Posted to commits@ambari.apache.org by nc...@apache.org on 2017/01/30 15:40:36 UTC
[15/30] ambari git commit: AMBARI-19767. Inconsistent auth-to-local
rules processing during Kerberos authentication (rlevas)
AMBARI-19767. Inconsistent auth-to-local rules processing during Kerberos authentication (rlevas)
Project: http://git-wip-us.apache.org/repos/asf/ambari/repo
Commit: http://git-wip-us.apache.org/repos/asf/ambari/commit/716b2fca
Tree: http://git-wip-us.apache.org/repos/asf/ambari/tree/716b2fca
Diff: http://git-wip-us.apache.org/repos/asf/ambari/diff/716b2fca
Branch: refs/heads/branch-dev-patch-upgrade
Commit: 716b2fca38a9db43b3211b9380f18149a3342256
Parents: e0765d9
Author: Robert Levas <rl...@hortonworks.com>
Authored: Sun Jan 29 11:14:59 2017 -0500
Committer: Robert Levas <rl...@hortonworks.com>
Committed: Sun Jan 29 11:15:24 2017 -0500
----------------------------------------------------------------------
.../AmbariAuthToLocalUserDetailsService.java | 17 ++++++++++++-----
1 file changed, 12 insertions(+), 5 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/ambari/blob/716b2fca/ambari-server/src/main/java/org/apache/ambari/server/security/authentication/kerberos/AmbariAuthToLocalUserDetailsService.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/security/authentication/kerberos/AmbariAuthToLocalUserDetailsService.java b/ambari-server/src/main/java/org/apache/ambari/server/security/authentication/kerberos/AmbariAuthToLocalUserDetailsService.java
index c85503c..1e4f6ea 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/security/authentication/kerberos/AmbariAuthToLocalUserDetailsService.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/security/authentication/kerberos/AmbariAuthToLocalUserDetailsService.java
@@ -49,6 +49,8 @@ public class AmbariAuthToLocalUserDetailsService implements UserDetailsService {
private final List<UserType> userTypeOrder;
+ private final String authToLocalRules;
+
/**
* Constructor.
* <p>
@@ -80,18 +82,23 @@ public class AmbariAuthToLocalUserDetailsService implements UserDetailsService {
orderedUserTypes = Collections.singletonList(UserType.LDAP);
}
- KerberosName.setRules(authToLocalRules);
-
this.users = users;
this.userTypeOrder = orderedUserTypes;
+ this.authToLocalRules = authToLocalRules;
}
@Override
public UserDetails loadUserByUsername(String principal) throws UsernameNotFoundException {
- KerberosName kerberosName = new KerberosName(principal);
-
try {
- String username = kerberosName.getShortName();
+ String username;
+
+ // Since KerberosName relies on a static variable to hold on to the auth-to-local rules, attempt
+ // to protect access to the rule set by blocking other threads from chaning the rules out from
+ // under us during this operation. Similar logic is used in org.apache.ambari.server.view.ViewContextImpl.getUsername().
+ synchronized (KerberosName.class) {
+ KerberosName.setRules(authToLocalRules);
+ username = new KerberosName(principal).getShortName();
+ }
if (username == null) {
String message = String.format("Failed to translate %s to a local username during Kerberos authentication.", principal);
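Review bot: The `synchronized (KerberosName.class)` block in loadUserByUsername only serialises callers that take the same monitor. Any other code in the JVM that calls `KerberosName.setRules(...)` or `getShortName()` without holding it can still swap the static rule set mid-translation, and a principal could then be resolved to the wrong local account. The block also leaves this service's rules installed in the static after it exits, so other users of KerberosName see them until they set their own. I would state that contract in the comment, e.g. `// Advisory lock: every caller of KerberosName.setRules()/getShortName() in this JVM must hold KerberosName.class, otherwise the mapping below may run against foreign rules.`, and confirm that callers other than ViewContextImpl.getUsername() follow it. The method body continues past the end of this hunk.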