Posted to commits@knox.apache.org by lm...@apache.org on 2013/06/03 21:34:37 UTC

git commit: added authenticate server and token granting services and various updates to the JWT code for HSSO POC

Updated Branches:
  refs/heads/master 0511c11b2 -> f68377ecc


added authenticate server and token granting services and various updates to the JWT code for HSSO POC

Project: http://git-wip-us.apache.org/repos/asf/incubator-knox/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-knox/commit/f68377ec
Tree: http://git-wip-us.apache.org/repos/asf/incubator-knox/tree/f68377ec
Diff: http://git-wip-us.apache.org/repos/asf/incubator-knox/diff/f68377ec

Branch: refs/heads/master
Commit: f68377eccda731dbc9ad5cc246ca930d97f7ade7
Parents: 0511c11
Author: Larry McCay <lm...@hortonworks.com>
Authored: Mon Jun 3 15:34:19 2013 -0400
Committer: Larry McCay <lm...@hortonworks.com>
Committed: Mon Jun 3 15:34:19 2013 -0400

----------------------------------------------------------------------
 .../provider/federation/jwt/JWTAuthority.java      |   19 ++++-
 .../gateway/provider/federation/jwt/JWTToken.java  |    2 +-
 .../jwt/filter/AccessTokenFederationFilter.java    |   33 ++++++---
 .../jwt/filter/JWTAccessTokenAssertionFilter.java  |   28 ++++++-
 .../federation/jwt/filter/JWTFederationFilter.java |   14 +++-
 gateway-release/pom.xml                            |   10 ++-
 gateway-service-as/pom.xml                         |   57 ++++++++++++++
 .../hadoop/gateway/as/ASDeploymentContributor.java |   58 +++++++++++++++
 ...oop.gateway.deploy.ServiceDeploymentContributor |   19 +++++
 gateway-service-tgs/pom.xml                        |   57 ++++++++++++++
 .../gateway/tgs/TGSDeploymentContributor.java      |   58 +++++++++++++++
 ...oop.gateway.deploy.ServiceDeploymentContributor |   19 +++++
 pom.xml                                            |   14 +++-
 13 files changed, 364 insertions(+), 24 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/f68377ec/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/JWTAuthority.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/JWTAuthority.java b/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/JWTAuthority.java
index 34c3713..d8c86ae 100644
--- a/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/JWTAuthority.java
+++ b/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/JWTAuthority.java
@@ -33,11 +33,21 @@ public class JWTAuthority {
   
   public JWTToken issueToken(Subject subject, String algorithm) {
     Principal p = (Principal) subject.getPrincipals().toArray()[0];
+    return issueToken(p, algorithm);
+  }
+  
+  public JWTToken issueToken(Principal p, String algorithm) {
+    return issueToken(p, null, algorithm);
+  }
+  
+  public JWTToken issueToken(Principal p, String audience, String algorithm) {
     String[] claimArray = new String[4];
-    claimArray[0] = "gateway";
+    claimArray[0] = "HSSO";
     claimArray[1] = p.getName();
-    // TODO: what do we need here and how do we determine what it should be?
-    claimArray[2] = "https://login.hadoop.example.org";
+    if (audience == null) {
+      audience = "HSSO";
+    }
+    claimArray[2] = audience;
     // TODO: make the validity period configurable
     claimArray[3] = Long.toString( ( System.currentTimeMillis()/1000 ) + 300);
 
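Review bot: The three-argument issueToken silently substitutes "HSSO" whenever audience is null, so any caller that fails to supply an audience mints a token that JWTFederationFilter accepts as an SSO token; getAccessToken in JWTAccessTokenAssertionFilter reaches this path whenever the `service-name` request parameter is absent. Only the two-argument overload should supply the default, and the three-argument one should reject a missing value: `return issueToken(p, "HSSO", algorithm);` in the two-argument overload, and `if (audience == null) { throw new IllegalArgumentException("audience"); }` in place of the fallback. The `algorithm` parameter is threaded through all three overloads but nothing in the hunk consumes it; if the remainder of the method uses it to pick a signing algorithm, it should be checked against a fixed set of supported values rather than passed through. issueToken's body continues outside the hunk.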
@@ -61,6 +71,9 @@ public class JWTAuthority {
   
   public boolean verifyToken(JWTToken token) {
     boolean rc = false;
+    
+    // TODO: interrogate the token for issuer claim in order to determine the public key to use for verification
+    // consider jwk for specifying the key too
     rc = crypto.verify("SHA256withRSA", "gateway-identity", token.getPayloadToSign(), token.getSignaturePayload());
     return rc;
   }
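Review bot: verifyToken pins the algorithm to "SHA256withRSA" and the key alias to "gateway-identity" regardless of what the token's header claims, which is the safe choice and deserves a comment so the new TODO is not later resolved by reading either from the token: `// algorithm and verification key are fixed server-side on purpose; never select them from the token's own header or an embedded jwk`. When the issuer-based lookup is implemented, the issuer claim should index a locally configured issuer-to-key map so an unknown issuer fails closed. Note also that this method checks only the signature: the expiry written into claim 3 by issueToken is not examined here, and both callers in this commit (AccessTokenFederationFilter and JWTFederationFilter) still carry a "TODO: validate expiration", so a signed token currently stays valid indefinitely.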

http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/f68377ec/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/JWTToken.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/JWTToken.java b/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/JWTToken.java
index 9adf46e..4ecf7bd 100644
--- a/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/JWTToken.java
+++ b/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/JWTToken.java
@@ -39,7 +39,7 @@ public class JWTToken {
   
   byte[] payload = null;
   
-  public JWTToken(byte[] header, byte[] claims, byte[] signature) {
+  private JWTToken(byte[] header, byte[] claims, byte[] signature) {
     try {
       this.header = new String(header, "UTF-8");
       this.claims = new String(claims, "UTF-8");

http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/f68377ec/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/filter/AccessTokenFederationFilter.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/filter/AccessTokenFederationFilter.java b/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/filter/AccessTokenFederationFilter.java
index 179d2ee..e067afc 100644
--- a/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/filter/AccessTokenFederationFilter.java
+++ b/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/filter/AccessTokenFederationFilter.java
@@ -34,7 +34,8 @@ import javax.servlet.ServletResponse;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
-import org.apache.hadoop.gateway.provider.federation.jwt.AccessToken;
+import org.apache.hadoop.gateway.provider.federation.jwt.JWTAuthority;
+import org.apache.hadoop.gateway.provider.federation.jwt.JWTToken;
 import org.apache.hadoop.gateway.services.GatewayServices;
 import org.apache.hadoop.gateway.services.security.CryptoService;
 
@@ -42,11 +43,14 @@ public class AccessTokenFederationFilter implements Filter {
   private static final String BEARER = "Bearer ";
   
   private CryptoService crypto = null;
+
+  private JWTAuthority authority;
   
   @Override
   public void init( FilterConfig filterConfig ) throws ServletException {
     GatewayServices services = (GatewayServices) filterConfig.getServletContext().getAttribute(GatewayServices.GATEWAY_SERVICES_ATTRIBUTE);
     crypto = (CryptoService) services.getService(GatewayServices.CRYPTO_SERVICE);
+    authority = new JWTAuthority(crypto);
   }
 
   public void destroy() {
@@ -58,16 +62,20 @@ public class AccessTokenFederationFilter implements Filter {
     if (header != null && header.startsWith(BEARER)) {
       // what follows the bearer designator should be the JWT token being used to request or as an access token
       String wireToken = header.substring(BEARER.length());
-      AccessToken token = AccessToken.parseToken(crypto, wireToken);
-// LJM TODO: replace with actual verification - should we do it in the authority? Probably.
-//      boolean verified = authority.verifyAccessToken(token);
-      boolean verified = true;
+      JWTToken token = JWTToken.parseToken(wireToken);
+      boolean verified = authority.verifyToken(token);
       if (verified) {
         // TODO: validate expiration
         // TODO: confirm that audience matches intended target
-        // TODO: verify that the user requesting access to the service/resource is authorized for it - need scopes?
-        Subject subject = createSubjectFromToken(token);
-        continueWithEstablishedSecurityContext(subject, (HttpServletRequest)request, (HttpServletResponse)response, chain);
+        if (token.getAudience().equals(getAudienceFromRequest(request))) {
+          // TODO: verify that the user requesting access to the service/resource is authorized for it - need scopes?
+          Subject subject = createSubjectFromToken(token);
+          continueWithEstablishedSecurityContext(subject, (HttpServletRequest)request, (HttpServletResponse)response, chain);
+        }
+        else {
+          ((HttpServletResponse) response).sendError(HttpServletResponse.SC_UNAUTHORIZED);
+          return; //break filter chain
+        }
       }
       else {
         ((HttpServletResponse) response).sendError(HttpServletResponse.SC_UNAUTHORIZED);
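Review bot: The result of JWTToken.parseToken is passed straight to authority.verifyToken and then to `token.getAudience().equals(...)` without a null check, whereas JWTAccessTokenAssertionFilter in this same commit does guard against parseToken returning null; a malformed Bearer value here would surface as a NullPointerException (HTTP 500) instead of the 401 the else branches intend, and a token with no audience claim would fail the same way. Keep the existing structure and fold the checks in: `boolean verified = token != null && authority.verifyToken(token);` and `if (getAudienceFromRequest(request).equals(token.getAudience())) {`. The surviving "TODO: validate expiration" matters more now that verification is real, because verifyToken checks only the signature and the exp claim issued 300 s out is never enforced. doFilter begins and ends outside the hunk.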
@@ -82,6 +90,11 @@ public class AccessTokenFederationFilter implements Filter {
     }
   }
   
+  private String getAudienceFromRequest(ServletRequest request) {
+    // TODO determine the audience value that would match the requested resource
+    return "HDFS";
+  }
+
   private void continueWithEstablishedSecurityContext(Subject subject, final HttpServletRequest request, final HttpServletResponse response, final FilterChain chain) throws IOException, ServletException {
     try {
       Subject.doAs(
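Review bot: getAudienceFromRequest returns the constant "HDFS" for every request, so the audience comparison added in doFilter currently admits an HDFS-scoped token to any service this filter fronts and gives no per-service isolation until the TODO is resolved. State that in the method comment so it is not mistaken for a working check: `// POC placeholder: a fixed audience means every token scoped to HDFS passes the audience check for every service behind this filter`. The eventual value should be derived from the deployed resource (for instance the service role the deployment contributor sets on it), not from anything the client sends.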
@@ -109,8 +122,8 @@ public class AccessTokenFederationFilter implements Filter {
     }
   }
   
-  private Subject createSubjectFromToken(AccessToken token) {
-    final String principal = token.getPrincipalName();
+  private Subject createSubjectFromToken(JWTToken token) {
+    final String principal = token.getPrincipal();
 
     HashSet emptySet = new HashSet();
     Set<Principal> principals = new HashSet<Principal>();
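Review bot: createSubjectFromToken now takes the name from token.getPrincipal() and uses it without a null check; if the parser can yield a token without a principal claim, the result would be a Subject built around a null name rather than a rejection. A guard at the top, `if (principal == null) { throw new IllegalArgumentException("token has no principal"); }`, keeps the failure explicit. The method's body continues outside the hunk, so I cannot see how the name is consumed further down.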

http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/f68377ec/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/filter/JWTAccessTokenAssertionFilter.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/filter/JWTAccessTokenAssertionFilter.java b/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/filter/JWTAccessTokenAssertionFilter.java
index f179932..db1fd2c 100644
--- a/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/filter/JWTAccessTokenAssertionFilter.java
+++ b/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/filter/JWTAccessTokenAssertionFilter.java
@@ -20,6 +20,7 @@ package org.apache.hadoop.gateway.provider.federation.jwt.filter;
 import java.io.IOException;
 import java.io.UnsupportedEncodingException;
 import java.security.AccessController;
+import java.security.Principal;
 import java.util.HashMap;
 
 import javax.security.auth.Subject;
@@ -32,7 +33,7 @@ import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
 import org.apache.hadoop.gateway.filter.security.AbstractIdentityAssertionFilter;
-import org.apache.hadoop.gateway.provider.federation.jwt.AccessToken;
+import org.apache.hadoop.gateway.provider.federation.jwt.JWTAuthority;
 import org.apache.hadoop.gateway.provider.federation.jwt.JWTToken;
 import org.apache.hadoop.gateway.services.GatewayServices;
 import org.apache.hadoop.gateway.services.security.CryptoService;
@@ -69,6 +70,14 @@ public class JWTAccessTokenAssertionFilter extends AbstractIdentityAssertionFilt
       // what follows the bearer designator should be the JWT token being used to request or as an access token
       String wireToken = header.substring(BEARER.length());
       JWTToken token = JWTToken.parseToken(wireToken);
+      // ensure that there is a valid jwt token available and that there isn't a misconfiguration of filters
+      if (token != null) {
+        JWTAuthority authority = new JWTAuthority(crypto);
+        authority.verifyToken(token);
+      }
+      else {
+        throw new ServletException("Expected JWT Token not provided as Bearer token");
+      }
       
       // authorization of the user for the requested service (and resource?) should have been done by
       // the JWTFederationFilter - once we get here we can assume that it is authorized and we just need
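Review bot: The return value of `authority.verifyToken(token)` on the new line is discarded, so a token with a bad or forged signature passes this check exactly as a good one does and the filter goes on to mint an access token for whatever principal it names. Since the stated purpose of the block is to catch a filter misconfiguration, a false result must fail the same way a missing token does: `if (token == null || !authority.verifyToken(token)) { throw new ServletException("Expected JWT Token not provided as Bearer token"); }` (a distinct message for the signature case would help diagnosis). The comment below assumes JWTFederationFilter already ran; that holds only if the filter ordering guarantees it, which this hunk cannot show. doFilter starts and ends outside the hunk.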
@@ -81,7 +90,8 @@ public class JWTAccessTokenAssertionFilter extends AbstractIdentityAssertionFilt
       // calculate expiration timestamp: validity * 1000 + currentTimeInMillis
       long expires = System.currentTimeMillis() + validity * 1000;
       
-      String accessToken = getAccessToken(principalName, expires);
+      String serviceName = request.getParameter("service-name");
+      String accessToken = getAccessToken(principalName, serviceName, expires);
       
       HashMap<String, Object> map = new HashMap<String, Object>();
       // TODO: populate map from JWT authorization code
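Review bot: serviceName is taken straight from the `service-name` request parameter and becomes the audience of the issued access token, so the client decides which service the token is scoped to and the value is never checked against anything. Validate it before use: reject a null or blank value with a 400, and compare it against the set of service roles actually deployed in the topology rather than accepting an arbitrary string. Even with that check, whether this user may obtain a token for that service is still an open TODO in the federation filters, so the parameter should be treated as a request, not an entitlement.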
@@ -104,10 +114,20 @@ public class JWTAccessTokenAssertionFilter extends AbstractIdentityAssertionFilt
     }
   }
 
-  private String getAccessToken(String principalName, long expires) {
+  private String getAccessToken(final String principalName, String serviceName, long expires) {
     String accessToken = null;
 
-    AccessToken token = new AccessToken(crypto, principalName, expires);
+    JWTAuthority authority = new JWTAuthority(crypto);
+    Principal p = new Principal() {
+
+      @Override
+      public String getName() {
+        // TODO Auto-generated method stub
+        return principalName;
+      }
+    };
+    JWTToken token = authority.issueToken(p, serviceName, "RS256");
+//    AccessToken token = new AccessToken(crypto, principalName, expires);
     accessToken = token.toString();
     
     return accessToken;
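Review bot: The `expires` parameter of getAccessToken is no longer used — the token's validity is now fixed at 300 seconds inside JWTAuthority.issueToken — while the caller still computes expires from validity and presumably reports it to the client, so the advertised expiry and the one signed into the token can disagree. Either pass expires through to the authority (an issueToken overload that takes the expiry) or drop the parameter and its computation until the authority's validity period is configurable. The anonymous Principal keeps an auto-generated `// TODO Auto-generated method stub` comment and the old AccessToken line survives as commented-out code; both should go. The `"RS256"` literal is a second hard-coded algorithm spelling next to verifyToken's "SHA256withRSA"; a shared constant would keep issuing and verification in step.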

http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/f68377ec/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/filter/JWTFederationFilter.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/filter/JWTFederationFilter.java b/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/filter/JWTFederationFilter.java
index 26f1d7b..29dbe5b 100644
--- a/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/filter/JWTFederationFilter.java
+++ b/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/filter/JWTFederationFilter.java
@@ -67,10 +67,16 @@ public class JWTFederationFilter implements Filter {
       boolean verified = authority.verifyToken(token);
       if (verified) {
         // TODO: validate expiration
-        // TODO: confirm that audience matches intended target
-        // TODO: verify that the user requesting access to the service/resource is authorized for it - need scopes?
-        Subject subject = createSubjectFromToken(token);
-        continueWithEstablishedSecurityContext(subject, (HttpServletRequest)request, (HttpServletResponse)response, chain);
+        // confirm that audience matches intended target - which for this filter must be HSSO
+        if (token.getAudience().equals("HSSO")) {
+          // TODO: verify that the user requesting access to the service/resource is authorized for it - need scopes?
+          Subject subject = createSubjectFromToken(token);
+          continueWithEstablishedSecurityContext(subject, (HttpServletRequest)request, (HttpServletResponse)response, chain);
+        }
+        else {
+          ((HttpServletResponse) response).sendError(HttpServletResponse.SC_UNAUTHORIZED);
+          return; //break filter chain
+        }
       }
       else {
         ((HttpServletResponse) response).sendError(HttpServletResponse.SC_UNAUTHORIZED);
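Review bot: `token.getAudience().equals("HSSO")` throws NullPointerException when the token carries no audience claim, turning what should be a 401 into a 500; write it as `if ("HSSO".equals(token.getAudience())) {`. The "HSSO" literal is also the default audience in JWTAuthority.issueToken and should be one shared constant so issuer and verifier cannot drift apart. As in AccessTokenFederationFilter, the expiration TODO remains, so signature-valid tokens are accepted regardless of age. doFilter starts and ends outside the hunk.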

http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/f68377ec/gateway-release/pom.xml
----------------------------------------------------------------------
diff --git a/gateway-release/pom.xml b/gateway-release/pom.xml
index b106c42..6af3da3 100644
--- a/gateway-release/pom.xml
+++ b/gateway-release/pom.xml
@@ -111,15 +111,23 @@
         </dependency>
         <dependency>
             <groupId>${gateway-group}</groupId>
+            <artifactId>gateway-service-as</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>${gateway-group}</groupId>
             <artifactId>gateway-service-hdfs</artifactId>
         </dependency>
         <dependency>
             <groupId>${gateway-group}</groupId>
+            <artifactId>gateway-service-oozie</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>${gateway-group}</groupId>
             <artifactId>gateway-service-templeton</artifactId>
         </dependency>
         <dependency>
             <groupId>${gateway-group}</groupId>
-            <artifactId>gateway-service-oozie</artifactId>
+            <artifactId>gateway-service-tgs</artifactId>
         </dependency>
         <dependency>
             <groupId>${gateway-group}</groupId>

http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/f68377ec/gateway-service-as/pom.xml
----------------------------------------------------------------------
diff --git a/gateway-service-as/pom.xml b/gateway-service-as/pom.xml
new file mode 100644
index 0000000..72883f9
--- /dev/null
+++ b/gateway-service-as/pom.xml
@@ -0,0 +1,57 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  Licensed to the Apache Software Foundation (ASF) under one or more
+  contributor license agreements.  See the NOTICE file distributed with
+  this work for additional information regarding copyright ownership.
+  The ASF licenses this file to You under the Apache License, Version 2.0
+  (the "License"); you may not use this file except in compliance with
+  the License.  You may obtain a copy of the License at
+
+      http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing, software
+  distributed under the License is distributed on an "AS IS" BASIS,
+  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  See the License for the specific language governing permissions and
+  limitations under the License.
+-->
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+    <parent>
+        <groupId>org.apache.hadoop</groupId>
+        <artifactId>gateway</artifactId>
+        <version>0.3.0-SNAPSHOT</version>
+    </parent>
+    <artifactId>gateway-service-as</artifactId>
+
+    <name>gateway-service-as</name>
+    <description>The extension to the gateway for authentication service.</description>
+
+    <licenses>
+        <license>
+            <name>The Apache Software License, Version 2.0</name>
+            <url>http://www.apache.org/licenses/LICENSE-2.0.txt</url>
+            <distribution>repo</distribution>
+        </license>
+    </licenses>
+
+    <dependencies>
+        <dependency>
+            <groupId>${gateway-group}</groupId>
+            <artifactId>gateway-spi</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>${gateway-group}</groupId>
+            <artifactId>gateway-provider-rewrite</artifactId>
+        </dependency>
+
+        <dependency>
+            <groupId>junit</groupId>
+            <artifactId>junit</artifactId>
+            <scope>test</scope>
+        </dependency>
+    </dependencies>
+
+</project>
\ No newline at end of file

http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/f68377ec/gateway-service-as/src/main/java/org/apache/hadoop/gateway/as/ASDeploymentContributor.java
----------------------------------------------------------------------
diff --git a/gateway-service-as/src/main/java/org/apache/hadoop/gateway/as/ASDeploymentContributor.java b/gateway-service-as/src/main/java/org/apache/hadoop/gateway/as/ASDeploymentContributor.java
new file mode 100644
index 0000000..de99866
--- /dev/null
+++ b/gateway-service-as/src/main/java/org/apache/hadoop/gateway/as/ASDeploymentContributor.java
@@ -0,0 +1,58 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.gateway.as;
+
+import org.apache.hadoop.gateway.deploy.DeploymentContext;
+import org.apache.hadoop.gateway.deploy.ServiceDeploymentContributorBase;
+import org.apache.hadoop.gateway.descriptor.ResourceDescriptor;
+import org.apache.hadoop.gateway.filter.rewrite.api.UrlRewriteRuleDescriptor;
+import org.apache.hadoop.gateway.filter.rewrite.api.UrlRewriteRulesDescriptor;
+import org.apache.hadoop.gateway.filter.rewrite.ext.UrlRewriteActionRewriteDescriptorExt;
+import org.apache.hadoop.gateway.topology.Service;
+
+import java.net.URISyntaxException;
+
+public class ASDeploymentContributor extends ServiceDeploymentContributorBase {
+
+  private static final String AS_EXTERNAL_PATH = "/authserver/api/v1";
+
+  @Override
+  public String getRole() {
+    return "AS";
+  }
+
+  @Override
+  public String getName() {
+    return "as";
+  }
+
+  @Override
+  public void contributeService( DeploymentContext context, Service service ) throws URISyntaxException {
+    ResourceDescriptor resource = context.getGatewayDescriptor().addResource();
+    resource.role( service.getRole() );
+    resource.pattern( AS_EXTERNAL_PATH + "/authenticate");
+    if (topologyContainsProviderType(context, "authentication")) {
+      context.contributeFilter( service, resource, "authentication", null, null );
+    }
+    if (topologyContainsProviderType(context, "federation")) {
+      context.contributeFilter( service, resource, "federation", null, null );
+    }
+    context.contributeFilter( service, resource, "identity-assertion", null, null );
+  }
+
+}
\ No newline at end of file
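Review bot: contributeService attaches the authentication and federation filters only when the topology happens to declare such a provider, so a topology that omits both publishes /authserver/api/v1/authenticate with only the identity-assertion filter in front of it; whether that fails safely or serves anonymous callers depends on that provider, and a token-issuing endpoint should not be left to that. Fail closed at deployment, after the two ifs: `if (!topologyContainsProviderType(context, "authentication") && !topologyContainsProviderType(context, "federation")) { throw new IllegalStateException("AS service requires an authentication or federation provider"); }`. TGSDeploymentContributor in this commit has the identical structure and needs the same guard. The three UrlRewrite* imports are unused, and a class Javadoc stating that this resource is the HSSO authentication endpoint fronted by the topology's providers would help a reader.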

http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/f68377ec/gateway-service-as/src/main/resources/META-INF/services/org.apache.hadoop.gateway.deploy.ServiceDeploymentContributor
----------------------------------------------------------------------
diff --git a/gateway-service-as/src/main/resources/META-INF/services/org.apache.hadoop.gateway.deploy.ServiceDeploymentContributor b/gateway-service-as/src/main/resources/META-INF/services/org.apache.hadoop.gateway.deploy.ServiceDeploymentContributor
new file mode 100644
index 0000000..5cca9ca
--- /dev/null
+++ b/gateway-service-as/src/main/resources/META-INF/services/org.apache.hadoop.gateway.deploy.ServiceDeploymentContributor
@@ -0,0 +1,19 @@
+##########################################################################
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+##########################################################################
+
+org.apache.hadoop.gateway.as.ASDeploymentContributor
\ No newline at end of file

http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/f68377ec/gateway-service-tgs/pom.xml
----------------------------------------------------------------------
diff --git a/gateway-service-tgs/pom.xml b/gateway-service-tgs/pom.xml
new file mode 100644
index 0000000..706e510
--- /dev/null
+++ b/gateway-service-tgs/pom.xml
@@ -0,0 +1,57 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  Licensed to the Apache Software Foundation (ASF) under one or more
+  contributor license agreements.  See the NOTICE file distributed with
+  this work for additional information regarding copyright ownership.
+  The ASF licenses this file to You under the Apache License, Version 2.0
+  (the "License"); you may not use this file except in compliance with
+  the License.  You may obtain a copy of the License at
+
+      http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing, software
+  distributed under the License is distributed on an "AS IS" BASIS,
+  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  See the License for the specific language governing permissions and
+  limitations under the License.
+-->
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+    <parent>
+        <groupId>org.apache.hadoop</groupId>
+        <artifactId>gateway</artifactId>
+        <version>0.3.0-SNAPSHOT</version>
+    </parent>
+    <artifactId>gateway-service-tgs</artifactId>
+
+    <name>gateway-service-tgs</name>
+    <description>The extension to the gateway for authentication service.</description>
+
+    <licenses>
+        <license>
+            <name>The Apache Software License, Version 2.0</name>
+            <url>http://www.apache.org/licenses/LICENSE-2.0.txt</url>
+            <distribution>repo</distribution>
+        </license>
+    </licenses>
+
+    <dependencies>
+        <dependency>
+            <groupId>${gateway-group}</groupId>
+            <artifactId>gateway-spi</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>${gateway-group}</groupId>
+            <artifactId>gateway-provider-rewrite</artifactId>
+        </dependency>
+
+        <dependency>
+            <groupId>junit</groupId>
+            <artifactId>junit</artifactId>
+            <scope>test</scope>
+        </dependency>
+    </dependencies>
+
+</project>
\ No newline at end of file
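Review bot: The description "The extension to the gateway for authentication service." is copied from the gateway-service-as POM; for this module it should describe the token granting service the commit message names, e.g. `<description>The extension to the gateway for the token granting service.</description>`. Both new POMs also lack a trailing newline, as the "\ No newline at end of file" markers show.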

http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/f68377ec/gateway-service-tgs/src/main/java/org/apache/hadoop/gateway/tgs/TGSDeploymentContributor.java
----------------------------------------------------------------------
diff --git a/gateway-service-tgs/src/main/java/org/apache/hadoop/gateway/tgs/TGSDeploymentContributor.java b/gateway-service-tgs/src/main/java/org/apache/hadoop/gateway/tgs/TGSDeploymentContributor.java
new file mode 100644
index 0000000..e2ac618
--- /dev/null
+++ b/gateway-service-tgs/src/main/java/org/apache/hadoop/gateway/tgs/TGSDeploymentContributor.java
@@ -0,0 +1,58 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.gateway.tgs;
+
+import org.apache.hadoop.gateway.deploy.DeploymentContext;
+import org.apache.hadoop.gateway.deploy.ServiceDeploymentContributorBase;
+import org.apache.hadoop.gateway.descriptor.ResourceDescriptor;
+import org.apache.hadoop.gateway.filter.rewrite.api.UrlRewriteRuleDescriptor;
+import org.apache.hadoop.gateway.filter.rewrite.api.UrlRewriteRulesDescriptor;
+import org.apache.hadoop.gateway.filter.rewrite.ext.UrlRewriteActionRewriteDescriptorExt;
+import org.apache.hadoop.gateway.topology.Service;
+
+import java.net.URISyntaxException;
+
+public class TGSDeploymentContributor extends ServiceDeploymentContributorBase {
+
+  private static final String TGS_EXTERNAL_PATH = "/tgs/api/v1";
+
+  @Override
+  public String getRole() {
+    return "TGS";
+  }
+
+  @Override
+  public String getName() {
+    return "tgs";
+  }
+
+  @Override
+  public void contributeService( DeploymentContext context, Service service ) throws URISyntaxException {
+    ResourceDescriptor resource = context.getGatewayDescriptor().addResource();
+    resource.role( service.getRole() );
+    resource.pattern( TGS_EXTERNAL_PATH + "/accesstoken");
+    if (topologyContainsProviderType(context, "authentication")) {
+      context.contributeFilter( service, resource, "authentication", null, null );
+    }
+    if (topologyContainsProviderType(context, "federation")) {
+      context.contributeFilter( service, resource, "federation", null, null );
+    }
+    context.contributeFilter( service, resource, "identity-assertion", null, null );
+  }
+
+}
\ No newline at end of file

http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/f68377ec/gateway-service-tgs/src/main/resources/META-INF/services/org.apache.hadoop.gateway.deploy.ServiceDeploymentContributor
----------------------------------------------------------------------
diff --git a/gateway-service-tgs/src/main/resources/META-INF/services/org.apache.hadoop.gateway.deploy.ServiceDeploymentContributor b/gateway-service-tgs/src/main/resources/META-INF/services/org.apache.hadoop.gateway.deploy.ServiceDeploymentContributor
new file mode 100644
index 0000000..91ba8fc
--- /dev/null
+++ b/gateway-service-tgs/src/main/resources/META-INF/services/org.apache.hadoop.gateway.deploy.ServiceDeploymentContributor
@@ -0,0 +1,19 @@
+##########################################################################
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+##########################################################################
+
+org.apache.hadoop.gateway.tgs.TGSDeploymentContributor
\ No newline at end of file

http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/f68377ec/pom.xml
----------------------------------------------------------------------
diff --git a/pom.xml b/pom.xml
index eb8124a..0dcc310 100644
--- a/pom.xml
+++ b/pom.xml
@@ -45,9 +45,11 @@
         <module>gateway-provider-security-jwt</module>
         <module>gateway-provider-security-shiro</module>
         <module>gateway-provider-identity-assertion-pseudo</module>
+        <module>gateway-service-as</module>
         <module>gateway-service-hdfs</module>
-        <module>gateway-service-templeton</module>
         <module>gateway-service-oozie</module>
+        <module>gateway-service-templeton</module>
+        <module>gateway-service-tgs</module>
         <module>gateway-server</module>
         <module>gateway-server-launcher</module>
         <module>gateway-shell</module>
@@ -326,6 +328,16 @@
             </dependency>
             <dependency>
                 <groupId>${gateway-group}</groupId>
+                <artifactId>gateway-service-tgs</artifactId>
+                <version>${gateway-version}</version>
+            </dependency>
+            <dependency>
+                <groupId>${gateway-group}</groupId>
+                <artifactId>gateway-service-as</artifactId>
+                <version>${gateway-version}</version>
+            </dependency>
+            <dependency>
+                <groupId>${gateway-group}</groupId>
                 <artifactId>gateway-service-hdfs</artifactId>
                 <version>${gateway-version}</version>
             </dependency>