
Example 1 with ImpersonatedPrincipal

use of org.apache.knox.gateway.security.ImpersonatedPrincipal in project knox by apache.

the class AbstractIdentityAssertionFilter method continueChainAsPrincipal.

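/**
 * Re-establishes the current {@link Subject} as {@code mappedPrincipalName} and
 * continues the filter chain under that identity.
 *
 * <p>The current Subject's {@code PrimaryPrincipal} is always carried over. When
 * the mapped name differs from the primary principal's name, an
 * {@link ImpersonatedPrincipal} for the mapped name is added, the proxy user is
 * recorded on the audit context and an {@code IDENTITY_MAPPING} audit event is
 * emitted before the chain runs as the new identity. Existing
 * {@code GroupPrincipal}s are copied into the new Subject, and the groups mapped
 * for the principal and for the {@code "*"} wildcard are added through
 * {@code addMappedGroupsToSubject}. If neither impersonation nor group mapping is
 * needed, the chain simply continues under the unchanged current Subject.
 *
 * @param request the current request; only consulted to recover a principal
 *     name from the container when the current Subject carries no
 *     {@code PrimaryPrincipal}
 * @param response the current response, passed through unchanged
 * @param chain the remaining filter chain
 * @param mappedPrincipalName the effective principal name to assert downstream
 * @throws ServletException if no Subject is bound to the current access-control
 *     context, or no principal name can be determined at all; the chain is not
 *     continued in either case
 * @throws IOException propagated from the downstream chain
 */
protected void continueChainAsPrincipal(final ServletRequest request, final ServletResponse response, final FilterChain chain, String mappedPrincipalName) throws IOException, ServletException {
    // Identity assertion runs after authentication/federation, which is expected
    // to have bound a Subject to the current access-control context. Fail closed
    // with a clear message instead of dereferencing null.
    Subject currentSubject = Subject.getSubject(AccessController.getContext());
    if (currentSubject == null) {
        throw new ServletException("No Subject is bound to the current request; identity assertion cannot continue");
    }
    Set<GroupPrincipal> currentGroups = currentSubject.getPrincipals(GroupPrincipal.class);

    // Pick the first PrimaryPrincipal, if any. Indexing toArray()[0] on an empty
    // set throws ArrayIndexOutOfBoundsException and never reaches the fallback
    // below, so the null branch was unreachable.
    Principal primaryPrincipal = null;
    for (PrimaryPrincipal candidate : currentSubject.getPrincipals(PrimaryPrincipal.class)) {
        primaryPrincipal = candidate;
        break;
    }

    boolean impersonationNeeded = false;
    if (primaryPrincipal != null) {
        if (!primaryPrincipal.getName().equals(mappedPrincipalName)) {
            // The asserted identity differs from the authenticated one: record the
            // proxy user and audit the mapping before acting as it.
            impersonationNeeded = true;
            auditService.getContext().setProxyUsername(mappedPrincipalName);
            auditor.audit(Action.IDENTITY_MAPPING, primaryPrincipal.getName(), ResourceType.PRINCIPAL, ActionOutcome.SUCCESS);
        }
    } else {
        // Something is amiss - authentication/federation providers should have
        // added a PrimaryPrincipal to the current Subject. Fall back to the
        // container's user principal, and refuse to continue if there is none.
        // TODO: log as appropriate
        // NOTE(review): on this path the mapped name is not compared against the
        // recovered name, so no ImpersonatedPrincipal is added and no audit event
        // is emitted even if they differ - kept as in the original; confirm intent.
        Principal containerPrincipal = ((HttpServletRequest) request).getUserPrincipal();
        if (containerPrincipal == null) {
            throw new ServletException("No principal is available on the current request; identity assertion cannot continue");
        }
        primaryPrincipal = new PrimaryPrincipal(containerPrincipal.getName());
    }

    boolean groupsMapped = areGroupsMappedForPrincipal(mappedPrincipalName) || !currentGroups.isEmpty();
    if (impersonationNeeded || groupsMapped) {
        // A new Subject is needed so the downstream chain runs under the
        // asserted identity and group set.
        Subject subject = new Subject();
        Set<Principal> principals = subject.getPrincipals();
        principals.add(primaryPrincipal);
        // carry existing group principals over into the new Subject
        principals.addAll(currentGroups);
        if (impersonationNeeded) {
            principals.add(new ImpersonatedPrincipal(mappedPrincipalName));
        }
        if (groupsMapped) {
            addMappedGroupsToSubject(mappedPrincipalName, subject);
            addMappedGroupsToSubject("*", subject);
        }
        doAs(request, response, chain, subject);
    } else {
        doFilterInternal(request, response, chain);
    }
}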

Example 2 with ImpersonatedPrincipal

use of org.apache.knox.gateway.security.ImpersonatedPrincipal in project knox by apache.

the class AbstractIdentityAssertionFilter method continueChainAsPrincipal.

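/**
 * Re-establishes the current {@link Subject} as {@code mappedPrincipalName},
 * optionally with an explicit set of mapped groups, and continues the filter
 * chain under that identity.
 *
 * <p>The current Subject's {@code PrimaryPrincipal} is always carried over. When
 * the mapped name differs from the primary principal's name, an
 * {@link ImpersonatedPrincipal} for the mapped name is added, the proxy user is
 * recorded on the audit context and an {@code IDENTITY_MAPPING} audit event
 * naming the effective user is emitted before the chain runs as the new
 * identity. Existing {@code GroupPrincipal}s are copied into the new Subject and,
 * when {@code groups} is non-null or the current Subject already has groups,
 * {@code addMappedGroupsToSubject} is invoked with the supplied groups. If
 * neither impersonation nor group mapping is needed, the chain continues under
 * the unchanged current Subject.
 *
 * @param request the current request; only consulted to recover a principal
 *     name from the container when the current Subject carries no
 *     {@code PrimaryPrincipal}
 * @param response the current response, passed through unchanged
 * @param chain the remaining filter chain
 * @param mappedPrincipalName the effective principal name to assert downstream
 * @param groups the groups mapped for the principal, or {@code null} if none
 * @throws ServletException if no Subject is bound to the current access-control
 *     context, or no principal name can be determined at all; the chain is not
 *     continued in either case
 * @throws IOException propagated from the downstream chain
 */
protected void continueChainAsPrincipal(HttpServletRequestWrapper request, ServletResponse response, FilterChain chain, String mappedPrincipalName, String[] groups) throws IOException, ServletException {
    // Identity assertion runs after authentication/federation, which is expected
    // to have bound a Subject to the current access-control context. Fail closed
    // with a clear message instead of dereferencing null.
    Subject currentSubject = Subject.getSubject(AccessController.getContext());
    if (currentSubject == null) {
        throw new ServletException("No Subject is bound to the current request; identity assertion cannot continue");
    }
    Set<GroupPrincipal> currentGroups = currentSubject.getPrincipals(GroupPrincipal.class);

    // Pick the first PrimaryPrincipal, if any. Indexing toArray()[0] on an empty
    // set throws ArrayIndexOutOfBoundsException and never reaches the fallback
    // below, so the null branch was unreachable.
    Principal primaryPrincipal = null;
    for (PrimaryPrincipal candidate : currentSubject.getPrincipals(PrimaryPrincipal.class)) {
        primaryPrincipal = candidate;
        break;
    }

    boolean impersonationNeeded = false;
    if (primaryPrincipal != null) {
        if (!primaryPrincipal.getName().equals(mappedPrincipalName)) {
            // The asserted identity differs from the authenticated one: record the
            // proxy user and audit the mapping before acting as it.
            impersonationNeeded = true;
            auditService.getContext().setProxyUsername(mappedPrincipalName);
            auditor.audit(Action.IDENTITY_MAPPING, primaryPrincipal.getName(), ResourceType.PRINCIPAL, ActionOutcome.SUCCESS, RES.effectiveUser(mappedPrincipalName));
        }
    } else {
        // Something is amiss - authentication/federation providers should have
        // added a PrimaryPrincipal to the current Subject. Fall back to the
        // container's user principal, and refuse to continue if there is none.
        // TODO: log as appropriate
        // NOTE(review): on this path the mapped name is not compared against the
        // recovered name, so no ImpersonatedPrincipal is added and no audit event
        // is emitted even if they differ - kept as in the original; confirm intent.
        Principal containerPrincipal = ((HttpServletRequest) request).getUserPrincipal();
        if (containerPrincipal == null) {
            throw new ServletException("No principal is available on the current request; identity assertion cannot continue");
        }
        primaryPrincipal = new PrimaryPrincipal(containerPrincipal.getName());
    }

    boolean groupsMapped = groups != null || !currentGroups.isEmpty();
    if (impersonationNeeded || groupsMapped) {
        // A new Subject is needed so the downstream chain runs under the
        // asserted identity and group set.
        Subject subject = new Subject();
        Set<Principal> principals = subject.getPrincipals();
        principals.add(primaryPrincipal);
        // carry existing group principals over into the new Subject
        principals.addAll(currentGroups);
        if (impersonationNeeded) {
            principals.add(new ImpersonatedPrincipal(mappedPrincipalName));
        }
        if (groupsMapped) {
            addMappedGroupsToSubject(mappedPrincipalName, groups, subject);
        }
        doAs(request, response, chain, subject);
    } else {
        doFilterInternal(request, response, chain);
    }
}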
