Repository: sentry Updated Branches: refs/heads/sentry-ha-redesign a62664153 -> 17ed7cb7f
SENTRY-1378: Login fails for a secure Sentry Web UI (Rahul Sharma, Reviewd by: Sravya Tirukkovalur and Hao Hao) Change-Id: Ib02a8f848d903d7d93ec907bee647143e5728667 Project: http://git-wip-us.apache.org/repos/asf/sentry/repo Commit: http://git-wip-us.apache.org/repos/asf/sentry/commit/17ed7cb7 Tree: http://git-wip-us.apache.org/repos/asf/sentry/tree/17ed7cb7 Diff: http://git-wip-us.apache.org/repos/asf/sentry/diff/17ed7cb7 Branch: refs/heads/sentry-ha-redesign Commit: 17ed7cb7fa02b67b0c9dd4c0097a981fb977af2f Parents: a626641 Author: hahao <[email protected]> Authored: Mon Jul 18 13:59:17 2016 -0700 Committer: hahao <[email protected]> Committed: Mon Jul 18 13:59:17 2016 -0700 ---------------------------------------------------------------------- .../db/service/thrift/SentryAuthFilter.java | 7 ++--- .../thrift/TestSentryWebServerWithKerberos.java | 31 ++++++++++++++++++++ .../thrift/SentryServiceIntegrationBase.java | 2 ++ 3 files changed, 35 insertions(+), 5 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/sentry/blob/17ed7cb7/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryAuthFilter.java ----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryAuthFilter.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryAuthFilter.java
index c1cfc1b..b67d6df 100644
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryAuthFilter.java
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryAuthFilter.java
@@ -83,10 +83,7 @@ public class SentryAuthFilter extends AuthenticationFilter {
 }
 private static Set<String> parseConnectUsersFromConf(String value) {
- String lcValue = value;
- if (lcValue != null) {
- lcValue = lcValue.toLowerCase();
- }
- return Sets.newHashSet(StringUtils.getStrings(lcValue));
+ //Removed the logic to convert the allowed users to lower case, as user names need to be case sensitive
+ return Sets.newHashSet(StringUtils.getStrings(value));
 }
 }
http://git-wip-us.apache.org/repos/asf/sentry/blob/17ed7cb7/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryWebServerWithKerberos.java ----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryWebServerWithKerberos.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryWebServerWithKerberos.java
index ece2ee8..09ee6b4 100644
--- a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryWebServerWithKerberos.java
+++ b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryWebServerWithKerberos.java
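Review bot: `parseConnectUsersFromConf` still hands `value` straight to `StringUtils.getStrings`, so an unset property and entries written with a space after the comma are not handled. If `StringUtils` here is Hadoop's (the import is outside the hunk), `getStrings` returns null for a null or empty string, which would make `Sets.newHashSet` throw, and it does not trim, so `"hive, USER1"` yields an entry that can never match now that names are compared exactly. `return Sets.newHashSet(StringUtils.getTrimmedStrings(value));` would cover both cases and leave an unset allow-list as an empty set, which fails closed. The added comment records what was removed; stating the rule instead, e.g. `// User names are matched case-sensitively; do not normalise case here.`, will stay accurate longer.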
@@ -133,4 +133,35 @@ public class TestSentryWebServerWithKerberos extends SentryServiceIntegrationBas
 }
 });
 }
+
+ @Test
+ public void testPingWithCaseSensitiveUser() throws Exception {
+ // USER1 is present in the list of users who are allowed to connect to sentry web ui.
+ String userPrinciple = "user1/" + SERVER_HOST;
+ String userKerberosName = userPrinciple + "@" + REALM;
+ Subject userSubject = new Subject(false, Sets.newHashSet(
+ new KerberosPrincipal(userKerberosName)), new HashSet<Object>(),new HashSet<Object>());
+ File userKeytab = new File(kdcWorkDir, "user1.keytab");
+ kdc.createPrincipal(userKeytab, userPrinciple);
+ LoginContext userLoginContext = new LoginContext("", userSubject, null,
+ KerberosConfiguration.createClientConfig(userKerberosName, userKeytab));
+ userLoginContext.login();
+ Subject.doAs(userLoginContext.getSubject(), new PrivilegedExceptionAction<Void>() {
+ @Override
+ public Void run() throws Exception {
+ final URL url = new URL("http://"+ SERVER_HOST + ":" + webServerPort + "/ping");
+ try {
+ new AuthenticatedURL(new KerberosAuthenticator()).openConnection(url, new AuthenticatedURL.Token());
+ fail("Login with user1 should fail");
+ } catch (AuthenticationException e) {
+ String expectedError = "status code: 403";
+ if (!e.getMessage().contains(expectedError)) {
+ LOG.error("UnexpectedError: " + e.getMessage(), e);
+ fail("UnexpectedError: " + e.getMessage());
+ }
+ }
+ return null;
+ }
+ });
+ }
 }
http://git-wip-us.apache.org/repos/asf/sentry/blob/17ed7cb7/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/service/thrift/SentryServiceIntegrationBase.java ----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/service/thrift/SentryServiceIntegrationBase.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/service/thrift/SentryServiceIntegrationBase.java
index 4197e6d..dfd79ae 100644
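Review bot: `testPingWithCaseSensitiveUser` only exercises the rejection path, so on its own it would still pass if the filter rejected every principal. A companion check that a principal whose short name is exactly `USER1` gets through `/ping` would pin the case-sensitive match from both sides; whether another test in this class already covers an accepted user is not visible in the hunk. `userLoginContext` is also never logged out, and wrapping the `Subject.doAs` call in `try { ... } finally { userLoginContext.logout(); }` would keep the login from lingering into later tests. The enclosing class starts outside the hunk.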
--- a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/service/thrift/SentryServiceIntegrationBase.java
+++ b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/service/thrift/SentryServiceIntegrationBase.java
@@ -92,6 +92,7 @@ public abstract class SentryServiceIntegrationBase extends SentryMiniKdcTestcase
 protected static boolean pooled = false;
 protected static boolean useSSL = false;
+ protected static String allowedUsers = "hive,USER1";
 @BeforeClass
 public static void setup() throws Exception {
@@ -168,6 +169,7 @@ public abstract class SentryServiceIntegrationBase extends SentryMiniKdcTestcase
 ServerConfig.SENTRY_WEB_SECURITY_TYPE_KERBEROS);
 conf.set(ServerConfig.SENTRY_WEB_SECURITY_PRINCIPAL, HTTP_PRINCIPAL);
 conf.set(ServerConfig.SENTRY_WEB_SECURITY_KEYTAB, httpKeytab.getPath());
+ conf.set(ServerConfig.SENTRY_WEB_SECURITY_ALLOW_CONNECT_USERS, allowedUsers);
 } else {
 conf.set(ServerConfig.SENTRY_WEB_SECURITY_TYPE,
 ServerConfig.SENTRY_WEB_SECURITY_TYPE_NONE);
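Review bot: The upper-case `USER1` in `allowedUsers` is what the new Kerberos web-server test depends on, but nothing at the declaration says so, and a later tidy-up to lower case would break that test without an obvious reason. A comment such as `// USER1 is deliberately upper-case: the web UI allow-list is case-sensitive and a test logs in as user1 expecting 403.` would protect it. The field is a non-final static like `pooled` and `useSSL` and is read by the `conf.set(ServerConfig.SENTRY_WEB_SECURITY_ALLOW_CONNECT_USERS, allowedUsers)` line in the second hunk, so a subclass that reassigns it presumably changes the allow-list for whatever runs after it; if no subclass needs to override it, `private static final` would be safer. The class body and the method containing the second hunk both continue outside the hunks.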
