Posted to commits@aurora.apache.org by wf...@apache.org on 2015/04/30 00:08:44 UTC

aurora git commit: Add support for shorthand names of security realm modules.

Repository: aurora
Updated Branches:
  refs/heads/master e34bf7c69 -> 970c2a519


Add support for shorthand names of security realm modules.

Bugs closed: AURORA-1290

Reviewed at https://reviews.apache.org/r/33659/


Project: http://git-wip-us.apache.org/repos/asf/aurora/repo
Commit: http://git-wip-us.apache.org/repos/asf/aurora/commit/970c2a51
Tree: http://git-wip-us.apache.org/repos/asf/aurora/tree/970c2a51
Diff: http://git-wip-us.apache.org/repos/asf/aurora/diff/970c2a51

Branch: refs/heads/master
Commit: 970c2a519e4202b0cd28ff4d2e879b3fc9292f0b
Parents: e34bf7c
Author: Bill Farner <wf...@apache.org>
Authored: Wed Apr 29 15:08:31 2015 -0700
Committer: Bill Farner <wf...@apache.org>
Committed: Wed Apr 29 15:08:31 2015 -0700

----------------------------------------------------------------------
 docs/security.md                                    | 16 +++++++++++-----
 .../vagrant/upstart/aurora-scheduler-kerberos.conf  |  2 +-
 .../scheduler/http/api/security/ModuleParser.java   | 16 ++++++++++++----
 3 files changed, 24 insertions(+), 10 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/aurora/blob/970c2a51/docs/security.md
----------------------------------------------------------------------
diff --git a/docs/security.md b/docs/security.md
index 9b77781..8fcbadb 100644
--- a/docs/security.md
+++ b/docs/security.md
@@ -45,7 +45,7 @@ At a minimum you need to set 4 command-line flags on the scheduler:
 
 ```
 -http_authentication_mechanism=BASIC
--shiro_realm_modules=org.apache.aurora.scheduler.http.api.security.IniShiroRealmModule
+-shiro_realm_modules=INI_AUTHNZ
 -shiro_ini_path=path/to/security.ini
 ```
 
@@ -86,7 +86,7 @@ At a minimum you need to set 6 command-line flags on the scheduler:
 
 ```
 -http_authentication_mechanism=NEGOTIATE
--shiro_realm_modules=org.apache.aurora.scheduler.http.api.security.Kerberos5ShiroRealmModule,org.apache.aurora.scheduler.http.api.security.IniShiroRealmModule
+-shiro_realm_modules=KERBEROS5_AUTHN,INI_AUTHNZ
 -kerberos_server_principal=HTTP/aurora.example.com@EXAMPLE.COM
 -kerberos_server_keytab=path/to/aurora.example.com.keytab
 -shiro_ini_path=path/to/security.ini
@@ -114,7 +114,7 @@ Next, a Realm module must be configured to **authenticate** the current request
 credentials that were requested. Aurora ships with a realm module that can do this
 
 ```
--shiro_realm_modules=org.apache.aurora.scheduler.http.api.security.Kerberos5ShiroRealmModule[,...]
+-shiro_realm_modules=KERBEROS5_AUTHN[,...]
 ```
 
 The Kerberos5Realm requires a keytab file and a server principal name. The principal name will usually
@@ -130,7 +130,7 @@ enable a realm module that provides an Authorizer implementation. For example, t
 IniShiroRealmModule:
 
 ```
--shiro_realm_modules=org.apache.aurora.scheduler.http.api.security.Kerberos5ShiroRealmModule,org.apache.aurora.scheduler.http.api.security.IniShiroRealmModule
+-shiro_realm_modules=KERBEROS5_AUTHN,INI_AUTHNZ
 ```
 
 You can then configure authorization using a security.ini file as described below
@@ -250,6 +250,13 @@ public class MyRealmModule extends AbstractModule {
 }
 ```
 
+To use your module in the scheduler, include it as a realm module based on its fully-qualified
+class name:
+
+```
+-shiro_realm_modules=KERBEROS5_AUTHN,INI_AUTHNZ,com.example.MyRealmModule
+```
+
 # Known Issues
 
 While the APIs and SPIs we ship with are stable as of 0.8.0, we are aware of several incremental
@@ -259,7 +266,6 @@ Relevant tickets:
 * [AURORA-343](https://issues.apache.org/jira/browse/AURORA-343): HTTPS support
 * [AURORA-1248](https://issues.apache.org/jira/browse/AURORA-1248): Client retries 4xx errors
 * [AURORA-1279](https://issues.apache.org/jira/browse/AURORA-1279): Remove kerberos-specific build targets
-* [AURORA-1290](https://issues.apache.org/jira/browse/AURORA-1290): Allow specifying a shorthand for "well-known" Module FQCNs
 * [AURORA-1293](https://issues.apache.org/jira/browse/AURORA-1291): Consider defining a JSON format in place of INI
 * [AURORA-1179](https://issues.apache.org/jira/browse/AURORA-1179): Supported hashed passwords in security.ini
 * [AURORA-1295](https://issues.apache.org/jira/browse/AURORA-1295): Support security for the ReadOnlyScheduler service

http://git-wip-us.apache.org/repos/asf/aurora/blob/970c2a51/examples/vagrant/upstart/aurora-scheduler-kerberos.conf
----------------------------------------------------------------------
diff --git a/examples/vagrant/upstart/aurora-scheduler-kerberos.conf b/examples/vagrant/upstart/aurora-scheduler-kerberos.conf
index 4fd2bf6..7333e81 100644
--- a/examples/vagrant/upstart/aurora-scheduler-kerberos.conf
+++ b/examples/vagrant/upstart/aurora-scheduler-kerberos.conf
@@ -48,7 +48,7 @@ exec bin/aurora-scheduler \
   -vlog=INFO \
   -logtostderr \
   -allowed_container_types=MESOS,DOCKER \
-  -shiro_realm_modules=org.apache.aurora.scheduler.http.api.security.Kerberos5ShiroRealmModule,org.apache.aurora.scheduler.http.api.security.IniShiroRealmModule \
+  -shiro_realm_modules=KERBEROS5_AUTHN,INI_AUTHNZ \
   -shiro_ini_path=/home/vagrant/aurora/src/test/resources/org/apache/aurora/scheduler/http/api/security/shiro-example.ini \
   -http_authentication_mechanism=NEGOTIATE \
   -kerberos_server_keytab=/home/vagrant/krb5-1.13.1/build/testdir/HTTP-192.168.33.7.keytab \

http://git-wip-us.apache.org/repos/asf/aurora/blob/970c2a51/src/main/java/org/apache/aurora/scheduler/http/api/security/ModuleParser.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/aurora/scheduler/http/api/security/ModuleParser.java b/src/main/java/org/apache/aurora/scheduler/http/api/security/ModuleParser.java
index c968216..9077827 100644
--- a/src/main/java/org/apache/aurora/scheduler/http/api/security/ModuleParser.java
+++ b/src/main/java/org/apache/aurora/scheduler/http/api/security/ModuleParser.java
@@ -13,6 +13,9 @@
  */
 package org.apache.aurora.scheduler.http.api.security;
 
+import java.util.Map;
+
+import com.google.common.collect.ImmutableMap;
 import com.google.inject.Module;
 import com.twitter.common.args.ArgParser;
 import com.twitter.common.args.parsers.NonParameterizedTypeParser;
@@ -20,23 +23,28 @@ import com.twitter.common.args.parsers.NonParameterizedTypeParser;
 import org.apache.aurora.scheduler.app.Modules;
 
 /**
- * ArgParser for Guice modules. Constructs an instance of a Module with a given FQCN if it has a
- * public no-args constructor.
+ * ArgParser for Guice modules. Constructs an instance of a Module with a given alias or FQCN if it
+ * has a public no-args constructor.
  */
 @ArgParser
 public class ModuleParser extends NonParameterizedTypeParser<Module> {
+  private static final Map<String, String> NAME_ALIASES = ImmutableMap.of(
+      "KERBEROS5_AUTHN", Kerberos5ShiroRealmModule.class.getCanonicalName(),
+      "INI_AUTHNZ", IniShiroRealmModule.class.getCanonicalName());
+
   @Override
   public Module doParse(String raw) throws IllegalArgumentException {
+    String fullyQualifiedName = NAME_ALIASES.containsKey(raw) ? NAME_ALIASES.get(raw) : raw;
     Class<?> rawClass;
     try {
-      rawClass = Class.forName(raw);
+      rawClass = Class.forName(fullyQualifiedName);
     } catch (ClassNotFoundException e) {
       throw new IllegalArgumentException(e);
     }
 
     if (!Module.class.isAssignableFrom(rawClass)) {
       throw new IllegalArgumentException(
-          "Class " + raw + " must implement " + Module.class.getName());
+          "Class " + fullyQualifiedName + " must implement " + Module.class.getName());
     }
     @SuppressWarnings("unchecked")
     Class<? extends Module> moduleClass = (Class<? extends Module>) rawClass;
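Review bot: An operator who mistypes an alias (say a lowercase `kerberos5_authn`) now falls through the case-sensitive NAME_ALIASES lookup into Class.forName and gets a bare ClassNotFoundException wrapped with no hint that aliases exist; the catch block in doParse should name the input and the accepted shorthands, e.g. `throw new IllegalArgumentException("No module class or alias named " + raw + "; known aliases: " + NAME_ALIASES.keySet(), e);`. Since the alias table is now part of the flag's contract, the class Javadoc should also list the accepted shorthands (`KERBEROS5_AUTHN` and `INI_AUTHNZ`) alongside the FQCN form so the -shiro_realm_modules help text and docs/security.md stay in sync. The single-argument Class.forName on the new line initializes the named class before the Module check runs; the three-argument form with initialize=false would defer that until the type is confirmed, though this behaviour predates the commit. doParse continues past the end of this hunk.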