This is an automated email from the ASF dual-hosted git repository.

psomogyi pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/hbase.git


The following commit(s) were added to refs/heads/master by this push:
     new ae6a2de  HBASE-23709 Unwrap the real user to properly dispatch 
proxy-user auth'n
ae6a2de is described below

commit ae6a2de56035dc7c88cc5b540fb0e3c3cfb71f7f
Author: Josh Elser <[email protected]>
AuthorDate: Tue Jan 21 18:38:26 2020 -0500

    HBASE-23709 Unwrap the real user to properly dispatch proxy-user auth'n
    
    REST and Thrift servers started failing because the check in
    BuiltinProviderSelector wasn't checking the "real" user for kerberos
    credentials. This resulted in the KerberosAuthnProvider not being
    invoked when it should have been.
    
    Closes #1080
    
    Signed-off-by: Peter Somogyi <[email protected]>
---
 .../hbase/security/provider/BuiltInProviderSelector.java      | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git 
a/hbase-client/src/main/java/org/apache/hadoop/hbase/security/provider/BuiltInProviderSelector.java
 
b/hbase-client/src/main/java/org/apache/hadoop/hbase/security/provider/BuiltInProviderSelector.java
index 8286380..8d20171 100644
--- 
a/hbase-client/src/main/java/org/apache/hadoop/hbase/security/provider/BuiltInProviderSelector.java
+++ 
b/hbase-client/src/main/java/org/apache/hadoop/hbase/security/provider/BuiltInProviderSelector.java
@@ -123,11 +123,16 @@ public class BuiltInProviderSelector implements 
AuthenticationProviderSelector {
         return new Pair<>(digestAuth, token);
       }
     }
-    if (user.getUGI().hasKerberosCredentials()) {
+    // Unwrap PROXY auth'n method if that's what we have coming in.
+    if (user.getUGI().hasKerberosCredentials() ||
+        user.getUGI().getRealUser().hasKerberosCredentials()) {
       return new Pair<>(krbAuth, null);
     }
-    LOG.debug(
-        "No matching SASL authentication provider and supporting token found 
from providers.");
+    // This indicates that a client is requesting some authentication 
mechanism which the servers
+    // don't know how to process (e.g. there is no provider which can support 
it). This may be
+    // a bug or simply a misconfiguration of client *or* server.
+    LOG.warn("No matching SASL authentication provider and supporting token 
found from providers"
+        + " for user: {}", user);
     return null;
   }
 
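Review bot: The second operand of the new condition, user.getUGI().getRealUser().hasKerberosCredentials(), dereferences the result of getRealUser() without a null check. Hadoop's UserGroupInformation.getRealUser() returns null when the UGI is not a proxy user. A non-proxy user with no Kerberos credentials previously fell through to the log line and "return null"; it would now throw a NullPointerException before reaching the new LOG.warn. Suggest holding the real user in a local variable and testing "realUser != null && realUser.hasKerberosCredentials()". A test covering a non-proxy, non-Kerberos user with no matching token would pin this path down. Separately, the comment says the PROXY auth'n method is unwrapped, but the condition never inspects the authentication method; reword the comment to say the real user's credentials are also consulted.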
