Details
-
Bug
-
Status: Closed
-
Critical
-
Resolution: Fixed
-
avatica-1.8.0
-
None
Description
When setting up the Jetty security Constraint class, Jetty treats Kerberos realms as "roles". When configuring allowed users to Jetty with some constraint, you have to set what roles (realms) are allowed.
Presently, Avatica just sets the realm of the server's principal as allowed, which means that in some multi-realm KDC (or cross-domain MIT KRB+Active Directory) setup, users from the other realm which should be allowed are denied.
Even better, Jetty's syntax for * for allowing any role (realm) doesn't actually work. Their logic in 9.2.15 for ConstraintSecurityHandler appears broken:
//handle * role constraint if (roleInfo.isAnyRole() && request.getUserPrincipal() != null && isUserInRole) { return true; }
The above check should let users through with any role when isAnyRole() returns true, but the final isUserInRole check requires that the role is explicitly listed in the list of allowedRoles.
As such, we're going to need to expose an API which allows users to set a list of allowed realms since Jetty is busted to make Kerberos authentication actually work correctly.
Thanks to kliew for bringing this one to my attention.
Attachments
Issue Links
- relates to
-
PHOENIX-3004 Allow users to configure allowed Kerberos realms for PQS
- Resolved