diff --git a/ranger-authn/src/main/java/org/apache/ranger/authz/handler/jwt/RangerDefaultJwtAuthHandler.java b/ranger-authn/src/main/java/org/apache/ranger/authz/handler/jwt/RangerDefaultJwtAuthHandler.java
index c0d5b8d9a2..85339fb160 100644
--- a/ranger-authn/src/main/java/org/apache/ranger/authz/handler/jwt/RangerDefaultJwtAuthHandler.java
+++ b/ranger-authn/src/main/java/org/apache/ranger/authz/handler/jwt/RangerDefaultJwtAuthHandler.java
@@ -40,6 +40,7 @@ public class RangerDefaultJwtAuthHandler extends RangerJwtAuthHandler {
 protected static final String AUTHORIZATION_HEADER = "Authorization";
+ protected static final String DO_AS_PARAMETER = "doAs";
 @Override
 public ConfigurableJWTProcessor getJwtProcessor(JWSKeySelector keySelector) {
@@ -57,8 +58,9 @@ public RangerAuth authenticate(HttpServletRequest httpServletRequest) {
 RangerAuth rangerAuth = null;
 String jwtAuthHeaderStr = getJwtAuthHeader(httpServletRequest);
 String jwtCookieStr = StringUtils.isBlank(jwtAuthHeaderStr) ? getJwtCookie(httpServletRequest) : null;
+ String doAsUser = httpServletRequest.getParameter(DO_AS_PARAMETER);
- AuthenticationToken authenticationToken = authenticate(jwtAuthHeaderStr, jwtCookieStr);
+ AuthenticationToken authenticationToken = authenticate(jwtAuthHeaderStr, jwtCookieStr, doAsUser);
 if (authenticationToken != null) {
 rangerAuth = new RangerAuth(authenticationToken, RangerAuth.AUTH_TYPE.JWT_JWKS);
diff --git a/ranger-authn/src/main/java/org/apache/ranger/authz/handler/jwt/RangerJwtAuthHandler.java b/ranger-authn/src/main/java/org/apache/ranger/authz/handler/jwt/RangerJwtAuthHandler.java
index 0973b42de4..17063cedfb 100644
--- a/ranger-authn/src/main/java/org/apache/ranger/authz/handler/jwt/RangerJwtAuthHandler.java
+++ b/ranger-authn/src/main/java/org/apache/ranger/authz/handler/jwt/RangerJwtAuthHandler.java
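Review bot: The `doAs` value read on the added line `String doAsUser = httpServletRequest.getParameter(DO_AS_PARAMETER);` is passed straight into `authenticate(jwtAuthHeaderStr, jwtCookieStr, doAsUser)` with no check that the JWT subject is permitted to act for that user, and the `RangerJwtAuthHandler.authenticate()` hunk in the second file (@@ -115) then makes the non-blank value the principal of the issued AuthenticationToken. Unless a proxy-user check exists somewhere this diff does not show, this lets any holder of a valid token pick the identity the request is authorized as, so the override should be gated on the authenticated subject — for example only honour `doAsUser` when the JWT subject passes a configurable trusted-proxy allow-list check, and otherwise reject the request (or ignore the parameter) rather than silently impersonate. Because the token is built as `new AuthenticationToken(userName, userName, TYPE)` with only the substituted name, the real JWT subject is lost to anything downstream except the new debug log, which weakens audit trails; consider carrying the original subject as well. The enclosing `authenticate(HttpServletRequest)` method continues outside the hunk.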
@@ -101,7 +101,7 @@ public void initialize(final Properties config) throws Exception {
 }
 }
- protected AuthenticationToken authenticate(final String jwtAuthHeader, final String jwtCookie) {
+ protected AuthenticationToken authenticate(final String jwtAuthHeader, final String jwtCookie, final String doAsUser) {
 if (LOG.isDebugEnabled()) {
 LOG.debug("===>>> RangerJwtAuthHandler.authenticate()");
 }
@@ -115,17 +115,27 @@ protected AuthenticationToken authenticate(final String jwtAuthHeader, final Str
 final SignedJWT jwtToken = SignedJWT.parse(serializedJWT);
 boolean valid = validateToken(jwtToken);
 if (valid) {
- final String userName = jwtToken.getJWTClaimsSet().getSubject();
- LOG.info("Issuing AuthenticationToken for user: [{}]", userName);
+ String userName;
+
+ if (StringUtils.isNotBlank(doAsUser)) {
+ userName = doAsUser.trim();
+ } else {
+ userName = jwtToken.getJWTClaimsSet().getSubject();
+ }
+
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("RangerJwtAuthHandler.authenticate(): Issuing AuthenticationToken for user: [{}]", userName);
+ LOG.debug("RangerJwtAuthHandler.authenticate(): Authentication successful for user [{}] and doAs user is [{}]", jwtToken.getJWTClaimsSet().getSubject(), doAsUser);
+ }
 token = new AuthenticationToken(userName, userName, TYPE);
 } else {
- LOG.warn("Validation failed for JWT token: [{}] ", jwtToken.serialize());
+ LOG.warn("RangerJwtAuthHandler.authenticate(): Validation failed for JWT token: [{}] ", jwtToken.serialize());
 }
 } catch (ParseException pe) {
- LOG.warn("Unable to parse the JWT token", pe);
+ LOG.warn("RangerJwtAuthHandler.authenticate(): Unable to parse the JWT token", pe);
 }
 } else {
- LOG.warn("JWT token not found.");
+ LOG.warn("RangerJwtAuthHandler.authenticate(): JWT token not found.");
 }
 }
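Review bot: The new `doAsUser` parameter on `protected AuthenticationToken authenticate(final String jwtAuthHeader, final String jwtCookie, final String doAsUser)` changes which identity the returned token carries, but the method has no Javadoc and nothing at the signature says so; a subclass overriding or calling it cannot tell that a non-blank value replaces the JWT subject. I would add a Javadoc on the method with a `@param doAsUser` entry stating that it is optional, that when non-blank its trimmed value becomes the token's user name instead of the JWT subject, and that the caller is responsible for having verified the subject may act as that user, plus a `@return` noting that `null` is returned when no token is present or validation fails. Only the signature and the first debug line are in this hunk; the body that applies the override is in the next hunk, whose end lies outside this view.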