You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@knox.apache.org by kr...@apache.org on 2019/10/09 15:58:36 UTC
[knox] branch master updated: KNOX-2026 - Accept Impala's
authentication cookies (#161)
This is an automated email from the ASF dual-hosted git repository.
krisden pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/knox.git
The following commit(s) were added to refs/heads/master by this push:
new f7acac9 KNOX-2026 - Accept Impala's authentication cookies (#161)
f7acac9 is described below
commit f7acac99b10064f6f992f3352d2446d6661fe373
Author: Thomas Tauber-Marshall <tm...@cloudera.com>
AuthorDate: Wed Oct 9 08:58:32 2019 -0700
KNOX-2026 - Accept Impala's authentication cookies (#161)
This patch modifies HadoopAuthCookieStore to accept cookies with
Impala's cookie name, "impala.auth".
It also updates a check that is used to ensure the cookie belongs to
Knox - previously, this check parsed the cookie according to the
specific format that Hadoop uses for its cookies and ensures that the
Knox principal appears in the expected location.
Impala uses a similar cookie format, but with a few changes such as
fields being in a different order. The check is made more permissive
such that it will accept any cookie that contains the Knox principal
anywhere in it.
Testing:
- Deployed in a cluster and verified that Knox accepts and returns
Impala's cookies as expected.
---
.../gateway/dispatch/HadoopAuthCookieStore.java | 24 ++++++++--------------
1 file changed, 9 insertions(+), 15 deletions(-)
diff --git a/gateway-spi/src/main/java/org/apache/knox/gateway/dispatch/HadoopAuthCookieStore.java b/gateway-spi/src/main/java/org/apache/knox/gateway/dispatch/HadoopAuthCookieStore.java
index bd85617..522019b 100644
--- a/gateway-spi/src/main/java/org/apache/knox/gateway/dispatch/HadoopAuthCookieStore.java
+++ b/gateway-spi/src/main/java/org/apache/knox/gateway/dispatch/HadoopAuthCookieStore.java
@@ -38,6 +38,7 @@ public class HadoopAuthCookieStore extends BasicCookieStore {
private static final String HADOOP_AUTH_COOKIE_NAME = "hadoop.auth";
private static final String HIVE_SERVER2_AUTH_COOKIE_NAME = "hive.server2.auth";
+ private static final String IMPALA_AUTH_COOKIE_NAME = "impala.auth";
private static String knoxPrincipal;
@@ -73,28 +74,21 @@ public class HadoopAuthCookieStore extends BasicCookieStore {
private boolean isAuthCookie(Cookie cookie) {
return HADOOP_AUTH_COOKIE_NAME.equals(cookie.getName()) ||
- HIVE_SERVER2_AUTH_COOKIE_NAME.equals(cookie.getName());
+ HIVE_SERVER2_AUTH_COOKIE_NAME.equals(cookie.getName()) ||
+ IMPALA_AUTH_COOKIE_NAME.equals(cookie.getName());
}
private boolean isKnoxCookie(Cookie cookie) {
boolean result = false;
+ // We expect cookies to be some delimited list of parameters, eg. username, principal,
+ // timestamp, random number, etc. along with an HMAC signature. To ensure we only
+ // store cookies that are relevant to Knox, we check that the Knox principal appears
+ // somewhere in the cookie value.
if (cookie != null) {
String value = cookie.getValue();
- if (value != null && !value.isEmpty()) {
- String principal = null;
-
- String[] cookieParts = value.split("&");
- if (cookieParts.length > 1) {
- String[] elementParts = cookieParts[1].split("=");
- if (elementParts.length == 2) {
- principal = elementParts[1];
- }
-
- if (principal != null) {
- result = principal.equals(knoxPrincipal);
- }
- }
+ if (value != null && value.contains(knoxPrincipal)) {
+ result = true;
}
}