From rle...@apache.org
Subject ambari git commit: AMBARI-16023. Auth-to-local rule generation duplicates default rules when adding case-insensitive default rules (rlevas)
Date Tue, 26 Apr 2016 14:54:38 GMT
Repository: ambari
Updated Branches:
  refs/heads/trunk 980420449 -> 2e2588efc


AMBARI-16023. Auth-to-local rule generation duplicates default rules when adding case-insensitive
default rules (rlevas)


Project: http://git-wip-us.apache.org/repos/asf/ambari/repo
Commit: http://git-wip-us.apache.org/repos/asf/ambari/commit/2e2588ef
Tree: http://git-wip-us.apache.org/repos/asf/ambari/tree/2e2588ef
Diff: http://git-wip-us.apache.org/repos/asf/ambari/diff/2e2588ef

Branch: refs/heads/trunk
Commit: 2e2588efc5dbc12b16e58e8f709e600acd7decd1
Parents: 9804204
Author: Robert Levas <rlevas@hortonworks.com>
Authored: Tue Apr 26 10:54:18 2016 -0400
Committer: Robert Levas <rlevas@hortonworks.com>
Committed: Tue Apr 26 10:54:23 2016 -0400

----------------------------------------------------------------------
 .../server/controller/AuthToLocalBuilder.java   | 29 +++----
 .../controller/AuthToLocalBuilderTest.java      | 80 ++++++++++++++++++++
 2 files changed, 91 insertions(+), 18 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/ambari/blob/2e2588ef/ambari-server/src/main/java/org/apache/ambari/server/controller/AuthToLocalBuilder.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/controller/AuthToLocalBuilder.java
b/ambari-server/src/main/java/org/apache/ambari/server/controller/AuthToLocalBuilder.java
index 9d6db0a..1fb912e 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/controller/AuthToLocalBuilder.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/controller/AuthToLocalBuilder.java
@@ -167,7 +167,6 @@ public class AuthToLocalBuilder implements Cloneable {
 
       Rule rule = createHostAgnosticRule(p, localUsername);
       setRules.add(rule);
-      addDefaultRealmRule(rule.getPrincipal());
     }
   }
 
@@ -198,12 +197,18 @@ public class AuthToLocalBuilder implements Cloneable {
     StringBuilder builder = new StringBuilder();
     // ensure that a default rule is added for this realm
     if (!StringUtils.isEmpty(defaultRealm)) {
-      setRules.add(createDefaultRealmRule(defaultRealm));
+      // Remove existing default rule.... this is in the event we are switching case sensitivity...
+      setRules.remove(createDefaultRealmRule(defaultRealm, !caseInsensitiveUser));
+      // Add (new) default rule....
+      setRules.add(createDefaultRealmRule(defaultRealm, caseInsensitiveUser));
     }
 
     // ensure that a default realm rule is added for the specified additional realms
     for (String additionalRealm : additionalRealms) {
-      setRules.add(createDefaultRealmRule(additionalRealm));
+      // Remove existing default rule.... this is in the event we are switching case sensitivity...
+      setRules.remove(createDefaultRealmRule(additionalRealm, !caseInsensitiveUser));
+      // Add (new) default rule....
+      setRules.add(createDefaultRealmRule(additionalRealm, caseInsensitiveUser));
     }
 
     if (concatenationType == null) {
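Review bot: The remove-then-add pair in generate() only swaps the default rule for `defaultRealm` and each entry of `additionalRealms`, so a default rule for any other realm that arrives through `addRules` keeps whatever case flag it was generated with. Earlier output could contain such rules, because the `addDefaultRealmRule(rule.getPrincipal())` call removed in the first hunk added one per principal realm; after a case-sensitivity switch those realms would presumably keep mapping with the old behaviour. The removal also relies on `Rule` equality distinguishing the `/L` variant from the plain one, which is not visible here. Consider stating the limit in a comment, e.g. `// only defaultRealm and additionalRealms are normalised; imported default rules for other realms are left as-is`, and folding the duplicated remove/add pair into one private helper that takes the realm. generate() starts and ends outside this hunk.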
@@ -247,19 +252,6 @@ public class AuthToLocalBuilder implements Cloneable {
   }
 
   /**
-   * Add a default realm rule for the realm associated with a principal.
-   * If the realm is null or is a wildcard ".*" then no rule id added.
-   *
-   * @param principal principal which contains the realm
-   */
-  private void addDefaultRealmRule(Principal principal) {
-    String realm = principal.getRealm();
-    if (realm != null && !realm.equals(".*")) {
-      setRules.add(createDefaultRealmRule(realm));
-    }
-  }
-
-  /**
    * Create a rule that expects 2 components in the principal and ignores hostname in the
comparison.
    *
    * @param principal principal
@@ -279,10 +271,11 @@ public class AuthToLocalBuilder implements Cloneable {
    * Create a default rule for a realm which matches all principals with 1 component and
the same realm.
    *
    * @param realm realm that the rule is being created for
+   * @param caseInsensitive true if the rule should be case-insensitive; otherwise false
    * @return a new default realm rule
    */
-  private Rule createDefaultRealmRule(String realm) {
-    String caseSensitivityRule = caseInsensitiveUser ? "/L" : "";
+  private Rule createDefaultRealmRule(String realm, boolean caseInsensitive) {
+    String caseSensitivityRule = caseInsensitive ? "/L" : "";
 
     return new Rule(new Principal(String.format(".*@%s", realm)),
         1, 1, String.format("RULE:[1:$1@$0](.*@%s)s/@.*//" + caseSensitivityRule, realm));
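Review bot: The new `@param caseInsensitive` Javadoc describes the rule as case-insensitive, but what the method emits is the `/L` suffix, which in Hadoop auth_to_local rules lowercases the translated short name rather than changing how the principal is matched. That matters to operators because principals that differ only in case then resolve to the same local account. I would word it as `@param caseInsensitive true to append /L so the resulting local name is forced to lowercase; otherwise false`. Separately, `realm` is formatted into the `(.*@%s)` pattern unescaped, so the dots in a realm name match any character; that looks like the existing convention, but it deserves a one-line comment. The method body continues past the end of this hunk.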

http://git-wip-us.apache.org/repos/asf/ambari/blob/2e2588ef/ambari-server/src/test/java/org/apache/ambari/server/controller/AuthToLocalBuilderTest.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/test/java/org/apache/ambari/server/controller/AuthToLocalBuilderTest.java
b/ambari-server/src/test/java/org/apache/ambari/server/controller/AuthToLocalBuilderTest.java
index c88acc1..cad77ed 100644
--- a/ambari-server/src/test/java/org/apache/ambari/server/controller/AuthToLocalBuilderTest.java
+++ b/ambari-server/src/test/java/org/apache/ambari/server/controller/AuthToLocalBuilderTest.java
@@ -91,6 +91,86 @@ public class AuthToLocalBuilderTest {
   }
 
   @Test
+  public void testRuleGeneration_changeToCaseInsensitiveSupport() {
+    AuthToLocalBuilder builder = new AuthToLocalBuilder("EXAMPLE.COM", Collections.<String>emptyList(),
false);
+
+    builder.addRule("nn/_HOST@EXAMPLE.COM", "hdfs");
+    // Duplicate principal for secondary namenode, should be filtered out...
+    builder.addRule("nn/_HOST@EXAMPLE.COM", "hdfs");
+    builder.addRule("dn/_HOST@EXAMPLE.COM", "hdfs");
+    builder.addRule("jn/_HOST@EXAMPLE.COM", "hdfs");
+    builder.addRule("rm/_HOST@EXAMPLE.COM", "yarn");
+    builder.addRule("jhs/_HOST@EXAMPLE.COM", "mapred");
+    builder.addRule("hm/_HOST@EXAMPLE.COM", "hbase");
+    builder.addRule("rs/_HOST@EXAMPLE.COM", "hbase");
+
+    String existingRules = builder.generate();
+
+    builder = new AuthToLocalBuilder("EXAMPLE.COM", Collections.<String>emptyList(),
true);
+    builder.addRules(existingRules);
+
+    builder.addRule("nn/_HOST@EXAMPLE.COM", "hdfs");
+    builder.addRule("dn/_HOST@EXAMPLE.COM", "hdfs");
+    builder.addRule("jn/_HOST@EXAMPLE.COM", "hdfs");
+    builder.addRule("rm/_HOST@EXAMPLE.COM", "yarn");
+    builder.addRule("jhs/_HOST@EXAMPLE.COM", "mapred");
+    builder.addRule("hm/_HOST@EXAMPLE.COM", "hbase");
+    builder.addRule("rs/_HOST@EXAMPLE.COM", "hbase");
+
+    assertEquals(
+            "RULE:[1:$1@$0](.*@EXAMPLE.COM)s/@.*///L\n" +
+            "RULE:[2:$1@$0](dn@EXAMPLE.COM)s/.*/hdfs/\n" +
+            "RULE:[2:$1@$0](hm@EXAMPLE.COM)s/.*/hbase/\n" +
+            "RULE:[2:$1@$0](jhs@EXAMPLE.COM)s/.*/mapred/\n" +
+            "RULE:[2:$1@$0](jn@EXAMPLE.COM)s/.*/hdfs/\n" +
+            "RULE:[2:$1@$0](nn@EXAMPLE.COM)s/.*/hdfs/\n" +
+            "RULE:[2:$1@$0](rm@EXAMPLE.COM)s/.*/yarn/\n" +
+            "RULE:[2:$1@$0](rs@EXAMPLE.COM)s/.*/hbase/\n" +
+            "DEFAULT",
+        builder.generate());
+  }
+
+  @Test
+  public void testRuleGeneration_changeToCaseSensitiveSupport() {
+    AuthToLocalBuilder builder = new AuthToLocalBuilder("EXAMPLE.COM", Collections.<String>emptyList(),
true);
+
+    builder.addRule("nn/_HOST@EXAMPLE.COM", "hdfs");
+    // Duplicate principal for secondary namenode, should be filtered out...
+    builder.addRule("nn/_HOST@EXAMPLE.COM", "hdfs");
+    builder.addRule("dn/_HOST@EXAMPLE.COM", "hdfs");
+    builder.addRule("jn/_HOST@EXAMPLE.COM", "hdfs");
+    builder.addRule("rm/_HOST@EXAMPLE.COM", "yarn");
+    builder.addRule("jhs/_HOST@EXAMPLE.COM", "mapred");
+    builder.addRule("hm/_HOST@EXAMPLE.COM", "hbase");
+    builder.addRule("rs/_HOST@EXAMPLE.COM", "hbase");
+
+    String existingRules = builder.generate();
+
+    builder = new AuthToLocalBuilder("EXAMPLE.COM", Collections.<String>emptyList(),
false);
+    builder.addRules(existingRules);
+
+    builder.addRule("nn/_HOST@EXAMPLE.COM", "hdfs");
+    builder.addRule("dn/_HOST@EXAMPLE.COM", "hdfs");
+    builder.addRule("jn/_HOST@EXAMPLE.COM", "hdfs");
+    builder.addRule("rm/_HOST@EXAMPLE.COM", "yarn");
+    builder.addRule("jhs/_HOST@EXAMPLE.COM", "mapred");
+    builder.addRule("hm/_HOST@EXAMPLE.COM", "hbase");
+    builder.addRule("rs/_HOST@EXAMPLE.COM", "hbase");
+
+    assertEquals(
+            "RULE:[1:$1@$0](.*@EXAMPLE.COM)s/@.*//\n" +
+            "RULE:[2:$1@$0](dn@EXAMPLE.COM)s/.*/hdfs/\n" +
+            "RULE:[2:$1@$0](hm@EXAMPLE.COM)s/.*/hbase/\n" +
+            "RULE:[2:$1@$0](jhs@EXAMPLE.COM)s/.*/mapred/\n" +
+            "RULE:[2:$1@$0](jn@EXAMPLE.COM)s/.*/hdfs/\n" +
+            "RULE:[2:$1@$0](nn@EXAMPLE.COM)s/.*/hdfs/\n" +
+            "RULE:[2:$1@$0](rm@EXAMPLE.COM)s/.*/yarn/\n" +
+            "RULE:[2:$1@$0](rs@EXAMPLE.COM)s/.*/hbase/\n" +
+            "DEFAULT",
+        builder.generate());
+  }
+
+  @Test
   public void testRuleGeneration_ExistingRules() {
     AuthToLocalBuilder builder = new AuthToLocalBuilder("EXAMPLE.COM", Collections.<String>emptyList(),
false);
     // previously generated non-host specific rules
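Review bot: Both new tests construct the builder with `Collections.<String>emptyList()` for the additional realms, so the remove/add pair inside the `additionalRealms` loop of generate() is never exercised. A third case with a non-empty additional-realm list, switching the flag between the two builders, would cover that path. It would also help to assert on `existingRules` before re-importing it, in the first test for instance `assertTrue(existingRules.contains("(.*@EXAMPLE.COM)s/@.*//\n"))`, so the test proves the opposite-case default rule was present and then replaced, not merely absent. testRuleGeneration_ExistingRules continues outside the hunk.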

