Posted to commits@falcon.apache.org by aj...@apache.org on 2015/04/24 17:46:39 UTC
falcon git commit: FALCON-954 Secure Kerberos setup : Falcon should
periodically revalidate auth token. Contributed by Balu Vellanki
Repository: falcon
Updated Branches:
refs/heads/master 0232f1b6b -> a6298f8a7
FALCON-954 Secure Kerberos setup : Falcon should periodically revalidate auth token. Contributed by Balu Vellanki
Project: http://git-wip-us.apache.org/repos/asf/falcon/repo
Commit: http://git-wip-us.apache.org/repos/asf/falcon/commit/a6298f8a
Tree: http://git-wip-us.apache.org/repos/asf/falcon/tree/a6298f8a
Diff: http://git-wip-us.apache.org/repos/asf/falcon/diff/a6298f8a
Branch: refs/heads/master
Commit: a6298f8a7fdccf05a5aece2289df36431558affd
Parents: 0232f1b
Author: Ajay Yadava <aj...@gmail.com>
Authored: Fri Apr 24 21:13:46 2015 +0530
Committer: Ajay Yadava <aj...@gmail.com>
Committed: Fri Apr 24 21:13:46 2015 +0530
----------------------------------------------------------------------
CHANGES.txt | 3 ++
.../AuthenticationInitializationService.java | 47 ++++++++++++++++++--
docs/src/site/twiki/Security.twiki | 3 ++
.../org/apache/falcon/aspect/GenericAlert.java | 7 +++
src/conf/startup.properties | 3 ++
5 files changed, 60 insertions(+), 3 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/falcon/blob/a6298f8a/CHANGES.txt
----------------------------------------------------------------------
diff --git a/CHANGES.txt b/CHANGES.txt
index 267b01e..bbe3dd7 100755
--- a/CHANGES.txt
+++ b/CHANGES.txt
@@ -18,6 +18,9 @@ Trunk (Unreleased)
OPTIMIZATIONS
BUG FIXES
+ FALCON-954 Secure Kerberos setup : Falcon should periodically revalidate
+ auth token (Balu Vellanki via Ajay Yadava)
+
FALCON-1146 feed retention policy deleted everything all the way up
to the root (Peeyush Bishnoi via Suhas Vasu)
http://git-wip-us.apache.org/repos/asf/falcon/blob/a6298f8a/common/src/main/java/org/apache/falcon/security/AuthenticationInitializationService.java
----------------------------------------------------------------------
diff --git a/common/src/main/java/org/apache/falcon/security/AuthenticationInitializationService.java b/common/src/main/java/org/apache/falcon/security/AuthenticationInitializationService.java
index fbed283..cf27408 100644
--- a/common/src/main/java/org/apache/falcon/security/AuthenticationInitializationService.java
+++ b/common/src/main/java/org/apache/falcon/security/AuthenticationInitializationService.java
@@ -18,8 +18,10 @@
package org.apache.falcon.security;
+import org.apache.commons.lang3.StringUtils;
import org.apache.commons.lang.Validate;
import org.apache.falcon.FalconException;
+import org.apache.falcon.aspect.GenericAlert;
import org.apache.falcon.service.FalconService;
import org.apache.falcon.util.StartupProperties;
import org.apache.hadoop.conf.Configuration;
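Review bot: The new `org.apache.commons.lang3.StringUtils` import sits next to the existing `org.apache.commons.lang.Validate`, so this file now depends on both commons-lang and commons-lang3 for two trivial helpers. Unless the common module already ships lang3 (not visible here), this pulls in a second artifact for one `isNotEmpty` call; `org.apache.commons.lang.StringUtils` offers the same method from the library already in use, `import org.apache.commons.lang.StringUtils;`.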
@@ -29,7 +31,10 @@ import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import java.io.File;
+import java.util.Date;
import java.util.Properties;
+import java.util.Timer;
+import java.util.TimerTask;
/**
@@ -49,15 +54,23 @@ public class AuthenticationInitializationService implements FalconService {
* Constant for the configuration property that indicates the keytab file path.
*/
protected static final String KERBEROS_KEYTAB = CONFIG_PREFIX + KerberosAuthenticationHandler.KEYTAB;
+
/**
* Constant for the configuration property that indicates the kerberos principal.
*/
protected static final String KERBEROS_PRINCIPAL = CONFIG_PREFIX + KerberosAuthenticationHandler.PRINCIPAL;
+ /**
+ * Constant for the configuration property that indicates the authentication token validity time in seconds.
+ */
+ protected static final String AUTH_TOKEN_VALIDITY_SECONDS = CONFIG_PREFIX + "token.validity";
+
+ private Timer timer = new Timer();
+ private static final String SERVICE_NAME = "Authentication initialization service";
@Override
public String getName() {
- return "Authentication initialization service";
+ return SERVICE_NAME;
}
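Review bot: `private Timer timer = new Timer();` creates an unnamed, non-daemon thread the moment the service object is constructed, before `init()` decides whether Kerberos is even enabled; if startup fails before `destroy()` runs, that thread keeps the JVM alive with no cancel. Prefer `private final Timer timer = new Timer("AuthTokenValidation", true);` so the thread is identifiable in dumps and cannot block shutdown on its own (whether a daemon thread is acceptable here depends on how the service lifecycle handles a failed `init()`, which is outside the hunk). The Javadoc on `AUTH_TOKEN_VALIDITY_SECONDS` says "validity time" but the property is used as the re-login period; a comment such as `Period (in seconds) at which the service re-logs in from the keytab; must be shorter than the KDC's ticket lifetime.` tells the operator what the value actually controls.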
@Override
@@ -66,6 +79,17 @@ public class AuthenticationInitializationService implements FalconService {
if (SecurityUtil.isSecurityEnabled()) {
LOG.info("Falcon Kerberos Authentication Enabled!");
initializeKerberos();
+
+ String authTokenValidity = StartupProperties.get().getProperty(AUTH_TOKEN_VALIDITY_SECONDS);
+ long validateFrequency;
+ try {
+ validateFrequency = (StringUtils.isNotEmpty(authTokenValidity))
+ ? Long.valueOf(authTokenValidity) : 86400;
+ } catch (NumberFormatException nfe) {
+ throw new FalconException("Invalid value provided for startup property \""
+ + AUTH_TOKEN_VALIDITY_SECONDS + "\", please provide a valid long number", nfe);
+ }
+ timer.schedule(new TokenValidationThread(), 0, validateFrequency*1000);
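Review bot: `validateFrequency` is never range-checked before `timer.schedule(...)` on the last line of the hunk, so a configured value of 0 or a negative number bypasses the FalconException path and surfaces as an IllegalArgumentException from java.util.Timer at startup, and a very large value makes `validateFrequency*1000` overflow silently. Add `if (validateFrequency <= 0) { throw new FalconException("Startup property \"" + AUTH_TOKEN_VALIDITY_SECONDS + "\" must be a positive number of seconds"); }` before the schedule call and compute the period with `TimeUnit.SECONDS.toMillis(validateFrequency)` (which saturates instead of overflowing; needs `java.util.concurrent.TimeUnit`). The initial delay of 0 also causes a second keytab login immediately after the `initializeKerberos()` call a few lines above; passing the same period as the initial delay avoids the redundant login. The enclosing `init` method starts and ends outside the hunk.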
} else {
LOG.info("Falcon Simple Authentication Enabled!");
Configuration ugiConf = new Configuration();
@@ -74,7 +98,7 @@ public class AuthenticationInitializationService implements FalconService {
}
}
- protected void initializeKerberos() throws FalconException {
+ protected static void initializeKerberos() throws FalconException {
try {
Properties configuration = StartupProperties.get();
String principal = configuration.getProperty(KERBEROS_PRINCIPAL);
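Review bot: Turning `initializeKerberos` from an instance method into `protected static` silently converts any subclass override into method hiding, and the timer task will then always call the base implementation; since the method was `protected` rather than `private`, it may have been intended as an extension point (not confirmable from the hunk). If that contract matters, keep it an instance method and give `TokenValidationThread` a reference to the service (or make it a non-static nested class) instead of making the method static. The method body continues past the end of the hunk.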
@@ -96,7 +120,7 @@ public class AuthenticationInitializationService implements FalconService {
LOG.info("Got Kerberos ticket, keytab: {}, Falcon principal: {}", keytabFilePath, principal);
} catch (Exception ex) {
- throw new FalconException("Could not initialize " + getName()
+ throw new FalconException("Could not initialize " + SERVICE_NAME
+ ": " + ex.getMessage(), ex);
}
}
@@ -118,5 +142,22 @@ public class AuthenticationInitializationService implements FalconService {
@Override
public void destroy() throws FalconException {
+ timer.cancel();
}
+
+ private static class TokenValidationThread extends TimerTask {
+ @Override
+ public void run() {
+ try {
+ LOG.info("Validating Auth Token: {}", new Date());
+ initializeKerberos();
+ } catch (Throwable t) {
+ LOG.error("Error in Auth Token Validation task: ", t);
+ GenericAlert.initializeKerberosFailed(
+ "Exception in Auth Token Validation : ", t);
+ }
+ }
+ }
+
+
}
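Review bot: `TokenValidationThread.run()` performs a full keytab login on every tick regardless of whether the current ticket is anywhere near expiry, and on failure it only logs and raises an alert, so a KDC that is briefly unreachable at renewal time leaves the service on an expiring ticket until the next full period (24h by default). If `initializeKerberos()` logs in through Hadoop's UserGroupInformation (the "Got Kerberos ticket" message in the earlier hunk suggests so, but the call itself is not visible), `UserGroupInformation.getLoginUser().checkTGTAndReloginFromKeytab()` re-logs only when needed and can safely be scheduled at a much shorter interval than the ticket lifetime, which also shrinks the failure window. The class is a TimerTask rather than a Thread, so `TokenRenewalTask` would describe it better, and the `new Date()` in the log line duplicates the timestamp the logger already emits. Add a Javadoc on the class such as `Periodic task that re-acquires the service's Kerberos credentials from the configured keytab; failures are logged and reported via GenericAlert but do not stop the timer.`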
http://git-wip-us.apache.org/repos/asf/falcon/blob/a6298f8a/docs/src/site/twiki/Security.twiki
----------------------------------------------------------------------
diff --git a/docs/src/site/twiki/Security.twiki b/docs/src/site/twiki/Security.twiki
index 7c4eb07..8955bdc 100644
--- a/docs/src/site/twiki/Security.twiki
+++ b/docs/src/site/twiki/Security.twiki
@@ -178,6 +178,9 @@ Following is the Server Side Configuration Setup for Authentication.
# name node principal to talk to config store
*.dfs.namenode.kerberos.principal=nn/_HOST@EXAMPLE.COM
+# Indicates how long (in seconds) falcon authentication token is valid before it has to be renewed.
+*.falcon.service.authentication.token.validity=86400
+
##### SPNEGO Configuration
# Authentication type must be specified: simple|kerberos|<class>
http://git-wip-us.apache.org/repos/asf/falcon/blob/a6298f8a/metrics/src/main/java/org/apache/falcon/aspect/GenericAlert.java
----------------------------------------------------------------------
diff --git a/metrics/src/main/java/org/apache/falcon/aspect/GenericAlert.java b/metrics/src/main/java/org/apache/falcon/aspect/GenericAlert.java
index 2973347..321c769 100644
--- a/metrics/src/main/java/org/apache/falcon/aspect/GenericAlert.java
+++ b/metrics/src/main/java/org/apache/falcon/aspect/GenericAlert.java
@@ -92,6 +92,13 @@ public final class GenericAlert {
}
//RESUME CHECKSTYLE CHECK ParameterNumberCheck
+ @Monitored(event = "init-kerberos-failed")
+ public static String initializeKerberosFailed(
+ @Dimension(value = "message") String message,
+ @Dimension(value = "exception") Throwable throwable) {
+ return "IGNORE";
+ }
+
@Monitored(event = "rerun-queue-failed")
public static String alertRerunConsumerFailed(
@Dimension(value = "message") String message,
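Review bot: The new `initializeKerberosFailed` breaks the naming convention of its siblings in this class, which use an `alert...Failed` prefix (see `alertRerunConsumerFailed` directly below); `alertInitializeKerberosFailed` would match and make the monitored-event methods easier to find. The method also lacks the Javadoc the other public members presumably carry; a one-liner such as `Emits the "init-kerberos-failed" monitoring event when the periodic keytab re-login fails; the return value is ignored by callers.` explains why a method that returns the constant "IGNORE" exists.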
http://git-wip-us.apache.org/repos/asf/falcon/blob/a6298f8a/src/conf/startup.properties
----------------------------------------------------------------------
diff --git a/src/conf/startup.properties b/src/conf/startup.properties
index 6bbd06e..64a7d27 100644
--- a/src/conf/startup.properties
+++ b/src/conf/startup.properties
@@ -153,6 +153,9 @@ prism.configstore.listeners=org.apache.falcon.entity.v0.EntityGraph,\
# The kerberos names rules is to resolve kerberos principal names, refer to Hadoop's KerberosName for more details.
*.falcon.http.authentication.kerberos.name.rules=DEFAULT
+# Indicates the validity time (in seconds) for kerberos token.
+*.falcon.service.authentication.token.validity=86400
+
# Comma separated list of black listed users
*.falcon.http.authentication.blacklisted.users=
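Review bot: The comment on `*.falcon.service.authentication.token.validity` describes it as the validity time of the Kerberos token, but the code uses it purely as the interval at which Falcon re-logs in from the keytab; an operator who copies the KDC's ticket lifetime here gets a renewal that fires exactly at expiry, with no margin for clock skew or a slow KDC. Suggest `# Interval (in seconds) at which Falcon re-logs in from its keytab. Must be shorter than the KDC's ticket lifetime; the default of 86400 assumes tickets live longer than 24h.`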