This is an automated email from the ASF dual-hosted git repository.

dengzh pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/hive.git


The following commit(s) were added to refs/heads/master by this push:
     new 00a121e3c74 HIVE-27764: Add "WWW-Authenticate: Negotiate" header to 
the response when the client is unauthorized and Kerberos is enabled (Gergely 
Farkas, reviewed by Zhihua Deng)
00a121e3c74 is described below

commit 00a121e3c74fc1f46568d9fb4ffefc6931a53784
Author: Gergely Farkas <[email protected]>
AuthorDate: Wed Oct 11 15:06:21 2023 +0200

    HIVE-27764: Add "WWW-Authenticate: Negotiate" header to the response when 
the client is unauthorized and Kerberos is enabled (Gergely Farkas, reviewed by 
Zhihua Deng)
    
    Closes #4774
---
 .../hive/service/cli/thrift/ThriftHttpServlet.java |  3 +-
 .../service/cli/thrift/ThriftHttpServletTest.java  | 34 +++++++++++++++++++++-
 2 files changed, 35 insertions(+), 2 deletions(-)

diff --git 
a/service/src/java/org/apache/hive/service/cli/thrift/ThriftHttpServlet.java 
b/service/src/java/org/apache/hive/service/cli/thrift/ThriftHttpServlet.java
index a7130bcc190..a6566cd0733 100644
--- a/service/src/java/org/apache/hive/service/cli/thrift/ThriftHttpServlet.java
+++ b/service/src/java/org/apache/hive/service/cli/thrift/ThriftHttpServlet.java
@@ -283,7 +283,8 @@ public class ThriftHttpServlet extends TServlet {
       }
       // Send a 401 to the client
       response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
-      if(isAuthTypeEnabled(request, HiveAuthConstants.AuthTypes.KERBEROS)) {
+      if (e instanceof HttpEmptyAuthenticationException &&
+          authType.isEnabled(HiveAuthConstants.AuthTypes.KERBEROS)) {
         response.addHeader(HttpAuthUtils.WWW_AUTHENTICATE, 
HttpAuthUtils.NEGOTIATE);
       } else {
         try {
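Review bot: With Kerberos enabled, a request whose Authorization header is present but fails authentication now takes the `else` branch and, as far as this hunk shows, is answered with a 401 that carries no `WWW-Authenticate` challenge, although HTTP (RFC 9110, section 15.5.2) requires one on every 401. If skipping the challenge for a rejected token is deliberate, the condition should say so, for example `// Challenge only when no credentials were sent; a rejected Negotiate token is not re-challenged`. The check also changed from `isAuthTypeEnabled(request, ...)`, which takes the request, to `authType.isEnabled(...)`, which does not. When several auth types are configured, confirm that clients of the other mechanisms still get a response they can act on for an empty header. The enclosing catch block starts and ends outside the hunk.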
diff --git 
a/service/src/test/org/apache/hive/service/cli/thrift/ThriftHttpServletTest.java
 
b/service/src/test/org/apache/hive/service/cli/thrift/ThriftHttpServletTest.java
index 02b24dd846b..8278331958c 100644
--- 
a/service/src/test/org/apache/hive/service/cli/thrift/ThriftHttpServletTest.java
+++ 
b/service/src/test/org/apache/hive/service/cli/thrift/ThriftHttpServletTest.java
@@ -21,7 +21,6 @@ import org.apache.hadoop.hive.conf.HiveConf;
 import org.apache.hive.service.auth.HiveAuthConstants;
 import org.apache.hive.service.auth.HttpAuthUtils;
 import org.apache.hive.service.auth.ldap.HttpEmptyAuthenticationException;
-import org.junit.Assert;
 import org.junit.Before;
 import org.junit.Rule;
 import org.junit.Test;
@@ -76,4 +75,37 @@ public class ThriftHttpServletTest {
     thriftHttpServlet.doKerberosAuth(httpServletRequest);
   }
 
+  @Test
+  public void testWwwAuthenticateNegotiateHeaderAddedToTheResponse() throws 
Exception {
+    HttpServletRequest mockRequest = Mockito.mock(HttpServletRequest.class);
+    HttpServletResponse mockResponse = Mockito.mock(HttpServletResponse.class);
+    PrintWriter mockPrintWriter = Mockito.mock(PrintWriter.class);
+    Mockito.when(mockResponse.getWriter()).thenReturn(mockPrintWriter);
+
+    thriftHttpServlet.doPost(mockRequest, mockResponse);
+
+    Mockito.verify(mockResponse)
+      .setStatus(HttpServletResponse.SC_UNAUTHORIZED);
+    Mockito.verify(mockPrintWriter)
+      .println("Authentication Error: Authorization header received from the 
client is empty.");
+    Mockito.verify(mockResponse)
+      .addHeader(HttpAuthUtils.WWW_AUTHENTICATE, HttpAuthUtils.NEGOTIATE);
+  }
+
+  @Test
+  public void 
testWwwAuthenticateNegotiateHeaderNotAddedToTheResponseWhenNotEmptyAuthorizationHeaderExists()
 throws Exception {
+    HttpServletRequest mockRequest = Mockito.mock(HttpServletRequest.class);
+    
Mockito.when(mockRequest.getHeader(HttpAuthUtils.AUTHORIZATION)).thenReturn("Authorization:
 Negotiate");
+    HttpServletResponse mockResponse = Mockito.mock(HttpServletResponse.class);
+    PrintWriter mockPrintWriter = Mockito.mock(PrintWriter.class);
+    Mockito.when(mockResponse.getWriter()).thenReturn(mockPrintWriter);
+
+    thriftHttpServlet.doPost(mockRequest, mockResponse);
+
+    Mockito.verify(mockResponse)
+      .setStatus(HttpServletResponse.SC_UNAUTHORIZED);
+    Mockito.verify(mockResponse, Mockito.times(0))
+      .addHeader(HttpAuthUtils.WWW_AUTHENTICATE, HttpAuthUtils.NEGOTIATE);
+  }
+
 }
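Review bot: The negative test stubs the Authorization header value as `"Authorization: Negotiate"`, which repeats the header name inside the value and carries no token, so it presumably passes because any non-empty value avoids HttpEmptyAuthenticationException rather than because a Negotiate token was rejected. A realistic value such as `"Negotiate <constructed-base64-token>"` would exercise the intended path. The final assertion only rules out the exact `NEGOTIATE` value; `Mockito.verify(mockResponse, Mockito.never()).addHeader(Mockito.eq(HttpAuthUtils.WWW_AUTHENTICATE), Mockito.anyString());` would also catch a different challenge being emitted. Neither test sets the auth type in view, so they depend on whatever the `@Before` setup outside this hunk configures.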
