Github user sohami commented on a diff in the pull request: https://github.com/apache/drill/pull/1040#discussion_r158117860 --- Diff: exec/java-exec/src/main/java/org/apache/drill/exec/server/rest/auth/DrillSpnegoLoginService.java --- @@ -0,0 +1,151 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * <p> + * http://www.apache.org/licenses/LICENSE-2.0 + * <p> + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + + +package org.apache.drill.exec.server.rest.auth; + + +import org.apache.drill.common.exceptions.DrillException; +import org.apache.drill.exec.ExecConstants; +import org.apache.drill.exec.server.DrillbitContext; +import org.apache.drill.exec.server.options.SystemOptionManager; +import org.apache.drill.exec.util.ImpersonationUtil; +import org.apache.hadoop.security.UserGroupInformation; +import org.eclipse.jetty.security.DefaultIdentityService; +import org.eclipse.jetty.security.SpnegoLoginService; +import org.eclipse.jetty.server.UserIdentity; +import org.eclipse.jetty.util.B64Code; +import org.ietf.jgss.GSSContext; +import org.ietf.jgss.GSSCredential; +import org.ietf.jgss.GSSException; +import org.ietf.jgss.GSSManager; +import org.ietf.jgss.GSSName; +import org.ietf.jgss.Oid; + +import javax.security.auth.Subject; +import java.lang.reflect.Field; +import java.security.Principal; +import java.security.PrivilegedExceptionAction; +import java.util.ArrayList; +import java.util.List; + +/** + * Custom implementation of DrillSpnegoLoginService to avoid the need of passing targetName in a config file, + * to include the SPNEGO OID and the way UserIdentity is created. + */ +public class DrillSpnegoLoginService extends SpnegoLoginService { + private static final org.slf4j.Logger logger = org.slf4j.LoggerFactory.getLogger(DrillSpnegoLoginService.class); + + private static final String TARGET_NAME_FIELD_NAME = "_targetName"; + + private final DrillbitContext drillContext; + + private final SpnegoUtil spnegoUtil; + + private final UserGroupInformation loggedInUgi; + + public DrillSpnegoLoginService(DrillbitContext drillBitContext) throws DrillException { + super(DrillSpnegoLoginService.class.getName()); + setIdentityService(new DefaultIdentityService()); + drillContext = drillBitContext; + + // Load and verify SPNEGO config. Then Login using creds to get an UGI instance + spnegoUtil = new SpnegoUtil(drillBitContext.getConfig()); + spnegoUtil.validateSpnegoConfig(); + loggedInUgi = spnegoUtil.getLoggedInUgi(); + } + + @Override + protected void doStart() throws Exception { + // Override the parent implementation, setting _targetName to be the serverPrincipal + // without the need for a one-line file to do the same thing. + final Field targetNameField = SpnegoLoginService.class.getDeclaredField(TARGET_NAME_FIELD_NAME); + targetNameField.setAccessible(true); + targetNameField.set(this, spnegoUtil.getSpnegoPrincipal()); + } + + @Override + public UserIdentity login(final String username, final Object credentials) { + + UserIdentity identity = null; + try { + identity = loggedInUgi.doAs(new PrivilegedExceptionAction<UserIdentity>() { + @Override + public UserIdentity run() { + return spnegoLogin(username, credentials); + } + }); + } catch (Exception e) { + logger.error("Failed to login using SPNEGO"); + } + + return identity; + } + + private UserIdentity spnegoLogin(String username, Object credentials) { --- End diff -- Removed.
---