Repository: ambari Updated Branches: refs/heads/branch-2.5 49ba891ce -> 30c2c3bf1
AMBARI-19767. Inconsistent auth-to-local rules processing during Kerberos authentication (rlevas) Project: http://git-wip-us.apache.org/repos/asf/ambari/repo Commit: http://git-wip-us.apache.org/repos/asf/ambari/commit/30c2c3bf Tree: http://git-wip-us.apache.org/repos/asf/ambari/tree/30c2c3bf Diff: http://git-wip-us.apache.org/repos/asf/ambari/diff/30c2c3bf Branch: refs/heads/branch-2.5 Commit: 30c2c3bf16c3a33ac054a6166b039455867de39c Parents: 49ba891 Author: Robert Levas <[email protected]> Authored: Sun Jan 29 11:16:39 2017 -0500 Committer: Robert Levas <[email protected]> Committed: Sun Jan 29 11:16:39 2017 -0500 ---------------------------------------------------------------------- .../AmbariAuthToLocalUserDetailsService.java | 17 ++++++++++++----- 1 file changed, 12 insertions(+), 5 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/ambari/blob/30c2c3bf/ambari-server/src/main/java/org/apache/ambari/server/security/authentication/kerberos/AmbariAuthToLocalUserDetailsService.java ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/java/org/apache/ambari/server/security/authentication/kerberos/AmbariAuthToLocalUserDetailsService.java b/ambari-server/src/main/java/org/apache/ambari/server/security/authentication/kerberos/AmbariAuthToLocalUserDetailsService.java index 3c62646..6e84233 100644 --- a/ambari-server/src/main/java/org/apache/ambari/server/security/authentication/kerberos/AmbariAuthToLocalUserDetailsService.java +++ b/ambari-server/src/main/java/org/apache/ambari/server/security/authentication/kerberos/AmbariAuthToLocalUserDetailsService.java @@ -49,6 +49,8 @@ public class AmbariAuthToLocalUserDetailsService implements UserDetailsService { private final List<UserType> userTypeOrder; + private final String authToLocalRules; + /** * Constructor. * <p> 
@@ -80,18 +82,23 @@ public class AmbariAuthToLocalUserDetailsService implements UserDetailsService { orderedUserTypes = Collections.singletonList(UserType.LDAP); } - KerberosName.setRules(authToLocalRules); - this.users = users; this.userTypeOrder = orderedUserTypes; + this.authToLocalRules = authToLocalRules; } @Override public UserDetails loadUserByUsername(String principal) throws UsernameNotFoundException { - KerberosName kerberosName = new KerberosName(principal); - try { - String username = kerberosName.getShortName(); + String username; + + // Since KerberosName relies on a static variable to hold on to the auth-to-local rules, attempt + // to protect access to the rule set by blocking other threads from chaning the rules out from + // under us during this operation. Similar logic is used in org.apache.ambari.server.view.ViewContextImpl.getUsername(). + synchronized (KerberosName.class) { + KerberosName.setRules(authToLocalRules); + username = new KerberosName(principal).getShortName(); + } if (username == null) { String message = String.format("Failed to translate %s to a local username during Kerberos authentication.", principal);
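Review bot: The `synchronized (KerberosName.class)` block added to `loadUserByUsername` only serializes against code that takes the same monitor, so any other caller in the JVM that invokes `KerberosName.setRules` without it can still replace the static rule set between this method's `setRules` call and `getShortName()`. Because that translation decides which local account a Kerberos login is bound to, the comment should state the requirement instead of describing an attempt (and fix the typo "chaning"), e.g. `// Every caller of KerberosName.setRules() in this JVM must hold the KerberosName.class monitor; otherwise a principal can be translated with another component's rules.` Moving `setRules` out of the constructor also means the rules are parsed on every login rather than once at construction, so a malformed rule set presumably surfaces only at the first authentication attempt; validating `authToLocalRules` once in the constructor would keep that failure at startup. The `try` block and its `catch` continue outside the hunk, so whether an exception thrown by `setRules` is handled there cannot be confirmed from the visible lines.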
