Repository: ranger Updated Branches: refs/heads/master cfb2cdade -> df4c01307
RANGER-2076 : Handle proxy users for Kerberos based authentication Project: http://git-wip-us.apache.org/repos/asf/ranger/repo Commit: http://git-wip-us.apache.org/repos/asf/ranger/commit/7a216a80 Tree: http://git-wip-us.apache.org/repos/asf/ranger/tree/7a216a80 Diff: http://git-wip-us.apache.org/repos/asf/ranger/diff/7a216a80 Branch: refs/heads/master Commit: 7a216a80afc9fda0a96cb2d07b839dbaf9355946 Parents: cfb2cda Author: Mehul Parikh <[email protected]> Authored: Mon May 14 10:32:43 2018 +0530 Committer: Mehul Parikh <[email protected]> Committed: Mon May 14 10:32:43 2018 +0530 ---------------------------------------------------------------------- .../filter/RangerKRBAuthenticationFilter.java | 22 ++++++++++++++++++++ 1 file changed, 22 insertions(+) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/ranger/blob/7a216a80/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerKRBAuthenticationFilter.java ---------------------------------------------------------------------- diff --git a/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerKRBAuthenticationFilter.java b/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerKRBAuthenticationFilter.java index 7cdb2fe..b4a3f93 100644 --- a/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerKRBAuthenticationFilter.java +++ b/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerKRBAuthenticationFilter.java @@ -215,6 +215,28 @@ public class RangerKRBAuthenticationFilter extends RangerKrbFilter { RangerAuthenticationProvider authenticationProvider = new RangerAuthenticationProvider(); Authentication authentication = authenticationProvider.authenticate(finalAuthentication); authentication = getGrantedAuthority(authentication); + if(authentication != null && authentication.isAuthenticated()) { + if (request.getParameterMap().containsKey("doAs")) { + if(!response.isCommitted()) { + if(LOG.isDebugEnabled()) { + LOG.debug("Request contains unsupported parameter, doAs."); + } + request.setAttribute("spnegoenabled", false); + response.sendError(HttpServletResponse.SC_FORBIDDEN, "Missing authentication token."); + } + } + if(request.getParameterMap().containsKey("user.name")) { + if(!response.isCommitted()) { + if(LOG.isDebugEnabled()) { + LOG.debug("Request contains an unsupported parameter user.name"); + } + request.setAttribute("spnegoenabled", false); + response.sendError(HttpServletResponse.SC_FORBIDDEN, "Missing authentication token."); + } else { + LOG.info("Response seems to be already committed for user.name."); + } + } + } SecurityContextHolder.getContext().setAuthentication(authentication); request.setAttribute("spnegoEnabled", true); LOG.info("Logged into Ranger as = "+userName);
