Skip to content

fix: use short name from authToLocal rules as Kerberos authenticated identity#19429

Closed
JWuCines wants to merge 1 commit into
apache:masterfrom
JWuCines:druid-kerberos-get-username
Closed

fix: use short name from authToLocal rules as Kerberos authenticated identity#19429
JWuCines wants to merge 1 commit into
apache:masterfrom
JWuCines:druid-kerberos-get-username

Conversation

@JWuCines
Copy link
Copy Markdown
Contributor

@JWuCines JWuCines commented May 7, 2026

Description

The Kerberos authenticator was using token.getName() (the full Kerberos principal, e.g., user@EXAMPLE.COM) instead of token.getUserName() (the short name, e.g., user) when constructing the AuthenticationResult identity. This caused the authenticated identity to bypass authToLocal name mapping rules, resulting in users being unable to authenticate when authorizer rules reference short names.

Fixed the identity used in AuthenticationResult

Changed KerberosAuthenticator to use token.getUserName() instead of token.getName() when setting the AuthenticationResult identity. This is consistent with:

  • How getRemoteUser() already returns token.getUserName() in the same filter
  • How DruidKerberosAuthenticationHandler creates the token with new AuthenticationToken(userName, clientPrincipal, getType()) where userName is the result of KerberosName.getShortName() (i.e., the authToLocal-mapped name)
  • The purpose of the authToLocal configuration property, which exists to map Kerberos principals to local user names for authorization

Added unit tests

Added KerberosAuthenticatorFilterTest (4 tests) and DruidKerberosAuthenticationHandlerTokenTest (6 tests) to verify that:

  • AuthenticationToken.getUserName() returns the short name and getName() returns the full principal
  • AuthenticationResult identity uses the short name across simple principals, service principals, and custom authToLocal rules

Updated documentation

Added a "User identity and authToLocal rules" section to the Kerberos extension documentation explaining that the short name is used for authorization, with an upgrade note for users who may have authorizer rules referencing full Kerberos principals.

Release note

The Kerberos authenticator now correctly uses the short name derived from authToLocal rules as the authenticated user identity, instead of the full Kerberos principal. If you have authorizer rules that reference full Kerberos principals (e.g., user@EXAMPLE.COM), update them to use the short name (e.g., user) after upgrading.

Key changed/added classes in this PR
  • KerberosAuthenticator
  • KerberosAuthenticatorFilterTest
  • DruidKerberosAuthenticationHandlerTokenTest

This PR has:

  • been self-reviewed.
  • added documentation for new or modified features or behaviors.
  • a release note entry in the PR description.
  • added comments explaining the "why" and the intent of the code wherever would not be obvious for an unfamiliar reader.
  • added unit tests or modified existing tests to cover new code paths, ensuring the threshold for code coverage is met.

@JWuCines JWuCines closed this May 7, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

Area - Documentation

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@JWuCines