Posted to commits@knox.apache.org by kr...@apache.org on 2020/02/05 21:14:29 UTC
[knox] branch master updated: KNOX-2223 - HS2 cookie not stored in
HadoopAuthCookieStore (#253)
This is an automated email from the ASF dual-hosted git repository.
krisden pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/knox.git
The following commit(s) were added to refs/heads/master by this push:
new d05d307 KNOX-2223 - HS2 cookie not stored in HadoopAuthCookieStore (#253)
d05d307 is described below
commit d05d307e0b1bea9f2f1a63a02392a917b35814c0
Author: Kevin Risden <ri...@users.noreply.github.com>
AuthorDate: Wed Feb 5 16:14:19 2020 -0500
KNOX-2223 - HS2 cookie not stored in HadoopAuthCookieStore (#253)
This ensures that both the short and the long
form of the Knox principal are compared against
the returned cookie. This will match the HS2 cookie.
Signed-off-by: Kevin Risden <kr...@apache.org>
---
.../org/apache/knox/gateway/dispatch/HadoopAuthCookieStore.java | 6 +++++-
.../org/apache/knox/gateway/dispatch/HadoopAuthCookieStoreTest.java | 4 ++--
2 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/gateway-spi/src/main/java/org/apache/knox/gateway/dispatch/HadoopAuthCookieStore.java b/gateway-spi/src/main/java/org/apache/knox/gateway/dispatch/HadoopAuthCookieStore.java
index 522019b..e3c10fe 100644
--- a/gateway-spi/src/main/java/org/apache/knox/gateway/dispatch/HadoopAuthCookieStore.java
+++ b/gateway-spi/src/main/java/org/apache/knox/gateway/dispatch/HadoopAuthCookieStore.java
@@ -41,6 +41,7 @@ public class HadoopAuthCookieStore extends BasicCookieStore {
private static final String IMPALA_AUTH_COOKIE_NAME = "impala.auth";
private static String knoxPrincipal;
+ private static String shortKnoxPrincipal;
HadoopAuthCookieStore(GatewayConfig config) {
// Read knoxPrincipal from krb5 login jaas config file
@@ -56,6 +57,8 @@ public class HadoopAuthCookieStore extends BasicCookieStore {
configuredKnoxPrincipal.length() - 1);
}
knoxPrincipal = configuredKnoxPrincipal;
+ // Break out the short principal name from the principal
+ shortKnoxPrincipal = knoxPrincipal.split("/", 2)[0];
} catch (IOException e) {
LOG.errorReadingKerberosLoginConfig(krb5Config, e);
}
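Review bot: The short name is cut only at the first `/`, so a principal configured without a host part (a constructed example: `knox@EXAMPLE.COM`) keeps its realm and will not match a cookie carrying `u=knox`; splitting on either separator, `shortKnoxPrincipal = knoxPrincipal.split("[/@]", 2)[0];`, covers both forms. The assignment also sits inside the `try`, so when reading the login config throws, both static fields appear to stay null unless an earlier instance set them, and the later comparison would then be made against the literal text `=null`. A null guard before that comparison would keep the failure case from silently deciding which cookies are kept. The constructor starts and ends outside this hunk, so the code that produces `configuredKnoxPrincipal` is not visible here.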
@@ -87,7 +90,8 @@ public class HadoopAuthCookieStore extends BasicCookieStore {
// somewhere in the cookie value.
if (cookie != null) {
String value = cookie.getValue();
- if (value != null && value.contains(knoxPrincipal)) {
+ if (value != null &&
+ (value.contains('=' + knoxPrincipal) || value.contains('=' + shortKnoxPrincipal))) {
result = true;
}
}
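Review bot: `value.contains('=' + shortKnoxPrincipal)` is an unanchored substring test, so with a short name of `knox` it also accepts a cookie issued for any user whose name merely begins with it (a constructed example: `u=knoxadmin`). Judging by the test names, this check decides which upstream auth cookies the gateway keeps, so a cookie for a different identity could be retained and presumably sent on later requests. Comparing whole fields avoids that, for example `Arrays.stream(value.split("&")).map(f -> f.substring(f.indexOf('=') + 1)).anyMatch(v -> v.equals(knoxPrincipal) || v.equals(shortKnoxPrincipal))` (needs `java.util.Arrays`; confirm whether the cookie value can arrive wrapped in quotes first). The updated tests flip two cases to inclusion but add no look-alike name that must stay excluded, which would pin this behaviour. The enclosing method starts and ends outside the hunk.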
diff --git a/gateway-spi/src/test/java/org/apache/knox/gateway/dispatch/HadoopAuthCookieStoreTest.java b/gateway-spi/src/test/java/org/apache/knox/gateway/dispatch/HadoopAuthCookieStoreTest.java
index cc58347..6bfcf52 100644
--- a/gateway-spi/src/test/java/org/apache/knox/gateway/dispatch/HadoopAuthCookieStoreTest.java
+++ b/gateway-spi/src/test/java/org/apache/knox/gateway/dispatch/HadoopAuthCookieStoreTest.java
@@ -92,7 +92,7 @@ public class HadoopAuthCookieStoreTest {
@Test
public void testKnoxCookieInclusionDefaultUser() {
- doTestKnoxCookieExclusion("u=knox&p=anotherUser/myhost.example.com@EXAMPLE.COM&t=kerberos&e=1517900515610&s=HpSXUOhoXR/2wXrsgPz5lSbNuf8=");
+ doTestKnoxCookieInclusion("u=knox&p=anotherUser/myhost.example.com@EXAMPLE.COM&t=kerberos&e=1517900515610&s=HpSXUOhoXR/2wXrsgPz5lSbNuf8=");
}
@Test
@@ -126,7 +126,7 @@ public class HadoopAuthCookieStoreTest {
@Test
public void testKnoxCookieInclusionDefaultUserAndMissingPrincipal() {
- doTestKnoxCookieExclusion("u=knox&t=kerberos&e=1517900515610&s=HpSXUOhoXR/2wXrsgPz5lSbNuf8=");
+ doTestKnoxCookieInclusion("u=knox&t=kerberos&e=1517900515610&s=HpSXUOhoXR/2wXrsgPz5lSbNuf8=");
}
private void doTestKnoxCookieInclusion(final String cookieValue) {