service principal (NAME/HOST), the verification fails; the short name (just NAME) should be used instead.

      1. HDFS-3460.patch
        2 kB
        Alejandro Abdelnur

        Activity

        Alejandro Abdelnur created issue -
        Alejandro Abdelnur added a comment -

        A Kerberos principal is the full name, not the short name. The Java Principal does not have an accessor to get the short principal. The patch tries to cast the Java Principal to AuthenticationToken and, if successful, it extracts the username, which is the short principal.

        I've tested this in a deployed setup with Kerberos and it works fine.
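
The name mismatch discussed in this issue, as an added Java example that is not the HDFS-3460 patch or Hadoop code. TokenPrincipal is a hypothetical stand-in for Hadoop's AuthenticationToken, and the proxyuser table, principal and host names are constructed.

```java
import java.security.Principal;
import java.util.Map;
import java.util.Set;

// Added illustration (Java 9+); names here are assumptions, not Hadoop's own.
public class ProxyUserNameCheck {

    // Stand-in for AuthenticationToken: getName() returns the full Kerberos
    // principal, getUserName() returns the short name.
    static final class TokenPrincipal implements Principal {
        private final String userName;
        private final String principal;
        TokenPrincipal(String userName, String principal) {
            this.userName = userName;
            this.principal = principal;
        }
        @Override public String getName() { return principal; }
        String getUserName() { return userName; }
    }

    // Constructed proxyuser table keyed by SHORT name: hosts the user may proxy from.
    static final Map<String, Set<String>> PROXY_HOSTS =
        Map.of("oozie", Set.of("gw1.example.com"));

    // Behaviour reported in the issue: the full principal becomes the lookup key.
    static String callerBefore(Principal p) { return p.getName(); }

    // Behaviour described for the patch: use the short name when the cast succeeds,
    // otherwise fall back to the plain principal name.
    static String callerAfter(Principal p) {
        return (p instanceof TokenPrincipal)
            ? ((TokenPrincipal) p).getUserName()
            : p.getName();
    }

    // Fail closed: an unknown caller or an unlisted host is rejected.
    static boolean mayImpersonate(String caller, String remoteHost) {
        Set<String> hosts = PROXY_HOSTS.get(caller);
        return hosts != null && hosts.contains(remoteHost);
    }

    public static void main(String[] args) {
        Principal p = new TokenPrincipal("oozie", "oozie/gw1.example.com@EXAMPLE.COM");
        System.out.println("full name:  " + mayImpersonate(callerBefore(p), "gw1.example.com"));
        System.out.println("short name: " + mayImpersonate(callerAfter(p), "gw1.example.com"));
        System.out.println("other host: " + mayImpersonate(callerAfter(p), "other.example.com"));
    }
}
```

With the full principal as the key, a legitimately configured service principal is denied; with the short name, the lookup matches while requests from unlisted hosts are still rejected.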

        Alejandro Abdelnur made changes -
        Field Original Value New Value
        Attachment HDFS-3460.patch [ 12528821 ]
        Alejandro Abdelnur made changes -
        Status Open [ 1 ] Patch Available [ 10002 ]
        Aaron T. Myers added a comment -

        The patch looks good to me. +1 pending Jenkins.

        Please unset the fix version until it's committed, and set the "target version" appropriately.

        Alejandro Abdelnur made changes -
        Fix Version/s 2.0.1-alpha [ 12321440 ]
        Alejandro Abdelnur made changes -
        Target Version/s 2.0.1-alpha [ 12321440 ]
        Hadoop QA added a comment -

        -1 overall. Here are the results of testing the latest attachment
        http://issues.apache.org/jira/secure/attachment/12528821/HDFS-3460.patch
        against trunk revision .

        +1 @author. The patch does not contain any @author tags.

        -1 tests included. The patch doesn't appear to include any new or modified tests.
        Please justify why no new tests are needed for this patch.
        Also please list what manual steps were performed to verify this patch.

        +1 javac. The applied patch does not increase the total number of javac compiler warnings.

        +1 javadoc. The javadoc tool did not generate any warning messages.

        +1 eclipse:eclipse. The patch built with eclipse:eclipse.

        +1 findbugs. The patch does not introduce any new Findbugs (version 1.3.9) warnings.

        +1 release audit. The applied patch does not increase the total number of release audit warnings.

        -1 core tests. The patch failed these unit tests in hadoop-hdfs-project/hadoop-hdfs-httpfs:

        org.apache.hadoop.test.TestHTestCase

        +1 contrib tests. The patch passed contrib unit tests.

        Test results: https://builds.apache.org/job/PreCommit-HDFS-Build/2512//testReport/
        Console output: https://builds.apache.org/job/PreCommit-HDFS-Build/2512//console

        This message is automatically generated.

        Alejandro Abdelnur added a comment -

        The failure seems unrelated and a one-off; I cannot reproduce it in my environment. If I see it again in Jenkins I'll open a JIRA as a flaky test to fix.

        The patch does not have a test case that verifies the change; I've verified the change in a Kerberos deployment using a service principal.

        Alejandro Abdelnur added a comment -

        Committed to trunk and branch-2.

        Alejandro Abdelnur made changes -
        Status Patch Available [ 10002 ] Resolved [ 5 ]
        Hadoop Flags Reviewed [ 10343 ]
        Fix Version/s 2.0.1-alpha [ 12321440 ]
        Resolution Fixed [ 1 ]
        Hudson added a comment -

        Integrated in Hadoop-Hdfs-trunk #1056 (See https://builds.apache.org/job/Hadoop-Hdfs-trunk/1056/)
        HDFS-3460. HttpFS proxyuser validation with Kerberos ON uses full principal name. (tucu) (Revision 1342334)

        Result = SUCCESS
        tucu : http://svn.apache.org/viewcvs.cgi/?root=Apache-SVN&view=rev&rev=1342334
        Files :

        • /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs-httpfs/src/main/java/org/apache/hadoop/fs/http/server/HttpFSServer.java
        • /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
        Hudson added a comment -

        Integrated in Hadoop-Mapreduce-trunk #1090 (See https://builds.apache.org/job/Hadoop-Mapreduce-trunk/1090/)
        HDFS-3460. HttpFS proxyuser validation with Kerberos ON uses full principal name. (tucu) (Revision 1342334)

        Result = ABORTED
        tucu : http://svn.apache.org/viewcvs.cgi/?root=Apache-SVN&view=rev&rev=1342334
        Files :

        • /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs-httpfs/src/main/java/org/apache/hadoop/fs/http/server/HttpFSServer.java
        • /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
        Hudson added a comment -

        Integrated in Hadoop-Hdfs-trunk-Commit #2361 (See https://builds.apache.org/job/Hadoop-Hdfs-trunk-Commit/2361/)
        HDFS-3460. HttpFS proxyuser validation with Kerberos ON uses full principal name. (tucu) (Revision 1342334)

        Result = SUCCESS
        tucu : http://svn.apache.org/viewcvs.cgi/?root=Apache-SVN&view=rev&rev=1342334
        Files :

        • /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs-httpfs/src/main/java/org/apache/hadoop/fs/http/server/HttpFSServer.java
        • /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
        Hudson added a comment -

        Integrated in Hadoop-Common-trunk-Commit #2288 (See https://builds.apache.org/job/Hadoop-Common-trunk-Commit/2288/)
        HDFS-3460. HttpFS proxyuser validation with Kerberos ON uses full principal name. (tucu) (Revision 1342334)

        Result = SUCCESS
        tucu : http://svn.apache.org/viewcvs.cgi/?root=Apache-SVN&view=rev&rev=1342334
        Files :

        • /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs-httpfs/src/main/java/org/apache/hadoop/fs/http/server/HttpFSServer.java
        • /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
        Hudson added a comment -

        Integrated in Hadoop-Mapreduce-trunk-Commit #2307 (See https://builds.apache.org/job/Hadoop-Mapreduce-trunk-Commit/2307/)
        HDFS-3460. HttpFS proxyuser validation with Kerberos ON uses full principal name. (tucu) (Revision 1342334)

        Result = FAILURE
        tucu : http://svn.apache.org/viewcvs.cgi/?root=Apache-SVN&view=rev&rev=1342334
        Files :

        • /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs-httpfs/src/main/java/org/apache/hadoop/fs/http/server/HttpFSServer.java
        • /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
        Arun C Murthy made changes -
        Fix Version/s 2.0.2-alpha [ 12322472 ]
        Fix Version/s 2.1.0-alpha [ 12321440 ]
        Arun C Murthy made changes -
        Status Resolved [ 5 ] Closed [ 6 ]
        Transition | Time In Source Status | Execution Times | Last Executer | Last Execution Date
        Open → Patch Available | 2h 34m | 1 | Alejandro Abdelnur | 24/May/12 00:40
        Patch Available → Resolved | 21h 44m | 1 | Alejandro Abdelnur | 24/May/12 22:25
        Resolved → Closed | 139d 20h 20m | 1 | Arun C Murthy | 11/Oct/12 18:46

          People

          • Assignee:
            Alejandro Abdelnur
            Reporter:
            Alejandro Abdelnur
          • Votes:
            0
            Watchers:
            4
