Posted to commits@sentry.apache.org by ha...@apache.org on 2016/07/18 21:00:28 UTC

sentry git commit: SENTRY-1378: Login fails for a secure Sentry Web UI (Rahul Sharma, Reviewd by: Sravya Tirukkovalur and Hao Hao)

Repository: sentry
Updated Branches:
  refs/heads/sentry-ha-redesign a62664153 -> 17ed7cb7f


SENTRY-1378: Login fails for a secure Sentry Web UI (Rahul Sharma, Reviewd by: Sravya Tirukkovalur and Hao Hao)

Change-Id: Ib02a8f848d903d7d93ec907bee647143e5728667


Project: http://git-wip-us.apache.org/repos/asf/sentry/repo
Commit: http://git-wip-us.apache.org/repos/asf/sentry/commit/17ed7cb7
Tree: http://git-wip-us.apache.org/repos/asf/sentry/tree/17ed7cb7
Diff: http://git-wip-us.apache.org/repos/asf/sentry/diff/17ed7cb7

Branch: refs/heads/sentry-ha-redesign
Commit: 17ed7cb7fa02b67b0c9dd4c0097a981fb977af2f
Parents: a626641
Author: hahao <ha...@cloudera.com>
Authored: Mon Jul 18 13:59:17 2016 -0700
Committer: hahao <ha...@cloudera.com>
Committed: Mon Jul 18 13:59:17 2016 -0700

----------------------------------------------------------------------
 .../db/service/thrift/SentryAuthFilter.java     |  7 ++---
 .../thrift/TestSentryWebServerWithKerberos.java | 31 ++++++++++++++++++++
 .../thrift/SentryServiceIntegrationBase.java    |  2 ++
 3 files changed, 35 insertions(+), 5 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/sentry/blob/17ed7cb7/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryAuthFilter.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryAuthFilter.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryAuthFilter.java
index c1cfc1b..b67d6df 100644
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryAuthFilter.java
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryAuthFilter.java
@@ -83,10 +83,7 @@ public class SentryAuthFilter extends AuthenticationFilter {
   }
 
   private static Set<String> parseConnectUsersFromConf(String value) {
-    String lcValue = value;
-    if (lcValue != null) {
-      lcValue = lcValue.toLowerCase();
-    }
-    return Sets.newHashSet(StringUtils.getStrings(lcValue));
+    //Removed the logic to convert the allowed users to lower case, as user names need to be case sensitive
+    return Sets.newHashSet(StringUtils.getStrings(value));
   }
 }
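Review bot: The new `return Sets.newHashSet(StringUtils.getStrings(value));` still has no guard for an unset or empty allow-list value. If `StringUtils` here is Hadoop's (the imports are outside the hunk), `getStrings` returns null in that case and `Sets.newHashSet` would throw a NullPointerException. A guard such as `if (value == null || value.isEmpty()) { return Sets.newHashSet(); }` avoids that, provided the caller treats an empty set as "nobody may connect"; that is worth confirming, because the check that consumes this set is not visible here. Matching is now exact, so an entry written as `"hive, USER1"` would presumably keep its leading space and never match; trimming each entry would make the setting less fragile. The added comment records what was removed rather than the rule, and `// User names are case sensitive, so configured entries are kept exactly as written` would age better.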

http://git-wip-us.apache.org/repos/asf/sentry/blob/17ed7cb7/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryWebServerWithKerberos.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryWebServerWithKerberos.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryWebServerWithKerberos.java
index ece2ee8..09ee6b4 100644
--- a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryWebServerWithKerberos.java
+++ b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryWebServerWithKerberos.java
@@ -133,4 +133,35 @@ public class TestSentryWebServerWithKerberos extends SentryServiceIntegrationBas
       }
     });
   }
+
+  @Test
+  public void testPingWithCaseSensitiveUser() throws Exception {
+    // USER1 is present in the list of users who are allowed to connect to sentry web ui.
+    String userPrinciple = "user1/" + SERVER_HOST;
+    String userKerberosName = userPrinciple + "@" + REALM;
+    Subject userSubject = new Subject(false, Sets.newHashSet(
+            new KerberosPrincipal(userKerberosName)), new HashSet<Object>(),new HashSet<Object>());
+    File userKeytab = new File(kdcWorkDir, "user1.keytab");
+    kdc.createPrincipal(userKeytab, userPrinciple);
+    LoginContext userLoginContext = new LoginContext("", userSubject, null,
+            KerberosConfiguration.createClientConfig(userKerberosName, userKeytab));
+    userLoginContext.login();
+    Subject.doAs(userLoginContext.getSubject(), new PrivilegedExceptionAction<Void>() {
+      @Override
+      public Void run() throws Exception {
+        final URL url = new URL("http://"+ SERVER_HOST + ":" + webServerPort + "/ping");
+        try {
+          new AuthenticatedURL(new KerberosAuthenticator()).openConnection(url, new AuthenticatedURL.Token());
+          fail("Login with user1 should fail");
+        } catch (AuthenticationException e) {
+          String expectedError = "status code: 403";
+          if (!e.getMessage().contains(expectedError)) {
+            LOG.error("UnexpectedError: " + e.getMessage(), e);
+            fail("UnexpectedError: " + e.getMessage());
+          }
+        }
+        return null;
+      }
+    });
+  }
 }
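Review bot: `testPingWithCaseSensitiveUser` covers only the rejection path: it logs in as `user1` and expects a 403, but nothing in this hunk checks that a principal spelled `USER1`, as configured, is accepted, which is the behaviour SENTRY-1378 is meant to restore. A companion case that creates `"USER1/" + SERVER_HOST` and asserts a successful response from `/ping` would pin both sides of the allow-list comparison. The opening comment would be clearer as `// Only "USER1" is on the allow list, so the lower-case principal "user1" must be rejected with 403`. `userLoginContext` is never logged out, so wrapping the `doAs` call in `try { ... } finally { userLoginContext.logout(); }` would keep the subject's credentials from outliving the test.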

http://git-wip-us.apache.org/repos/asf/sentry/blob/17ed7cb7/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/service/thrift/SentryServiceIntegrationBase.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/service/thrift/SentryServiceIntegrationBase.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/service/thrift/SentryServiceIntegrationBase.java
index 4197e6d..dfd79ae 100644
--- a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/service/thrift/SentryServiceIntegrationBase.java
+++ b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/service/thrift/SentryServiceIntegrationBase.java
@@ -92,6 +92,7 @@ public abstract class SentryServiceIntegrationBase extends SentryMiniKdcTestcase
   protected static boolean pooled = false;
 
   protected static boolean useSSL = false;
+  protected static String allowedUsers = "hive,USER1";
 
   @BeforeClass
   public static void setup() throws Exception {
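Review bot: The upper-case `USER1` in `allowedUsers` is deliberate test data, yet nothing on the line says so, and a later tidy-up to lower case would silently change what `testPingWithCaseSensitiveUser` in TestSentryWebServerWithKerberos proves. A comment such as `// "USER1" is upper case on purpose: the web UI allow list is case sensitive and the Kerberos test expects "user1" to be rejected` would protect it. The field is non-final and mutable like `pooled` and `useSSL` beside it; if no subclass reassigns it, declaring it `final` would stop one test from changing the allow list another test depends on.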
@@ -168,6 +169,7 @@ public abstract class SentryServiceIntegrationBase extends SentryMiniKdcTestcase
             ServerConfig.SENTRY_WEB_SECURITY_TYPE_KERBEROS);
         conf.set(ServerConfig.SENTRY_WEB_SECURITY_PRINCIPAL, HTTP_PRINCIPAL);
         conf.set(ServerConfig.SENTRY_WEB_SECURITY_KEYTAB, httpKeytab.getPath());
+        conf.set(ServerConfig.SENTRY_WEB_SECURITY_ALLOW_CONNECT_USERS, allowedUsers);
       } else {
         conf.set(ServerConfig.SENTRY_WEB_SECURITY_TYPE,
             ServerConfig.SENTRY_WEB_SECURITY_TYPE_NONE);