Posted to commits@falcon.apache.org by aj...@apache.org on 2015/04/24 17:46:39 UTC

falcon git commit: FALCON-954 Secure Kerberos setup : Falcon should periodically revalidate auth token. Contributed by Balu Vellanki

Repository: falcon
Updated Branches:
  refs/heads/master 0232f1b6b -> a6298f8a7


FALCON-954 Secure Kerberos setup : Falcon should periodically revalidate auth token. Contributed by Balu Vellanki


Project: http://git-wip-us.apache.org/repos/asf/falcon/repo
Commit: http://git-wip-us.apache.org/repos/asf/falcon/commit/a6298f8a
Tree: http://git-wip-us.apache.org/repos/asf/falcon/tree/a6298f8a
Diff: http://git-wip-us.apache.org/repos/asf/falcon/diff/a6298f8a

Branch: refs/heads/master
Commit: a6298f8a7fdccf05a5aece2289df36431558affd
Parents: 0232f1b
Author: Ajay Yadava <aj...@gmail.com>
Authored: Fri Apr 24 21:13:46 2015 +0530
Committer: Ajay Yadava <aj...@gmail.com>
Committed: Fri Apr 24 21:13:46 2015 +0530

----------------------------------------------------------------------
 CHANGES.txt                                     |  3 ++
 .../AuthenticationInitializationService.java    | 47 ++++++++++++++++++--
 docs/src/site/twiki/Security.twiki              |  3 ++
 .../org/apache/falcon/aspect/GenericAlert.java  |  7 +++
 src/conf/startup.properties                     |  3 ++
 5 files changed, 60 insertions(+), 3 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/falcon/blob/a6298f8a/CHANGES.txt
----------------------------------------------------------------------
diff --git a/CHANGES.txt b/CHANGES.txt
index 267b01e..bbe3dd7 100755
--- a/CHANGES.txt
+++ b/CHANGES.txt
@@ -18,6 +18,9 @@ Trunk (Unreleased)
   OPTIMIZATIONS
 
   BUG FIXES
+    FALCON-954 Secure Kerberos setup : Falcon should periodically revalidate 
+    auth token (Balu Vellanki via Ajay Yadava)
+
     FALCON-1146 feed retention policy deleted everything all the way up
     to the root (Peeyush Bishnoi via Suhas Vasu)
 

http://git-wip-us.apache.org/repos/asf/falcon/blob/a6298f8a/common/src/main/java/org/apache/falcon/security/AuthenticationInitializationService.java
----------------------------------------------------------------------
diff --git a/common/src/main/java/org/apache/falcon/security/AuthenticationInitializationService.java b/common/src/main/java/org/apache/falcon/security/AuthenticationInitializationService.java
index fbed283..cf27408 100644
--- a/common/src/main/java/org/apache/falcon/security/AuthenticationInitializationService.java
+++ b/common/src/main/java/org/apache/falcon/security/AuthenticationInitializationService.java
@@ -18,8 +18,10 @@
 
 package org.apache.falcon.security;
 
+import org.apache.commons.lang3.StringUtils;
 import org.apache.commons.lang.Validate;
 import org.apache.falcon.FalconException;
+import org.apache.falcon.aspect.GenericAlert;
 import org.apache.falcon.service.FalconService;
 import org.apache.falcon.util.StartupProperties;
 import org.apache.hadoop.conf.Configuration;
@@ -29,7 +31,10 @@ import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
 import java.io.File;
+import java.util.Date;
 import java.util.Properties;
+import java.util.Timer;
+import java.util.TimerTask;
 
 
 /**
@@ -49,15 +54,23 @@ public class AuthenticationInitializationService implements FalconService {
      * Constant for the configuration property that indicates the keytab file path.
      */
     protected static final String KERBEROS_KEYTAB = CONFIG_PREFIX + KerberosAuthenticationHandler.KEYTAB;
+
     /**
      * Constant for the configuration property that indicates the kerberos principal.
      */
     protected static final String KERBEROS_PRINCIPAL = CONFIG_PREFIX + KerberosAuthenticationHandler.PRINCIPAL;
 
+    /**
+     * Constant for the configuration property that indicates the authentication token validity time in seconds.
+     */
+    protected static final String AUTH_TOKEN_VALIDITY_SECONDS = CONFIG_PREFIX + "token.validity";
+
+    private Timer timer = new Timer();
+    private static final String SERVICE_NAME = "Authentication initialization service";
 
     @Override
     public String getName() {
-        return "Authentication initialization service";
+        return SERVICE_NAME;
     }
 
     @Override
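Review bot: `private Timer timer = new Timer();` creates an unnamed, non-daemon thread, so if `destroy()` is never reached the renewal thread keeps the JVM alive at shutdown and shows up in thread dumps only as `Timer-N`. Prefer `private final Timer timer = new Timer("FalconKerberosRelogin", true);` — `final` since nothing in this diff reassigns the field, a name so the thread is identifiable, and daemon so it cannot block exit. The constant `AUTH_TOKEN_VALIDITY_SECONDS` is used in this file as the period between keytab re-logins rather than as a ticket lifetime, which is decided by the KDC; its Javadoc would be clearer as `Interval, in seconds, between re-logins from the keytab (not the KDC-issued ticket lifetime).`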
@@ -66,6 +79,17 @@ public class AuthenticationInitializationService implements FalconService {
         if (SecurityUtil.isSecurityEnabled()) {
             LOG.info("Falcon Kerberos Authentication Enabled!");
             initializeKerberos();
+
+            String authTokenValidity = StartupProperties.get().getProperty(AUTH_TOKEN_VALIDITY_SECONDS);
+            long validateFrequency;
+            try {
+                validateFrequency = (StringUtils.isNotEmpty(authTokenValidity))
+                        ? Long.valueOf(authTokenValidity) : 86400;
+            } catch (NumberFormatException nfe) {
+                throw new FalconException("Invalid value provided for startup property \""
+                        + AUTH_TOKEN_VALIDITY_SECONDS + "\", please provide a valid long number", nfe);
+            }
+            timer.schedule(new TokenValidationThread(), 0, validateFrequency*1000);
         } else {
             LOG.info("Falcon Simple Authentication Enabled!");
             Configuration ugiConf = new Configuration();
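Review bot: The parsed value reaches `timer.schedule(new TokenValidationThread(), 0, validateFrequency*1000)` with no range check, so `0` or a negative value makes `Timer.schedule` throw an unchecked `IllegalArgumentException` out of `init()` instead of the `FalconException` the surrounding code uses, and a value above `Long.MAX_VALUE / 1000` overflows the multiplication into a negative period with the same result. Add after the try/catch: `if (validateFrequency <= 0 || validateFrequency > Long.MAX_VALUE / 1000) { throw new FalconException("Startup property \"" + AUTH_TOKEN_VALIDITY_SECONDS + "\" must be a positive number of seconds"); }`. The initial delay of `0` also re-runs `initializeKerberos()` immediately after the call a few lines above; passing `validateFrequency*1000` as the first argument avoids the duplicate login. Nothing here relates the interval to the ticket lifetime the KDC actually grants, so a period longer than that lifetime (the 86400 s default can exceed what some KDCs issue) leaves a window in which the service holds an expired ticket — worth stating in the property's documentation. The enclosing `init()` method ends outside the hunk.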
@@ -74,7 +98,7 @@ public class AuthenticationInitializationService implements FalconService {
         }
     }
 
-    protected void initializeKerberos() throws FalconException {
+    protected static void initializeKerberos() throws FalconException {
         try {
             Properties configuration = StartupProperties.get();
             String principal = configuration.getProperty(KERBEROS_PRINCIPAL);
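Review bot: Making `initializeKerberos()` `protected static` keeps the subclass-visible modifier while removing the ability of a subclass to override it, since static methods are not polymorphic; a subclass that had overridden it would now be silently bypassed by the renewal task. If no subclass is intended, `private static` says so; if one is, keep the method an instance method and give the renewal task a reference to the service (for example by passing `this` to its constructor). The enclosing method continues past the hunk.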
@@ -96,7 +120,7 @@ public class AuthenticationInitializationService implements FalconService {
 
             LOG.info("Got Kerberos ticket, keytab: {}, Falcon principal: {}", keytabFilePath, principal);
         } catch (Exception ex) {
-            throw new FalconException("Could not initialize " + getName()
+            throw new FalconException("Could not initialize " + SERVICE_NAME
                     + ": " + ex.getMessage(), ex);
         }
     }
@@ -118,5 +142,22 @@ public class AuthenticationInitializationService implements FalconService {
 
     @Override
     public void destroy() throws FalconException {
+        timer.cancel();
     }
+
+    private static class TokenValidationThread extends TimerTask {
+        @Override
+        public void run() {
+            try {
+                LOG.info("Validating Auth Token: {}", new Date());
+                initializeKerberos();
+            } catch (Throwable t) {
+                LOG.error("Error in Auth Token Validation task: ", t);
+                GenericAlert.initializeKerberosFailed(
+                        "Exception in Auth Token Validation : ", t);
+            }
+        }
+    }
+
+
 }
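Review bot: The `catch (Throwable t)` in `TokenValidationThread.run()` is justified but unexplained: an exception escaping a `TimerTask` cancels the `Timer`, which would silently end all future re-logins, so add `// Catch everything: an exception escaping a TimerTask cancels the Timer and stops all further re-logins.` above the catch. The `new Date()` in `LOG.info("Validating Auth Token: {}", new Date())` duplicates the timestamp the logging layer already records and can be dropped. After a failed re-login the task only logs and alerts and then waits a full period; if the existing ticket expires in the meantime the service runs without valid credentials until the next tick, so a short retry after failure may be worth considering.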

http://git-wip-us.apache.org/repos/asf/falcon/blob/a6298f8a/docs/src/site/twiki/Security.twiki
----------------------------------------------------------------------
diff --git a/docs/src/site/twiki/Security.twiki b/docs/src/site/twiki/Security.twiki
index 7c4eb07..8955bdc 100644
--- a/docs/src/site/twiki/Security.twiki
+++ b/docs/src/site/twiki/Security.twiki
@@ -178,6 +178,9 @@ Following is the Server Side Configuration Setup for Authentication.
 # name node principal to talk to config store
 *.dfs.namenode.kerberos.principal=nn/_HOST@EXAMPLE.COM
 
+# Indicates how long (in seconds) falcon authentication token is valid before it has to be renewed.
+*.falcon.service.authentication.token.validity=86400
+
 ##### SPNEGO Configuration
 
 # Authentication type must be specified: simple|kerberos|<class>

http://git-wip-us.apache.org/repos/asf/falcon/blob/a6298f8a/metrics/src/main/java/org/apache/falcon/aspect/GenericAlert.java
----------------------------------------------------------------------
diff --git a/metrics/src/main/java/org/apache/falcon/aspect/GenericAlert.java b/metrics/src/main/java/org/apache/falcon/aspect/GenericAlert.java
index 2973347..321c769 100644
--- a/metrics/src/main/java/org/apache/falcon/aspect/GenericAlert.java
+++ b/metrics/src/main/java/org/apache/falcon/aspect/GenericAlert.java
@@ -92,6 +92,13 @@ public final class GenericAlert {
     }
     //RESUME CHECKSTYLE CHECK ParameterNumberCheck
 
+    @Monitored(event = "init-kerberos-failed")
+    public static String initializeKerberosFailed(
+            @Dimension(value = "message") String message,
+            @Dimension(value = "exception") Throwable throwable) {
+        return "IGNORE";
+    }
+
     @Monitored(event = "rerun-queue-failed")
     public static String alertRerunConsumerFailed(
             @Dimension(value = "message") String message,

http://git-wip-us.apache.org/repos/asf/falcon/blob/a6298f8a/src/conf/startup.properties
----------------------------------------------------------------------
diff --git a/src/conf/startup.properties b/src/conf/startup.properties
index 6bbd06e..64a7d27 100644
--- a/src/conf/startup.properties
+++ b/src/conf/startup.properties
@@ -153,6 +153,9 @@ prism.configstore.listeners=org.apache.falcon.entity.v0.EntityGraph,\
 # The kerberos names rules is to resolve kerberos principal names, refer to Hadoop's KerberosName for more details.
 *.falcon.http.authentication.kerberos.name.rules=DEFAULT
 
+# Indicates the validity time (in seconds) for kerberos token.
+*.falcon.service.authentication.token.validity=86400
+
 # Comma separated list of black listed users
 *.falcon.http.authentication.blacklisted.users=
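Review bot: The comment `# Indicates the validity time (in seconds) for kerberos token.` is misleading: the property controls how often Falcon re-logs in from its keytab (per the accompanying `AuthenticationInitializationService` change), while the actual ticket lifetime is granted by the KDC and is not changed by this setting. Suggest `# Interval (in seconds) at which Falcon re-logins from its keytab to refresh its Kerberos credentials. Keep it below the ticket lifetime issued by the KDC.` It is also worth noting that the value must be a positive integer, as non-numeric input is rejected at startup.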