HBASE-20664 Reduce the broad scope of outToken in ThriftHttpServlet Signed-off-by: Andrew Purtell <apurt...@apache.org>
Project: http://git-wip-us.apache.org/repos/asf/hbase/repo Commit: http://git-wip-us.apache.org/repos/asf/hbase/commit/0c42acbd Tree: http://git-wip-us.apache.org/repos/asf/hbase/tree/0c42acbd Diff: http://git-wip-us.apache.org/repos/asf/hbase/diff/0c42acbd Branch: refs/heads/master Commit: 0c42acbdf86d08af3003105a26a2201f75f2e2c3 Parents: da3ecf1 Author: Josh Elser <els...@apache.org> Authored: Thu May 31 13:02:53 2018 -0400 Committer: Josh Elser <els...@apache.org> Committed: Thu May 31 20:02:25 2018 -0400 ---------------------------------------------------------------------- .../hadoop/hbase/thrift/ThriftHttpServlet.java | 24 +++++++++++++++----- 1 file changed, 18 insertions(+), 6 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/hbase/blob/0c42acbd/hbase-thrift/src/main/java/org/apache/hadoop/hbase/thrift/ThriftHttpServlet.java ---------------------------------------------------------------------- diff --git a/hbase-thrift/src/main/java/org/apache/hadoop/hbase/thrift/ThriftHttpServlet.java b/hbase-thrift/src/main/java/org/apache/hadoop/hbase/thrift/ThriftHttpServlet.java index 4f55a01..8d68964 100644 --- a/hbase-thrift/src/main/java/org/apache/hadoop/hbase/thrift/ThriftHttpServlet.java +++ b/hbase-thrift/src/main/java/org/apache/hadoop/hbase/thrift/ThriftHttpServlet.java @@ -57,7 +57,6 @@ public class ThriftHttpServlet extends TServlet { private final boolean securityEnabled; private final boolean doAsEnabled; private transient ThriftServerRunner.HBaseHandler hbaseHandler; - private String outToken; // HTTP Header related constants. public static final String WWW_AUTHENTICATE = "WWW-Authenticate"; @@ -83,10 +82,11 @@ public class ThriftHttpServlet extends TServlet { try { // As Thrift HTTP transport doesn't support SPNEGO yet (THRIFT-889), // Kerberos authentication is being done at servlet level. - effectiveUser = doKerberosAuth(request); + final RemoteUserIdentity identity = doKerberosAuth(request); + effectiveUser = identity.principal; // It is standard for client applications expect this header. // Please see http://tools.ietf.org/html/rfc4559 for more details. - response.addHeader(WWW_AUTHENTICATE, NEGOTIATE + " " + outToken); + response.addHeader(WWW_AUTHENTICATE, NEGOTIATE + " " + identity.outToken); } catch (HttpAuthenticationException e) { LOG.error("Kerberos Authentication failed", e); // Send a 401 to the client @@ -127,19 +127,31 @@ public class ThriftHttpServlet extends TServlet { * We already have a logged in subject in the form of serviceUGI, * which GSS-API will extract information from. */ - private String doKerberosAuth(HttpServletRequest request) + private RemoteUserIdentity doKerberosAuth(HttpServletRequest request) throws HttpAuthenticationException { HttpKerberosServerAction action = new HttpKerberosServerAction(request, realUser); try { String principal = realUser.doAs(action); - outToken = action.outToken; - return principal; + return new RemoteUserIdentity(principal, action.outToken); } catch (Exception e) { LOG.error("Failed to perform authentication"); throw new HttpAuthenticationException(e); } } + /** + * Basic "struct" class to hold the final base64-encoded, authenticated GSSAPI token + * for the user with the given principal talking to the Thrift server. + */ + private static class RemoteUserIdentity { + final String outToken; + final String principal; + + RemoteUserIdentity(String principal, String outToken) { + this.principal = principal; + this.outToken = outToken; + } + } private static class HttpKerberosServerAction implements PrivilegedExceptionAction<String> { HttpServletRequest request;
