HBASE-20664 Reduce the broad scope of outToken in ThriftHttpServlet

Signed-off-by: Andrew Purtell <apurtell@apache.org>
2018-05-31 13:02:53 -04:00 · 2018-05-31 13:02:53 -04:00 · 0c42acbdf8
parent da3ecf1f13
commit 0c42acbdf8
1 changed files with 18 additions and 6 deletions
--- a/hbase-thrift/src/main/java/org/apache/hadoop/hbase/thrift/ThriftHttpServlet.java
+++ b/hbase-thrift/src/main/java/org/apache/hadoop/hbase/thrift/ThriftHttpServlet.java
@ -57,7 +57,6 @@ public class ThriftHttpServlet extends TServlet {
  private final boolean securityEnabled;
  private final boolean doAsEnabled;
  private transient ThriftServerRunner.HBaseHandler hbaseHandler;
-  private String outToken;

  // HTTP Header related constants.
  public static final String WWW_AUTHENTICATE = "WWW-Authenticate";
@ -83,10 +82,11 @@ public class ThriftHttpServlet extends TServlet {
      try {
        // As Thrift HTTP transport doesn't support SPNEGO yet (THRIFT-889),
        // Kerberos authentication is being done at servlet level.
-        effectiveUser = doKerberosAuth(request);
+        final RemoteUserIdentity identity = doKerberosAuth(request);
+        effectiveUser = identity.principal;
        // It is standard for client applications expect this header.
        // Please see http://tools.ietf.org/html/rfc4559 for more details.
-        response.addHeader(WWW_AUTHENTICATE,  NEGOTIATE + " " + outToken);
+        response.addHeader(WWW_AUTHENTICATE,  NEGOTIATE + " " + identity.outToken);
      } catch (HttpAuthenticationException e) {
        LOG.error("Kerberos Authentication failed", e);
        // Send a 401 to the client
@ -127,19 +127,31 @@ public class ThriftHttpServlet extends TServlet {
   * We already have a logged in subject in the form of serviceUGI,
   * which GSS-API will extract information from.
   */
-  private String doKerberosAuth(HttpServletRequest request)
+  private RemoteUserIdentity doKerberosAuth(HttpServletRequest request)
      throws HttpAuthenticationException {
    HttpKerberosServerAction action = new HttpKerberosServerAction(request, realUser);
    try {
      String principal = realUser.doAs(action);
-      outToken = action.outToken;
-      return principal;
+      return new RemoteUserIdentity(principal, action.outToken);
    } catch (Exception e) {
      LOG.error("Failed to perform authentication");
      throw new HttpAuthenticationException(e);
    }
  }

+  /**
+   * Basic "struct" class to hold the final base64-encoded, authenticated GSSAPI token
+   * for the user with the given principal talking to the Thrift server.
+   */
+  private static class RemoteUserIdentity {
+    final String outToken;
+    final String principal;
+
+    RemoteUserIdentity(String principal, String outToken) {
+      this.principal = principal;
+      this.outToken = outToken;
+    }
+  }

  private static class HttpKerberosServerAction implements PrivilegedExceptionAction<String> {
    HttpServletRequest request;