From 2d683525d2d9d1ec18561616b5d7dd9284332624 Mon Sep 17 00:00:00 2001 From: Alejandro Abdelnur Date: Wed, 7 May 2014 18:22:12 +0000 Subject: [PATCH] HADOOP-10566. Add toLowerCase support to auth_to_local rules for service name. (tucu) git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/branches/branch-2@1593106 13f79535-47bb-0310-9956-ffa450edef68 --- .../authentication/util/KerberosName.java | 17 ++++++++++++++--- .../authentication/util/TestKerberosName.java | 16 ++++++++++++++++ hadoop-common-project/hadoop-common/CHANGES.txt | 3 +++ .../src/site/apt/SecureMode.apt.vm | 4 +++- 4 files changed, 36 insertions(+), 4 deletions(-) diff --git a/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/util/KerberosName.java b/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/util/KerberosName.java index 6c511869c0f..62bb00acab4 100644 --- a/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/util/KerberosName.java +++ b/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/util/KerberosName.java @@ -21,6 +21,7 @@ package org.apache.hadoop.security.authentication.util; import java.io.IOException; import java.util.ArrayList; import java.util.List; +import java.util.Locale; import java.util.regex.Matcher; import java.util.regex.Pattern; @@ -66,7 +67,7 @@ public class KerberosName { */ private static final Pattern ruleParser = Pattern.compile("\\s*((DEFAULT)|(RULE:\\[(\\d*):([^\\]]*)](\\(([^)]*)\\))?"+ - "(s/([^/]*)/([^/]*)/(g)?)?))"); + "(s/([^/]*)/([^/]*)/(g)?)?))/?(L)?"); /** * A pattern that recognizes simple/non-simple names. @@ -171,6 +172,7 @@ public class KerberosName { private final Pattern fromPattern; private final String toPattern; private final boolean repeat; + private final boolean toLowerCase; Rule() { isDefault = true; 
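Review bot: In the `ruleParser` change (hunk at -66,7), `/?(L)?` is appended outside the `(DEFAULT)|(RULE:…)` alternation and the slash is optional, so the parser accepts more than the documented `/L` suffix. `RULE:[1:$1]L` parses as a lowercasing rule, and `DEFAULT/L` is consumed as well. The no-arg `Rule()` constructor sets `toLowerCase = false`, and group 12 is only read inside the `new Rule(...)` call of the later parse hunk (-328,7), so a flag written on `DEFAULT` appears to be dropped without an error; the effective principal-to-user mapping then differs from what the rule text says. Consider binding the flag to the RULE alternative and requiring the slash, e.g. ending the pattern with `"(s/([^/]*)/([^/]*)/(g)?)?(/L)?))"` and passing `matcher.group(12) != null`. The pattern's Javadoc and the parse loop both extend beyond the visible hunks.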
@@ -180,10 +182,11 @@ public class KerberosName { fromPattern = null; toPattern = null; repeat = false; + toLowerCase = false; } Rule(int numOfComponents, String format, String match, String fromPattern, - String toPattern, boolean repeat) { + String toPattern, boolean repeat, boolean toLowerCase) { isDefault = false; this.numOfComponents = numOfComponents; this.format = format; @@ -192,6 +195,7 @@ public class KerberosName { fromPattern == null ? null : Pattern.compile(fromPattern); this.toPattern = toPattern; this.repeat = repeat; + this.toLowerCase = toLowerCase; } @Override @@ -220,6 +224,9 @@ public class KerberosName { buf.append('g'); } } + if (toLowerCase) { + buf.append("/L"); + } } return buf.toString(); } @@ -308,6 +315,9 @@ public class KerberosName { throw new NoMatchingRule("Non-simple name " + result + " after auth_to_local rule " + this); } + if (toLowerCase && result != null) { + result = result.toLowerCase(Locale.ENGLISH); + } return result; } } @@ -328,7 +338,8 @@ public class KerberosName { matcher.group(7), matcher.group(9), matcher.group(10), - "g".equals(matcher.group(11)))); + "g".equals(matcher.group(11)), + "L".equals(matcher.group(12)))); } remaining = remaining.substring(matcher.end()); } diff --git a/hadoop-common-project/hadoop-auth/src/test/java/org/apache/hadoop/security/authentication/util/TestKerberosName.java b/hadoop-common-project/hadoop-auth/src/test/java/org/apache/hadoop/security/authentication/util/TestKerberosName.java index e82a0a6c182..354917efe20 100644 --- a/hadoop-common-project/hadoop-auth/src/test/java/org/apache/hadoop/security/authentication/util/TestKerberosName.java +++ b/hadoop-common-project/hadoop-auth/src/test/java/org/apache/hadoop/security/authentication/util/TestKerberosName.java 
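Review bot: The lowercasing step added just before `return result;` (hunk at -308,6) has no comment stating what it does to identity mapping. Kerberos principal names are case-sensitive, so under an `/L` rule `Joe@FOO.COM` and `joe@FOO.COM` resolve to the same short name. That is the intent of the flag, but it should be stated here and on the `toLowerCase` field so that rule authors limit `/L` to rules with a match expression rather than applying it to every principal. Suggested comment: `// /L: fold case after the rule matched; principals differing only in case map to the same user. Locale.ENGLISH keeps this independent of the JVM default locale.` The enclosing method starts outside the hunk.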
@@ -91,6 +91,22 @@ public class TestKerberosName { checkBadTranslation("root/joe@FOO.COM"); } + @Test + public void testToLowerCase() throws Exception { + String rules = + "RULE:[1:$1]/L\n" + + "RULE:[2:$1]/L\n" + + "RULE:[2:$1;$2](^.*;admin$)s/;admin$///L\n" + + "RULE:[2:$1;$2](^.*;guest$)s/;guest$//g/L\n" + + "DEFAULT"; + KerberosName.setRules(rules); + KerberosName.printRules(); + checkTranslation("Joe@FOO.COM", "joe"); + checkTranslation("Joe/root@FOO.COM", "joe"); + checkTranslation("Joe/admin@FOO.COM", "joe"); + checkTranslation("Joe/guestguest@FOO.COM", "joe"); + } + @After public void clear() { System.clearProperty("java.security.krb5.realm"); diff --git a/hadoop-common-project/hadoop-common/CHANGES.txt b/hadoop-common-project/hadoop-common/CHANGES.txt index e268b061279..e4d7210c2c0 100644 --- a/hadoop-common-project/hadoop-common/CHANGES.txt +++ b/hadoop-common-project/hadoop-common/CHANGES.txt @@ -39,6 +39,9 @@ Release 2.5.0 - UNRELEASED HADOOP-10471. Reduce the visibility of constants in ProxyUsers. (Benoy Antony via wheat9) + HADOOP-10566. Add toLowerCase support to auth_to_local rules + for service name. (tucu) + OPTIMIZATIONS BUG FIXES diff --git a/hadoop-common-project/hadoop-common/src/site/apt/SecureMode.apt.vm b/hadoop-common-project/hadoop-common/src/site/apt/SecureMode.apt.vm index 68ca4b0da68..fb1b262ea8d 100644 --- a/hadoop-common-project/hadoop-common/src/site/apt/SecureMode.apt.vm +++ b/hadoop-common-project/hadoop-common/src/site/apt/SecureMode.apt.vm 
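Review bot: `testToLowerCase` only exercises rules that carry `/L`, so nothing pins that a rule without the flag still preserves case, or how the parser treats a flag in an unexpected position. A regression that lowercases every mapped name would still pass this test. Add a second rule set without the flag, e.g. `KerberosName.setRules("RULE:[1:$1]\nDEFAULT");` followed by `checkTranslation("Joe@FOO.COM", "Joe");`. A case for a flag on `DEFAULT` would document whichever behaviour is intended there. The `KerberosName.printRules()` call only writes to the test output and asserts nothing, so it can be dropped.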
@@ -176,9 +176,11 @@ KVNO Timestamp Principal the rule specified by <<>> which works in the same way as the <<>> in {{{http://web.mit.edu/Kerberos/krb5-latest/doc/admin/conf_files/krb5_conf.html}Kerberos configuration file (krb5.conf)}}. + In addition, Hadoop <<>> mapping supports the <> flag that + lowercases the returned name. By default, it picks the first component of principal name as a user name - if the realms matches to the <<>> (usually defined in /etc/krb5.conf). + if the realms matches to the <<>> (usually defined in /etc/krb5.conf). For example, <<>> is mapped to <<>> by default rule.