kudu-commits mailing list archives

From ale...@apache.org
Subject [2/3] kudu git commit: master: don't issue new authn tokens to TOKEN-authenticated users
Date Thu, 23 Feb 2017 04:58:29 GMT
master: don't issue new authn tokens to TOKEN-authenticated users

Doing so would basically be equivalent to non-expiring tokens.

Change-Id: I6cb1daf75680bb78e6e5b3331ee346a9faa41ac0
Reviewed-on: http://gerrit.cloudera.org:8080/6119
Tested-by: Kudu Jenkins
Reviewed-by: Alexey Serbin <aserbin@cloudera.com>


Project: http://git-wip-us.apache.org/repos/asf/kudu/repo
Commit: http://git-wip-us.apache.org/repos/asf/kudu/commit/38df0f19
Tree: http://git-wip-us.apache.org/repos/asf/kudu/tree/38df0f19
Diff: http://git-wip-us.apache.org/repos/asf/kudu/diff/38df0f19

Branch: refs/heads/master
Commit: 38df0f197f14907cbdf228517a045611e1a19df6
Parents: 362eb53
Author: Todd Lipcon <todd@apache.org>
Authored: Wed Feb 22 15:24:01 2017 -0800
Committer: Todd Lipcon <todd@apache.org>
Committed: Thu Feb 23 04:00:08 2017 +0000

----------------------------------------------------------------------
 src/kudu/master/master_service.cc | 31 +++++++++++++++----------------
 1 file changed, 15 insertions(+), 16 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/kudu/blob/38df0f19/src/kudu/master/master_service.cc
----------------------------------------------------------------------
diff --git a/src/kudu/master/master_service.cc b/src/kudu/master/master_service.cc
index 6bdb518..f35d4b9 100644
--- a/src/kudu/master/master_service.cc
+++ b/src/kudu/master/master_service.cc
@@ -382,22 +382,21 @@ void MasterServiceImpl::ConnectToMaster(const ConnectToMasterRequestPB*
/*req*/,
     // exactly as the leader is changing.
     resp->add_ca_cert_der(server_->cert_authority()->ca_cert_der());
 
-    // Issue an authentication token for the caller.
-    // TODO(PKI): we should probably only issue a token if the client is
-    // authenticated by kerberos, and not by another token. Otherwise we're
-    // essentially allowing unlimited renewal, which is probably not what
-    // we want.
-    SignedTokenPB authn_token;
-    Status s = server_->token_signer()->GenerateAuthnToken(
-        rpc->remote_user().username(),
-        &authn_token);
-    if (!s.ok()) {
-      KLOG_EVERY_N_SECS(WARNING, 1)
-          << "Unable to generate signed token for " << rpc->requestor_string()
-          << ": " << s.ToString();
-    } else {
-      // TODO(todd): this might be a good spot for some auditing code?
-      resp->mutable_authn_token()->Swap(&authn_token);
+    // Issue an authentication token for the caller, unless they are
+    // already using a token to authenticate.
+    if (rpc->remote_user().authenticated_by() != rpc::RemoteUser::AUTHN_TOKEN) {
+      SignedTokenPB authn_token;
+      Status s = server_->token_signer()->GenerateAuthnToken(
+          rpc->remote_user().username(),
+          &authn_token);
+      if (!s.ok()) {
+        KLOG_EVERY_N_SECS(WARNING, 1)
+            << "Unable to generate signed token for " << rpc->requestor_string()
+            << ": " << s.ToString();
+      } else {
+        // TODO(todd): this might be a good spot for some auditing code?
+        resp->mutable_authn_token()->Swap(&authn_token);
+      }
     }
   }
   rpc->RespondSuccess();
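Review bot: the new guard `if (rpc->remote_user().authenticated_by() != rpc::RemoteUser::AUTHN_TOKEN)` is a deny-list on one mechanism, so a fresh token is still minted for every authentication method other than token, while the TODO(PKI) comment this hunk deletes asked for the stricter rule of issuing a token only when the client is authenticated by Kerberos. If a caller can reach ConnectToMaster authenticated by anything weaker than Kerberos, consider inverting the condition into an allow-list on the Kerberos mechanism, so that a mechanism added later does not silently become a token-issuing path. The `// TODO(todd): this might be a good spot for some auditing code?` line is carried over unchanged; since this branch is now the only place a fresh token is handed to a non-token caller, logging the principal and the mechanism on both the issue path and the new skip path would make token provenance auditable and would make it obvious when a token-authenticated client tried to renew.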

