/// <exception cref="System.IO.IOException"/>
protected internal virtual bool IsValidRequestor(HttpServletRequest request, Configuration
conf)
{
string remotePrincipal = request.GetUserPrincipal().GetName();
string remoteShortName = request.GetRemoteUser();
if (remotePrincipal == null)
{
// This really shouldn't happen...
Log.Warn("Received null remoteUser while authorizing access to " + "GetJournalEditServlet"
);
return(false);
}
if (Log.IsDebugEnabled())
{
Log.Debug("Validating request made by " + remotePrincipal + " / " + remoteShortName
+ ". This user is: " + UserGroupInformation.GetLoginUser());
}
ICollection <string> validRequestors = new HashSet <string>();
Sharpen.Collections.AddAll(validRequestors, DFSUtil.GetAllNnPrincipals(conf));
try
{
validRequestors.AddItem(SecurityUtil.GetServerPrincipal(conf.Get(DFSConfigKeys.DfsSecondaryNamenodeKerberosPrincipalKey
), SecondaryNameNode.GetHttpAddress(conf).GetHostName()));
}
catch (Exception e)
{
// Don't halt if SecondaryNameNode principal could not be added.
Log.Debug("SecondaryNameNode principal could not be added", e);
string msg = string.Format("SecondaryNameNode principal not considered, %s = %s, %s = %s"
, DFSConfigKeys.DfsSecondaryNamenodeKerberosPrincipalKey, conf.Get(DFSConfigKeys
.DfsSecondaryNamenodeKerberosPrincipalKey), DFSConfigKeys.DfsNamenodeSecondaryHttpAddressKey
, conf.Get(DFSConfigKeys.DfsNamenodeSecondaryHttpAddressKey, DFSConfigKeys.DfsNamenodeSecondaryHttpAddressDefault
));
Log.Warn(msg);
}
// Check the full principal name of all the configured valid requestors.
foreach (string v in validRequestors)
{
if (Log.IsDebugEnabled())
{
Log.Debug("isValidRequestor is comparing to valid requestor: " + v);
}
if (v != null && v.Equals(remotePrincipal))
{
if (Log.IsDebugEnabled())
{
Log.Debug("isValidRequestor is allowing: " + remotePrincipal);
}
return(true);
}
}
// Additionally, we compare the short name of the requestor to this JN's
// username, because we want to allow requests from other JNs during
// recovery, but we can't enumerate the full list of JNs.
if (remoteShortName.Equals(UserGroupInformation.GetLoginUser().GetShortUserName()
))
{
if (Log.IsDebugEnabled())
{
Log.Debug("isValidRequestor is allowing other JN principal: " + remotePrincipal);
}
return(true);
}
if (Log.IsDebugEnabled())
{
Log.Debug("isValidRequestor is rejecting: " + remotePrincipal);
}
return(false);
}
