Posted to commits@knox.apache.org by lm...@apache.org on 2013/09/30 21:46:27 UTC
git commit: KNOX-172 - added utility class for Subject to provide
access to primary,
impersonated and effective principal names. Also updated existing classes to
leverage it.
Updated Branches:
refs/heads/master d03cf8c98 -> c72c1327e
KNOX-172 - added utility class for Subject to provide access to primary, impersonated and effective principal names. Also updated existing classes to leverage it.
Project: http://git-wip-us.apache.org/repos/asf/incubator-knox/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-knox/commit/c72c1327
Tree: http://git-wip-us.apache.org/repos/asf/incubator-knox/tree/c72c1327
Diff: http://git-wip-us.apache.org/repos/asf/incubator-knox/diff/c72c1327
Branch: refs/heads/master
Commit: c72c1327ea5040bd6d9c362feb5d62f99103b71e
Parents: d03cf8c
Author: Larry McCay <lm...@hortonworks.com>
Authored: Mon Sep 30 15:46:13 2013 -0400
Committer: Larry McCay <lm...@hortonworks.com>
Committed: Mon Sep 30 15:46:13 2013 -0400
----------------------------------------------------------------------
.../function/UsernameFunctionProcessor.java | 6 +-
.../security/AbstractIdentityAssertionBase.java | 22 +----
.../hadoop/gateway/security/SubjectUtils.java | 85 ++++++++++++++++++++
.../hadoop/gateway/GatewayBasicFuncTest.java | 5 +-
4 files changed, 91 insertions(+), 27 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/c72c1327/gateway-provider-identity-assertion-pseudo/src/main/java/org/apache/hadoop/gateway/identityasserter/function/UsernameFunctionProcessor.java
----------------------------------------------------------------------
diff --git a/gateway-provider-identity-assertion-pseudo/src/main/java/org/apache/hadoop/gateway/identityasserter/function/UsernameFunctionProcessor.java b/gateway-provider-identity-assertion-pseudo/src/main/java/org/apache/hadoop/gateway/identityasserter/function/UsernameFunctionProcessor.java
index b3c90f5..1e65f89 100644
--- a/gateway-provider-identity-assertion-pseudo/src/main/java/org/apache/hadoop/gateway/identityasserter/function/UsernameFunctionProcessor.java
+++ b/gateway-provider-identity-assertion-pseudo/src/main/java/org/apache/hadoop/gateway/identityasserter/function/UsernameFunctionProcessor.java
@@ -23,6 +23,7 @@ import org.apache.hadoop.gateway.filter.rewrite.spi.UrlRewriteFunctionProcessor;
import org.apache.hadoop.gateway.filter.security.AbstractIdentityAssertionBase;
import org.apache.hadoop.gateway.i18n.GatewaySpiMessages;
import org.apache.hadoop.gateway.i18n.messages.MessagesFactory;
+import org.apache.hadoop.gateway.security.SubjectUtils;
import javax.security.auth.Subject;
import java.security.AccessController;
@@ -30,7 +31,6 @@ import java.util.ArrayList;
import java.util.List;
public class UsernameFunctionProcessor
- extends AbstractIdentityAssertionBase
implements UrlRewriteFunctionProcessor<UsernameFunctionDescriptor> {
private static final GatewaySpiMessages LOG = MessagesFactory.get( GatewaySpiMessages.class );
@@ -58,10 +58,10 @@ public class UsernameFunctionProcessor
@Override
public List<String> resolve( UrlRewriteContext context, List<String> parameters ) throws Exception {
List<String> results = null;
- Subject subject = Subject.getSubject( AccessController.getContext() );
+ Subject subject = SubjectUtils.getCurrentSubject( );
if( subject != null ) {
results = new ArrayList<String>( 1 );
- String username = getPrincipalName( subject );
+ String username = SubjectUtils.getEffectivePrincipalName(subject);
results.add( username );
} else if( parameters != null && parameters.size() > 0 ) {
results = new ArrayList<String>( 1 );
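Review bot: The substitution on the `String username = SubjectUtils.getEffectivePrincipalName(subject);` line changes which identity is rewritten into the URL: getEffectivePrincipalName (in SubjectUtils on this same commit) prefers an ImpersonatedPrincipal over the PrimaryPrincipal, whereas the replaced getPrincipalName only ever returned the primary name, and the commit message describes this only as "leverage it". A one-line comment at the call would make the intent explicit, e.g. `// use the impersonated identity when one is present, otherwise the authenticated (primary) one`. The `java.security.AccessController` import at line 40 also looks unused now that the `Subject.getSubject( AccessController.getContext() )` call is gone, if nothing else in the file references it. The resolve method continues past the end of the hunk.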
http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/c72c1327/gateway-spi/src/main/java/org/apache/hadoop/gateway/filter/security/AbstractIdentityAssertionBase.java
----------------------------------------------------------------------
diff --git a/gateway-spi/src/main/java/org/apache/hadoop/gateway/filter/security/AbstractIdentityAssertionBase.java b/gateway-spi/src/main/java/org/apache/hadoop/gateway/filter/security/AbstractIdentityAssertionBase.java
index 8e083c8..ec83849 100644
--- a/gateway-spi/src/main/java/org/apache/hadoop/gateway/filter/security/AbstractIdentityAssertionBase.java
+++ b/gateway-spi/src/main/java/org/apache/hadoop/gateway/filter/security/AbstractIdentityAssertionBase.java
@@ -17,11 +17,9 @@
*/
package org.apache.hadoop.gateway.filter.security;
-import org.apache.hadoop.gateway.security.PrimaryPrincipal;
+import org.apache.hadoop.gateway.security.SubjectUtils;
import javax.security.auth.Subject;
-import java.security.Principal;
-import java.util.Set;
public class AbstractIdentityAssertionBase {
@@ -32,23 +30,7 @@ public class AbstractIdentityAssertionBase {
* @return principalName
*/
protected String getPrincipalName(Subject subject) {
- // look first for the knox specific PrimaryPrincipal to use as the asserted identity
- // if not found fallback to the first principal found
- String name = null;
- Set<PrimaryPrincipal> primaryPrincipals = subject.getPrincipals(PrimaryPrincipal.class);
- if (primaryPrincipals.size() > 0) {
- return ((PrimaryPrincipal)primaryPrincipals.toArray()[0]).getName();
- }
-
- // LJM TODO: this implementation assumes the first one found
- // should configure through context param based on knowledge
- // of the authentication provider in use
- Set<Principal> principals = subject.getPrincipals();
- for (Principal p : principals) {
- name = p.getName();
- break;
- }
- return name;
+ return SubjectUtils.getPrimaryPrincipalName(subject);
}
}
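Review bot: The Javadoc on getPrincipalName, which starts before this hunk, still says only `@return principalName`, yet the contract callers depend on now lives in SubjectUtils: it returns the PrimaryPrincipal's name, otherwise the name of whichever Principal the subject's set happens to yield first, or null when the subject has none. Since identity asserters build the asserted identity from this value, the comment should state that fallback and its unspecified ordering, e.g. `Returns the subject's PrimaryPrincipal name; if none is present, the first principal the set yields (order unspecified), or null if the subject has no principals.` The method also still dereferences `subject` without a null check, which is unchanged from before.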
http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/c72c1327/gateway-spi/src/main/java/org/apache/hadoop/gateway/security/SubjectUtils.java
----------------------------------------------------------------------
diff --git a/gateway-spi/src/main/java/org/apache/hadoop/gateway/security/SubjectUtils.java b/gateway-spi/src/main/java/org/apache/hadoop/gateway/security/SubjectUtils.java
new file mode 100644
index 0000000..d40613e
--- /dev/null
+++ b/gateway-spi/src/main/java/org/apache/hadoop/gateway/security/SubjectUtils.java
@@ -0,0 +1,85 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.gateway.security;
+
+import java.security.AccessController;
+import java.security.Principal;
+import java.util.Set;
+
+import javax.security.auth.Subject;
+
+/**
+ * General utility methods for interrogating the standard java Subject
+ */
+public class SubjectUtils {
+
+ public static Subject getCurrentSubject() {
+ return Subject.getSubject( AccessController.getContext() );
+ }
+
+ public static String getPrimaryPrincipalName(Subject subject) {
+ String name = null;
+
+ Set<PrimaryPrincipal> primaryPrincipals = subject.getPrincipals(PrimaryPrincipal.class);
+ if (primaryPrincipals.size() > 0) {
+ return ((PrimaryPrincipal)primaryPrincipals.toArray()[0]).getName();
+ }
+
+ // LJM TODO: this implementation assumes the first one found.
+ // We should configure through context param based on knowledge
+ // of the authentication provider in use
+ Set<Principal> principals = subject.getPrincipals();
+ for (Principal p : principals) {
+ name = p.getName();
+ break;
+ }
+
+ return name;
+ }
+
+ public static boolean isImpersonating(Subject subject) {
+ boolean impersonating = false;
+
+ impersonating = (subject.getPrincipals(ImpersonatedPrincipal.class).size() > 0);
+
+ return impersonating;
+ }
+
+ public static String getImpersonatedPrincipalName(Subject subject) {
+ String name = null;
+
+ Set<ImpersonatedPrincipal> impPrincipals = subject.getPrincipals(ImpersonatedPrincipal.class);
+ if (impPrincipals.size() > 0) {
+ return ((PrimaryPrincipal)impPrincipals.toArray()[0]).getName();
+ }
+
+ return name;
+ }
+
+ public static String getEffectivePrincipalName(Subject subject) {
+ String name = null;
+
+ name = getImpersonatedPrincipalName(subject);
+ if (name == null) {
+ name = getPrimaryPrincipalName(subject);
+ }
+
+ return name;
+ }
+
+}
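Review bot: getImpersonatedPrincipalName casts an element of a `Set<ImpersonatedPrincipal>` to `PrimaryPrincipal` on the line `return ((PrimaryPrincipal)impPrincipals.toArray()[0]).getName();`; unless ImpersonatedPrincipal extends PrimaryPrincipal, which this page does not show, every subject carrying an impersonated principal will fail with a ClassCastException inside getEffectivePrincipalName, the path UsernameFunctionProcessor now uses. The cast is unnecessary because the set is already typed: `return impPrincipals.iterator().next().getName();`, and the same form would replace the raw `toArray()[0]` cast in getPrimaryPrincipalName. Separately, the fallback in getPrimaryPrincipalName asserts whichever Principal the subject's set iterates first when no PrimaryPrincipal was added, so the identity forwarded downstream depends on set ordering; the TODO admits this, but a deterministic choice (or refusing to assert) is warranted before authorization relies on it. All four methods also dereference `subject` without a null check even though getCurrentSubject can return null.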
http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/c72c1327/gateway-test/src/test/java/org/apache/hadoop/gateway/GatewayBasicFuncTest.java
----------------------------------------------------------------------
diff --git a/gateway-test/src/test/java/org/apache/hadoop/gateway/GatewayBasicFuncTest.java b/gateway-test/src/test/java/org/apache/hadoop/gateway/GatewayBasicFuncTest.java
index 61a38ee..11eeb0c 100644
--- a/gateway-test/src/test/java/org/apache/hadoop/gateway/GatewayBasicFuncTest.java
+++ b/gateway-test/src/test/java/org/apache/hadoop/gateway/GatewayBasicFuncTest.java
@@ -176,11 +176,8 @@ public class GatewayBasicFuncTest {
.addTag( "enabled" ).addText( "true" )
.addTag( "name" ).addText( "AclsAuthz" ).gotoParent()
.addTag( "param" )
- .addTag( "name" ).addText( "namenode-acls" )
+ .addTag( "name" ).addText( "webhdfs-acl" )
.addTag( "value" ).addText( "hdfs;*;*" ).gotoParent()
- .addTag( "param" )
- .addTag( "name" ).addText( "acl.processing.mode" )
- .addTag( "value" ).addText( "AND" ).gotoParent().gotoParent()
.gotoRoot()
.addTag( "service" )
.addTag( "role" ).addText( "WEBHDFS" )
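Review bot: This fixture change is not mentioned in the commit message and does not appear related to KNOX-172: the AclsAuthz param name changes from `namenode-acls` to `webhdfs-acl` and the `acl.processing.mode` = `AND` param is removed. Without the mode param the test runs under whatever default the provider applies, which this page does not show, so AND-mode processing is no longer exercised here. If this tracks a provider-side rename, say so in the message or split it into its own commit so the test change is reviewable with it. The enclosing test method starts before and ends after this hunk.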