From dca7350a36f051c50078a94ce4d784f53162033a Mon Sep 17 00:00:00 2001 From: Alejandro Abdelnur Date: Wed, 7 May 2014 18:20:11 +0000 Subject: [PATCH] HADOOP-10566. Add toLowerCase support to auth_to_local rules for service name. (tucu) git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1593105 13f79535-47bb-0310-9956-ffa450edef68 --- .../authentication/util/KerberosName.java | 17 ++++++++++++++--- .../authentication/util/TestKerberosName.java | 16 ++++++++++++++++ hadoop-common-project/hadoop-common/CHANGES.txt | 3 +++ .../src/site/apt/SecureMode.apt.vm | 4 +++- 4 files changed, 36 insertions(+), 4 deletions(-) diff --git a/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/util/KerberosName.java b/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/util/KerberosName.java index 6c511869c0..62bb00acab 100644 --- a/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/util/KerberosName.java +++ b/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/util/KerberosName.java @@ -21,6 +21,7 @@ import java.io.IOException; import java.util.ArrayList; import java.util.List; +import java.util.Locale; import java.util.regex.Matcher; import java.util.regex.Pattern; @@ -66,7 +67,7 @@ public class KerberosName { */ private static final Pattern ruleParser = Pattern.compile("\\s*((DEFAULT)|(RULE:\\[(\\d*):([^\\]]*)](\\(([^)]*)\\))?"+ - "(s/([^/]*)/([^/]*)/(g)?)?))"); + "(s/([^/]*)/([^/]*)/(g)?)?))/?(L)?"); /** * A pattern that recognizes simple/non-simple names. @@ -171,6 +172,7 @@ private static class Rule { private final Pattern fromPattern; private final String toPattern; private final boolean repeat; + private final boolean toLowerCase; Rule() { isDefault = true; 
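Review bot: In the `ruleParser` hunk the new suffix `/?(L)?` sits outside the `(DEFAULT)|(RULE:…)` alternation and makes the slash and the letter independently optional. The grammar therefore also accepts `RULE:[1:$1]L`, a lone trailing `/`, and `DEFAULT/L`. The DEFAULT branch of `parseRules` is outside the visible hunks, but the no-arg `Rule()` constructor sets `toLowerCase = false`, so a `DEFAULT/L` rule would presumably parse cleanly and never lowercase. For a principal-to-local-user mapping, a flag that is silently ignored is worse than a parse error. Consider tying the flag to the RULE alternative and requiring the slash, which keeps `L` as group 12 for the `"L".equals(matcher.group(12))` call in the `parseRules` hunk: `"(s/([^/]*)/([^/]*)/(g)?)?(?:/(L))?))"`. The Javadoc above `ruleParser` (only its closing `*/` is visible) should also mention the new `/L` suffix.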
@@ -180,10 +182,11 @@ private static class Rule { fromPattern = null; toPattern = null; repeat = false; + toLowerCase = false; } Rule(int numOfComponents, String format, String match, String fromPattern, - String toPattern, boolean repeat) { + String toPattern, boolean repeat, boolean toLowerCase) { isDefault = false; this.numOfComponents = numOfComponents; this.format = format; @@ -192,6 +195,7 @@ private static class Rule { fromPattern == null ? null : Pattern.compile(fromPattern); this.toPattern = toPattern; this.repeat = repeat; + this.toLowerCase = toLowerCase; } @Override @@ -220,6 +224,9 @@ public String toString() { buf.append('g'); } } + if (toLowerCase) { + buf.append("/L"); + } } return buf.toString(); } @@ -308,6 +315,9 @@ String apply(String[] params) throws IOException { throw new NoMatchingRule("Non-simple name " + result + " after auth_to_local rule " + this); } + if (toLowerCase && result != null) { + result = result.toLowerCase(Locale.ENGLISH); + } return result; } } @@ -328,7 +338,8 @@ static List parseRules(String rules) { matcher.group(7), matcher.group(9), matcher.group(10), - "g".equals(matcher.group(11)))); + "g".equals(matcher.group(11)), + "L".equals(matcher.group(12)))); } remaining = remaining.substring(matcher.end()); } diff --git a/hadoop-common-project/hadoop-auth/src/test/java/org/apache/hadoop/security/authentication/util/TestKerberosName.java b/hadoop-common-project/hadoop-auth/src/test/java/org/apache/hadoop/security/authentication/util/TestKerberosName.java index e82a0a6c18..354917efe2 100644 --- a/hadoop-common-project/hadoop-auth/src/test/java/org/apache/hadoop/security/authentication/util/TestKerberosName.java +++ b/hadoop-common-project/hadoop-auth/src/test/java/org/apache/hadoop/security/authentication/util/TestKerberosName.java 
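Review bot: The lowercasing added at the end of `apply()` (hunk `@@ -308,6 +315,9 @@`) makes the mapping many-to-one, and nothing in the code says so. Kerberos principal names are case-sensitive, so with `/L` two distinct principals such as `Joe@FOO.COM` and `joe@FOO.COM` resolve to the same short name and share one local identity. A comment on the branch would help operators who enable the flag, for example `// /L folds case after the rule matched: principals differing only in case map to the same user`. `Locale.ENGLISH` already avoids default-locale surprises, though `Locale.ROOT` is the more conventional locale-neutral choice. `apply()` begins outside this hunk, so whether `result` can be null at this point cannot be confirmed from here.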
@@ -91,6 +91,22 @@ public void testAntiPatterns() throws Exception { checkBadTranslation("root/joe@FOO.COM"); } + @Test + public void testToLowerCase() throws Exception { + String rules = + "RULE:[1:$1]/L\n" + + "RULE:[2:$1]/L\n" + + "RULE:[2:$1;$2](^.*;admin$)s/;admin$///L\n" + + "RULE:[2:$1;$2](^.*;guest$)s/;guest$//g/L\n" + + "DEFAULT"; + KerberosName.setRules(rules); + KerberosName.printRules(); + checkTranslation("Joe@FOO.COM", "joe"); + checkTranslation("Joe/root@FOO.COM", "joe"); + checkTranslation("Joe/admin@FOO.COM", "joe"); + checkTranslation("Joe/guestguest@FOO.COM", "joe"); + } + @After public void clear() { System.clearProperty("java.security.krb5.realm"); diff --git a/hadoop-common-project/hadoop-common/CHANGES.txt b/hadoop-common-project/hadoop-common/CHANGES.txt index 3b32f99c0b..ae31cb9a6e 100644 --- a/hadoop-common-project/hadoop-common/CHANGES.txt +++ b/hadoop-common-project/hadoop-common/CHANGES.txt @@ -371,6 +371,9 @@ Release 2.5.0 - UNRELEASED HADOOP-10471. Reduce the visibility of constants in ProxyUsers. (Benoy Antony via wheat9) + HADOOP-10566. Add toLowerCase support to auth_to_local rules + for service name. (tucu) + OPTIMIZATIONS BUG FIXES diff --git a/hadoop-common-project/hadoop-common/src/site/apt/SecureMode.apt.vm b/hadoop-common-project/hadoop-common/src/site/apt/SecureMode.apt.vm index 68ca4b0da6..fb1b262ea8 100644 --- a/hadoop-common-project/hadoop-common/src/site/apt/SecureMode.apt.vm +++ b/hadoop-common-project/hadoop-common/src/site/apt/SecureMode.apt.vm 
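Review bot: `testToLowerCase` only feeds rules that carry `/L` and checks the lowered result, so it would still pass if lowercasing were applied unconditionally. A negative case would pin that the flag is opt-in, assuming `checkTranslation` behaves as in the other tests of this class: `KerberosName.setRules("RULE:[1:$1]\nDEFAULT");` followed by `checkTranslation("Joe@FOO.COM", "Joe");`. It would also be worth asserting how `DEFAULT/L` and `RULE:[1:$1]L` are handled, since the parser pattern currently accepts both. The `KerberosName.printRules()` call asserts nothing and only adds output to the test run.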
@@ -176,9 +176,11 @@ KVNO Timestamp Principal the rule specified by <<>> which works in the same way as the <<>> in {{{http://web.mit.edu/Kerberos/krb5-latest/doc/admin/conf_files/krb5_conf.html}Kerberos configuration file (krb5.conf)}}. + In addition, Hadoop <<>> mapping supports the <> flag that + lowercases the returned name. By default, it picks the first component of principal name as a user name - if the realms matches to the <<>> (usually defined in /etc/krb5.conf). + if the realms matches to the <<>> (usually defined in /etc/krb5.conf). For example, <<>> is mapped to <<>> by default rule.