ambari-commits mailing list archives

From rle...@apache.org
Subject ambari git commit: AMBARI-19767. Inconsistent auth-to-local rules processing during Kerberos authentication (rlevas)
Date Sun, 29 Jan 2017 16:15:45 GMT
Repository: ambari
Updated Branches:
  refs/heads/trunk e0765d922 -> 716b2fca3


AMBARI-19767. Inconsistent auth-to-local rules processing during Kerberos authentication (rlevas)


Project: http://git-wip-us.apache.org/repos/asf/ambari/repo
Commit: http://git-wip-us.apache.org/repos/asf/ambari/commit/716b2fca
Tree: http://git-wip-us.apache.org/repos/asf/ambari/tree/716b2fca
Diff: http://git-wip-us.apache.org/repos/asf/ambari/diff/716b2fca

Branch: refs/heads/trunk
Commit: 716b2fca38a9db43b3211b9380f18149a3342256
Parents: e0765d9
Author: Robert Levas <rlevas@hortonworks.com>
Authored: Sun Jan 29 11:14:59 2017 -0500
Committer: Robert Levas <rlevas@hortonworks.com>
Committed: Sun Jan 29 11:15:24 2017 -0500

----------------------------------------------------------------------
 .../AmbariAuthToLocalUserDetailsService.java       | 17 ++++++++++++-----
 1 file changed, 12 insertions(+), 5 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/ambari/blob/716b2fca/ambari-server/src/main/java/org/apache/ambari/server/security/authentication/kerberos/AmbariAuthToLocalUserDetailsService.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/security/authentication/kerberos/AmbariAuthToLocalUserDetailsService.java
b/ambari-server/src/main/java/org/apache/ambari/server/security/authentication/kerberos/AmbariAuthToLocalUserDetailsService.java
index c85503c..1e4f6ea 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/security/authentication/kerberos/AmbariAuthToLocalUserDetailsService.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/security/authentication/kerberos/AmbariAuthToLocalUserDetailsService.java
@@ -49,6 +49,8 @@ public class AmbariAuthToLocalUserDetailsService implements UserDetailsService
{
 
   private final List<UserType> userTypeOrder;
 
+  private final String authToLocalRules;
+
   /**
    * Constructor.
    * <p>
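Review bot: The added field `private final String authToLocalRules;` has no comment, and its role is not obvious from the name alone. The rules are no longer installed once in the constructor but on every call, so a one-line Javadoc would help, saying that this is the rule set passed to KerberosName.setRules() inside loadUserByUsername().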
@@ -80,18 +82,23 @@ public class AmbariAuthToLocalUserDetailsService implements UserDetailsService
{
       orderedUserTypes = Collections.singletonList(UserType.LDAP);
     }
 
-    KerberosName.setRules(authToLocalRules);
-
     this.users = users;
     this.userTypeOrder = orderedUserTypes;
+    this.authToLocalRules = authToLocalRules;
   }
 
   @Override
   public UserDetails loadUserByUsername(String principal) throws UsernameNotFoundException
{
-    KerberosName kerberosName = new KerberosName(principal);
-
     try {
-      String username = kerberosName.getShortName();
+      String username;
+
+      // Since KerberosName relies on a static variable to hold on to the auth-to-local rules,
attempt
+      // to protect access to the rule set by blocking other threads from chaning the rules
out from
+      // under us during this operation.  Similar logic is used in org.apache.ambari.server.view.ViewContextImpl.getUsername().
+      synchronized (KerberosName.class) {
+        KerberosName.setRules(authToLocalRules);
+        username = new KerberosName(principal).getShortName();
+      }
 
       if (username == null) {
         String message = String.format("Failed to translate %s to a local username during
Kerberos authentication.", principal);
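Review bot: The `synchronized (KerberosName.class)` block in loadUserByUsername() only excludes threads that take the same monitor before touching the rules. Any caller that invokes KerberosName.setRules() without that lock can still replace the static rule set between `KerberosName.setRules(authToLocalRules);` and `getShortName()`, and the principal would then be translated with the wrong rules. The comment names ViewContextImpl.getUsername() as using the same pattern; it would be worth confirming that every other setRules() call site does too, or routing them all through one shared helper that owns the lock. The block also leaves this service's rules installed in the static after it exits, so code that reads the rules without setting them first now sees whatever the last authentication installed. Finally, every Kerberos login is now serialized on a class-wide lock and re-sets the rules each time; if that shows up under load, consider skipping setRules() when the current rules already match. Minor: "chaning" in the new comment should be "changing".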

