Posted to dev@knox.apache.org by GitBox <gi...@apache.org> on 2020/07/30 21:07:45 UTC

[GitHub] [knox] smolnar82 opened a new pull request #367: KNOX-2413 - Added JWT support in HadoopAuth provider

smolnar82 opened a new pull request #367:
URL: https://github.com/apache/knox/pull/367


   ## What changes were proposed in this pull request?
   
   Added a new provider configuration parameter in the `HadoopAuth` security provider to enable end-users to use JWT tokens instead of the usual Hadoop Authentication mechanism if there is a Bearer token defined in the request's `Authorization` header. The new parameter name is `support.jwt`. If that is set to `true` (defaults to `false`) and there is a _valid_ (parsable, non-expired) JWT token in the authorization header Knox will use that token in the HadoopAuth security provider.
   
   ## How was this patch tested?
   
   Updated and ran JUnit tests:
   ```
   [INFO] ------------------------------------------------------------------------
   [INFO] BUILD SUCCESS
   [INFO] ------------------------------------------------------------------------
   [INFO] Total time: 20:01 min (Wall Clock)
   [INFO] Finished at: 2020-07-30T22:42:31+02:00
   [INFO] Final Memory: 448M/2323M
   [INFO] ------------------------------------------------------------------------
   ```
   
   Additionally, the following E2E test steps were executed:
   1. Deployed the Knox Gateway with my changes
   2. Added the KNOXTOKEN service into `sandbox` (to be able to get a Knox delegation token)
   3. Had the following `authentication` provider in the `metadata` topology:
   ```
       {
         "role": "authentication",
         "name": "HadoopAuth",
         "enabled": "true",
         "params": {
           "config.prefix": "hadoop.auth.config",
           "hadoop.auth.config.type": "kerberos",
           "hadoop.auth.config.signature.secret": "password",
           "hadoop.auth.config.simple.anonymous.allowed": "false",
           "hadoop.auth.config.token.validity": "1800",
           "hadoop.auth.config.cookie.path": "/",
           "hadoop.auth.config.kerberos.principal": "HTTP/$GATEWAY_HOST@$REALM",
           "hadoop.auth.config.kerberos.keytab": "/$KEYTAB_PATH/knox.keytab",
           "hadoop.auth.config.kerberos.name.rules": "DEFAULT",
           "support.jwt": "true"
          }
        }
   ```
   4. Logged into Kerberos as `knox` and tried to get metadata about the `sandbox` topology using Kerberos:
   ```
   $ curl -s --negotiate -u: -k "http://$GATEWAY_HOST:8444/gateway/metadata/api/v1/metadata/topologies/sandbox"
   <?xml version="1.0" encoding="UTF-8"?>
   <topologyInformations>
      <topologyInformation>
         <topology>sandbox</topology>
         <pinned>false</pinned>
         ...
      </topologyInformation>
   </topologyInformations>
   ```
   5. Obtained a Knox delegation token (using the `KNOXTOKEN` service in sandbox)
   6. Tried to get metadata about the `sandbox` topology using the acquired JWT token:
   ```
   $ curl -v -H "Authorization: Bearer eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJrbm94IiwiYXVkIjoiaWRicm9rZXIiLCJpc3MiOiJLTk9YU1NPIiwiZXhwIjoxNTk2MTQzNzg4LCJrbm94LmlkIjoiMGM2NTUwZGItNzM4ZS00NjYwLWI1YWMtNGJlN2ZjNTllNzc2In0.KwRWOaye-7lgUN5pG-AV11HvRGwQKT6BSZWSWKOapn8DHaKce5hTaO4eTkHlyIx8kg7zaI65Cq950pC6lQf3Ocznh8DQaqbm_OxgBZQCI6wFl3UTHe1m1BbK7G3HxrOUHLnGUk4g5_z-gv_CN4vQDpgvPCNjC34knOUIeoc7uUHl_IABsQGDa4i57K5Gb9-iBJlhEWwFYEiIA24vE0fL1MnOvmUzypAth6l8x8m3FUpLYLMJOFOT9dXBTXKTklfy7S4pPRW5TFI9kwArhBr5-_KtT-ZZhiPu_LJPjVZHu1LwBgtYE_uJjVzE8RR1T20iYSPub15sPiX4ntUerto1Rg" "http://$GATEWAY_HOST:8444/gateway/metadata/api/v1/metadata/topologies/sandbox"
   
   * About to connect() to $GATEWAY_HOST port 8444 (#0)
   *   Trying xxx...
   * Connected to $GATEWAY_HOST (xxx...) port 8444 (#0)
   > GET /gateway/metadata/api/v1/metadata/topologies/sandbox HTTP/1.1
   > User-Agent: curl/7.29.0
   > Host: $GATEWAY_HOST:8444
   > Accept: */*
   > Authorization: Bearer eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJrbm94IiwiYXVkIjoiaWRicm9rZXIiLCJpc3MiOiJLTk9YU1NPIiwiZXhwIjoxNTk2MTQzNzg4LCJrbm94LmlkIjoiMGM2NTUwZGItNzM4ZS00NjYwLWI1YWMtNGJlN2ZjNTllNzc2In0.KwRWOaye-7lgUN5pG-AV11HvRGwQKT6BSZWSWKOapn8DHaKce5hTaO4eTkHlyIx8kg7zaI65Cq950pC6lQf3Ocznh8DQaqbm_OxgBZQCI6wFl3UTHe1m1BbK7G3HxrOUHLnGUk4g5_z-gv_CN4vQDpgvPCNjC34knOUIeoc7uUHl_IABsQGDa4i57K5Gb9-iBJlhEWwFYEiIA24vE0fL1MnOvmUzypAth6l8x8m3FUpLYLMJOFOT9dXBTXKTklfy7S4pPRW5TFI9kwArhBr5-_KtT-ZZhiPu_LJPjVZHu1LwBgtYE_uJjVzE8RR1T20iYSPub15sPiX4ntUerto1Rg
   > 
   < HTTP/1.1 200 OK
   < Date: Thu, 30 Jul 2020 20:18:31 GMT
   < Content-Type: application/xml
   < Transfer-Encoding: chunked
   < 
   <?xml version="1.0" encoding="UTF-8"?>
   <topologyInformations>
      <topologyInformation>
         <topology>sandbox</topology>
         <pinned>false</pinned>
         ...
      </topologyInformation>
   </topologyInformations>
   * Connection #0 to host $GATEWAY_HOST left intact
   ```
   7. Checked the `gateway.log` (set the logging level to `DEBUG` before I started the gateway) and found that everything worked as expected


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



[GitHub] [knox] smolnar82 merged pull request #367: KNOX-2413 - Added JWT support in HadoopAuth provider

Posted by GitBox <gi...@apache.org>.
smolnar82 merged pull request #367:
URL: https://github.com/apache/knox/pull/367


   





[GitHub] [knox] smolnar82 commented on a change in pull request #367: KNOX-2413 - Added JWT support in HadoopAuth provider

Posted by GitBox <gi...@apache.org>.
smolnar82 commented on a change in pull request #367:
URL: https://github.com/apache/knox/pull/367#discussion_r468344521



##########
File path: gateway-provider-security-hadoopauth/src/main/java/org/apache/knox/gateway/hadoopauth/filter/HadoopAuthFilter.java
##########
@@ -116,11 +125,34 @@ public void init(FilterConfig filterConfig) throws ServletException {
     }
 
     super.init(filterConfig);
+
+    final String supportJwt = filterConfig.getInitParameter(SUPPORT_JWT);
+    final boolean jwtSupported = Boolean.parseBoolean(supportJwt == null ? "false" : supportJwt);
+    if (jwtSupported) {
+      jwtFilter = new JWTFederationFilter();
+      ((GatewayFilter.Holder)filterConfig).removeParamPrefix(JWT_PREFIX);
+      jwtFilter.init(filterConfig);
+      LOG.initializedJwtFilter();
+    }
   }
 
   @Override
-  protected void doFilter(FilterChain filterChain, HttpServletRequest request,
-                          HttpServletResponse response) throws IOException, ServletException {
+  public void doFilter(ServletRequest request, ServletResponse response, FilterChain filterChain) throws IOException, ServletException {
+    if (shouldUseJwtFilter(jwtFilter, filterChain, (HttpServletRequest) request, (HttpServletResponse) response)) {
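Review bot: the cast `((GatewayFilter.Holder)filterConfig)` inside the `if (jwtSupported)` branch is unchecked, so initialising `HadoopAuthFilter` with any other `FilterConfig` (a unit-test stub, or any future wiring outside `GatewayFilter`) fails with a ClassCastException instead of a readable error; guard it with `instanceof GatewayFilter.Holder` and throw a `ServletException` naming `support.jwt` otherwise. Minor: `Boolean.parseBoolean(supportJwt == null ? "false" : supportJwt)` can simply be `Boolean.parseBoolean(supportJwt)`, since `parseBoolean(null)` already returns false.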

Review comment:
       Makes sense; I fixed it.







[GitHub] [knox] lmccay commented on a change in pull request #367: KNOX-2413 - Added JWT support in HadoopAuth provider

Posted by GitBox <gi...@apache.org>.
lmccay commented on a change in pull request #367:
URL: https://github.com/apache/knox/pull/367#discussion_r463320044



##########
File path: gateway-provider-security-hadoopauth/src/main/java/org/apache/knox/gateway/hadoopauth/filter/HadoopAuthFilter.java
##########
@@ -116,11 +125,34 @@ public void init(FilterConfig filterConfig) throws ServletException {
     }
 
     super.init(filterConfig);
+
+    final String supportJwt = filterConfig.getInitParameter(SUPPORT_JWT);
+    final boolean jwtSupported = Boolean.parseBoolean(supportJwt == null ? "false" : supportJwt);
+    if (jwtSupported) {
+      jwtFilter = new JWTFederationFilter();
+      ((GatewayFilter.Holder)filterConfig).removeParamPrefix(JWT_PREFIX);
+      jwtFilter.init(filterConfig);
+      LOG.initializedJwtFilter();
+    }
   }
 
   @Override
-  protected void doFilter(FilterChain filterChain, HttpServletRequest request,
-                          HttpServletResponse response) throws IOException, ServletException {
+  public void doFilter(ServletRequest request, ServletResponse response, FilterChain filterChain) throws IOException, ServletException {
+    if (shouldUseJwtFilter(jwtFilter, filterChain, (HttpServletRequest) request, (HttpServletResponse) response)) {
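Review bot: `jwtFilter` is only assigned inside `if (jwtSupported)`, yet the new `doFilter` passes it to `shouldUseJwtFilter(...)` unconditionally, so that helper has to tolerate a null filter on every deployment that leaves `support.jwt` at its default; make that explicit at the call site (`jwtFilter != null && shouldUseJwtFilter(...)`) rather than relying on the helper. The same line also casts `request` and `response` to `HttpServletRequest`/`HttpServletResponse` without a check, whereas the removed protected `doFilter(FilterChain, HttpServletRequest, HttpServletResponse)` hook already received typed arguments; consider keeping that override instead of the raw servlet signature, or at least checking the types before the cast.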

Review comment:
       It seems like a client with the intent to use JWT that sends an expired token will end up with a kerberos challenge here. I can imagine arguments for both sides of this but I think that we probably want to allow the JWT validation failure to be reflected in the response rather than falling back to kerberos.




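The following is an added, stand-alone model of the behaviour the PR description and the review exchange above are about; it is not Knox code and does not reproduce `HadoopAuthFilter`, `JWTFederationFilter` or `shouldUseJwtFilter`. It models the new `support.jwt` parameter as a boolean `support_jwt`, treats a token as "valid" exactly as the PR description does (parsable and non-expired; this model additionally assumes an `exp` claim must be present), and exposes a `fail_closed` switch so both policies from the review thread can be compared: silently falling through to the Kerberos challenge when a Bearer token is present but invalid, versus reflecting the JWT failure in the response. The response tuples and the demo tokens are constructed for the example. Signatures are deliberately not verified here, so nothing in this file may grant access on its own.

```python
"""Added example (not Knox code): a stand-alone model of the dispatch that
KNOX-2413 adds to the HadoopAuth provider, plus the expired-token policy
question raised in review.  'Valid' means what the PR description means:
parsable and non-expired.  Signatures are deliberately NOT verified here,
so nothing in this file may be used to grant access on its own."""
import base64
import json

# Constructed response shapes, standing in for the real provider's replies.
OK = (200, {})
KERBEROS_CHALLENGE = (401, {"WWW-Authenticate": "Negotiate"})
JWT_REJECTED = (401, {"WWW-Authenticate": 'Bearer error="invalid_token"'})


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without '=' padding; restore it first.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def parse_jwt(token: str):
    """Return (header, payload) dicts, or None if the token is not a parsable JWT."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    try:
        header = json.loads(_b64url_decode(parts[0]))
        payload = json.loads(_b64url_decode(parts[1]))
    except ValueError:  # bad base64 (binascii.Error), bad UTF-8 and bad JSON all subclass ValueError
        return None
    if not isinstance(header, dict) or not isinstance(payload, dict):
        return None
    return header, payload


def jwt_is_valid(token: str, now: int) -> bool:
    """The PR's notion of a valid token: parsable and not past its 'exp' claim.
    Assumption of this model: a token without a numeric 'exp' is treated as invalid."""
    parsed = parse_jwt(token)
    if parsed is None:
        return False
    exp = parsed[1].get("exp")
    return isinstance(exp, (int, float)) and now < exp


def bearer_token(headers: dict):
    """Extract the token from an 'Authorization: Bearer <token>' header, else None."""
    scheme, _, value = headers.get("Authorization", "").partition(" ")
    return value.strip() if scheme.lower() == "bearer" and value.strip() else None


def dispatch(headers: dict, support_jwt: bool, now: int, fail_closed: bool):
    """Return (path, response) for one request.

    support_jwt models the new 'support.jwt' provider parameter.
    fail_closed=False models the behaviour questioned in review: a Bearer
    token that fails validation silently falls through to the Kerberos
    challenge.  fail_closed=True reflects the JWT failure in the response.
    """
    token = bearer_token(headers)
    if support_jwt and token is not None:
        if jwt_is_valid(token, now):
            return "jwt", OK
        if fail_closed:
            return "jwt", JWT_REJECTED
    return "kerberos", KERBEROS_CHALLENGE


def make_demo_token(payload: dict) -> str:
    """Build a constructed, UNSIGNED demo token with a placeholder third segment."""
    def seg(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([seg({"alg": "RS256"}), seg(payload), "placeholder-signature"])


if __name__ == "__main__":
    now = 1596143000  # constructed clock value for the demo
    good = make_demo_token({"sub": "knox", "exp": now + 1800})
    expired = make_demo_token({"sub": "knox", "exp": now - 1})
    cases = [("valid", {"Authorization": "Bearer " + good}, False),
             ("expired, fallback", {"Authorization": "Bearer " + expired}, False),
             ("expired, fail-closed", {"Authorization": "Bearer " + expired}, True)]
    for label, hdrs, fc in cases:
        print(label, "->", dispatch(hdrs, True, now, fc))
```

With `fail_closed=False` a client that clearly intended JWT (it sent a Bearer header) gets a `Negotiate` challenge for an expired token, which is the outcome the review comment describes; with `fail_closed=True` the same request gets an explicit 401 carrying a Bearer error, so the client can refresh its token instead of attempting Kerberos. Whichever policy the provider adopts, the real filter must also verify the token's signature and issuer before trusting `sub`, which this model intentionally leaves out.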