This is an automated email from the ASF dual-hosted git repository.
psomogyi pushed a commit to branch branch-2
in repository https://gitbox.apache.org/repos/asf/hbase.git
The following commit(s) were added to refs/heads/branch-2 by this push:
new f8a28c3 HBASE-23709 Unwrap the real user to properly dispatch
proxy-user auth'n
f8a28c3 is described below
commit f8a28c3ea6a572ccccf953e12f7736d73448e6bb
Author: Josh Elser <[email protected]>
AuthorDate: Tue Jan 21 18:38:26 2020 -0500
HBASE-23709 Unwrap the real user to properly dispatch proxy-user auth'n
REST and Thrift servers started failing because the check in
BuiltinProviderSelector wasn't checking the "real" user for kerberos
credentials. This resulted in the KerberosAuthnProvider not being
invoked when it should have been.
Closes #1080
Signed-off-by: Peter Somogyi <[email protected]>
---
.../hbase/security/provider/BuiltInProviderSelector.java | 11 ++++++++---
1 file changed, 8 insertions(+), 3 deletions(-)
diff --git
a/hbase-client/src/main/java/org/apache/hadoop/hbase/security/provider/BuiltInProviderSelector.java
b/hbase-client/src/main/java/org/apache/hadoop/hbase/security/provider/BuiltInProviderSelector.java
index 8286380..8d20171 100644
---
a/hbase-client/src/main/java/org/apache/hadoop/hbase/security/provider/BuiltInProviderSelector.java
+++
b/hbase-client/src/main/java/org/apache/hadoop/hbase/security/provider/BuiltInProviderSelector.java
@@ -123,11 +123,16 @@ public class BuiltInProviderSelector implements
AuthenticationProviderSelector {
return new Pair<>(digestAuth, token);
}
}
- if (user.getUGI().hasKerberosCredentials()) {
+ // Unwrap PROXY auth'n method if that's what we have coming in.
+ if (user.getUGI().hasKerberosCredentials() ||
+ user.getUGI().getRealUser().hasKerberosCredentials()) {
return new Pair<>(krbAuth, null);
}
- LOG.debug(
- "No matching SASL authentication provider and supporting token found
from providers.");
+ // This indicates that a client is requesting some authentication
mechanism which the servers
+ // don't know how to process (e.g. there is no provider which can support
it). This may be
+ // a bug or simply a misconfiguration of client *or* server.
+ LOG.warn("No matching SASL authentication provider and supporting token
found from providers"
+ + " for user: {}", user);
return null;
}
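Review bot: the second operand added to the Kerberos `if` condition dereferences `user.getUGI().getRealUser()` without a null check, and Hadoop's `UserGroupInformation.getRealUser()` returns null when the UGI is not a proxy user. A non-proxy caller whose own UGI has no Kerberos credentials (the first operand is false) will throw a NullPointerException here instead of reaching the new `LOG.warn` and `return null`. Suggest reading the real user into a local and guarding it, for example `realUgi != null && realUgi.hasKerberosCredentials()`. The added comment also says the PROXY auth'n method is being unwrapped, but the condition never looks at the authentication method, so either check it or reword the comment to say the real user's credentials are consulted. The diffstat shows only this one file changed; a selector test covering a proxy UGI and a plain non-Kerberos UGI would pin down both paths.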