Skip to content

Commit

Permalink
HBASE-20664 Reduce the broad scope of outToken in ThriftHttpServlet
Browse files Browse the repository at this point in the history
Signed-off-by: Andrew Purtell <[email protected]>
  • Loading branch information
joshelser committed May 31, 2018
1 parent 2f9b9e1 commit 625d4d0
Showing 1 changed file with 18 additions and 6 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -57,7 +57,6 @@ public class ThriftHttpServlet extends TServlet {
private final boolean securityEnabled;
private final boolean doAsEnabled;
private transient ThriftServerRunner.HBaseHandler hbaseHandler;
private String outToken;

// HTTP Header related constants.
public static final String WWW_AUTHENTICATE = "WWW-Authenticate";
Expand All @@ -83,10 +82,11 @@ protected void doPost(HttpServletRequest request, HttpServletResponse response)
try {
// As Thrift HTTP transport doesn't support SPNEGO yet (THRIFT-889),
// Kerberos authentication is being done at servlet level.
effectiveUser = doKerberosAuth(request);
final RemoteUserIdentity identity = doKerberosAuth(request);
effectiveUser = identity.principal;
// It is standard for client applications expect this header.
// Please see http://tools.ietf.org/html/rfc4559 for more details.
response.addHeader(WWW_AUTHENTICATE, NEGOTIATE + " " + outToken);
response.addHeader(WWW_AUTHENTICATE, NEGOTIATE + " " + identity.outToken);
} catch (HttpAuthenticationException e) {
LOG.error("Kerberos Authentication failed", e);
// Send a 401 to the client
Expand Down Expand Up @@ -127,19 +127,31 @@ protected void doPost(HttpServletRequest request, HttpServletResponse response)
* We already have a logged in subject in the form of serviceUGI,
* which GSS-API will extract information from.
*/
private String doKerberosAuth(HttpServletRequest request)
private RemoteUserIdentity doKerberosAuth(HttpServletRequest request)
throws HttpAuthenticationException {
HttpKerberosServerAction action = new HttpKerberosServerAction(request, realUser);
try {
String principal = realUser.doAs(action);
outToken = action.outToken;
return principal;
return new RemoteUserIdentity(principal, action.outToken);
} catch (Exception e) {
LOG.error("Failed to perform authentication");
throw new HttpAuthenticationException(e);
}
}

/**
* Basic "struct" class to hold the final base64-encoded, authenticated GSSAPI token
* for the user with the given principal talking to the Thrift server.
*/
private static class RemoteUserIdentity {
final String outToken;
final String principal;

RemoteUserIdentity(String principal, String outToken) {
this.principal = principal;
this.outToken = outToken;
}
}

private static class HttpKerberosServerAction implements PrivilegedExceptionAction<String> {
HttpServletRequest request;
Expand Down

0 comments on commit 625d4d0

Please sign in to comment.