HBASE-6671 Kerberos authenticated super user should be able to retrieve proxied delegation tokens (Francis)

git-svn-id: https://svn.apache.org/repos/asf/hbase/trunk@1378142 13f79535-47bb-0310-9956-ffa450edef68
Zhihong Yu 2012-08-28 14:05:45 +00:00
parent c9b028862a
commit fdd28ab069
1 changed files with 19 additions and 2 deletions


@ -31,6 +31,7 @@ import org.apache.hadoop.hbase.ipc.RpcServer;
import org.apache.hadoop.hbase.security.AccessDeniedException;
import org.apache.hadoop.hbase.security.User;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.UserGroupInformation.AuthenticationMethod;
import org.apache.hadoop.security.token.SecretManager;
import org.apache.hadoop.security.token.Token;
@ -78,8 +79,7 @@ public class TokenProvider extends BaseEndpointCoprocessor
}
if (currentUser == null) {
throw new AccessDeniedException("No authenticated user for request!");
} else if (ugi.getAuthenticationMethod() !=
UserGroupInformation.AuthenticationMethod.KERBEROS) {
} else if (!isAllowedDelegationTokenOp(ugi)) {
LOG.warn("Token generation denied for user="+currentUser.getName()
+", authMethod="+ugi.getAuthenticationMethod());
throw new AccessDeniedException(
@ -89,6 +89,23 @@ public class TokenProvider extends BaseEndpointCoprocessor
return secretManager.generateToken(currentUser.getName());
}
/**
* @param ugi
* @return true if delegation token operation is allowed
*/
private boolean isAllowedDelegationTokenOp(UserGroupInformation ugi) throws IOException {
AuthenticationMethod authMethod = ugi.getAuthenticationMethod();
if (authMethod == AuthenticationMethod.PROXY) {
authMethod = ugi.getRealUser().getAuthenticationMethod();
}
if (authMethod != AuthenticationMethod.KERBEROS
&& authMethod != AuthenticationMethod.KERBEROS_SSL
&& authMethod != AuthenticationMethod.CERTIFICATE) {
return false;
}
return true;
}
@Override
public String whoami() {
return RequestContext.getRequestUserName();
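Review bot: In isAllowedDelegationTokenOp, `ugi.getRealUser()` is dereferenced without a null check, so a PROXY-method UGI that carries no real user would surface as a NullPointerException rather than an AccessDeniedException; guard it with `UserGroupInformation realUser = ugi.getRealUser(); if (realUser == null) return false;` before reading its authentication method. The helper checks only how the real user authenticated, while the token is still issued for `currentUser.getName()`, so whether that real user is permitted to impersonate the named user has to be enforced elsewhere (presumably at RPC connection setup, which is not visible here), and the Javadoc should state that assumption. The check also newly admits KERBEROS_SSL and CERTIFICATE for non-proxied callers, a widening the commit title does not mention and that deserves a sentence in the Javadoc or description. In the denial branch, whose enclosing method starts outside the hunks shown, the warning still prints `ugi.getAuthenticationMethod()`, which will read PROXY for a rejected proxy caller; logging the real user's name and authentication method as well would make the audit record usable.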