From f6c4405929055c7e3d7135f49015dfac707c58d6 Mon Sep 17 00:00:00 2001 From: Josh Elser Date: Thu, 31 May 2018 13:02:53 -0400 Subject: [PATCH] HBASE-20664 Reduce the broad scope of outToken in ThriftHttpServlet Signed-off-by: Andrew Purtell --- .../hbase/thrift/ThriftHttpServlet.java | 24 ++++++++++++++----- 1 file changed, 18 insertions(+), 6 deletions(-) diff --git a/hbase-thrift/src/main/java/org/apache/hadoop/hbase/thrift/ThriftHttpServlet.java b/hbase-thrift/src/main/java/org/apache/hadoop/hbase/thrift/ThriftHttpServlet.java index 4f55a01a08f..8d689641130 100644 --- a/hbase-thrift/src/main/java/org/apache/hadoop/hbase/thrift/ThriftHttpServlet.java +++ b/hbase-thrift/src/main/java/org/apache/hadoop/hbase/thrift/ThriftHttpServlet.java @@ -57,7 +57,6 @@ public class ThriftHttpServlet extends TServlet { private final boolean securityEnabled; private final boolean doAsEnabled; private transient ThriftServerRunner.HBaseHandler hbaseHandler; - private String outToken; // HTTP Header related constants. public static final String WWW_AUTHENTICATE = "WWW-Authenticate"; @@ -83,10 +82,11 @@ public class ThriftHttpServlet extends TServlet { try { // As Thrift HTTP transport doesn't support SPNEGO yet (THRIFT-889), // Kerberos authentication is being done at servlet level. - effectiveUser = doKerberosAuth(request); + final RemoteUserIdentity identity = doKerberosAuth(request); + effectiveUser = identity.principal; // It is standard for client applications expect this header. // Please see http://tools.ietf.org/html/rfc4559 for more details. - response.addHeader(WWW_AUTHENTICATE, NEGOTIATE + " " + outToken); + response.addHeader(WWW_AUTHENTICATE, NEGOTIATE + " " + identity.outToken); } catch (HttpAuthenticationException e) { LOG.error("Kerberos Authentication failed", e); // Send a 401 to the client @@ -127,19 +127,31 @@ public class ThriftHttpServlet extends TServlet { * We already have a logged in subject in the form of serviceUGI, * which GSS-API will extract information from. */ - private String doKerberosAuth(HttpServletRequest request) + private RemoteUserIdentity doKerberosAuth(HttpServletRequest request) throws HttpAuthenticationException { HttpKerberosServerAction action = new HttpKerberosServerAction(request, realUser); try { String principal = realUser.doAs(action); - outToken = action.outToken; - return principal; + return new RemoteUserIdentity(principal, action.outToken); } catch (Exception e) { LOG.error("Failed to perform authentication"); throw new HttpAuthenticationException(e); } } + /** + * Basic "struct" class to hold the final base64-encoded, authenticated GSSAPI token + * for the user with the given principal talking to the Thrift server. + */ + private static class RemoteUserIdentity { + final String outToken; + final String principal; + + RemoteUserIdentity(String principal, String outToken) { + this.principal = principal; + this.outToken = outToken; + } + } private static class HttpKerberosServerAction implements PrivilegedExceptionAction { HttpServletRequest request;