hbase-rest/src/main/java/org/apache/hadoop/hbase/rest/RESTServletContainer.java

   1 /**
   2  * Licensed to the Apache Software Foundation (ASF) under one
   3  * or more contributor license agreements.  See the NOTICE file
   4  * distributed with this work for additional information
   5  * regarding copyright ownership.  The ASF licenses this file
   6  * to you under the Apache License, Version 2.0 (the
   7  * "License"); you may not use this file except in compliance
   8  * with the License.  You may obtain a copy of the License at
   9  *
  10  *   http://www.apache.org/licenses/LICENSE-2.0
  11  *
  12  * Unless required by applicable law or agreed to in writing, software
  13  * distributed under the License is distributed on an "AS IS" BASIS,
  14  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  15  * See the License for the specific language governing permissions and
  16  * limitations under the License.
  17  */
  18
  19 package org.apache.hadoop.hbase.rest;
  20
  21 import java.io.IOException;
  22 import javax.servlet.ServletException;
  23 import javax.servlet.http.HttpServletRequest;
  24 import javax.servlet.http.HttpServletResponse;
  25
  26 import org.apache.hadoop.conf.Configuration;
  27 import org.apache.hadoop.security.UserGroupInformation;
  28 import org.apache.hadoop.security.authorize.AuthorizationException;
  29 import org.apache.hadoop.security.authorize.ProxyUsers;
  30 import org.apache.yetus.audience.InterfaceAudience;
  31
  32 import org.apache.hbase.thirdparty.org.glassfish.jersey.server.ResourceConfig;
  33 import org.apache.hbase.thirdparty.org.glassfish.jersey.servlet.ServletContainer;
  34 import static org.apache.hadoop.hbase.http.ProxyUserAuthenticationFilter.toLowerCase;
  35
  36 /**
  37  * REST servlet container. It is used to get the remote request user
  38  * without going through @HttpContext, so that we can minimize code changes.
  39  */
  40 @InterfaceAudience.Private
  41 public class RESTServletContainer extends ServletContainer {
  42   private static final long serialVersionUID = -2474255003443394314L;
  43
  44   public RESTServletContainer(ResourceConfig config) {
  45     super(config);
  46   }
  47
  48   /**
  49    * This container is used only if authentication and
  50    * impersonation is enabled. The remote request user is used
  51    * as a proxy user for impersonation in invoking any REST service.
  52    */
  53   @Override
  54   public void service(final HttpServletRequest request,
  55       final HttpServletResponse response) throws ServletException, IOException {
  56     final HttpServletRequest lowerCaseRequest = toLowerCase(request);
  57     final String doAsUserFromQuery = lowerCaseRequest.getParameter("doas");
  58     RESTServlet servlet = RESTServlet.getInstance();
  59     if (doAsUserFromQuery != null) {
  60       Configuration conf = servlet.getConfiguration();
  61       if (!servlet.supportsProxyuser()) {
  62         throw new ServletException("Support for proxyuser is not configured");
  63       }
  64       // Authenticated remote user is attempting to do 'doAs' proxy user.
  65       UserGroupInformation ugi = UserGroupInformation.createRemoteUser(request.getRemoteUser());
  66       // create and attempt to authorize a proxy user (the client is attempting
  67       // to do proxy user)
  68       ugi = UserGroupInformation.createProxyUser(doAsUserFromQuery, ugi);
  69       // validate the proxy user authorization
  70       try {
  71         ProxyUsers.authorize(ugi, request.getRemoteAddr(), conf);
  72       } catch(AuthorizationException e) {
  73         throw new ServletException(e.getMessage());
  74       }
  75       servlet.setEffectiveUser(doAsUserFromQuery);
  76     } else {
  77       String effectiveUser = request.getRemoteUser();
  78       servlet.setEffectiveUser(effectiveUser);
  79     }
  80     super.service(request, response);
  81   }
  82 }