Repository: incubator-sentry Updated Branches: refs/heads/master 3071da2fc -> 38c4294ba
SENTRY-283: Secure connection from HS2 to Sentry service fails (Prasad Mujumdar via Jarek Jarcec Cecho) Project: http://git-wip-us.apache.org/repos/asf/incubator-sentry/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-sentry/commit/38c4294b Tree: http://git-wip-us.apache.org/repos/asf/incubator-sentry/tree/38c4294b Diff: http://git-wip-us.apache.org/repos/asf/incubator-sentry/diff/38c4294b Branch: refs/heads/master Commit: 38c4294ba398f85d8d0f1ad5b38ae48167d876f7 Parents: 3071da2 Author: Jarek Jarcec Cecho <[email protected]> Authored: Tue Jun 10 07:19:52 2014 -0700 Committer: Jarek Jarcec Cecho <[email protected]> Committed: Tue Jun 10 07:19:52 2014 -0700 ---------------------------------------------------------------------- .../java/org/apache/sentry/service/thrift/GSSCallback.java | 8 +++++++- .../apache/sentry/service/thrift/KerberosConfiguration.java | 4 ++++ 2 files changed, 11 insertions(+), 1 deletion(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/38c4294b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/GSSCallback.java ----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/GSSCallback.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/GSSCallback.java
index 22f31cd..38eb4be 100644
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/GSSCallback.java
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/GSSCallback.java
@@ -59,15 +59,21 @@ public class GSSCallback extends SaslRpcServer.SaslGssCallbackHandler { if (allowedPrincipals == null) { return false; } + String principalShortName = getShortName(principal); List<String> items = Arrays.asList(allowedPrincipals.split("\\s*,\\s*")); for (String item : items) { - if(comparePrincipals(item, principal)) { + if (comparePrincipals(item, principalShortName)) { return true; } } return false; } + private String getShortName(String principal) { + String parts[] = SaslRpcServer.splitKerberosName(principal); + return parts[0]; + } + @Override public void handle(Callback[] callbacks) throws UnsupportedCallbackException, ConnectionDeniedException { http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/38c4294b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/KerberosConfiguration.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/KerberosConfiguration.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/KerberosConfiguration.java index 41e4fe4..203858e 100644 --- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/KerberosConfiguration.java +++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/KerberosConfiguration.java @@ -24,6 +24,10 @@ import java.util.Map; import javax.security.auth.login.AppConfigurationEntry; public class KerberosConfiguration extends javax.security.auth.login.Configuration { + static { + System.setProperty("javax.security.auth.useSubjectCredsOnly", "false"); + } + private String principal; private String keytab; private boolean isInitiator;
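Review bot: `getShortName` keeps only `parts[0]` of the split principal, so the allow-list loop now decides on the primary name alone; the caller's instance (host) and realm are discarded before `comparePrincipals` runs. If the KDC trusts another realm, a same-named principal from that realm would presumably pass this check. `comparePrincipals` is not visible here, so that should be confirmed. I would state the contract on the helper, e.g. `/** Returns the primary component of a Kerberos principal; instance and realm are dropped, so allow-list entries must be short names. */`, and consider checking the realm before the loop or mapping the name through Hadoop's `KerberosName.getShortName()` so the configured auth_to_local rules apply. As a style point, `String parts[]` is better written `String[] parts`; the method holding the loop starts outside the hunk.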
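Review bot: The static initializer added to `KerberosConfiguration` overwrites `javax.security.auth.useSubjectCredsOnly` for the whole JVM as a side effect of class loading, so it changes credential lookup for every other GSS user in the host process and silently replaces a value an operator passed with `-D`. With the property set to `false`, JGSS may obtain credentials from outside the current Subject, which is a wider source than the keytab login this class configures. I would set it only when it is unset, `if (System.getProperty("javax.security.auth.useSubjectCredsOnly") == null) { System.setProperty("javax.security.auth.useSubjectCredsOnly", "false"); }`, and add a comment above the block saying why the HS2 to Sentry handshake needs it and that the setting is process-wide. The class body continues outside the hunk.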
