JWuCines opened a new pull request, #19429: URL: https://github.com/apache/druid/pull/19429
### Description

The Kerberos authenticator was using `token.getName()` (the full Kerberos principal, e.g., `[email protected]`) instead of `token.getUserName()` (the short name, e.g., `user`) when constructing the `AuthenticationResult` identity. This caused the authenticated identity to bypass `authToLocal` name mapping rules, resulting in users being unable to authenticate when authorizer rules reference short names.

#### Fixed the identity used in AuthenticationResult

Changed `KerberosAuthenticator` to use `token.getUserName()` instead of `token.getName()` when setting the `AuthenticationResult` identity. This is consistent with:

- How `getRemoteUser()` already returns `token.getUserName()` in the same filter
- How `DruidKerberosAuthenticationHandler` creates the token with `new AuthenticationToken(userName, clientPrincipal, getType())`, where `userName` is the result of `KerberosName.getShortName()` (i.e., the `authToLocal`-mapped name)
- The purpose of the `authToLocal` configuration property, which exists to map Kerberos principals to local user names for authorization

#### Added unit tests

Added `KerberosAuthenticatorFilterTest` (4 tests) and `DruidKerberosAuthenticationHandlerTokenTest` (6 tests) to verify that:

- `AuthenticationToken.getUserName()` returns the short name and `getName()` returns the full principal
- `AuthenticationResult` identity uses the short name across simple principals, service principals, and custom `authToLocal` rules

#### Updated documentation

Added a "User identity and `authToLocal` rules" section to the Kerberos extension documentation explaining that the short name is used for authorization, with an upgrade note for users who may have authorizer rules referencing full Kerberos principals.

#### Release note

The Kerberos authenticator now correctly uses the short name derived from `authToLocal` rules as the authenticated user identity, instead of the full Kerberos principal.

If you have authorizer rules that reference full Kerberos principals (e.g., `[email protected]`), update them to use the short name (e.g., `user`) after upgrading.

<hr>

##### Key changed/added classes in this PR

* `KerberosAuthenticator`
* `KerberosAuthenticatorFilterTest`
* `DruidKerberosAuthenticationHandlerTokenTest`

<hr>

This PR has:

- [x] been self-reviewed.
- [x] added documentation for new or modified features or behaviors.
- [x] a release note entry in the PR description.
- [x] added comments explaining the "why" and the intent of the code wherever would not be obvious for an unfamiliar reader.
- [x] added unit tests or modified existing tests to cover new code paths, ensuring the threshold for [code coverage](https://github.com/apache/druid/blob/master/dev/code-review/code-coverage.md) is met.
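The `getName()` versus `getUserName()` distinction the PR turns on, as an added example that is not part of the PR or of the Druid code base: it drives the hadoop-auth `KerberosName` and `AuthenticationToken` classes the description names with a constructed `authToLocal` rule set and prints the identity an authorizer would have seen before and after the fix. The realm `EXAMPLE.COM`, the two principals, the rule set and the class name `AuthToLocalIdentityDemo` are assumptions made for the demonstration; hadoop-auth must be on the classpath.

```java
import java.io.IOException;

import org.apache.hadoop.security.authentication.server.AuthenticationToken;
import org.apache.hadoop.security.authentication.util.KerberosName;

/**
 * Example (not Druid code): shows how a token built the way
 * DruidKerberosAuthenticationHandler builds it carries two identities,
 * the full principal (getName) and the authToLocal-mapped short name
 * (getUserName), and which one reaches the authorizer before/after the fix.
 */
public class AuthToLocalIdentityDemo {

  // Constructed authToLocal value in Hadoop KerberosName rule syntax (assumption).
  // Rule 1: single-component principals in EXAMPLE.COM lose their realm.
  // Rule 2: any druid/<host>@EXAMPLE.COM service principal maps to "druid".
  // DEFAULT: anything else, which is never reached for the inputs below.
  static final String AUTH_TO_LOCAL =
      "RULE:[1:$1@$0](.*@EXAMPLE\\.COM)s/@.*//\n"
      + "RULE:[2:$1@$0](druid@EXAMPLE\\.COM)s/.*/druid/\n"
      + "DEFAULT";

  /** Same shape as the handler: short name as userName, full principal kept. */
  static AuthenticationToken buildToken(String clientPrincipal) throws IOException {
    String userName = new KerberosName(clientPrincipal).getShortName();
    return new AuthenticationToken(userName, clientPrincipal, "kerberos");
  }

  /** Identity the authenticator used before the fix: bypasses authToLocal. */
  static String identityBefore(AuthenticationToken token) {
    return token.getName();
  }

  /** Identity the authenticator uses after the fix: the authToLocal-mapped name. */
  static String identityAfter(AuthenticationToken token) {
    return token.getUserName();
  }

  public static void main(String[] args) throws IOException {
    KerberosName.setRules(AUTH_TO_LOCAL);

    // Constructed sample principals (assumption): one user, one service.
    String[] principals = {
        "alice@EXAMPLE.COM",
        "druid/broker.example.com@EXAMPLE.COM"
    };

    for (String principal : principals) {
      AuthenticationToken token = buildToken(principal);
      System.out.printf("%-40s before: %-40s after: %s%n",
          principal, identityBefore(token), identityAfter(token));
    }
    // An authorizer rule written for "alice" or "druid" matches only the
    // "after" identity; a rule written for the full principal must be
    // rewritten to the short name after upgrading, as the release note says.
  }
}
```

Because the two explicit `RULE:` lines match both sample principals, the trailing `DEFAULT` rule (which compares the realm against the host's default realm from krb5 configuration) is never consulted, so the demo runs on a machine without Kerberos configured. Swapping in your own `authToLocal` value and principals is the quickest way to confirm what identity string your authorizer rules need to reference after this change.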
