HBASE-20664 Reduce the broad scope of outToken in ThriftHttpServlet

Signed-off-by: Andrew Purtell <apurtell@apache.org>
apache · May 31, 2018 · bf25c1c · bf25c1c
1 parent 0b239bd
commit bf25c1c
Showing 1 changed file with 18 additions and 6 deletions.
diff --git a/hbase-thrift/src/main/java/org/apache/hadoop/hbase/thrift/ThriftHttpServlet.java b/hbase-thrift/src/main/java/org/apache/hadoop/hbase/thrift/ThriftHttpServlet.java
@@ -57,7 +57,6 @@ public class ThriftHttpServlet extends TServlet {
   private final boolean securityEnabled;
   private final boolean doAsEnabled;
   private transient ThriftServerRunner.HBaseHandler hbaseHandler;
-  private String outToken;
 
   // HTTP Header related constants.
   public static final String WWW_AUTHENTICATE = "WWW-Authenticate";
@@ -83,10 +82,11 @@ protected void doPost(HttpServletRequest request, HttpServletResponse response)
       try {
         // As Thrift HTTP transport doesn't support SPNEGO yet (THRIFT-889),
         // Kerberos authentication is being done at servlet level.
-        effectiveUser = doKerberosAuth(request);
+        final RemoteUserIdentity identity = doKerberosAuth(request);
+        effectiveUser = identity.principal;
         // It is standard for client applications expect this header.
         // Please see http://tools.ietf.org/html/rfc4559 for more details.
-        response.addHeader(WWW_AUTHENTICATE,  NEGOTIATE + " " + outToken);
+        response.addHeader(WWW_AUTHENTICATE,  NEGOTIATE + " " + identity.outToken);
       } catch (HttpAuthenticationException e) {
         LOG.error("Kerberos Authentication failed", e);
         // Send a 401 to the client
@@ -127,19 +127,31 @@ protected void doPost(HttpServletRequest request, HttpServletResponse response)
    * We already have a logged in subject in the form of serviceUGI,
    * which GSS-API will extract information from.
    */
-  private String doKerberosAuth(HttpServletRequest request)
+  private RemoteUserIdentity doKerberosAuth(HttpServletRequest request)
       throws HttpAuthenticationException {
     HttpKerberosServerAction action = new HttpKerberosServerAction(request, realUser);
     try {
       String principal = realUser.doAs(action);
-      outToken = action.outToken;
-      return principal;
+      return new RemoteUserIdentity(principal, action.outToken);
     } catch (Exception e) {
       LOG.error("Failed to perform authentication");
       throw new HttpAuthenticationException(e);
     }
   }
 
+  /**
+   * Basic "struct" class to hold the final base64-encoded, authenticated GSSAPI token
+   * for the user with the given principal talking to the Thrift server.
+   */
+  private static class RemoteUserIdentity {
+    final String outToken;
+    final String principal;
+
+    RemoteUserIdentity(String principal, String outToken) {
+      this.principal = principal;
+      this.outToken = outToken;
+    }
+  }
 
   private static class HttpKerberosServerAction implements PrivilegedExceptionAction<String> {
     HttpServletRequest request;