This is an automated email from the ASF dual-hosted git repository.
dineshkumar pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git
The following commit(s) were added to refs/heads/master by this push:
new 5bc3cb303 RANGER-4371: Ranger authn - add doAs support for JWT
authentication
5bc3cb303 is described below
commit 5bc3cb303e1100e25e7b45df1407b250e662bc77
Author: Kishor Gollapalliwar <[email protected]>
AuthorDate: Mon Aug 21 18:56:11 2023 +0530
RANGER-4371: Ranger authn - add doAs support for JWT authentication
Signed-off-by: Dineshkumar Yadav <[email protected]>
---
.../handler/jwt/RangerDefaultJwtAuthHandler.java | 4 +++-
.../authz/handler/jwt/RangerJwtAuthHandler.java | 22 ++++++++++++++++------
2 files changed, 19 insertions(+), 7 deletions(-)
diff --git
a/ranger-authn/src/main/java/org/apache/ranger/authz/handler/jwt/RangerDefaultJwtAuthHandler.java
b/ranger-authn/src/main/java/org/apache/ranger/authz/handler/jwt/RangerDefaultJwtAuthHandler.java
index c0d5b8d9a..85339fb16 100644
---
a/ranger-authn/src/main/java/org/apache/ranger/authz/handler/jwt/RangerDefaultJwtAuthHandler.java
+++
b/ranger-authn/src/main/java/org/apache/ranger/authz/handler/jwt/RangerDefaultJwtAuthHandler.java
@@ -40,6 +40,7 @@ import com.nimbusds.jwt.proc.JWTClaimsSetVerifier;
public class RangerDefaultJwtAuthHandler extends RangerJwtAuthHandler {
protected static final String AUTHORIZATION_HEADER = "Authorization";
+ protected static final String DO_AS_PARAMETER = "doAs";
@Override
public ConfigurableJWTProcessor<SecurityContext>
getJwtProcessor(JWSKeySelector<SecurityContext> keySelector) {
@@ -57,8 +58,9 @@ public class RangerDefaultJwtAuthHandler extends
RangerJwtAuthHandler {
RangerAuth rangerAuth = null;
String jwtAuthHeaderStr = getJwtAuthHeader(httpServletRequest);
String jwtCookieStr = StringUtils.isBlank(jwtAuthHeaderStr) ?
getJwtCookie(httpServletRequest) : null;
+ String doAsUser =
httpServletRequest.getParameter(DO_AS_PARAMETER);
- AuthenticationToken authenticationToken =
authenticate(jwtAuthHeaderStr, jwtCookieStr);
+ AuthenticationToken authenticationToken =
authenticate(jwtAuthHeaderStr, jwtCookieStr, doAsUser);
if (authenticationToken != null) {
rangerAuth = new RangerAuth(authenticationToken,
RangerAuth.AUTH_TYPE.JWT_JWKS);
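Review bot: `doAsUser` is taken straight from the request query string here and, in the RangerJwtAuthHandler hunk at `@@ -115,17 +115,27 @@`, replaces the verified JWT subject as the `AuthenticationToken` principal with no check that the token's subject is permitted to act as that user, so any holder of a valid JWT is authenticated under whatever name they supply in `doAs`. Impersonation is normally gated by a proxy-user ACL (which subjects may impersonate whom, and from where) or at least an explicit opt-in setting; neither hunk adds such a check, and `doAsUser` should be rejected, not honored, until one exists. The substitution is also only logged under `isDebugEnabled()`, although a principal override is an audit-relevant event; the second debug line belongs at `LOG.info` level, and it logs the untrimmed `doAsUser` while the token is built from `doAsUser.trim()`. The method enclosing this hunk begins above the hunk.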
diff --git
a/ranger-authn/src/main/java/org/apache/ranger/authz/handler/jwt/RangerJwtAuthHandler.java
b/ranger-authn/src/main/java/org/apache/ranger/authz/handler/jwt/RangerJwtAuthHandler.java
index 0973b42de..17063cedf 100644
---
a/ranger-authn/src/main/java/org/apache/ranger/authz/handler/jwt/RangerJwtAuthHandler.java
+++
b/ranger-authn/src/main/java/org/apache/ranger/authz/handler/jwt/RangerJwtAuthHandler.java
@@ -101,7 +101,7 @@ public abstract class RangerJwtAuthHandler implements
RangerAuthHandler {
}
}
- protected AuthenticationToken authenticate(final String jwtAuthHeader,
final String jwtCookie) {
+ protected AuthenticationToken authenticate(final String jwtAuthHeader,
final String jwtCookie, final String doAsUser) {
if (LOG.isDebugEnabled()) {
LOG.debug("===>>> RangerJwtAuthHandler.authenticate()");
}
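Review bot: The two-argument `authenticate(String, String)` is replaced rather than overloaded, so any subclass of this abstract class outside this repository that calls it stops compiling; keeping a delegating overload preserves the protected API: `protected AuthenticationToken authenticate(final String jwtAuthHeader, final String jwtCookie) { return authenticate(jwtAuthHeader, jwtCookie, null); }`. The new `doAsUser` parameter also has no Javadoc; the method should document that a non-blank value is used as the resulting principal instead of the JWT subject and what authorization the caller is expected to have performed. The method body continues past this hunk.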
@@ -115,17 +115,27 @@ public abstract class RangerJwtAuthHandler implements
RangerAuthHandler {
final SignedJWT jwtToken = SignedJWT.parse(serializedJWT);
boolean valid = validateToken(jwtToken);
if (valid) {
- final String userName =
jwtToken.getJWTClaimsSet().getSubject();
- LOG.info("Issuing AuthenticationToken for user: [{}]",
userName);
+ String userName;
+
+ if (StringUtils.isNotBlank(doAsUser)) {
+ userName = doAsUser.trim();
+ } else {
+ userName = jwtToken.getJWTClaimsSet().getSubject();
+ }
+
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("RangerJwtAuthHandler.authenticate():
Issuing AuthenticationToken for user: [{}]", userName);
+ LOG.debug("RangerJwtAuthHandler.authenticate():
Authentication successful for user [{}] and doAs user is [{}]",
jwtToken.getJWTClaimsSet().getSubject(), doAsUser);
+ }
token = new AuthenticationToken(userName, userName,
TYPE);
} else {
- LOG.warn("Validation failed for JWT token: [{}] ",
jwtToken.serialize());
+ LOG.warn("RangerJwtAuthHandler.authenticate():
Validation failed for JWT token: [{}] ", jwtToken.serialize());
}
} catch (ParseException pe) {
- LOG.warn("Unable to parse the JWT token", pe);
+ LOG.warn("RangerJwtAuthHandler.authenticate(): Unable to
parse the JWT token", pe);
}
} else {
- LOG.warn("JWT token not found.");
+ LOG.warn("RangerJwtAuthHandler.authenticate(): JWT token not
found.");
}
}