Author: tucu Date: Wed May 7 18:20:11 2014 New Revision: 1593105 URL: http://svn.apache.org/r1593105 Log: HADOOP-10566. Add toLowerCase support to auth_to_local rules for service name. (tucu)
Modified: hadoop/common/trunk/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/util/KerberosName.java hadoop/common/trunk/hadoop-common-project/hadoop-auth/src/test/java/org/apache/hadoop/security/authentication/util/TestKerberosName.java hadoop/common/trunk/hadoop-common-project/hadoop-common/CHANGES.txt hadoop/common/trunk/hadoop-common-project/hadoop-common/src/site/apt/SecureMode.apt.vm Modified: hadoop/common/trunk/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/util/KerberosName.java URL: http://svn.apache.org/viewvc/hadoop/common/trunk/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/util/KerberosName.java?rev=1593105&r1=1593104&r2=1593105&view=diff ============================================================================== --- hadoop/common/trunk/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/util/KerberosName.java (original) +++ hadoop/common/trunk/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/util/KerberosName.java Wed May 7 18:20:11 2014 @@ -21,6 +21,7 @@ package org.apache.hadoop.security.authe import java.io.IOException; import java.util.ArrayList; import java.util.List; +import java.util.Locale; import java.util.regex.Matcher; import java.util.regex.Pattern; @@ -66,7 +67,7 @@ public class KerberosName { */ private static final Pattern ruleParser = Pattern.compile("\\s*((DEFAULT)|(RULE:\\[(\\d*):([^\\]]*)](\\(([^)]*)\\))?"+ - "(s/([^/]*)/([^/]*)/(g)?)?))"); + "(s/([^/]*)/([^/]*)/(g)?)?))/?(L)?"); /** * A pattern that recognizes simple/non-simple names. @@ -171,6 +172,7 @@ public class KerberosName { private final Pattern fromPattern; private final String toPattern; private final boolean repeat; + private final boolean toLowerCase; Rule() { isDefault = true; 
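Review bot: The new suffix `/?(L)?` in `ruleParser` makes the slash and the flag independently optional, so a rule ending in a bare `L` with no slash turns lowercasing on, and a stray trailing `/` is consumed without effect. Because these rules decide which local account a Kerberos principal maps to, I would accept only the documented `/L` form: `"(s/([^/]*)/([^/]*)/(g)?)?))(?:/(L))?");`. The non-capturing group keeps the flag in group 12, so the `"L".equals(matcher.group(12))` read in the `@@ -328,7 +338,8 @@` hunk stays correct. The Javadoc above the pattern begins outside the hunk and, as far as can be seen here, is not updated to mention the flag.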
@@ -180,10 +182,11 @@ public class KerberosName { fromPattern = null; toPattern = null; repeat = false; + toLowerCase = false; } Rule(int numOfComponents, String format, String match, String fromPattern, - String toPattern, boolean repeat) { + String toPattern, boolean repeat, boolean toLowerCase) { isDefault = false; this.numOfComponents = numOfComponents; this.format = format; @@ -192,6 +195,7 @@ public class KerberosName { fromPattern == null ? null : Pattern.compile(fromPattern); this.toPattern = toPattern; this.repeat = repeat; + this.toLowerCase = toLowerCase; } @Override @@ -220,6 +224,9 @@ public class KerberosName { buf.append('g'); } } + if (toLowerCase) { + buf.append("/L"); + } } return buf.toString(); } @@ -308,6 +315,9 @@ public class KerberosName { throw new NoMatchingRule("Non-simple name " + result + " after auth_to_local rule " + this); } + if (toLowerCase && result != null) { + result = result.toLowerCase(Locale.ENGLISH); + } return result; } } @@ -328,7 +338,8 @@ public class KerberosName { matcher.group(7), matcher.group(9), matcher.group(10), - "g".equals(matcher.group(11)))); + "g".equals(matcher.group(11)), + "L".equals(matcher.group(12)))); } remaining = remaining.substring(matcher.end()); } Modified: hadoop/common/trunk/hadoop-common-project/hadoop-auth/src/test/java/org/apache/hadoop/security/authentication/util/TestKerberosName.java URL: http://svn.apache.org/viewvc/hadoop/common/trunk/hadoop-common-project/hadoop-auth/src/test/java/org/apache/hadoop/security/authentication/util/TestKerberosName.java?rev=1593105&r1=1593104&r2=1593105&view=diff ============================================================================== --- hadoop/common/trunk/hadoop-common-project/hadoop-auth/src/test/java/org/apache/hadoop/security/authentication/util/TestKerberosName.java (original) +++ hadoop/common/trunk/hadoop-common-project/hadoop-auth/src/test/java/org/apache/hadoop/security/authentication/util/TestKerberosName.java Wed May 7 18:20:11 2014 
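Review bot: In the `@@ -308,6 +315,9 @@` hunk the lowercase step has no comment, and two of its properties matter to whoever maintains these mappings. It runs after the rule has matched and after the non-simple-name check, so principals that differ only in case end up with the same short name, and anything that authorizes on the short name treats them as one account. It also pins the locale, which keeps the result independent of the JVM default; `Locale.ROOT` is the more conventional spelling and, as far as I can tell, behaves the same here. I would add `// "/L": fold the mapped short name to lower case; fixed locale so the mapping does not vary with the JVM default locale` above the `if`. The enclosing method starts outside the hunk.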
@@ -91,6 +91,22 @@ public class TestKerberosName { checkBadTranslation("root/j...@foo.com"); } + @Test + public void testToLowerCase() throws Exception { + String rules = + "RULE:[1:$1]/L\n" + + "RULE:[2:$1]/L\n" + + "RULE:[2:$1;$2](^.*;admin$)s/;admin$///L\n" + + "RULE:[2:$1;$2](^.*;guest$)s/;guest$//g/L\n" + + "DEFAULT"; + KerberosName.setRules(rules); + KerberosName.printRules(); + checkTranslation("j...@foo.com", "joe"); + checkTranslation("Joe/r...@foo.com", "joe"); + checkTranslation("Joe/ad...@foo.com", "joe"); + checkTranslation("Joe/guestgu...@foo.com", "joe"); + } + @After public void clear() { System.clearProperty("java.security.krb5.realm"); Modified: hadoop/common/trunk/hadoop-common-project/hadoop-common/CHANGES.txt URL: http://svn.apache.org/viewvc/hadoop/common/trunk/hadoop-common-project/hadoop-common/CHANGES.txt?rev=1593105&r1=1593104&r2=1593105&view=diff ============================================================================== --- hadoop/common/trunk/hadoop-common-project/hadoop-common/CHANGES.txt (original) +++ hadoop/common/trunk/hadoop-common-project/hadoop-common/CHANGES.txt Wed May 7 18:20:11 2014 @@ -371,6 +371,9 @@ Release 2.5.0 - UNRELEASED HADOOP-10471. Reduce the visibility of constants in ProxyUsers. (Benoy Antony via wheat9) + HADOOP-10566. Add toLowerCase support to auth_to_local rules + for service name. (tucu) + OPTIMIZATIONS BUG FIXES Modified: hadoop/common/trunk/hadoop-common-project/hadoop-common/src/site/apt/SecureMode.apt.vm URL: http://svn.apache.org/viewvc/hadoop/common/trunk/hadoop-common-project/hadoop-common/src/site/apt/SecureMode.apt.vm?rev=1593105&r1=1593104&r2=1593105&view=diff ============================================================================== --- hadoop/common/trunk/hadoop-common-project/hadoop-common/src/site/apt/SecureMode.apt.vm (original) +++ hadoop/common/trunk/hadoop-common-project/hadoop-common/src/site/apt/SecureMode.apt.vm Wed May 7 18:20:11 2014 
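Review bot: `testToLowerCase` only exercises rules that carry `/L`, so nothing pins the other half of the contract: that a rule without the flag leaves the case of the short name untouched. I would add a second rule list without `/L` and assert that a mixed-case principal maps to a mixed-case name. A rule string with a malformed suffix (a bare `L`, or a trailing `/` alone) would also be worth a test that records whether `setRules` accepts or rejects it; what it does today is not visible in this diff. The `KerberosName.printRules()` call only writes to stdout and asserts nothing, so it could be dropped.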
@@ -176,9 +176,11 @@ KVNO Timestamp Principal the rule specified by <<<hadoop.security.auth_to_local>>> which works in the same way as the <<<auth_to_local>>> in {{{http://web.mit.edu/Kerberos/krb5-latest/doc/admin/conf_files/krb5_conf.html}Kerberos configuration file (krb5.conf)}}. + In addition, Hadoop <<<auth_to_local>>> mapping supports the <</L>> flag that + lowercases the returned name. By default, it picks the first component of principal name as a user name - if the realms matches to the <<<defalut_realm>>> (usually defined in /etc/krb5.conf). + if the realms matches to the <<<default_realm>>> (usually defined in /etc/krb5.conf). For example, <<<host/full.qualified.domain.n...@realm.tld>>> is mapped to <<<host>>> by default rule.