From: rlevas@apache.org To: commits@ambari.apache.org Message-Id: X-Mailer: ASF-Git Admin Mailer Subject: ambari git commit: AMBARI-16023. Auth-to-local rule generation duplicates default rules when adding case-insensitive default rules (rlevas) Date: Tue, 26 Apr 2016 14:54:38 +0000 (UTC) Repository: ambari Updated Branches: refs/heads/trunk 980420449 -> 2e2588efc AMBARI-16023. Auth-to-local rule generation duplicates default rules when adding case-insensitive default rules (rlevas) Project: http://git-wip-us.apache.org/repos/asf/ambari/repo Commit: http://git-wip-us.apache.org/repos/asf/ambari/commit/2e2588ef Tree: http://git-wip-us.apache.org/repos/asf/ambari/tree/2e2588ef Diff: http://git-wip-us.apache.org/repos/asf/ambari/diff/2e2588ef Branch: refs/heads/trunk Commit: 2e2588efc5dbc12b16e58e8f709e600acd7decd1 Parents: 9804204 Author: Robert Levas Authored: Tue Apr 26 10:54:18 2016 -0400 Committer: Robert Levas Committed: Tue Apr 26 10:54:23 2016 -0400 ---------------------------------------------------------------------- .../server/controller/AuthToLocalBuilder.java | 29 +++---- .../controller/AuthToLocalBuilderTest.java | 80 ++++++++++++++++++++ 2 files changed, 91 insertions(+), 18 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/ambari/blob/2e2588ef/ambari-server/src/main/java/org/apache/ambari/server/controller/AuthToLocalBuilder.java ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/java/org/apache/ambari/server/controller/AuthToLocalBuilder.java b/ambari-server/src/main/java/org/apache/ambari/server/controller/AuthToLocalBuilder.java index 9d6db0a..1fb912e 100644 --- a/ambari-server/src/main/java/org/apache/ambari/server/controller/AuthToLocalBuilder.java +++ b/ambari-server/src/main/java/org/apache/ambari/server/controller/AuthToLocalBuilder.java 
@@ -167,7 +167,6 @@ public class AuthToLocalBuilder implements Cloneable { Rule rule = createHostAgnosticRule(p, localUsername); setRules.add(rule); - addDefaultRealmRule(rule.getPrincipal()); } } @@ -198,12 +197,18 @@ public class AuthToLocalBuilder implements Cloneable { StringBuilder builder = new StringBuilder(); // ensure that a default rule is added for this realm if (!StringUtils.isEmpty(defaultRealm)) { - setRules.add(createDefaultRealmRule(defaultRealm)); + // Remove existing default rule.... this is in the event we are switching case sensitivity... + setRules.remove(createDefaultRealmRule(defaultRealm, !caseInsensitiveUser)); + // Add (new) default rule.... + setRules.add(createDefaultRealmRule(defaultRealm, caseInsensitiveUser)); } // ensure that a default realm rule is added for the specified additional realms for (String additionalRealm : additionalRealms) { - setRules.add(createDefaultRealmRule(additionalRealm)); + // Remove existing default rule.... this is in the event we are switching case sensitivity... + setRules.remove(createDefaultRealmRule(additionalRealm, !caseInsensitiveUser)); + // Add (new) default rule.... + setRules.add(createDefaultRealmRule(additionalRealm, caseInsensitiveUser)); } if (concatenationType == null) { @@ -247,19 +252,6 @@ public class AuthToLocalBuilder implements Cloneable { } /** - * Add a default realm rule for the realm associated with a principal. - * If the realm is null or is a wildcard ".*" then no rule id added. - * - * @param principal principal which contains the realm - */ - private void addDefaultRealmRule(Principal principal) { - String realm = principal.getRealm(); - if (realm != null && !realm.equals(".*")) { - setRules.add(createDefaultRealmRule(realm)); - } - } - - /** * Create a rule that expects 2 components in the principal and ignores hostname in the comparison. * * @param principal principal 
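Review bot: In the second hunk the stale opposite-case default rule is removed only for `defaultRealm` and the entries of `additionalRealms`, so a default rule for any other realm that arrives through previously generated rules would keep its old case sensitivity. The output could then mix `/L` and non-`/L` default rules, which affects the local account name a principal is mapped to. The `setRules.remove(...)` call also relies on `Rule` equality or ordering telling the two variants apart, which is not visible in this hunk. I would state the limit on the removal, e.g. `// Only the configured realms are normalized; default rules for other realms taken from existing rules keep their case sensitivity`, and fold the duplicated remove/add pair into one private helper. The enclosing method starts and ends outside the hunk.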
@@ -279,10 +271,11 @@ public class AuthToLocalBuilder implements Cloneable { * Create a default rule for a realm which matches all principals with 1 component and the same realm. * * @param realm realm that the rule is being created for + * @param caseInsensitive true if the rule should be case-insensitive; otherwise false * @return a new default realm rule */ - private Rule createDefaultRealmRule(String realm) { - String caseSensitivityRule = caseInsensitiveUser ? "/L" : ""; + private Rule createDefaultRealmRule(String realm, boolean caseInsensitive) { + String caseSensitivityRule = caseInsensitive ? "/L" : ""; return new Rule(new Principal(String.format(".*@%s", realm)), 1, 1, String.format("RULE:[1:$1@$0](.*@%s)s/@.*//" + caseSensitivityRule, realm)); http://git-wip-us.apache.org/repos/asf/ambari/blob/2e2588ef/ambari-server/src/test/java/org/apache/ambari/server/controller/AuthToLocalBuilderTest.java ---------------------------------------------------------------------- diff --git a/ambari-server/src/test/java/org/apache/ambari/server/controller/AuthToLocalBuilderTest.java b/ambari-server/src/test/java/org/apache/ambari/server/controller/AuthToLocalBuilderTest.java index c88acc1..cad77ed 100644 --- a/ambari-server/src/test/java/org/apache/ambari/server/controller/AuthToLocalBuilderTest.java +++ b/ambari-server/src/test/java/org/apache/ambari/server/controller/AuthToLocalBuilderTest.java 
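Review bot: The new `@param caseInsensitive` line does not say what the flag does to the generated rule, and "case-insensitive" leaves open whether matching or the resulting name is affected; the code only appends `/L` to the substitution. Suggested wording: `@param caseInsensitive true to append the "/L" flag, so that the local user name produced by the rule is converted to lowercase; otherwise false`. On the unchanged return line the realm is placed unescaped into the `(.*@%s)` filter, presumably a regular expression, so the dots of a realm name match any character; a one-line comment that realms are expected to come from trusted cluster configuration would make that assumption explicit. The method's closing brace is outside the hunk.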
@@ -91,6 +91,86 @@ public class AuthToLocalBuilderTest { } @Test + public void testRuleGeneration_changeToCaseInsensitiveSupport() { + AuthToLocalBuilder builder = new AuthToLocalBuilder("EXAMPLE.COM", Collections.emptyList(), false); + + builder.addRule("nn/_HOST@EXAMPLE.COM", "hdfs"); + // Duplicate principal for secondary namenode, should be filtered out... + builder.addRule("nn/_HOST@EXAMPLE.COM", "hdfs"); + builder.addRule("dn/_HOST@EXAMPLE.COM", "hdfs"); + builder.addRule("jn/_HOST@EXAMPLE.COM", "hdfs"); + builder.addRule("rm/_HOST@EXAMPLE.COM", "yarn"); + builder.addRule("jhs/_HOST@EXAMPLE.COM", "mapred"); + builder.addRule("hm/_HOST@EXAMPLE.COM", "hbase"); + builder.addRule("rs/_HOST@EXAMPLE.COM", "hbase"); + + String existingRules = builder.generate(); + + builder = new AuthToLocalBuilder("EXAMPLE.COM", Collections.emptyList(), true); + builder.addRules(existingRules); + + builder.addRule("nn/_HOST@EXAMPLE.COM", "hdfs"); + builder.addRule("dn/_HOST@EXAMPLE.COM", "hdfs"); + builder.addRule("jn/_HOST@EXAMPLE.COM", "hdfs"); + builder.addRule("rm/_HOST@EXAMPLE.COM", "yarn"); + builder.addRule("jhs/_HOST@EXAMPLE.COM", "mapred"); + builder.addRule("hm/_HOST@EXAMPLE.COM", "hbase"); + builder.addRule("rs/_HOST@EXAMPLE.COM", "hbase"); + + assertEquals( + "RULE:[1:$1@$0](.*@EXAMPLE.COM)s/@.*///L\n" + + "RULE:[2:$1@$0](dn@EXAMPLE.COM)s/.*/hdfs/\n" + + "RULE:[2:$1@$0](hm@EXAMPLE.COM)s/.*/hbase/\n" + + "RULE:[2:$1@$0](jhs@EXAMPLE.COM)s/.*/mapred/\n" + + "RULE:[2:$1@$0](jn@EXAMPLE.COM)s/.*/hdfs/\n" + + "RULE:[2:$1@$0](nn@EXAMPLE.COM)s/.*/hdfs/\n" + + "RULE:[2:$1@$0](rm@EXAMPLE.COM)s/.*/yarn/\n" + + "RULE:[2:$1@$0](rs@EXAMPLE.COM)s/.*/hbase/\n" + + "DEFAULT", + builder.generate()); + } + + @Test + public void testRuleGeneration_changeToCaseSensitiveSupport() { + AuthToLocalBuilder builder = new AuthToLocalBuilder("EXAMPLE.COM", Collections.emptyList(), true); + + builder.addRule("nn/_HOST@EXAMPLE.COM", "hdfs"); + // Duplicate principal for secondary namenode, should be 
filtered out... + builder.addRule("nn/_HOST@EXAMPLE.COM", "hdfs"); + builder.addRule("dn/_HOST@EXAMPLE.COM", "hdfs"); + builder.addRule("jn/_HOST@EXAMPLE.COM", "hdfs"); + builder.addRule("rm/_HOST@EXAMPLE.COM", "yarn"); + builder.addRule("jhs/_HOST@EXAMPLE.COM", "mapred"); + builder.addRule("hm/_HOST@EXAMPLE.COM", "hbase"); + builder.addRule("rs/_HOST@EXAMPLE.COM", "hbase"); + + String existingRules = builder.generate(); + + builder = new AuthToLocalBuilder("EXAMPLE.COM", Collections.emptyList(), false); + builder.addRules(existingRules); + + builder.addRule("nn/_HOST@EXAMPLE.COM", "hdfs"); + builder.addRule("dn/_HOST@EXAMPLE.COM", "hdfs"); + builder.addRule("jn/_HOST@EXAMPLE.COM", "hdfs"); + builder.addRule("rm/_HOST@EXAMPLE.COM", "yarn"); + builder.addRule("jhs/_HOST@EXAMPLE.COM", "mapred"); + builder.addRule("hm/_HOST@EXAMPLE.COM", "hbase"); + builder.addRule("rs/_HOST@EXAMPLE.COM", "hbase"); + + assertEquals( + "RULE:[1:$1@$0](.*@EXAMPLE.COM)s/@.*//\n" + + "RULE:[2:$1@$0](dn@EXAMPLE.COM)s/.*/hdfs/\n" + + "RULE:[2:$1@$0](hm@EXAMPLE.COM)s/.*/hbase/\n" + + "RULE:[2:$1@$0](jhs@EXAMPLE.COM)s/.*/mapred/\n" + + "RULE:[2:$1@$0](jn@EXAMPLE.COM)s/.*/hdfs/\n" + + "RULE:[2:$1@$0](nn@EXAMPLE.COM)s/.*/hdfs/\n" + + "RULE:[2:$1@$0](rm@EXAMPLE.COM)s/.*/yarn/\n" + + "RULE:[2:$1@$0](rs@EXAMPLE.COM)s/.*/hbase/\n" + + "DEFAULT", + builder.generate()); + } + + @Test public void testRuleGeneration_ExistingRules() { AuthToLocalBuilder builder = new AuthToLocalBuilder("EXAMPLE.COM", Collections.emptyList(), false); // previously generated non-host specific rules
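Review bot: Both new tests build the `AuthToLocalBuilder` with `Collections.emptyList()`, so the remove/add pair this commit adds for `additionalRealms` is never exercised; only the `defaultRealm` branch is. A variant that passes a non-empty list (constructed example: `Collections.singletonList("REALM2")`) and asserts exactly one default rule per realm after the switch would cover it. Neither test pins the other behaviour change of the commit, that `addRule` no longer creates a default rule for the principal's realm; a case with a principal outside the default realm would document that. The two bodies differ only in the two boolean constructor arguments and the first expected line, so a shared private helper taking those values would remove the duplication.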