View Javadoc

1   /**
2    * Licensed to the Apache Software Foundation (ASF) under one
3    * or more contributor license agreements.  See the NOTICE file
4    * distributed with this work for additional information
5    * regarding copyright ownership.  The ASF licenses this file
6    * to you under the Apache License, Version 2.0 (the
7    * "License"); you may not use this file except in compliance
8    * with the License.  You may obtain a copy of the License at
9    *
10   *   http://www.apache.org/licenses/LICENSE-2.0
11   *
12   * Unless required by applicable law or agreed to in writing, software
13   * distributed under the License is distributed on an "AS IS" BASIS,
14   * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
15   * See the License for the specific language governing permissions and
16   * limitations under the License.
17   */
18  
19  package org.apache.hadoop.hbase.rest;
20  
21  import java.io.IOException;
22  
23  import javax.servlet.ServletException;
24  import javax.servlet.http.HttpServletRequest;
25  import javax.servlet.http.HttpServletResponse;
26  
27  import org.apache.hadoop.classification.InterfaceAudience;
28  
29  import com.sun.jersey.spi.container.servlet.ServletContainer;
30  
31  import org.apache.hadoop.security.UserGroupInformation;
32  import org.apache.hadoop.security.authorize.AuthorizationException;
33  import org.apache.hadoop.security.authorize.ProxyUsers;
34  import org.apache.hadoop.conf.Configuration;
35  
36  /**
37   * REST servlet container. It is used to get the remote request user
38   * without going through @HttpContext, so that we can minimize code changes.
39   */
40  @InterfaceAudience.Private
41  public class RESTServletContainer extends ServletContainer {
42    private static final long serialVersionUID = -2474255003443394314L;
43  
44    /**
45     * This container is used only if authentication and
46     * impersonation is enabled. The remote request user is used
47     * as a proxy user for impersonation in invoking any REST service.
48     */
49    @Override
50    public void service(final HttpServletRequest request,
51        final HttpServletResponse response) throws ServletException, IOException {
52      final String doAsUserFromQuery = request.getParameter("doAs");
53      Configuration conf = RESTServlet.getInstance().getConfiguration();
54      final boolean proxyConfigured = conf.getBoolean("hbase.rest.support.proxyuser", false);
55      if (doAsUserFromQuery != null && !proxyConfigured) {
56        throw new ServletException("Support for proxyuser is not configured");
57      }
58      UserGroupInformation ugi = RESTServlet.getInstance().getRealUser();
59      if (doAsUserFromQuery != null) {
60        // create and attempt to authorize a proxy user (the client is attempting
61        // to do proxy user)
62        ugi = UserGroupInformation.createProxyUser(doAsUserFromQuery, ugi);    
63        // validate the proxy user authorization
64        try {
65          ProxyUsers.authorize(ugi, request.getRemoteAddr(), conf);
66        } catch(AuthorizationException e) {
67          throw new ServletException(e.getMessage());
68        }
69      } else {
70        // the REST server would send the request without validating the proxy
71        // user authorization
72        ugi = UserGroupInformation.createProxyUser(request.getRemoteUser(), ugi);
73      }
74      RESTServlet.getInstance().setEffectiveUser(ugi);
75      super.service(request, response);
76    }
77  }