----------------------------------------------------------- This is an automatically generated e-mail. To reply, visit: https://reviews.apache.org/r/49477/#review140271 -----------------------------------------------------------
Hadoop treats the username and group name as case sensitive, same with AD. So, I think we should rather fix the part which is lowercasing these values. What do you think? Also, can you change/add the test to trigger this failure and test your fix? - Sravya Tirukkovalur On June 30, 2016, 11:06 p.m., Rahul Sharma wrote: > > ----------------------------------------------------------- > This is an automatically generated e-mail. To reply, visit: > https://reviews.apache.org/r/49477/ > ----------------------------------------------------------- > > (Updated June 30, 2016, 11:06 p.m.) > > > Review request for sentry and Sravya Tirukkovalur. > > > Repository: sentry > > > Description > ------- > > SENTRY-1378: Login fails for a secure Sentry Web UI > > > When using SPNEGO the kerberos principal is of the form > "HTTP/<hostname>@Domain . So the http request has the user HTTP . Now for the > property sentry.service.web.authentication.allow.connect.users , we change > the list to a lowercase and hence the doFilter method in SentryAuthFilter > throws a Unauthorized user status code: 403 exception. > We need to make the user in the http request to lower case to compare with > set of users present in the property > sentry.service.web.authentication.allow.connect.users. > > > Diffs > ----- > > > sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryAuthFilter.java > c1cfc1b7cd2bc3f6c74cbe95b9d7b0d58a208408 > > Diff: https://reviews.apache.org/r/49477/diff/ > > > Testing > ------- > > Tested on a 5.8 cluster, with 5.8 code build. > > > Thanks, > > Rahul Sharma > >