Hadoop HDFS
  1. Hadoop HDFS
  2. HDFS-3460

HttpFS proxyuser validation with Kerberos ON uses full principal name

    Details

    • Type: Bug Bug
    • Status: Closed
    • Priority: Critical Critical
    • Resolution: Fixed
    • Affects Version/s: 2.0.0-alpha
    • Fix Version/s: 2.0.2-alpha
    • Component/s: None
    • Labels:
      None
    • Target Version/s:
    • Hadoop Flags:
      Reviewed

      Description

      The HttpFSServer.getEffectiveUser() method uses the principal name for proxy user verification. If the Kerberos is ON and the proxy user is a service principal (NAME/HOST) then the verification fails, instead the short name (just NAME) should be used.

      1. HDFS-3460.patch
        2 kB
        Alejandro Abdelnur

        Activity

        Hide
        Alejandro Abdelnur added a comment -

        A kerberos principal is the full name, not the short name. The Java Principal does not have an accessor to get the short principal. The patch tries to cast the Java Principal to AuthenticationToken and if successful it extracts the username which is the short principal.

        I've tested this in a deployed setup with Kerberos and it works fine.

        Show
        Alejandro Abdelnur added a comment - A kerberos principal is the full name, not the short name. The Java Principal does not have an accessor to get the short principal. The patch tries to cast the Java Principal to AuthenticationToken and if successful it extracts the username which is the short principal. I've tested this in a deployed setup with Kerberos and it works fine.
        Hide
        Aaron T. Myers added a comment -

        The patch looks good to me. +1 pending Jenkins.

        Please unset the fix version until it's committed, and set the "target version" appropriately.

        Show
        Aaron T. Myers added a comment - The patch looks good to me. +1 pending Jenkins. Please unset the fix version until it's committed, and set the "target version" appropriately.
        Hide
        Hadoop QA added a comment -

        -1 overall. Here are the results of testing the latest attachment
        http://issues.apache.org/jira/secure/attachment/12528821/HDFS-3460.patch
        against trunk revision .

        +1 @author. The patch does not contain any @author tags.

        -1 tests included. The patch doesn't appear to include any new or modified tests.
        Please justify why no new tests are needed for this patch.
        Also please list what manual steps were performed to verify this patch.

        +1 javac. The applied patch does not increase the total number of javac compiler warnings.

        +1 javadoc. The javadoc tool did not generate any warning messages.

        +1 eclipse:eclipse. The patch built with eclipse:eclipse.

        +1 findbugs. The patch does not introduce any new Findbugs (version 1.3.9) warnings.

        +1 release audit. The applied patch does not increase the total number of release audit warnings.

        -1 core tests. The patch failed these unit tests in hadoop-hdfs-project/hadoop-hdfs-httpfs:

        org.apache.hadoop.test.TestHTestCase

        +1 contrib tests. The patch passed contrib unit tests.

        Test results: https://builds.apache.org/job/PreCommit-HDFS-Build/2512//testReport/
        Console output: https://builds.apache.org/job/PreCommit-HDFS-Build/2512//console

        This message is automatically generated.

        Show
        Hadoop QA added a comment - -1 overall. Here are the results of testing the latest attachment http://issues.apache.org/jira/secure/attachment/12528821/HDFS-3460.patch against trunk revision . +1 @author. The patch does not contain any @author tags. -1 tests included. The patch doesn't appear to include any new or modified tests. Please justify why no new tests are needed for this patch. Also please list what manual steps were performed to verify this patch. +1 javac. The applied patch does not increase the total number of javac compiler warnings. +1 javadoc. The javadoc tool did not generate any warning messages. +1 eclipse:eclipse. The patch built with eclipse:eclipse. +1 findbugs. The patch does not introduce any new Findbugs (version 1.3.9) warnings. +1 release audit. The applied patch does not increase the total number of release audit warnings. -1 core tests. The patch failed these unit tests in hadoop-hdfs-project/hadoop-hdfs-httpfs: org.apache.hadoop.test.TestHTestCase +1 contrib tests. The patch passed contrib unit tests. Test results: https://builds.apache.org/job/PreCommit-HDFS-Build/2512//testReport/ Console output: https://builds.apache.org/job/PreCommit-HDFS-Build/2512//console This message is automatically generated.
        Hide
        Alejandro Abdelnur added a comment -

        the failure seems unrelated and a one off, I cannot reproduce it in my environment, if I see it again in Jenkins I'll open a JIRA as a flaky test to fix.

        the patch does not have testcase that verifies the change, I've verified the change in a Kerberos deployment using a service principal.

        Show
        Alejandro Abdelnur added a comment - the failure seems unrelated and a one off, I cannot reproduce it in my environment, if I see it again in Jenkins I'll open a JIRA as a flaky test to fix. the patch does not have testcase that verifies the change, I've verified the change in a Kerberos deployment using a service principal.
        Hide
        Alejandro Abdelnur added a comment -

        committed to trunk and branch-2

        Show
        Alejandro Abdelnur added a comment - committed to trunk and branch-2
        Hide
        Hudson added a comment -

        Integrated in Hadoop-Hdfs-trunk #1056 (See https://builds.apache.org/job/Hadoop-Hdfs-trunk/1056/)
        HDFS-3460. HttpFS proxyuser validation with Kerberos ON uses full principal name. (tucu) (Revision 1342334)

        Result = SUCCESS
        tucu : http://svn.apache.org/viewcvs.cgi/?root=Apache-SVN&view=rev&rev=1342334
        Files :

        • /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs-httpfs/src/main/java/org/apache/hadoop/fs/http/server/HttpFSServer.java
        • /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
        Show
        Hudson added a comment - Integrated in Hadoop-Hdfs-trunk #1056 (See https://builds.apache.org/job/Hadoop-Hdfs-trunk/1056/ ) HDFS-3460 . HttpFS proxyuser validation with Kerberos ON uses full principal name. (tucu) (Revision 1342334) Result = SUCCESS tucu : http://svn.apache.org/viewcvs.cgi/?root=Apache-SVN&view=rev&rev=1342334 Files : /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs-httpfs/src/main/java/org/apache/hadoop/fs/http/server/HttpFSServer.java /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
        Hide
        Hudson added a comment -

        Integrated in Hadoop-Mapreduce-trunk #1090 (See https://builds.apache.org/job/Hadoop-Mapreduce-trunk/1090/)
        HDFS-3460. HttpFS proxyuser validation with Kerberos ON uses full principal name. (tucu) (Revision 1342334)

        Result = ABORTED
        tucu : http://svn.apache.org/viewcvs.cgi/?root=Apache-SVN&view=rev&rev=1342334
        Files :

        • /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs-httpfs/src/main/java/org/apache/hadoop/fs/http/server/HttpFSServer.java
        • /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
        Show
        Hudson added a comment - Integrated in Hadoop-Mapreduce-trunk #1090 (See https://builds.apache.org/job/Hadoop-Mapreduce-trunk/1090/ ) HDFS-3460 . HttpFS proxyuser validation with Kerberos ON uses full principal name. (tucu) (Revision 1342334) Result = ABORTED tucu : http://svn.apache.org/viewcvs.cgi/?root=Apache-SVN&view=rev&rev=1342334 Files : /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs-httpfs/src/main/java/org/apache/hadoop/fs/http/server/HttpFSServer.java /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
        Hide
        Hudson added a comment -

        Integrated in Hadoop-Hdfs-trunk-Commit #2361 (See https://builds.apache.org/job/Hadoop-Hdfs-trunk-Commit/2361/)
        HDFS-3460. HttpFS proxyuser validation with Kerberos ON uses full principal name. (tucu) (Revision 1342334)

        Result = SUCCESS
        tucu : http://svn.apache.org/viewcvs.cgi/?root=Apache-SVN&view=rev&rev=1342334
        Files :

        • /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs-httpfs/src/main/java/org/apache/hadoop/fs/http/server/HttpFSServer.java
        • /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
        Show
        Hudson added a comment - Integrated in Hadoop-Hdfs-trunk-Commit #2361 (See https://builds.apache.org/job/Hadoop-Hdfs-trunk-Commit/2361/ ) HDFS-3460 . HttpFS proxyuser validation with Kerberos ON uses full principal name. (tucu) (Revision 1342334) Result = SUCCESS tucu : http://svn.apache.org/viewcvs.cgi/?root=Apache-SVN&view=rev&rev=1342334 Files : /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs-httpfs/src/main/java/org/apache/hadoop/fs/http/server/HttpFSServer.java /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
        Hide
        Hudson added a comment -

        Integrated in Hadoop-Common-trunk-Commit #2288 (See https://builds.apache.org/job/Hadoop-Common-trunk-Commit/2288/)
        HDFS-3460. HttpFS proxyuser validation with Kerberos ON uses full principal name. (tucu) (Revision 1342334)

        Result = SUCCESS
        tucu : http://svn.apache.org/viewcvs.cgi/?root=Apache-SVN&view=rev&rev=1342334
        Files :

        • /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs-httpfs/src/main/java/org/apache/hadoop/fs/http/server/HttpFSServer.java
        • /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
        Show
        Hudson added a comment - Integrated in Hadoop-Common-trunk-Commit #2288 (See https://builds.apache.org/job/Hadoop-Common-trunk-Commit/2288/ ) HDFS-3460 . HttpFS proxyuser validation with Kerberos ON uses full principal name. (tucu) (Revision 1342334) Result = SUCCESS tucu : http://svn.apache.org/viewcvs.cgi/?root=Apache-SVN&view=rev&rev=1342334 Files : /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs-httpfs/src/main/java/org/apache/hadoop/fs/http/server/HttpFSServer.java /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
        Hide
        Hudson added a comment -

        Integrated in Hadoop-Mapreduce-trunk-Commit #2307 (See https://builds.apache.org/job/Hadoop-Mapreduce-trunk-Commit/2307/)
        HDFS-3460. HttpFS proxyuser validation with Kerberos ON uses full principal name. (tucu) (Revision 1342334)

        Result = FAILURE
        tucu : http://svn.apache.org/viewcvs.cgi/?root=Apache-SVN&view=rev&rev=1342334
        Files :

        • /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs-httpfs/src/main/java/org/apache/hadoop/fs/http/server/HttpFSServer.java
        • /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
        Show
        Hudson added a comment - Integrated in Hadoop-Mapreduce-trunk-Commit #2307 (See https://builds.apache.org/job/Hadoop-Mapreduce-trunk-Commit/2307/ ) HDFS-3460 . HttpFS proxyuser validation with Kerberos ON uses full principal name. (tucu) (Revision 1342334) Result = FAILURE tucu : http://svn.apache.org/viewcvs.cgi/?root=Apache-SVN&view=rev&rev=1342334 Files : /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs-httpfs/src/main/java/org/apache/hadoop/fs/http/server/HttpFSServer.java /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt

          People

          • Assignee:
            Alejandro Abdelnur
            Reporter:
            Alejandro Abdelnur
          • Votes:
            0 Vote for this issue
            Watchers:
            4 Start watching this issue

            Dates

            • Created:
              Updated:
              Resolved:

              Development