SPNEGO TLS verification
Signed-off-by: Akira Ajisaka <aajisaka@apache.org>
(cherry picked from commit ba66f3b454a5f6ea84f2cf7ac0082c555e2954a7)
(cherry picked from commit 4b7d6667fdc1e252c717fb98a01015f046910672)
diff --git a/hadoop-hdfs-project/hadoop-hdfs-client/src/main/java/org/apache/hadoop/hdfs/web/WebHdfsFileSystem.java b/hadoop-hdfs-project/hadoop-hdfs-client/src/main/java/org/apache/hadoop/hdfs/web/WebHdfsFileSystem.java
index 37b66e6..54eada8 100644
--- a/hadoop-hdfs-project/hadoop-hdfs-client/src/main/java/org/apache/hadoop/hdfs/web/WebHdfsFileSystem.java
+++ b/hadoop-hdfs-project/hadoop-hdfs-client/src/main/java/org/apache/hadoop/hdfs/web/WebHdfsFileSystem.java
@@ -144,6 +144,7 @@
+ "/v" + VERSION;
public static final String EZ_HEADER = "X-Hadoop-Accept-EZ";
public static final String FEFINFO_HEADER = "X-Hadoop-feInfo";
+ public static final String DFS_HTTP_POLICY_KEY = "dfs.http.policy";
/**
* Default connection factory may be overridden in tests to use smaller
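Review bot: The new public constant `DFS_HTTP_POLICY_KEY` is declared on `WebHdfsFileSystem` itself, while Hadoop keeps configuration keys in the `*ConfigKeys` classes (`HdfsClientConfigKeys` for this module, and `DFSConfigKeys` on the server side appears to already carry the same `dfs.http.policy` key). Defining it here creates a second copy of the key string that can drift from the server-side definition. If the client module has no existing definition, consider adding it to `HdfsClientConfigKeys` and referencing it from here; at minimum give the constant a Javadoc such as `/** Config key for the HTTP policy; HTTPS_ONLY makes the client refuse plain-HTTP SPNEGO requests. */` so readers know why a filesystem class carries it.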
@@ -173,6 +174,7 @@
private DFSOpsCountStatistics storageStatistics;
private KeyProvider testProvider;
+ private boolean isTLSKrb;
/**
* Return the protocol scheme for the FileSystem.
@@ -235,6 +237,7 @@
.newDefaultURLConnectionFactory(connectTimeout, readTimeout, conf);
}
+ this.isTLSKrb = "HTTPS_ONLY".equals(conf.get(DFS_HTTP_POLICY_KEY));
ugi = UserGroupInformation.getCurrentUser();
this.uri = URI.create(uri.getScheme() + "://" + uri.getAuthority());
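Review bot: The `isTLSKrb` assignment is a case-sensitive raw string comparison, so a configuration value such as `https_only` that the server side accepts (my recollection is that `HttpConfig.Policy.fromString` matches case-insensitively) would leave the new guard silently disabled, which is a fail-open default for a security check. Parsing through the same enum the server uses avoids the mismatch: `HttpConfig.Policy policy = HttpConfig.Policy.fromString(` / `conf.get(DFS_HTTP_POLICY_KEY, HttpConfig.Policy.HTTP_ONLY.name()));` / `this.isTLSKrb = policy == HttpConfig.Policy.HTTPS_ONLY;`. It is also worth confirming whether the server's policy resolution honours the deprecated `dfs.https.enable` setting, in which case the client should mirror that too. The enclosing `initialize` method continues outside this hunk.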
@@ -692,6 +695,11 @@
//redirect hostname and port
redirectHost = null;
+ if (url.getProtocol().equals(getTransportScheme()) &&
+ UserGroupInformation.isSecurityEnabled() &&
+ isTLSKrb) {
+ throw new IOException("Access denied: dfs.http.policy is HTTPS_ONLY.");
+ }
// resolve redirects for a DN operation unless already resolved
if (op.getRedirect() && !redirected) {