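/// <summary>
/// Decides whether the authenticated caller of this servlet may be served.
/// </summary>
/// <remarks>
/// The caller is accepted when its full principal equals one of the
/// principals returned by <c>DFSUtil.GetAllNnPrincipals</c> or the
/// SecondaryNameNode principal built from <paramref name="conf"/>, or when
/// its short user name equals the short user name of this process's login
/// user. A request with no authenticated principal is rejected; a missing
/// short name only disables the short-name fallback.
/// </remarks>
/// <param name="request">Incoming request carrying the authenticated identity.</param>
/// <param name="conf">Configuration the allowed principals are derived from.</param>
/// <returns><c>true</c> if the requestor is accepted; otherwise <c>false</c>.</returns>
/// <exception cref="System.IO.IOException"/>
protected internal virtual bool IsValidRequestor(HttpServletRequest request, Configuration conf)
{
    // An unauthenticated request may carry no principal object at all; resolve
    // the name defensively so such a request is denied cleanly rather than
    // surfacing as a null dereference.
    var userPrincipal = request.GetUserPrincipal();
    string remotePrincipal = userPrincipal == null ? null : userPrincipal.GetName();
    string remoteShortName = request.GetRemoteUser();
    if (remotePrincipal == null)
    {
        // This really shouldn't happen...
        Log.Warn("Received null remoteUser while authorizing access to " + "GetJournalEditServlet");
        return false;
    }
    if (Log.IsDebugEnabled())
    {
        Log.Debug("Validating request made by " + remotePrincipal + " / " + remoteShortName
            + ". This user is: " + UserGroupInformation.GetLoginUser());
    }

    ICollection<string> validRequestors = new HashSet<string>();
    Sharpen.Collections.AddAll(validRequestors, DFSUtil.GetAllNnPrincipals(conf));
    try
    {
        validRequestors.AddItem(SecurityUtil.GetServerPrincipal(
            conf.Get(DFSConfigKeys.DfsSecondaryNamenodeKerberosPrincipalKey),
            SecondaryNameNode.GetHttpAddress(conf).GetHostName()));
    }
    catch (Exception e)
    {
        // Don't halt if SecondaryNameNode principal could not be added.
        Log.Debug("SecondaryNameNode principal could not be added", e);
        // Indexed placeholders are required here: string.Format does not
        // expand Java-style "%s", so the key/value pairs would otherwise be
        // missing from the warning.
        string msg = string.Format(
            "SecondaryNameNode principal not considered, {0} = {1}, {2} = {3}",
            DFSConfigKeys.DfsSecondaryNamenodeKerberosPrincipalKey,
            conf.Get(DFSConfigKeys.DfsSecondaryNamenodeKerberosPrincipalKey),
            DFSConfigKeys.DfsNamenodeSecondaryHttpAddressKey,
            conf.Get(DFSConfigKeys.DfsNamenodeSecondaryHttpAddressKey,
                DFSConfigKeys.DfsNamenodeSecondaryHttpAddressDefault));
        Log.Warn(msg);
    }

    // Check the full principal name of all the configured valid requestors.
    foreach (string v in validRequestors)
    {
        if (Log.IsDebugEnabled())
        {
            Log.Debug("isValidRequestor is comparing to valid requestor: " + v);
        }
        if (v != null && v.Equals(remotePrincipal))
        {
            if (Log.IsDebugEnabled())
            {
                Log.Debug("isValidRequestor is allowing: " + remotePrincipal);
            }
            return true;
        }
    }

    // Additionally, we compare the short name of the requestor to this JN's
    // username, because we want to allow requests from other JNs during
    // recovery, but we can't enumerate the full list of JNs.
    // NOTE(review): this match is on the short name only, so it is broader
    // than the exact-principal check above and depends on the
    // principal-to-short-name mapping; confirm that mapping cannot resolve an
    // unrelated principal to this service's short name.
    // A null short name can never match, so it is treated as "no match"
    // rather than being dereferenced.
    if (remoteShortName != null
        && remoteShortName.Equals(UserGroupInformation.GetLoginUser().GetShortUserName()))
    {
        if (Log.IsDebugEnabled())
        {
            Log.Debug("isValidRequestor is allowing other JN principal: " + remotePrincipal);
        }
        return true;
    }

    if (Log.IsDebugEnabled())
    {
        Log.Debug("isValidRequestor is rejecting: " + remotePrincipal);
    }
    return false;
}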