Posted to common-commits@hadoop.apache.org by iw...@apache.org on 2020/09/14 13:02:56 UTC

[hadoop] branch branch-2.10.1 updated (aeeb125 -> 1827467)

This is an automated email from the ASF dual-hosted git repository.

iwasakims pushed a change to branch branch-2.10.1
in repository https://gitbox.apache.org/repos/asf/hadoop.git.


    from aeeb125  Preparing for 2.10.1 release
     new 9ae9890  Revert "HADOOP-13119. Add ability to secure log servlet using proxy users.  Contribute by Yuanbo Liu."
     new 1827467  Updated timeline reader to use AuthenticationFilter

The 2 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.


Summary of changes:
 .../security/AuthenticationFilterInitializer.java  |   9 +-
 .../AuthenticationWithProxyUserFilter.java         | 119 -----
 .../hadoop/http/TestHttpServerWithSpengo.java      | 480 ---------------------
 .../hadoop/security/TestAuthenticationFilter.java  |  13 +-
 .../TestAuthenticationWithProxyUserFilter.java     |  78 ----
 ...elineReaderAuthenticationFilterInitializer.java |  10 +-
 6 files changed, 18 insertions(+), 691 deletions(-)
 delete mode 100644 hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/AuthenticationWithProxyUserFilter.java
 delete mode 100644 hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/http/TestHttpServerWithSpengo.java
 delete mode 100644 hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestAuthenticationWithProxyUserFilter.java




[hadoop] 01/02: Revert "HADOOP-13119. Add ability to secure log servlet using proxy users. Contribute by Yuanbo Liu."

Posted by iw...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

iwasakims pushed a commit to branch branch-2.10.1
in repository https://gitbox.apache.org/repos/asf/hadoop.git

commit 9ae98901e49e1cfb882eeaf38d85fb752ab34a7f
Author: Owen O'Malley <om...@apache.org>
AuthorDate: Thu Mar 1 10:15:22 2018 -0800

    Revert "HADOOP-13119. Add ability to secure log servlet using proxy users.  Contribute by Yuanbo Liu."
    
    This reverts commit a847903b6e64c6edb11d852b91f2c816b1253eb3.
    
    Change-Id: I3122a2142f5bdf8507dece930e447556a43cd9ae
    (cherry picked from commit 8fad3ec76070ccfcd3ed80feaba4355077bc6f5c)
    (cherry picked from commit fa6a8b78d481d3b4d355e1bf078f30dd5e09850d)
    
     Conflicts:
    	hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/http/TestHttpServerWithSpengo.java
    	hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestAuthenticationWithProxyUserFilter.java
    
    (cherry picked from commit ca65409836d2949e9a9408d40bec0177b414cd5d)
---
 .../security/AuthenticationFilterInitializer.java  |   9 +-
 .../AuthenticationWithProxyUserFilter.java         | 119 -----
 .../hadoop/http/TestHttpServerWithSpengo.java      | 480 ---------------------
 .../hadoop/security/TestAuthenticationFilter.java  |  13 +-
 .../TestAuthenticationWithProxyUserFilter.java     |  78 ----
 5 files changed, 13 insertions(+), 686 deletions(-)

diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/AuthenticationFilterInitializer.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/AuthenticationFilterInitializer.java
index 65d2211..ca221f5 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/AuthenticationFilterInitializer.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/AuthenticationFilterInitializer.java
@@ -29,9 +29,8 @@ import java.util.HashMap;
 import java.util.Map;
 
 /**
- * Initializes {@link AuthenticationWithProxyUserFilter}
- * which provides support for Kerberos HTTP SPNEGO authentication
- * and proxy user authentication.
+ * Initializes hadoop-auth AuthenticationFilter which provides support for
+ * Kerberos HTTP SPNEGO authentication.
  * <p/>
  * It enables anonymous access, simple/speudo and Kerberos HTTP SPNEGO
  * authentication  for Hadoop JobTracker, NameNode, DataNodes and
@@ -59,10 +58,8 @@ public class AuthenticationFilterInitializer extends FilterInitializer {
   public void initFilter(FilterContainer container, Configuration conf) {
     Map<String, String> filterConfig = getFilterConfigMap(conf, PREFIX);
 
-    // extend AuthenticationFilter's feature to
-    // support proxy user operation.
     container.addFilter("authentication",
-                        AuthenticationWithProxyUserFilter.class.getName(),
+                        AuthenticationFilter.class.getName(),
                         filterConfig);
   }
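Review bot: After this change `initFilter` registers the plain `AuthenticationFilter`, and neither the method nor the updated class Javadoc says what now happens to a `doAs` query parameter, which the removed subclass authorized through `ProxyUsers.authorize` before rewriting the remote user. Judging from the removed comment, the base filter presumably leaves `doAs` unprocessed, so any servlet behind this filter that honours `doAs` itself would need its own proxy-user check; that is worth confirming against the servlets registered on this server. I would add a comment above the `addFilter` call, e.g. `// Plain AuthenticationFilter: doAs is not evaluated here; impersonation must be authorized by the servlet or a later filter.` The class body continues outside the hunk.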
 
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/AuthenticationWithProxyUserFilter.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/AuthenticationWithProxyUserFilter.java
deleted file mode 100644
index ea9b282..0000000
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/AuthenticationWithProxyUserFilter.java
+++ /dev/null
@@ -1,119 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements.  See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership.  The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License.  You may obtain a copy of the License at
- * <p>
- * http://www.apache.org/licenses/LICENSE-2.0
- * <p>
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.hadoop.security;
-
-import org.apache.hadoop.security.authentication.server.AuthenticationFilter;
-import org.apache.hadoop.security.authorize.AuthorizationException;
-import org.apache.hadoop.security.authorize.ProxyUsers;
-import org.apache.hadoop.util.HttpExceptionUtils;
-import org.apache.http.NameValuePair;
-import org.apache.http.client.utils.URLEncodedUtils;
-
-import javax.servlet.FilterChain;
-import javax.servlet.ServletException;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletRequestWrapper;
-import javax.servlet.http.HttpServletResponse;
-import java.io.IOException;
-import java.nio.charset.Charset;
-import java.util.List;
-
-/**
- * Extend the function of {@link AuthenticationFilter} to
- * support authorizing proxy user. If the query string
- * contains doAs parameter, then check the proxy user,
- * otherwise do the next filter.
- */
-public class AuthenticationWithProxyUserFilter extends AuthenticationFilter {
-
-  /**
-   * Constant used in URL's query string to perform a proxy user request, the
-   * value of the <code>DO_AS</code> parameter is the user the request will be
-   * done on behalf of.
-   */
-  private static final String DO_AS = "doAs";
-
-  private static final Charset UTF8_CHARSET = Charset.forName("UTF-8");
-
-
-  /**
-   * This method provide the ability to do pre/post tasks
-   * in filter chain. Override this method to authorize
-   * proxy user between AuthenticationFilter and next filter.
-   * @param filterChain the filter chain object.
-   * @param request the request object.
-   * @param response the response object.
-   *
-   * @throws IOException
-   * @throws ServletException
-   */
-  @Override
-  protected void doFilter(FilterChain filterChain, HttpServletRequest request,
-      HttpServletResponse response) throws IOException, ServletException {
-
-    // authorize proxy user before calling next filter.
-    String proxyUser = getDoAs(request);
-    if (proxyUser != null) {
-      UserGroupInformation realUser =
-          UserGroupInformation.createRemoteUser(request.getRemoteUser());
-      UserGroupInformation proxyUserInfo =
-          UserGroupInformation.createProxyUser(proxyUser, realUser);
-
-      try {
-        ProxyUsers.authorize(proxyUserInfo, request.getRemoteAddr());
-      } catch (AuthorizationException ex) {
-        HttpExceptionUtils.createServletExceptionResponse(response,
-            HttpServletResponse.SC_FORBIDDEN, ex);
-        // stop filter chain if there is an Authorization Exception.
-        return;
-      }
-
-      final UserGroupInformation finalProxyUser = proxyUserInfo;
-      // Change the remote user after proxy user is authorized.
-      request = new HttpServletRequestWrapper(request) {
-        @Override
-        public String getRemoteUser() {
-          return finalProxyUser.getUserName();
-        }
-      };
-
-    }
-    filterChain.doFilter(request, response);
-  }
-
-  /**
-   * Get proxy user from query string.
-   * @param request the request object
-   * @return proxy user
-   */
-  public static String getDoAs(HttpServletRequest request) {
-    String queryString = request.getQueryString();
-    if (queryString == null) {
-      return null;
-    }
-    List<NameValuePair> list = URLEncodedUtils.parse(queryString, UTF8_CHARSET);
-    if (list != null) {
-      for (NameValuePair nv : list) {
-        if (DO_AS.equalsIgnoreCase(nv.getName())) {
-          return nv.getValue();
-        }
-      }
-    }
-    return null;
-  }
-}
diff --git a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/http/TestHttpServerWithSpengo.java b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/http/TestHttpServerWithSpengo.java
deleted file mode 100644
index 7ef53b6..0000000
--- a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/http/TestHttpServerWithSpengo.java
+++ /dev/null
@@ -1,480 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements.  See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership.  The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License.  You may obtain a copy of the License at
- * <p>
- * http://www.apache.org/licenses/LICENSE-2.0
- * <p>
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.hadoop.http;
-
-import org.apache.hadoop.conf.Configuration;
-import org.apache.hadoop.fs.CommonConfigurationKeys;
-import org.apache.hadoop.minikdc.MiniKdc;
-import org.apache.hadoop.net.NetUtils;
-import org.apache.hadoop.security.AuthenticationFilterInitializer;
-import org.apache.hadoop.security.SecurityUtil;
-import org.apache.hadoop.security.UserGroupInformation;
-import org.apache.hadoop.security.UserGroupInformation.AuthenticationMethod;
-import org.apache.hadoop.security.authentication.KerberosTestUtils;
-import org.apache.hadoop.security.authentication.client.AuthenticatedURL;
-import org.apache.hadoop.security.authentication.client.AuthenticationException;
-import org.apache.hadoop.security.authentication.server.AuthenticationFilter;
-import org.apache.hadoop.security.authentication.server.AuthenticationToken;
-import org.apache.hadoop.security.authentication.util.Signer;
-import org.apache.hadoop.security.authentication.util.SignerSecretProvider;
-import org.apache.hadoop.security.authentication.util.StringSignerSecretProviderCreator;
-import org.apache.hadoop.security.authorize.AccessControlList;
-import org.apache.hadoop.security.authorize.ProxyUsers;
-import org.ietf.jgss.GSSException;
-import org.junit.AfterClass;
-import org.junit.BeforeClass;
-import org.junit.Test;
-import org.junit.Assert;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-import java.io.File;
-import java.io.FileWriter;
-import java.io.Writer;
-import java.net.HttpURLConnection;
-import java.net.URI;
-import java.net.URL;
-import java.security.AccessController;
-import java.security.PrivilegedExceptionAction;
-import java.util.HashSet;
-import java.util.Properties;
-import java.util.Set;
-import javax.security.auth.Subject;
-import javax.servlet.ServletContext;
-
-import static org.junit.Assert.assertTrue;
-
-/**
- * This class is tested for http server with SPENGO authentication.
- */
-public class TestHttpServerWithSpengo {
-
-  static final Logger LOG =
-      LoggerFactory.getLogger(TestHttpServerWithSpengo.class);
-
-  private static final String SECRET_STR = "secret";
-  private static final String HTTP_USER = "HTTP";
-  private static final String PREFIX = "hadoop.http.authentication.";
-  private static final long TIMEOUT = 20000;
-
-  private static File httpSpnegoKeytabFile = new File(
-      KerberosTestUtils.getKeytabFile());
-  private static String httpSpnegoPrincipal =
-      KerberosTestUtils.getServerPrincipal();
-  private static String realm = KerberosTestUtils.getRealm();
-
-  private static File testRootDir = new File("target",
-      TestHttpServerWithSpengo.class.getName() + "-root");
-  private static MiniKdc testMiniKDC;
-  private static File secretFile = new File(testRootDir, SECRET_STR);
-
-  private static UserGroupInformation authUgi;
-
-  @BeforeClass
-  public static void setUp() throws Exception {
-    try {
-      testMiniKDC = new MiniKdc(MiniKdc.createConf(), testRootDir);
-      testMiniKDC.start();
-      testMiniKDC.createPrincipal(
-          httpSpnegoKeytabFile, HTTP_USER + "/localhost", "keytab-user");
-    } catch (Exception e) {
-      assertTrue("Couldn't setup MiniKDC", false);
-    }
-
-    System.setProperty("sun.security.krb5.debug", "true");
-    Configuration conf = new Configuration();
-    SecurityUtil.setAuthenticationMethod(AuthenticationMethod.KERBEROS, conf);
-    UserGroupInformation.setConfiguration(conf);
-    authUgi = UserGroupInformation.loginUserFromKeytabAndReturnUGI(
-        "keytab-user", httpSpnegoKeytabFile.toString());
-    Writer w = new FileWriter(secretFile);
-    w.write("secret");
-    w.close();
-  }
-
-  @AfterClass
-  public static void tearDown() {
-    if (testMiniKDC != null) {
-      testMiniKDC.stop();
-    }
-  }
-
-  /**
-   * groupA
-   *  - userA
-   * groupB
-   *  - userA, userB
-   * groupC
-   *  - userC
-   * SPNEGO filter has been enabled.
-   * userA has the privilege to impersonate users in groupB.
-   * userA has admin access to all default servlets, but userB
-   * and userC don't have. So "/logs" can only be accessed by userA.
-   * @throws Exception
-   */
-  @Test
-  public void testAuthenticationWithProxyUser() throws Exception {
-
-    Configuration spengoConf = getSpengoConf(new Configuration());
-
-    //setup logs dir
-    System.setProperty("hadoop.log.dir", testRootDir.getAbsolutePath());
-
-    // Setup user group
-    UserGroupInformation.createUserForTesting("userA",
-        new String[]{"groupA", "groupB"});
-    UserGroupInformation.createUserForTesting("userB",
-        new String[]{"groupB"});
-    UserGroupInformation.createUserForTesting("userC",
-        new String[]{"groupC"});
-
-    // Make userA impersonate users in groupB
-    spengoConf.set("hadoop.proxyuser.userA.hosts", "*");
-    spengoConf.set("hadoop.proxyuser.userA.groups", "groupB");
-    ProxyUsers.refreshSuperUserGroupsConfiguration(spengoConf);
-
-    HttpServer2 httpServer = null;
-    try {
-      // Create http server to test.
-      httpServer = getCommonBuilder()
-          .setConf(spengoConf)
-          .setACL(new AccessControlList("userA groupA"))
-          .build();
-      httpServer.start();
-
-      // Get signer to encrypt token
-      Signer signer = getSignerToEncrypt();
-
-      // setup auth token for userA
-      AuthenticatedURL.Token token = getEncryptedAuthToken(signer, "userA");
-
-      String serverURL = "http://" +
-          NetUtils.getHostPortString(httpServer.getConnectorAddress(0)) + "/";
-
-      // The default authenticator is kerberos.
-      AuthenticatedURL authUrl = new AuthenticatedURL();
-
-      // userA impersonates userB, it's allowed.
-      for (String servlet :
-          new String[]{"stacks", "jmx", "conf"}) {
-        HttpURLConnection conn = authUrl
-            .openConnection(new URL(serverURL + servlet + "?doAs=userB"),
-                token);
-        Assert.assertEquals(HttpURLConnection.HTTP_OK, conn.getResponseCode());
-      }
-
-      // userA cannot impersonate userC, it fails.
-      for (String servlet :
-          new String[]{"stacks", "jmx", "conf"}){
-        HttpURLConnection conn = authUrl
-            .openConnection(new URL(serverURL + servlet + "?doAs=userC"),
-                token);
-        Assert.assertEquals(HttpURLConnection.HTTP_FORBIDDEN,
-            conn.getResponseCode());
-      }
-
-      // "/logs" and "/logLevel" require admin authorization,
-      // only userA has the access.
-      for (String servlet :
-          new String[]{"logLevel", "logs"}) {
-        HttpURLConnection conn = authUrl
-            .openConnection(new URL(serverURL + servlet), token);
-        Assert.assertEquals(HttpURLConnection.HTTP_OK, conn.getResponseCode());
-      }
-
-      // Setup token for userB
-      token = getEncryptedAuthToken(signer, "userB");
-
-      // userB cannot access these servlets.
-      for (String servlet :
-          new String[]{"logLevel", "logs"}) {
-        HttpURLConnection conn = authUrl
-            .openConnection(new URL(serverURL + servlet), token);
-        Assert.assertEquals(HttpURLConnection.HTTP_FORBIDDEN,
-            conn.getResponseCode());
-      }
-
-    } finally {
-      if (httpServer != null) {
-        httpServer.stop();
-      }
-    }
-  }
-
-  @Test
-  public void testSessionCookie() throws Exception {
-    Configuration conf = new Configuration();
-    conf.set(HttpServer2.FILTER_INITIALIZER_PROPERTY,
-        AuthenticationFilterInitializer.class.getName());
-    conf.set(PREFIX + "type", "kerberos");
-    conf.setBoolean(PREFIX + "simple.anonymous.allowed", false);
-    conf.set(PREFIX + "signer.secret.provider",
-        TestSignerSecretProvider.class.getName());
-
-    conf.set(PREFIX + "kerberos.keytab",
-        httpSpnegoKeytabFile.getAbsolutePath());
-    conf.set(PREFIX + "kerberos.principal", httpSpnegoPrincipal);
-    conf.set(PREFIX + "cookie.domain", realm);
-    conf.setBoolean(CommonConfigurationKeys.HADOOP_SECURITY_AUTHORIZATION,
-        true);
-
-    //setup logs dir
-    System.setProperty("hadoop.log.dir", testRootDir.getAbsolutePath());
-
-    HttpServer2 httpServer = null;
-    // Create http server to test.
-    httpServer = getCommonBuilder()
-        .setConf(conf)
-        .build();
-    httpServer.start();
-
-    // Get signer to encrypt token
-    final Signer signer = new Signer(new TestSignerSecretProvider());
-    final AuthenticatedURL authUrl = new AuthenticatedURL();
-
-    final URL url = new URL("http://" + NetUtils.getHostPortString(
-        httpServer.getConnectorAddress(0)) + "/conf");
-
-    // this illustrates an inconsistency with AuthenticatedURL.  the
-    // authenticator is only called when the token is not set.  if the
-    // authenticator fails then it must throw an AuthenticationException to
-    // the caller, yet the caller may see 401 for subsequent requests
-    // that require re-authentication like token expiration.
-    final UserGroupInformation simpleUgi =
-        UserGroupInformation.createRemoteUser("simple-user");
-
-    authUgi.doAs(new PrivilegedExceptionAction<Void>() {
-      @Override
-      public Void run() throws Exception {
-        TestSignerSecretProvider.rollSecret();
-        HttpURLConnection conn = null;
-        AuthenticatedURL.Token token = new AuthenticatedURL.Token();
-
-        // initial request should trigger authentication and set the token.
-        conn = authUrl.openConnection(url, token);
-        Assert.assertEquals(HttpURLConnection.HTTP_OK, conn.getResponseCode());
-        Assert.assertTrue(token.isSet());
-        String cookie = token.toString();
-
-        // token should not change.
-        conn = authUrl.openConnection(url, token);
-        Assert.assertEquals(HttpURLConnection.HTTP_OK, conn.getResponseCode());
-        Assert.assertTrue(token.isSet());
-        Assert.assertEquals(cookie, token.toString());
-
-        // roll secret to invalidate token.
-        TestSignerSecretProvider.rollSecret();
-        conn = authUrl.openConnection(url, token);
-        // this may or may not happen.  under normal circumstances the
-        // jdk will silently renegotiate and the client never sees a 401.
-        // however in some cases the jdk will give up doing spnego.  since
-        // the token is already set, the authenticator isn't invoked (which
-        // would do the spnego if the jdk doesn't), which causes the client
-        // to see a 401.
-        if (conn.getResponseCode() == HttpURLConnection.HTTP_UNAUTHORIZED) {
-          // if this happens, the token should be cleared which means the
-          // next request should succeed and receive a new token.
-          Assert.assertFalse(token.isSet());
-          conn = authUrl.openConnection(url, token);
-        }
-
-        // token should change.
-        Assert.assertEquals(HttpURLConnection.HTTP_OK, conn.getResponseCode());
-        Assert.assertTrue(token.isSet());
-        Assert.assertNotEquals(cookie, token.toString());
-        cookie = token.toString();
-
-        // token should not change.
-        for (int i=0; i < 3; i++) {
-          conn = authUrl.openConnection(url, token);
-          Assert.assertEquals("attempt"+i,
-              HttpURLConnection.HTTP_OK, conn.getResponseCode());
-          Assert.assertTrue(token.isSet());
-          Assert.assertEquals(cookie, token.toString());
-        }
-
-        // blow out the kerberos creds test only auth token is used.
-        Subject s = Subject.getSubject(AccessController.getContext());
-        Set<Object> oldCreds = new HashSet<>(s.getPrivateCredentials());
-        s.getPrivateCredentials().clear();
-
-        // token should not change.
-        for (int i=0; i < 3; i++) {
-          try {
-            conn = authUrl.openConnection(url, token);
-            Assert.assertEquals("attempt"+i,
-                HttpURLConnection.HTTP_OK, conn.getResponseCode());
-          } catch (AuthenticationException ae) {
-            Assert.fail("attempt"+i+" "+ae);
-          }
-          Assert.assertTrue(token.isSet());
-          Assert.assertEquals(cookie, token.toString());
-        }
-
-        // invalidate token.  connections should fail now and token should be
-        // unset.
-        TestSignerSecretProvider.rollSecret();
-        conn = authUrl.openConnection(url, token);
-        Assert.assertEquals(
-            HttpURLConnection.HTTP_UNAUTHORIZED, conn.getResponseCode());
-        Assert.assertFalse(token.isSet());
-        Assert.assertEquals("", token.toString());
-
-        // restore the kerberos creds, should work again.
-        s.getPrivateCredentials().addAll(oldCreds);
-        conn = authUrl.openConnection(url, token);
-        Assert.assertEquals(
-            HttpURLConnection.HTTP_OK, conn.getResponseCode());
-        Assert.assertTrue(token.isSet());
-        cookie = token.toString();
-
-        // token should not change.
-        for (int i=0; i < 3; i++) {
-          conn = authUrl.openConnection(url, token);
-          Assert.assertEquals("attempt"+i,
-              HttpURLConnection.HTTP_OK, conn.getResponseCode());
-          Assert.assertTrue(token.isSet());
-          Assert.assertEquals(cookie, token.toString());
-        }
-        return null;
-      }
-    });
-
-    simpleUgi.doAs(new PrivilegedExceptionAction<Void>() {
-      @Override
-      public Void run() throws Exception {
-        TestSignerSecretProvider.rollSecret();
-        AuthenticatedURL authUrl = new AuthenticatedURL();
-        AuthenticatedURL.Token token = new AuthenticatedURL.Token();
-        HttpURLConnection conn = null;
-
-        // initial connect with unset token will trigger authenticator which
-        // should fail since we have no creds and leave token unset.
-        try {
-          authUrl.openConnection(url, token);
-          Assert.fail("should fail with no credentials");
-        } catch (AuthenticationException ae) {
-          Assert.assertNotNull(ae.getCause());
-          Assert.assertEquals(GSSException.class, ae.getCause().getClass());
-          GSSException gsse = (GSSException)ae.getCause();
-          Assert.assertEquals(GSSException.NO_CRED, gsse.getMajor());
-        } catch (Throwable t) {
-          Assert.fail("Unexpected exception" + t);
-        }
-        Assert.assertFalse(token.isSet());
-
-        // create a valid token and save its value.
-        token = getEncryptedAuthToken(signer, "valid");
-        String cookie = token.toString();
-
-        // server should accept token.  after the request the token should
-        // be set to the same value (ie. server didn't reissue cookie)
-        conn = authUrl.openConnection(url, token);
-        Assert.assertEquals(HttpURLConnection.HTTP_OK, conn.getResponseCode());
-        Assert.assertTrue(token.isSet());
-        Assert.assertEquals(cookie, token.toString());
-
-        conn = authUrl.openConnection(url, token);
-        Assert.assertEquals(HttpURLConnection.HTTP_OK, conn.getResponseCode());
-        Assert.assertTrue(token.isSet());
-        Assert.assertEquals(cookie, token.toString());
-
-        // change the secret to effectively invalidate the cookie.  see above
-        // regarding inconsistency.  the authenticator has no way to know the
-        // token is bad, so the client will encounter a 401 instead of
-        // AuthenticationException.
-        TestSignerSecretProvider.rollSecret();
-        conn = authUrl.openConnection(url, token);
-        Assert.assertEquals(
-            HttpURLConnection.HTTP_UNAUTHORIZED, conn.getResponseCode());
-        Assert.assertFalse(token.isSet());
-        Assert.assertEquals("", token.toString());
-        return null;
-      }
-    });
-  }
-
-  public static class TestSignerSecretProvider extends SignerSecretProvider {
-    static int n = 0;
-    static byte[] secret;
-
-    static void rollSecret() {
-      secret = ("secret[" + (n++) + "]").getBytes();
-    }
-
-    public TestSignerSecretProvider() {
-    }
-
-    @Override
-    public void init(Properties config, ServletContext servletContext,
-            long tokenValidity) throws Exception {
-      rollSecret();
-    }
-
-    @Override
-    public byte[] getCurrentSecret() {
-      return secret;
-    }
-
-    @Override
-    public byte[][] getAllSecrets() {
-      return new byte[][]{secret};
-    }
-  }
-
-  private AuthenticatedURL.Token getEncryptedAuthToken(Signer signer,
-      String user) throws Exception {
-    AuthenticationToken token =
-        new AuthenticationToken(user, user, "kerberos");
-    token.setExpires(System.currentTimeMillis() + TIMEOUT);
-    return new AuthenticatedURL.Token(signer.sign(token.toString()));
-  }
-
-  private Signer getSignerToEncrypt() throws Exception {
-    SignerSecretProvider secretProvider =
-        StringSignerSecretProviderCreator.newStringSignerSecretProvider();
-    Properties secretProviderProps = new Properties();
-    secretProviderProps.setProperty(
-        AuthenticationFilter.SIGNATURE_SECRET, SECRET_STR);
-    secretProvider.init(secretProviderProps, null, TIMEOUT);
-    return new Signer(secretProvider);
-  }
-
-  private Configuration getSpengoConf(Configuration conf) {
-    conf = new Configuration();
-    conf.set(HttpServer2.FILTER_INITIALIZER_PROPERTY,
-        AuthenticationFilterInitializer.class.getName());
-    conf.set(PREFIX + "type", "kerberos");
-    conf.setBoolean(PREFIX + "simple.anonymous.allowed", false);
-    conf.set(PREFIX + "signature.secret.file",
-        secretFile.getAbsolutePath());
-    conf.set(PREFIX + "kerberos.keytab",
-        httpSpnegoKeytabFile.getAbsolutePath());
-    conf.set(PREFIX + "kerberos.principal", httpSpnegoPrincipal);
-    conf.set(PREFIX + "cookie.domain", realm);
-    conf.setBoolean(CommonConfigurationKeys.HADOOP_SECURITY_AUTHORIZATION,
-        true);
-    return conf;
-  }
-
-  private HttpServer2.Builder getCommonBuilder() throws Exception {
-    return new HttpServer2.Builder().setName("test")
-        .addEndpoint(new URI("http://localhost:0"))
-        .setFindPort(true);
-  }
-}
diff --git a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestAuthenticationFilter.java b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestAuthenticationFilter.java
index 64cd9b7..c8179e2 100644
--- a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestAuthenticationFilter.java
+++ b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestAuthenticationFilter.java
@@ -19,12 +19,16 @@ package org.apache.hadoop.security;
 
 import junit.framework.TestCase;
 import org.apache.hadoop.http.HttpServer2;
+import org.apache.hadoop.security.authentication.server.AuthenticationFilter;
 import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.http.FilterContainer;
 import org.mockito.Mockito;
 import org.mockito.invocation.InvocationOnMock;
 import org.mockito.stubbing.Answer;
 
+import java.io.File;
+import java.io.FileWriter;
+import java.io.Writer;
 import java.util.Map;
 
 public class TestAuthenticationFilter extends TestCase {
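Review bot: The three `java.io` imports added in this hunk (`File`, `FileWriter`, `Writer`) are not referenced by any other hunk of this file's diff, so unless code outside the hunks uses them they are unused and should be dropped. Only the `AuthenticationFilter` import is visibly needed, by the assertion added in the hunk at -46,6. If the imports belong to a secret-file setup that the cherry-pick conflict resolution left out, that setup should be restored or the imports removed so the test file states what it actually depends on.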
@@ -38,7 +42,7 @@ public class TestAuthenticationFilter extends TestCase {
     
     FilterContainer container = Mockito.mock(FilterContainer.class);
     Mockito.doAnswer(
-        new Answer() {
+      new Answer() {
         @Override
         public Object answer(InvocationOnMock invocationOnMock)
           throws Throwable {
@@ -46,6 +50,8 @@ public class TestAuthenticationFilter extends TestCase {
 
           assertEquals("authentication", args[0]);
 
+          assertEquals(AuthenticationFilter.class.getName(), args[1]);
+
           Map<String, String> conf = (Map<String, String>) args[2];
           assertEquals("/", conf.get("cookie.path"));
 
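Review bot: The added `assertEquals(AuthenticationFilter.class.getName(), args[1])` pins only the class name passed to `addFilter`; nothing in this test sends a request through the filter. The same commit deletes `TestHttpServerWithSpengo`, whose `testSessionCookie` did not use `doAs` and exercised signed-token rejection after `rollSecret()` against a real `HttpServer2`. Unless that behaviour is covered elsewhere, the revert also drops coverage of auth-cookie invalidation on secret rollover; I would keep that test method in a file of its own rather than delete it with the proxy-user tests. The `answer` method body continues outside this hunk.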
@@ -60,8 +66,9 @@ public class TestAuthenticationFilter extends TestCase {
           assertEquals("bar", conf.get("foo"));
 
           return null;
-        }}
-        ).when(container).addFilter(Mockito.<String>anyObject(),
+        }
+      }
+    ).when(container).addFilter(Mockito.<String>anyObject(),
                                 Mockito.<String>anyObject(),
                                 Mockito.<Map<String, String>>anyObject());
 
diff --git a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestAuthenticationWithProxyUserFilter.java b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestAuthenticationWithProxyUserFilter.java
deleted file mode 100644
index 504f5a1..0000000
--- a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestAuthenticationWithProxyUserFilter.java
+++ /dev/null
@@ -1,78 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with this
- * work for additional information regarding copyright ownership. The ASF
- * licenses this file to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
- * License for the specific language governing permissions and limitations under
- * the License.
- */
-package org.apache.hadoop.security;
-
-
-import junit.framework.TestCase;
-import org.apache.hadoop.http.HttpServer2;
-import org.apache.hadoop.conf.Configuration;
-import org.apache.hadoop.http.FilterContainer;
-import org.mockito.Mockito;
-import org.mockito.invocation.InvocationOnMock;
-import org.mockito.stubbing.Answer;
-import java.util.Map;
-
-/**
- * This class is tested for {@link AuthenticationWithProxyUserFilter}
- * to verify configurations of this filter.
- */
-public class TestAuthenticationWithProxyUserFilter extends TestCase {
-
-  @SuppressWarnings("unchecked")
-  public void testConfiguration() throws Exception {
-    Configuration conf = new Configuration();
-    conf.set("hadoop.http.authentication.foo", "bar");
-
-    conf.set(HttpServer2.BIND_ADDRESS, "barhost");
-
-    FilterContainer container = Mockito.mock(FilterContainer.class);
-    Mockito.doAnswer(
-      new Answer() {
-        @Override
-        public Object answer(InvocationOnMock invocationOnMock)
-          throws Throwable {
-          Object[] args = invocationOnMock.getArguments();
-
-          assertEquals("authentication", args[0]);
-
-          assertEquals(
-              AuthenticationWithProxyUserFilter.class.getName(), args[1]);
-
-          Map<String, String> conf = (Map<String, String>) args[2];
-          assertEquals("/", conf.get("cookie.path"));
-
-          assertEquals("simple", conf.get("type"));
-          assertEquals("36000", conf.get("token.validity"));
-          assertNull(conf.get("cookie.domain"));
-          assertEquals("true", conf.get("simple.anonymous.allowed"));
-          assertEquals("HTTP/barhost@LOCALHOST",
-                       conf.get("kerberos.principal"));
-          assertEquals(System.getProperty("user.home") +
-                       "/hadoop.keytab", conf.get("kerberos.keytab"));
-          assertEquals("bar", conf.get("foo"));
-
-          return null;
-        }
-      }
-    ).when(container).addFilter(Mockito.<String>anyObject(),
-                                Mockito.<String>anyObject(),
-                                Mockito.<Map<String, String>>anyObject());
-
-    new AuthenticationFilterInitializer().initFilter(container, conf);
-  }
-
-}




[hadoop] 02/02: Updated timeline reader to use AuthenticationFilter

Posted by iw...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

iwasakims pushed a commit to branch branch-2.10.1
in repository https://gitbox.apache.org/repos/asf/hadoop.git

commit 1827467c9a56f133025f28557bfc2c562d78e816
Author: Wangda Tan <wa...@apache.org>
AuthorDate: Thu Mar 8 09:23:45 2018 -0800

    Updated timeline reader to use AuthenticationFilter
    
    Change-Id: I961771589180c1eb377d36c37a79aa23754effbf
    (cherry picked from commit 837338788eb903d0e8bbb1230694782a707891be)
    (cherry picked from commit ea18e70a74e811ffa48c7e18e68510dd37dda63d)
    (cherry picked from commit 4885ea61fee6e1da440a9b3cc98a42ffa443f75c)
---
 .../TimelineReaderAuthenticationFilterInitializer.java         | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-timelineservice/src/main/java/org/apache/hadoop/yarn/server/timelineservice/reader/security/TimelineReaderAuthenticationFilterInitializer.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-timelineservice/src/main/java/org/apache/hadoop/yarn/server/timelineservice/reader/security/TimelineReaderAuthenticationFilterInitializer.java
index e1c93be..d81e5e8 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-timelineservice/src/main/java/org/apache/hadoop/yarn/server/timelineservice/reader/security/TimelineReaderAuthenticationFilterInitializer.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-timelineservice/src/main/java/org/apache/hadoop/yarn/server/timelineservice/reader/security/TimelineReaderAuthenticationFilterInitializer.java
@@ -20,11 +20,11 @@ package org.apache.hadoop.yarn.server.timelineservice.reader.security;
 
 import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.http.FilterContainer;
-import org.apache.hadoop.security.AuthenticationWithProxyUserFilter;
+import org.apache.hadoop.security.authentication.server.AuthenticationFilter;
 import org.apache.hadoop.yarn.server.timeline.security.TimelineAuthenticationFilterInitializer;
 
 /**
- * Filter initializer to initialize {@link AuthenticationWithProxyUserFilter}
+ * Filter initializer to initialize {@link AuthenticationFilter}
  * for ATSv2 timeline reader server with timeline service specific
  * configurations.
  */
@@ -32,9 +32,9 @@ public class TimelineReaderAuthenticationFilterInitializer extends
     TimelineAuthenticationFilterInitializer{
 
   /**
-   * Initializes {@link AuthenticationWithProxyUserFilter}
+   * Initializes {@link AuthenticationFilter}
    * <p>
-   * Propagates to {@link AuthenticationWithProxyUserFilter} configuration all
+   * Propagates to {@link AuthenticationFilter} configuration all
    * YARN configuration properties prefixed with
    * {@link TimelineAuthenticationFilterInitializer#PREFIX}.
    *
@@ -47,7 +47,7 @@ public class TimelineReaderAuthenticationFilterInitializer extends
   public void initFilter(FilterContainer container, Configuration conf) {
     setAuthFilterConfig(conf);
     container.addGlobalFilter("Timeline Reader Authentication Filter",
-        AuthenticationWithProxyUserFilter.class.getName(),
+        AuthenticationFilter.class.getName(),
         getFilterConfig());
   }
 }
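Review bot: Passing `AuthenticationFilter.class.getName()` to `addGlobalFilter` in `initFilter` changes which filter guards every timeline reader endpoint, but the Javadoc edits in the earlier hunks only swap the class name and do not record the behavioural consequence. Judging by the title of the reverted commit, the removed `AuthenticationWithProxyUserFilter` presumably handled proxy-user requests, so the method Javadoc (which starts outside this hunk) should say something like `Proxy-user (doAs) parameters are not interpreted by this filter; requests are attributed to the authenticated caller.` after confirming that this is the intended behaviour. The diffstat shows a single changed file with no test. A check modelled on `TestAuthenticationFilter` that asserts the class name handed to `addGlobalFilter` would keep this registration from drifting silently.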

