HADOOP-10566. Add toLowerCase support to auth_to_local rules for service name. (tucu)
git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1593105 13f79535-47bb-0310-9956-ffa450edef68
parent
2d5362073c
commit
dca7350a36
|
@ -21,6 +21,7 @@ package org.apache.hadoop.security.authentication.util;
|
||||||
import java.io.IOException;
|
import java.io.IOException;
|
||||||
import java.util.ArrayList;
|
import java.util.ArrayList;
|
||||||
import java.util.List;
|
import java.util.List;
|
||||||
|
import java.util.Locale;
|
||||||
import java.util.regex.Matcher;
|
import java.util.regex.Matcher;
|
||||||
import java.util.regex.Pattern;
|
import java.util.regex.Pattern;
|
||||||
|
|
||||||
|
@ -66,7 +67,7 @@ public class KerberosName {
|
||||||
*/
|
*/
|
||||||
private static final Pattern ruleParser =
|
private static final Pattern ruleParser =
|
||||||
Pattern.compile("\\s*((DEFAULT)|(RULE:\\[(\\d*):([^\\]]*)](\\(([^)]*)\\))?"+
|
Pattern.compile("\\s*((DEFAULT)|(RULE:\\[(\\d*):([^\\]]*)](\\(([^)]*)\\))?"+
|
||||||
"(s/([^/]*)/([^/]*)/(g)?)?))");
|
"(s/([^/]*)/([^/]*)/(g)?)?))/?(L)?");
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* A pattern that recognizes simple/non-simple names.
|
* A pattern that recognizes simple/non-simple names.
|
||||||
|
@ -171,6 +172,7 @@ public class KerberosName {
|
||||||
private final Pattern fromPattern;
|
private final Pattern fromPattern;
|
||||||
private final String toPattern;
|
private final String toPattern;
|
||||||
private final boolean repeat;
|
private final boolean repeat;
|
||||||
|
private final boolean toLowerCase;
|
||||||
|
|
||||||
Rule() {
|
Rule() {
|
||||||
isDefault = true;
|
isDefault = true;
|
||||||
|
@ -180,10 +182,11 @@ public class KerberosName {
|
||||||
fromPattern = null;
|
fromPattern = null;
|
||||||
toPattern = null;
|
toPattern = null;
|
||||||
repeat = false;
|
repeat = false;
|
||||||
|
toLowerCase = false;
|
||||||
}
|
}
|
||||||
|
|
||||||
Rule(int numOfComponents, String format, String match, String fromPattern,
|
Rule(int numOfComponents, String format, String match, String fromPattern,
|
||||||
String toPattern, boolean repeat) {
|
String toPattern, boolean repeat, boolean toLowerCase) {
|
||||||
isDefault = false;
|
isDefault = false;
|
||||||
this.numOfComponents = numOfComponents;
|
this.numOfComponents = numOfComponents;
|
||||||
this.format = format;
|
this.format = format;
|
||||||
|
@ -192,6 +195,7 @@ public class KerberosName {
|
||||||
fromPattern == null ? null : Pattern.compile(fromPattern);
|
fromPattern == null ? null : Pattern.compile(fromPattern);
|
||||||
this.toPattern = toPattern;
|
this.toPattern = toPattern;
|
||||||
this.repeat = repeat;
|
this.repeat = repeat;
|
||||||
|
this.toLowerCase = toLowerCase;
|
||||||
}
|
}
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
|
@ -220,6 +224,9 @@ public class KerberosName {
|
||||||
buf.append('g');
|
buf.append('g');
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
if (toLowerCase) {
|
||||||
|
buf.append("/L");
|
||||||
|
}
|
||||||
}
|
}
|
||||||
return buf.toString();
|
return buf.toString();
|
||||||
}
|
}
|
||||||
|
@ -308,6 +315,9 @@ public class KerberosName {
|
||||||
throw new NoMatchingRule("Non-simple name " + result +
|
throw new NoMatchingRule("Non-simple name " + result +
|
||||||
" after auth_to_local rule " + this);
|
" after auth_to_local rule " + this);
|
||||||
}
|
}
|
||||||
|
if (toLowerCase && result != null) {
|
||||||
|
result = result.toLowerCase(Locale.ENGLISH);
|
||||||
|
}
|
||||||
return result;
|
return result;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -328,7 +338,8 @@ public class KerberosName {
|
||||||
matcher.group(7),
|
matcher.group(7),
|
||||||
matcher.group(9),
|
matcher.group(9),
|
||||||
matcher.group(10),
|
matcher.group(10),
|
||||||
"g".equals(matcher.group(11))));
|
"g".equals(matcher.group(11)),
|
||||||
|
"L".equals(matcher.group(12))));
|
||||||
}
|
}
|
||||||
remaining = remaining.substring(matcher.end());
|
remaining = remaining.substring(matcher.end());
|
||||||
}
|
}
|
||||||
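Review bot: The new `/?(L)?` suffix on `ruleParser` sits outside the `((DEFAULT)|(RULE:...))` alternation, so `DEFAULT/L` parses successfully while the no-arg `Rule()` constructor hard-codes `toLowerCase = false` and, as far as the constructor shows, the flag is silently dropped; because `/?` and `(L)?` are independent, `RULE:[1:$1]L` and a dangling `RULE:[1:$1]/` are accepted too. Tying the slash to the flag and moving it inside the RULE branch keeps the group numbering intact: `"(s/([^/]*)/([^/]*)/(g)?)?(?:/(L))?))"` in place of `"(s/([^/]*)/([^/]*)/(g)?)?))/?(L)?"`, after which `"L".equals(matcher.group(12))` is unchanged and `DEFAULT/L` is rejected at parse time instead of being accepted with no effect. The Javadoc that ends on this section's first hunk line presumably describes the rule grammar; if so it should gain a sentence such as `An optional /L suffix lowercases the resulting short name.` The parser's DEFAULT branch is outside the hunk, so whether it consults group 12 is inferred from the constructor alone.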
|
|
|
@ -91,6 +91,22 @@ public class TestKerberosName {
|
||||||
checkBadTranslation("root/joe@FOO.COM");
|
checkBadTranslation("root/joe@FOO.COM");
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
public void testToLowerCase() throws Exception {
|
||||||
|
String rules =
|
||||||
|
"RULE:[1:$1]/L\n" +
|
||||||
|
"RULE:[2:$1]/L\n" +
|
||||||
|
"RULE:[2:$1;$2](^.*;admin$)s/;admin$///L\n" +
|
||||||
|
"RULE:[2:$1;$2](^.*;guest$)s/;guest$//g/L\n" +
|
||||||
|
"DEFAULT";
|
||||||
|
KerberosName.setRules(rules);
|
||||||
|
KerberosName.printRules();
|
||||||
|
checkTranslation("Joe@FOO.COM", "joe");
|
||||||
|
checkTranslation("Joe/root@FOO.COM", "joe");
|
||||||
|
checkTranslation("Joe/admin@FOO.COM", "joe");
|
||||||
|
checkTranslation("Joe/guestguest@FOO.COM", "joe");
|
||||||
|
}
|
||||||
|
|
||||||
@After
|
@After
|
||||||
public void clear() {
|
public void clear() {
|
||||||
System.clearProperty("java.security.krb5.realm");
|
System.clearProperty("java.security.krb5.realm");
|
||||||
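Review bot: In `testToLowerCase` the second rule `RULE:[2:$1]/L` carries no match expression, so it accepts every two-component principal and the two substitution rules after it are never reached: `checkTranslation("Joe/admin@FOO.COM", "joe")` and `checkTranslation("Joe/guestguest@FOO.COM", "joe")` both translate via `RULE:[2:$1]/L` (assuming rules are tried in order, which the trailing `DEFAULT` implies). The `s/.../.../L` and `s/.../.../g/L` forms are therefore exercised only by `setRules` parsing, not by translation, which is the behaviour the commit adds. Placing `RULE:[2:$1]/L` after the two substitution rules would cover them, though the expected values then need rechecking — `s/;guest$//g` applied to `Joe;guestguest` is unlikely to yield `joe`, so that principal would want adjusting as well.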
|
|
|
@ -371,6 +371,9 @@ Release 2.5.0 - UNRELEASED
|
||||||
HADOOP-10471. Reduce the visibility of constants in ProxyUsers.
|
HADOOP-10471. Reduce the visibility of constants in ProxyUsers.
|
||||||
(Benoy Antony via wheat9)
|
(Benoy Antony via wheat9)
|
||||||
|
|
||||||
|
HADOOP-10566. Add toLowerCase support to auth_to_local rules
|
||||||
|
for service name. (tucu)
|
||||||
|
|
||||||
OPTIMIZATIONS
|
OPTIMIZATIONS
|
||||||
|
|
||||||
BUG FIXES
|
BUG FIXES
|
||||||
|
|
|
@ -176,9 +176,11 @@ KVNO Timestamp Principal
|
||||||
the rule specified by <<<hadoop.security.auth_to_local>>>
|
the rule specified by <<<hadoop.security.auth_to_local>>>
|
||||||
which works in the same way as the <<<auth_to_local>>> in
|
which works in the same way as the <<<auth_to_local>>> in
|
||||||
{{{http://web.mit.edu/Kerberos/krb5-latest/doc/admin/conf_files/krb5_conf.html}Kerberos configuration file (krb5.conf)}}.
|
{{{http://web.mit.edu/Kerberos/krb5-latest/doc/admin/conf_files/krb5_conf.html}Kerberos configuration file (krb5.conf)}}.
|
||||||
|
In addition, Hadoop <<<auth_to_local>>> mapping supports the <</L>> flag that
|
||||||
|
lowercases the returned name.
|
||||||
|
|
||||||
By default, it picks the first component of principal name as a user name
|
By default, it picks the first component of principal name as a user name
|
||||||
if the realms matches to the <<<defalut_realm>>> (usually defined in /etc/krb5.conf).
|
if the realms matches to the <<<default_realm>>> (usually defined in /etc/krb5.conf).
|
||||||
For example, <<<host/full.qualified.domain.name@REALM.TLD>>> is mapped to <<<host>>>
|
For example, <<<host/full.qualified.domain.name@REALM.TLD>>> is mapped to <<<host>>>
|
||||||
by default rule.
|
by default rule.
|
||||||
|
|
||||||
|
|