Posted to commits@oozie.apache.org by an...@apache.org on 2012/03/29 02:20:25 UTC
svn commit: r1306655 - in /incubator/oozie/trunk: ./
client/src/main/java/org/apache/oozie/cli/
client/src/main/java/org/apache/oozie/client/ core/ core/src/main/conf/
core/src/main/resources/ docs/src/site/twiki/
Author: angeloh
Date: Thu Mar 29 00:20:24 2012
New Revision: 1306655
URL: http://svn.apache.org/viewvc?rev=1306655&view=rev
Log:
OOZIE-624 client side improvement of authentication for user defined options
Added:
incubator/oozie/trunk/docs/src/site/twiki/ENG_Custom_Authentication.twiki
Modified:
incubator/oozie/trunk/client/src/main/java/org/apache/oozie/cli/OozieCLI.java
incubator/oozie/trunk/client/src/main/java/org/apache/oozie/client/AuthOozieClient.java
incubator/oozie/trunk/client/src/main/java/org/apache/oozie/client/OozieClient.java
incubator/oozie/trunk/client/src/main/java/org/apache/oozie/client/XOozieClient.java
incubator/oozie/trunk/core/pom.xml
incubator/oozie/trunk/core/src/main/conf/oozie-site.xml
incubator/oozie/trunk/core/src/main/resources/oozie-default.xml
incubator/oozie/trunk/docs/src/site/twiki/DG_CommandLineTool.twiki
incubator/oozie/trunk/docs/src/site/twiki/ENG_MiniOozie.twiki
incubator/oozie/trunk/docs/src/site/twiki/index.twiki
incubator/oozie/trunk/release-log.txt
Modified: incubator/oozie/trunk/client/src/main/java/org/apache/oozie/cli/OozieCLI.java
URL: http://svn.apache.org/viewvc/incubator/oozie/trunk/client/src/main/java/org/apache/oozie/cli/OozieCLI.java?rev=1306655&r1=1306654&r2=1306655&view=diff
==============================================================================
--- incubator/oozie/trunk/client/src/main/java/org/apache/oozie/cli/OozieCLI.java (original)
+++ incubator/oozie/trunk/client/src/main/java/org/apache/oozie/cli/OozieCLI.java Thu Mar 29 00:20:24 2012
@@ -119,6 +119,8 @@ public class OozieCLI {
public static final String RERUN_REFRESH_OPTION = "refresh";
public static final String RERUN_NOCLEANUP_OPTION = "nocleanup";
+ public static final String AUTH_OPTION = "auth";
+
public static final String VERBOSE_OPTION = "verbose";
public static final String VERBOSE_DELIMITER = "\t";
@@ -171,6 +173,20 @@ public class OozieCLI {
return OOZIE_HELP;
}
+ /**
+ * Add authentication specific options to oozie cli
+ *
+ * @param options the collection of options to add auth options
+ */
+ protected void addAuthOptions(Options options) {
+ Option auth = new Option(AUTH_OPTION, true, "select authentication type [SIMPLE|KERBEROS]");
+ options.addOption(auth);
+ }
+
+ /**
+ * Create option for command line option 'admin'
+ * @return admin options
+ */
protected Options createAdminOptions() {
Option oozie = new Option(OOZIE_OPTION, true, "Oozie URL");
Option system_mode = new Option(SYSTEM_MODE_OPTION, true,
@@ -188,9 +204,14 @@ public class OozieCLI {
group.addOption(version);
group.addOption(queuedump);
adminOptions.addOptionGroup(group);
+ addAuthOptions(adminOptions);
return adminOptions;
}
+ /**
+ * Create option for command line option 'job'
+ * @return job options
+ */
protected Options createJobOptions() {
Option oozie = new Option(OOZIE_OPTION, true, "Oozie URL");
Option config = new Option(CONFIG_OPTION, true, "job configuration file '.xml' or '.properties'");
@@ -263,9 +284,14 @@ public class OozieCLI {
jobOptions.addOption(rerun_refresh);
jobOptions.addOption(rerun_nocleanup);
jobOptions.addOptionGroup(actions);
+ addAuthOptions(jobOptions);
return jobOptions;
}
+ /**
+ * Create option for command line option 'jobs'
+ * @return jobs options
+ */
protected Options createJobsOptions() {
Option oozie = new Option(OOZIE_OPTION, true, "Oozie URL");
Option start = new Option(OFFSET_OPTION, true, "jobs offset (default '1')");
@@ -289,9 +315,14 @@ public class OozieCLI {
jobsOptions.addOption(filter);
jobsOptions.addOption(jobtype);
jobsOptions.addOption(verbose);
+ addAuthOptions(jobsOptions);
return jobsOptions;
}
+ /**
+ * Create option for command line option 'sla'
+ * @return sla options
+ */
protected Options createSlaOptions() {
Option oozie = new Option(OOZIE_OPTION, true, "Oozie URL");
Option start = new Option(OFFSET_OPTION, true, "start offset (default '0')");
@@ -302,9 +333,15 @@ public class OozieCLI {
slaOptions.addOption(start);
slaOptions.addOption(len);
slaOptions.addOption(oozie);
+ addAuthOptions(slaOptions);
return slaOptions;
}
+ /**
+ * Create option for command line option 'pig'
+ * @return pig options
+ */
+ @SuppressWarnings("static-access")
protected Options createPigOptions() {
Option oozie = new Option(OOZIE_OPTION, true, "Oozie URL");
Option config = new Option(CONFIG_OPTION, true, "job configuration file '.properties'");
@@ -318,6 +355,7 @@ public class OozieCLI {
pigOptions.addOption(config);
pigOptions.addOption(property);
pigOptions.addOption(pigFile);
+ addAuthOptions(pigOptions);
return pigOptions;
}
@@ -540,6 +578,17 @@ public class OozieCLI {
}
/**
+ * Get auth option from command line
+ *
+ * @param commandLine the command line object
+ * @return auth option
+ */
+ protected String getAuthOption(CommandLine commandLine) {
+ String authOpt = commandLine.getOptionValue(AUTH_OPTION);
+ return authOpt;
+ }
+
+ /**
* Create a OozieClient.
* <p/>
* It injects any '-Dheader:' as header to the the {@link org.apache.oozie.client.OozieClient}.
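Review bot: The Javadoc on `getAuthOption` does not say that the method returns null when `-auth` is absent, although the caller passes the result straight to `AuthOozieClient`, which treats null as "no explicit choice". Assuming `CommandLine` is the Commons CLI class, `getOptionValue` returns null for a missing option, so I would document it as `@return the value of the 'auth' option, or null if it was not given`. The temporary `authOpt` adds nothing; the body can be `return commandLine.getOptionValue(AUTH_OPTION);`.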
@@ -562,7 +611,7 @@ public class OozieCLI {
* @throws OozieCLIException thrown if the XOozieClient could not be configured.
*/
protected XOozieClient createXOozieClient(CommandLine commandLine) throws OozieCLIException {
- XOozieClient wc = new AuthOozieClient(getOozieUrl(commandLine));
+ XOozieClient wc = new AuthOozieClient(getOozieUrl(commandLine), getAuthOption(commandLine));
addHeader(wc);
setDebugMode(wc);
return wc;
Modified: incubator/oozie/trunk/client/src/main/java/org/apache/oozie/client/AuthOozieClient.java
URL: http://svn.apache.org/viewvc/incubator/oozie/trunk/client/src/main/java/org/apache/oozie/client/AuthOozieClient.java?rev=1306655&r1=1306654&r2=1306655&view=diff
==============================================================================
--- incubator/oozie/trunk/client/src/main/java/org/apache/oozie/client/AuthOozieClient.java (original)
+++ incubator/oozie/trunk/client/src/main/java/org/apache/oozie/client/AuthOozieClient.java Thu Mar 29 00:20:24 2012
@@ -17,11 +17,6 @@
*/
package org.apache.oozie.client;
-import org.apache.hadoop.security.authentication.client.AuthenticatedURL;
-import org.apache.hadoop.security.authentication.client.AuthenticationException;
-import org.apache.hadoop.security.authentication.client.Authenticator;
-import org.apache.hadoop.security.authentication.client.KerberosAuthenticator;
-
import java.io.BufferedReader;
import java.io.File;
import java.io.FileReader;
@@ -30,6 +25,14 @@ import java.io.IOException;
import java.io.Writer;
import java.net.HttpURLConnection;
import java.net.URL;
+import java.util.HashMap;
+import java.util.Map;
+
+import org.apache.hadoop.security.authentication.client.AuthenticatedURL;
+import org.apache.hadoop.security.authentication.client.AuthenticationException;
+import org.apache.hadoop.security.authentication.client.Authenticator;
+import org.apache.hadoop.security.authentication.client.KerberosAuthenticator;
+import org.apache.hadoop.security.authentication.client.PseudoAuthenticator;
/**
* This subclass of {@link XOozieClient} supports Kerberos HTTP SPNEGO and simple authentication.
@@ -54,13 +57,30 @@ public class AuthOozieClient extends XOo
*/
public static final File AUTH_TOKEN_CACHE_FILE = new File(System.getProperty("user.home"), ".oozie-auth-token");
+ public static enum AuthType {
+ KERBEROS, SIMPLE
+ }
+
+ private String authOption = null;
+
/**
* Create an instance of the AuthOozieClient.
*
* @param oozieUrl the Oozie URL
*/
public AuthOozieClient(String oozieUrl) {
+ this(oozieUrl, null);
+ }
+
+ /**
+ * Create an instance of the AuthOozieClient.
+ *
+ * @param oozieUrl the Oozie URL
+ * @param authOption the auth option
+ */
+ public AuthOozieClient(String oozieUrl, String authOption) {
super(oozieUrl);
+ this.authOption = authOption;
}
/**
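Review bot: The new constructor documents its second parameter only as "the auth option", which leaves the accepted values and the meaning of null to be discovered in `getAuthenticator()`. Going by the lookup shown later in this commit, something like `@param authOption authentication type name (SIMPLE or KERBEROS, case-insensitive); null selects the system-property/default authenticator` would cover it. In the lines shown the field is assigned only in the constructor, so `private final String authOption;` would state that intent, provided nothing outside the hunk reassigns it.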
@@ -117,8 +137,8 @@ public class AuthOozieClient extends XOo
writeAuthToken(currentToken);
}
HttpURLConnection conn = super.createConnection(url, method);
-
AuthenticatedURL.injectToken(conn, currentToken);
+
return conn;
}
@@ -148,7 +168,7 @@ public class AuthOozieClient extends XOo
}
/**
- * Write the current authenthication token to the user home directory.
+ * Write the current authentication token to the user home directory.authOption
* <p/>
* The file is written with user only read/write permissions.
* <p/>
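Review bot: The corrected Javadoc sentence now ends with a stray `authOption` token ("...to the user home directory.authOption"), which looks like a paste accident introduced alongside the spelling fix. The line should read `* Write the current authentication token to the user home directory.`. The rest of this Javadoc block and the method it documents lie outside the hunk.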
@@ -166,7 +186,7 @@ public class AuthOozieClient extends XOo
AUTH_TOKEN_CACHE_FILE.setReadable(true, true);
AUTH_TOKEN_CACHE_FILE.setWritable(true, true);
}
- catch (Exception ex) {
+ catch (IOException ioe) {
// if case of any error we just delete the cache, if user-only
// write permissions are not properly set a security exception
// is thrown and the file will be deleted.
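Review bot: Narrowing the handler from `catch (Exception ex)` to `catch (IOException ioe)` contradicts the comment directly below it, which relies on a security exception leading to deletion of the token cache. `SecurityException` is unchecked and is not an `IOException`, so a failure in `setReadable`/`setWritable` would now propagate and leave the freshly written token file on disk instead of being cleaned up. I would keep a second arm such as `catch (SecurityException se)` that takes the same delete path. The boolean results of `AUTH_TOKEN_CACHE_FILE.setReadable(true, true)` and `setWritable(true, true)` are also ignored, so a false return should be treated as a failure too. The `try` opens and the handler body ends outside this hunk.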
@@ -177,20 +197,54 @@ public class AuthOozieClient extends XOo
/**
* Return the Hadoop-auth Authenticator to use.
* <p/>
- * It looks for value of the {@link #AUTHENTICATOR_CLASS_SYS_PROP} Java system property, if not set it uses
+ * It first looks for value of command line option 'auth', if not set it continues to check
+ * {@link #AUTHENTICATOR_CLASS_SYS_PROP} Java system property for Authenticator.
+ * <p/>
+ * It the value of the {@link #AUTHENTICATOR_CLASS_SYS_PROP} is not set it uses
* Hadoop-auth <code>KerberosAuthenticator</code> which supports both Kerberos HTTP SPNEGO and Pseudo/simple
* authentication.
*
* @return the Authenticator to use, <code>NULL</code> if none.
*
- * @throws OozieClientException thrown if the authenticator could not be instatiated.
+ * @throws OozieClientException thrown if the authenticator could not be instantiated.
*/
protected Authenticator getAuthenticator() throws OozieClientException {
+ if (authOption != null) {
+ try {
+ Class<? extends Authenticator> authClass = getAuthenticators().get(authOption.toUpperCase());
+ if (authClass == null) {
+ throw new OozieClientException(OozieClientException.AUTHENTICATION,
+ "Authenticator class not found [" + authClass + "]");
+ }
+ return authClass.newInstance();
+ }
+ catch (IllegalArgumentException iae) {
+ throw new OozieClientException(OozieClientException.AUTHENTICATION, "Invalid options provided for auth: " + authOption
+ + ", (" + AuthType.KERBEROS + " or " + AuthType.SIMPLE + " expected.)");
+ }
+ catch (InstantiationException ex) {
+ throw new OozieClientException(OozieClientException.AUTHENTICATION,
+ "Could not instantiate Authenticator for option [" + authOption + "], " +
+ ex.getMessage(), ex);
+ }
+ catch (IllegalAccessException ex) {
+ throw new OozieClientException(OozieClientException.AUTHENTICATION,
+ "Could not instantiate Authenticator for option [" + authOption + "], " +
+ ex.getMessage(), ex);
+ }
+
+ }
+
String className = System.getProperty(AUTHENTICATOR_CLASS_SYS_PROP, KerberosAuthenticator.class.getName());
if (className != null) {
try {
ClassLoader cl = Thread.currentThread().getContextClassLoader();
- Class klass = (cl != null) ? cl.loadClass(className) : getClass().getClassLoader().loadClass(className);
+ Class<? extends Object> klass = (cl != null) ? cl.loadClass(className) :
+ getClass().getClassLoader().loadClass(className);
+ if (klass == null) {
+ throw new OozieClientException(OozieClientException.AUTHENTICATION,
+ "Authenticator class not found [" + className + "]");
+ }
return (Authenticator) klass.newInstance();
}
catch (Exception ex) {
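Review bot: An unrecognised `-auth` value is reported as `Authenticator class not found [null]`, because the null branch concatenates `authClass` (null at that point) rather than `authOption`. The `catch (IllegalArgumentException iae)` arm that holds the useful "Invalid options provided for auth" text looks unreachable, since `Map.get` does not throw that exception. I would throw that message from the null branch with `authOption` in it and drop the dead catch. `authOption.toUpperCase()` is locale-sensitive (under a Turkish default locale `simple` upper-cases with a dotted `İ` and would miss the key); `authOption.toUpperCase(Locale.ENGLISH)` avoids that. The added `klass == null` check also appears dead, since `loadClass` throws instead of returning null, and the exception it raises would be caught by the `catch (Exception ex)` that follows; the method continues past the hunk.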
@@ -205,4 +259,31 @@ public class AuthOozieClient extends XOo
}
}
+ /**
+ * Get the map for classes of Authenticator.
+ * Default values are:
+ * null -> KerberosAuthenticator
+ * SIMPLE -> PseudoAuthenticator
+ * KERBEROS -> KerberosAuthenticator
+ *
+ * @return the map for classes of Authenticator
+ * @throws OozieClientException
+ */
+ protected Map<String, Class<? extends Authenticator>> getAuthenticators() {
+ Map<String, Class<? extends Authenticator>> authClasses = new HashMap<String, Class<? extends Authenticator>>();
+ authClasses.put(AuthType.KERBEROS.toString(), KerberosAuthenticator.class);
+ authClasses.put(AuthType.SIMPLE.toString(), PseudoAuthenticator.class);
+ authClasses.put(null, KerberosAuthenticator.class);
+ return authClasses;
+ }
+
+ /**
+ * Get authOption
+ *
+ * @return the authOption
+ */
+ public String getAuthOption() {
+ return authOption;
+ }
+
}
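Review bot: `getAuthenticators()` maps `KERBEROS` to `KerberosAuthenticator`, the same class used when no option is given. The Javadoc of `getAuthenticator()` in this commit describes that class as supporting both Kerberos HTTP SPNEGO and pseudo/simple authentication, so `-auth KERBEROS` may not restrict the client to Kerberos only, even though the CLI documentation added here says the option runs "the specified authentication mechanism only". If a fallback to pseudo authentication is possible (to be confirmed against hadoop-auth), that deserves a Javadoc line here such as `KERBEROS -> KerberosAuthenticator (may fall back to pseudo/simple if the server does not negotiate SPNEGO)`, or a stricter authenticator for the explicit case. The Javadoc also lists `@throws OozieClientException`, which the signature does not declare. The `null` key is never looked up by `getAuthenticator()`, which only consults the map when `authOption != null`.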
Modified: incubator/oozie/trunk/client/src/main/java/org/apache/oozie/client/OozieClient.java
URL: http://svn.apache.org/viewvc/incubator/oozie/trunk/client/src/main/java/org/apache/oozie/client/OozieClient.java?rev=1306655&r1=1306654&r2=1306655&view=diff
==============================================================================
--- incubator/oozie/trunk/client/src/main/java/org/apache/oozie/client/OozieClient.java (original)
+++ incubator/oozie/trunk/client/src/main/java/org/apache/oozie/client/OozieClient.java Thu Mar 29 00:20:24 2012
@@ -1181,7 +1181,6 @@ public class OozieClient {
*
* @param start starting offset
* @param len number of results
- * @return
* @throws OozieClientException
*/
public void getSlaInfo(int start, int len) throws OozieClientException {
Modified: incubator/oozie/trunk/client/src/main/java/org/apache/oozie/client/XOozieClient.java
URL: http://svn.apache.org/viewvc/incubator/oozie/trunk/client/src/main/java/org/apache/oozie/client/XOozieClient.java?rev=1306655&r1=1306654&r2=1306655&view=diff
==============================================================================
--- incubator/oozie/trunk/client/src/main/java/org/apache/oozie/client/XOozieClient.java (original)
+++ incubator/oozie/trunk/client/src/main/java/org/apache/oozie/client/XOozieClient.java Thu Mar 29 00:20:24 2012
@@ -6,9 +6,9 @@
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
- *
+ *
* http://www.apache.org/licenses/LICENSE-2.0
- *
+ *
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
@@ -47,7 +47,7 @@ public class XOozieClient extends OozieC
public static final String FILES = "oozie.files";
public static final String ARCHIVES = "oozie.archives";
-
+
public static final String IS_PROXY_SUBMISSION = "oozie.proxysubmission";
protected XOozieClient() {
@@ -115,7 +115,7 @@ public class XOozieClient extends OozieC
String newLibPath = NN + libPath;
conf.setProperty(LIBPATH, newLibPath);
}
-
+
conf.setProperty(IS_PROXY_SUBMISSION, "true");
}
@@ -188,7 +188,7 @@ public class XOozieClient extends OozieC
* set LIBPATH for HTTP submission job.
*
* @param conf Configuration object.
- * @param path lib HDFS path.
+ * @param pathStr lib HDFS path.
*/
public void setLib(Properties conf, String pathStr) {
conf.setProperty(LIBPATH, pathStr);
Modified: incubator/oozie/trunk/core/pom.xml
URL: http://svn.apache.org/viewvc/incubator/oozie/trunk/core/pom.xml?rev=1306655&r1=1306654&r2=1306655&view=diff
==============================================================================
--- incubator/oozie/trunk/core/pom.xml (original)
+++ incubator/oozie/trunk/core/pom.xml Thu Mar 29 00:20:24 2012
@@ -49,6 +49,12 @@
<groupId>org.apache.oozie</groupId>
<artifactId>oozie-client</artifactId>
<scope>compile</scope>
+ <exclusions>
+ <exclusion>
+ <groupId>org.apache.hadoop</groupId>
+ <artifactId>hadoop-auth</artifactId>
+ </exclusion>
+ </exclusions>
</dependency>
<dependency>
@@ -179,12 +185,6 @@
</dependency>
<dependency>
- <groupId>org.apache.hadoop</groupId>
- <artifactId>hadoop-auth</artifactId>
- <scope>compile</scope>
- </dependency>
-
- <dependency>
<groupId>com.icegreen</groupId>
<artifactId>greenmail</artifactId>
<scope>test</scope>
@@ -244,6 +244,12 @@
<scope>test</scope>
</dependency>
+ <dependency>
+ <groupId>org.apache.hadoop</groupId>
+ <artifactId>hadoop-auth</artifactId>
+ <scope>compile</scope>
+ </dependency>
+
</dependencies>
<build>
Modified: incubator/oozie/trunk/core/src/main/conf/oozie-site.xml
URL: http://svn.apache.org/viewvc/incubator/oozie/trunk/core/src/main/conf/oozie-site.xml?rev=1306655&r1=1306654&r2=1306655&view=diff
==============================================================================
--- incubator/oozie/trunk/core/src/main/conf/oozie-site.xml (original)
+++ incubator/oozie/trunk/core/src/main/conf/oozie-site.xml Thu Mar 29 00:20:24 2012
@@ -321,6 +321,15 @@
</description>
</property>
+ <property>
+ <name>oozie.authentication.kerberos.name.rules</name>
+ <value>DEFAULT</value>
+ <description>
+ The kerberos names rules is to resolve kerberos principal names, refer to Hadoop's
+ KerberosName for more details.
+ </description>
+ </property>
+
<!-- Proxyuser Configuration -->
<!--
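Review bot: The description of `oozie.authentication.kerberos.name.rules` does not say what `DEFAULT` does or when an operator would need to change it. That matters because these rules decide which short user name a Kerberos principal resolves to on the server. I would expand the description along the lines of `Rules used to map Kerberos principal names to short user names; DEFAULT applies Hadoop's built-in mapping for the default realm. See Hadoop's KerberosName for the rule syntax.`, with the wording about the default realm confirmed against Hadoop's documentation. The identical property text is added in the oozie-default.xml hunk and would want the same change.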
Modified: incubator/oozie/trunk/core/src/main/resources/oozie-default.xml
URL: http://svn.apache.org/viewvc/incubator/oozie/trunk/core/src/main/resources/oozie-default.xml?rev=1306655&r1=1306654&r2=1306655&view=diff
==============================================================================
--- incubator/oozie/trunk/core/src/main/resources/oozie-default.xml (original)
+++ incubator/oozie/trunk/core/src/main/resources/oozie-default.xml Thu Mar 29 00:20:24 2012
@@ -1545,6 +1545,16 @@
Referring to the same keytab file Oozie uses for its Kerberos credentials for Hadoop.
</description>
</property>
+
+ <property>
+ <name>oozie.authentication.kerberos.name.rules</name>
+ <value>DEFAULT</value>
+ <description>
+ The kerberos names rules is to resolve kerberos principal names, refer to Hadoop's
+ KerberosName for more details.
+ </description>
+ </property>
+
<!-- Coordinator Actions default length -->
<property>
<name>oozie.coord.actions.default.length</name>
Modified: incubator/oozie/trunk/docs/src/site/twiki/DG_CommandLineTool.twiki
URL: http://svn.apache.org/viewvc/incubator/oozie/trunk/docs/src/site/twiki/DG_CommandLineTool.twiki?rev=1306655&r1=1306654&r2=1306655&view=diff
==============================================================================
--- incubator/oozie/trunk/docs/src/site/twiki/DG_CommandLineTool.twiki (original)
+++ incubator/oozie/trunk/docs/src/site/twiki/DG_CommandLineTool.twiki Thu Mar 29 00:20:24 2012
@@ -26,6 +26,7 @@ usage:
.
oozie job <OPTIONS> : job operations
-action <arg> coordinator rerun on action ids (requires -rerun); coordinator log retrieval on action ids (requires -log)
+ -auth <arg> select authentication type [SIMPLE|KERBEROS]
-change <arg> change a coordinator/bundle job
-config <arg> job configuration file '.xml' or '.properties'
-D <property=value> set/override value for given property
@@ -55,6 +56,7 @@ usage:
-verbose verbose mode
.
oozie jobs <OPTIONS> : jobs status
+ -auth <arg> select authentication type [SIMPLE|KERBEROS]
-doas <arg> doAs user, impersonates as the specified user.
-filter <arg> user=<U>;name=<N>;group=<G>;status=<S>;...
-jobtype <arg> job type ('Supported in Oozie-2.0 or later versions ONLY -
@@ -66,7 +68,8 @@ usage:
-verbose verbose mode
.
oozie admin <OPTIONS> : admin operations
- -doas <arg> doAs user, impersonates as the specified user.
+ -auth <arg> select authentication type [SIMPLE|KERBEROS]
+ -doas <arg> doAs user, impersonates as the specified user.
-oozie <arg> Oozie URL
-queuedump show Oozie server queue elements
-status show the current system status
@@ -77,11 +80,13 @@ usage:
oozie validate <ARGS> : validate a workflow XML file
.
oozie sla <OPTIONS> : sla operations (Supported in Oozie-2.0 or later)
- -len <arg> number of results (default '100')
- -offset <arg> start offset (default '0')
- -oozie <arg> Oozie URL
+ -auth <arg> select authentication type [SIMPLE|KERBEROS]
+ -len <arg> number of results (default '100')
+ -offset <arg> start offset (default '0')
+ -oozie <arg> Oozie URL
.
oozie pig <OPTIONS> -X <ARGS> : submit a pig job, everything after '-X' are pass-through parameters to pig
+ -auth <arg> select authentication type [SIMPLE|KERBEROS]
-doas <arg> doAs user, impersonates as the specified user.
-config <arg> job configuration file '.properties'
-D <property=value> set/override value for given property
@@ -96,6 +101,9 @@ usage:
The =oozie= CLI automatically perform authentication if the Oozie server requests it. By default it supports both
pseudo/simple authentication and Kerberos HTTP SPNEGO authentication.
+To perform a specific authentication, the =auth= option with authentication type requests Oozie client to run the
+specified authentication mechanism only. Oozie client provides two types =simple= and =kerberos= which supports =pseudo/simple= and =Kerberos=.
+
For pseudo/simple authentication the =oozie= CLI uses the user name of the current OS user.
For Kerberos HTTP SPNEGO authentication the =oozie= CLI uses the default principal for the OS Kerberos cache
Added: incubator/oozie/trunk/docs/src/site/twiki/ENG_Custom_Authentication.twiki
URL: http://svn.apache.org/viewvc/incubator/oozie/trunk/docs/src/site/twiki/ENG_Custom_Authentication.twiki?rev=1306655&view=auto
==============================================================================
--- incubator/oozie/trunk/docs/src/site/twiki/ENG_Custom_Authentication.twiki (added)
+++ incubator/oozie/trunk/docs/src/site/twiki/ENG_Custom_Authentication.twiki Thu Mar 29 00:20:24 2012
@@ -0,0 +1,145 @@
+<noautolink>
+
+[[index][::Go back to Oozie Documentation Index::]]
+
+---+!! Creating Custom Authentication
+
+%TOC%
+
+---++ Hadoop-Auth Authentication Interfaces and classes
+
+1. =org.apache.hadoop.security.authentication.client.Authenticator:= Interface for client authentication mechanisms.
+
+The following authenticators are provided in hadoop-auth:
+
+ * KerberosAuthenticator : the authenticator implements the Kerberos SPNEGO authentication sequence.
+ * PseudoAuthenticator : the authenticator implementation provides an authentication equivalent to Hadoop's Simple authentication, it trusts the value of the 'user.name' Java System property.
+
+2. =org.apache.hadoop.security.authentication.server.AuthenticationHandler:= Interface for server authentication mechanisms.
+
+ * KerberosAuthenticationHandler : the authenticator handler implements the Kerberos SPNEGO authentication mechanism for HTTP.
+ * PseudoAuthenticationHandler : the authenticator handler provides a pseudo authentication mechanism that accepts the user name specified as a query string parameter.
+
+3. =org.apache.hadoop.security.authentication.server.AuthenticationFilter:= A servlet filter enables protecting web application resources with different authentication mechanisms provided by AuthenticationHandler. To enable the filter, web application resources file (ex. web.xml) needs to include the a filter class derived from =AuthenticationFilter=.
+
+---++ Provide Custom Client Authenticator
+
+In client side, a custom authentication requires a extended =Authenticator= to retrieve authentication token or certificate and set it to 'token' instance in method 'authenticate()'.
+
+The following methods should be overriden by derived Authenticator.
+<verbatim>
+
+ public void authenticate(URL url, AuthenticatedURL.Token token)
+ throws IOException, AuthenticationException {
+
+ TheAuthenticatorConf conf = TheAuthenticatorConf();
+
+ HttpURLConnection conn = (HttpURLConnection) url.openConnection();
+ conn.setRequestMethod("OPTIONS");
+
+ //Depending on actual authenticationovide Custom Authentication to Oozie Server
+
+Eclipse and IntelliJ can use directly MiniOozie Maven project files. MiniOozie project can be imported to
+Eclipse and IntelliJ as independent project.
+
+overriden methods
+<verbatim>
+ mechanism, retrieve the cert string or token.
+ String encodedStr = URLEncoder.encode(aCertString, "UTF-8");
+ // set to cookie with a key that can be recognized later in the server side.
+ conn.addRequestProperty("Cookie", "NEWAUTH=" + encodedStr);
+
+ // extract token from connection and set to token
+ AuthenticatedURL.extractToken(conn, token);
+
+ }
+</verbatim>
+
+The following shows an example of a singleton class which can be used at a class of Authenticator to set and get configuration which is required for authentication purpose.
+
+<verbatim>
+ public static class TheAuthenticatorConf {
+ private static final TheAuthenticatorConf instance = new TheAuthenticatorConf();
+ private final Map<String, String> map = new HashMap<String, String>();
+
+ private TheAuthenticatorConf() {
+ }
+
+ public static TheAuthenticatorConf getInstance() {
+ return instance;
+ }
+
+ public void put(String key, String value) {
+ map.put(key, value);
+ }
+
+ public String get(String key) {
+ return map.get(key);
+ }
+
+ public void clear() {
+ map.clear();
+ }
+ }
+</verbatim>
+
+---++ Provide Custom Authentication to Oozie Client
+
+Apache Oozie contains a default class =org.apache.oozie.client.AuthOozieClient= to support Kerberos HTTP SPNEGO authentication, pseudo/simple authentication and anonymous access for client connections.
+
+To provide other authentication mechanisms, a Oozie client should extend from =AuthOozieClient= and provide the following methods should be overriden by derived classes to provide custom authentication:
+
+ * getAuthenticator() : return corresponding Authenticator based on value specified by user at =auth= command option.
+ * createConnection() : create a singleton class at Authenticator to allow client set and get key-value configuration for authentication.
+
+---++ Provide Custom Server AuthenticationHandler
+
+In server side, a custom authentication requires a extended AuthenticationHandler to retrieve authentication token or certificate from http request and verify it. After successful verification, an =AuthenticationToken= is created with user name and current authentication type. With this token, this request can be proceeded for response.
+
+The following methods should be overriden by derived AuthenticationHandler.
+<verbatim>
+
+ public AuthenticationToken authenticate(HttpServletRequest request, HttpServletResponse response)
+ throws IOException, AuthenticationException {
+
+ // the certificate or token can be retrieved from request and verified.
+
+ // use the information from the legal certificate or token to create AuthenticationToken
+ AuthenticationToken token = new AuthenticationToken(userName, principal, type);
+
+ return token;
+ }
+</verbatim>
+
+---++ Provide Custom Authentication to Oozie Server
+
+To accept custom authentication in Oozie server, a filter extends from AuthenticationFilter must be provided. This filter delegates to the configured authentication handler for authentication and once it obtains an =AuthenticationToken= from it, sets a signed HTTP cookie with the token. If HTTP cookie is provided with different key name, its cookie value can be retrieved by overriding =getToken()= method. Please note, only when =getToken()= return NULL, a custom authentication can be invoked and processed in =AuthenticationFilter.doFilter()=.
+
+The following method explains how to read it and return NULL token.
+<verbatim>
+protected AuthenticationToken getToken(HttpServletRequest request) throws IOException, AuthenticationException {
+ String tokenStr = null;
+ Cookie[] cookies = request.getCookies();
+
+ if (cookies != null) {
+ for (Cookie cookie : cookies) {
+ if (cookie.getName().equals(AuthenticatedURL.AUTH_COOKIE)) {
+ tokenStr = cookie.getValue();
+ LOG.info("Got 'hadoop.auth' cookie from request = " + tokenStr);
+ if (tokenStr != null && !tokenStr.trim().isEmpty()) {
+ AuthenticationToken retToken = super.getToken(request);
+ return retToken;
+ }
+ } else if (cookie.getName().equals("NEWAUTH")) {
+ tokenStr = cookie.getValue();
+ // DO NOT return the token string so request can authenticated.
+ }
+ }
+ }
+ return null;
+ }
+</verbatim>
+
+[[index][::Go back to Oozie Documentation Index::]]
+
+</noautolink>
\ No newline at end of file
Modified: incubator/oozie/trunk/docs/src/site/twiki/ENG_MiniOozie.twiki
URL: http://svn.apache.org/viewvc/incubator/oozie/trunk/docs/src/site/twiki/ENG_MiniOozie.twiki?rev=1306655&r1=1306654&r2=1306655&view=diff
==============================================================================
--- incubator/oozie/trunk/docs/src/site/twiki/ENG_MiniOozie.twiki (original)
+++ incubator/oozie/trunk/docs/src/site/twiki/ENG_MiniOozie.twiki Thu Mar 29 00:20:24 2012
@@ -1,3 +1,5 @@
+<noautolink>
+
[[index][::Go back to Oozie Documentation Index::]]
---+!! Running MiniOozie Tests
Modified: incubator/oozie/trunk/docs/src/site/twiki/index.twiki
URL: http://svn.apache.org/viewvc/incubator/oozie/trunk/docs/src/site/twiki/index.twiki?rev=1306655&r1=1306654&r2=1306655&view=diff
==============================================================================
--- incubator/oozie/trunk/docs/src/site/twiki/index.twiki (original)
+++ incubator/oozie/trunk/docs/src/site/twiki/index.twiki Thu Mar 29 00:20:24 2012
@@ -92,4 +92,8 @@ Oozie uses a modified version of the Apa
* [[ENG_MiniOozie][Testing User Oozie Applications Using MiniOozie]]
+---++ Oozie User Authentication Documentation
+
+ * [[ENG_Custom_Authentication][Create Custom Oozie Authentication]]
+
</noautolink>
Modified: incubator/oozie/trunk/release-log.txt
URL: http://svn.apache.org/viewvc/incubator/oozie/trunk/release-log.txt?rev=1306655&r1=1306654&r2=1306655&view=diff
==============================================================================
--- incubator/oozie/trunk/release-log.txt (original)
+++ incubator/oozie/trunk/release-log.txt Thu Mar 29 00:20:24 2012
@@ -1,5 +1,6 @@
-- Oozie 3.2.0 release
+OOZIE-624 client side improvement of authentication for user defined options
OOZIE-789 a few testcases using waitFor are timing out with YARN MiniCluster (tucu)
OOZIE-781 Xerces validator used by Java gets stuck during pattern matching (Virag via Mohammad)
OOZIE-788 JavaActionExecutor should not set yarn.resourcemanager.address (tucu)