Re: [PR] HBASE-29244 Support admin users acl setting with LDAP (Web UI only) [hbase]

Mon, 19 May 2025 06:32:15 -0700 


PDavid commented on code in PR #6923:
URL: https://github.com/apache/hbase/pull/6923#discussion_r2095633376


##########
hbase-http/src/main/java/org/apache/hadoop/hbase/http/InfoServer.java:
##########
@@ -77,34 +77,46 @@ public InfoServer(String name, String bindAddress, int 
port, boolean findPort,
           c.get("ssl.server.truststore.type", "jks"));
       builder.excludeCiphers(c.get("ssl.server.exclude.cipher.list"));
     }
+
+    final String httpAuthType = c.get(HttpServer.HTTP_UI_AUTHENTICATION, 
"").toLowerCase();
     // Enable SPNEGO authentication
-    if ("kerberos".equalsIgnoreCase(c.get(HttpServer.HTTP_UI_AUTHENTICATION, 
null))) {
+    if ("kerberos".equals(httpAuthType)) {
       
builder.setUsernameConfKey(HttpServer.HTTP_SPNEGO_AUTHENTICATION_PRINCIPAL_KEY)
         .setKeytabConfKey(HttpServer.HTTP_SPNEGO_AUTHENTICATION_KEYTAB_KEY)
         
.setKerberosNameRulesKey(HttpServer.HTTP_SPNEGO_AUTHENTICATION_KRB_NAME_KEY)
         
.setSignatureSecretFileKey(HttpServer.HTTP_AUTHENTICATION_SIGNATURE_SECRET_FILE_KEY)
         .setSecurityEnabled(true);
+    }
 
-      // Set an admin ACL on sensitive webUI endpoints
+    // Set an admin ACL on sensitive webUI endpoints (works only if SPNEGO or 
LDAP is enabled)
+    if ("ldap".equals(httpAuthType) || "kerberos".equals(httpAuthType)) {
       AccessControlList acl = buildAdminAcl(c);
       builder.setACL(acl);
     }
+
     this.httpServer = builder.build();
   }
 
   /**
    * Builds an ACL that will restrict the users who can issue commands to 
endpoints on the UI which
    * are meant only for administrators.
    */
-  AccessControlList buildAdminAcl(Configuration conf) {
-    final String userGroups = 
conf.get(HttpServer.HTTP_SPNEGO_AUTHENTICATION_ADMIN_USERS_KEY, null);
+  static AccessControlList buildAdminAcl(Configuration conf) {
+    // Initialize admin users based on whether http ui auth is set to ldap or 
kerberos
+    String httpAuthType = conf.get(HttpServer.HTTP_UI_AUTHENTICATION, 
"").toLowerCase();
+    String adminUsers = null;
+    if ("kerberos".equals(httpAuthType)) {
+      adminUsers = 
conf.get(HttpServer.HTTP_SPNEGO_AUTHENTICATION_ADMIN_USERS_KEY, null);
+    } else if ("ldap".equals(httpAuthType)) {
+      adminUsers = 
conf.get(HttpServer.HTTP_LDAP_AUTHENTICATION_ADMIN_USERS_KEY, null);
+    }

Review Comment:
   Many thanks. :+1: 



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to