Posted to commits@knox.apache.org by mo...@apache.org on 2018/06/11 14:50:22 UTC

knox git commit: KNOX-1339 - (KIP-11 Federation) Add support for header preauth dispatch

Repository: knox
Updated Branches:
  refs/heads/master 7f8f97912 -> 138a99bed


KNOX-1339 - (KIP-11 Federation)  Add support for header preauth dispatch


Project: http://git-wip-us.apache.org/repos/asf/knox/repo
Commit: http://git-wip-us.apache.org/repos/asf/knox/commit/138a99be
Tree: http://git-wip-us.apache.org/repos/asf/knox/tree/138a99be
Diff: http://git-wip-us.apache.org/repos/asf/knox/diff/138a99be

Branch: refs/heads/master
Commit: 138a99bed99ba1920dc09dc92886d258a5cd0091
Parents: 7f8f979
Author: Sandeep More <mo...@apache.org>
Authored: Mon Jun 11 10:50:15 2018 -0400
Committer: Sandeep More <mo...@apache.org>
Committed: Mon Jun 11 10:50:15 2018 -0400

----------------------------------------------------------------------
 .../gateway/config/impl/GatewayConfigImpl.java  | 17 +++++
 .../knox/gateway/config/GatewayConfig.java      |  9 +++
 .../HeaderPreAuthFederationDispatch.java        | 74 ++++++++++++++++++++
 .../apache/knox/gateway/GatewayTestConfig.java  | 12 ++++
 4 files changed, 112 insertions(+)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/knox/blob/138a99be/gateway-server/src/main/java/org/apache/knox/gateway/config/impl/GatewayConfigImpl.java
----------------------------------------------------------------------
diff --git a/gateway-server/src/main/java/org/apache/knox/gateway/config/impl/GatewayConfigImpl.java b/gateway-server/src/main/java/org/apache/knox/gateway/config/impl/GatewayConfigImpl.java
index a6325b6..e0898a2 100644
--- a/gateway-server/src/main/java/org/apache/knox/gateway/config/impl/GatewayConfigImpl.java
+++ b/gateway-server/src/main/java/org/apache/knox/gateway/config/impl/GatewayConfigImpl.java
@@ -246,6 +246,11 @@ public class GatewayConfigImpl extends Configuration implements GatewayConfig {
   static final String KNOX_ADMIN_GROUPS = GATEWAY_CONFIG_FILE_PREFIX + ".knox.admin.groups";
   static final String KNOX_ADMIN_USERS = GATEWAY_CONFIG_FILE_PREFIX + ".knox.admin.users";
 
+  /* property that specifies custom header name to be added to outgoing federated request */
+  static final String CUSTOM_FEDERATION_HEADER_NAME = GATEWAY_CONFIG_FILE_PREFIX + ".custom.federation.header.name";
+  /* Default federated header name, see HeaderPreAuthFederationFilter.headerName */
+  static final String DEFAULT_FEDERATION_HEADER_NAME = "SM_USER";
+
   private static List<String> DEFAULT_GLOBAL_RULES_SERVICES;
 
 
@@ -1057,4 +1062,16 @@ public class GatewayConfigImpl extends Configuration implements GatewayConfig {
     return result;
   }
 
+  /**
+   * Custom header name to be used to pass the authenticated principal via
+   * dispatch
+   *
+   * @return
+   * @since 1.1.0
+   */
+  @Override
+  public String getFederationHeaderName() {
+    return get(CUSTOM_FEDERATION_HEADER_NAME, DEFAULT_FEDERATION_HEADER_NAME);
+  }
+
 }
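Review bot: `getFederationHeaderName()` returns the configured value without checking that it is a usable header name. If I read `Configuration.get(name, default)` correctly (worth confirming), a property that is present but blank comes back as an empty string rather than the default, and the dispatch's null check would accept it. Consider falling back to `DEFAULT_FEDERATION_HEADER_NAME` when the trimmed value is empty. The Javadoc `@return` is also empty here and in the `GatewayConfig` and `GatewayTestConfig` hunks; something like `@return the header name used to carry the authenticated principal, SM_USER by default` would document the contract.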

http://git-wip-us.apache.org/repos/asf/knox/blob/138a99be/gateway-spi/src/main/java/org/apache/knox/gateway/config/GatewayConfig.java
----------------------------------------------------------------------
diff --git a/gateway-spi/src/main/java/org/apache/knox/gateway/config/GatewayConfig.java b/gateway-spi/src/main/java/org/apache/knox/gateway/config/GatewayConfig.java
index 3423220..78ae227 100644
--- a/gateway-spi/src/main/java/org/apache/knox/gateway/config/GatewayConfig.java
+++ b/gateway-spi/src/main/java/org/apache/knox/gateway/config/GatewayConfig.java
@@ -400,4 +400,13 @@ public interface GatewayConfig {
    * @return
    */
   String getKnoxAdminUsers();
+
+  /**
+   * Custom header name to be used to pass the authenticated principal
+   * via dispatch
+   * @since 1.1.0
+   * @return
+   */
+  String getFederationHeaderName();
+
 }

http://git-wip-us.apache.org/repos/asf/knox/blob/138a99be/gateway-spi/src/main/java/org/apache/knox/gateway/dispatch/HeaderPreAuthFederationDispatch.java
----------------------------------------------------------------------
diff --git a/gateway-spi/src/main/java/org/apache/knox/gateway/dispatch/HeaderPreAuthFederationDispatch.java b/gateway-spi/src/main/java/org/apache/knox/gateway/dispatch/HeaderPreAuthFederationDispatch.java
new file mode 100644
index 0000000..8625cd0
--- /dev/null
+++ b/gateway-spi/src/main/java/org/apache/knox/gateway/dispatch/HeaderPreAuthFederationDispatch.java
@@ -0,0 +1,74 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with this
+ * work for additional information regarding copyright ownership.  The ASF
+ * licenses this file to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * <p>
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * <p>
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+ * License for the specific language governing permissions and limitations under
+ * the License.
+ */
+package org.apache.knox.gateway.dispatch;
+
+import org.apache.http.HttpResponse;
+import org.apache.http.client.methods.HttpUriRequest;
+import org.apache.knox.gateway.config.GatewayConfig;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
+import java.security.Principal;
+
+/**
+ * This dispatch should be used for federating multiple
+ * Knox instances. This dispatch will add the authentication header,
+ * which can be set using the property
+ * gateway.custom.federation.header.name
+ * in gateway-site.xml. The value of the header will be
+ * authenticated principal.
+ * Authentication provider configured in topology will be used to authenticate.
+ * The receiving Knox instance will need to have Header PreAuth
+ * provider configured to accept the requests.
+ *
+ * @since 1.1.0
+ */
+public class HeaderPreAuthFederationDispatch extends DefaultDispatch {
+
+  String headerName = "SM_USER";
+
+  /* Create an instance */
+  public HeaderPreAuthFederationDispatch() {
+    super();
+  }
+
+  @Override
+  protected void executeRequest(
+      final HttpUriRequest outboundRequest,
+      final HttpServletRequest inboundRequest,
+      final HttpServletResponse outboundResponse)
+      throws IOException {
+
+    final GatewayConfig config =
+        (GatewayConfig)inboundRequest.getServletContext().getAttribute( GatewayConfig.GATEWAY_CONFIG_ATTRIBUTE );
+
+    if(config != null && config.getFederationHeaderName() != null) {
+      headerName = config.getFederationHeaderName();
+    }
+
+    final Principal principal = inboundRequest.getUserPrincipal();
+    if(principal != null) {
+      outboundRequest.addHeader(headerName, principal.getName());
+    }
+
+    final HttpResponse inboundResponse = executeOutboundRequest(outboundRequest);
+    writeOutboundResponse(outboundRequest, inboundRequest, outboundResponse, inboundResponse);
+  }
+
+
+}
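Review bot: `outboundRequest.addHeader(headerName, principal.getName())` appends to whatever is already on the outbound request, so if the parent dispatch copies inbound headers (not visible in this hunk), a client-supplied header of the same name would be forwarded next to the gateway's value, and forwarded unchanged when `getUserPrincipal()` is null. Because the receiving instance treats this header as the caller's identity, strip any existing header of that name before setting the gateway-asserted one. `headerName` is also a package-private mutable field rewritten on every request and repeats the `"SM_USER"` literal from `GatewayConfigImpl`; a local variable avoids shared state if one dispatch instance serves concurrent requests. The class Javadoc would benefit from stating that the receiving Header PreAuth provider must accept this header only from the sending gateway.

```java
    // … unchanged: GatewayConfig lookup from the servlet context …
    final String configured = (config != null) ? config.getFederationHeaderName() : null;
    final String name =
        (configured != null && !configured.trim().isEmpty()) ? configured : headerName;

    // Drop any copy of the identity header that arrived with the client request,
    // so only the value asserted by this gateway reaches the receiving instance.
    outboundRequest.removeHeaders(name);

    final Principal principal = inboundRequest.getUserPrincipal();
    if (principal != null) {
      outboundRequest.setHeader(name, principal.getName());
    }
    // … unchanged: executeOutboundRequest / writeOutboundResponse …
```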

http://git-wip-us.apache.org/repos/asf/knox/blob/138a99be/gateway-test-release-utils/src/main/java/org/apache/knox/gateway/GatewayTestConfig.java
----------------------------------------------------------------------
diff --git a/gateway-test-release-utils/src/main/java/org/apache/knox/gateway/GatewayTestConfig.java b/gateway-test-release-utils/src/main/java/org/apache/knox/gateway/GatewayTestConfig.java
index cca0081..f9afa32 100644
--- a/gateway-test-release-utils/src/main/java/org/apache/knox/gateway/GatewayTestConfig.java
+++ b/gateway-test-release-utils/src/main/java/org/apache/knox/gateway/GatewayTestConfig.java
@@ -703,4 +703,16 @@ public class GatewayTestConfig extends Configuration implements GatewayConfig {
     return null;
   }
 
+  /**
+   * Custom header name to be used to pass the authenticated principal via
+   * dispatch
+   *
+   * @return
+   * @since 1.1.0
+   */
+  @Override
+  public String getFederationHeaderName() {
+    return "SM_USER";
+  }
+
 }