Posted to reviews@impala.apache.org by "Csaba Ringhofer (Code Review)" <ge...@cloudera.org> on 2021/02/05 00:50:56 UTC

[Impala-ASF-CR] [WiP] SAML implementation in Impala

Hello Thomas Tauber-Marshall, Vihang Karajgaonkar, Joe McDonnell, Impala Public Jenkins, 

I'd like you to reexamine a change. Please visit

    http://gerrit.cloudera.org:8080/16833

to look at the new patch set (#16).

Change subject: [WiP] SAML implementation in Impala
......................................................................

[WiP] SAML implementation in Impala

The bulk of the SAML2 related code is done on Java side because:
- There is already a POC in Hive that could be reused.
- The only SAML lib for c++ seems to be OpenSaml, which seemed
  quite hard to use and a heavy dependency.

Doing authentication in Java needed some plumbing, as the hs2-http
port is listened to in c++ and http related processing happens in
THttpServer/THttpTransport, which is not a "real" web server, just
a simple http implementation that processes the headers and passes
content to the thrift service.
- Http headers (and in one case body) are inspected and if it is
  SAML related, the http request is wrapped in TWrappedHttpRequest
  and sent to the Frontend. The Frontend processes it and returns
  a TWrappedHttpResponse with the info to return to the client.
- After the last SAML message (with the bearer token) we generate
  an auth cookie in c++ (which can be validated in c++), so later
  requests in the session don't need to call to Java.

State of implementation:
- The java side is more or less ok, will be updated when the Hive
  implementation changes. I would do a proper cleanup / documentation
  once the Hive code is more final.
- Compatibility with other auth mechanisms should be decided:
  - Whether other clients should be able to auth with ldap/kerberos
    is not clear yet.
- Only the first step of the auth workflow has automatic tests.

Change-Id: Ia0c026cba1b90e7ff6ec5ae49be78b0d1edd8dfa
---
M be/src/common/global-flags.cc
M be/src/kudu/rpc/CMakeLists.txt
M be/src/rpc/auth-provider.h
M be/src/rpc/authentication-test.cc
M be/src/rpc/authentication.cc
M be/src/rpc/authentication.h
M be/src/rpc/hs2-http-test.cc
M be/src/rpc/thrift-server.h
M be/src/service/frontend.cc
M be/src/service/frontend.h
M be/src/service/impala-server.cc
M be/src/transport/THttpServer.cpp
M be/src/transport/THttpServer.h
M be/src/transport/THttpTransport.cpp
M be/src/transport/THttpTransport.h
M be/src/util/backend-gflag-util.cc
M bin/rat_exclude_files.txt
M common/thrift/BackendGflags.thrift
M common/thrift/Frontend.thrift
M common/thrift/metrics.json
M fe/pom.xml
A fe/src/main/java/org/apache/impala/authentication/saml/AuthTokenGenerator.java
A fe/src/main/java/org/apache/impala/authentication/saml/HiveSamlAuthTokenGenerator.java
A fe/src/main/java/org/apache/impala/authentication/saml/HiveSamlGroupNameFilter.java
A fe/src/main/java/org/apache/impala/authentication/saml/HiveSamlHttpServlet.java
A fe/src/main/java/org/apache/impala/authentication/saml/HiveSamlRelayStateInfo.java
A fe/src/main/java/org/apache/impala/authentication/saml/HiveSamlRelayStateStore.java
A fe/src/main/java/org/apache/impala/authentication/saml/HiveSamlUtils.java
A fe/src/main/java/org/apache/impala/authentication/saml/HttpSamlAuthenticationException.java
A fe/src/main/java/org/apache/impala/authentication/saml/HttpSamlNoGroupsMatchedException.java
A fe/src/main/java/org/apache/impala/authentication/saml/ImpalaSamlClient.java
A fe/src/main/java/org/apache/impala/authentication/saml/NullSessionStore.java
A fe/src/main/java/org/apache/impala/authentication/saml/WrappedWebContext.java
M fe/src/main/java/org/apache/impala/service/BackendConfig.java
M fe/src/main/java/org/apache/impala/service/Frontend.java
M fe/src/main/java/org/apache/impala/service/JniFrontend.java
M java/pom.xml
A testdata/authentication/saml2_sso.jks
A testdata/authentication/saml2_sso_metadata.xml
A tests/custom_cluster/test_saml2_sso.py
40 files changed, 1,980 insertions(+), 51 deletions(-)


  git pull ssh://gerrit.cloudera.org:29418/Impala-ASF refs/changes/33/16833/16
-- 
To view, visit http://gerrit.cloudera.org:8080/16833
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: newpatchset
Gerrit-Change-Id: Ia0c026cba1b90e7ff6ec5ae49be78b0d1edd8dfa
Gerrit-Change-Number: 16833
Gerrit-PatchSet: 16
Gerrit-Owner: Csaba Ringhofer <cs...@cloudera.com>
Gerrit-Reviewer: Csaba Ringhofer <cs...@cloudera.com>
Gerrit-Reviewer: Impala Public Jenkins <im...@cloudera.com>
Gerrit-Reviewer: Joe McDonnell <jo...@cloudera.com>
Gerrit-Reviewer: Thomas Tauber-Marshall <tm...@cloudera.com>
Gerrit-Reviewer: Vihang Karajgaonkar <vi...@cloudera.com>
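The commit message above splits request handling between the c++ HTTP layer and the Java Frontend: SAML-related messages are wrapped and forwarded, while later requests carry an auth cookie the c++ side validates on its own. The sketch below is an added example illustrating that split and is not Impala's code; the cookie format, the cookie name, the key and the "bearer token means SAML-related" test are all constructed assumptions for the example.

```python
import base64
import binascii
import hashlib
import hmac

# Constructed key and cookie name for this example; neither is Impala's.
COOKIE_KEY = b"constructed-example-key"
COOKIE_NAME = "auth-cookie"


def make_auth_cookie(user: str, now: int, ttl_s: int, key: bytes = COOKIE_KEY) -> str:
    """Issue a cookie after the bearer-token step: base64(user|expiry).base64(HMAC-SHA256)."""
    payload = f"{user}|{now + ttl_s}".encode()
    sig = hmac.new(key, payload, hashlib.sha256).digest()
    return (base64.urlsafe_b64encode(payload) + b"." + base64.urlsafe_b64encode(sig)).decode()


def validate_auth_cookie(value: str, now: int, key: bytes = COOKIE_KEY):
    """Return the user if the cookie is well-formed, authentic and unexpired, else None."""
    try:
        payload_b64, sig_b64 = value.split(".", 1)
        payload = base64.urlsafe_b64decode(payload_b64)
        sig = base64.urlsafe_b64decode(sig_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time; also rejects a wrong-length tag
        return None
    user, sep, expiry = payload.decode(errors="replace").rpartition("|")
    if not sep or not expiry.isdigit() or int(expiry) <= now:
        return None
    return user


def route_request(headers: dict, now: int) -> str:
    """Decide in the HTTP layer whether a request goes to the Java Frontend or is settled locally."""
    if headers.get("Authorization", "").startswith("Bearer "):
        return "saml-frontend"              # SAML-related: wrap it and hand it to the Frontend
    for part in headers.get("Cookie", "").split(";"):
        name, _, val = part.strip().partition("=")
        if name == COOKIE_NAME:
            user = validate_auth_cookie(val, now)
            if user is not None:
                return f"cookie-ok:{user}"  # validated locally, no call into Java
    return "challenge"                      # no usable credential: start the SAML flow
```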