RANGER-4371: Ranger authn - add doAs support for JWT authentication

Signed-off-by: Dineshkumar Yadav <dineshkumar.yadav@outlook.com>

ranger-authn/src/main/java/org/apache/ranger/authz/handler/jwt/RangerDefaultJwtAuthHandler.java

@@ -40,6 +40,7 @@
 public class RangerDefaultJwtAuthHandler extends RangerJwtAuthHandler {
 
     protected static final String AUTHORIZATION_HEADER = "Authorization";
+    protected static final String DO_AS_PARAMETER      = "doAs";
 
     @Override
     public ConfigurableJWTProcessor<SecurityContext> getJwtProcessor(JWSKeySelector<SecurityContext> keySelector) {
@@ -57,8 +58,9 @@ public RangerAuth authenticate(HttpServletRequest httpServletRequest) {
         RangerAuth rangerAuth       = null;
         String     jwtAuthHeaderStr = getJwtAuthHeader(httpServletRequest);
         String     jwtCookieStr     = StringUtils.isBlank(jwtAuthHeaderStr) ? getJwtCookie(httpServletRequest) : null;
+        String     doAsUser         = httpServletRequest.getParameter(DO_AS_PARAMETER);
 
-        AuthenticationToken authenticationToken = authenticate(jwtAuthHeaderStr, jwtCookieStr);
+        AuthenticationToken authenticationToken = authenticate(jwtAuthHeaderStr, jwtCookieStr, doAsUser);
 
         if (authenticationToken != null) {
             rangerAuth = new RangerAuth(authenticationToken, RangerAuth.AUTH_TYPE.JWT_JWKS);

ranger-authn/src/main/java/org/apache/ranger/authz/handler/jwt/RangerJwtAuthHandler.java

@@ -101,7 +101,7 @@ public void initialize(final Properties config) throws Exception {
         }
     }
 
-    protected AuthenticationToken authenticate(final String jwtAuthHeader, final String jwtCookie) {
+    protected AuthenticationToken authenticate(final String jwtAuthHeader, final String jwtCookie, final String doAsUser) {
         if (LOG.isDebugEnabled()) {
             LOG.debug("===>>> RangerJwtAuthHandler.authenticate()");
         }
@@ -115,17 +115,27 @@ protected AuthenticationToken authenticate(final String jwtAuthHeader, final Str
                     final SignedJWT jwtToken = SignedJWT.parse(serializedJWT);
                     boolean         valid    = validateToken(jwtToken);
                     if (valid) {
-                        final String userName = jwtToken.getJWTClaimsSet().getSubject();
-                        LOG.info("Issuing AuthenticationToken for user: [{}]", userName);
+                        String userName;
+
+                        if (StringUtils.isNotBlank(doAsUser)) {
+                            userName = doAsUser.trim();
+                        } else {
+                            userName = jwtToken.getJWTClaimsSet().getSubject();
+                        }
+
+                        if (LOG.isDebugEnabled()) {
+                            LOG.debug("RangerJwtAuthHandler.authenticate(): Issuing AuthenticationToken for user: [{}]", userName);
+                            LOG.debug("RangerJwtAuthHandler.authenticate(): Authentication successful for user [{}] and doAs user is [{}]", jwtToken.getJWTClaimsSet().getSubject(), doAsUser);
+                        }
                         token = new AuthenticationToken(userName, userName, TYPE);
                     } else {
-                        LOG.warn("Validation failed for JWT token: [{}] ", jwtToken.serialize());
+                        LOG.warn("RangerJwtAuthHandler.authenticate(): Validation failed for JWT token: [{}] ", jwtToken.serialize());
                     }
                 } catch (ParseException pe) {
-                    LOG.warn("Unable to parse the JWT token", pe);
+                    LOG.warn("RangerJwtAuthHandler.authenticate(): Unable to parse the JWT token", pe);
                 }
             } else {
-                LOG.warn("JWT token not found.");
+                LOG.warn("RangerJwtAuthHandler.authenticate(): JWT token not found.");
             }
         }