----------------------------------------------------------- This is an automatically generated e-mail. To reply, visit: https://reviews.apache.org/r/58429/#review173365 -----------------------------------------------------------
Ship it! Sorry for the delay on this. ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariPamAuthenticationProvider.java Line 128 (original), 127 (patched) <https://reviews.apache.org/r/58429/#comment246376> Can you use `org.apache.ambari.server.security.authorization.AmbariUserAuthentication` to be more consistent with other Ambari-specific authentication providers. For example, `org.apache.ambari.server.security.authorization.AmbariLocalUserProvider` - Robert Levas On April 28, 2017, 1:45 p.m., Anita Jebaraj wrote: > > ----------------------------------------------------------- > This is an automatically generated e-mail. To reply, visit: > https://reviews.apache.org/r/58429/ > ----------------------------------------------------------- > > (Updated April 28, 2017, 1:45 p.m.) > > > Review request for Ambari, Attila Doroszlai, Di Li, Vishal Ghugare, Henning > Kropp, Robert Levas, and Tim Thorpe. > > > Bugs: AMBARI-20760 > https://issues.apache.org/jira/browse/AMBARI-20760 > > > Repository: ambari > > > Description > ------- > > After setting up PAM, tried to login as PAM user and access hive view, user > home test fails with the error as in screen shot. > > This issue was pointed out by Henning Kropp in the jira AMBARI-12263, but was > not incorporated in the code. Pasting the comment from Henning below. > > Something we noticed is that in a secured cluster we have issues with the > views, getting the following exception for the Hive view as an example: > > Struct:TOpenSessionResp(status:TStatus(statusCode:ERROR_STATUS, > infoMessages:[*org.apache.hive.service.cli.HiveSQLException:Failed to > validate proxy privilege of ambari for > org.apache.ambari.server.security.authorization.AmbariPamAuthenticationProvider$1@34511119:33:32, > ..... > sqlState:08S01, errorCode:0, errorMessage:Failed to validate proxy privilege > of ambari for > org.apache.ambari.server.security.authorization.AmbariPamAuthenticationProvider$1@34511119), > serverProtocolVersion:null) > > As you can see it tries to impersonte > "org.apache.ambari.server.security.authorization.AmbariPamAuthenticationProvider$1@34511119:33:32". > Changing the UsernamePasswordAuthenticationToken from Principal to username > fixes this. > > So instead of : > > UsernamePasswordAuthenticationToken token = new > UsernamePasswordAuthenticationToken(principal, null, userAuthorities); > > We use: > > UsernamePasswordAuthenticationToken token = new > UsernamePasswordAuthenticationToken(user.getUserName(), null, > userAuthorities); > > What could potential also work is, overriding toString of the principal like: > > Principal principal = new Principal() { > @Override > public String getName() > { return user.getUserName(); } > > @Override > public String toString() > { return user.getUserName().toString(); } > > }; > > We did not test this! > > > Diffs > ----- > > > ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariPamAuthenticationProvider.java > ca7cd31 > > > Diff: https://reviews.apache.org/r/58429/diff/1/ > > > Testing > ------- > > Ran mvn test and also manually tested the scenario > > > File Attachments > ---------------- > > error screenshot > > https://reviews.apache.org/media/uploaded/files/2017/04/13/4a43b897-e030-41a7-b702-f711432b03b9__error.PNG > > > Thanks, > > Anita Jebaraj > >