Repository: sentry Updated Branches: refs/heads/master 170b0c38b -> 542e984ba
SENTRY-2427: Use Hadoop KerberosName class to derive shortName (Arjun Mishra reviewed by Na Li and Sergio Pena) Change-Id: Iab39a07c68d651e4d779fd33a4bccceb0de04b14 Project: http://git-wip-us.apache.org/repos/asf/sentry/repo Commit: http://git-wip-us.apache.org/repos/asf/sentry/commit/542e984b Tree: http://git-wip-us.apache.org/repos/asf/sentry/tree/542e984b Diff: http://git-wip-us.apache.org/repos/asf/sentry/diff/542e984b Branch: refs/heads/master Commit: 542e984ba844b33d452e80946b87ae3cefde4be6 Parents: 170b0c3 Author: amishra <[email protected]> Authored: Wed Oct 17 17:21:10 2018 -0500 Committer: amishra <[email protected]> Committed: Wed Oct 17 17:37:53 2018 -0500 ---------------------------------------------------------------------- .../sentry/service/thrift/GSSCallback.java | 28 +++++++- .../sentry/service/thrift/TestGSSCallback.java | 75 ++++++++++++++++++++ 2 files changed, 102 insertions(+), 1 deletion(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/sentry/blob/542e984b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/service/thrift/GSSCallback.java ----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/service/thrift/GSSCallback.java b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/service/thrift/GSSCallback.java
index d2d85d3..bc2817d 100644
--- a/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/service/thrift/GSSCallback.java
+++ b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/service/thrift/GSSCallback.java
@@ -26,8 +26,11 @@ import javax.security.sasl.AuthorizeCallback;
 import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.security.SaslRpcServer;
+import org.apache.hadoop.security.authentication.util.KerberosName;
+import org.apache.hadoop.security.authentication.util.KerberosName.NoMatchingRule;
 import org.apache.sentry.core.common.exception.ConnectionDeniedException;
 import org.apache.sentry.service.common.ServiceConstants.ServerConfig;
+import org.slf4j.LoggerFactory;
 public class GSSCallback extends SaslRpcServer.SaslGssCallbackHandler {
@@ -60,7 +63,30 @@ public class GSSCallback extends SaslRpcServer.SaslGssCallbackHandler {
 if (allowedPrincipals == null) {
 return false;
 }
- String principalShortName = getShortName(principal);
+ String principalShortName;
+ if (KerberosName.hasRulesBeenSet()) {
+ try {
+ KerberosName krbName = new KerberosName(principal);
+ principalShortName = krbName.getShortName();
+ //To accommodate HADOOP-12751 where some versions don't throw NoMatchingRule exception
+ if (principalShortName.equals(principal)) {
+ principalShortName = getShortName(principal);
+ }
+ } catch (NoMatchingRule e) {
+ LoggerFactory.getLogger(GSSCallback.class)
+ .debug("No matching rule found for principal " + principal, e);
+ principalShortName = getShortName(principal);
+ } catch (Exception e) {
+ LoggerFactory.getLogger(GSSCallback.class)
+ .debug("Cannot derive short name from KerberosName. "
+ + "Use principal name prefix to authenticate", e);
+ principalShortName = getShortName(principal);
+ }
+
+ } else {
+ principalShortName = getShortName(principal);
+ }
+
 List<String> items = Arrays.asList(allowedPrincipals.split("\\s*,\\s*"));
 for (String item : items) {
 if (comparePrincipals(item, principalShortName)) {
http://git-wip-us.apache.org/repos/asf/sentry/blob/542e984b/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/service/thrift/TestGSSCallback.java
----------------------------------------------------------------------
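Review bot: Both the `catch (NoMatchingRule e)` branch and the HADOOP-12751 equality check fall back to `getShortName(principal)`, so a principal that the configured auth_to_local rules deliberately leave unmapped — the same name prefix arriving from a realm the rules exclude, for instance — is still authorized by its prefix alone, and the broad `catch (Exception e)` degrades a rule-parsing error the same way, logged only at debug. If the rules are meant to be authoritative the no-match case should fail closed, e.g. `LOGGER.warn("No auth_to_local rule matched principal {}; denying connection", principal); return false;`; if the fallback is intentional for sites that have not written rules for the Sentry principals, that should be stated in a comment above `if (KerberosName.hasRulesBeenSet())` and the two log calls raised to warn so the downgrade is visible in operation. The per-call `LoggerFactory.getLogger(GSSCallback.class)` lookups would also be better as a `private static final Logger LOGGER` field. The enclosing method (allowConnect, judging by the test) starts and ends outside the hunk, and getShortName is not visible here, so its prefix semantics are inferred from the replaced line and the new log message.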
diff --git a/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/service/thrift/TestGSSCallback.java b/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/service/thrift/TestGSSCallback.java
new file mode 100644
index 0000000..aec1a63
--- /dev/null
+++ b/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/service/thrift/TestGSSCallback.java
@@ -0,0 +1,75 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one or more contributor license
+ * agreements. See the NOTICE file distributed with this work for additional information regarding
+ * copyright ownership. The ASF licenses this file to you under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with the License. You may obtain
+ * a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software distributed under the License
+ * is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
+ * or implied. See the License for the specific language governing permissions and limitations under
+ * the License.
+ */
+package org.apache.sentry.service.thrift;
+
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertTrue;
+
+import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.security.authentication.util.KerberosName;
+import org.apache.sentry.service.common.ServiceConstants.ServerConfig;
+import org.junit.Before;
+import org.junit.Test;
+
+/**
+ *
+ */
+public class TestGSSCallback {
+
+ private static final Configuration conf = new Configuration();
+ private GSSCallback callBack;
+
+ @Before
+ public void setUp() {
+ conf.set(ServerConfig.ALLOW_CONNECT, "hive");
+ callBack = new GSSCallback(conf);
+ }
+
+ @Test
+ public void testAllowConnectOnKerberosPrincipal() {
+ //Test with ruleset not set
+ String validPrincipal = "[email protected]";
+ assertTrue("Authenticate valid user", callBack.allowConnect(validPrincipal));
+
+ String invalidPrincipal = "[email protected]";
+ assertFalse("Do not authenticate invalid user", callBack.allowConnect(invalidPrincipal));
+
+ //Test with ruleset set to DEFAULT
+ String ruleString = "DEFAULT";
+ KerberosName.setRules(ruleString);
+
+ assertTrue("Authenticate valid user", callBack.allowConnect(validPrincipal));
+ assertFalse("Do not authenticate invalid user", callBack.allowConnect(invalidPrincipal));
+ }
+
+ @Test
+ public void testAllowConnectWithRuleSet() {
+
+ String ruleString = "RULE:[1:$1@$0]([email protected])s/.*/hive/";
+ KerberosName.setRules(ruleString);
+
+ String validPrincipal = "[email protected]";
+ assertTrue("Authenticate valid user", callBack.allowConnect(validPrincipal));
+
+ //New rule for a different user
+ ruleString = "RULE:[1:$1@$0]([email protected])s/.*/solr/";
+ KerberosName.setRules(ruleString);
+ String invalidPrincipal1 = "[email protected]";
+ assertFalse("Do not authenticate invalid user", callBack.allowConnect(invalidPrincipal1));
+ String invalidPrincipal2 = "[email protected]";
+ assertFalse("Do not authenticate invalid user", callBack.allowConnect(invalidPrincipal2));
+ }
+
+}
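Review bot: `KerberosName.setRules(...)` mutates static state that no test resets, so the "ruleset not set" assertions at the top of testAllowConnectOnKerberosPrincipal only exercise the `hasRulesBeenSet() == false` path if that method happens to run before testAllowConnectWithRuleSet; JUnit 4 does not run methods in declaration order, and under the leftover solr rule both asserts would still pass through the prefix fallback, so the gap is silent. Restore the rules in an `@After` (whether `KerberosName.setRules(null)` clears them depends on the Hadoop version in use — confirm before relying on it), or move the no-rules assertions into a separately ordered test with a known starting state. An explicit case for the realm-restriction scenario — rules that map only `@EXAMPLE.COM` plus a principal such as `hive@OTHER.REALM` — would pin what the production code does for an unmatched principal instead of leaving it implied. The empty class Javadoc should either describe the fixture (note that `conf` is static but re-set in every setUp) or be dropped.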
