Posted to commits@sentry.apache.org by am...@apache.org on 2018/10/17 23:42:53 UTC
sentry git commit: SENTRY-2427: Use Hadoop KerberosName class to
derive shortName (Arjun Mishra reviewed by Na Li and Sergio Pena)
Repository: sentry
Updated Branches:
refs/heads/master 170b0c38b -> 542e984ba
SENTRY-2427: Use Hadoop KerberosName class to derive shortName (Arjun Mishra reviewed by Na Li and Sergio Pena)
Change-Id: Iab39a07c68d651e4d779fd33a4bccceb0de04b14
Project: http://git-wip-us.apache.org/repos/asf/sentry/repo
Commit: http://git-wip-us.apache.org/repos/asf/sentry/commit/542e984b
Tree: http://git-wip-us.apache.org/repos/asf/sentry/tree/542e984b
Diff: http://git-wip-us.apache.org/repos/asf/sentry/diff/542e984b
Branch: refs/heads/master
Commit: 542e984ba844b33d452e80946b87ae3cefde4be6
Parents: 170b0c3
Author: amishra <am...@cloudera.com>
Authored: Wed Oct 17 17:21:10 2018 -0500
Committer: amishra <am...@cloudera.com>
Committed: Wed Oct 17 17:37:53 2018 -0500
----------------------------------------------------------------------
.../sentry/service/thrift/GSSCallback.java | 28 +++++++-
.../sentry/service/thrift/TestGSSCallback.java | 75 ++++++++++++++++++++
2 files changed, 102 insertions(+), 1 deletion(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/sentry/blob/542e984b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/service/thrift/GSSCallback.java
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/service/thrift/GSSCallback.java b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/service/thrift/GSSCallback.java
index d2d85d3..bc2817d 100644
--- a/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/service/thrift/GSSCallback.java
+++ b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/service/thrift/GSSCallback.java
@@ -26,8 +26,11 @@ import javax.security.sasl.AuthorizeCallback;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.security.SaslRpcServer;
+import org.apache.hadoop.security.authentication.util.KerberosName;
+import org.apache.hadoop.security.authentication.util.KerberosName.NoMatchingRule;
import org.apache.sentry.core.common.exception.ConnectionDeniedException;
import org.apache.sentry.service.common.ServiceConstants.ServerConfig;
+import org.slf4j.LoggerFactory;
public class GSSCallback extends SaslRpcServer.SaslGssCallbackHandler {
@@ -60,7 +63,30 @@ public class GSSCallback extends SaslRpcServer.SaslGssCallbackHandler {
if (allowedPrincipals == null) {
return false;
}
- String principalShortName = getShortName(principal);
+ String principalShortName;
+ if (KerberosName.hasRulesBeenSet()) {
+ try {
+ KerberosName krbName = new KerberosName(principal);
+ principalShortName = krbName.getShortName();
+ //To accommodate HADOOP-12751 where some versions don't throw NoMatchingRule exception
+ if (principalShortName.equals(principal)) {
+ principalShortName = getShortName(principal);
+ }
+ } catch (NoMatchingRule e) {
+ LoggerFactory.getLogger(GSSCallback.class)
+ .debug("No matching rule found for principal " + principal, e);
+ principalShortName = getShortName(principal);
+ } catch (Exception e) {
+ LoggerFactory.getLogger(GSSCallback.class)
+ .debug("Cannot derive short name from KerberosName. "
+ + "Use principal name prefix to authenticate", e);
+ principalShortName = getShortName(principal);
+ }
+
+ } else {
+ principalShortName = getShortName(principal);
+ }
+
List<String> items = Arrays.asList(allowedPrincipals.split("\\s*,\\s*"));
for (String item : items) {
if (comparePrincipals(item, principalShortName)) {
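Review bot: The `catch (NoMatchingRule e)` branch falls back to `getShortName(principal)`, so a principal that the configured auth_to_local rules explicitly reject is still authorised by its name prefix rather than denied; the same fail-open fallback sits under the broad `catch (Exception e)`, which also covers a malformed principal rejected by the `KerberosName` constructor. If getShortName (defined outside this hunk) strips the realm, as the new test's acceptance of `hive@GCE.CLOUDERA.COM` against an allow-list of `hive` suggests, then a constructed principal such as `hive@OTHER.REALM.COM` would pass the allow-list under a rule set that maps only `user1@TEST.REALM.COM`, which is exactly what the rules were configured to prevent. When rules have been set they should be authoritative: replace the body of the NoMatchingRule branch with `LOGGER.warn("No auth_to_local rule matched principal {}; denying connection", principal); return false;` and apply the same treatment to the HADOOP-12751 path where getShortName() returns the principal unchanged, keeping the prefix fallback only for the `hasRulesBeenSet()` false path. These are access-control decisions, so the two `debug` calls should be at warn level with parameterized messages instead of string concatenation, and the logger belongs in a `private static final Logger LOGGER` field rather than a `LoggerFactory.getLogger(GSSCallback.class)` call on every authentication attempt. allowConnect begins and ends outside this hunk.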
http://git-wip-us.apache.org/repos/asf/sentry/blob/542e984b/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/service/thrift/TestGSSCallback.java
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/service/thrift/TestGSSCallback.java b/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/service/thrift/TestGSSCallback.java
new file mode 100644
index 0000000..aec1a63
--- /dev/null
+++ b/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/service/thrift/TestGSSCallback.java
@@ -0,0 +1,75 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one or more contributor license
+ * agreements. See the NOTICE file distributed with this work for additional information regarding
+ * copyright ownership. The ASF licenses this file to you under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with the License. You may obtain
+ * a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software distributed under the License
+ * is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
+ * or implied. See the License for the specific language governing permissions and limitations under
+ * the License.
+ */
+package org.apache.sentry.service.thrift;
+
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertTrue;
+
+import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.security.authentication.util.KerberosName;
+import org.apache.sentry.service.common.ServiceConstants.ServerConfig;
+import org.junit.Before;
+import org.junit.Test;
+
+/**
+ *
+ */
+public class TestGSSCallback {
+
+ private static final Configuration conf = new Configuration();
+ private GSSCallback callBack;
+
+ @Before
+ public void setUp() {
+ conf.set(ServerConfig.ALLOW_CONNECT, "hive");
+ callBack = new GSSCallback(conf);
+ }
+
+ @Test
+ public void testAllowConnectOnKerberosPrincipal() {
+ //Test with ruleset not set
+ String validPrincipal = "hive@GCE.CLOUDERA.COM";
+ assertTrue("Authenticate valid user", callBack.allowConnect(validPrincipal));
+
+ String invalidPrincipal = "impala@GCE.CLOUDERA.COM";
+ assertFalse("Do not authenticate invalid user", callBack.allowConnect(invalidPrincipal));
+
+ //Test with ruleset set to DEFAULT
+ String ruleString = "DEFAULT";
+ KerberosName.setRules(ruleString);
+
+ assertTrue("Authenticate valid user", callBack.allowConnect(validPrincipal));
+ assertFalse("Do not authenticate invalid user", callBack.allowConnect(invalidPrincipal));
+ }
+
+ @Test
+ public void testAllowConnectWithRuleSet() {
+
+ String ruleString = "RULE:[1:$1@$0](user1@TEST.REALM.COM)s/.*/hive/";
+ KerberosName.setRules(ruleString);
+
+ String validPrincipal = "user1@TEST.REALM.COM";
+ assertTrue("Authenticate valid user", callBack.allowConnect(validPrincipal));
+
+ //New rule for a different user
+ ruleString = "RULE:[1:$1@$0](user2@TEST.REALM.COM)s/.*/solr/";
+ KerberosName.setRules(ruleString);
+ String invalidPrincipal1 = "user2@TEST.REALM.COM";
+ assertFalse("Do not authenticate invalid user", callBack.allowConnect(invalidPrincipal1));
+ String invalidPrincipal2 = "user3@TEST.REALM.COM";
+ assertFalse("Do not authenticate invalid user", callBack.allowConnect(invalidPrincipal2));
+ }
+
+}
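Review bot: `KerberosName.setRules(ruleString);` mutates static state that is never reset, so testAllowConnectOnKerberosPrincipal and testAllowConnectWithRuleSet depend on execution order; the assertions labelled "ruleset not set" in the first test actually see whatever rules a previously run test left behind. Add an `@After` method that clears the rules, `KerberosName.setRules(null);`, which makes hasRulesBeenSet() return false again in Hadoop versions whose setRules accepts null — confirm against the version on the classpath. Neither test covers the case the rules are meant to enforce: a principal whose prefix matches the allow-list but whose realm no rule maps, for example the constructed `hive@OTHER.REALM.COM` under the `user1@TEST.REALM.COM` rule; an `assertFalse` for that input would pin whether the prefix fallback in GSSCallback is intended. The empty class Javadoc at `/**` should state what the class covers, e.g. `/** Unit tests for {@link GSSCallback#allowConnect(String)} with and without Kerberos auth_to_local rules. */`.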