anuengineer commented on a change in pull request #110: HDDS-2321. Ozone Block 
Token verify should not apply to all datanode …
URL: https://github.com/apache/hadoop-ozone/pull/110#discussion_r341825738
 
 

 ##########
 File path: 
hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/token/BlockTokenVerifier.java
 ##########
 @@ -55,68 +57,68 @@ private boolean isExpired(long expiryDate) {
   }
 
   @Override
-  public UserGroupInformation verify(String user, String tokenStr)
-      throws SCMSecurityException {
-    if (conf.isBlockTokenEnabled()) {
-      // TODO: add audit logs.
-
-      if (Strings.isNullOrEmpty(tokenStr)) {
-        throw new BlockTokenException("Fail to find any token (empty or " +
-            "null.)");
-      }
-      final Token<OzoneBlockTokenIdentifier> token = new Token();
-      OzoneBlockTokenIdentifier tokenId = new OzoneBlockTokenIdentifier();
-      try {
-        token.decodeFromUrlString(tokenStr);
-        if (LOGGER.isDebugEnabled()) {
-          LOGGER.debug("Verifying token:{} for user:{} ", token, user);
-        }
-        ByteArrayInputStream buf = new ByteArrayInputStream(
-            token.getIdentifier());
-        DataInputStream in = new DataInputStream(buf);
-        tokenId.readFields(in);
-
-      } catch (IOException ex) {
-        throw new BlockTokenException("Failed to decode token : " + tokenStr);
-      }
+  public void verify(String user, String tokenStr,
+      ContainerProtos.Type cmd, String id) throws SCMSecurityException {
+    if (!conf.isBlockTokenEnabled() || !HddsUtils.requireOmBlockToken(cmd)) {
+      return;
+    }
+
+    // TODO: add audit logs.
+    if (Strings.isNullOrEmpty(tokenStr)) {
+      throw new BlockTokenException("Fail to find any token (empty or " +
+          "null.)");
+    }
 
-      if (caClient == null) {
-        throw new SCMSecurityException("Certificate client not available " +
-            "to validate token");
+    final Token<OzoneBlockTokenIdentifier> token = new Token();
+    OzoneBlockTokenIdentifier tokenId = new OzoneBlockTokenIdentifier();
+    try {
+      token.decodeFromUrlString(tokenStr);
+      if (LOGGER.isDebugEnabled()) {
+        LOGGER.debug("Verifying token:{} for user:{} ", token, user);
       }
+      ByteArrayInputStream buf = new ByteArrayInputStream(
+          token.getIdentifier());
+      DataInputStream in = new DataInputStream(buf);
+      tokenId.readFields(in);
 
-      X509Certificate singerCert;
-      singerCert = caClient.getCertificate(tokenId.getOmCertSerialId());
+    } catch (IOException ex) {
+      throw new BlockTokenException("Failed to decode token : " + tokenStr);
+    }
 
-      if (singerCert == null) {
-        throw new BlockTokenException("Can't find signer certificate " +
-            "(OmCertSerialId: " + tokenId.getOmCertSerialId() +
-            ") of the block token for user: " + tokenId.getUser());
-      }
-      boolean validToken = caClient.verifySignature(tokenId.getBytes(),
-          token.getPassword(), singerCert);
-      if (!validToken) {
-        throw new BlockTokenException("Invalid block token for user: " +
-            tokenId.getUser());
-      }
+    if (caClient == null) {
+      throw new SCMSecurityException("Certificate client not available " +
+          "to validate token");
+    }
 
-      // check expiration
-      if (isExpired(tokenId.getExpiryDate())) {
-        UserGroupInformation tokenUser = tokenId.getUser();
-        tokenUser.setAuthenticationMethod(
-            UserGroupInformation.AuthenticationMethod.TOKEN);
-        throw new BlockTokenException("Expired block token for user: " +
-            tokenUser);
-      }
-      // defer access mode, bcsid and maxLength check to container dispatcher
-      UserGroupInformation ugi = tokenId.getUser();
-      ugi.addToken(token);
-      ugi.setAuthenticationMethod(UserGroupInformation
-          .AuthenticationMethod.TOKEN);
-      return ugi;
-    } else {
-      return UserGroupInformation.createRemoteUser(user);
+    UserGroupInformation tokenUser = tokenId.getUser();
+    X509Certificate singerCert;
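Review bot: The decode-failure path `throw new BlockTokenException("Failed to decode token : " + tokenStr);` puts the raw URL-encoded token, which carries the token's password/signature bytes together with the identifier, into the exception message, so it can land in datanode logs or in the error response returned to the caller; the new code keeps that line unchanged. Prefer a message without the token material that still keeps the cause, e.g. `throw new BlockTokenException("Failed to decode block token for user: " + user, ex);` if BlockTokenException accepts a cause, and otherwise at least drop `tokenStr` from the message (the `ex` is currently discarded either way). The new `String id` parameter is not read anywhere in the quoted lines; presumably it is checked against the decoded identifier further down, which is worth stating in a Javadoc `@param id` on the new signature so callers know what value they must pass. The body of verify continues past the end of the quoted hunk.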
 
 Review comment:
   typo: singerCert  -> signerCert?
