Posted to commits@ambari.apache.org by nc...@apache.org on 2017/01/30 15:40:36 UTC

[15/30] ambari git commit: AMBARI-19767. Inconsistent auth-to-local rules processing during Kerberos authentication (rlevas)

AMBARI-19767. Inconsistent auth-to-local rules processing during Kerberos authentication (rlevas)


Project: http://git-wip-us.apache.org/repos/asf/ambari/repo
Commit: http://git-wip-us.apache.org/repos/asf/ambari/commit/716b2fca
Tree: http://git-wip-us.apache.org/repos/asf/ambari/tree/716b2fca
Diff: http://git-wip-us.apache.org/repos/asf/ambari/diff/716b2fca

Branch: refs/heads/branch-dev-patch-upgrade
Commit: 716b2fca38a9db43b3211b9380f18149a3342256
Parents: e0765d9
Author: Robert Levas <rl...@hortonworks.com>
Authored: Sun Jan 29 11:14:59 2017 -0500
Committer: Robert Levas <rl...@hortonworks.com>
Committed: Sun Jan 29 11:15:24 2017 -0500

----------------------------------------------------------------------
 .../AmbariAuthToLocalUserDetailsService.java       | 17 ++++++++++++-----
 1 file changed, 12 insertions(+), 5 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/ambari/blob/716b2fca/ambari-server/src/main/java/org/apache/ambari/server/security/authentication/kerberos/AmbariAuthToLocalUserDetailsService.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/security/authentication/kerberos/AmbariAuthToLocalUserDetailsService.java b/ambari-server/src/main/java/org/apache/ambari/server/security/authentication/kerberos/AmbariAuthToLocalUserDetailsService.java
index c85503c..1e4f6ea 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/security/authentication/kerberos/AmbariAuthToLocalUserDetailsService.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/security/authentication/kerberos/AmbariAuthToLocalUserDetailsService.java
@@ -49,6 +49,8 @@ public class AmbariAuthToLocalUserDetailsService implements UserDetailsService {
 
   private final List<UserType> userTypeOrder;
 
+  private final String authToLocalRules;
+
   /**
    * Constructor.
    * <p>
@@ -80,18 +82,23 @@ public class AmbariAuthToLocalUserDetailsService implements UserDetailsService {
       orderedUserTypes = Collections.singletonList(UserType.LDAP);
     }
 
-    KerberosName.setRules(authToLocalRules);
-
     this.users = users;
     this.userTypeOrder = orderedUserTypes;
+    this.authToLocalRules = authToLocalRules;
   }
 
   @Override
   public UserDetails loadUserByUsername(String principal) throws UsernameNotFoundException {
-    KerberosName kerberosName = new KerberosName(principal);
-
     try {
-      String username = kerberosName.getShortName();
+      String username;
+
+      // Since KerberosName relies on a static variable to hold on to the auth-to-local rules, attempt
+      // to protect access to the rule set by blocking other threads from chaning the rules out from
+      // under us during this operation.  Similar logic is used in org.apache.ambari.server.view.ViewContextImpl.getUsername().
+      synchronized (KerberosName.class) {
+        KerberosName.setRules(authToLocalRules);
+        username = new KerberosName(principal).getShortName();
+      }
 
       if (username == null) {
         String message = String.format("Failed to translate %s to a local username during Kerberos authentication.", principal);
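Review bot: The `synchronized (KerberosName.class)` block in `loadUserByUsername` only excludes threads that take the same monitor. `KerberosName.setRules` is a static setter, so any code in the JVM that calls it without this lock can still replace the rules between `setRules(authToLocalRules)` and `getShortName()`, and the principal would then be translated under a different rule set. Because that translation decides which local account the Kerberos identity is authenticated as, the comment should state the limit, e.g. `// NOTE: advisory only - every caller of KerberosName.setRules() in this JVM must hold the KerberosName.class monitor`, and the remaining call sites should be checked for the same lock (the comment names `ViewContextImpl.getUsername()` as one that takes it). The rules are also re-applied on every login under a class-wide lock, which serializes Kerberos logins at this point, and the comment has the typo `chaning` for `changing`. The body of `loadUserByUsername` continues past the end of this hunk.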