knox-commits mailing list archives

From dillido...@apache.org
Subject git commit: KNOX-215, enhance AbstractIdentityAssertionFilter to make use of ldap groups looked up by shiro
Date Tue, 03 Dec 2013 18:33:58 GMT
Updated Branches:
  refs/heads/master ad6a2aa76 -> 8a9c3adc0


KNOX-215, enhance AbstractIdentityAssertionFilter to make use of ldap groups looked up by
shiro


Project: http://git-wip-us.apache.org/repos/asf/incubator-knox/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-knox/commit/8a9c3adc
Tree: http://git-wip-us.apache.org/repos/asf/incubator-knox/tree/8a9c3adc
Diff: http://git-wip-us.apache.org/repos/asf/incubator-knox/diff/8a9c3adc

Branch: refs/heads/master
Commit: 8a9c3adc029a1264d1a1c04494bb11ab8857b874
Parents: ad6a2aa
Author: Dilli Dorai Arumugam <darumugam@hortonworks.com>
Authored: Tue Dec 3 10:32:35 2013 -0800
Committer: Dilli Dorai Arumugam <darumugam@hortonworks.com>
Committed: Tue Dec 3 10:32:35 2013 -0800

----------------------------------------------------------------------
 .../security/AbstractIdentityAssertionFilter.java | 18 ++++++++++++++++--
 1 file changed, 16 insertions(+), 2 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/8a9c3adc/gateway-spi/src/main/java/org/apache/hadoop/gateway/filter/security/AbstractIdentityAssertionFilter.java
----------------------------------------------------------------------
diff --git a/gateway-spi/src/main/java/org/apache/hadoop/gateway/filter/security/AbstractIdentityAssertionFilter.java
b/gateway-spi/src/main/java/org/apache/hadoop/gateway/filter/security/AbstractIdentityAssertionFilter.java
index 6246fc4..fdd1e06 100644
--- a/gateway-spi/src/main/java/org/apache/hadoop/gateway/filter/security/AbstractIdentityAssertionFilter.java
+++ b/gateway-spi/src/main/java/org/apache/hadoop/gateway/filter/security/AbstractIdentityAssertionFilter.java
@@ -42,6 +42,8 @@ import javax.servlet.ServletResponse;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.ServletException;
 
+import java.util.Set;
+
 public abstract class AbstractIdentityAssertionFilter extends AbstractIdentityAssertionBase
implements Filter {
 
   private static final GatewaySpiMessages LOG = MessagesFactory.get( GatewaySpiMessages.class
);
@@ -92,7 +94,11 @@ public abstract class AbstractIdentityAssertionFilter extends AbstractIdentityAs
     // an impersonatedPrincipal and/or mapped group principals
     boolean impersonationNeeded = false;
     boolean groupsMapped = false;
+    
+    // look up the current Java Subject and assosciated group principals
     Subject currentSubject = Subject.getSubject(AccessController.getContext());
+    Set<?> currentGroups = currentSubject.getPrincipals(GroupPrincipal.class);
+    
     primaryPrincipal = (PrimaryPrincipal) currentSubject.getPrincipals(PrimaryPrincipal.class).toArray()[0];
     if (primaryPrincipal != null) {
       if (!primaryPrincipal.getName().equals(mappedPrincipalName)) {
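Review bot: The added `currentSubject.getPrincipals(GroupPrincipal.class)` is now the first dereference of `currentSubject`, and `Subject.getSubject(...)` returns null when no Subject is bound to the access-control context, so a request that arrives without one would fail with a NullPointerException instead of an explicit rejection. The existing `PrimaryPrincipal` lookup on the next line makes the same assumption, so an upstream filter may guarantee a Subject, but nothing in this hunk shows that. A guard before the lookup would make the filter fail closed and state the precondition, for example `if (currentSubject == null) { throw new ServletException("no authenticated Subject"); }` (the message is constructed here, and this assumes the enclosing method declares ServletException). Declaring the set as `Set<GroupPrincipal> currentGroups` would also remove the need for the `(Principal)obj` cast in the following hunk. The enclosing method starts and ends outside this hunk.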
@@ -106,12 +112,20 @@ public abstract class AbstractIdentityAssertionFilter extends AbstractIdentityAs
       // TODO: log as appropriate
       primaryPrincipal = new PrimaryPrincipal(((HttpServletRequest) request).getUserPrincipal().getName());
     }
-    groupsMapped = areGroupsMappedForPrincipal(mappedPrincipalName);
+    
+    groupsMapped = areGroupsMappedForPrincipal(mappedPrincipalName) || !currentGroups.isEmpty();
     
     if (impersonationNeeded || groupsMapped) {
       // gonna need a new subject and doAs
       subject = new Subject();
-      subject.getPrincipals().add(primaryPrincipal);
+      Set<Principal> principals = subject.getPrincipals();
+      principals.add(primaryPrincipal);
+      
+      // map group principals from current Subject into newly created Subject
+      for (Object obj : currentGroups) {
+        principals.add((Principal)obj);
+      }
+      
       if (impersonationNeeded) {
         impersonationPrincipal = new ImpersonatedPrincipal(mappedPrincipalName);
         subject.getPrincipals().add(impersonationPrincipal);
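Review bot: The loop `for (Object obj : currentGroups)` copies the authenticated user's group principals into the new Subject even when `impersonationNeeded` is true, so the identity asserted as `mappedPrincipalName` carries group memberships that were looked up for a different user name. Whether that is intended for principal mapping cannot be told from this hunk, and any groups added by the group-mapping configuration (handled outside the hunk) would be combined with them. If it is intended, a comment such as `// groups were resolved for the authenticated user and deliberately follow the mapped principal` would record the decision; if not, the loop should be wrapped in `if (!impersonationNeeded) { ... }`. `groupsMapped` also now means "mapped or already present on the Subject", which a short comment at its assignment would make clear.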

