Posted to commits@knox.apache.org by sm...@apache.org on 2022/05/12 07:29:48 UTC
[knox] branch master updated: KNOX-2745 VirtualGroupMapper doesn't use groups from HadoopGroupProviderFilter (#575)
This is an automated email from the ASF dual-hosted git repository.
smolnar pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/knox.git
The following commit(s) were added to refs/heads/master by this push:
new 1b177a263 KNOX-2745 VirtualGroupMapper doesn't use groups from HadoopGroupProviderFilter (#575)
1b177a263 is described below
commit 1b177a2638126afb5280ad5c113e901e42fec375
Author: Attila Magyar <m....@gmail.com>
AuthorDate: Thu May 12 09:29:43 2022 +0200
KNOX-2745 VirtualGroupMapper doesn't use groups from HadoopGroupProviderFilter (#575)
---
.../filter/CommonIdentityAssertionFilter.java | 10 +++-
.../groups/filter/HadoopGroupProviderFilter.java | 7 ++-
.../filter/HadoopGroupProviderFilterTest.java | 61 +++++++++++++++++++++-
3 files changed, 74 insertions(+), 4 deletions(-)
diff --git a/gateway-provider-identity-assertion-common/src/main/java/org/apache/knox/gateway/identityasserter/common/filter/CommonIdentityAssertionFilter.java b/gateway-provider-identity-assertion-common/src/main/java/org/apache/knox/gateway/identityasserter/common/filter/CommonIdentityAssertionFilter.java
index 4c3429141..c15019064 100644
--- a/gateway-provider-identity-assertion-common/src/main/java/org/apache/knox/gateway/identityasserter/common/filter/CommonIdentityAssertionFilter.java
+++ b/gateway-provider-identity-assertion-common/src/main/java/org/apache/knox/gateway/identityasserter/common/filter/CommonIdentityAssertionFilter.java
@@ -152,7 +152,7 @@ public class CommonIdentityAssertionFilter extends AbstractIdentityAssertionFilt
mappedPrincipalName = mapUserPrincipal(mappedPrincipalName);
String[] mappedGroups = mapGroupPrincipalsBase(mappedPrincipalName, subject);
String[] groups = mapGroupPrincipals(mappedPrincipalName, subject);
- String[] virtualGroups = virtualGroupMapper.mapGroups(mappedPrincipalName, groups(subject), request).toArray(new String[0]);
+ String[] virtualGroups = virtualGroupMapper.mapGroups(mappedPrincipalName, combine(subject, groups), request).toArray(new String[0]);
groups = combineGroupMappings(mappedGroups, groups);
groups = combineGroupMappings(virtualGroups, groups);
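Review bot: The set passed to `virtualGroupMapper.mapGroups(...)` now holds the subject's groups plus the result of `mapGroupPrincipals`, but `mappedGroups` from `mapGroupPrincipalsBase` is still left out, so a virtual-group predicate such as `(member ...)` cannot match a group that comes only from that mapping. Since virtual groups feed later authorization decisions, this asymmetry should be either closed or stated. If it is intended, a comment above the call would do, e.g. `// virtual groups are evaluated against subject and provider groups only; mappedGroups are merged afterwards`. If it is not intended, the merge on the following line could be moved ahead of the `mapGroups` call. The enclosing method starts and ends outside this hunk, so the null handling of `combineGroupMappings` cannot be checked from here.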
@@ -162,6 +162,14 @@ public class CommonIdentityAssertionFilter extends AbstractIdentityAssertionFilt
continueChainAsPrincipal(wrapper, response, chain, mappedPrincipalName, unique(groups));
}
+ private Set<String> combine(Subject subject, String[] groups) {
+ Set<String> result = groups(subject);
+ if (groups != null) {
+ result.addAll(Arrays.asList(groups));
+ }
+ return result;
+ }
+
private static String[] unique(String[] groups) {
return new HashSet<>(Arrays.asList(groups)).toArray(new String[0]);
}
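Review bot: `combine` calls `addAll` directly on the set returned by `groups(subject)`, so the provider groups are written into whatever collection that helper hands back. `groups(subject)` is defined outside this hunk. If it returns an unmodifiable set the call throws `UnsupportedOperationException`, and if it returns a cached or shared set the extra groups would persist beyond this request. Copying first removes the dependency on that detail: `Set<String> result = new HashSet<>(groups(subject));`. A one-line Javadoc such as `/** Returns the union of the subject's group principals and the given provider groups; groups may be null. */` would also record the null contract that the `if` already implements.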
diff --git a/gateway-provider-identity-assertion-hadoop-groups/src/main/java/org/apache/knox/gateway/identityasserter/hadoop/groups/filter/HadoopGroupProviderFilter.java b/gateway-provider-identity-assertion-hadoop-groups/src/main/java/org/apache/knox/gateway/identityasserter/hadoop/groups/filter/HadoopGroupProviderFilter.java
index 95026a325..b53695c83 100644
--- a/gateway-provider-identity-assertion-hadoop-groups/src/main/java/org/apache/knox/gateway/identityasserter/hadoop/groups/filter/HadoopGroupProviderFilter.java
+++ b/gateway-provider-identity-assertion-hadoop-groups/src/main/java/org/apache/knox/gateway/identityasserter/hadoop/groups/filter/HadoopGroupProviderFilter.java
@@ -96,8 +96,7 @@ public class HadoopGroupProviderFilter extends CommonIdentityAssertionFilter {
/* return the groups as seen by Hadoop */
String[] groups;
try {
- final List<String> groupList = hadoopGroups
- .getGroups(mappedPrincipalName);
+ final List<String> groupList = hadoopGroups(mappedPrincipalName);
LOG.groupsFound(mappedPrincipalName, groupList.toString());
groups = groupList.toArray(new String[0]);
@@ -114,6 +113,10 @@ public class HadoopGroupProviderFilter extends CommonIdentityAssertionFilter {
return groups;
}
+ protected List<String> hadoopGroups(String mappedPrincipalName) throws IOException {
+ return hadoopGroups.getGroups(mappedPrincipalName);
+ }
+
@Override
public String mapUserPrincipal(final String principalName) {
/* return the passed principal */
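Review bot: The new `protected List<String> hadoopGroups(String)` is an overridable hook for the group lookup that drives identity assertion, and it has no documentation saying it exists only as a test seam. It also shares its name with the `hadoopGroups` field it reads, which makes `hadoopGroups.getGroups(...)` and `hadoopGroups(...)` easy to confuse. I would add a comment such as `/* overridable for tests only; production code must resolve groups through the configured Hadoop Groups instance */`. Narrowing the visibility to package-private would also fit, since the test class is in the same package. A distinct name such as `lookupHadoopGroups` would avoid the clash with the field.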
diff --git a/gateway-provider-identity-assertion-hadoop-groups/src/test/java/org/apache/knox/gateway/identityasserter/hadoop/groups/filter/HadoopGroupProviderFilterTest.java b/gateway-provider-identity-assertion-hadoop-groups/src/test/java/org/apache/knox/gateway/identityasserter/hadoop/groups/filter/HadoopGroupProviderFilterTest.java
index 18bcb0cb2..5ed4bc97c 100644
--- a/gateway-provider-identity-assertion-hadoop-groups/src/test/java/org/apache/knox/gateway/identityasserter/hadoop/groups/filter/HadoopGroupProviderFilterTest.java
+++ b/gateway-provider-identity-assertion-hadoop-groups/src/test/java/org/apache/knox/gateway/identityasserter/hadoop/groups/filter/HadoopGroupProviderFilterTest.java
@@ -19,17 +19,27 @@ package org.apache.knox.gateway.identityasserter.hadoop.groups.filter;
import static org.hamcrest.CoreMatchers.is;
import static org.hamcrest.MatcherAssert.assertThat;
+import static org.junit.Assert.assertEquals;
import java.security.Principal;
+import java.security.PrivilegedExceptionAction;
import java.util.Arrays;
import java.util.Collections;
+import java.util.HashSet;
import java.util.List;
+import java.util.Set;
import javax.security.auth.Subject;
+import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
+import javax.servlet.ServletResponse;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletRequestWrapper;
+import javax.servlet.http.HttpServletResponse;
+import org.apache.knox.gateway.identityasserter.common.filter.CommonIdentityAssertionFilter;
import org.apache.knox.gateway.security.PrimaryPrincipal;
import org.easymock.EasyMock;
import org.junit.Test;
@@ -40,7 +50,7 @@ import org.junit.Test;
* @since 0.11.0
*/
public class HadoopGroupProviderFilterTest {
-
+ private static final String USER_NAME = "knox";
/**
* System username
*/
@@ -201,4 +211,53 @@ public class HadoopGroupProviderFilterTest {
}
+ @Test
+ public void testGroupsWithVirtualGroup() throws Exception {
+ Set<String> calculatedGroups = new HashSet<>();
+ FilterConfig config = EasyMock.createNiceMock(FilterConfig.class);
+ ServletContext context = EasyMock.createNiceMock(ServletContext.class);
+ EasyMock.expect(config.getServletContext()).andReturn(context).anyTimes();
+ EasyMock.expect(config.getInitParameterNames()).
+ andReturn(Collections.enumeration(Arrays.asList(
+ CommonIdentityAssertionFilter.VIRTUAL_GROUP_MAPPING_PREFIX + "test-virtual-group")))
+ .anyTimes();
+ EasyMock.expect(config.getInitParameter(CommonIdentityAssertionFilter.VIRTUAL_GROUP_MAPPING_PREFIX + "test-virtual-group")).
+ andReturn("(and (username 'knox') (member 'hadoop-group'))").anyTimes();
+
+ EasyMock.replay(config);
+ EasyMock.replay(context);
+
+ HttpServletRequest request = EasyMock.createNiceMock( HttpServletRequest.class );
+ EasyMock.replay(request);
+
+ HttpServletResponse response = EasyMock.createNiceMock( HttpServletResponse.class );
+ EasyMock.replay(response);
+
+ FilterChain chain = (req, resp) -> {};
+
+ HadoopGroupProviderFilter filter = new HadoopGroupProviderFilter() {
+ @Override
+ protected void continueChainAsPrincipal(HttpServletRequestWrapper request, ServletResponse response, FilterChain chain, String mappedPrincipalName, String[] groups) {
+ calculatedGroups.addAll(Arrays.asList(groups));
+ }
+
+ @Override
+ protected List<String> hadoopGroups(String mappedPrincipalName) {
+ return Collections.singletonList("hadoop-group");
+ }
+ };
+
+ Subject subject = new Subject();
+ subject.getPrincipals().add(new PrimaryPrincipal(USER_NAME));
+ Subject.doAs(
+ subject,
+ (PrivilegedExceptionAction<Object>) () -> {
+ filter.init(config);
+ filter.doFilter(request, response, chain);
+ return null;
+ });
+
+ assertEquals(
+ new HashSet<>(Arrays.asList("hadoop-group", "test-virtual-group")), calculatedGroups);
+ }
}
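Review bot: `testGroupsWithVirtualGroup` covers only the positive case, where the stubbed `hadoopGroups` returns `hadoop-group` and the virtual group is granted. A group-mapping change that affects authorization also needs a companion negative test. That test would stub `hadoopGroups` to return an unrelated group, or `Collections.emptyList()`, and assert that `test-virtual-group` is absent from `calculatedGroups`, so that a predicate which matches too broadly fails the build. The predicate string also hard-codes `'knox'` while the subject is built from `USER_NAME`. Building the predicate from the constant keeps the two in step: `"(and (username '" + USER_NAME + "') (member 'hadoop-group'))"`.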