[KYUUBI #6619][FOLLOWUP] Do not log auth audit log for thrift http cookie auth

# 🔍 Description ## Issue References 🔗 Follow up for #6619, I found that, there are many duplicate auth audit logs for thrift http. We shall only log when make authentication with auth handler, and skip it for cookie auth. ## Describe Your Solution 🔧 Please include a summary of the change and which issue is fixed. Please also include relevant motivation and context. List any dependencies that are required for this change. ## Types of changes 🔖 - [ ] Bugfix (non-breaking change which fixes an issue) - [ ] New feature (non-breaking change which adds functionality) - [ ] Breaking change (fix or feature that would cause existing functionality to change) ## Test Plan 🧪 #### Behavior Without This Pull Request ⚰️ #### Behavior With This Pull Request 🎉 #### Related Unit Tests --- # Checklist 📝 - [ ] This patch was not authored or co-authored using [Generative Tooling](https://www.apache.org/legal/generative-tooling.html) **Be nice. Be informative.** Closes #6632 from turboFei/need_to_auth. Closes #6619 3a25a3dd3 [Wang, Fei] do auth Authored-by: Wang, Fei <fwang12@ebay.com> Signed-off-by: Wang, Fei <fwang12@ebay.com>
2024-08-29 14:47:15 -07:00 · 2024-08-29 14:47:15 -07:00 · c9b4512668
commit c9b4512668
parent 4c71415f99
1 changed files with 7 additions and 3 deletions
--- a/kyuubi-server/src/main/scala/org/apache/kyuubi/server/http/ThriftHttpServlet.scala
+++ b/kyuubi-server/src/main/scala/org/apache/kyuubi/server/http/ThriftHttpServlet.scala
@ -80,6 +80,7 @@ class ThriftHttpServlet(
  override def doPost(request: HttpServletRequest, response: HttpServletResponse): Unit = {
    var clientUserName: String = null
    var requireNewCookie: Boolean = false
+    var doAuth: Boolean = false
    try {
      if (conf.get(KyuubiConf.FRONTEND_THRIFT_HTTP_XSRF_FILTER_ENABLED)) {
        val continueProcessing = doXsrfFilter(request, response)
@ -111,6 +112,7 @@ class ThriftHttpServlet(
      // If the cookie based authentication is not enabled or the request does not have a valid
      // cookie, use authentication depending on the server setup.
      if (clientUserName == null) {
+        doAuth = true
        clientUserName = authenticate(request, response)
      }

@ -143,7 +145,7 @@ class ThriftHttpServlet(
        error("Error: ", e)
        throw e
    } finally {
-      AuthenticationAuditLogger.audit(request, response)
+      if (doAuth) AuthenticationAuditLogger.audit(request, response)
      AuthenticationFilter.HTTP_CLIENT_USER_NAME.remove()
      AuthenticationFilter.HTTP_CLIENT_IP_ADDRESS.remove()
      AuthenticationFilter.HTTP_PROXY_HEADER_CLIENT_IP_ADDRESS.remove()
@ -275,8 +277,10 @@ class ThriftHttpServlet(

  private def authenticate(request: HttpServletRequest, response: HttpServletResponse): String = {
    val authorization = request.getHeader(AUTHORIZATION_HEADER)
-    authenticationFilter.getMatchedHandler(authorization).map(
-      _.authenticate(request, response)).orNull
+    authenticationFilter.getMatchedHandler(authorization).map { authHandler =>
+      AuthenticationFilter.HTTP_AUTH_TYPE.set(authHandler.authScheme.toString)
+      authHandler.authenticate(request, response)
+    }.orNull
  }

  private def getDoAsQueryParam(queryString: String): String = {