Source code

001/**
002 * Licensed to the Apache Software Foundation (ASF) under one
003 * or more contributor license agreements.  See the NOTICE file
004 * distributed with this work for additional information
005 * regarding copyright ownership.  The ASF licenses this file
006 * to you under the Apache License, Version 2.0 (the
007 * "License"); you may not use this file except in compliance
008 * with the License.  You may obtain a copy of the License at
009 * <p>
010 * http://www.apache.org/licenses/LICENSE-2.0
011 * <p>
012 * Unless required by applicable law or agreed to in writing, software
013 * distributed under the License is distributed on an "AS IS" BASIS,
014 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
015 * See the License for the specific language governing permissions and
016 * limitations under the License.
017 */
018package org.apache.hadoop.security;
019
020import org.apache.hadoop.security.authentication.server.AuthenticationFilter;
021import org.apache.hadoop.security.authorize.AuthorizationException;
022import org.apache.hadoop.security.authorize.ProxyUsers;
023import org.apache.hadoop.util.HttpExceptionUtils;
024import org.apache.http.NameValuePair;
025import org.apache.http.client.utils.URLEncodedUtils;
026
027import javax.servlet.FilterChain;
028import javax.servlet.ServletException;
029import javax.servlet.http.HttpServletRequest;
030import javax.servlet.http.HttpServletRequestWrapper;
031import javax.servlet.http.HttpServletResponse;
032import java.io.IOException;
033import java.nio.charset.Charset;
034import java.util.List;
035
036/**
037 * Extend the function of {@link AuthenticationFilter} to
038 * support authorizing proxy user. If the query string
039 * contains doAs parameter, then check the proxy user,
040 * otherwise do the next filter.
041 */
042public class AuthenticationWithProxyUserFilter extends AuthenticationFilter {
043
044  /**
045   * Constant used in URL's query string to perform a proxy user request, the
046   * value of the <code>DO_AS</code> parameter is the user the request will be
047   * done on behalf of.
048   */
049  private static final String DO_AS = "doAs";
050
051  private static final Charset UTF8_CHARSET = Charset.forName("UTF-8");
052
053
054  /**
055   * This method provide the ability to do pre/post tasks
056   * in filter chain. Override this method to authorize
057   * proxy user between AuthenticationFilter and next filter.
058   * @param filterChain the filter chain object.
059   * @param request the request object.
060   * @param response the response object.
061   *
062   * @throws IOException
063   * @throws ServletException
064   */
065  @Override
066  protected void doFilter(FilterChain filterChain, HttpServletRequest request,
067      HttpServletResponse response) throws IOException, ServletException {
068
069    // authorize proxy user before calling next filter.
070    String proxyUser = getDoAs(request);
071    if (proxyUser != null) {
072      UserGroupInformation realUser =
073          UserGroupInformation.createRemoteUser(request.getRemoteUser());
074      UserGroupInformation proxyUserInfo =
075          UserGroupInformation.createProxyUser(proxyUser, realUser);
076
077      try {
078        ProxyUsers.authorize(proxyUserInfo, request.getRemoteAddr());
079      } catch (AuthorizationException ex) {
080        HttpExceptionUtils.createServletExceptionResponse(response,
081            HttpServletResponse.SC_FORBIDDEN, ex);
082        // stop filter chain if there is an Authorization Exception.
083        return;
084      }
085
086      final UserGroupInformation finalProxyUser = proxyUserInfo;
087      // Change the remote user after proxy user is authorized.
088      request = new HttpServletRequestWrapper(request) {
089        @Override
090        public String getRemoteUser() {
091          return finalProxyUser.getUserName();
092        }
093      };
094
095    }
096    filterChain.doFilter(request, response);
097  }
098
099  /**
100   * Get proxy user from query string.
101   * @param request the request object
102   * @return proxy user
103   */
104  public static String getDoAs(HttpServletRequest request) {
105    String queryString = request.getQueryString();
106    if (queryString == null) {
107      return null;
108    }
109    List<NameValuePair> list = URLEncodedUtils.parse(queryString, UTF8_CHARSET);
110    if (list != null) {
111      for (NameValuePair nv : list) {
112        if (DO_AS.equalsIgnoreCase(nv.getName())) {
113          return nv.getValue();
114        }
115      }
116    }
117    return null;
118  }
119}