001/*
002 * Licensed to the Apache Software Foundation (ASF) under one
003 * or more contributor license agreements.  See the NOTICE file
004 * distributed with this work for additional information
005 * regarding copyright ownership.  The ASF licenses this file
006 * to you under the Apache License, Version 2.0 (the
007 * "License"); you may not use this file except in compliance
008 * with the License.  You may obtain a copy of the License at
009 *
010 *     http://www.apache.org/licenses/LICENSE-2.0
011 *
012 * Unless required by applicable law or agreed to in writing, software
013 * distributed under the License is distributed on an "AS IS" BASIS,
014 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
015 * See the License for the specific language governing permissions and
016 * limitations under the License.
017 */
018package org.apache.hadoop.hbase.rest;
019
020import static org.apache.hadoop.hbase.http.ProxyUserAuthenticationFilter.toLowerCase;
021
022import java.io.IOException;
023import javax.servlet.ServletException;
024import javax.servlet.http.HttpServletRequest;
025import javax.servlet.http.HttpServletResponse;
026import org.apache.hadoop.conf.Configuration;
027import org.apache.hadoop.security.UserGroupInformation;
028import org.apache.hadoop.security.authorize.AuthorizationException;
029import org.apache.hadoop.security.authorize.ProxyUsers;
030import org.apache.yetus.audience.InterfaceAudience;
031
032import org.apache.hbase.thirdparty.org.glassfish.jersey.server.ResourceConfig;
033import org.apache.hbase.thirdparty.org.glassfish.jersey.servlet.ServletContainer;
034
035/**
036 * REST servlet container. It is used to get the remote request user without going
037 * through @HttpContext, so that we can minimize code changes.
038 */
039@InterfaceAudience.Private
040public class RESTServletContainer extends ServletContainer {
041  private static final long serialVersionUID = -2474255003443394314L;
042
043  public RESTServletContainer(ResourceConfig config) {
044    super(config);
045  }
046
047  /**
048   * This container is used only if authentication and impersonation is enabled. The remote request
049   * user is used as a proxy user for impersonation in invoking any REST service.
050   */
051  @Override
052  public void service(final HttpServletRequest request, final HttpServletResponse response)
053    throws ServletException, IOException {
054    final HttpServletRequest lowerCaseRequest = toLowerCase(request);
055    final String doAsUserFromQuery = lowerCaseRequest.getParameter("doas");
056    RESTServlet servlet = RESTServlet.getInstance();
057    if (doAsUserFromQuery != null) {
058      Configuration conf = servlet.getConfiguration();
059      if (!servlet.supportsProxyuser()) {
060        throw new ServletException("Support for proxyuser is not configured");
061      }
062      // Authenticated remote user is attempting to do 'doAs' proxy user.
063      UserGroupInformation ugi = UserGroupInformation.createRemoteUser(request.getRemoteUser());
064      // create and attempt to authorize a proxy user (the client is attempting
065      // to do proxy user)
066      ugi = UserGroupInformation.createProxyUser(doAsUserFromQuery, ugi);
067      // validate the proxy user authorization
068      try {
069        ProxyUsers.authorize(ugi, request.getRemoteAddr(), conf);
070      } catch (AuthorizationException e) {
071        throw new ServletException(e.getMessage());
072      }
073      servlet.setEffectiveUser(doAsUserFromQuery);
074    } else {
075      String effectiveUser = request.getRemoteUser();
076      servlet.setEffectiveUser(effectiveUser);
077    }
078    super.service(request, response);
079  }
080}