Posted to commits@druid.apache.org by fj...@apache.org on 2019/05/23 23:00:11 UTC

[incubator-druid] branch master updated: Remove obsolete isExcluded config from Kerberos authenticator (#7745)

This is an automated email from the ASF dual-hosted git repository.

fjy pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/incubator-druid.git


The following commit(s) were added to refs/heads/master by this push:
     new ec4d09a  Remove obsolete isExcluded config from Kerberos authenticator (#7745)
ec4d09a is described below

commit ec4d09a02f81d312f677b0aa7c439a23891addef
Author: Jonathan Wei <jo...@users.noreply.github.com>
AuthorDate: Thu May 23 16:00:05 2019 -0700

    Remove obsolete isExcluded config from Kerberos authenticator (#7745)
---
 .../development/extensions-core/druid-kerberos.md  |  5 +++-
 .../security/kerberos/KerberosAuthenticator.java   | 30 ++--------------------
 2 files changed, 6 insertions(+), 29 deletions(-)

diff --git a/docs/content/development/extensions-core/druid-kerberos.md b/docs/content/development/extensions-core/druid-kerberos.md
index 46af7f4..99d6e45 100644
--- a/docs/content/development/extensions-core/druid-kerberos.md
+++ b/docs/content/development/extensions-core/druid-kerberos.md
@@ -54,13 +54,16 @@ The configuration examples in the rest of this document will use "kerberos" as t
 |`druid.auth.authenticator.kerberos.serverPrincipal`|`HTTP/_HOST@EXAMPLE.COM`| SPNego service principal used by druid processes|empty|Yes|
 |`druid.auth.authenticator.kerberos.serverKeytab`|`/etc/security/keytabs/spnego.service.keytab`|SPNego service keytab used by druid processes|empty|Yes|
 |`druid.auth.authenticator.kerberos.authToLocal`|`RULE:[1:$1@$0](druid@EXAMPLE.COM)s/.*/druid DEFAULT`|It allows you to set a general rule for mapping principal names to local user names. It will be used if there is not an explicit mapping for the principal name that is being translated.|DEFAULT|No|
-|`druid.auth.authenticator.kerberos.excludedPaths`|`['/status','/health']`| Array of HTTP paths which which does NOT need to be authenticated.|None|No|
 |`druid.auth.authenticator.kerberos.cookieSignatureSecret`|`secretString`| Secret used to sign authentication cookies. It is advisable to explicitly set it, if you have multiple druid ndoes running on same machine with different ports as the Cookie Specification does not guarantee isolation by port.|<Random value>|No|
 |`druid.auth.authenticator.kerberos.authorizerName`|Depends on available authorizers|Authorizer that requests should be directed to|Empty|Yes|
 
 As a note, it is required that the SPNego principal in use by the druid processes must start with HTTP (This specified by [RFC-4559](https://tools.ietf.org/html/rfc4559)) and must be of the form "HTTP/_HOST@REALM".
 The special string _HOST will be replaced automatically with the value of config `druid.host`
 
+### `druid.auth.authenticator.kerberos.excludedPaths`
+
+In older releases, the Kerberos authenticator had an `excludedPaths` property that allowed the user to specify a list of paths where authentication checks should be skipped. This property has been removed from the Kerberos authenticator because the path exclusion functionality is now handled across all authenticators/authorizers by setting `druid.auth.unsecuredPaths`, as described in the [main auth documentation](../../design/auth.html).
+
 ### Auth to Local Syntax
 `druid.auth.authenticator.kerberos.authToLocal` allows you to set a general rules for mapping principal names to local user names.
 The syntax for mapping rules is `RULE:\[n:string](regexp)s/pattern/replacement/g`. The integer n indicates how many components the target principal should have. If this matches, then a string will be formed from string, substituting the realm of the principal for $0 and the n‘th component of the principal for $n. e.g. if the principal was druid/admin then `\[2:$2$1suffix]` would result in the string `admindruidsuffix`.
diff --git a/extensions-core/druid-kerberos/src/main/java/org/apache/druid/security/kerberos/KerberosAuthenticator.java b/extensions-core/druid-kerberos/src/main/java/org/apache/druid/security/kerberos/KerberosAuthenticator.java
index 801d394..a58c799 100644
--- a/extensions-core/druid-kerberos/src/main/java/org/apache/druid/security/kerberos/KerberosAuthenticator.java
+++ b/extensions-core/druid-kerberos/src/main/java/org/apache/druid/security/kerberos/KerberosAuthenticator.java
@@ -66,19 +66,16 @@ import java.io.IOException;
 import java.net.HttpCookie;
 import java.security.Principal;
 import java.text.SimpleDateFormat;
-import java.util.Collections;
 import java.util.Date;
 import java.util.EnumSet;
 import java.util.HashMap;
 import java.util.HashSet;
-import java.util.List;
 import java.util.Locale;
 import java.util.Map;
 import java.util.Properties;
 import java.util.Set;
 import java.util.TimeZone;
 import java.util.concurrent.ThreadLocalRandom;
-import java.util.regex.Pattern;
 import java.util.stream.Collectors;
 
 
@@ -86,15 +83,11 @@ import java.util.stream.Collectors;
 public class KerberosAuthenticator implements Authenticator
 {
   private static final Logger log = new Logger(KerberosAuthenticator.class);
-  private static final Pattern HADOOP_AUTH_COOKIE_REGEX = Pattern.compile(".*p=(\\S+)&t=.*");
-  public static final List<String> DEFAULT_EXCLUDED_PATHS = Collections.emptyList();
   public static final String SIGNED_TOKEN_ATTRIBUTE = "signedToken";
 
-  private final DruidNode node;
   private final String serverPrincipal;
   private final String serverKeytab;
   private final String authToLocal;
-  private final List<String> excludedPaths;
   private final String cookieSignatureSecret;
   private final String authorizerName;
   private final String name;
@@ -105,17 +98,14 @@ public class KerberosAuthenticator implements Authenticator
       @JsonProperty("serverPrincipal") String serverPrincipal,
       @JsonProperty("serverKeytab") String serverKeytab,
       @JsonProperty("authToLocal") String authToLocal,
-      @JsonProperty("excludedPaths") List<String> excludedPaths,
       @JsonProperty("cookieSignatureSecret") String cookieSignatureSecret,
       @JsonProperty("authorizerName") String authorizerName,
       @JsonProperty("name") String name,
       @JacksonInject @Self DruidNode node
   )
   {
-    this.node = node;
     this.serverKeytab = serverKeytab;
     this.authToLocal = authToLocal == null ? "DEFAULT" : authToLocal;
-    this.excludedPaths = excludedPaths == null ? DEFAULT_EXCLUDED_PATHS : excludedPaths;
     this.cookieSignatureSecret = cookieSignatureSecret;
     this.authorizerName = authorizerName;
     this.name = Preconditions.checkNotNull(name);
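Review bot: The constructor still declares `@JacksonInject @Self DruidNode node` while the hunk removes the only use of it (`this.node = node;` and the `node` field), so the parameter is now dead injection that Jackson must still satisfy at startup. Either drop the parameter along with the field, or, if it is kept deliberately for binary/JSON compatibility, say so with a comment such as `// node is no longer used; retained only so the injectable constructor shape is unchanged`. It would also help operators to state in the constructor Javadoc that the former `excludedPaths` setting has moved to `druid.auth.unsecuredPaths`, since a stale `excludedPaths` entry in an existing config is now either rejected or silently ignored depending on the mapper's unknown-property handling, which I cannot confirm from this hunk. The constructor body continues past the end of the hunk.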
@@ -232,14 +222,8 @@ public class KerberosAuthenticator implements Authenticator
           initializeKerberosLogin();
         }
 
-        // Checking for excluded paths is Druid-specific, not from hadoop-auth
-        String path = ((HttpServletRequest) request).getRequestURI();
-        if (isExcluded(path)) {
-          filterChain.doFilter(request, response);
-        } else {
-          // Run the original doFilter method, but with modifications to error handling
-          doFilterSuper(request, response, filterChain);
-        }
+        // Run the original doFilter method, but with modifications to error handling
+        doFilterSuper(request, response, filterChain);
       }
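Review bot: After this change nothing in the filter explains where path exclusion went, so a future reader seeing every request routed through doFilterSuper may be tempted to reintroduce a per-authenticator bypass here. A one-line note at the call site, `// Unauthenticated paths are handled centrally via druid.auth.unsecuredPaths, not by this filter`, would record the intent that the docs hunk describes. The enclosing doFilter method starts and ends outside the hunk.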
 
 
@@ -427,16 +411,6 @@ public class KerberosAuthenticator implements Authenticator
     throw new UnsupportedOperationException("JDBC Kerberos auth not supported yet");
   }
 
-  private boolean isExcluded(String path)
-  {
-    for (String excluded : excludedPaths) {
-      if (path.startsWith(excluded)) {
-        return true;
-      }
-    }
-    return false;
-  }
-
   @Override
   public void decorateProxyRequest(
       HttpServletRequest clientRequest,

