master: don't issue new authn tokens to TOKEN-authenticated users Doing so would basically be equivalent to non-expiring tokens.
Change-Id: I6cb1daf75680bb78e6e5b3331ee346a9faa41ac0 Reviewed-on: http://gerrit.cloudera.org:8080/6119 Tested-by: Kudu Jenkins Reviewed-by: Alexey Serbin <[email protected]> Project: http://git-wip-us.apache.org/repos/asf/kudu/repo Commit: http://git-wip-us.apache.org/repos/asf/kudu/commit/38df0f19 Tree: http://git-wip-us.apache.org/repos/asf/kudu/tree/38df0f19 Diff: http://git-wip-us.apache.org/repos/asf/kudu/diff/38df0f19 Branch: refs/heads/master Commit: 38df0f197f14907cbdf228517a045611e1a19df6 Parents: 362eb53 Author: Todd Lipcon <[email protected]> Authored: Wed Feb 22 15:24:01 2017 -0800 Committer: Todd Lipcon <[email protected]> Committed: Thu Feb 23 04:00:08 2017 +0000 ---------------------------------------------------------------------- src/kudu/master/master_service.cc | 31 +++++++++++++++---------------- 1 file changed, 15 insertions(+), 16 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/kudu/blob/38df0f19/src/kudu/master/master_service.cc ----------------------------------------------------------------------
diff --git a/src/kudu/master/master_service.cc b/src/kudu/master/master_service.cc
index 6bdb518..f35d4b9 100644
--- a/src/kudu/master/master_service.cc
+++ b/src/kudu/master/master_service.cc
@@ -382,22 +382,21 @@ void MasterServiceImpl::ConnectToMaster(const ConnectToMasterRequestPB* /*req*/,
 // exactly as the leader is changing.
 resp->add_ca_cert_der(server_->cert_authority()->ca_cert_der());
- // Issue an authentication token for the caller.
- // TODO(PKI): we should probably only issue a token if the client is
- // authenticated by kerberos, and not by another token. Otherwise we're
- // essentially allowing unlimited renewal, which is probably not what
- // we want.
- SignedTokenPB authn_token;
- Status s = server_->token_signer()->GenerateAuthnToken(
- rpc->remote_user().username(),
- &authn_token);
- if (!s.ok()) {
- KLOG_EVERY_N_SECS(WARNING, 1)
- << "Unable to generate signed token for " << rpc->requestor_string()
- << ": " << s.ToString();
- } else {
- // TODO(todd): this might be a good spot for some auditing code?
- resp->mutable_authn_token()->Swap(&authn_token);
+ // Issue an authentication token for the caller, unless they are
+ // already using a token to authenticate.
+ if (rpc->remote_user().authenticated_by() != rpc::RemoteUser::AUTHN_TOKEN) {
+ SignedTokenPB authn_token;
+ Status s = server_->token_signer()->GenerateAuthnToken(
+ rpc->remote_user().username(),
+ &authn_token);
+ if (!s.ok()) {
+ KLOG_EVERY_N_SECS(WARNING, 1)
+ << "Unable to generate signed token for " << rpc->requestor_string()
+ << ": " << s.ToString();
+ } else {
+ // TODO(todd): this might be a good spot for some auditing code?
+ resp->mutable_authn_token()->Swap(&authn_token);
+ }
 }
 }
 rpc->RespondSuccess();
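Review bot: The new guard in ConnectToMaster is a denylist: `authenticated_by() != rpc::RemoteUser::AUTHN_TOKEN` still issues a token for every other authentication method, including any that RemoteUser gains later, whereas the removed TODO proposed issuing only to Kerberos-authenticated callers. If the wider set is intended, the comment above the `if` should say so, for example `// Every non-token authentication method is allowed to obtain a token; a token alone can never be used to get a fresh one.`; otherwise an explicit allowlist of the methods permitted to obtain tokens would fail closed. The diffstat shows only master_service.cc changed, so a test asserting that a token-authenticated ConnectToMaster response carries no `authn_token` would guard against the renewal path being reopened. The function body starts and ends outside this hunk.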
