Posted to commits@knox.apache.org by mo...@apache.org on 2017/09/01 13:17:11 UTC
[13/64] [partial] knox git commit: KNOX-998 - Refactoring save 1
http://git-wip-us.apache.org/repos/asf/knox/blob/af9b0c3d/gateway-provider-security-authc-anon/src/test/java/org/apache/knox/gateway/deploy/AnonymousAuthDeploymentContributorTest.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-authc-anon/src/test/java/org/apache/knox/gateway/deploy/AnonymousAuthDeploymentContributorTest.java b/gateway-provider-security-authc-anon/src/test/java/org/apache/knox/gateway/deploy/AnonymousAuthDeploymentContributorTest.java
new file mode 100644
index 0000000..c1d8fcb
--- /dev/null
+++ b/gateway-provider-security-authc-anon/src/test/java/org/apache/knox/gateway/deploy/AnonymousAuthDeploymentContributorTest.java
@@ -0,0 +1,44 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ * <p/>
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * <p/>
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.knox.gateway.deploy;
+
+import org.junit.Test;
+
+import java.util.Iterator;
+import java.util.ServiceLoader;
+
+import static org.hamcrest.MatcherAssert.assertThat;
+import static org.junit.Assert.fail;
+
+public class AnonymousAuthDeploymentContributorTest {
+
+ @Test
+ public void testServiceLoader() throws Exception {
+ ServiceLoader loader = ServiceLoader.load( ProviderDeploymentContributor.class );
+ Iterator iterator = loader.iterator();
+ assertThat( "Service iterator empty.", iterator.hasNext() );
+ while( iterator.hasNext() ) {
+ Object object = iterator.next();
+ if( object instanceof AnonymousAuthDeploymentContributor ) {
+ return;
+ }
+ }
+ fail( "Failed to find " + AnonymousAuthDeploymentContributor.class.getName() + " via service loader." );
+ }
+
+}
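Review bot: `ServiceLoader loader` and `Iterator iterator` in testServiceLoader are raw types, which is why the `instanceof` check on `Object object` is needed at all; the parameterized form `ServiceLoader<ProviderDeploymentContributor> loader = ServiceLoader.load( ProviderDeploymentContributor.class );` and `Iterator<ProviderDeploymentContributor> iterator = loader.iterator();` compiles without unchecked warnings and still lets the loop keep the same `instanceof AnonymousAuthDeploymentContributor` test. The `throws Exception` on the signature is not needed by anything in the body and can be dropped. A one-line Javadoc such as `/** Verifies the anon provider is discoverable through META-INF/services. */` would tell a reader why a deployment-contributor test only exercises ServiceLoader.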
http://git-wip-us.apache.org/repos/asf/knox/blob/af9b0c3d/gateway-provider-security-authz-acls/src/main/java/org/apache/hadoop/gateway/deploy/impl/AclsAuthzDeploymentContributor.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-authz-acls/src/main/java/org/apache/hadoop/gateway/deploy/impl/AclsAuthzDeploymentContributor.java b/gateway-provider-security-authz-acls/src/main/java/org/apache/hadoop/gateway/deploy/impl/AclsAuthzDeploymentContributor.java
deleted file mode 100644
index 2c150e3..0000000
--- a/gateway-provider-security-authz-acls/src/main/java/org/apache/hadoop/gateway/deploy/impl/AclsAuthzDeploymentContributor.java
+++ /dev/null
@@ -1,75 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.hadoop.gateway.deploy.impl;
-
-import org.apache.hadoop.gateway.deploy.DeploymentContext;
-import org.apache.hadoop.gateway.deploy.ProviderDeploymentContributorBase;
-import org.apache.hadoop.gateway.descriptor.FilterParamDescriptor;
-import org.apache.hadoop.gateway.descriptor.ResourceDescriptor;
-import org.apache.hadoop.gateway.services.security.KeystoreService;
-import org.apache.hadoop.gateway.services.security.KeystoreServiceException;
-import org.apache.hadoop.gateway.topology.Provider;
-import org.apache.hadoop.gateway.topology.Service;
-
-import java.util.ArrayList;
-import java.util.List;
-import java.util.Map;
-import java.util.Map.Entry;
-
-public class AclsAuthzDeploymentContributor extends ProviderDeploymentContributorBase {
-
- private static final String FILTER_CLASSNAME = "org.apache.hadoop.gateway.filter.AclsAuthorizationFilter";
-
- @Override
- public String getRole() {
- return "authorization";
- }
-
- @Override
- public String getName() {
- return "AclsAuthz";
- }
-
- @Override
- public void initializeContribution(DeploymentContext context) {
- super.initializeContribution(context);
- }
-
- @Override
- public void contributeProvider( DeploymentContext context, Provider provider ) {
- }
-
- @Override
- public void contributeFilter( DeploymentContext context, Provider provider, Service service,
- ResourceDescriptor resource, List<FilterParamDescriptor> params ) {
- if (params == null) {
- params = new ArrayList<FilterParamDescriptor>();
- }
- // add resource role to params so that we can determine the acls to enforce at runtime
- params.add( resource.createFilterParam().name( "resource.role" ).value(resource.role() ) );
-
- // blindly add all the provider params as filter init params
- // this will include any {resource.role}-ACLS parameters to be enforced - such as NAMENODE-ACLS
- Map<String, String> providerParams = provider.getParams();
- for(Entry<String, String> entry : providerParams.entrySet()) {
- params.add( resource.createFilterParam().name( entry.getKey().toLowerCase() ).value( entry.getValue() ) );
- }
-
- resource.addFilter().name( getName() ).role( getRole() ).impl( FILTER_CLASSNAME ).params( params );
- }
-}
http://git-wip-us.apache.org/repos/asf/knox/blob/af9b0c3d/gateway-provider-security-authz-acls/src/main/java/org/apache/hadoop/gateway/filter/AclParser.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-authz-acls/src/main/java/org/apache/hadoop/gateway/filter/AclParser.java b/gateway-provider-security-authz-acls/src/main/java/org/apache/hadoop/gateway/filter/AclParser.java
deleted file mode 100644
index 13499c3..0000000
--- a/gateway-provider-security-authz-acls/src/main/java/org/apache/hadoop/gateway/filter/AclParser.java
+++ /dev/null
@@ -1,85 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.hadoop.gateway.filter;
-
-import java.util.ArrayList;
-import java.util.Collections;
-
-import org.apache.hadoop.gateway.i18n.messages.MessagesFactory;
-import org.apache.hadoop.gateway.util.IpAddressValidator;
-
-/**
- */
-public class AclParser {
- private static AclsAuthorizationMessages log = MessagesFactory.get( AclsAuthorizationMessages.class );
-
- public String resourceRole;
- public ArrayList<String> users;
- public ArrayList<String> groups;
- public boolean anyUser = true;
- public boolean anyGroup = true;
- public IpAddressValidator ipv;
-
-
- public AclParser() {
- }
-
- public void parseAcls(String resourceRole, String acls) throws InvalidACLException {
- if (acls != null) {
- String[] parts = acls.split(";");
- if (parts.length != 3) {
- log.invalidAclsFoundForResource(resourceRole);
- throw new InvalidACLException("Invalid ACLs specified for requested resource: " + resourceRole);
- }
- else {
- log.aclsFoundForResource(resourceRole);
- }
- parseUserAcls(parts);
-
- parseGroupAcls(parts);
-
- parseIpAddressAcls(parts);
- }
- else {
- log.noAclsFoundForResource(resourceRole);
- users = new ArrayList<String>();
- groups = new ArrayList<String>();
- ipv = new IpAddressValidator(null);
- }
- }
-
- private void parseUserAcls(String[] parts) {
- users = new ArrayList<String>();
- Collections.addAll(users, parts[0].split(","));
- if (!users.contains("*")) {
- anyUser = false;
- }
- }
-
- private void parseGroupAcls(String[] parts) {
- groups = new ArrayList<String>();
- Collections.addAll(groups, parts[1].split(","));
- if (!groups.contains("*")) {
- anyGroup = false;
- }
- }
-
- private void parseIpAddressAcls(String[] parts) {
- ipv = new IpAddressValidator(parts[2]);
- }
-}
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/knox/blob/af9b0c3d/gateway-provider-security-authz-acls/src/main/java/org/apache/hadoop/gateway/filter/AclsAuthorizationFilter.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-authz-acls/src/main/java/org/apache/hadoop/gateway/filter/AclsAuthorizationFilter.java b/gateway-provider-security-authz-acls/src/main/java/org/apache/hadoop/gateway/filter/AclsAuthorizationFilter.java
deleted file mode 100644
index 343d87f..0000000
--- a/gateway-provider-security-authz-acls/src/main/java/org/apache/hadoop/gateway/filter/AclsAuthorizationFilter.java
+++ /dev/null
@@ -1,216 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.hadoop.gateway.filter;
-
-import javax.security.auth.Subject;
-import javax.servlet.Filter;
-import javax.servlet.FilterChain;
-import javax.servlet.FilterConfig;
-import javax.servlet.ServletException;
-import javax.servlet.ServletRequest;
-import javax.servlet.ServletResponse;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-
-import org.apache.hadoop.gateway.audit.api.Action;
-import org.apache.hadoop.gateway.audit.api.ActionOutcome;
-import org.apache.hadoop.gateway.audit.api.AuditServiceFactory;
-import org.apache.hadoop.gateway.audit.api.Auditor;
-import org.apache.hadoop.gateway.audit.api.ResourceType;
-import org.apache.hadoop.gateway.audit.log4j.audit.AuditConstants;
-import org.apache.hadoop.gateway.i18n.messages.MessagesFactory;
-import org.apache.hadoop.gateway.security.GroupPrincipal;
-import org.apache.hadoop.gateway.security.ImpersonatedPrincipal;
-import org.apache.hadoop.gateway.security.PrimaryPrincipal;
-import org.apache.hadoop.gateway.util.IpAddressValidator;
-import org.apache.hadoop.gateway.util.urltemplate.Template;
-
-import java.io.IOException;
-import java.security.AccessController;
-import java.security.Principal;
-import java.util.ArrayList;
-import java.util.Collections;
-
-public class AclsAuthorizationFilter implements Filter {
- private static AclsAuthorizationMessages log = MessagesFactory.get( AclsAuthorizationMessages.class );
- private static Auditor auditor = AuditServiceFactory.getAuditService().getAuditor( AuditConstants.DEFAULT_AUDITOR_NAME,
- AuditConstants.KNOX_SERVICE_NAME, AuditConstants.KNOX_COMPONENT_NAME );
-
- private String resourceRole = null;
- private String aclProcessingMode = null;
- private AclParser parser = new AclParser();
-
-
- @Override
- public void init(FilterConfig filterConfig) throws ServletException {
- resourceRole = getInitParameter(filterConfig, "resource.role");
- log.initializingForResourceRole(resourceRole);
- aclProcessingMode = getInitParameter(filterConfig, resourceRole + ".acl.mode");
- if (aclProcessingMode == null) {
- aclProcessingMode = getInitParameter(filterConfig, "acl.mode");
- if (aclProcessingMode == null) {
- aclProcessingMode = "AND";
- }
- }
- log.aclProcessingMode(aclProcessingMode);
- String acls = getInitParameter(filterConfig, resourceRole + ".acl");
- parser.parseAcls(resourceRole, acls);
- }
-
- private String getInitParameter(FilterConfig filterConfig, String paramName) {
- return filterConfig.getInitParameter(paramName.toLowerCase());
- }
-
- public void destroy() {
- }
-
- public void doFilter(ServletRequest request, ServletResponse response,
- FilterChain chain) throws IOException, ServletException {
- boolean accessGranted = enforceAclAuthorizationPolicy(request, response, chain);
- log.accessGranted(accessGranted);
- String sourceUrl = (String)request.getAttribute( AbstractGatewayFilter.SOURCE_REQUEST_CONTEXT_URL_ATTRIBUTE_NAME );
- if (accessGranted) {
- auditor.audit( Action.AUTHORIZATION, sourceUrl, ResourceType.URI, ActionOutcome.SUCCESS );
- chain.doFilter(request, response);
- }
- else {
- auditor.audit( Action.AUTHORIZATION, sourceUrl, ResourceType.URI, ActionOutcome.FAILURE );
- sendForbidden((HttpServletResponse) response);
- }
- }
-
- private boolean enforceAclAuthorizationPolicy(ServletRequest request,
- ServletResponse response, FilterChain chain) {
- HttpServletRequest req = (HttpServletRequest) request;
-
- // before enforcing acls check whether there are no acls defined
- // which would mean that there are no restrictions
- if (parser.users.size() == 0 && parser.groups.size() == 0 && parser.ipv.getIPAddresses().size() == 0) {
- return true;
- }
-
- boolean userAccess = false;
- boolean groupAccess = false;
- boolean ipAddrAccess = false;
-
- Subject subject = Subject.getSubject(AccessController.getContext());
- Principal primaryPrincipal = (Principal)subject.getPrincipals(PrimaryPrincipal.class).toArray()[0];
- log.primaryPrincipal(primaryPrincipal.getName());
- Object[] impersonations = subject.getPrincipals(ImpersonatedPrincipal.class).toArray();
- if (impersonations.length > 0) {
- log.impersonatedPrincipal(((Principal)impersonations[0]).getName());
- userAccess = checkUserAcls((Principal)impersonations[0]);
- log.impersonatedPrincipalHasAccess(userAccess);
- }
- else {
- userAccess = checkUserAcls(primaryPrincipal);
- log.primaryPrincipalHasAccess(userAccess);
- }
- Object[] groups = subject.getPrincipals(GroupPrincipal.class).toArray();
- if (groups.length > 0) {
-// System.out.println("GroupPrincipal: " + ((Principal)groups[0]).getName());
- groupAccess = checkGroupAcls(groups);
- log.groupPrincipalHasAccess(groupAccess);
- }
- else {
- // if we have no groups in the subject then make
- // it true if there is an anyGroup acl
- // for AND mode and acls like *;*;127.0.0.* we need to
- // make it pass
- if (parser.anyGroup && aclProcessingMode.equals("AND")) {
- groupAccess = true;
- }
- }
- log.remoteIPAddress(req.getRemoteAddr());
- ipAddrAccess = checkRemoteIpAcls(req.getRemoteAddr());
- log.remoteIPAddressHasAccess(ipAddrAccess);
-
- if (aclProcessingMode.equals("OR")) {
- // need to interpret '*' as excluded for OR semantics
- // to make sense and not grant access to everyone by mistake.
- // exclusion in OR is equivalent to denied
- // so, let's set each one that contains '*' to false.
- if (parser.anyUser) userAccess = false;
- if (parser.anyGroup) groupAccess = false;
- if (parser.ipv.allowsAnyIP()) ipAddrAccess = false;
-
- return (userAccess || groupAccess || ipAddrAccess);
- }
- else if (aclProcessingMode.equals("AND")) {
- return (userAccess && groupAccess && ipAddrAccess);
- }
- return false;
- }
-
- private boolean checkRemoteIpAcls(String remoteAddr) {
- boolean allowed = false;
- if (remoteAddr == null) {
- return false;
- }
- allowed = parser.ipv.validateIpAddress(remoteAddr);
- return allowed;
- }
-
- private boolean checkUserAcls(Principal user) {
- boolean allowed = false;
- if (user == null) {
- return false;
- }
- if (parser.anyUser) {
- allowed = true;
- }
- else {
- if (parser.users.contains(user.getName())) {
- allowed = true;
- }
- }
- return allowed;
- }
-
- private boolean checkGroupAcls(Object[] userGroups) {
- boolean allowed = false;
- if (userGroups == null) {
- return false;
- }
- if (parser.anyGroup) {
- allowed = true;
- }
- else {
- for (int i = 0; i < userGroups.length; i++) {
- if (parser.groups.contains(((Principal)userGroups[i]).getName())) {
- allowed = true;
- break;
- }
- }
- }
- return allowed;
- }
-
- private void sendForbidden(HttpServletResponse res) {
- sendErrorCode(res, 403);
- }
-
- private void sendErrorCode(HttpServletResponse res, int code) {
- try {
- res.sendError(code);
- } catch (IOException e) {
- // TODO: log appropriately
- e.printStackTrace();
- }
- }
-}
http://git-wip-us.apache.org/repos/asf/knox/blob/af9b0c3d/gateway-provider-security-authz-acls/src/main/java/org/apache/hadoop/gateway/filter/AclsAuthorizationMessages.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-authz-acls/src/main/java/org/apache/hadoop/gateway/filter/AclsAuthorizationMessages.java b/gateway-provider-security-authz-acls/src/main/java/org/apache/hadoop/gateway/filter/AclsAuthorizationMessages.java
deleted file mode 100644
index 071375d..0000000
--- a/gateway-provider-security-authz-acls/src/main/java/org/apache/hadoop/gateway/filter/AclsAuthorizationMessages.java
+++ /dev/null
@@ -1,66 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.hadoop.gateway.filter;
-
-import org.apache.hadoop.gateway.i18n.messages.Message;
-import org.apache.hadoop.gateway.i18n.messages.MessageLevel;
-import org.apache.hadoop.gateway.i18n.messages.Messages;
-import org.apache.hadoop.gateway.i18n.messages.StackTrace;
-
-@Messages(logger="org.apache.hadoop.gateway")
-public interface AclsAuthorizationMessages {
-
- @Message( level = MessageLevel.INFO, text = "Initializing AclsAuthz Provider for: {0}" )
- void initializingForResourceRole(String resourceRole);
-
- @Message( level = MessageLevel.DEBUG, text = "ACL Processing Mode is: {0}" )
- void aclProcessingMode(String aclProcessingMode);
-
- @Message( level = MessageLevel.WARN, text = "Invalid ACLs found for: {0}" )
- void invalidAclsFoundForResource(String resourceRole);
-
- @Message( level = MessageLevel.INFO, text = "ACLs found for: {0}" )
- void aclsFoundForResource(String resourceRole);
-
- @Message( level = MessageLevel.DEBUG, text = "No ACLs found for: {0}" )
- void noAclsFoundForResource(String resourceRole);
-
- @Message( level = MessageLevel.INFO, text = "Access Granted: {0}" )
- void accessGranted(boolean accessGranted);
-
- @Message( level = MessageLevel.DEBUG, text = "PrimaryPrincipal: {0}" )
- void primaryPrincipal(String name);
-
- @Message( level = MessageLevel.DEBUG, text = "ImpersonatedPrincipal: {0}" )
- void impersonatedPrincipal(String name);
-
- @Message( level = MessageLevel.DEBUG, text = "ImpersonatedPrincipal has access: {0}" )
- void impersonatedPrincipalHasAccess(boolean userAccess);
-
- @Message( level = MessageLevel.DEBUG, text = "PrimaryPrincipal has access: {0}" )
- void primaryPrincipalHasAccess(boolean userAccess);
-
- @Message( level = MessageLevel.DEBUG, text = "GroupPrincipal has access: {0}" )
- void groupPrincipalHasAccess(boolean groupAccess);
-
- @Message( level = MessageLevel.DEBUG, text = "Remote IP Address: {0}" )
- void remoteIPAddress(String remoteAddr);
-
- @Message( level = MessageLevel.DEBUG, text = "Remote IP Address has access: {0}" )
- void remoteIPAddressHasAccess(boolean remoteIpAccess);
-}
http://git-wip-us.apache.org/repos/asf/knox/blob/af9b0c3d/gateway-provider-security-authz-acls/src/main/java/org/apache/hadoop/gateway/filter/AclsAuthorizationResources.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-authz-acls/src/main/java/org/apache/hadoop/gateway/filter/AclsAuthorizationResources.java b/gateway-provider-security-authz-acls/src/main/java/org/apache/hadoop/gateway/filter/AclsAuthorizationResources.java
deleted file mode 100644
index 370336b..0000000
--- a/gateway-provider-security-authz-acls/src/main/java/org/apache/hadoop/gateway/filter/AclsAuthorizationResources.java
+++ /dev/null
@@ -1,27 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.hadoop.gateway.filter;
-
-import org.apache.hadoop.gateway.i18n.resources.Resource;
-import org.apache.hadoop.gateway.i18n.resources.Resources;
-
-@Resources
-public interface AclsAuthorizationResources {
- @Resource( text = "Response status: {0}" )
- String responseStatus( int status );
-}
http://git-wip-us.apache.org/repos/asf/knox/blob/af9b0c3d/gateway-provider-security-authz-acls/src/main/java/org/apache/hadoop/gateway/filter/InvalidACLException.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-authz-acls/src/main/java/org/apache/hadoop/gateway/filter/InvalidACLException.java b/gateway-provider-security-authz-acls/src/main/java/org/apache/hadoop/gateway/filter/InvalidACLException.java
deleted file mode 100644
index 34a4ba1..0000000
--- a/gateway-provider-security-authz-acls/src/main/java/org/apache/hadoop/gateway/filter/InvalidACLException.java
+++ /dev/null
@@ -1,31 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.hadoop.gateway.filter;
-
-/**
- * invalid ACL configuration item
- */
-public class InvalidACLException extends RuntimeException {
-
- private static final long serialVersionUID = -4284269372393774095L;
-
- public InvalidACLException(String message) {
- super(message);
- }
-
-}
http://git-wip-us.apache.org/repos/asf/knox/blob/af9b0c3d/gateway-provider-security-authz-acls/src/main/java/org/apache/knox/gateway/deploy/impl/AclsAuthzDeploymentContributor.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-authz-acls/src/main/java/org/apache/knox/gateway/deploy/impl/AclsAuthzDeploymentContributor.java b/gateway-provider-security-authz-acls/src/main/java/org/apache/knox/gateway/deploy/impl/AclsAuthzDeploymentContributor.java
new file mode 100644
index 0000000..fc5e549
--- /dev/null
+++ b/gateway-provider-security-authz-acls/src/main/java/org/apache/knox/gateway/deploy/impl/AclsAuthzDeploymentContributor.java
@@ -0,0 +1,73 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.knox.gateway.deploy.impl;
+
+import org.apache.knox.gateway.deploy.DeploymentContext;
+import org.apache.knox.gateway.deploy.ProviderDeploymentContributorBase;
+import org.apache.knox.gateway.descriptor.FilterParamDescriptor;
+import org.apache.knox.gateway.descriptor.ResourceDescriptor;
+import org.apache.knox.gateway.topology.Provider;
+import org.apache.knox.gateway.topology.Service;
+
+import java.util.ArrayList;
+import java.util.List;
+import java.util.Map;
+import java.util.Map.Entry;
+
+public class AclsAuthzDeploymentContributor extends ProviderDeploymentContributorBase {
+
+ private static final String FILTER_CLASSNAME = "AclsAuthorizationFilter";
+
+ @Override
+ public String getRole() {
+ return "authorization";
+ }
+
+ @Override
+ public String getName() {
+ return "AclsAuthz";
+ }
+
+ @Override
+ public void initializeContribution(DeploymentContext context) {
+ super.initializeContribution(context);
+ }
+
+ @Override
+ public void contributeProvider( DeploymentContext context, Provider provider ) {
+ }
+
+ @Override
+ public void contributeFilter( DeploymentContext context, Provider provider, Service service,
+ ResourceDescriptor resource, List<FilterParamDescriptor> params ) {
+ if (params == null) {
+ params = new ArrayList<FilterParamDescriptor>();
+ }
+ // add resource role to params so that we can determine the acls to enforce at runtime
+ params.add( resource.createFilterParam().name( "resource.role" ).value(resource.role() ) );
+
+ // blindly add all the provider params as filter init params
+ // this will include any {resource.role}-ACLS parameters to be enforced - such as NAMENODE-ACLS
+ Map<String, String> providerParams = provider.getParams();
+ for(Entry<String, String> entry : providerParams.entrySet()) {
+ params.add( resource.createFilterParam().name( entry.getKey().toLowerCase() ).value( entry.getValue() ) );
+ }
+
+ resource.addFilter().name( getName() ).role( getRole() ).impl( FILTER_CLASSNAME ).params( params );
+ }
+}
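Review bot: `FILTER_CLASSNAME` just below the class header is now the bare simple name `"AclsAuthorizationFilter"`, whereas the removed org.apache.hadoop copy of this file (earlier in this commit) carried the fully qualified `"org.apache.hadoop.gateway.filter.AclsAuthorizationFilter"`; the package rename appears to have stripped the whole prefix rather than replacing it. If `impl()` is resolved by loading the named class at deployment time (not visible in this hunk), the authorization filter will not be found for any topology using this provider, so a deployment test that asserts the filter is actually wired would be worth adding alongside this change. The constant should presumably read `private static final String FILTER_CLASSNAME = "org.apache.knox.gateway.filter.AclsAuthorizationFilter";`, matching the package of the new AclsAuthorizationFilter added later in this commit. Separately, `entry.getKey().toLowerCase()` in contributeFilter is locale-sensitive; `toLowerCase(Locale.ROOT)` (with a `java.util.Locale` import) keeps the lower-cased init-param keys identical to what the filter's lookup side produces regardless of the JVM default locale.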
http://git-wip-us.apache.org/repos/asf/knox/blob/af9b0c3d/gateway-provider-security-authz-acls/src/main/java/org/apache/knox/gateway/filter/AclParser.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-authz-acls/src/main/java/org/apache/knox/gateway/filter/AclParser.java b/gateway-provider-security-authz-acls/src/main/java/org/apache/knox/gateway/filter/AclParser.java
new file mode 100644
index 0000000..ceac18e
--- /dev/null
+++ b/gateway-provider-security-authz-acls/src/main/java/org/apache/knox/gateway/filter/AclParser.java
@@ -0,0 +1,85 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.knox.gateway.filter;
+
+import java.util.ArrayList;
+import java.util.Collections;
+
+import org.apache.knox.gateway.i18n.messages.MessagesFactory;
+import org.apache.knox.gateway.util.IpAddressValidator;
+
+/**
+ */
+public class AclParser {
+ private static AclsAuthorizationMessages log = MessagesFactory.get( AclsAuthorizationMessages.class );
+
+ public String resourceRole;
+ public ArrayList<String> users;
+ public ArrayList<String> groups;
+ public boolean anyUser = true;
+ public boolean anyGroup = true;
+ public IpAddressValidator ipv;
+
+
+ public AclParser() {
+ }
+
+ public void parseAcls(String resourceRole, String acls) throws InvalidACLException {
+ if (acls != null) {
+ String[] parts = acls.split(";");
+ if (parts.length != 3) {
+ log.invalidAclsFoundForResource(resourceRole);
+ throw new InvalidACLException("Invalid ACLs specified for requested resource: " + resourceRole);
+ }
+ else {
+ log.aclsFoundForResource(resourceRole);
+ }
+ parseUserAcls(parts);
+
+ parseGroupAcls(parts);
+
+ parseIpAddressAcls(parts);
+ }
+ else {
+ log.noAclsFoundForResource(resourceRole);
+ users = new ArrayList<String>();
+ groups = new ArrayList<String>();
+ ipv = new IpAddressValidator(null);
+ }
+ }
+
+ private void parseUserAcls(String[] parts) {
+ users = new ArrayList<String>();
+ Collections.addAll(users, parts[0].split(","));
+ if (!users.contains("*")) {
+ anyUser = false;
+ }
+ }
+
+ private void parseGroupAcls(String[] parts) {
+ groups = new ArrayList<String>();
+ Collections.addAll(groups, parts[1].split(","));
+ if (!groups.contains("*")) {
+ anyGroup = false;
+ }
+ }
+
+ private void parseIpAddressAcls(String[] parts) {
+ ipv = new IpAddressValidator(parts[2]);
+ }
+}
\ No newline at end of file
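Review bot: The `resourceRole` parameter of parseAcls shadows the public `resourceRole` field, and nothing in this file ever assigns the field, so any caller reading `parser.resourceRole` gets null; either add `this.resourceRole = resourceRole;` as the first statement of parseAcls or remove the field. The remaining public mutable fields (`users`, `groups`, `anyUser`, `anyGroup`, `ipv`) are the authorization decision inputs read by AclsAuthorizationFilter, so making them `private` with getters, or at least documenting on the class that they are only valid after parseAcls has returned, would keep the enforcement state from being altered from outside. Note also that `acls.split(";")` drops trailing empty segments, so an ACL such as `*;*;` yields two parts and is rejected as invalid; that errs toward fail-closed, which is the right default, but a comment on the `parts.length != 3` check saying so would stop a future maintainer from "fixing" it with `split(";", -1)` without considering the consequences.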
http://git-wip-us.apache.org/repos/asf/knox/blob/af9b0c3d/gateway-provider-security-authz-acls/src/main/java/org/apache/knox/gateway/filter/AclsAuthorizationFilter.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-authz-acls/src/main/java/org/apache/knox/gateway/filter/AclsAuthorizationFilter.java b/gateway-provider-security-authz-acls/src/main/java/org/apache/knox/gateway/filter/AclsAuthorizationFilter.java
new file mode 100644
index 0000000..0002974
--- /dev/null
+++ b/gateway-provider-security-authz-acls/src/main/java/org/apache/knox/gateway/filter/AclsAuthorizationFilter.java
@@ -0,0 +1,212 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.knox.gateway.filter;
+
+import javax.security.auth.Subject;
+import javax.servlet.Filter;
+import javax.servlet.FilterChain;
+import javax.servlet.FilterConfig;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.apache.knox.gateway.audit.api.Action;
+import org.apache.knox.gateway.audit.api.ActionOutcome;
+import org.apache.knox.gateway.audit.api.AuditServiceFactory;
+import org.apache.knox.gateway.audit.api.Auditor;
+import org.apache.knox.gateway.audit.api.ResourceType;
+import org.apache.knox.gateway.audit.log4j.audit.AuditConstants;
+import org.apache.knox.gateway.i18n.messages.MessagesFactory;
+import org.apache.knox.gateway.security.GroupPrincipal;
+import org.apache.knox.gateway.security.ImpersonatedPrincipal;
+import org.apache.knox.gateway.security.PrimaryPrincipal;
+
+import java.io.IOException;
+import java.security.AccessController;
+import java.security.Principal;
+
+public class AclsAuthorizationFilter implements Filter {
+ private static AclsAuthorizationMessages log = MessagesFactory.get( AclsAuthorizationMessages.class );
+ private static Auditor auditor = AuditServiceFactory.getAuditService().getAuditor( AuditConstants.DEFAULT_AUDITOR_NAME,
+ AuditConstants.KNOX_SERVICE_NAME, AuditConstants.KNOX_COMPONENT_NAME );
+
+ private String resourceRole = null;
+ private String aclProcessingMode = null;
+ private AclParser parser = new AclParser();
+
+
+ @Override
+ public void init(FilterConfig filterConfig) throws ServletException {
+ resourceRole = getInitParameter(filterConfig, "resource.role");
+ log.initializingForResourceRole(resourceRole);
+ aclProcessingMode = getInitParameter(filterConfig, resourceRole + ".acl.mode");
+ if (aclProcessingMode == null) {
+ aclProcessingMode = getInitParameter(filterConfig, "acl.mode");
+ if (aclProcessingMode == null) {
+ aclProcessingMode = "AND";
+ }
+ }
+ log.aclProcessingMode(aclProcessingMode);
+ String acls = getInitParameter(filterConfig, resourceRole + ".acl");
+ parser.parseAcls(resourceRole, acls);
+ }
+
+ private String getInitParameter(FilterConfig filterConfig, String paramName) {
+ return filterConfig.getInitParameter(paramName.toLowerCase());
+ }
+
+ public void destroy() {
+ }
+
+ public void doFilter(ServletRequest request, ServletResponse response,
+ FilterChain chain) throws IOException, ServletException {
+ boolean accessGranted = enforceAclAuthorizationPolicy(request, response, chain);
+ log.accessGranted(accessGranted);
+ String sourceUrl = (String)request.getAttribute( AbstractGatewayFilter.SOURCE_REQUEST_CONTEXT_URL_ATTRIBUTE_NAME );
+ if (accessGranted) {
+ auditor.audit( Action.AUTHORIZATION, sourceUrl, ResourceType.URI, ActionOutcome.SUCCESS );
+ chain.doFilter(request, response);
+ }
+ else {
+ auditor.audit( Action.AUTHORIZATION, sourceUrl, ResourceType.URI, ActionOutcome.FAILURE );
+ sendForbidden((HttpServletResponse) response);
+ }
+ }
+
+ private boolean enforceAclAuthorizationPolicy(ServletRequest request,
+ ServletResponse response, FilterChain chain) {
+ HttpServletRequest req = (HttpServletRequest) request;
+
+ // before enforcing acls check whether there are no acls defined
+ // which would mean that there are no restrictions
+ if (parser.users.size() == 0 && parser.groups.size() == 0 && parser.ipv.getIPAddresses().size() == 0) {
+ return true;
+ }
+
+ boolean userAccess = false;
+ boolean groupAccess = false;
+ boolean ipAddrAccess = false;
+
+ Subject subject = Subject.getSubject(AccessController.getContext());
+ Principal primaryPrincipal = (Principal)subject.getPrincipals(PrimaryPrincipal.class).toArray()[0];
+ log.primaryPrincipal(primaryPrincipal.getName());
+ Object[] impersonations = subject.getPrincipals(ImpersonatedPrincipal.class).toArray();
+ if (impersonations.length > 0) {
+ log.impersonatedPrincipal(((Principal)impersonations[0]).getName());
+ userAccess = checkUserAcls((Principal)impersonations[0]);
+ log.impersonatedPrincipalHasAccess(userAccess);
+ }
+ else {
+ userAccess = checkUserAcls(primaryPrincipal);
+ log.primaryPrincipalHasAccess(userAccess);
+ }
+ Object[] groups = subject.getPrincipals(GroupPrincipal.class).toArray();
+ if (groups.length > 0) {
+// System.out.println("GroupPrincipal: " + ((Principal)groups[0]).getName());
+ groupAccess = checkGroupAcls(groups);
+ log.groupPrincipalHasAccess(groupAccess);
+ }
+ else {
+ // if we have no groups in the subject then make
+ // it true if there is an anyGroup acl
+ // for AND mode and acls like *;*;127.0.0.* we need to
+ // make it pass
+ if (parser.anyGroup && aclProcessingMode.equals("AND")) {
+ groupAccess = true;
+ }
+ }
+ log.remoteIPAddress(req.getRemoteAddr());
+ ipAddrAccess = checkRemoteIpAcls(req.getRemoteAddr());
+ log.remoteIPAddressHasAccess(ipAddrAccess);
+
+ if (aclProcessingMode.equals("OR")) {
+ // need to interpret '*' as excluded for OR semantics
+ // to make sense and not grant access to everyone by mistake.
+ // exclusion in OR is equivalent to denied
+ // so, let's set each one that contains '*' to false.
+ if (parser.anyUser) userAccess = false;
+ if (parser.anyGroup) groupAccess = false;
+ if (parser.ipv.allowsAnyIP()) ipAddrAccess = false;
+
+ return (userAccess || groupAccess || ipAddrAccess);
+ }
+ else if (aclProcessingMode.equals("AND")) {
+ return (userAccess && groupAccess && ipAddrAccess);
+ }
+ return false;
+ }
+
+ private boolean checkRemoteIpAcls(String remoteAddr) {
+ boolean allowed = false;
+ if (remoteAddr == null) {
+ return false;
+ }
+ allowed = parser.ipv.validateIpAddress(remoteAddr);
+ return allowed;
+ }
+
+ private boolean checkUserAcls(Principal user) {
+ boolean allowed = false;
+ if (user == null) {
+ return false;
+ }
+ if (parser.anyUser) {
+ allowed = true;
+ }
+ else {
+ if (parser.users.contains(user.getName())) {
+ allowed = true;
+ }
+ }
+ return allowed;
+ }
+
+ private boolean checkGroupAcls(Object[] userGroups) {
+ boolean allowed = false;
+ if (userGroups == null) {
+ return false;
+ }
+ if (parser.anyGroup) {
+ allowed = true;
+ }
+ else {
+ for (int i = 0; i < userGroups.length; i++) {
+ if (parser.groups.contains(((Principal)userGroups[i]).getName())) {
+ allowed = true;
+ break;
+ }
+ }
+ }
+ return allowed;
+ }
+
+ private void sendForbidden(HttpServletResponse res) {
+ sendErrorCode(res, 403);
+ }
+
+ private void sendErrorCode(HttpServletResponse res, int code) {
+ try {
+ res.sendError(code);
+ } catch (IOException e) {
+ // TODO: log appropriately
+ e.printStackTrace();
+ }
+ }
+}
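Review bot: enforceAclAuthorizationPolicy dereferences the Subject and its first PrimaryPrincipal without a guard: `Subject.getSubject(AccessController.getContext())` can return null, and `toArray()[0]` throws ArrayIndexOutOfBoundsException when the Subject carries no PrimaryPrincipal, so a request that reaches this filter outside an authenticated context fails with an uncaught exception from doFilter (before the FAILURE audit entry and the 403 are ever reached) instead of the deny path the filter otherwise takes. A deny-by-default guard ahead of the lookup keeps the outcome consistent and audited: `if (subject == null || subject.getPrincipals(PrimaryPrincipal.class).isEmpty()) { return false; }`. Separately, sendErrorCode still reports the IOException with printStackTrace under a TODO; the AclsAuthorizationMessages interface this class already uses is the natural home for that log entry. The unused `chain` parameter of the private enforceAclAuthorizationPolicy could be dropped from its signature.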
http://git-wip-us.apache.org/repos/asf/knox/blob/af9b0c3d/gateway-provider-security-authz-acls/src/main/java/org/apache/knox/gateway/filter/AclsAuthorizationMessages.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-authz-acls/src/main/java/org/apache/knox/gateway/filter/AclsAuthorizationMessages.java b/gateway-provider-security-authz-acls/src/main/java/org/apache/knox/gateway/filter/AclsAuthorizationMessages.java
new file mode 100644
index 0000000..206348d
--- /dev/null
+++ b/gateway-provider-security-authz-acls/src/main/java/org/apache/knox/gateway/filter/AclsAuthorizationMessages.java
@@ -0,0 +1,65 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.knox.gateway.filter;
+
+import org.apache.knox.gateway.i18n.messages.Message;
+import org.apache.knox.gateway.i18n.messages.MessageLevel;
+import org.apache.knox.gateway.i18n.messages.Messages;
+
+@Messages(logger="org.apache.hadoop.gateway")
+public interface AclsAuthorizationMessages {
+
+ @Message( level = MessageLevel.INFO, text = "Initializing AclsAuthz Provider for: {0}" )
+ void initializingForResourceRole(String resourceRole);
+
+ @Message( level = MessageLevel.DEBUG, text = "ACL Processing Mode is: {0}" )
+ void aclProcessingMode(String aclProcessingMode);
+
+ @Message( level = MessageLevel.WARN, text = "Invalid ACLs found for: {0}" )
+ void invalidAclsFoundForResource(String resourceRole);
+
+ @Message( level = MessageLevel.INFO, text = "ACLs found for: {0}" )
+ void aclsFoundForResource(String resourceRole);
+
+ @Message( level = MessageLevel.DEBUG, text = "No ACLs found for: {0}" )
+ void noAclsFoundForResource(String resourceRole);
+
+ @Message( level = MessageLevel.INFO, text = "Access Granted: {0}" )
+ void accessGranted(boolean accessGranted);
+
+ @Message( level = MessageLevel.DEBUG, text = "PrimaryPrincipal: {0}" )
+ void primaryPrincipal(String name);
+
+ @Message( level = MessageLevel.DEBUG, text = "ImpersonatedPrincipal: {0}" )
+ void impersonatedPrincipal(String name);
+
+ @Message( level = MessageLevel.DEBUG, text = "ImpersonatedPrincipal has access: {0}" )
+ void impersonatedPrincipalHasAccess(boolean userAccess);
+
+ @Message( level = MessageLevel.DEBUG, text = "PrimaryPrincipal has access: {0}" )
+ void primaryPrincipalHasAccess(boolean userAccess);
+
+ @Message( level = MessageLevel.DEBUG, text = "GroupPrincipal has access: {0}" )
+ void groupPrincipalHasAccess(boolean groupAccess);
+
+ @Message( level = MessageLevel.DEBUG, text = "Remote IP Address: {0}" )
+ void remoteIPAddress(String remoteAddr);
+
+ @Message( level = MessageLevel.DEBUG, text = "Remote IP Address has access: {0}" )
+ void remoteIPAddressHasAccess(boolean remoteIpAccess);
+}
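Review bot: The `@Messages(logger="org.apache.hadoop.gateway")` annotation keeps the pre-refactoring logger name while the package declaration directly above it is now org.apache.knox.gateway.filter, so this provider's messages will continue to appear under the old logger hierarchy. If that is deliberate so existing log configurations keep working across the rename, a comment such as `// logger name intentionally unchanged for compatibility with existing log configuration` would stop the next reader from "fixing" it; otherwise it should follow the package rename like the other identifiers in this commit.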
http://git-wip-us.apache.org/repos/asf/knox/blob/af9b0c3d/gateway-provider-security-authz-acls/src/main/java/org/apache/knox/gateway/filter/AclsAuthorizationResources.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-authz-acls/src/main/java/org/apache/knox/gateway/filter/AclsAuthorizationResources.java b/gateway-provider-security-authz-acls/src/main/java/org/apache/knox/gateway/filter/AclsAuthorizationResources.java
new file mode 100644
index 0000000..fcacd11
--- /dev/null
+++ b/gateway-provider-security-authz-acls/src/main/java/org/apache/knox/gateway/filter/AclsAuthorizationResources.java
@@ -0,0 +1,27 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.knox.gateway.filter;
+
+import org.apache.knox.gateway.i18n.resources.Resource;
+import org.apache.knox.gateway.i18n.resources.Resources;
+
+@Resources
+public interface AclsAuthorizationResources {
+ @Resource( text = "Response status: {0}" )
+ String responseStatus( int status );
+}
http://git-wip-us.apache.org/repos/asf/knox/blob/af9b0c3d/gateway-provider-security-authz-acls/src/main/java/org/apache/knox/gateway/filter/InvalidACLException.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-authz-acls/src/main/java/org/apache/knox/gateway/filter/InvalidACLException.java b/gateway-provider-security-authz-acls/src/main/java/org/apache/knox/gateway/filter/InvalidACLException.java
new file mode 100644
index 0000000..d9d38dc
--- /dev/null
+++ b/gateway-provider-security-authz-acls/src/main/java/org/apache/knox/gateway/filter/InvalidACLException.java
@@ -0,0 +1,31 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.knox.gateway.filter;
+
+/**
+ * invalid ACL configuration item
+ */
+public class InvalidACLException extends RuntimeException {
+
+ private static final long serialVersionUID = -4284269372393774095L;
+
+ public InvalidACLException(String message) {
+ super(message);
+ }
+
+}
http://git-wip-us.apache.org/repos/asf/knox/blob/af9b0c3d/gateway-provider-security-authz-acls/src/main/resources/META-INF/services/org.apache.hadoop.gateway.deploy.ProviderDeploymentContributor
----------------------------------------------------------------------
diff --git a/gateway-provider-security-authz-acls/src/main/resources/META-INF/services/org.apache.hadoop.gateway.deploy.ProviderDeploymentContributor b/gateway-provider-security-authz-acls/src/main/resources/META-INF/services/org.apache.hadoop.gateway.deploy.ProviderDeploymentContributor
deleted file mode 100644
index 11e2f6f..0000000
--- a/gateway-provider-security-authz-acls/src/main/resources/META-INF/services/org.apache.hadoop.gateway.deploy.ProviderDeploymentContributor
+++ /dev/null
@@ -1,18 +0,0 @@
-##########################################################################
-# Licensed to the Apache Software Foundation (ASF) under one
-# or more contributor license agreements. See the NOTICE file
-# distributed with this work for additional information
-# regarding copyright ownership. The ASF licenses this file
-# to you under the Apache License, Version 2.0 (the
-# "License"); you may not use this file except in compliance
-# with the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-##########################################################################
-org.apache.hadoop.gateway.deploy.impl.AclsAuthzDeploymentContributor
http://git-wip-us.apache.org/repos/asf/knox/blob/af9b0c3d/gateway-provider-security-authz-acls/src/main/resources/META-INF/services/org.apache.knox.gateway.deploy.ProviderDeploymentContributor
----------------------------------------------------------------------
diff --git a/gateway-provider-security-authz-acls/src/main/resources/META-INF/services/org.apache.knox.gateway.deploy.ProviderDeploymentContributor b/gateway-provider-security-authz-acls/src/main/resources/META-INF/services/org.apache.knox.gateway.deploy.ProviderDeploymentContributor
new file mode 100644
index 0000000..5bb3f5f
--- /dev/null
+++ b/gateway-provider-security-authz-acls/src/main/resources/META-INF/services/org.apache.knox.gateway.deploy.ProviderDeploymentContributor
@@ -0,0 +1,18 @@
+##########################################################################
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+##########################################################################
+org.apache.knox.gateway.deploy.impl.AclsAuthzDeploymentContributor
http://git-wip-us.apache.org/repos/asf/knox/blob/af9b0c3d/gateway-provider-security-authz-acls/src/test/java/org/apache/hadoop/gateway/filter/AclParserTest.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-authz-acls/src/test/java/org/apache/hadoop/gateway/filter/AclParserTest.java b/gateway-provider-security-authz-acls/src/test/java/org/apache/hadoop/gateway/filter/AclParserTest.java
deleted file mode 100644
index 3a2e746..0000000
--- a/gateway-provider-security-authz-acls/src/test/java/org/apache/hadoop/gateway/filter/AclParserTest.java
+++ /dev/null
@@ -1,212 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.hadoop.gateway.filter;
-
-import static org.junit.Assert.*;
-
-import org.junit.Test;
-
-/**
- * @author larry
- *
- */
-public class AclParserTest {
- @Test
- public void testValidAcls() throws Exception {
- AclParser p = new AclParser();
- p.parseAcls("test", "guest;*;*");
- assertTrue(p.users.contains("guest"));
- assertTrue(p.anyGroup);
- assertTrue(p.ipv.allowsAnyIP());
-
- p = new AclParser();
- p.parseAcls("test", "*;admins;*");
- assertFalse(p.users.contains("guest"));
- assertTrue(p.anyUser);
- assertFalse(p.anyGroup);
- assertTrue(p.groups.contains("admins"));
- assertTrue(p.ipv.allowsAnyIP());
-
- p = new AclParser();
- p.parseAcls("test", "*;*;127.0.0.1");
- assertFalse(p.users.contains("guest"));
- assertTrue(p.anyUser);
- assertTrue(p.anyGroup);
- assertFalse(p.groups.contains("admins"));
- assertFalse(p.ipv.allowsAnyIP());
- assertTrue(p.ipv.getIPAddresses().contains("127.0.0.1"));
-
- p = new AclParser();
- p.parseAcls("test", "*;admins;127.0.0.1");
- assertFalse(p.users.contains("guest"));
- assertTrue(p.anyUser);
- assertFalse(p.anyGroup);
- assertTrue(p.groups.contains("admins"));
- assertFalse(p.ipv.allowsAnyIP());
- assertTrue(p.ipv.getIPAddresses().contains("127.0.0.1"));
-
- p = new AclParser();
- p.parseAcls("test", "guest;admins;127.0.0.1");
- assertTrue(p.users.contains("guest"));
- assertFalse(p.anyUser);
- assertFalse(p.anyGroup);
- assertTrue(p.groups.contains("admins"));
- assertFalse(p.ipv.allowsAnyIP());
- assertTrue(p.ipv.getIPAddresses().contains("127.0.0.1"));
-
- p = new AclParser();
- p.parseAcls("test", "guest;*;127.0.0.1");
- assertTrue(p.users.contains("guest"));
- assertFalse(p.anyUser);
- assertTrue(p.anyGroup);
- assertFalse(p.groups.contains("admins"));
- assertFalse(p.ipv.allowsAnyIP());
- assertTrue(p.ipv.getIPAddresses().contains("127.0.0.1"));
-
- p = new AclParser();
- p.parseAcls("test", "*;admins;127.0.0.1");
- assertFalse(p.users.contains("guest"));
- assertTrue(p.anyUser);
- assertFalse(p.anyGroup);
- assertTrue(p.groups.contains("admins"));
- assertFalse(p.ipv.allowsAnyIP());
- assertTrue(p.ipv.getIPAddresses().contains("127.0.0.1"));
- }
-
-
- @Test
- public void testValidMultiValuedAcls() throws Exception {
- AclParser p = new AclParser();
- p.parseAcls("test", "*;admins;127.0.0.1,127.0.0.2");
- assertFalse(p.users.contains("guest"));
- assertTrue(p.anyUser);
- assertFalse(p.anyGroup);
- assertTrue(p.groups.contains("admins"));
- assertFalse(p.ipv.allowsAnyIP());
- assertTrue(p.ipv.getIPAddresses().contains("127.0.0.1"));
- assertTrue(p.ipv.getIPAddresses().contains("127.0.0.2"));
- assertFalse(p.ipv.getIPAddresses().contains("127.0.0.3"));
-
- p = new AclParser();
- p.parseAcls("test", "*;admins,users;127.0.0.1,127.0.0.2");
- assertFalse(p.users.contains("guest"));
- assertTrue(p.anyUser);
- assertFalse(p.anyGroup);
- assertTrue(p.groups.contains("admins"));
- assertTrue(p.groups.contains("users"));
- assertFalse(p.groups.contains("hackers"));
- assertFalse(p.ipv.allowsAnyIP());
- assertTrue(p.ipv.getIPAddresses().contains("127.0.0.1"));
- assertTrue(p.ipv.getIPAddresses().contains("127.0.0.2"));
- assertFalse(p.ipv.getIPAddresses().contains("127.0.0.3"));
-
- p = new AclParser();
- p.parseAcls("test", "guest,visitor;admins,users;127.0.0.1,127.0.0.2");
- assertTrue(p.users.contains("guest"));
- assertTrue(p.users.contains("visitor"));
- assertFalse(p.users.contains("missing-guy"));
- assertFalse(p.anyUser);
- assertFalse(p.anyGroup);
- assertTrue(p.groups.contains("admins"));
- assertTrue(p.groups.contains("users"));
- assertFalse(p.groups.contains("hackers"));
- assertFalse(p.ipv.allowsAnyIP());
- assertTrue(p.ipv.getIPAddresses().contains("127.0.0.1"));
- assertTrue(p.ipv.getIPAddresses().contains("127.0.0.2"));
- assertFalse(p.ipv.getIPAddresses().contains("127.0.0.3"));
- }
-
- @Test
- public void testNullACL() throws Exception {
- AclParser p = new AclParser();
- try {
- p.parseAcls("test", null);
- }
- catch (InvalidACLException sle) {
- // expected
- fail("NULL acl should NOT have thrown InvalidACLException.");
- }
- }
-
- @Test
- public void testInvalidAcls() throws Exception {
- AclParser p = new AclParser();
- try {
- p.parseAcls("test", "guest");
- fail("Invalid acl should have thrown InvalidACLException.");
- }
- catch (InvalidACLException sle) {
- // expected
- }
-
- p = new AclParser();
- try {
- p.parseAcls("test", "guest;;");
- fail("Invalid acl should have thrown InvalidACLException.");
- }
- catch (InvalidACLException sle) {
- // expected
- }
-
- p = new AclParser();
- try {
- p.parseAcls("test", ";;");
- fail("Invalid acl should have thrown InvalidACLException.");
- }
- catch (InvalidACLException sle) {
- // expected
- }
-
- p = new AclParser();
- try {
- p.parseAcls("test", ";");
- fail("Invalid acl should have thrown InvalidACLException.");
- }
- catch (InvalidACLException sle) {
- // expected
- }
-
- p = new AclParser();
- try {
- p.parseAcls("test", "guest;");
- fail("Invalid acl should have thrown InvalidACLException.");
- }
- catch (InvalidACLException sle) {
- // expected
- }
-
- p = new AclParser();
- try {
- p.parseAcls("test", ";admins");
- fail("Invalid acl should have thrown InvalidACLException.");
- }
- catch (InvalidACLException sle) {
- // expected
- }
-
- p = new AclParser();
- try {
- p.parseAcls("test", "");
- fail("Invalid acl should have thrown InvalidACLException.");
- }
- catch (InvalidACLException sle) {
- // expected
- }
- }
-
-}
http://git-wip-us.apache.org/repos/asf/knox/blob/af9b0c3d/gateway-provider-security-authz-acls/src/test/java/org/apache/knox/gateway/filter/AclParserTest.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-authz-acls/src/test/java/org/apache/knox/gateway/filter/AclParserTest.java b/gateway-provider-security-authz-acls/src/test/java/org/apache/knox/gateway/filter/AclParserTest.java
new file mode 100644
index 0000000..c377a89
--- /dev/null
+++ b/gateway-provider-security-authz-acls/src/test/java/org/apache/knox/gateway/filter/AclParserTest.java
@@ -0,0 +1,212 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.knox.gateway.filter;
+
+import static org.junit.Assert.*;
+
+import org.junit.Test;
+
+/**
+ * @author larry
+ *
+ */
+public class AclParserTest {
+ @Test
+ public void testValidAcls() throws Exception {
+ AclParser p = new AclParser();
+ p.parseAcls("test", "guest;*;*");
+ assertTrue(p.users.contains("guest"));
+ assertTrue(p.anyGroup);
+ assertTrue(p.ipv.allowsAnyIP());
+
+ p = new AclParser();
+ p.parseAcls("test", "*;admins;*");
+ assertFalse(p.users.contains("guest"));
+ assertTrue(p.anyUser);
+ assertFalse(p.anyGroup);
+ assertTrue(p.groups.contains("admins"));
+ assertTrue(p.ipv.allowsAnyIP());
+
+ p = new AclParser();
+ p.parseAcls("test", "*;*;127.0.0.1");
+ assertFalse(p.users.contains("guest"));
+ assertTrue(p.anyUser);
+ assertTrue(p.anyGroup);
+ assertFalse(p.groups.contains("admins"));
+ assertFalse(p.ipv.allowsAnyIP());
+ assertTrue(p.ipv.getIPAddresses().contains("127.0.0.1"));
+
+ p = new AclParser();
+ p.parseAcls("test", "*;admins;127.0.0.1");
+ assertFalse(p.users.contains("guest"));
+ assertTrue(p.anyUser);
+ assertFalse(p.anyGroup);
+ assertTrue(p.groups.contains("admins"));
+ assertFalse(p.ipv.allowsAnyIP());
+ assertTrue(p.ipv.getIPAddresses().contains("127.0.0.1"));
+
+ p = new AclParser();
+ p.parseAcls("test", "guest;admins;127.0.0.1");
+ assertTrue(p.users.contains("guest"));
+ assertFalse(p.anyUser);
+ assertFalse(p.anyGroup);
+ assertTrue(p.groups.contains("admins"));
+ assertFalse(p.ipv.allowsAnyIP());
+ assertTrue(p.ipv.getIPAddresses().contains("127.0.0.1"));
+
+ p = new AclParser();
+ p.parseAcls("test", "guest;*;127.0.0.1");
+ assertTrue(p.users.contains("guest"));
+ assertFalse(p.anyUser);
+ assertTrue(p.anyGroup);
+ assertFalse(p.groups.contains("admins"));
+ assertFalse(p.ipv.allowsAnyIP());
+ assertTrue(p.ipv.getIPAddresses().contains("127.0.0.1"));
+
+ p = new AclParser();
+ p.parseAcls("test", "*;admins;127.0.0.1");
+ assertFalse(p.users.contains("guest"));
+ assertTrue(p.anyUser);
+ assertFalse(p.anyGroup);
+ assertTrue(p.groups.contains("admins"));
+ assertFalse(p.ipv.allowsAnyIP());
+ assertTrue(p.ipv.getIPAddresses().contains("127.0.0.1"));
+ }
+
+
+ @Test
+ public void testValidMultiValuedAcls() throws Exception {
+ AclParser p = new AclParser();
+ p.parseAcls("test", "*;admins;127.0.0.1,127.0.0.2");
+ assertFalse(p.users.contains("guest"));
+ assertTrue(p.anyUser);
+ assertFalse(p.anyGroup);
+ assertTrue(p.groups.contains("admins"));
+ assertFalse(p.ipv.allowsAnyIP());
+ assertTrue(p.ipv.getIPAddresses().contains("127.0.0.1"));
+ assertTrue(p.ipv.getIPAddresses().contains("127.0.0.2"));
+ assertFalse(p.ipv.getIPAddresses().contains("127.0.0.3"));
+
+ p = new AclParser();
+ p.parseAcls("test", "*;admins,users;127.0.0.1,127.0.0.2");
+ assertFalse(p.users.contains("guest"));
+ assertTrue(p.anyUser);
+ assertFalse(p.anyGroup);
+ assertTrue(p.groups.contains("admins"));
+ assertTrue(p.groups.contains("users"));
+ assertFalse(p.groups.contains("hackers"));
+ assertFalse(p.ipv.allowsAnyIP());
+ assertTrue(p.ipv.getIPAddresses().contains("127.0.0.1"));
+ assertTrue(p.ipv.getIPAddresses().contains("127.0.0.2"));
+ assertFalse(p.ipv.getIPAddresses().contains("127.0.0.3"));
+
+ p = new AclParser();
+ p.parseAcls("test", "guest,visitor;admins,users;127.0.0.1,127.0.0.2");
+ assertTrue(p.users.contains("guest"));
+ assertTrue(p.users.contains("visitor"));
+ assertFalse(p.users.contains("missing-guy"));
+ assertFalse(p.anyUser);
+ assertFalse(p.anyGroup);
+ assertTrue(p.groups.contains("admins"));
+ assertTrue(p.groups.contains("users"));
+ assertFalse(p.groups.contains("hackers"));
+ assertFalse(p.ipv.allowsAnyIP());
+ assertTrue(p.ipv.getIPAddresses().contains("127.0.0.1"));
+ assertTrue(p.ipv.getIPAddresses().contains("127.0.0.2"));
+ assertFalse(p.ipv.getIPAddresses().contains("127.0.0.3"));
+ }
+
+ @Test
+ public void testNullACL() throws Exception {
+ AclParser p = new AclParser();
+ try {
+ p.parseAcls("test", null);
+ }
+ catch (InvalidACLException sle) {
+ // expected
+ fail("NULL acl should NOT have thrown InvalidACLException.");
+ }
+ }
+
+ @Test
+ public void testInvalidAcls() throws Exception {
+ AclParser p = new AclParser();
+ try {
+ p.parseAcls("test", "guest");
+ fail("Invalid acl should have thrown InvalidACLException.");
+ }
+ catch (InvalidACLException sle) {
+ // expected
+ }
+
+ p = new AclParser();
+ try {
+ p.parseAcls("test", "guest;;");
+ fail("Invalid acl should have thrown InvalidACLException.");
+ }
+ catch (InvalidACLException sle) {
+ // expected
+ }
+
+ p = new AclParser();
+ try {
+ p.parseAcls("test", ";;");
+ fail("Invalid acl should have thrown InvalidACLException.");
+ }
+ catch (InvalidACLException sle) {
+ // expected
+ }
+
+ p = new AclParser();
+ try {
+ p.parseAcls("test", ";");
+ fail("Invalid acl should have thrown InvalidACLException.");
+ }
+ catch (InvalidACLException sle) {
+ // expected
+ }
+
+ p = new AclParser();
+ try {
+ p.parseAcls("test", "guest;");
+ fail("Invalid acl should have thrown InvalidACLException.");
+ }
+ catch (InvalidACLException sle) {
+ // expected
+ }
+
+ p = new AclParser();
+ try {
+ p.parseAcls("test", ";admins");
+ fail("Invalid acl should have thrown InvalidACLException.");
+ }
+ catch (InvalidACLException sle) {
+ // expected
+ }
+
+ p = new AclParser();
+ try {
+ p.parseAcls("test", "");
+ fail("Invalid acl should have thrown InvalidACLException.");
+ }
+ catch (InvalidACLException sle) {
+ // expected
+ }
+ }
+
+}
http://git-wip-us.apache.org/repos/asf/knox/blob/af9b0c3d/gateway-provider-security-hadoopauth/src/main/java/org/apache/hadoop/gateway/hadoopauth/HadoopAuthMessages.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-hadoopauth/src/main/java/org/apache/hadoop/gateway/hadoopauth/HadoopAuthMessages.java b/gateway-provider-security-hadoopauth/src/main/java/org/apache/hadoop/gateway/hadoopauth/HadoopAuthMessages.java
deleted file mode 100755
index b7609c8..0000000
--- a/gateway-provider-security-hadoopauth/src/main/java/org/apache/hadoop/gateway/hadoopauth/HadoopAuthMessages.java
+++ /dev/null
@@ -1,33 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.hadoop.gateway.hadoopauth;
-
-import org.apache.hadoop.gateway.i18n.messages.Message;
-import org.apache.hadoop.gateway.i18n.messages.MessageLevel;
-import org.apache.hadoop.gateway.i18n.messages.Messages;
-
-@Messages(logger="org.apache.hadoop.gateway.provider.global.hadoopauth")
-public interface HadoopAuthMessages {
-
- @Message( level = MessageLevel.INFO, text = "Initializing Hadoop Auth Property, name: {0}, value: {1}" )
- void initializingHadoopAuthProperty(String name, String value);
-
- @Message( level = MessageLevel.DEBUG, text = "Hadoop Authentication Asserted Principal: {0}" )
- void hadoopAuthAssertedPrincipal(String name);
-
-}
http://git-wip-us.apache.org/repos/asf/knox/blob/af9b0c3d/gateway-provider-security-hadoopauth/src/main/java/org/apache/hadoop/gateway/hadoopauth/deploy/HadoopAuthDeploymentContributor.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-hadoopauth/src/main/java/org/apache/hadoop/gateway/hadoopauth/deploy/HadoopAuthDeploymentContributor.java b/gateway-provider-security-hadoopauth/src/main/java/org/apache/hadoop/gateway/hadoopauth/deploy/HadoopAuthDeploymentContributor.java
deleted file mode 100755
index 8404853..0000000
--- a/gateway-provider-security-hadoopauth/src/main/java/org/apache/hadoop/gateway/hadoopauth/deploy/HadoopAuthDeploymentContributor.java
+++ /dev/null
@@ -1,70 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.hadoop.gateway.hadoopauth.deploy;
-
-import java.util.ArrayList;
-import java.util.List;
-import java.util.Map;
-import java.util.Map.Entry;
-
-import org.apache.hadoop.gateway.deploy.DeploymentContext;
-import org.apache.hadoop.gateway.deploy.ProviderDeploymentContributorBase;
-import org.apache.hadoop.gateway.descriptor.FilterParamDescriptor;
-import org.apache.hadoop.gateway.descriptor.ResourceDescriptor;
-import org.apache.hadoop.gateway.topology.Provider;
-import org.apache.hadoop.gateway.topology.Service;
-
-public class HadoopAuthDeploymentContributor extends
- ProviderDeploymentContributorBase {
-
- private static final String ROLE = "authentication";
- private static final String NAME = "HadoopAuth";
-
- private static final String HADOOPAUTH_FILTER_CLASSNAME = "org.apache.hadoop.gateway.hadoopauth.filter.HadoopAuthFilter";
- private static final String HADOOPAUTH_POSTFILTER_CLASSNAME = "org.apache.hadoop.gateway.hadoopauth.filter.HadoopAuthPostFilter";
-
- @Override
- public String getRole() {
- return ROLE;
- }
-
- @Override
- public String getName() {
- return NAME;
- }
-
- @Override
- public void initializeContribution(DeploymentContext context) {
- super.initializeContribution(context);
- }
-
- @Override
- public void contributeFilter(DeploymentContext context, Provider provider, Service service,
- ResourceDescriptor resource, List<FilterParamDescriptor> params) {
- // blindly add all the provider params as filter init params
- if (params == null) {
- params = new ArrayList<FilterParamDescriptor>();
- }
- Map<String, String> providerParams = provider.getParams();
- for(Entry<String, String> entry : providerParams.entrySet()) {
- params.add( resource.createFilterParam().name( entry.getKey().toLowerCase() ).value( entry.getValue() ) );
- }
- resource.addFilter().name( getName() ).role( getRole() ).impl( HADOOPAUTH_FILTER_CLASSNAME ).params( params );
- resource.addFilter().name( "Post" + getName() ).role( getRole() ).impl( HADOOPAUTH_POSTFILTER_CLASSNAME ).params( params );
- }
-}
http://git-wip-us.apache.org/repos/asf/knox/blob/af9b0c3d/gateway-provider-security-hadoopauth/src/main/java/org/apache/hadoop/gateway/hadoopauth/filter/HadoopAuthFilter.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-hadoopauth/src/main/java/org/apache/hadoop/gateway/hadoopauth/filter/HadoopAuthFilter.java b/gateway-provider-security-hadoopauth/src/main/java/org/apache/hadoop/gateway/hadoopauth/filter/HadoopAuthFilter.java
deleted file mode 100755
index 649601f..0000000
--- a/gateway-provider-security-hadoopauth/src/main/java/org/apache/hadoop/gateway/hadoopauth/filter/HadoopAuthFilter.java
+++ /dev/null
@@ -1,68 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.hadoop.gateway.hadoopauth.filter;
-
-import java.util.Enumeration;
-import java.util.Properties;
-
-import javax.servlet.FilterConfig;
-import javax.servlet.ServletException;
-
-import org.apache.hadoop.gateway.hadoopauth.HadoopAuthMessages;
-import org.apache.hadoop.gateway.i18n.messages.MessagesFactory;
-
-/*
- * see http://hadoop.apache.org/docs/current/hadoop-auth/Configuration.html
- *
- * CONFIG_PREFIX = "config.prefix
- * AUTH_TYPE = "type", AUTH_TOKEN_VALIDITY = "token.validity"
- * COOKIE_DOMAIN = "cookie.domain", COOKIE_PATH = "cookie.path"
- * SIGNATURE_SECRET = "signature.secret
- * TYPE = "kerberos", PRINCIPAL = TYPE + ".principal", KEYTAB = TYPE + ".keytab"
-
- * config.prefix=hadoop.auth.config (default: null)
- * hadoop.auth.config.signature.secret=SECRET (default: a simple random number)
- * hadoop.auth.config.type=simple|kerberos|CLASS (default: none, would throw exception)
- * hadoop.auth.config.token.validity=SECONDS (default: 3600 seconds)
- * hadoop.auth.config.cookie.domain=DOMAIN(default: null)
- * hadoop.auth.config.cookie.path=PATH (default: null)
- * hadoop.auth.config.kerberos.principal=HTTP/localhost@LOCALHOST (default: null)
- * hadoop.auth.config.kerberos.keytab=/etc/knox/conf/knox.service.keytab (default: null)
- */
-
-public class HadoopAuthFilter extends
- org.apache.hadoop.security.authentication.server.AuthenticationFilter {
-
- private static HadoopAuthMessages log = MessagesFactory.get( HadoopAuthMessages.class );
-
- @Override
- protected Properties getConfiguration(String configPrefix, FilterConfig filterConfig) throws ServletException {
- Properties props = new Properties();
- Enumeration<?> names = filterConfig.getInitParameterNames();
- while (names.hasMoreElements()) {
- String name = (String) names.nextElement();
- if (name.startsWith(configPrefix)) {
- String value = filterConfig.getInitParameter(name);
- log.initializingHadoopAuthProperty(name, value);
- props.put(name.substring(configPrefix.length()), value);
- }
- }
- return props;
- }
-
-}
http://git-wip-us.apache.org/repos/asf/knox/blob/af9b0c3d/gateway-provider-security-hadoopauth/src/main/java/org/apache/hadoop/gateway/hadoopauth/filter/HadoopAuthPostFilter.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-hadoopauth/src/main/java/org/apache/hadoop/gateway/hadoopauth/filter/HadoopAuthPostFilter.java b/gateway-provider-security-hadoopauth/src/main/java/org/apache/hadoop/gateway/hadoopauth/filter/HadoopAuthPostFilter.java
deleted file mode 100755
index 70db96c..0000000
--- a/gateway-provider-security-hadoopauth/src/main/java/org/apache/hadoop/gateway/hadoopauth/filter/HadoopAuthPostFilter.java
+++ /dev/null
@@ -1,108 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.hadoop.gateway.hadoopauth.filter;
-
-import java.io.IOException;
-import java.security.PrivilegedActionException;
-import java.security.PrivilegedExceptionAction;
-
-import javax.security.auth.Subject;
-import javax.servlet.Filter;
-import javax.servlet.FilterChain;
-import javax.servlet.FilterConfig;
-import javax.servlet.ServletException;
-import javax.servlet.ServletRequest;
-import javax.servlet.ServletResponse;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-
-import org.apache.hadoop.gateway.security.PrimaryPrincipal;
-import org.apache.hadoop.gateway.i18n.messages.MessagesFactory;
-import org.apache.hadoop.gateway.audit.api.Action;
-import org.apache.hadoop.gateway.audit.api.ActionOutcome;
-import org.apache.hadoop.gateway.audit.api.AuditService;
-import org.apache.hadoop.gateway.audit.api.AuditServiceFactory;
-import org.apache.hadoop.gateway.audit.api.Auditor;
-import org.apache.hadoop.gateway.audit.api.ResourceType;
-import org.apache.hadoop.gateway.audit.log4j.audit.AuditConstants;
-import org.apache.hadoop.gateway.filter.AbstractGatewayFilter;
-import org.apache.hadoop.gateway.hadoopauth.HadoopAuthMessages;
-
-public class HadoopAuthPostFilter implements Filter {
-
- private static HadoopAuthMessages log = MessagesFactory.get( HadoopAuthMessages.class );
- private static AuditService auditService = AuditServiceFactory.getAuditService();
- private static Auditor auditor = auditService.getAuditor(
- AuditConstants.DEFAULT_AUDITOR_NAME, AuditConstants.KNOX_SERVICE_NAME,
- AuditConstants.KNOX_COMPONENT_NAME );
-
- @Override
- public void init( FilterConfig filterConfig ) throws ServletException {
- }
-
- @Override
- public void destroy() {
- }
-
- @Override
- public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
- throws IOException, ServletException {
- HttpServletRequest httpRequest = (HttpServletRequest)request;
- String principal = httpRequest.getRemoteUser();
- if (principal != null) {
- Subject subject = new Subject();
- subject.getPrincipals().add(new PrimaryPrincipal(principal));
- log.hadoopAuthAssertedPrincipal(principal);
- auditService.getContext().setUsername( principal ); //KM: Audit Fix
- String sourceUri = (String)request.getAttribute( AbstractGatewayFilter.SOURCE_REQUEST_CONTEXT_URL_ATTRIBUTE_NAME );
- auditor.audit( Action.AUTHENTICATION , sourceUri, ResourceType.URI, ActionOutcome.SUCCESS );
- doAs(httpRequest, response, chain, subject);
- }
- else {
- ((HttpServletResponse)response).sendError(HttpServletResponse.SC_FORBIDDEN, "User not authenticated");
- }
- }
-
- private void doAs(final ServletRequest request, final ServletResponse response, final FilterChain chain, Subject subject)
- throws IOException, ServletException {
- try {
- Subject.doAs(
- subject,
- new PrivilegedExceptionAction<Object>() {
- public Object run() throws Exception {
- chain.doFilter(request, response);
- return null;
- }
- }
- );
- }
- catch (PrivilegedActionException e) {
- Throwable t = e.getCause();
- if (t instanceof IOException) {
- throw (IOException) t;
- }
- else if (t instanceof ServletException) {
- throw (ServletException) t;
- }
- else {
- throw new ServletException(t);
- }
- }
- }
-
-}
http://git-wip-us.apache.org/repos/asf/knox/blob/af9b0c3d/gateway-provider-security-hadoopauth/src/main/java/org/apache/knox/gateway/hadoopauth/HadoopAuthMessages.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-hadoopauth/src/main/java/org/apache/knox/gateway/hadoopauth/HadoopAuthMessages.java b/gateway-provider-security-hadoopauth/src/main/java/org/apache/knox/gateway/hadoopauth/HadoopAuthMessages.java
new file mode 100755
index 0000000..6141686
--- /dev/null
+++ b/gateway-provider-security-hadoopauth/src/main/java/org/apache/knox/gateway/hadoopauth/HadoopAuthMessages.java
@@ -0,0 +1,33 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.knox.gateway.hadoopauth;
+
+import org.apache.knox.gateway.i18n.messages.Message;
+import org.apache.knox.gateway.i18n.messages.MessageLevel;
+import org.apache.knox.gateway.i18n.messages.Messages;
+
+@Messages(logger="org.apache.hadoop.gateway.provider.global.hadoopauth")
+public interface HadoopAuthMessages {
+
+ @Message( level = MessageLevel.INFO, text = "Initializing Hadoop Auth Property, name: {0}, value: {1}" )
+ void initializingHadoopAuthProperty(String name, String value);
+
+ @Message( level = MessageLevel.DEBUG, text = "Hadoop Authentication Asserted Principal: {0}" )
+ void hadoopAuthAssertedPrincipal(String name);
+
+}
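Review bot: The INFO-level `initializingHadoopAuthProperty` template still interpolates the property value as `{1}`, and the filter this provider deploys feeds every `config.prefix`-scoped init-param through it — the removed `HadoopAuthFilter` earlier in this commit lists `signature.secret` (the auth-cookie signing key) among those properties, so the secret would be written to the gateway log at INFO. The relocated `HadoopAuthFilter` is not in this chunk, so I am assuming that call was carried over unchanged during the package move. Suggest adding a redacting variant here, `@Message( level = MessageLevel.INFO, text = "Initializing Hadoop Auth Property, name: {0}, value: ****" ) void initializingHadoopAuthSecretProperty(String name);`, and having the filter select it for names ending in `secret` (or demote the value-bearing message to DEBUG). Separately, the `@Messages(logger=...)` category still reads `org.apache.hadoop.gateway.provider.global.hadoopauth` after the package moved to `org.apache.knox`; if that is deliberate for log4j-config compatibility, a one-line comment saying so would stop the next reader from "fixing" it.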
http://git-wip-us.apache.org/repos/asf/knox/blob/af9b0c3d/gateway-provider-security-hadoopauth/src/main/java/org/apache/knox/gateway/hadoopauth/deploy/HadoopAuthDeploymentContributor.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-hadoopauth/src/main/java/org/apache/knox/gateway/hadoopauth/deploy/HadoopAuthDeploymentContributor.java b/gateway-provider-security-hadoopauth/src/main/java/org/apache/knox/gateway/hadoopauth/deploy/HadoopAuthDeploymentContributor.java
new file mode 100755
index 0000000..5dc1c0c
--- /dev/null
+++ b/gateway-provider-security-hadoopauth/src/main/java/org/apache/knox/gateway/hadoopauth/deploy/HadoopAuthDeploymentContributor.java
@@ -0,0 +1,70 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.knox.gateway.hadoopauth.deploy;
+
+import java.util.ArrayList;
+import java.util.List;
+import java.util.Map;
+import java.util.Map.Entry;
+
+import org.apache.knox.gateway.deploy.DeploymentContext;
+import org.apache.knox.gateway.deploy.ProviderDeploymentContributorBase;
+import org.apache.knox.gateway.descriptor.FilterParamDescriptor;
+import org.apache.knox.gateway.descriptor.ResourceDescriptor;
+import org.apache.knox.gateway.topology.Provider;
+import org.apache.knox.gateway.topology.Service;
+
+public class HadoopAuthDeploymentContributor extends
+ ProviderDeploymentContributorBase {
+
+ private static final String ROLE = "authentication";
+ private static final String NAME = "HadoopAuth";
+
+ private static final String HADOOPAUTH_FILTER_CLASSNAME = "HadoopAuthFilter";
+ private static final String HADOOPAUTH_POSTFILTER_CLASSNAME = "HadoopAuthPostFilter";
+
+ @Override
+ public String getRole() {
+ return ROLE;
+ }
+
+ @Override
+ public String getName() {
+ return NAME;
+ }
+
+ @Override
+ public void initializeContribution(DeploymentContext context) {
+ super.initializeContribution(context);
+ }
+
+ @Override
+ public void contributeFilter(DeploymentContext context, Provider provider, Service service,
+ ResourceDescriptor resource, List<FilterParamDescriptor> params) {
+ // blindly add all the provider params as filter init params
+ if (params == null) {
+ params = new ArrayList<FilterParamDescriptor>();
+ }
+ Map<String, String> providerParams = provider.getParams();
+ for(Entry<String, String> entry : providerParams.entrySet()) {
+ params.add( resource.createFilterParam().name( entry.getKey().toLowerCase() ).value( entry.getValue() ) );
+ }
+ resource.addFilter().name( getName() ).role( getRole() ).impl( HADOOPAUTH_FILTER_CLASSNAME ).params( params );
+ resource.addFilter().name( "Post" + getName() ).role( getRole() ).impl( HADOOPAUTH_POSTFILTER_CLASSNAME ).params( params );
+ }
+}
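Review bot: `HADOOPAUTH_FILTER_CLASSNAME` and `HADOOPAUTH_POSTFILTER_CLASSNAME` are now the bare simple names `"HadoopAuthFilter"` and `"HadoopAuthPostFilter"`, whereas the deleted version used fully qualified class names, and they are still passed straight to `.impl(...)` on the filter descriptor. Unless the descriptor resolves simple names somewhere not visible here, the authentication filter for this provider will fail to load at deployment time; this looks like an over-eager search-and-replace during the `org.apache.hadoop` → `org.apache.knox` move rather than an intended change. Suggest `private static final String HADOOPAUTH_FILTER_CLASSNAME = "org.apache.knox.gateway.hadoopauth.filter.HadoopAuthFilter";` and `private static final String HADOOPAUTH_POSTFILTER_CLASSNAME = "org.apache.knox.gateway.hadoopauth.filter.HadoopAuthPostFilter";`. The `// blindly add all the provider params as filter init params` comment would also benefit from stating that keys are lower-cased and that the same `params` list instance is handed to both filters, since that is what a later maintainer is most likely to trip over.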