HDDS-3280. Ozone BaseHTTPServer should honor ozone.security.enabled c… #758

merged 4 commits into from Apr 7, 2020
Expand Up @@ -347,6 +347,10 @@ public final class OzoneConfigKeys {
"ozone.security.enabled";
public static final boolean OZONE_SECURITY_ENABLED_DEFAULT = false;

public static final String OZONE_HTTP_SECURITY_ENABLED_KEY =
"ozone.security.http.kerberos.enabled";
public static final boolean OZONE_HTTP_SECURITY_ENABLED_DEFAULT = false;

public static final String OZONE_CONTAINER_COPY_WORKDIR =
"hdds.datanode.replication.work.dir";

Expand Up @@ -18,6 +18,8 @@

package org.apache.hadoop.ozone;

import static org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_HTTP_SECURITY_ENABLED_DEFAULT;
import static org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_HTTP_SECURITY_ENABLED_KEY;
import static org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_SECURITY_ENABLED_DEFAULT;
import static org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_SECURITY_ENABLED_KEY;

Expand Down Expand Up @@ -61,6 +63,12 @@ public static boolean isSecurityEnabled(Configuration conf) {
OZONE_SECURITY_ENABLED_DEFAULT);
}

public static boolean isHttpSecurityEnabled(Configuration conf) {
return isSecurityEnabled(conf) &&
conf.getBoolean(OZONE_HTTP_SECURITY_ENABLED_KEY,
OZONE_HTTP_SECURITY_ENABLED_DEFAULT);
}

/**
* Returns Keys status.
*
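Review bot: `isHttpSecurityEnabled` is added without Javadoc while the neighbouring helpers in this class carry it, so a reader has to go to ozone-default.xml to learn that the new key is only consulted once `ozone.security.enabled` is already true. A short Javadoc above the method would make the contract explicit: `/** Returns true only when both ozone.security.enabled and ozone.security.http.kerberos.enabled are set; the HTTP key alone never enables SPNEGO. */`. The XML description added in this PR says ozone.security.enabled "should" be true, but the `&&` on the first line of the body makes it a hard requirement, so "must" would describe the code more accurately.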
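--- a/hadoop-hdds/common/src/main/resources/ozone-default.xml
+++ b/hadoop-hdds/common/src/main/resources/ozone-default.xml
@@ -1497,11 +1497,21 @@
 <property>
 <name>ozone.security.enabled</name>
 <value>false</value>
-<tag> OZONE, SECURITY</tag>
+<tag>OZONE, SECURITY</tag>
 <description>True if security is enabled for ozone. When this property is
 true, hadoop.security.authentication should be Kerberos.
 </description>
 </property>
+<property>
+<name>ozone.security.http.kerberos.enabled</name>
+<value>false</value>
+<tag>OZONE, SECURITY</tag>
+<description>True if Kerberos authentication for Ozone HTTP web consoles
+is enabled using the SPNEGO protocol. When this property is
+true, hadoop.security.authentication should be Kerberos and
+ozone.security.enabled should be set to true.
+</description>
+</property>
 
 <property>
 <name>ozone.client.checksum.type</name>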
Expand Up @@ -31,6 +31,7 @@
import org.apache.hadoop.metrics2.lib.DefaultMetricsSystem;
import org.apache.hadoop.net.NetUtils;
import org.apache.hadoop.ozone.OzoneConfigKeys;
import org.apache.hadoop.ozone.OzoneSecurityUtil;
import org.apache.hadoop.security.SecurityUtil;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.authorize.AccessControlList;
Expand Down Expand Up @@ -134,8 +135,6 @@ public BaseHttpServer(Configuration conf, String name) throws IOException {
}
}



/**
* Return a HttpServer.Builder that the OzoneManager/SCM/Datanode/S3Gateway/
* Recon to initialize their HTTP / HTTPS server.
Expand All @@ -145,16 +144,18 @@ public static HttpServer2.Builder newHttpServer2BuilderForOzone(
final InetSocketAddress httpsAddr, String name, String spnegoUserNameKey,
String spnegoKeytabFileKey) throws IOException {
HttpConfig.Policy policy = getHttpPolicy(conf);
boolean isSecurityEnabled = UserGroupInformation.isSecurityEnabled() &&
OzoneSecurityUtil.isHttpSecurityEnabled(conf);

HttpServer2.Builder builder = new HttpServer2.Builder().setName(name)
.setConf(conf).setACL(new AccessControlList(conf.get(
OZONE_ADMINISTRATORS, " ")))
.setSecurityEnabled(UserGroupInformation.isSecurityEnabled())
.setSecurityEnabled(isSecurityEnabled)
.setUsernameConfKey(spnegoUserNameKey)
.setKeytabConfKey(spnegoKeytabFileKey);

// initialize the webserver for uploading/downloading files.
if (UserGroupInformation.isSecurityEnabled()) {
if (isSecurityEnabled) {
LOG.info("Starting web server as: "
+ SecurityUtil.getServerPrincipal(conf.get(spnegoUserNameKey),
httpAddr.getHostName()));
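Review bot: With the new line `boolean isSecurityEnabled = UserGroupInformation.isSecurityEnabled() && OzoneSecurityUtil.isHttpSecurityEnabled(conf);` the builder only receives `setSecurityEnabled(true)` when `ozone.security.http.kerberos.enabled` is also set, and that key is introduced in this PR with a default of `false`. A deployment that already runs with Hadoop security and `ozone.security.enabled` will therefore, after upgrading, bring up the OM/SCM/Datanode/Recon web endpoints without SPNEGO until the operator adds the new key, and nothing in this hunk surfaces that change of default. If that is intended, the branch taken when `isSecurityEnabled` is false (past the end of this hunk) should at least emit `LOG.warn("Hadoop security is enabled but Ozone HTTP security is off; web server " + name + " will not require SPNEGO authentication");` when `UserGroupInformation.isSecurityEnabled()` is true, so the unauthenticated console is visible in the logs; otherwise consider defaulting the new key to the value of `ozone.security.enabled`. `newHttpServer2BuilderForOzone` continues beyond the end of the hunk.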