Repository: hbase Updated Branches: refs/heads/branch-1 08b7ed165 -> 7c1366de4 refs/heads/branch-1.2 6594f2656 -> f7e503463 refs/heads/branch-1.3 405a30404 -> 5f03fb399 refs/heads/branch-1.4 304f92763 -> 30e98b445 refs/heads/branch-2 b22409d51 -> f6c440592 refs/heads/branch-2.0 f43676a38 -> dbebacbcf refs/heads/master da3ecf1f1 -> 0c42acbdf Updated Tags: refs/tags/1.2.6.1RC0 [created] 7f40516cb refs/tags/1.3.2.1RC0 [created] 2f3eec217
HBASE-20664 Reduce the broad scope of outToken in ThriftHttpServlet Signed-off-by: Andrew Purtell <apurt...@apache.org> Project: http://git-wip-us.apache.org/repos/asf/hbase/repo Commit: http://git-wip-us.apache.org/repos/asf/hbase/commit/30e98b44 Tree: http://git-wip-us.apache.org/repos/asf/hbase/tree/30e98b44 Diff: http://git-wip-us.apache.org/repos/asf/hbase/diff/30e98b44 Branch: refs/heads/branch-1.4 Commit: 30e98b4455f971c9cb3c02ac7b2daeebe4ee6f2d Parents: 304f927 Author: Josh Elser <els...@apache.org> Authored: Thu May 31 13:02:53 2018 -0400 Committer: Josh Elser <els...@apache.org> Committed: Thu May 31 19:36:29 2018 -0400 ---------------------------------------------------------------------- .../hadoop/hbase/thrift/ThriftHttpServlet.java | 24 +++++++++++++++----- 1 file changed, 18 insertions(+), 6 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/hbase/blob/30e98b44/hbase-thrift/src/main/java/org/apache/hadoop/hbase/thrift/ThriftHttpServlet.java ----------------------------------------------------------------------
diff --git a/hbase-thrift/src/main/java/org/apache/hadoop/hbase/thrift/ThriftHttpServlet.java b/hbase-thrift/src/main/java/org/apache/hadoop/hbase/thrift/ThriftHttpServlet.java
index 28aa0e1..3dfa50a 100644
--- a/hbase-thrift/src/main/java/org/apache/hadoop/hbase/thrift/ThriftHttpServlet.java
+++ b/hbase-thrift/src/main/java/org/apache/hadoop/hbase/thrift/ThriftHttpServlet.java
@@ -57,7 +57,6 @@ public class ThriftHttpServlet extends TServlet {
 private final boolean securityEnabled;
 private final boolean doAsEnabled;
 private transient ThriftServerRunner.HBaseHandler hbaseHandler;
- private String outToken;
 // HTTP Header related constants.
 public static final String WWW_AUTHENTICATE = "WWW-Authenticate";
@@ -83,10 +82,11 @@ public class ThriftHttpServlet extends TServlet {
 try {
 // As Thrift HTTP transport doesn't support SPNEGO yet (THRIFT-889),
 // Kerberos authentication is being done at servlet level.
- effectiveUser = doKerberosAuth(request);
+ final RemoteUserIdentity identity = doKerberosAuth(request);
+ effectiveUser = identity.principal;
 // It is standard for client applications expect this header.
 // Please see http://tools.ietf.org/html/rfc4559 for more details.
- response.addHeader(WWW_AUTHENTICATE, NEGOTIATE + " " + outToken);
+ response.addHeader(WWW_AUTHENTICATE, NEGOTIATE + " " + identity.outToken);
 } catch (HttpAuthenticationException e) {
 LOG.error("Kerberos Authentication failed", e);
 // Send a 401 to the client
@@ -127,19 +127,31 @@ public class ThriftHttpServlet extends TServlet {
 * We already have a logged in subject in the form of serviceUGI,
 * which GSS-API will extract information from.
 */
- private String doKerberosAuth(HttpServletRequest request)
+ private RemoteUserIdentity doKerberosAuth(HttpServletRequest request)
 throws HttpAuthenticationException {
 HttpKerberosServerAction action = new HttpKerberosServerAction(request, realUser);
 try {
 String principal = realUser.doAs(action);
- outToken = action.outToken;
- return principal;
+ return new RemoteUserIdentity(principal, action.outToken);
 } catch (Exception e) {
 LOG.error("Failed to perform authentication");
 throw new HttpAuthenticationException(e);
 }
 }
+ /**
+ * Basic "struct" class to hold the final base64-encoded, authenticated GSSAPI token
+ * for the user with the given principal talking to the Thrift server.
+ */
+ private static class RemoteUserIdentity {
+ final String outToken;
+ final String principal;
+
+ RemoteUserIdentity(String principal, String outToken) {
+ this.principal = principal;
+ this.outToken = outToken;
+ }
+ }
 private static class HttpKerberosServerAction implements PrivilegedExceptionAction<String> {
 HttpServletRequest request;
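Review bot: In the `@@ -83,10 +82,11 @@` hunk, `identity.outToken` is concatenated into the `WWW-Authenticate` header with no null check, so a successful authentication that produced no response token would send the literal value `Negotiate null` to the client. Whether `action.outToken` can be left null is decided in `HttpKerberosServerAction`, which is outside this diff, so this is inferred rather than shown. A guard on the new line would cover it: `if (identity.outToken != null) { response.addHeader(WWW_AUTHENTICATE, NEGOTIATE + " " + identity.outToken); }`. The enclosing method starts and ends outside the hunk.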
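Review bot: The Javadoc on `RemoteUserIdentity` in the `@@ -127,19 +127,31 @@` hunk says what the class holds but not why the token is handed back per call, which is the safety property this change introduces. A servlet instance normally serves concurrent requests, so a token kept in an instance field could be overwritten between `doKerberosAuth` and the header write and end up in another client's response. I would add a sentence such as `Returned per request and never stored on the servlet, which is shared across request threads.` so the field is not reintroduced later. The doc comment of `doKerberosAuth`, which begins outside the hunk, could also gain `@return the authenticated principal together with the GSS-API response token`.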