Posted to commits@sentry.apache.org by ha...@apache.org on 2016/07/18 21:00:28 UTC
sentry git commit: SENTRY-1378: Login fails for a secure Sentry Web
UI (Rahul Sharma, Reviewd by: Sravya Tirukkovalur and Hao Hao)
Repository: sentry
Updated Branches:
refs/heads/sentry-ha-redesign a62664153 -> 17ed7cb7f
SENTRY-1378: Login fails for a secure Sentry Web UI (Rahul Sharma, Reviewed by: Sravya Tirukkovalur and Hao Hao)
Change-Id: Ib02a8f848d903d7d93ec907bee647143e5728667
Project: http://git-wip-us.apache.org/repos/asf/sentry/repo
Commit: http://git-wip-us.apache.org/repos/asf/sentry/commit/17ed7cb7
Tree: http://git-wip-us.apache.org/repos/asf/sentry/tree/17ed7cb7
Diff: http://git-wip-us.apache.org/repos/asf/sentry/diff/17ed7cb7
Branch: refs/heads/sentry-ha-redesign
Commit: 17ed7cb7fa02b67b0c9dd4c0097a981fb977af2f
Parents: a626641
Author: hahao <ha...@cloudera.com>
Authored: Mon Jul 18 13:59:17 2016 -0700
Committer: hahao <ha...@cloudera.com>
Committed: Mon Jul 18 13:59:17 2016 -0700
----------------------------------------------------------------------
.../db/service/thrift/SentryAuthFilter.java | 7 ++---
.../thrift/TestSentryWebServerWithKerberos.java | 31 ++++++++++++++++++++
.../thrift/SentryServiceIntegrationBase.java | 2 ++
3 files changed, 35 insertions(+), 5 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/sentry/blob/17ed7cb7/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryAuthFilter.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryAuthFilter.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryAuthFilter.java
index c1cfc1b..b67d6df 100644
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryAuthFilter.java
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryAuthFilter.java
@@ -83,10 +83,7 @@ public class SentryAuthFilter extends AuthenticationFilter {
}
private static Set<String> parseConnectUsersFromConf(String value) {
- String lcValue = value;
- if (lcValue != null) {
- lcValue = lcValue.toLowerCase();
- }
- return Sets.newHashSet(StringUtils.getStrings(lcValue));
+ //Removed the logic to convert the allowed users to lower case, as user names need to be case sensitive
+ return Sets.newHashSet(StringUtils.getStrings(value));
}
}
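Review bot: The allow-list in `parseConnectUsersFromConf` is now matched case-sensitively, but the entries are still split with `getStrings`, which (if this is Hadoop's `StringUtils`; the import is outside the hunk) does not trim whitespace and returns null for an unset or empty value. A setting such as `hive, USER1` would then store ` USER1` and silently lock that user out, and a null value would reach `Sets.newHashSet` as a null array. Consider `return Sets.newHashSet(StringUtils.getTrimmedStrings(value));`. The comment would also read better stating the rule rather than the history, e.g. `// User names are matched case-sensitively; do not normalise case here.` The enclosing class starts outside the hunk.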
http://git-wip-us.apache.org/repos/asf/sentry/blob/17ed7cb7/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryWebServerWithKerberos.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryWebServerWithKerberos.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryWebServerWithKerberos.java
index ece2ee8..09ee6b4 100644
--- a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryWebServerWithKerberos.java
+++ b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryWebServerWithKerberos.java
@@ -133,4 +133,35 @@ public class TestSentryWebServerWithKerberos extends SentryServiceIntegrationBas
}
});
}
+
+ @Test
+ public void testPingWithCaseSensitiveUser() throws Exception {
+ // USER1 is present in the list of users who are allowed to connect to sentry web ui.
+ String userPrinciple = "user1/" + SERVER_HOST;
+ String userKerberosName = userPrinciple + "@" + REALM;
+ Subject userSubject = new Subject(false, Sets.newHashSet(
+ new KerberosPrincipal(userKerberosName)), new HashSet<Object>(),new HashSet<Object>());
+ File userKeytab = new File(kdcWorkDir, "user1.keytab");
+ kdc.createPrincipal(userKeytab, userPrinciple);
+ LoginContext userLoginContext = new LoginContext("", userSubject, null,
+ KerberosConfiguration.createClientConfig(userKerberosName, userKeytab));
+ userLoginContext.login();
+ Subject.doAs(userLoginContext.getSubject(), new PrivilegedExceptionAction<Void>() {
+ @Override
+ public Void run() throws Exception {
+ final URL url = new URL("http://"+ SERVER_HOST + ":" + webServerPort + "/ping");
+ try {
+ new AuthenticatedURL(new KerberosAuthenticator()).openConnection(url, new AuthenticatedURL.Token());
+ fail("Login with user1 should fail");
+ } catch (AuthenticationException e) {
+ String expectedError = "status code: 403";
+ if (!e.getMessage().contains(expectedError)) {
+ LOG.error("UnexpectedError: " + e.getMessage(), e);
+ fail("UnexpectedError: " + e.getMessage());
+ }
+ }
+ return null;
+ }
+ });
+ }
}
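Review bot: `testPingWithCaseSensitiveUser` asserts only the rejection path (`user1` against an allow-list containing `USER1`). Nothing in this hunk checks that a principal whose name matches `USER1` exactly is admitted, which is the login failure the commit title describes. A companion test that creates that principal and expects the `/ping` request to succeed would pin the fix from both sides. The 403 check relies on the substring `status code: 403` in the exception message, which is brittle; a one-line comment such as `// AuthenticatedURL reports the HTTP status only in the exception message` would explain why the text is matched. `userPrinciple` should be spelled `userPrincipal`.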
http://git-wip-us.apache.org/repos/asf/sentry/blob/17ed7cb7/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/service/thrift/SentryServiceIntegrationBase.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/service/thrift/SentryServiceIntegrationBase.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/service/thrift/SentryServiceIntegrationBase.java
index 4197e6d..dfd79ae 100644
--- a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/service/thrift/SentryServiceIntegrationBase.java
+++ b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/service/thrift/SentryServiceIntegrationBase.java
@@ -92,6 +92,7 @@ public abstract class SentryServiceIntegrationBase extends SentryMiniKdcTestcase
protected static boolean pooled = false;
protected static boolean useSSL = false;
+ protected static String allowedUsers = "hive,USER1";
@BeforeClass
public static void setup() throws Exception {
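Review bot: The new `allowedUsers` field has no comment explaining that the upper-case `USER1` entry is load-bearing. `TestSentryWebServerWithKerberos` logs in as `user1` and expects a 403, so lower-casing this value during a later cleanup would quietly invalidate that test. A comment above the field would prevent that, e.g. `// "USER1" is deliberately upper case: the web-UI allow-list is case-sensitive and a test logs in as "user1" expecting rejection.` Like the neighbouring `pooled` and `useSSL` flags, the field is a mutable static, so the comment could also say whether subclasses are expected to override it.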
@@ -168,6 +169,7 @@ public abstract class SentryServiceIntegrationBase extends SentryMiniKdcTestcase
ServerConfig.SENTRY_WEB_SECURITY_TYPE_KERBEROS);
conf.set(ServerConfig.SENTRY_WEB_SECURITY_PRINCIPAL, HTTP_PRINCIPAL);
conf.set(ServerConfig.SENTRY_WEB_SECURITY_KEYTAB, httpKeytab.getPath());
+ conf.set(ServerConfig.SENTRY_WEB_SECURITY_ALLOW_CONNECT_USERS, allowedUsers);
} else {
conf.set(ServerConfig.SENTRY_WEB_SECURITY_TYPE,
ServerConfig.SENTRY_WEB_SECURITY_TYPE_NONE);