HADOOP-10566. Add toLowerCase support to auth_to_local rules for service name. (tucu)

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1593105 13f79535-47bb-0310-9956-ffa450edef68
Alejandro Abdelnur 2014-05-07 18:20:11 +00:00
parent 2d5362073c
commit dca7350a36
4 changed files with 36 additions and 4 deletions


@ -21,6 +21,7 @@ package org.apache.hadoop.security.authentication.util;
import java.io.IOException; import java.io.IOException;
import java.util.ArrayList; import java.util.ArrayList;
import java.util.List; import java.util.List;
import java.util.Locale;
import java.util.regex.Matcher; import java.util.regex.Matcher;
import java.util.regex.Pattern; import java.util.regex.Pattern;
@ -66,7 +67,7 @@ public class KerberosName {
*/ */
private static final Pattern ruleParser = private static final Pattern ruleParser =
Pattern.compile("\\s*((DEFAULT)|(RULE:\\[(\\d*):([^\\]]*)](\\(([^)]*)\\))?"+ Pattern.compile("\\s*((DEFAULT)|(RULE:\\[(\\d*):([^\\]]*)](\\(([^)]*)\\))?"+
"(s/([^/]*)/([^/]*)/(g)?)?))"); "(s/([^/]*)/([^/]*)/(g)?)?))/?(L)?");
/** /**
* A pattern that recognizes simple/non-simple names. * A pattern that recognizes simple/non-simple names.
@ -171,6 +172,7 @@ public class KerberosName {
private final Pattern fromPattern; private final Pattern fromPattern;
private final String toPattern; private final String toPattern;
private final boolean repeat; private final boolean repeat;
private final boolean toLowerCase;
Rule() { Rule() {
isDefault = true; isDefault = true;
@ -180,10 +182,11 @@ public class KerberosName {
fromPattern = null; fromPattern = null;
toPattern = null; toPattern = null;
repeat = false; repeat = false;
toLowerCase = false;
} }
Rule(int numOfComponents, String format, String match, String fromPattern, Rule(int numOfComponents, String format, String match, String fromPattern,
String toPattern, boolean repeat) { String toPattern, boolean repeat, boolean toLowerCase) {
isDefault = false; isDefault = false;
this.numOfComponents = numOfComponents; this.numOfComponents = numOfComponents;
this.format = format; this.format = format;
@ -192,6 +195,7 @@ public class KerberosName {
fromPattern == null ? null : Pattern.compile(fromPattern); fromPattern == null ? null : Pattern.compile(fromPattern);
this.toPattern = toPattern; this.toPattern = toPattern;
this.repeat = repeat; this.repeat = repeat;
this.toLowerCase = toLowerCase;
} }
@Override @Override
@ -220,6 +224,9 @@ public class KerberosName {
buf.append('g'); buf.append('g');
} }
} }
if (toLowerCase) {
buf.append("/L");
}
} }
return buf.toString(); return buf.toString();
} }
@ -308,6 +315,9 @@ public class KerberosName {
throw new NoMatchingRule("Non-simple name " + result + throw new NoMatchingRule("Non-simple name " + result +
" after auth_to_local rule " + this); " after auth_to_local rule " + this);
} }
if (toLowerCase && result != null) {
result = result.toLowerCase(Locale.ENGLISH);
}
return result; return result;
} }
} }
@ -328,7 +338,8 @@ public class KerberosName {
matcher.group(7), matcher.group(7),
matcher.group(9), matcher.group(9),
matcher.group(10), matcher.group(10),
"g".equals(matcher.group(11)))); "g".equals(matcher.group(11)),
"L".equals(matcher.group(12))));
} }
remaining = remaining.substring(matcher.end()); remaining = remaining.substring(matcher.end());
} }
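Review bot: The new tail of `ruleParser`, `/?(L)?`, makes the slash and the flag optional independently, so a rule written as `RULE:[1:$1]L` turns lowercasing on and a dangling `/` is consumed with no effect; for an identity-mapping grammar I would accept only the exact `/L` suffix, e.g. `"(s/([^/]*)/([^/]*)/(g)?)?))(?:/(L))?"`, which keeps the flag in group 12. The suffix also sits outside the `DEFAULT|RULE` alternation, so `DEFAULT/L` parses; the branch that builds the default rule is outside the hunk, but if it uses the no-arg `Rule()` the flag is silently dropped there. Separately, the `toLowerCase` field deserves a comment that the flag merges principals differing only in case into one local name, e.g. `// /L folds case: Joe@REALM and joe@REALM map to the same short name`, so operators enable it knowingly.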


@ -91,6 +91,22 @@ public class TestKerberosName {
checkBadTranslation("root/joe@FOO.COM"); checkBadTranslation("root/joe@FOO.COM");
} }
@Test
public void testToLowerCase() throws Exception {
String rules =
"RULE:[1:$1]/L\n" +
"RULE:[2:$1]/L\n" +
"RULE:[2:$1;$2](^.*;admin$)s/;admin$///L\n" +
"RULE:[2:$1;$2](^.*;guest$)s/;guest$//g/L\n" +
"DEFAULT";
KerberosName.setRules(rules);
KerberosName.printRules();
checkTranslation("Joe@FOO.COM", "joe");
checkTranslation("Joe/root@FOO.COM", "joe");
checkTranslation("Joe/admin@FOO.COM", "joe");
checkTranslation("Joe/guestguest@FOO.COM", "joe");
}
@After @After
public void clear() { public void clear() {
System.clearProperty("java.security.krb5.realm"); System.clearProperty("java.security.krb5.realm");
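Review bot: Every rule in `testToLowerCase` carries `/L`, so the test would still pass if the flag were applied unconditionally or leaked from one rule to the next. Adding a rule without the suffix and asserting that case is preserved would pin the per-rule behaviour, for example a rule set `"RULE:[1:$1]/L\nRULE:[2:$1]\nDEFAULT"` with `checkTranslation("Joe/root@FOO.COM", "Joe");`. A case for a malformed suffix (a bare `L`, or `/` alone) would also document whether the parser is meant to accept it.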


@ -371,6 +371,9 @@ Release 2.5.0 - UNRELEASED
HADOOP-10471. Reduce the visibility of constants in ProxyUsers. HADOOP-10471. Reduce the visibility of constants in ProxyUsers.
(Benoy Antony via wheat9) (Benoy Antony via wheat9)
HADOOP-10566. Add toLowerCase support to auth_to_local rules
for service name. (tucu)
OPTIMIZATIONS OPTIMIZATIONS
BUG FIXES BUG FIXES


@ -176,9 +176,11 @@ KVNO Timestamp Principal
the rule specified by <<<hadoop.security.auth_to_local>>> the rule specified by <<<hadoop.security.auth_to_local>>>
which works in the same way as the <<<auth_to_local>>> in which works in the same way as the <<<auth_to_local>>> in
{{{http://web.mit.edu/Kerberos/krb5-latest/doc/admin/conf_files/krb5_conf.html}Kerberos configuration file (krb5.conf)}}. {{{http://web.mit.edu/Kerberos/krb5-latest/doc/admin/conf_files/krb5_conf.html}Kerberos configuration file (krb5.conf)}}.
In addition, Hadoop <<<auth_to_local>>> mapping supports the <</L>> flag that
lowercases the returned name.
By default, it picks the first component of principal name as a user name By default, it picks the first component of principal name as a user name
if the realms matches to the <<<defalut_realm>>> (usually defined in /etc/krb5.conf). if the realms matches to the <<<default_realm>>> (usually defined in /etc/krb5.conf).
For example, <<<host/full.qualified.domain.name@REALM.TLD>>> is mapped to <<<host>>> For example, <<<host/full.qualified.domain.name@REALM.TLD>>> is mapped to <<<host>>>
by default rule. by default rule.