HBASE-23709 Unwrap the real user to properly dispatch proxy-user auth'n

REST and Thrift servers started failing because the check in
BuiltinProviderSelector wasn't checking the "real" user for kerberos
credentials. This resulted in the KerberosAuthnProvider not being
invoked when it should have been.

Closes #1080

Signed-off-by: Peter Somogyi <psomogyi@apache.org>
Josh Elser 2020-01-21 18:38:26 -05:00 committed by Peter Somogyi
parent 5e607a122e
commit f8a28c3ea6
1 changed files with 8 additions and 3 deletions

@ -123,11 +123,16 @@ public class BuiltInProviderSelector implements AuthenticationProviderSelector {
return new Pair<>(digestAuth, token); return new Pair<>(digestAuth, token);
} }
} }
if (user.getUGI().hasKerberosCredentials()) { // Unwrap PROXY auth'n method if that's what we have coming in.
if (user.getUGI().hasKerberosCredentials() ||
user.getUGI().getRealUser().hasKerberosCredentials()) {
return new Pair<>(krbAuth, null); return new Pair<>(krbAuth, null);
} }
LOG.debug( // This indicates that a client is requesting some authentication mechanism which the servers
"No matching SASL authentication provider and supporting token found from providers."); // don't know how to process (e.g. there is no provider which can support it). This may be
// a bug or simply a misconfiguration of client *or* server.
LOG.warn("No matching SASL authentication provider and supporting token found from providers"
+ " for user: {}", user);
return null; return null;
} }