This is an automated email from the ASF dual-hosted git repository. krisden pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/knox.git
The following commit(s) were added to refs/heads/master by this push: new d05d307 KNOX-2223 - HS2 cookie not stored in HadoopAuthCookieStore (#253) d05d307 is described below commit d05d307e0b1bea9f2f1a63a02392a917b35814c0 Author: Kevin Risden <risd...@users.noreply.github.com> AuthorDate: Wed Feb 5 16:14:19 2020 -0500 KNOX-2223 - HS2 cookie not stored in HadoopAuthCookieStore (#253) This ensures that Knox principal both short and long will be compared against the cookie returned. This will match the HS2 cookie. Signed-off-by: Kevin Risden <kris...@apache.org> --- .../org/apache/knox/gateway/dispatch/HadoopAuthCookieStore.java | 6 +++++- .../org/apache/knox/gateway/dispatch/HadoopAuthCookieStoreTest.java | 4 ++-- 2 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/gateway-spi/src/main/java/org/apache/knox/gateway/dispatch/HadoopAuthCookieStore.java b/gateway-spi/src/main/java/org/apache/knox/gateway/dispatch/HadoopAuthCookieStore.java
index 522019b..e3c10fe 100644
--- a/gateway-spi/src/main/java/org/apache/knox/gateway/dispatch/HadoopAuthCookieStore.java
+++ b/gateway-spi/src/main/java/org/apache/knox/gateway/dispatch/HadoopAuthCookieStore.java
@@ -41,6 +41,7 @@ public class HadoopAuthCookieStore extends BasicCookieStore {
 private static final String IMPALA_AUTH_COOKIE_NAME = "impala.auth";
 private static String knoxPrincipal;
+ private static String shortKnoxPrincipal;
 HadoopAuthCookieStore(GatewayConfig config) {
 // Read knoxPrincipal from krb5 login jaas config file
@@ -56,6 +57,8 @@ public class HadoopAuthCookieStore extends BasicCookieStore {
 configuredKnoxPrincipal.length() - 1);
 }
 knoxPrincipal = configuredKnoxPrincipal;
+ // Break out the short principal name from the principal
+ shortKnoxPrincipal = knoxPrincipal.split("/", 2)[0];
 } catch (IOException e) {
 LOG.errorReadingKerberosLoginConfig(krb5Config, e);
 }
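Review bot: `knoxPrincipal.split("/", 2)[0]` only produces a short name when the principal has a host component; for a principal of the form `name@REALM` the whole string, realm included, is kept, so the short-name comparison adds nothing and a cookie carrying only `u=name` would still be rejected. Splitting on either separator, `shortKnoxPrincipal = knoxPrincipal.split("[/@]", 2)[0];`, covers both forms. The assignment also sits inside the `try`, so when the `catch (IOException e)` branch runs, both static fields keep whatever value they had before, possibly `null`; the constructor continues outside this hunk, so whether that is handled later cannot be seen here.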
@@ -87,7 +90,8 @@ public class HadoopAuthCookieStore extends BasicCookieStore {
 // somewhere in the cookie value.
 if (cookie != null) {
 String value = cookie.getValue();
- if (value != null && value.contains(knoxPrincipal)) {
+ if (value != null &&
+ (value.contains('=' + knoxPrincipal) || value.contains('=' + shortKnoxPrincipal))) {
 result = true;
 }
 }
diff --git a/gateway-spi/src/test/java/org/apache/knox/gateway/dispatch/HadoopAuthCookieStoreTest.java b/gateway-spi/src/test/java/org/apache/knox/gateway/dispatch/HadoopAuthCookieStoreTest.java
index cc58347..6bfcf52 100644
--- a/gateway-spi/src/test/java/org/apache/knox/gateway/dispatch/HadoopAuthCookieStoreTest.java
+++ b/gateway-spi/src/test/java/org/apache/knox/gateway/dispatch/HadoopAuthCookieStoreTest.java
@@ -92,7 +92,7 @@ public class HadoopAuthCookieStoreTest {
 @Test
 public void testKnoxCookieInclusionDefaultUser() {
- doTestKnoxCookieExclusion("u=knox&p=anotherUser/myhost.example....@example.com&t=kerberos&e=1517900515610&s=HpSXUOhoXR/2wXrsgPz5lSbNuf8=");
+ doTestKnoxCookieInclusion("u=knox&p=anotherUser/myhost.example....@example.com&t=kerberos&e=1517900515610&s=HpSXUOhoXR/2wXrsgPz5lSbNuf8=");
 }
 @Test
@@ -126,7 +126,7 @@ public class HadoopAuthCookieStoreTest {
 @Test
 public void testKnoxCookieInclusionDefaultUserAndMissingPrincipal() {
- doTestKnoxCookieExclusion("u=knox&t=kerberos&e=1517900515610&s=HpSXUOhoXR/2wXrsgPz5lSbNuf8=");
+ doTestKnoxCookieInclusion("u=knox&t=kerberos&e=1517900515610&s=HpSXUOhoXR/2wXrsgPz5lSbNuf8=");
 }
 private void doTestKnoxCookieInclusion(final String cookieValue) {
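Review bot: The new condition in the `-87,7 +90,8` hunk is still a substring test, so `'=' + shortKnoxPrincipal` accepts any field whose value merely begins with the short name (constructed example: `u=knoxadmin` when the short name is `knox`), and a cookie issued for a different identity could be kept in the store as if it were Knox's own. If the constructor's `catch` branch left the fields unset, the concatenation turns them into the literal `"=null"`, which is a matchable value rather than a failure. Comparing whole field values closes both cases, assuming the `&`-separated `key=value` layout seen in the test cookies. The enclosing method starts and ends outside this hunk.

```java
// … unchanged: null check on cookie …
String value = cookie.getValue();
if (value != null) {
  // Match complete field values, not prefixes; equals() is also false for an unset principal.
  // NOTE(review): strip surrounding quotes first if the backend quotes the cookie value.
  for (String field : value.split("&")) {
    int eq = field.indexOf('=');
    String fieldValue = eq < 0 ? null : field.substring(eq + 1);
    if (fieldValue != null
        && (fieldValue.equals(knoxPrincipal) || fieldValue.equals(shortKnoxPrincipal))) {
      result = true;
      break;
    }
  }
}
```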
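Review bot: The cookie now expected to be included in `testKnoxCookieInclusionDefaultUser` carries `u=knox` next to `p=anotherUser/…`, so the test pins acceptance on the user field alone even when the principal field names someone else. A short comment above the test saying why that is intended (the HS2 cookie case from the commit message) would keep a later reader from treating it as a mistake. The same applies to `testKnoxCookieInclusionDefaultUserAndMissingPrincipal` in the next hunk. Neither hunk adds a negative case for a look-alike name; presuming the test's short name is `knox`, an exclusion test such as `doTestKnoxCookieExclusion("u=knoxadmin&t=kerberos&e=1517900515610&s=<signature>");` (constructed value) would document the boundary, and it would fail against the current prefix match.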