Repository: ambari Updated Branches: refs/heads/trunk e0765d922 -> 716b2fca3
AMBARI-19767. Inconsistent auth-to-local rules processing during Kerberos authentication (rlevas) Project: http://git-wip-us.apache.org/repos/asf/ambari/repo Commit: http://git-wip-us.apache.org/repos/asf/ambari/commit/716b2fca Tree: http://git-wip-us.apache.org/repos/asf/ambari/tree/716b2fca Diff: http://git-wip-us.apache.org/repos/asf/ambari/diff/716b2fca Branch: refs/heads/trunk Commit: 716b2fca38a9db43b3211b9380f18149a3342256 Parents: e0765d9 Author: Robert Levas <[email protected]> Authored: Sun Jan 29 11:14:59 2017 -0500 Committer: Robert Levas <[email protected]> Committed: Sun Jan 29 11:15:24 2017 -0500 ---------------------------------------------------------------------- .../AmbariAuthToLocalUserDetailsService.java | 17 ++++++++++++----- 1 file changed, 12 insertions(+), 5 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/ambari/blob/716b2fca/ambari-server/src/main/java/org/apache/ambari/server/security/authentication/kerberos/AmbariAuthToLocalUserDetailsService.java ----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/security/authentication/kerberos/AmbariAuthToLocalUserDetailsService.java b/ambari-server/src/main/java/org/apache/ambari/server/security/authentication/kerberos/AmbariAuthToLocalUserDetailsService.java
index c85503c..1e4f6ea 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/security/authentication/kerberos/AmbariAuthToLocalUserDetailsService.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/security/authentication/kerberos/AmbariAuthToLocalUserDetailsService.java
@@ -49,6 +49,8 @@ public class AmbariAuthToLocalUserDetailsService implements UserDetailsService {
 private final List<UserType> userTypeOrder;
+ private final String authToLocalRules;
+
 /**
 * Constructor.
 * <p>
@@ -80,18 +82,23 @@ public class AmbariAuthToLocalUserDetailsService implements UserDetailsService {
 orderedUserTypes = Collections.singletonList(UserType.LDAP);
 }
- KerberosName.setRules(authToLocalRules);
-
 this.users = users;
 this.userTypeOrder = orderedUserTypes;
+ this.authToLocalRules = authToLocalRules;
 }
 @Override
 public UserDetails loadUserByUsername(String principal) throws UsernameNotFoundException {
- KerberosName kerberosName = new KerberosName(principal);
-
 try {
- String username = kerberosName.getShortName();
+ String username;
+
+ // Since KerberosName relies on a static variable to hold on to the auth-to-local rules, attempt
+ // to protect access to the rule set by blocking other threads from chaning the rules out from
+ // under us during this operation. Similar logic is used in org.apache.ambari.server.view.ViewContextImpl.getUsername().
+ synchronized (KerberosName.class) {
+ KerberosName.setRules(authToLocalRules);
+ username = new KerberosName(principal).getShortName();
+ }
 if (username == null) {
 String message = String.format("Failed to translate %s to a local username during Kerberos authentication.", principal);
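Review bot: The `synchronized (KerberosName.class)` block added to `loadUserByUsername` only serializes callers that take the same monitor, so any code in the JVM that calls `KerberosName.setRules` without it can still replace the rules between `setRules` and `getShortName()`. Because this translation decides which local Ambari user a Kerberos principal is authenticated as, a swapped rule set would most likely mean a wrong or failed mapping rather than a harmless glitch. I would put the lock, set and translate sequence in one shared helper used both here and by `ViewContextImpl.getUsername()`, and state the contract in the comment, for example `// Every caller of KerberosName.setRules in this JVM must hold the KerberosName.class monitor.` The new comment also spells `changing` as `chaning`. The method body continues past the end of the hunk, so how an exception from `getShortName()` is handled cannot be checked from here.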
