From ae6a2de56035dc7c88cc5b540fb0e3c3cfb71f7f Mon Sep 17 00:00:00 2001
From: Josh Elser
Date: Tue, 21 Jan 2020 18:38:26 -0500
Subject: [PATCH] HBASE-23709 Unwrap the real user to properly dispatch proxy-user auth'n

REST and Thrift servers started failing because the check in BuiltinProviderSelector wasn't checking the "real" user for kerberos credentials. This resulted in the KerberosAuthnProvider not being invoked when it should have been.
Closes #1080
Signed-off-by: Peter Somogyi
---
 .../security/provider/BuiltInProviderSelector.java | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/hbase-client/src/main/java/org/apache/hadoop/hbase/security/provider/BuiltInProviderSelector.java b/hbase-client/src/main/java/org/apache/hadoop/hbase/security/provider/BuiltInProviderSelector.java
index 8286380a4df..8d20171c596 100644
--- a/hbase-client/src/main/java/org/apache/hadoop/hbase/security/provider/BuiltInProviderSelector.java
+++ b/hbase-client/src/main/java/org/apache/hadoop/hbase/security/provider/BuiltInProviderSelector.java
@@ -123,11 +123,16 @@ public class BuiltInProviderSelector implements AuthenticationProviderSelector {
 return new Pair<>(digestAuth, token);
 }
 }
- if (user.getUGI().hasKerberosCredentials()) {
+ // Unwrap PROXY auth'n method if that's what we have coming in.
+ if (user.getUGI().hasKerberosCredentials() ||
+ user.getUGI().getRealUser().hasKerberosCredentials()) {
 return new Pair<>(krbAuth, null);
 }
- LOG.debug(
- "No matching SASL authentication provider and supporting token found from providers.");
+ // This indicates that a client is requesting some authentication mechanism which the servers
+ // don't know how to process (e.g. there is no provider which can support it). This may be
+ // a bug or simply a misconfiguration of client *or* server.
+ LOG.warn("No matching SASL authentication provider and supporting token found from providers"
+ + " for user: {}", user);
 return null;
 }
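Review bot: The added `user.getUGI().getRealUser().hasKerberosCredentials()` call in the Kerberos check dereferences the result of `getRealUser()` without a guard, and Hadoop's `UserGroupInformation.getRealUser()` returns null when the UGI is not a proxy user. A non-proxy user with no Kerberos credentials and no matching token would therefore throw a NullPointerException here instead of reaching the new `LOG.warn` and `return null`. Read the real user once and guard it: `UserGroupInformation realUser = user.getUGI().getRealUser();` followed by `if (user.getUGI().hasKerberosCredentials() || (realUser != null && realUser.hasKerberosCredentials())) {`. The enclosing method and the file's imports start above the hunk, so whether `UserGroupInformation` is already imported cannot be confirmed from here.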