Posted to commits@knox.apache.org by lm...@apache.org on 2013/09/30 06:09:50 UTC

git commit: KNOX-171 added support for wild carded ip address acts. Fixed an issue where users that had no groups in their Subject where not passing a wildcard test for groups. Also, fixed an issue for when there were no principal.mappings in the identit

Updated Branches:
  refs/heads/master 82edc13b4 -> 700023750


KNOX-171 added support for wildcarded IP address ACLs. Fixed an issue where users that had no groups in their Subject were not passing a wildcard test for groups. Also, fixed an issue for when there were no principal.mappings in the identity-assertion provider config.

Project: http://git-wip-us.apache.org/repos/asf/incubator-knox/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-knox/commit/70002375
Tree: http://git-wip-us.apache.org/repos/asf/incubator-knox/tree/70002375
Diff: http://git-wip-us.apache.org/repos/asf/incubator-knox/diff/70002375

Branch: refs/heads/master
Commit: 700023750cc1399952761555514c59ca94e5c70b
Parents: 82edc13
Author: Larry McCay <lm...@hortonworks.com>
Authored: Mon Sep 30 00:09:26 2013 -0400
Committer: Larry McCay <lm...@hortonworks.com>
Committed: Mon Sep 30 00:09:26 2013 -0400

----------------------------------------------------------------------
 .../gateway/filter/AclsAuthorizationFilter.java | 30 ++++++++++++++++++++
 .../principal/SimplePrincipalMapper.java        | 28 +++++++++---------
 2 files changed, 45 insertions(+), 13 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/70002375/gateway-provider-security-authz-acls/src/main/java/org/apache/hadoop/gateway/filter/AclsAuthorizationFilter.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-authz-acls/src/main/java/org/apache/hadoop/gateway/filter/AclsAuthorizationFilter.java b/gateway-provider-security-authz-acls/src/main/java/org/apache/hadoop/gateway/filter/AclsAuthorizationFilter.java
index a0fddee..57738fc 100644
--- a/gateway-provider-security-authz-acls/src/main/java/org/apache/hadoop/gateway/filter/AclsAuthorizationFilter.java
+++ b/gateway-provider-security-authz-acls/src/main/java/org/apache/hadoop/gateway/filter/AclsAuthorizationFilter.java
@@ -45,10 +45,12 @@ public class AclsAuthorizationFilter implements Filter {
   private ArrayList<String> users;
   private ArrayList<String> groups;
   private ArrayList<String> ipaddr;
+  private ArrayList<String> wildCardIPs;
   private boolean anyUser = true;
   private boolean anyGroup = true;
   private boolean anyIP = true;
   private String aclProcessingMode = null;
+
   
   @Override
   public void init(FilterConfig filterConfig) throws ServletException {
@@ -94,9 +96,17 @@ public class AclsAuthorizationFilter implements Filter {
       }
 
       ipaddr = new ArrayList<String>();
+      wildCardIPs = new ArrayList<String>();
       Collections.addAll(ipaddr, parts[2].split(","));
       if (!ipaddr.contains("*")) {
         anyIP = false;
+        // check whether there are any wildcarded ip's - example: 192.* or 192.168.* or 192.168.1.*
+        for (String addr : ipaddr) {
+          if (addr.contains("*")) {
+            wildCardIPs.add(addr);
+            break;
+          }
+        }
       }
     }
     else {
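Review bot: The `break` right after `wildCardIPs.add(addr);` stops the scan at the first wildcard entry, so an ACL such as `192.168.*,10.0.*` records only `192.168.*` and requests from the second range are rejected by the later wildcard check; remove the `break` so every wildcard entry is collected. While collecting, this is also the natural place to reject malformed entries (a `*` that is not the last character or does not follow a `.`), since the matching code later treats such an entry as a much wider prefix than the administrator wrote; a one-line `if (!addr.endsWith(".*")) { /* log and skip */ continue; }` before the add would do. The body of init() starts outside the hunk.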
@@ -157,6 +167,15 @@ public class AclsAuthorizationFilter implements Filter {
       groupAccess = checkGroupAcls(groups);
       log.groupPrincipalHasAccess(groupAccess);
     }
+    else {
+      // if we have no groups in the subject then make
+      // it true if there is an anyGroup acl
+      // for AND mode and acls like *;*;127.0.0.* we need to
+      // make it pass
+      if (anyGroup && aclProcessingMode.equals("AND")) {
+        groupAccess = true;
+      }
+    }
     log.remoteIPAddress(req.getRemoteAddr());
     ipAddrAccess = checkRemoteIpAcls(req.getRemoteAddr());
     log.remoteIPAddressHasAccess(ipAddrAccess);
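Review bot: `aclProcessingMode.equals("AND")` in the new else branch dereferences a field that the class initialises to `null` (see the field declarations in the first hunk); unless init() always assigns it on every path, a subject with no groups would turn into a NullPointerException from the filter rather than a denial. Writing the test as `"AND".equals(aclProcessingMode)` keeps the same result and is null-safe; if init() does guarantee a value, a one-line comment saying so at the field would save the next reader the same question. The enclosing doFilter logic starts outside the hunk.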
@@ -190,6 +209,17 @@ public class AclsAuthorizationFilter implements Filter {
       if (ipaddr.contains(remoteAddr)) {
         allowed = true;
       }
+      else {
+        // check for wildcards if there are wildcardIP acls configured
+        if (wildCardIPs.size() > 0) {
+          for (String ipacl : wildCardIPs) {
+            if (remoteAddr.startsWith(ipacl.substring(0, ipacl.lastIndexOf('*')))) {
+              allowed = true;
+              break;
+            }
+          }
+        }
+      }
     }
     return allowed;
   }
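Review bot: The prefix match `remoteAddr.startsWith(ipacl.substring(0, ipacl.lastIndexOf('*')))` is broader than the written rule whenever the `*` is not the last character or is not preceded by a dot: `192.168.*.1` collapses to the prefix `192.168.` and admits every host in that range, and `10.1*` admits `10.10.x.x` and `10.100.x.x` alongside `10.1.x.x`. Because the entry form is only enforced textually, the match should accept an entry only when its single `*` is terminal and follows a `.`, or init() should validate that and drop the rest. The `wildCardIPs.size() > 0` guard is redundant with the loop that follows it. checkRemoteIpAcls starts outside the hunk.
```java
      // … unchanged: exact-match check against ipaddr …
      else {
        // a wildcard entry is only a prefix rule when its "*" is terminal and follows an octet separator;
        // anything else would silently widen the rule, so it is not matched
        for (String ipacl : wildCardIPs) {
          int star = ipacl.indexOf('*');
          boolean terminalOctetWildcard =
              star > 0 && star == ipacl.length() - 1 && ipacl.charAt(star - 1) == '.';
          if (terminalOctetWildcard && remoteAddr.startsWith(ipacl.substring(0, star))) {
            allowed = true;
            break;
          }
        }
      }
      // … unchanged: return allowed …
```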

http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/70002375/gateway-spi/src/main/java/org/apache/hadoop/gateway/security/principal/SimplePrincipalMapper.java
----------------------------------------------------------------------
diff --git a/gateway-spi/src/main/java/org/apache/hadoop/gateway/security/principal/SimplePrincipalMapper.java b/gateway-spi/src/main/java/org/apache/hadoop/gateway/security/principal/SimplePrincipalMapper.java
index 7947ba3..6c91b2c 100644
--- a/gateway-spi/src/main/java/org/apache/hadoop/gateway/security/principal/SimplePrincipalMapper.java
+++ b/gateway-spi/src/main/java/org/apache/hadoop/gateway/security/principal/SimplePrincipalMapper.java
@@ -47,19 +47,21 @@ public class SimplePrincipalMapper implements PrincipalMapper {
     HashMap<String, String[]> table = new HashMap<String, String[]>();
     try {
       StringTokenizer t = new StringTokenizer(mappings, ";");
-      do {
-        String mapping = t.nextToken();
- //        System.out.println("+++++++++++++ Mapping: " + mapping);
-        String principals = mapping.substring(0, mapping.indexOf('='));
- //        System.out.println("+++++++++++++ Principals: " + principals);
-        String value = mapping.substring(mapping.indexOf('=')+1);
-        String[] v = value.split(",");
-        String[] p = principals.split(",");
-        for(int i = 0; i < p.length; i++) {
-          table.put(p[i], v);
- //          System.out.println("+++++++++++++ Mapping into Table: " + p[i] + "->" + value);
-        }
-      } while(t.hasMoreTokens());
+      if (t.hasMoreTokens()) {
+        do {
+          String mapping = t.nextToken();
+   //        System.out.println("+++++++++++++ Mapping: " + mapping);
+          String principals = mapping.substring(0, mapping.indexOf('='));
+   //        System.out.println("+++++++++++++ Principals: " + principals);
+          String value = mapping.substring(mapping.indexOf('=')+1);
+          String[] v = value.split(",");
+          String[] p = principals.split(",");
+          for(int i = 0; i < p.length; i++) {
+            table.put(p[i], v);
+   //          System.out.println("+++++++++++++ Mapping into Table: " + p[i] + "->" + value);
+          }
+        } while(t.hasMoreTokens());
+      }
       return table;
     }
     catch (Exception e) {
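Review bot: The new `if (t.hasMoreTokens())` wrapped around the `do { … } while (t.hasMoreTokens())` is exactly a `while (t.hasMoreTokens()) { … }` loop; collapsing it to that form removes a level of nesting and makes the empty-mappings case obvious instead of special. The three commented-out `System.out.println` lines were re-indented along with the move but are dead code and should be deleted rather than carried forward. Separately, an entry without `=` makes `mapping.indexOf('=')` return -1 and `substring(0, -1)` throw, which lands in the `catch (Exception e)` whose handling is outside the hunk; a guard such as `int eq = mapping.indexOf('='); if (eq < 0) { continue; }` (or a logged rejection) would make the malformed-entry behaviour explicit.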