Posted to commits@knox.apache.org by lm...@apache.org on 2013/09/30 06:09:50 UTC
git commit: KNOX-171 added support for wild carded ip address acts.
Fixed an issue where users that had no groups in their Subject where not
passing a wildcard test for groups. Also,
fixed an issue for when there were no principal.mappings in the identit
Updated Branches:
refs/heads/master 82edc13b4 -> 700023750
KNOX-171 added support for wild carded ip address acls. Fixed an issue where users that had no groups in their Subject were not passing a wildcard test for groups. Also, fixed an issue for when there were no principal.mappings in the identity-assertion provider config.
Project: http://git-wip-us.apache.org/repos/asf/incubator-knox/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-knox/commit/70002375
Tree: http://git-wip-us.apache.org/repos/asf/incubator-knox/tree/70002375
Diff: http://git-wip-us.apache.org/repos/asf/incubator-knox/diff/70002375
Branch: refs/heads/master
Commit: 700023750cc1399952761555514c59ca94e5c70b
Parents: 82edc13
Author: Larry McCay <lm...@hortonworks.com>
Authored: Mon Sep 30 00:09:26 2013 -0400
Committer: Larry McCay <lm...@hortonworks.com>
Committed: Mon Sep 30 00:09:26 2013 -0400
----------------------------------------------------------------------
.../gateway/filter/AclsAuthorizationFilter.java | 30 ++++++++++++++++++++
.../principal/SimplePrincipalMapper.java | 28 +++++++++---------
2 files changed, 45 insertions(+), 13 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/70002375/gateway-provider-security-authz-acls/src/main/java/org/apache/hadoop/gateway/filter/AclsAuthorizationFilter.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-authz-acls/src/main/java/org/apache/hadoop/gateway/filter/AclsAuthorizationFilter.java b/gateway-provider-security-authz-acls/src/main/java/org/apache/hadoop/gateway/filter/AclsAuthorizationFilter.java
index a0fddee..57738fc 100644
--- a/gateway-provider-security-authz-acls/src/main/java/org/apache/hadoop/gateway/filter/AclsAuthorizationFilter.java
+++ b/gateway-provider-security-authz-acls/src/main/java/org/apache/hadoop/gateway/filter/AclsAuthorizationFilter.java
@@ -45,10 +45,12 @@ public class AclsAuthorizationFilter implements Filter {
private ArrayList<String> users;
private ArrayList<String> groups;
private ArrayList<String> ipaddr;
+ private ArrayList<String> wildCardIPs;
private boolean anyUser = true;
private boolean anyGroup = true;
private boolean anyIP = true;
private String aclProcessingMode = null;
+
@Override
public void init(FilterConfig filterConfig) throws ServletException {
@@ -94,9 +96,17 @@ public class AclsAuthorizationFilter implements Filter {
}
ipaddr = new ArrayList<String>();
+ wildCardIPs = new ArrayList<String>();
Collections.addAll(ipaddr, parts[2].split(","));
if (!ipaddr.contains("*")) {
anyIP = false;
+ // check whether there are any wildcarded ip's - example: 192.* or 192.168.* or 192.168.1.*
+ for (String addr : ipaddr) {
+ if (addr.contains("*")) {
+ wildCardIPs.add(addr);
+ break;
+ }
+ }
}
}
else {
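Review bot: The `break` after `wildCardIPs.add(addr);` stops the scan at the first entry containing `*`, so an ACL such as `192.168.*,10.0.*` records only the first pattern and the second can never grant access, because checkRemoteIpAcls consults `wildCardIPs` only after the exact `ipaddr.contains(remoteAddr)` test fails. Removing the `break;` collects every wildcard entry, which is what the comment on the loop describes. It would also be worth rejecting, or at least logging, an entry whose `*` is not the last character while it is being collected here, since the matching code derives its prefix from `lastIndexOf('*')` and an entry like `*.1.2.3` yields an empty prefix. The enclosing method (presumably init) starts and ends outside the hunk.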
@@ -157,6 +167,15 @@ public class AclsAuthorizationFilter implements Filter {
groupAccess = checkGroupAcls(groups);
log.groupPrincipalHasAccess(groupAccess);
}
+ else {
+ // if we have no groups in the subject then make
+ // it true if there is an anyGroup acl
+ // for AND mode and acls like *;*;127.0.0.* we need to
+ // make it pass
+ if (anyGroup && aclProcessingMode.equals("AND")) {
+ groupAccess = true;
+ }
+ }
log.remoteIPAddress(req.getRemoteAddr());
ipAddrAccess = checkRemoteIpAcls(req.getRemoteAddr());
log.remoteIPAddressHasAccess(ipAddrAccess);
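Review bot: `aclProcessingMode.equals("AND")` in the new else branch dereferences a field that the class initialises to `null`, so if init can leave it unset this request-path code throws a NullPointerException instead of denying access; writing it as `"AND".equals(aclProcessingMode)` is null-safe and reads the same. Whether init always assigns the field cannot be seen from this hunk, so this is a hedge rather than a confirmed fault. A one-line comment such as `// no groups in the Subject: in AND mode an anyGroup acl must still let the request pass` would replace the four-line comment more precisely. The enclosing method starts and ends outside the hunk.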
@@ -190,6 +209,17 @@ public class AclsAuthorizationFilter implements Filter {
if (ipaddr.contains(remoteAddr)) {
allowed = true;
}
+ else {
+ // check for wildcards if there are wildcardIP acls configured
+ if (wildCardIPs.size() > 0) {
+ for (String ipacl : wildCardIPs) {
+ if (remoteAddr.startsWith(ipacl.substring(0, ipacl.lastIndexOf('*')))) {
+ allowed = true;
+ break;
+ }
+ }
+ }
+ }
}
return allowed;
}
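Review bot: The wildcard match `remoteAddr.startsWith(ipacl.substring(0, ipacl.lastIndexOf('*')))` is not anchored to an octet boundary and has no guard for where the `*` sits: `192.1*` admits `192.100.0.1` as well as `192.1.0.1`, and an entry with a leading `*` produces an empty prefix, for which `startsWith` is true for every remote address, silently turning that acl into anyIP. Since the documented form is `192.*` or `192.168.1.*`, restricting the match to that form keeps the check as narrow as the administrator intended: `String prefix = ipacl.substring(0, ipacl.lastIndexOf('*'));` then `if (!prefix.isEmpty() && prefix.endsWith(".") && remoteAddr.startsWith(prefix)) {`. As a point of style, `wildCardIPs.size() > 0` reads better as `!wildCardIPs.isEmpty()`, and the loop body guarded by it is safe to run on an empty list anyway, so the outer `if` can go. The start of checkRemoteIpAcls is outside the hunk.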
http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/70002375/gateway-spi/src/main/java/org/apache/hadoop/gateway/security/principal/SimplePrincipalMapper.java
----------------------------------------------------------------------
diff --git a/gateway-spi/src/main/java/org/apache/hadoop/gateway/security/principal/SimplePrincipalMapper.java b/gateway-spi/src/main/java/org/apache/hadoop/gateway/security/principal/SimplePrincipalMapper.java
index 7947ba3..6c91b2c 100644
--- a/gateway-spi/src/main/java/org/apache/hadoop/gateway/security/principal/SimplePrincipalMapper.java
+++ b/gateway-spi/src/main/java/org/apache/hadoop/gateway/security/principal/SimplePrincipalMapper.java
@@ -47,19 +47,21 @@ public class SimplePrincipalMapper implements PrincipalMapper {
HashMap<String, String[]> table = new HashMap<String, String[]>();
try {
StringTokenizer t = new StringTokenizer(mappings, ";");
- do {
- String mapping = t.nextToken();
- // System.out.println("+++++++++++++ Mapping: " + mapping);
- String principals = mapping.substring(0, mapping.indexOf('='));
- // System.out.println("+++++++++++++ Principals: " + principals);
- String value = mapping.substring(mapping.indexOf('=')+1);
- String[] v = value.split(",");
- String[] p = principals.split(",");
- for(int i = 0; i < p.length; i++) {
- table.put(p[i], v);
- // System.out.println("+++++++++++++ Mapping into Table: " + p[i] + "->" + value);
- }
- } while(t.hasMoreTokens());
+ if (t.hasMoreTokens()) {
+ do {
+ String mapping = t.nextToken();
+ // System.out.println("+++++++++++++ Mapping: " + mapping);
+ String principals = mapping.substring(0, mapping.indexOf('='));
+ // System.out.println("+++++++++++++ Principals: " + principals);
+ String value = mapping.substring(mapping.indexOf('=')+1);
+ String[] v = value.split(",");
+ String[] p = principals.split(",");
+ for(int i = 0; i < p.length; i++) {
+ table.put(p[i], v);
+ // System.out.println("+++++++++++++ Mapping into Table: " + p[i] + "->" + value);
+ }
+ } while(t.hasMoreTokens());
+ }
return table;
}
catch (Exception e) {
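Review bot: Wrapping the `do { … } while (t.hasMoreTokens())` in `if (t.hasMoreTokens())` is exactly a `while (t.hasMoreTokens()) { … }` loop, so the new nesting can be flattened to that single form with one less level of indentation. The hunk also carries the old commented-out `System.out.println` debug lines into the re-indented block; they are dead code and can be deleted rather than preserved. A token without `=` still reaches `mapping.substring(0, -1)` and throws, which the `catch (Exception e)` below appears to absorb, though its body is outside the hunk; an explicit `int eq = mapping.indexOf('=');` with a skip-or-throw on `eq < 0` would make the malformed-mapping case visible at startup. The enclosing method starts and ends outside the hunk.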