View Javadoc

1   /**
2    * Licensed to the Apache Software Foundation (ASF) under one
3    * or more contributor license agreements.  See the NOTICE file
4    * distributed with this work for additional information
5    * regarding copyright ownership.  The ASF licenses this file
6    * to you under the Apache License, Version 2.0 (the
7    * "License"); you may not use this file except in compliance
8    * with the License.  You may obtain a copy of the License at
9    *
10   *   http://www.apache.org/licenses/LICENSE-2.0
11   *
12   * Unless required by applicable law or agreed to in writing, software
13   * distributed under the License is distributed on an "AS IS" BASIS,
14   * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
15   * See the License for the specific language governing permissions and
16   * limitations under the License.
17   */
18  
19  package org.apache.hadoop.hbase.rest;
20  
21  import java.io.IOException;
22  
23  import javax.servlet.ServletException;
24  import javax.servlet.http.HttpServletRequest;
25  import javax.servlet.http.HttpServletResponse;
26  
27  import org.apache.hadoop.hbase.classification.InterfaceAudience;
28  
29  import com.sun.jersey.spi.container.servlet.ServletContainer;
30  
31  import org.apache.hadoop.security.UserGroupInformation;
32  import org.apache.hadoop.security.authorize.AuthorizationException;
33  import org.apache.hadoop.security.authorize.ProxyUsers;
34  import org.apache.hadoop.conf.Configuration;
35  
36  /**
37   * REST servlet container. It is used to get the remote request user
38   * without going through @HttpContext, so that we can minimize code changes.
39   */
40  @InterfaceAudience.Private
41  public class RESTServletContainer extends ServletContainer {
42    private static final long serialVersionUID = -2474255003443394314L;
43  
44    /**
45     * This container is used only if authentication and
46     * impersonation is enabled. The remote request user is used
47     * as a proxy user for impersonation in invoking any REST service.
48     */
49    @Override
50    public void service(final HttpServletRequest request,
51        final HttpServletResponse response) throws ServletException, IOException {
52      final String doAsUserFromQuery = request.getParameter("doAs");
53      RESTServlet servlet = RESTServlet.getInstance();
54      if (doAsUserFromQuery != null) {
55        Configuration conf = servlet.getConfiguration();
56        if (!servlet.supportsProxyuser()) {
57          throw new ServletException("Support for proxyuser is not configured");
58        }
59        // Authenticated remote user is attempting to do 'doAs' proxy user.
60        UserGroupInformation ugi = UserGroupInformation.createRemoteUser(request.getRemoteUser());
61        // create and attempt to authorize a proxy user (the client is attempting
62        // to do proxy user)
63        ugi = UserGroupInformation.createProxyUser(doAsUserFromQuery, ugi);
64        // validate the proxy user authorization
65        try {
66          ProxyUsers.authorize(ugi, request.getRemoteAddr(), conf);
67        } catch(AuthorizationException e) {
68          throw new ServletException(e.getMessage());
69        }
70        servlet.setEffectiveUser(doAsUserFromQuery);
71      } else {
72        String effectiveUser = request.getRemoteUser();
73        servlet.setEffectiveUser(effectiveUser);
74      }
75      super.service(request, response);
76    }
77  }