001/**
002 * Licensed to the Apache Software Foundation (ASF) under one
003 * or more contributor license agreements.  See the NOTICE file
004 * distributed with this work for additional information
005 * regarding copyright ownership.  The ASF licenses this file
006 * to you under the Apache License, Version 2.0 (the
007 * "License"); you may not use this file except in compliance
008 * with the License.  You may obtain a copy of the License at
009 *
010 *   http://www.apache.org/licenses/LICENSE-2.0
011 *
012 * Unless required by applicable law or agreed to in writing, software
013 * distributed under the License is distributed on an "AS IS" BASIS,
014 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
015 * See the License for the specific language governing permissions and
016 * limitations under the License.
017 */
018
019package org.apache.hadoop.hbase.rest;
020
021import java.io.IOException;
022
023import javax.servlet.ServletException;
024import javax.servlet.http.HttpServletRequest;
025import javax.servlet.http.HttpServletResponse;
026
027import org.apache.hadoop.conf.Configuration;
028import org.apache.hadoop.security.UserGroupInformation;
029import org.apache.hadoop.security.authorize.AuthorizationException;
030import org.apache.hadoop.security.authorize.ProxyUsers;
031import org.apache.yetus.audience.InterfaceAudience;
032import org.glassfish.jersey.server.ResourceConfig;
033import org.glassfish.jersey.servlet.ServletContainer;
034
035/**
036 * REST servlet container. It is used to get the remote request user
037 * without going through @HttpContext, so that we can minimize code changes.
038 */
039@InterfaceAudience.Private
040public class RESTServletContainer extends ServletContainer {
041  private static final long serialVersionUID = -2474255003443394314L;
042
043  public RESTServletContainer(ResourceConfig config) {
044    super(config);
045  }
046
047  /**
048   * This container is used only if authentication and
049   * impersonation is enabled. The remote request user is used
050   * as a proxy user for impersonation in invoking any REST service.
051   */
052  @Override
053  public void service(final HttpServletRequest request,
054      final HttpServletResponse response) throws ServletException, IOException {
055    final String doAsUserFromQuery = request.getParameter("doAs");
056    RESTServlet servlet = RESTServlet.getInstance();
057    if (doAsUserFromQuery != null) {
058      Configuration conf = servlet.getConfiguration();
059      if (!servlet.supportsProxyuser()) {
060        throw new ServletException("Support for proxyuser is not configured");
061      }
062      // Authenticated remote user is attempting to do 'doAs' proxy user.
063      UserGroupInformation ugi = UserGroupInformation.createRemoteUser(request.getRemoteUser());
064      // create and attempt to authorize a proxy user (the client is attempting
065      // to do proxy user)
066      ugi = UserGroupInformation.createProxyUser(doAsUserFromQuery, ugi);
067      // validate the proxy user authorization
068      try {
069        ProxyUsers.authorize(ugi, request.getRemoteAddr(), conf);
070      } catch(AuthorizationException e) {
071        throw new ServletException(e.getMessage());
072      }
073      servlet.setEffectiveUser(doAsUserFromQuery);
074    } else {
075      String effectiveUser = request.getRemoteUser();
076      servlet.setEffectiveUser(effectiveUser);
077    }
078    super.service(request, response);
079  }
080}