Repository: accumulo
Updated Branches:
  refs/heads/master bbf5b7c3e -> 0228da0a7


ACCUMULO-3695 Fix incorrect system credentials assertion.

System credentials could only be authenticated from the same node
which didn't really work too well on a distributed system.


Project: http://git-wip-us.apache.org/repos/asf/accumulo/repo
Commit: http://git-wip-us.apache.org/repos/asf/accumulo/commit/0228da0a
Tree: http://git-wip-us.apache.org/repos/asf/accumulo/tree/0228da0a
Diff: http://git-wip-us.apache.org/repos/asf/accumulo/diff/0228da0a

Branch: refs/heads/master
Commit: 0228da0a765c322ff04636d305ccc38b876152c0
Parents: bbf5b7c
Author: Josh Elser <els...@apache.org>
Authored: Tue Mar 24 21:48:14 2015 -0400
Committer: Josh Elser <els...@apache.org>
Committed: Tue Mar 24 21:48:14 2015 -0400

----------------------------------------------------------------------
 .../accumulo/server/security/SecurityOperation.java  | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/accumulo/blob/0228da0a/server/base/src/main/java/org/apache/accumulo/server/security/SecurityOperation.java
----------------------------------------------------------------------
diff --git 
a/server/base/src/main/java/org/apache/accumulo/server/security/SecurityOperation.java
 
b/server/base/src/main/java/org/apache/accumulo/server/security/SecurityOperation.java
index ba6a1fb..19f2219 100644
--- 
a/server/base/src/main/java/org/apache/accumulo/server/security/SecurityOperation.java
+++ 
b/server/base/src/main/java/org/apache/accumulo/server/security/SecurityOperation.java
@@ -165,9 +165,18 @@ public class SecurityOperation {
     Credentials creds = Credentials.fromThrift(credentials);
 
     if (isSystemUser(credentials)) {
-      if (!(context.getCredentials().equals(creds))) {
-        log.debug("Provided credentials did not match server's expected 
credentials. Expected " + context.getCredentials() + " but got " + creds);
-        throw new ThriftSecurityException(creds.getPrincipal(), 
SecurityErrorCode.BAD_CREDENTIALS);
+      if (isKerberos) {
+        // Don't need to re-check the principal as 
TCredentialsUpdatingInvocationHandler will check the provided against
+        // the credentials provided on the wire.
+        if (!context.getCredentials().getToken().equals(creds.getToken())) {
+          log.debug("With SASL enabled, System AuthenticationTokens did not 
match.");
+          throw new ThriftSecurityException(creds.getPrincipal(), 
SecurityErrorCode.BAD_CREDENTIALS);
+        }
+      } else {
+        if (!(context.getCredentials().equals(creds))) {
+          log.debug("Provided credentials did not match server's expected 
credentials. Expected " + context.getCredentials() + " but got " + creds);
+          throw new ThriftSecurityException(creds.getPrincipal(), 
SecurityErrorCode.BAD_CREDENTIALS);
+        }
       }
     } else {
       // Not the system user
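Review bot: The Kerberos branch accepts a system user on token equality alone and leaves the principal check to `TCredentialsUpdatingInvocationHandler`, so it is only sound when every caller arrives through that handler. The comment should state this as a precondition, e.g. `// Principal is not re-checked here: callers must come through TCredentialsUpdatingInvocationHandler, which checks it against the credentials provided on the wire.` The new debug message also omits the principal, which makes a failed system-credential attempt hard to attribute; `log.debug("With SASL enabled, System AuthenticationTokens did not match for principal " + creds.getPrincipal());` names the presenter without logging the token. The non-Kerberos branch still concatenates both `Credentials` objects into its message, so it is worth confirming that their `toString()` does not render token material. Whether the token's `equals` is constant-time cannot be seen here; it, `isKerberos` and the rest of the enclosing method lie outside this hunk.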
