KNOX-465: Initial audit record can contain leftover principal name
Project: http://git-wip-us.apache.org/repos/asf/knox/repo Commit: http://git-wip-us.apache.org/repos/asf/knox/commit/f03d3021 Tree: http://git-wip-us.apache.org/repos/asf/knox/tree/f03d3021 Diff: http://git-wip-us.apache.org/repos/asf/knox/diff/f03d3021 Branch: refs/heads/v0.5.1 Commit: f03d302114878cecefb520b187ee2dd483bdabe0 Parents: 34b72b0 Author: Kevin Minder <kevin.min...@hortonworks.com> Authored: Sat Nov 1 19:59:22 2014 -0400 Committer: Larry McCay <lmc...@hortonworks.com> Committed: Fri Nov 21 15:58:49 2014 -0500 ---------------------------------------------------------------------- .../filter/ShiroSubjectIdentityAdapter.java | 2 +- .../apache/hadoop/gateway/GatewayFilter.java | 2 +- .../apache/hadoop/gateway/GatewayServlet.java | 39 ++++++++++++-------- .../apache/hadoop/gateway/AuditLoggingTest.java | 8 ++++ .../hadoop/gateway/GatewayFilterTest.java | 13 +++++++ 5 files changed, 46 insertions(+), 18 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/knox/blob/f03d3021/gateway-provider-security-shiro/src/main/java/org/apache/hadoop/gateway/filter/ShiroSubjectIdentityAdapter.java ---------------------------------------------------------------------- diff --git a/gateway-provider-security-shiro/src/main/java/org/apache/hadoop/gateway/filter/ShiroSubjectIdentityAdapter.java b/gateway-provider-security-shiro/src/main/java/org/apache/hadoop/gateway/filter/ShiroSubjectIdentityAdapter.java index 408d051..2f0de73 100644 --- a/gateway-provider-security-shiro/src/main/java/org/apache/hadoop/gateway/filter/ShiroSubjectIdentityAdapter.java +++ b/gateway-provider-security-shiro/src/main/java/org/apache/hadoop/gateway/filter/ShiroSubjectIdentityAdapter.java 
@@ -100,7 +100,7 @@ public class ShiroSubjectIdentityAdapter implements Filter { Set<Principal> principals = new HashSet<Principal>(); Principal p = new PrimaryPrincipal(principal); principals.add(p); - auditService.createContext().setUsername( principal ); + auditService.getContext().setUsername( principal ); //KM: Audit Fix String sourceUri = (String)request.getAttribute( AbstractGatewayFilter.SOURCE_REQUEST_CONTEXT_URL_ATTRIBUTE_NAME ); auditor.audit( Action.AUTHENTICATION , sourceUri, ResourceType.URI, ActionOutcome.SUCCESS ); http://git-wip-us.apache.org/repos/asf/knox/blob/f03d3021/gateway-server/src/main/java/org/apache/hadoop/gateway/GatewayFilter.java ---------------------------------------------------------------------- diff --git a/gateway-server/src/main/java/org/apache/hadoop/gateway/GatewayFilter.java b/gateway-server/src/main/java/org/apache/hadoop/gateway/GatewayFilter.java index da903a8..7e6e6af 100644 --- a/gateway-server/src/main/java/org/apache/hadoop/gateway/GatewayFilter.java +++ b/gateway-server/src/main/java/org/apache/hadoop/gateway/GatewayFilter.java @@ -116,7 +116,7 @@ public class GatewayFilter implements Filter { assignCorrelationRequestId(); // Populate Audit/correlation parameters - AuditContext auditContext = auditService.createContext(); + AuditContext auditContext = auditService.getContext(); auditContext.setTargetServiceName( match == null ? null : match.getValue().getResourceRole() ); auditContext.setRemoteIp( servletRequest.getRemoteAddr() ); auditContext.setRemoteHostname( servletRequest.getRemoteHost() ); http://git-wip-us.apache.org/repos/asf/knox/blob/f03d3021/gateway-server/src/main/java/org/apache/hadoop/gateway/GatewayServlet.java ---------------------------------------------------------------------- diff --git a/gateway-server/src/main/java/org/apache/hadoop/gateway/GatewayServlet.java b/gateway-server/src/main/java/org/apache/hadoop/gateway/GatewayServlet.java index b25ec17..27febb5 100644 
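Review bot: `auditService.getContext().setUsername( principal )` in ShiroSubjectIdentityAdapter now depends on an earlier caller having attached a fresh context to the thread, and the same holds for `auditService.getContext()` in the GatewayFilter hunk that follows. If `getContext()` can return null when nothing is attached (not visible on this page, so confirm against the AuditService implementation), any entry point that reaches these filters without going through `GatewayServlet.service` would fail with a NullPointerException. If it instead returns a previous request's context, the stale-principal problem this commit targets would remain on that path. The `//KM: Audit Fix` marker does not record this contract; a comment such as `// Context is created per request in GatewayServlet.service; reuse it so fields set earlier in the chain are kept` would. Both enclosing methods start and end outside their hunks.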
--- a/gateway-server/src/main/java/org/apache/hadoop/gateway/GatewayServlet.java +++ b/gateway-server/src/main/java/org/apache/hadoop/gateway/GatewayServlet.java @@ -19,6 +19,7 @@ package org.apache.hadoop.gateway; import org.apache.hadoop.gateway.audit.api.Action; import org.apache.hadoop.gateway.audit.api.ActionOutcome; +import org.apache.hadoop.gateway.audit.api.AuditService; import org.apache.hadoop.gateway.audit.api.AuditServiceFactory; import org.apache.hadoop.gateway.audit.api.Auditor; import org.apache.hadoop.gateway.audit.api.ResourceType; @@ -53,7 +54,8 @@ public class GatewayServlet implements Servlet { private static final GatewayResources res = ResourcesFactory.get( GatewayResources.class ); private static final GatewayMessages LOG = MessagesFactory.get( GatewayMessages.class ); - + + private static AuditService auditService = AuditServiceFactory.getAuditService(); private static Auditor auditor = AuditServiceFactory.getAuditService() .getAuditor( AuditConstants.DEFAULT_AUDITOR_NAME, AuditConstants.KNOX_SERVICE_NAME, AuditConstants.KNOX_COMPONENT_NAME ); 
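Review bot: The new `auditService` field in GatewayServlet is a mutable static, while `res` and `LOG` just above it are `static final`. Nothing in the visible hunks reassigns it, so it can be declared `private static final AuditService auditService = AuditServiceFactory.getAuditService();`. The `auditor` initializer on the following line still calls `AuditServiceFactory.getAuditService()` a second time and could use the new field instead, so the context handling and the auditor visibly share one service reference. The replaced blank line also appears to carry trailing whitespace.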
@@ -111,23 +113,28 @@ public class GatewayServlet implements Servlet { @Override public void service( ServletRequest servletRequest, ServletResponse servletResponse ) throws ServletException, IOException { - GatewayFilter f = filter; - if( f != null ) { - try { - f.doFilter( servletRequest, servletResponse ); - } catch( IOException e ) { - LOG.failedToExecuteFilter( e ); - throw e; - } catch( ServletException e ) { - LOG.failedToExecuteFilter( e ); - throw e; + try { + auditService.createContext(); + GatewayFilter f = filter; + if( f != null ) { + try { + f.doFilter( servletRequest, servletResponse ); + } catch( IOException e ) { + LOG.failedToExecuteFilter( e ); + throw e; + } catch( ServletException e ) { + LOG.failedToExecuteFilter( e ); + throw e; + } + } else { + ((HttpServletResponse)servletResponse).setStatus( HttpServletResponse.SC_SERVICE_UNAVAILABLE ); } - } else { - ((HttpServletResponse)servletResponse).setStatus( HttpServletResponse.SC_SERVICE_UNAVAILABLE ); + String requestUri = (String)servletRequest.getAttribute( AbstractGatewayFilter.SOURCE_REQUEST_CONTEXT_URL_ATTRIBUTE_NAME ); + int status = ((HttpServletResponse)servletResponse).getStatus(); + auditor.audit( Action.ACCESS, requestUri, ResourceType.URI, ActionOutcome.SUCCESS, res.responseStatus( status ) ); + } finally { + auditService.detachContext(); } - String requestUri = (String)servletRequest.getAttribute( AbstractGatewayFilter.SOURCE_REQUEST_CONTEXT_URL_ATTRIBUTE_NAME ); - int status = ((HttpServletResponse)servletResponse).getStatus(); - auditor.audit( Action.ACCESS, requestUri, ResourceType.URI, ActionOutcome.SUCCESS, res.responseStatus( status ) ); } @Override http://git-wip-us.apache.org/repos/asf/knox/blob/f03d3021/gateway-server/src/test/java/org/apache/hadoop/gateway/AuditLoggingTest.java ---------------------------------------------------------------------- 
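Review bot: When `f.doFilter` throws in `GatewayServlet.service`, both catch blocks rethrow before the `auditor.audit( Action.ACCESS, ... )` call is reached, so a request that fails with an exception leaves no ACCESS record before `finally` detaches the context. The record that is written always carries `ActionOutcome.SUCCESS`, including on the `SC_SERVICE_UNAVAILABLE` branch and for any error status the filter chain may have set. Failed requests are the ones an audit trail most needs, so consider auditing in each catch block before `throw e;`, for example `auditor.audit( Action.ACCESS, requestUri, ResourceType.URI, ActionOutcome.FAILURE );` with `requestUri` read from the request attribute inside the catch, and deriving the outcome from `status` on the normal path. A RuntimeException from the chain is likewise neither passed to `LOG.failedToExecuteFilter` nor audited.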
diff --git a/gateway-server/src/test/java/org/apache/hadoop/gateway/AuditLoggingTest.java b/gateway-server/src/test/java/org/apache/hadoop/gateway/AuditLoggingTest.java index ae31b20..b15c56b 100644 --- a/gateway-server/src/test/java/org/apache/hadoop/gateway/AuditLoggingTest.java +++ b/gateway-server/src/test/java/org/apache/hadoop/gateway/AuditLoggingTest.java @@ -40,6 +40,7 @@ import javax.servlet.http.HttpServletResponse; import org.apache.hadoop.gateway.audit.api.Action; import org.apache.hadoop.gateway.audit.api.ActionOutcome; import org.apache.hadoop.gateway.audit.api.AuditContext; +import org.apache.hadoop.gateway.audit.api.AuditServiceFactory; import org.apache.hadoop.gateway.audit.api.CorrelationContext; import org.apache.hadoop.gateway.audit.api.ResourceType; import org.apache.hadoop.gateway.audit.log4j.audit.AuditConstants; @@ -50,6 +51,7 @@ import org.apache.hadoop.gateway.i18n.resources.ResourcesFactory; import org.apache.hadoop.test.log.CollectAppender; import org.apache.log4j.spi.LoggingEvent; import org.easymock.EasyMock; +import org.junit.After; import org.junit.Before; import org.junit.Test; @@ -63,9 +65,15 @@ public class AuditLoggingTest { @Before public void loggingSetup() { + AuditServiceFactory.getAuditService().createContext(); CollectAppender.queue.clear(); } + @After + public void reset() { + AuditServiceFactory.getAuditService().detachContext(); + } + @Test /** * Empty filter chain. Two events with same correlation ID are expected: http://git-wip-us.apache.org/repos/asf/knox/blob/f03d3021/gateway-server/src/test/java/org/apache/hadoop/gateway/GatewayFilterTest.java ---------------------------------------------------------------------- diff --git a/gateway-server/src/test/java/org/apache/hadoop/gateway/GatewayFilterTest.java b/gateway-server/src/test/java/org/apache/hadoop/gateway/GatewayFilterTest.java index 973fd99..5c55929 100644 --- a/gateway-server/src/test/java/org/apache/hadoop/gateway/GatewayFilterTest.java 
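Review bot: The AuditLoggingTest change only wraps each test in `createContext()` / `detachContext()`, and the same setup and teardown are added to GatewayFilterTest; as far as the visible hunks show, no test reproduces KNOX-465 itself. A regression test would send two requests on the same thread through `GatewayServlet.service`, set a username during the first, and assert that the first audit event of the second request carries no username. Without it, a later change that reintroduces context reuse across requests would still pass these tests. The `@Before` methods also supply a context to the code under test, so they would not catch a caller that forgets to create one.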
+++ b/gateway-server/src/test/java/org/apache/hadoop/gateway/GatewayFilterTest.java @@ -17,10 +17,13 @@ */ package org.apache.hadoop.gateway; +import org.apache.hadoop.gateway.audit.api.AuditServiceFactory; import org.apache.hadoop.gateway.filter.AbstractGatewayFilter; import org.apache.hadoop.test.category.FastTests; import org.apache.hadoop.test.category.UnitTests; import org.easymock.EasyMock; +import org.junit.After; +import org.junit.Before; import org.junit.Test; import org.junit.experimental.categories.Category; @@ -39,6 +42,16 @@ import static org.hamcrest.MatcherAssert.assertThat; @Category( { UnitTests.class, FastTests.class } ) public class GatewayFilterTest { + @Before + public void setup() { + AuditServiceFactory.getAuditService().createContext(); + } + + @After + public void reset() { + AuditServiceFactory.getAuditService().detachContext(); + } + @Test public void testNoFilters() throws ServletException, IOException {