Posted to commits@knox.apache.org by lm...@apache.org on 2013/07/10 16:25:20 UTC
[1/4] POC work and related changes to support a Knox SSO solution
Updated Branches:
refs/heads/master e98c6825a -> 21e6d1da3
http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/21e6d1da/hsso-release/home/conf/gateway-site.xml
----------------------------------------------------------------------
diff --git a/hsso-release/home/conf/gateway-site.xml b/hsso-release/home/conf/gateway-site.xml
new file mode 100644
index 0000000..76eaedc
--- /dev/null
+++ b/hsso-release/home/conf/gateway-site.xml
@@ -0,0 +1,39 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements. See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership. The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License. You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+-->
+<configuration>
+
+ <property>
+ <name>gateway.port</name>
+ <value>8443</value>
+ <description>The HTTP port for the Gateway.</description>
+ </property>
+
+ <property>
+ <name>gateway.path</name>
+ <value>gateway</value>
+ <description>The default context path for the gateway.</description>
+ </property>
+
+ <property>
+ <name>gateway.gateway.conf.dir</name>
+ <value>deployments</value>
+ <description>The directory within GATEWAY_HOME that contains gateway topology files and deployments.</description>
+ </property>
+
+</configuration>
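Review bot: The description on the line `<description>The HTTP port for the Gateway.</description>` says HTTP, but the value is 8443 and the topology files added in this commit address the gateway as `https://127.0.0.1:8443/...`, so the text should state the scheme the port actually serves, e.g. `<description>The HTTPS port for the Gateway.</description>` if TLS is the intent. The doubled prefix in `gateway.gateway.conf.dir` reads like a typo; if that is genuinely the key the server reads, a short comment above the property saying so would keep the next maintainer from "fixing" it. The indentation of the `<property>` blocks is inconsistent with the other XML files in this commit, which use a two-space step.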
http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/21e6d1da/hsso-release/home/conf/log4j.properties
----------------------------------------------------------------------
diff --git a/hsso-release/home/conf/log4j.properties b/hsso-release/home/conf/log4j.properties
new file mode 100644
index 0000000..ccde8c4
--- /dev/null
+++ b/hsso-release/home/conf/log4j.properties
@@ -0,0 +1,29 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+log4j.rootLogger=ERROR, stdout
+
+log4j.appender.stdout=org.apache.log4j.ConsoleAppender
+log4j.appender.stdout.layout=org.apache.log4j.PatternLayout
+log4j.appender.stdout.layout.ConversionPattern=%d{yy/MM/dd HH:mm:ss} %p %c{2}: %m%n
+
+log4j.logger.org.apache.hadoop.gateway=INFO
+
+#log4j.logger.org.eclipse.jetty=ERROR
+#log4j.logger.org.apache.shiro=DEBUG
+#log4j.logger.org.apache.http=DEBUG
+#log4j.logger.org.apache.http.client=DEBUG
+#log4j.logger.org.apache.http.wire=DEBUG
\ No newline at end of file
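Review bot: The commented-out `#log4j.logger.org.apache.http.wire=DEBUG` line deserves a warning comment, because the HttpClient wire logger writes complete request and response headers and bodies, which for this gateway would include the `Authorization` headers from the `authcBasic` topologies and the tokens this SSO work issues; suggest `# WARNING: wire-level DEBUG logs full headers and bodies (credentials, tokens); only enable on a throwaway local setup.` The other commented loggers are harmless, but a one-line note that they are debugging aids rather than defaults would make the intent clear.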
http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/21e6d1da/hsso-release/home/conf/users.ldif
----------------------------------------------------------------------
diff --git a/hsso-release/home/conf/users.ldif b/hsso-release/home/conf/users.ldif
new file mode 100644
index 0000000..458b6ef
--- /dev/null
+++ b/hsso-release/home/conf/users.ldif
@@ -0,0 +1,36 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+version: 1
+
+# entry for a sample people container
+# please replace with site specific values
+dn: ou=people,dc=hadoop,dc=apache,dc=org
+objectclass:top
+objectclass:organizationalUnit
+ou: people
+
+# entry for a sample end user
+# please replace with site specific values
+dn: uid=bob,ou=people,dc=hadoop,dc=apache,dc=org
+objectclass:top
+objectclass:person
+objectclass:organizationalPerson
+objectclass:inetOrgPerson
+cn: Bob
+sn: Smith
+uid: bob
+userPassword:bob-password
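Review bot: This file and `hsso-release/home/templates/users.ldif` later in this commit are byte-identical (both show blob `458b6ef`), so the two copies will drift; one should be the template and the other documented as a generated or copied artifact. The sample entry also ships a cleartext `userPassword:bob-password` for a well-known account name, and the only caveat is the generic `# please replace with site specific values`; make it explicit, e.g. `# DEMO CREDENTIAL: cleartext password for a public sample account - remove this entry before any non-local deployment`. Whether the bundled `gateway-test-ldap` launcher loads this `conf/` copy automatically is not visible in the hunk, so the comment should also say where the file is read from.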
http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/21e6d1da/hsso-release/home/deployments/BASIC.xml
----------------------------------------------------------------------
diff --git a/hsso-release/home/deployments/BASIC.xml b/hsso-release/home/deployments/BASIC.xml
new file mode 100644
index 0000000..133b337
--- /dev/null
+++ b/hsso-release/home/deployments/BASIC.xml
@@ -0,0 +1,56 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+<topology>
+
+ <gateway>
+ <provider>
+ <role>authentication</role>
+ <enabled>true</enabled>
+ <param>
+ <name>main.ldapRealm</name>
+ <value>org.apache.shiro.realm.ldap.JndiLdapRealm</value>
+ </param>
+ <param>
+ <name>main.ldapRealm.userDnTemplate</name>
+ <value>uid={0},ou=people,dc=hadoop,dc=apache,dc=org</value>
+ </param>
+ <param>
+ <name>main.ldapRealm.contextFactory.url</name>
+ <value>ldap://localhost:33389</value>
+ </param>
+ <param>
+ <name>main.ldapRealm.contextFactory.authenticationMechanism</name>
+ <value>simple</value>
+ </param>
+ <param>
+ <name>urls./**</name>
+ <value>authcBasic</value>
+ </param>
+ </provider>
+ <provider>
+ <role>identity-assertion</role>
+ <enabled>true</enabled>
+ <name>JWTAuthCodeAsserter</name>
+ </provider>
+ </gateway>
+
+ <service>
+ <role>AS</role>
+ <url>https://127.0.0.1:8443/hadoop/BASIC/authserver/api/v1/authenticate</url>
+ </service>
+</topology>
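Review bot: The `authentication` provider in this topology has no `<name>` element, while the otherwise identical provider block in `hsso-release/home/templates/topology.xml` later in this commit carries `<name>ShiroProvider</name>`; if provider lookup falls back to a default when the name is absent that should be stated in a comment, otherwise add `<name>ShiroProvider</name>` directly after `<enabled>true</enabled>`. The `AS` service url is pinned to `https://127.0.0.1:8443/hadoop/BASIC/authserver/api/v1/authenticate`, which only works when the auth server is co-located with the gateway; a comment marking this as a deliberate single-host POC setting would help anyone copying the file.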
http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/21e6d1da/hsso-release/home/deployments/README
----------------------------------------------------------------------
diff --git a/hsso-release/home/deployments/README b/hsso-release/home/deployments/README
new file mode 100644
index 0000000..6588a11
--- /dev/null
+++ b/hsso-release/home/deployments/README
@@ -0,0 +1 @@
+THIS IS THE DIRECTORY WHERE YOU COPY OR SAVE CLUSTER TOPOLOGY DEPLOYMENT DESCRIPTOR FILES
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/21e6d1da/hsso-release/home/deployments/sample.xml
----------------------------------------------------------------------
diff --git a/hsso-release/home/deployments/sample.xml b/hsso-release/home/deployments/sample.xml
new file mode 100644
index 0000000..fe0d038
--- /dev/null
+++ b/hsso-release/home/deployments/sample.xml
@@ -0,0 +1,46 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+<topology>
+
+ <gateway>
+ <provider>
+ <role>federation</role>
+ <enabled>true</enabled>
+ <name>AccessTokenProvider</name>
+ </provider>
+ <provider>
+ <role>identity-assertion</role>
+ <enabled>true</enabled>
+ <name>Pseudo</name>
+ </provider>
+ </gateway>
+
+ <service>
+ <role>NAMENODE</role>
+ <url>http://vm:50070/webhdfs/v1</url>
+ </service>
+ <service>
+ <role>TEMPLETON</role>
+ <url>http://vm:50111/templeton/v1</url>
+ </service>
+ <service>
+ <role>OOZIE</role>
+ <url>http://vm:11000/oozie</url>
+ </service>
+
+</topology>
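Review bot: The service urls `http://vm:50070/webhdfs/v1`, `http://vm:50111/templeton/v1` and `http://vm:11000/oozie` use a bare hostname `vm` with nothing marking it as a placeholder, unlike `workflow-configuration.xml` in this commit which uses the `REPLACE.NAMENODE.RPCHOSTPORT` convention and shows the real form in an `<!-- Example: ... -->` comment; the same applies to `templates/topology.xml`. Suggest following that convention here, e.g. `<url>http://REPLACE.NAMENODE.HTTPHOSTPORT/webhdfs/v1</url>` (constructed placeholder). Since this file lives in `deployments/`, which `gateway-site.xml` describes as the directory holding topology deployments, it is presumably deployed as-is on startup, so a sample with unresolvable backend hosts should at least say so at the top of the file.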
http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/21e6d1da/hsso-release/home/deployments/token.xml
----------------------------------------------------------------------
diff --git a/hsso-release/home/deployments/token.xml b/hsso-release/home/deployments/token.xml
new file mode 100644
index 0000000..5d972a5
--- /dev/null
+++ b/hsso-release/home/deployments/token.xml
@@ -0,0 +1,37 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+<topology>
+
+ <gateway>
+ <provider>
+ <role>federation</role>
+ <enabled>true</enabled>
+ <name>JWTProvider</name>
+ </provider>
+ <provider>
+ <role>identity-assertion</role>
+ <enabled>true</enabled>
+ <name>JWTAccessTokenAsserter</name>
+ </provider>
+ </gateway>
+
+ <service>
+ <role>TGS</role>
+ <url>https://127.0.0.1:8443/hadoop/token/tgs/api/v1/accesstoken?service-name=</url>
+ </service>
+</topology>
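Review bot: The `TGS` service url ends in an empty query parameter, `...accesstoken?service-name=`, and nothing in the topology says whether the value is appended by the gateway dispatch, supplied by the client, or ignored; an XML comment above the `<service>` stating which, and what happens when it is missing, would stop the dangling `=` from being removed as a typo. As in `BASIC.xml`, the url is pinned to `https://127.0.0.1:8443`, so the ticket-granting service is assumed to be co-located with the gateway and the file should say so.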
http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/21e6d1da/hsso-release/home/ext/README
----------------------------------------------------------------------
diff --git a/hsso-release/home/ext/README b/hsso-release/home/ext/README
new file mode 100644
index 0000000..9eb0ca5
--- /dev/null
+++ b/hsso-release/home/ext/README
@@ -0,0 +1 @@
+THIS DIRECTORY IS WHERE JARS AND CLASSES CONTAINING CUSTOM EXTENSIONS CAN BE PLACED
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/21e6d1da/hsso-release/home/lib/README
----------------------------------------------------------------------
diff --git a/hsso-release/home/lib/README b/hsso-release/home/lib/README
new file mode 100644
index 0000000..39cee63
--- /dev/null
+++ b/hsso-release/home/lib/README
@@ -0,0 +1 @@
+THIS DIRECTORY IS RESERVED FOR USE BY FUTURE SYSTEM JARS AND CLASSES
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/21e6d1da/hsso-release/home/templates/topology.xml
----------------------------------------------------------------------
diff --git a/hsso-release/home/templates/topology.xml b/hsso-release/home/templates/topology.xml
new file mode 100644
index 0000000..1ef62a9
--- /dev/null
+++ b/hsso-release/home/templates/topology.xml
@@ -0,0 +1,62 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+<topology>
+
+ <gateway>
+ <provider>
+ <role>authentication</role>
+ <enabled>true</enabled>
+ <name>ShiroProvider</name>
+ <param>
+ <name>main.ldapRealm</name>
+ <value>org.apache.shiro.realm.ldap.JndiLdapRealm</value>
+ </param>
+ <param>
+ <name>main.ldapRealm.userDnTemplate</name>
+ <value>uid={0},ou=people,dc=hadoop,dc=apache,dc=org</value>
+ </param>
+ <param>
+ <name>main.ldapRealm.contextFactory.url</name>
+ <value>ldap://localhost:33389</value>
+ </param>
+ <param>
+ <name>main.ldapRealm.contextFactory.authenticationMechanism</name>
+ <value>simple</value>
+ </param>
+ <param>
+ <name>urls./**</name>
+ <value>authcBasic</value>
+ </param>
+ </provider>
+ <provider>
+ <role>identity-assertion</role>
+ <enabled>true</enabled>
+ <name>Pseudo</name>
+ </provider>
+ </gateway>
+
+ <service>
+ <role>NAMENODE</role>
+ <url>http://vm:50070/webhdfs/v1</url>
+ </service>
+ <service>
+ <role>TEMPLETON</role>
+ <url>http://vm:50111/templeton/v1</url>
+ </service>
+
+</topology>
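Review bot: The template binds to `ldap://localhost:33389` with `main.ldapRealm.contextFactory.authenticationMechanism` set to `simple`, and since this is the file sites are expected to copy it should say that a simple bind over plain `ldap://` sends the end user's password to the directory in cleartext; suggest a comment above the `contextFactory.url` param such as `<!-- simple bind transmits the user password; use ldaps:// for any directory that is not on this host -->`. The same url and mechanism pair appears in `deployments/BASIC.xml` earlier in this commit. The `vm` service hosts share the placeholder issue raised on `deployments/sample.xml`.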
http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/21e6d1da/hsso-release/home/templates/users.ldif
----------------------------------------------------------------------
diff --git a/hsso-release/home/templates/users.ldif b/hsso-release/home/templates/users.ldif
new file mode 100644
index 0000000..458b6ef
--- /dev/null
+++ b/hsso-release/home/templates/users.ldif
@@ -0,0 +1,36 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+version: 1
+
+# entry for a sample people container
+# please replace with site specific values
+dn: ou=people,dc=hadoop,dc=apache,dc=org
+objectclass:top
+objectclass:organizationalUnit
+ou: people
+
+# entry for a sample end user
+# please replace with site specific values
+dn: uid=bob,ou=people,dc=hadoop,dc=apache,dc=org
+objectclass:top
+objectclass:person
+objectclass:organizationalPerson
+objectclass:inetOrgPerson
+cn: Bob
+sn: Smith
+uid: bob
+userPassword:bob-password
http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/21e6d1da/hsso-release/home/templates/workflow-configuration.xml
----------------------------------------------------------------------
diff --git a/hsso-release/home/templates/workflow-configuration.xml b/hsso-release/home/templates/workflow-configuration.xml
new file mode 100644
index 0000000..a35000d
--- /dev/null
+++ b/hsso-release/home/templates/workflow-configuration.xml
@@ -0,0 +1,47 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements. See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership. The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+-->
+<configuration>
+ <property>
+ <name>jobTracker</name>
+ <value>REPLACE.JOBTRACKER.RPCHOSTPORT</value>
+ <!-- Example: <value>sandbox:50300</value> -->
+ </property>
+ <property>
+ <name>nameNode</name>
+ <value>hdfs://REPLACE.NAMENODE.RPCHOSTPORT</value>
+ <!-- Example: <value>hdfs://sandbox:8020</value> -->
+ </property>
+ <property>
+ <name>oozie.wf.application.path</name>
+ <value>hdfs://REPLACE.NAMENODE.RPCHOSTPORT/tmp/test</value>
+ <!-- Example: <value>hdfs://sandbox:8020/tmp/test</value> -->
+ </property>
+ <property>
+ <name>user.name</name>
+ <value>mapred</value>
+ </property>
+ <property>
+ <name>inputDir</name>
+ <value>/tmp/test/input</value>
+ </property>
+ <property>
+ <name>outputDir</name>
+ <value>/tmp/test/output</value>
+ </property>
+</configuration>
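Review bot: `user.name` is set to the concrete value `mapred` while every host-specific property in this file uses a `REPLACE.*` placeholder plus an `<!-- Example: ... -->` comment; if this is the identity the workflow is submitted as, as the name suggests, it is just as site-specific and should follow the same pattern, e.g. `<value>REPLACE.SUBMITTING.USER</value>` with an example comment. Submitting sample jobs as a shared service account also means `outputDir` under `/tmp/test` is written with that account's permissions, which is worth a one-line comment on the `user.name` property.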
http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/21e6d1da/hsso-release/home/templates/workflow-definition.xml
----------------------------------------------------------------------
diff --git a/hsso-release/home/templates/workflow-definition.xml b/hsso-release/home/templates/workflow-definition.xml
new file mode 100644
index 0000000..a608d6b
--- /dev/null
+++ b/hsso-release/home/templates/workflow-definition.xml
@@ -0,0 +1,36 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements. See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership. The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+-->
+<workflow-app xmlns="uri:oozie:workflow:0.2" name="wordcount-workflow">
+ <start to="root"/>
+ <action name="root">
+ <java>
+ <job-tracker>${jobTracker}</job-tracker>
+ <name-node>${nameNode}</name-node>
+ <main-class>org.apache.hadoop.examples.WordCount</main-class>
+ <arg>${inputDir}</arg>
+ <arg>${outputDir}</arg>
+ </java>
+ <ok to="end"/>
+ <error to="fail"/>
+ </action>
+ <kill name="fail">
+ <message>Java failed, error message[${wf:errorMessage(wf:lastErrorNode())}]</message>
+ </kill>
+ <end name="end"/>
+</workflow-app>
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/21e6d1da/hsso-release/pom.xml
----------------------------------------------------------------------
diff --git a/hsso-release/pom.xml b/hsso-release/pom.xml
new file mode 100644
index 0000000..2c1700f
--- /dev/null
+++ b/hsso-release/pom.xml
@@ -0,0 +1,177 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+ <modelVersion>4.0.0</modelVersion>
+ <parent>
+ <groupId>org.apache.hadoop</groupId>
+ <artifactId>gateway</artifactId>
+ <version>0.3.0-SNAPSHOT</version>
+ </parent>
+ <artifactId>hsso-release</artifactId>
+
+ <name>hsso-release</name>
+ <description>The gateway binary release packaging.</description>
+
+ <licenses>
+ <license>
+ <name>The Apache Software License, Version 2.0</name>
+ <url>http://www.apache.org/licenses/LICENSE-2.0.txt</url>
+ <distribution>repo</distribution>
+ </license>
+ </licenses>
+
+ <profiles>
+ <profile>
+ <id>release</id>
+ <build>
+ <plugins>
+ <plugin>
+ <inherited>false</inherited>
+ <artifactId>maven-assembly-plugin</artifactId>
+ <version>2.4</version>
+ <executions>
+ <execution>
+ <id>binary</id>
+ <phase>package</phase>
+ <goals><goal>single</goal></goals>
+ <configuration>
+ <finalName>hsso-${gateway-version}</finalName>
+ <outputDirectory>../target/${gateway-version}</outputDirectory>
+ <appendAssemblyId>false</appendAssemblyId>
+ <descriptors>
+ <descriptor>src/assembly.xml</descriptor>
+ </descriptors>
+ </configuration>
+ </execution>
+ </executions>
+ </plugin>
+ <plugin>
+ <artifactId>maven-antrun-plugin</artifactId>
+ <executions>
+ <execution>
+ <phase>package</phase>
+ <goals><goal>run</goal></goals>
+ <configuration>
+ <tasks>
+ <checksum algorithm="MD5" fileext=".md5">
+ <fileset dir="../target/${gateway-version}">
+ <include name="*.zip" />
+ <include name="*.tar.gz" />
+ </fileset>
+ </checksum>
+ <checksum algorithm="SHA1" fileext=".sha">
+ <fileset dir="../target/${gateway-version}">
+ <include name="*.zip" />
+ <include name="*.tar.gz" />
+ </fileset>
+ </checksum>
+ </tasks>
+ </configuration>
+ </execution>
+ </executions>
+ <dependencies>
+ <dependency>
+ <groupId>org.apache.ant</groupId>
+ <artifactId>ant-nodeps</artifactId>
+ <version>1.8.1</version>
+ </dependency>
+ </dependencies>
+ </plugin>
+ </plugins>
+ </build>
+ </profile>
+ </profiles>
+
+ <dependencies>
+
+ <dependency>
+ <groupId>${gateway-group}</groupId>
+ <artifactId>gateway-server</artifactId>
+ </dependency>
+ <dependency>
+ <groupId>${gateway-group}</groupId>
+ <artifactId>gateway-server-launcher</artifactId>
+ </dependency>
+ <dependency>
+ <groupId>${gateway-group}</groupId>
+ <artifactId>gateway-service-as</artifactId>
+ </dependency>
+ <dependency>
+ <groupId>${gateway-group}</groupId>
+ <artifactId>gateway-service-hdfs</artifactId>
+ </dependency>
+ <dependency>
+ <groupId>${gateway-group}</groupId>
+ <artifactId>gateway-service-oozie</artifactId>
+ </dependency>
+ <dependency>
+ <groupId>${gateway-group}</groupId>
+ <artifactId>gateway-service-templeton</artifactId>
+ </dependency>
+ <dependency>
+ <groupId>${gateway-group}</groupId>
+ <artifactId>gateway-service-tgs</artifactId>
+ </dependency>
+ <dependency>
+ <groupId>${gateway-group}</groupId>
+ <artifactId>gateway-provider-rewrite</artifactId>
+ </dependency>
+ <dependency>
+ <groupId>${gateway-group}</groupId>
+ <artifactId>gateway-provider-secure-query</artifactId>
+ </dependency>
+ <dependency>
+ <groupId>${gateway-group}</groupId>
+ <artifactId>gateway-provider-hostmap-static</artifactId>
+ </dependency>
+ <dependency>
+ <groupId>${gateway-group}</groupId>
+ <artifactId>gateway-provider-security-shiro</artifactId>
+ </dependency>
+ <dependency>
+ <groupId>${gateway-group}</groupId>
+ <artifactId>gateway-provider-security-jwt</artifactId>
+ </dependency>
+ <dependency>
+ <groupId>${gateway-group}</groupId>
+ <artifactId>gateway-provider-identity-assertion-pseudo</artifactId>
+ </dependency>
+
+ <dependency>
+ <groupId>${gateway-group}</groupId>
+ <artifactId>gateway-shell</artifactId>
+ </dependency>
+ <dependency>
+ <groupId>${gateway-group}</groupId>
+ <artifactId>gateway-shell-launcher</artifactId>
+ </dependency>
+
+ <dependency>
+ <groupId>${gateway-group}</groupId>
+ <artifactId>gateway-test-ldap</artifactId>
+ </dependency>
+ <dependency>
+ <groupId>${gateway-group}</groupId>
+ <artifactId>gateway-test-ldap-launcher</artifactId>
+ </dependency>
+
+ </dependencies>
+
+</project>
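Review bot: The `maven-antrun-plugin` declaration carries no `<version>`, unlike `maven-assembly-plugin` just above it which pins `2.4`, so the release build's antrun version floats with the Maven installation unless the parent pom manages it, which this hunk cannot show; add `<version>REPLACE_WITH_MANAGED_VERSION</version>` or a `pluginManagement` entry in the parent. The checksum tasks publish only `MD5` and `SHA1` digests for the release zip and tar.gz, both weak for artifact verification; Ant's `<checksum>` accepts any JCA digest name, so a third `<checksum algorithm="SHA-256" fileext=".sha256">` block over the same fileset would give consumers a sound digest to verify against. The `<description>` still reads `The gateway binary release packaging.`, evidently copied from gateway-release, and should name the hsso release.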
http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/21e6d1da/hsso-release/src/assembly.xml
----------------------------------------------------------------------
diff --git a/hsso-release/src/assembly.xml b/hsso-release/src/assembly.xml
new file mode 100644
index 0000000..e3a5fb8
--- /dev/null
+++ b/hsso-release/src/assembly.xml
@@ -0,0 +1,86 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+<assembly>
+ <id>bin</id>
+ <formats>
+ <format>zip</format>
+ <format>tar.gz</format>
+ </formats>
+ <fileSets>
+ <fileSet>
+ <directory>home</directory>
+ <outputDirectory></outputDirectory>
+ <includes>
+ <include>**</include>
+ </includes>
+ <excludes>
+ <exclude>**/.idea/**</exclude>
+ <exclude>**/*.iml</exclude>
+ <exclude>**/.project</exclude>
+ <exclude>**/.settings/**</exclude>
+ </excludes>
+ </fileSet>
+ </fileSets>
+ <dependencySets>
+ <dependencySet>
+ <outputDirectory>dep</outputDirectory>
+ <!--
+ <useTransitiveFiltering>true</useTransitiveFiltering>
+ -->
+ <scope>runtime</scope>
+ <excludes>
+ <exclude>${gateway-group}:gateway-*</exclude>
+ <exclude>${gateway-group}:hsso-*</exclude>
+ </excludes>
+ </dependencySet>
+ <dependencySet>
+ <outputDirectory>lib</outputDirectory>
+ <includes>
+ <include>${gateway-group}:gateway-*</include>
+ <include>${gateway-group}:hsso-*</include>
+ </includes>
+ <excludes>
+ <exclude>${gateway-group}:gateway-util-launcher</exclude>
+ <exclude>${gateway-group}:gateway-server-launcher</exclude>
+ <exclude>${gateway-group}:gateway-shell-launcher</exclude>
+ <exclude>${gateway-group}:gateway-test-ldap-launcher</exclude>
+ </excludes>
+ </dependencySet>
+ <dependencySet>
+ <outputDirectory>bin</outputDirectory>
+ <outputFileNameMapping>server.jar</outputFileNameMapping>
+ <includes>
+ <include>${gateway-group}:gateway-server-launcher</include>
+ </includes>
+ </dependencySet>
+ <dependencySet>
+ <outputDirectory>bin</outputDirectory>
+ <outputFileNameMapping>shell.jar</outputFileNameMapping>
+ <includes>
+ <include>${gateway-group}:gateway-shell-launcher</include>
+ </includes>
+ </dependencySet>
+ <dependencySet>
+ <outputDirectory>bin</outputDirectory>
+ <outputFileNameMapping>ldap.jar</outputFileNameMapping>
+ <includes>
+ <include>${gateway-group}:gateway-test-ldap-launcher</include>
+ </includes>
+ </dependencySet>
+ </dependencySets>
+</assembly>
\ No newline at end of file
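Review bot: The commented-out `<useTransitiveFiltering>true</useTransitiveFiltering>` inside the `dep` dependencySet is a leftover that explains nothing; either delete it or replace it with a comment stating the reason, e.g. `<!-- transitive filtering left off so dep/ carries every runtime dependency of the gateway-* jars - confirm -->`. The `lib` set excludes `${gateway-group}:gateway-util-launcher`, which the hsso-release pom in this commit never declares as a dependency, so that exclude is either dead or relies on a transitive pull that is not visible here and deserves a comment either way.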
http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/21e6d1da/hsso-release/src/main/resources/META-INF/services/org.apache.hadoop.gateway.services.GatewayServices
----------------------------------------------------------------------
diff --git a/hsso-release/src/main/resources/META-INF/services/org.apache.hadoop.gateway.services.GatewayServices b/hsso-release/src/main/resources/META-INF/services/org.apache.hadoop.gateway.services.GatewayServices
new file mode 100644
index 0000000..0476c41
--- /dev/null
+++ b/hsso-release/src/main/resources/META-INF/services/org.apache.hadoop.gateway.services.GatewayServices
@@ -0,0 +1,20 @@
+##########################################################################
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+##########################################################################
+
+
+org.apache.hadoop.gateway.services.HssoGatewayServices
http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/21e6d1da/pom.xml
----------------------------------------------------------------------
diff --git a/pom.xml b/pom.xml
index f50f6f7..c2a799e 100644
--- a/pom.xml
+++ b/pom.xml
@@ -57,6 +57,7 @@
<module>gateway-shell</module>
<module>gateway-shell-launcher</module>
<module>gateway-release</module>
+ <module>hsso-release</module>
<module>gateway-test</module>
<module>gateway-demo</module>
</modules>
@@ -389,6 +390,11 @@
<artifactId>gateway-release</artifactId>
<version>${gateway-version}</version>
</dependency>
+ <dependency>
+ <groupId>${gateway-group}</groupId>
+ <artifactId>hsso-release</artifactId>
+ <version>${gateway-version}</version>
+ </dependency>
<!--
<dependency>
[2/4] POC work and related changes to support a Knox SSO solution
Posted by lm...@apache.org.
http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/21e6d1da/hsso-release/home/LICENSE
----------------------------------------------------------------------
diff --git a/hsso-release/home/LICENSE b/hsso-release/home/LICENSE
new file mode 100644
index 0000000..ee0daeb
--- /dev/null
+++ b/hsso-release/home/LICENSE
@@ -0,0 +1,1332 @@
+
+ Apache License
+ Version 2.0, January 2004
+ http://www.apache.org/licenses/
+
+ TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+ 1. Definitions.
+
+ "License" shall mean the terms and conditions for use, reproduction,
+ and distribution as defined by Sections 1 through 9 of this document.
+
+ "Licensor" shall mean the copyright owner or entity authorized by
+ the copyright owner that is granting the License.
+
+ "Legal Entity" shall mean the union of the acting entity and all
+ other entities that control, are controlled by, or are under common
+ control with that entity. For the purposes of this definition,
+ "control" means (i) the power, direct or indirect, to cause the
+ direction or management of such entity, whether by contract or
+ otherwise, or (ii) ownership of fifty percent (50%) or more of the
+ outstanding shares, or (iii) beneficial ownership of such entity.
+
+ "You" (or "Your") shall mean an individual or Legal Entity
+ exercising permissions granted by this License.
+
+ "Source" form shall mean the preferred form for making modifications,
+ including but not limited to software source code, documentation
+ source, and configuration files.
+
+ "Object" form shall mean any form resulting from mechanical
+ transformation or translation of a Source form, including but
+ not limited to compiled object code, generated documentation,
+ and conversions to other media types.
+
+ "Work" shall mean the work of authorship, whether in Source or
+ Object form, made available under the License, as indicated by a
+ copyright notice that is included in or attached to the work
+ (an example is provided in the Appendix below).
+
+ "Derivative Works" shall mean any work, whether in Source or Object
+ form, that is based on (or derived from) the Work and for which the
+ editorial revisions, annotations, elaborations, or other modifications
+ represent, as a whole, an original work of authorship. For the purposes
+ of this License, Derivative Works shall not include works that remain
+ separable from, or merely link (or bind by name) to the interfaces of,
+ the Work and Derivative Works thereof.
+
+ "Contribution" shall mean any work of authorship, including
+ the original version of the Work and any modifications or additions
+ to that Work or Derivative Works thereof, that is intentionally
+ submitted to Licensor for inclusion in the Work by the copyright owner
+ or by an individual or Legal Entity authorized to submit on behalf of
+ the copyright owner. For the purposes of this definition, "submitted"
+ means any form of electronic, verbal, or written communication sent
+ to the Licensor or its representatives, including but not limited to
+ communication on electronic mailing lists, source code control systems,
+ and issue tracking systems that are managed by, or on behalf of, the
+ Licensor for the purpose of discussing and improving the Work, but
+ excluding communication that is conspicuously marked or otherwise
+ designated in writing by the copyright owner as "Not a Contribution."
+
+ "Contributor" shall mean Licensor and any individual or Legal Entity
+ on behalf of whom a Contribution has been received by Licensor and
+ subsequently incorporated within the Work.
+
+ 2. Grant of Copyright License. Subject to the terms and conditions of
+ this License, each Contributor hereby grants to You a perpetual,
+ worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+ copyright license to reproduce, prepare Derivative Works of,
+ publicly display, publicly perform, sublicense, and distribute the
+ Work and such Derivative Works in Source or Object form.
+
+ 3. Grant of Patent License. Subject to the terms and conditions of
+ this License, each Contributor hereby grants to You a perpetual,
+ worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+ (except as stated in this section) patent license to make, have made,
+ use, offer to sell, sell, import, and otherwise transfer the Work,
+ where such license applies only to those patent claims licensable
+ by such Contributor that are necessarily infringed by their
+ Contribution(s) alone or by combination of their Contribution(s)
+ with the Work to which such Contribution(s) was submitted. If You
+ institute patent litigation against any entity (including a
+ cross-claim or counterclaim in a lawsuit) alleging that the Work
+ or a Contribution incorporated within the Work constitutes direct
+ or contributory patent infringement, then any patent licenses
+ granted to You under this License for that Work shall terminate
+ as of the date such litigation is filed.
+
+ 4. Redistribution. You may reproduce and distribute copies of the
+ Work or Derivative Works thereof in any medium, with or without
+ modifications, and in Source or Object form, provided that You
+ meet the following conditions:
+
+ (a) You must give any other recipients of the Work or
+ Derivative Works a copy of this License; and
+
+ (b) You must cause any modified files to carry prominent notices
+ stating that You changed the files; and
+
+ (c) You must retain, in the Source form of any Derivative Works
+ that You distribute, all copyright, patent, trademark, and
+ attribution notices from the Source form of the Work,
+ excluding those notices that do not pertain to any part of
+ the Derivative Works; and
+
+ (d) If the Work includes a "NOTICE" text file as part of its
+ distribution, then any Derivative Works that You distribute must
+ include a readable copy of the attribution notices contained
+ within such NOTICE file, excluding those notices that do not
+ pertain to any part of the Derivative Works, in at least one
+ of the following places: within a NOTICE text file distributed
+ as part of the Derivative Works; within the Source form or
+ documentation, if provided along with the Derivative Works; or,
+ within a display generated by the Derivative Works, if and
+ wherever such third-party notices normally appear. The contents
+ of the NOTICE file are for informational purposes only and
+ do not modify the License. You may add Your own attribution
+ notices within Derivative Works that You distribute, alongside
+ or as an addendum to the NOTICE text from the Work, provided
+ that such additional attribution notices cannot be construed
+ as modifying the License.
+
+ You may add Your own copyright statement to Your modifications and
+ may provide additional or different license terms and conditions
+ for use, reproduction, or distribution of Your modifications, or
+ for any such Derivative Works as a whole, provided Your use,
+ reproduction, and distribution of the Work otherwise complies with
+ the conditions stated in this License.
+
+ 5. Submission of Contributions. Unless You explicitly state otherwise,
+ any Contribution intentionally submitted for inclusion in the Work
+ by You to the Licensor shall be under the terms and conditions of
+ this License, without any additional terms or conditions.
+ Notwithstanding the above, nothing herein shall supersede or modify
+ the terms of any separate license agreement you may have executed
+ with Licensor regarding such Contributions.
+
+ 6. Trademarks. This License does not grant permission to use the trade
+ names, trademarks, service marks, or product names of the Licensor,
+ except as required for reasonable and customary use in describing the
+ origin of the Work and reproducing the content of the NOTICE file.
+
+ 7. Disclaimer of Warranty. Unless required by applicable law or
+ agreed to in writing, Licensor provides the Work (and each
+ Contributor provides its Contributions) on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ implied, including, without limitation, any warranties or conditions
+ of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+ PARTICULAR PURPOSE. You are solely responsible for determining the
+ appropriateness of using or redistributing the Work and assume any
+ risks associated with Your exercise of permissions under this License.
+
+ 8. Limitation of Liability. In no event and under no legal theory,
+ whether in tort (including negligence), contract, or otherwise,
+ unless required by applicable law (such as deliberate and grossly
+ negligent acts) or agreed to in writing, shall any Contributor be
+ liable to You for damages, including any direct, indirect, special,
+ incidental, or consequential damages of any character arising as a
+ result of this License or out of the use or inability to use the
+ Work (including but not limited to damages for loss of goodwill,
+ work stoppage, computer failure or malfunction, or any and all
+ other commercial damages or losses), even if such Contributor
+ has been advised of the possibility of such damages.
+
+ 9. Accepting Warranty or Additional Liability. While redistributing
+ the Work or Derivative Works thereof, You may choose to offer,
+ and charge a fee for, acceptance of support, warranty, indemnity,
+ or other liability obligations and/or rights consistent with this
+ License. However, in accepting such obligations, You may act only
+ on Your own behalf and on Your sole responsibility, not on behalf
+ of any other Contributor, and only if You agree to indemnify,
+ defend, and hold each Contributor harmless for any liability
+ incurred by, or claims asserted against, such Contributor by reason
+ of your accepting any such warranty or additional liability.
+
+ END OF TERMS AND CONDITIONS
+
+ APPENDIX: How to apply the Apache License to your work.
+
+ To apply the Apache License to your work, attach the following
+ boilerplate notice, with the fields enclosed by brackets "[]"
+ replaced with your own identifying information. (Don't include
+ the brackets!) The text should be enclosed in the appropriate
+ comment syntax for the file format. We also recommend that a
+ file or class name and description of purpose be included on the
+ same "printed page" as the copyright notice for easier
+ identification within third-party archives.
+
+ Copyright [yyyy] [name of copyright owner]
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+
+
+Apache Knox Subcomponents:
+
+Apache Knox includes a number of sub-components with separate copyright
+notices and license terms. Your use of these sub-components is subject
+to the terms and conditions of the following licenses.
+
+
+------------------------------------------------------------------------------
+From Jetty and Jerico
+------------------------------------------------------------------------------
+Eclipse Public License - v 1.0
+
+THE ACCOMPANYING PROGRAM IS PROVIDED UNDER THE TERMS OF THIS ECLIPSE PUBLIC
+LICENSE ("AGREEMENT"). ANY USE, REPRODUCTION OR DISTRIBUTION OF THE PROGRAM
+CONSTITUTES RECIPIENT'S ACCEPTANCE OF THIS AGREEMENT.
+
+1. DEFINITIONS
+
+"Contribution" means:
+
+a) in the case of the initial Contributor, the initial code and documentation
+distributed under this Agreement, and
+
+b) in the case of each subsequent Contributor:
+
+i) changes to the Program, and
+
+ii) additions to the Program;
+
+where such changes and/or additions to the Program originate from and are
+distributed by that particular Contributor. A Contribution 'originates' from a
+Contributor if it was added to the Program by such Contributor itself or anyone
+acting on such Contributor's behalf. Contributions do not include additions to
+the Program which: (i) are separate modules of software distributed in
+conjunction with the Program under their own license agreement, and (ii) are not
+derivative works of the Program.
+
+"Contributor" means any person or entity that distributes the Program.
+
+"Licensed Patents" mean patent claims licensable by a Contributor which are
+necessarily infringed by the use or sale of its Contribution alone or when
+combined with the Program.
+
+"Program" means the Contributions distributed in accordance with this Agreement.
+
+"Recipient" means anyone who receives the Program under this Agreement,
+including all Contributors.
+
+2. GRANT OF RIGHTS
+
+a) Subject to the terms of this Agreement, each Contributor hereby grants
+Recipient a non-exclusive, worldwide, royalty-free copyright license to
+reproduce, prepare derivative works of, publicly display, publicly perform,
+distribute and sublicense the Contribution of such Contributor, if any, and such
+derivative works, in source code and object code form.
+
+b) Subject to the terms of this Agreement, each Contributor hereby grants
+Recipient a non-exclusive, worldwide, royalty-free patent license under Licensed
+Patents to make, use, sell, offer to sell, import and otherwise transfer the
+Contribution of such Contributor, if any, in source code and object code form.
+This patent license shall apply to the combination of the Contribution and the
+Program if, at the time the Contribution is added by the Contributor, such
+addition of the Contribution causes such combination to be covered by the
+Licensed Patents. The patent license shall not apply to any other combinations
+which include the Contribution. No hardware per se is licensed hereunder.
+
+c) Recipient understands that although each Contributor grants the licenses to
+its Contributions set forth herein, no assurances are provided by any
+Contributor that the Program does not infringe the patent or other intellectual
+property rights of any other entity. Each Contributor disclaims any liability to
+Recipient for claims brought by any other entity based on infringement of
+intellectual property rights or otherwise. As a condition to exercising the
+rights and licenses granted hereunder, each Recipient hereby assumes sole
+responsibility to secure any other intellectual property rights needed, if any.
+For example, if a third party patent license is required to allow Recipient to
+distribute the Program, it is Recipient's responsibility to acquire that license
+before distributing the Program.
+
+d) Each Contributor represents that to its knowledge it has sufficient copyright
+rights in its Contribution, if any, to grant the copyright license set forth in
+this Agreement.
+
+3. REQUIREMENTS
+
+A Contributor may choose to distribute the Program in object code form under its
+own license agreement, provided that:
+
+a) it complies with the terms and conditions of this Agreement; and
+
+b) its license agreement:
+
+i) effectively disclaims on behalf of all Contributors all warranties and
+conditions, express and implied, including warranties or conditions of title and
+non-infringement, and implied warranties or conditions of merchantability and
+fitness for a particular purpose;
+
+ii) effectively excludes on behalf of all Contributors all liability for
+damages, including direct, indirect, special, incidental and consequential
+damages, such as lost profits;
+
+iii) states that any provisions which differ from this Agreement are offered by
+that Contributor alone and not by any other party; and
+
+iv) states that source code for the Program is available from such Contributor,
+and informs licensees how to obtain it in a reasonable manner on or through a
+medium customarily used for software exchange.
+
+When the Program is made available in source code form:
+
+a) it must be made available under this Agreement; and
+
+b) a copy of this Agreement must be included with each copy of the Program.
+
+Contributors may not remove or alter any copyright notices contained within the
+Program.
+
+Each Contributor must identify itself as the originator of its Contribution, if
+any, in a manner that reasonably allows subsequent Recipients to identify the
+originator of the Contribution.
+
+4. COMMERCIAL DISTRIBUTION
+
+Commercial distributors of software may accept certain responsibilities with
+respect to end users, business partners and the like. While this license is
+intended to facilitate the commercial use of the Program, the Contributor who
+includes the Program in a commercial product offering should do so in a manner
+which does not create potential liability for other Contributors. Therefore, if
+a Contributor includes the Program in a commercial product offering, such
+Contributor ("Commercial Contributor") hereby agrees to defend and indemnify
+every other Contributor ("Indemnified Contributor") against any losses, damages
+and costs (collectively "Losses") arising from claims, lawsuits and other legal
+actions brought by a third party against the Indemnified Contributor to the
+extent caused by the acts or omissions of such Commercial Contributor in
+connection with its distribution of the Program in a commercial product
+offering. The obligations in this section do not apply to any claims or Losses
+relating to any actual or alleged intellectual property infringement. In order
+to qualify, an Indemnified Contributor must: a) promptly notify the Commercial
+Contributor in writing of such claim, and b) allow the Commercial Contributor
+to control, and cooperate with the Commercial Contributor in, the defense and
+any related settlement negotiations. The Indemnified Contributor may
+participate in any such claim at its own expense.
+
+For example, a Contributor might include the Program in a commercial product
+offering, Product X. That Contributor is then a Commercial Contributor. If that
+Commercial Contributor then makes performance claims, or offers warranties
+related to Product X, those performance claims and warranties are such
+Commercial Contributor's responsibility alone. Under this section, the
+Commercial Contributor would have to defend claims against the other
+Contributors related to those performance claims and warranties, and if a court
+requires any other Contributor to pay any damages as a result, the Commercial
+Contributor must pay those damages.
+
+5. NO WARRANTY
+
+EXCEPT AS EXPRESSLY SET FORTH IN THIS AGREEMENT, THE PROGRAM IS PROVIDED ON AN
+"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, EITHER EXPRESS OR
+IMPLIED INCLUDING, WITHOUT LIMITATION, ANY WARRANTIES OR CONDITIONS OF TITLE,
+NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Each
+Recipient is solely responsible for determining the appropriateness of using and
+distributing the Program and assumes all risks associated with its exercise of
+rights under this Agreement , including but not limited to the risks and costs
+of program errors, compliance with applicable laws, damage to or loss of data,
+programs or equipment, and unavailability or interruption of operations.
+
+6. DISCLAIMER OF LIABILITY
+
+EXCEPT AS EXPRESSLY SET FORTH IN THIS AGREEMENT, NEITHER RECIPIENT NOR ANY
+CONTRIBUTORS SHALL HAVE ANY LIABILITY FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING WITHOUT LIMITATION LOST
+PROFITS), HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+OUT OF THE USE OR DISTRIBUTION OF THE PROGRAM OR THE EXERCISE OF ANY RIGHTS
+GRANTED HEREUNDER, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
+
+7. GENERAL
+
+If any provision of this Agreement is invalid or unenforceable under applicable
+law, it shall not affect the validity or enforceability of the remainder of the
+terms of this Agreement, and without further action by the parties hereto, such
+provision shall be reformed to the minimum extent necessary to make such
+provision valid and enforceable.
+
+If Recipient institutes patent litigation against any entity (including a
+cross-claim or counterclaim in a lawsuit) alleging that the Program itself
+(excluding combinations of the Program with other software or hardware)
+infringes such Recipient's patent(s), then such Recipient's rights granted under
+Section 2(b) shall terminate as of the date such litigation is filed.
+
+All Recipient's rights under this Agreement shall terminate if it fails to
+comply with any of the material terms or conditions of this Agreement and does
+not cure such failure in a reasonable period of time after becoming aware of
+such noncompliance. If all Recipient's rights under this Agreement terminate,
+Recipient agrees to cease use and distribution of the Program as soon as
+reasonably practicable. However, Recipient's obligations under this Agreement
+and any licenses granted by Recipient relating to the Program shall continue and
+survive.
+
+Everyone is permitted to copy and distribute copies of this Agreement, but in
+order to avoid inconsistency the Agreement is copyrighted and may only be
+modified in the following manner. The Agreement Steward reserves the right to
+publish new versions (including revisions) of this Agreement from time to time.
+No one other than the Agreement Steward has the right to modify this Agreement.
+The Eclipse Foundation is the initial Agreement Steward. The Eclipse Foundation
+may assign the responsibility to serve as the Agreement Steward to a suitable
+separate entity. Each new version of the Agreement will be given a
+distinguishing version number. The Program (including Contributions) may always
+be distributed subject to the version of the Agreement under which it was
+received. In addition, after a new version of the Agreement is published,
+Contributor may elect to distribute the Program (including its Contributions)
+under the new version. Except as expressly stated in Sections 2(a) and 2(b)
+above, Recipient receives no rights or licenses to the intellectual property of
+any Contributor under this Agreement, whether expressly, by implication,
+estoppel or otherwise. All rights in the Program not expressly granted under
+this Agreement are reserved.
+
+This Agreement is governed by the laws of the State of New York and the
+intellectual property laws of the United States of America. No party to this
+Agreement will bring a legal action under this Agreement more than one year
+after the cause of action arose. Each party waives its rights to a jury trial in
+any resulting litigation.
+
+
+For TODO.jar (Jave EE Servlet API)
+
+COMMON DEVELOPMENT AND DISTRIBUTION LICENSE (CDDL) Version 1.0
+
+1. Definitions.
+
+ 1.1. Contributor. means each individual or entity that creates or contributes
+ to the creation of Modifications.
+
+ 1.2. Contributor Version. means the combination of the Original Software,
+ prior Modifications used by a Contributor (if any), and the
+ Modifications made by that particular Contributor.
+
+ 1.3. Covered Software. means (a) the Original Software, or (b) Modifications,
+ or (c) the combination of files containing Original Software with files
+ containing Modifications, in each case including portions thereof.
+
+ 1.4. Executable. means the Covered Software in any form other than Source
+ Code.
+
+ 1.5. Initial Developer. means the individual or entity that first makes
+ Original Software available under this License.
+
+ 1.6. Larger Work. means a work which combines Covered Software or portions
+ thereof with code not governed by the terms of this License.
+
+ 1.7. License. means this document.
+
+ 1.8. Licensable. means having the right to grant, to the maximum extent
+ possible, whether at the time of the initial grant or subsequently
+ acquired, any and all of the rights conveyed herein.
+
+ 1.9. Modifications. means the Source Code and Executable form of any of the
+ following:
+
+ A. Any file that results from an addition to, deletion from or
+ modification of the contents of a file containing Original Software
+ or previous Modifications;
+
+ B. Any new file that contains any part of the Original Software or
+ previous Modification; or
+
+ C. Any new file that is contributed or otherwise made available under
+ the terms of this License.
+
+ 1.10. Original Software. means the Source Code and Executable form of
+ computer software code that is originally released under this License.
+
+ 1.11. Patent Claims. means any patent claim(s), now owned or hereafter
+ acquired, including without limitation, method, process, and apparatus
+ claims, in any patent Licensable by grantor.
+
+ 1.12. Source Code. means (a) the common form of computer software code in
+ which modifications are made and (b) associated documentation included
+ in or with such code.
+
+ 1.13. You. (or .Your.) means an individual or a legal entity exercising
+ rights under, and complying with all of the terms of, this License. For
+ legal entities, .You. includes any entity which controls, is controlled
+ by, or is under common control with You. For purposes of this
+ definition, .control. means (a) the power, direct or indirect, to cause
+ the direction or management of such entity, whether by contract or
+ otherwise, or (b) ownership of more than fifty percent (50%) of the
+ outstanding shares or beneficial ownership of such entity.
+
+2. License Grants.
+
+ 2.1. The Initial Developer Grant.
+
+ Conditioned upon Your compliance with Section 3.1 below and subject to
+ third party intellectual property claims, the Initial Developer hereby
+ grants You a world-wide, royalty-free, non-exclusive license:
+
+ (a) under intellectual property rights (other than patent or trademark)
+ Licensable by Initial Developer, to use, reproduce, modify, display,
+ perform, sublicense and distribute the Original Software (or
+ portions thereof), with or without Modifications, and/or as part of
+ a Larger Work; and
+
+ (b) under Patent Claims infringed by the making, using or selling of
+ Original Software, to make, have made, use, practice, sell, and
+ offer for sale, and/or otherwise dispose of the Original Software
+ (or portions thereof).
+
+ (c) The licenses granted in Sections 2.1(a) and (b) are effective on the
+ date Initial Developer first distributes or otherwise makes the
+ Original Software available to a third party under the terms of this
+ License.
+
+ (d) Notwithstanding Section 2.1(b) above, no patent license is granted:
+ (1) for code that You delete from the Original Software, or (2) for
+ infringements caused by: (i) the modification of the Original
+ Software, or (ii) the combination of the Original Software with
+ other software or devices.
+
+ 2.2. Contributor Grant.
+
+ Conditioned upon Your compliance with Section 3.1 below and subject to third
+ party intellectual property claims, each Contributor hereby grants You a
+ world-wide, royalty-free, non-exclusive license:
+
+ (a) under intellectual property rights (other than patent or trademark)
+ Licensable by Contributor to use, reproduce, modify, display,
+ perform, sublicense and distribute the Modifications created by such
+ Contributor (or portions thereof), either on an unmodified basis,
+ with other Modifications, as Covered Software and/or as part of a
+ Larger Work; and
+
+ (b) under Patent Claims infringed by the making, using, or selling of
+ Modifications made by that Contributor either alone and/or in
+ combination with its Contributor Version (or portions of such
+ combination), to make, use, sell, offer for sale, have made, and/or
+ otherwise dispose of: (1) Modifications made by that Contributor (or
+ portions thereof); and (2) the combination of Modifications made by
+ that Contributor with its Contributor Version (or portions of such
+ combination).
+
+ (c) The licenses granted in Sections 2.2(a) and 2.2(b) are effective on
+ the date Contributor first distributes or otherwise makes the
+ Modifications available to a third party.
+
+ (d) Notwithstanding Section 2.2(b) above, no patent license is granted:
+ (1) for any code that Contributor has deleted from the Contributor
+ Version; (2) for infringements caused by: (i) third party
+ modifications of Contributor Version, or (ii) the combination of
+ Modifications made by that Contributor with other software (except
+ as part of the Contributor Version) or other devices; or (3) under
+ Patent Claims infringed by Covered Software in the absence of
+ Modifications made by that Contributor.
+
+3. Distribution Obligations.
+
+ 3.1. Availability of Source Code.
+ Any Covered Software that You distribute or otherwise make available in
+ Executable form must also be made available in Source Code form and that
+ Source Code form must be distributed only under the terms of this License.
+ You must include a copy of this License with every copy of the Source Code
+ form of the Covered Software You distribute or otherwise make available.
+ You must inform recipients of any such Covered Software in Executable form
+ as to how they can obtain such Covered Software in Source Code form in a
+ reasonable manner on or through a medium customarily used for software
+ exchange.
+
+ 3.2. Modifications.
+ The Modifications that You create or to which You contribute are governed
+ by the terms of this License. You represent that You believe Your
+ Modifications are Your original creation(s) and/or You have sufficient
+ rights to grant the rights conveyed by this License.
+
+ 3.3. Required Notices.
+ You must include a notice in each of Your Modifications that identifies
+ You as the Contributor of the Modification. You may not remove or alter
+ any copyright, patent or trademark notices contained within the Covered
+ Software, or any notices of licensing or any descriptive text giving
+ attribution to any Contributor or the Initial Developer.
+
+ 3.4. Application of Additional Terms.
+ You may not offer or impose any terms on any Covered Software in Source
+ Code form that alters or restricts the applicable version of this License
+ or the recipients. rights hereunder. You may choose to offer, and to
+ charge a fee for, warranty, support, indemnity or liability obligations to
+ one or more recipients of Covered Software. However, you may do so only on
+ Your own behalf, and not on behalf of the Initial Developer or any
+ Contributor. You must make it absolutely clear that any such warranty,
+ support, indemnity or liability obligation is offered by You alone, and
+ You hereby agree to indemnify the Initial Developer and every Contributor
+ for any liability incurred by the Initial Developer or such Contributor as
+ a result of warranty, support, indemnity or liability terms You offer.
+
+ 3.5. Distribution of Executable Versions.
+ You may distribute the Executable form of the Covered Software under the
+ terms of this License or under the terms of a license of Your choice,
+ which may contain terms different from this License, provided that You are
+ in compliance with the terms of this License and that the license for the
+ Executable form does not attempt to limit or alter the recipient.s rights
+ in the Source Code form from the rights set forth in this License. If You
+ distribute the Covered Software in Executable form under a different
+ license, You must make it absolutely clear that any terms which differ
+ from this License are offered by You alone, not by the Initial Developer
+ or Contributor. You hereby agree to indemnify the Initial Developer and
+ every Contributor for any liability incurred by the Initial Developer or
+ such Contributor as a result of any such terms You offer.
+
+ 3.6. Larger Works.
+ You may create a Larger Work by combining Covered Software with other code
+ not governed by the terms of this License and distribute the Larger Work
+ as a single product. In such a case, You must make sure the requirements
+ of this License are fulfilled for the Covered Software.
+
+4. Versions of the License.
+
+ 4.1. New Versions.
+ Sun Microsystems, Inc. is the initial license steward and may publish
+ revised and/or new versions of this License from time to time. Each
+ version will be given a distinguishing version number. Except as provided
+ in Section 4.3, no one other than the license steward has the right to
+ modify this License.
+
+ 4.2. Effect of New Versions.
+ You may always continue to use, distribute or otherwise make the Covered
+ Software available under the terms of the version of the License under
+ which You originally received the Covered Software. If the Initial
+ Developer includes a notice in the Original Software prohibiting it from
+ being distributed or otherwise made available under any subsequent version
+ of the License, You must distribute and make the Covered Software
+ available under the terms of the version of the License under which You
+ originally received the Covered Software. Otherwise, You may also choose
+ to use, distribute or otherwise make the Covered Software available under
+ the terms of any subsequent version of the License published by the
+ license steward.
+
+ 4.3. Modified Versions.
+ When You are an Initial Developer and You want to create a new license for
+ Your Original Software, You may create and use a modified version of this
+ License if You: (a) rename the license and remove any references to the
+ name of the license steward (except to note that the license differs from
+ this License); and (b) otherwise make it clear that the license contains
+ terms which differ from this License.
+
+5. DISCLAIMER OF WARRANTY.
+
+ COVERED SOFTWARE IS PROVIDED UNDER THIS LICENSE ON AN .AS IS. BASIS, WITHOUT
+ WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, WITHOUT
+ LIMITATION, WARRANTIES THAT THE COVERED SOFTWARE IS FREE OF DEFECTS,
+ MERCHANTABLE, FIT FOR A PARTICULAR PURPOSE OR NON-INFRINGING. THE ENTIRE RISK
+ AS TO THE QUALITY AND PERFORMANCE OF THE COVERED SOFTWARE IS WITH YOU. SHOULD
+ ANY COVERED SOFTWARE PROVE DEFECTIVE IN ANY RESPECT, YOU (NOT THE INITIAL
+ DEVELOPER OR ANY OTHER CONTRIBUTOR) ASSUME THE COST OF ANY NECESSARY
+ SERVICING, REPAIR OR CORRECTION. THIS DISCLAIMER OF WARRANTY CONSTITUTES AN
+ ESSENTIAL PART OF THIS LICENSE. NO USE OF ANY COVERED SOFTWARE IS AUTHORIZED
+ HEREUNDER EXCEPT UNDER THIS DISCLAIMER.
+
+6. TERMINATION.
+
+ 6.1. This License and the rights granted hereunder will terminate
+ automatically if You fail to comply with terms herein and fail to
+ cure such breach within 30 days of becoming aware of the breach.
+ Provisions which, by their nature, must remain in effect beyond the
+ termination of this License shall survive.
+
+ 6.2. If You assert a patent infringement claim (excluding declaratory
+ judgment actions) against Initial Developer or a Contributor (the
+ Initial Developer or Contributor against whom You assert such claim
+ is referred to as .Participant.) alleging that the Participant
+ Software (meaning the Contributor Version where the Participant is a
+ Contributor or the Original Software where the Participant is the
+ Initial Developer) directly or indirectly infringes any patent, then
+ any and all rights granted directly or indirectly to You by such
+ Participant, the Initial Developer (if the Initial Developer is not
+ the Participant) and all Contributors under Sections 2.1 and/or 2.2
+ of this License shall, upon 60 days notice from Participant terminate
+ prospectively and automatically at the expiration of such 60 day
+ notice period, unless if within such 60 day period You withdraw Your
+ claim with respect to the Participant Software against such
+ Participant either unilaterally or pursuant to a written agreement
+ with Participant.
+
+ 6.3. In the event of termination under Sections 6.1 or 6.2 above, all end
+ user licenses that have been validly granted by You or any
+ distributor hereunder prior to termination (excluding licenses
+ granted to You by any distributor) shall survive termination.
+
+7. LIMITATION OF LIABILITY.
+
+ UNDER NO CIRCUMSTANCES AND UNDER NO LEGAL THEORY, WHETHER TORT (INCLUDING
+ NEGLIGENCE), CONTRACT, OR OTHERWISE, SHALL YOU, THE INITIAL DEVELOPER, ANY
+ OTHER CONTRIBUTOR, OR ANY DISTRIBUTOR OF COVERED SOFTWARE, OR ANY SUPPLIER OF
+ ANY OF SUCH PARTIES, BE LIABLE TO ANY PERSON FOR ANY INDIRECT, SPECIAL,
+ INCIDENTAL, OR CONSEQUENTIAL DAMAGES OF ANY CHARACTER INCLUDING, WITHOUT
+ LIMITATION, DAMAGES FOR LOST PROFITS, LOSS OF GOODWILL, WORK STOPPAGE,
+ COMPUTER FAILURE OR MALFUNCTION, OR ANY AND ALL OTHER COMMERCIAL DAMAGES OR
+ LOSSES, EVEN IF SUCH PARTY SHALL HAVE BEEN INFORMED OF THE POSSIBILITY OF
+ SUCH DAMAGES. THIS LIMITATION OF LIABILITY SHALL NOT APPLY TO LIABILITY FOR
+ DEATH OR PERSONAL INJURY RESULTING FROM SUCH PARTY.S NEGLIGENCE TO THE EXTENT
+ APPLICABLE LAW PROHIBITS SUCH LIMITATION. SOME JURISDICTIONS DO NOT ALLOW THE
+ EXCLUSION OR LIMITATION OF INCIDENTAL OR CONSEQUENTIAL DAMAGES, SO THIS
+ EXCLUSION AND LIMITATION MAY NOT APPLY TO YOU.
+
+8. U.S. GOVERNMENT END USERS.
+
+ The Covered Software is a .commercial item,. as that term is defined in 48
+ C.F.R. 2.101 (Oct. 1995), consisting of .commercial computer software. (as
+ that term is defined at 48 C.F.R. ? 252.227-7014(a)(1)) and commercial
+ computer software documentation. as such terms are used in 48 C.F.R. 12.212
+ (Sept. 1995). Consistent with 48 C.F.R. 12.212 and 48 C.F.R. 227.7202-1
+ through 227.7202-4 (June 1995), all U.S. Government End Users acquire Covered
+ Software with only those rights set forth herein. This U.S. Government Rights
+ clause is in lieu of, and supersedes, any other FAR, DFAR, or other clause or
+ provision that addresses Government rights in computer software under this
+ License.
+
+9. MISCELLANEOUS.
+
+ This License represents the complete agreement concerning subject matter
+ hereof. If any provision of this License is held to be unenforceable, such
+ provision shall be reformed only to the extent necessary to make it
+ enforceable. This License shall be governed by the law of the jurisdiction
+ specified in a notice contained within the Original Software (except to the
+ extent applicable law, if any, provides otherwise), excluding such
+ jurisdiction's conflict-of-law provisions. Any litigation relating to this
+ License shall be subject to the jurisdiction of the courts located in the
+ jurisdiction and venue specified in a notice contained within the Original
+ Software, with the losing party responsible for costs, including, without
+ limitation, court costs and reasonable attorneys. fees and expenses. The
+ application of the United Nations Convention on Contracts for the
+ International Sale of Goods is expressly excluded. Any law or regulation
+ which provides that the language of a contract shall be construed against
+ the drafter shall not apply to this License. You agree that You alone are
+ responsible for compliance with the United States export administration
+ regulations (and the export control laws and regulation of any other
+ countries) when You use, distribute or otherwise make available any Covered
+ Software.
+
+10. RESPONSIBILITY FOR CLAIMS.
+
+ As between Initial Developer and the Contributors, each party is responsible
+ for claims and damages arising, directly or indirectly, out of its
+ utilization of rights under this License and You agree to work with Initial
+ Developer and Contributors to distribute such responsibility on an equitable
+ basis. Nothing herein is intended or shall be deemed to constitute any
+ admission of liability.
+
+ NOTICE PURSUANT TO SECTION 9 OF THE COMMON DEVELOPMENT AND DISTRIBUTION
+ LICENSE (CDDL)
+
+ The code released under the CDDL shall be governed by the laws of the State
+ of California (excluding conflict-of-law provisions). Any litigation relating
+ to this License shall be subject to the jurisdiction of the Federal Courts of
+ the Northern District of California and the state courts of the State of
+ California, with venue lying in Santa Clara County, California.
+
+
+------------------------------------------------------------------------------
+ANTLR 2 License (from ApacheDS, Groovy)
+------------------------------------------------------------------------------
+We reserve no legal rights to the ANTLR--it is fully in the public domain.
+An individual or company may do whatever they wish with source code
+distributed with ANTLR or the code generated by ANTLR, including the
+incorporation of ANTLR, or its output, into commerical software.
+We encourage users to develop software with ANTLR. However, we do ask that
+credit is given to us for developing ANTLR. By "credit", we mean that if you
+use ANTLR or incorporate any source code into one of your programs
+(commercial product, research project, or otherwise) that you acknowledge
+this fact somewhere in the documentation, research report, etc... If you like
+ANTLR and have developed a nice tool with the output, please mention that you
+developed it using ANTLR. In addition, we ask that the headers remain intact
+in our source code. As long as these guidelines are kept, we expect to
+continue enhancing this system and expect to make other tools available as
+they are completed.
+
+------------------------------------------------------------------------------
+ASM Project License (from CGLib, Groovy)
+------------------------------------------------------------------------------
+Copyright (c) 2000-2011 INRIA, France Telecom
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions
+are met:
+
+1. Redistributions of source code must retain the above copyright
+ notice, this list of conditions and the following disclaimer.
+
+2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+
+3. Neither the name of the copyright holders nor the names of its
+ contributors may be used to endorse or promote products derived from
+ this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
+LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
+THE POSSIBILITY OF SUCH DAMAGE.
+
+
+------------------------------------------------------------------------------
+Bouncy Castle License (from ApacheDS)
+------------------------------------------------------------------------------
+Copyright (c) 2000 - 2012 The Legion Of The Bouncy Castle
+(http://www.bouncycastle.org)
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is furnished
+to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
+
+
+------------------------------------------------------------------------------
+Eclipse Public License - v1.0 (from Jetty/Jerico)
+------------------------------------------------------------------------------
+THE ACCOMPANYING PROGRAM IS PROVIDED UNDER THE TERMS OF THIS ECLIPSE PUBLIC
+LICENSE ("AGREEMENT"). ANY USE, REPRODUCTION OR DISTRIBUTION OF THE PROGRAM
+CONSTITUTES RECIPIENT’S ACCEPTANCE OF THIS AGREEMENT.
+
+1. DEFINITIONS
+
+"Contribution" means:
+
+a) in the case of the initial Contributor, the initial code and documentation
+ distributed under this Agreement, and
+b) in the case of each subsequent Contributor:
+
+i)changes to the Program, and
+
+ii)additions to the Program;
+
+where such changes and/or additions to the Program originate from and are
+distributed by that particular Contributor. A Contribution 'originates' from
+a Contributor if it was added to the Program by such Contributor itself or
+anyone acting on such Contributor’s behalf. Contributions do not include
+additions to the Program which: (i) are separate modules of software
+distributed in conjunction with the Program under their own license agreement,
+and (ii) are not derivative works of the Program.
+
+"Contributor" means any person or entity that distributes the Program.
+
+"Licensed Patents " mean patent claims licensable by a Contributor which are
+necessarily infringed by the use or sale of its Contribution alone or when
+combined with the Program.
+
+"Program" means the Contributions distributed in accordance with this
+Agreement.
+
+"Recipient" means anyone who receives the Program under this Agreement,
+including all Contributors.
+
+2. GRANT OF RIGHTS
+
+a) Subject to the terms of this Agreement, each Contributor hereby grants
+ Recipient a non-exclusive, worldwide, royalty-free copyright license to
+ reproduce, prepare derivative works of, publicly display, publicly perform,
+ distribute and sublicense the Contribution of such Contributor, if any,
+ and such derivative works, in source code and object code form.
+
+b) Subject to the terms of this Agreement, each Contributor hereby grants
+ Recipient a non-exclusive, worldwide, royalty-free patent license under
+ Licensed Patents to make, use, sell, offer to sell, import and otherwise
+ transfer the Contribution of such Contributor, if any, in source code and
+ object code form. This patent license shall apply to the combination of the
+ Contribution and the Program if, at the time the Contribution is added by
+ the Contributor, such addition of the Contribution causes such combination
+ to be covered by the Licensed Patents. The patent license shall not apply
+ to any other combinations which include the Contribution. No hardware per
+ se is licensed hereunder.
+
+c) Recipient understands that although each Contributor grants the licenses
+ to its Contributions set forth herein, no assurances are provided by any
+ Contributor that the Program does not infringe the patent or other
+ intellectual property rights of any other entity. Each Contributor
+ disclaims any liability to Recipient for claims brought by any other
+ entity based on infringement of intellectual property rights or otherwise.
+ As a condition to exercising the rights and licenses granted hereunder,
+ each Recipient hereby assumes sole responsibility to secure any other
+ intellectual property rights needed, if any. For example, if a third
+ party patent license is required to allow Recipient to distribute the
+ Program, it is Recipient’s responsibility to acquire that license before
+ distributing the Program.
+
+d) Each Contributor represents that to its knowledge it has sufficient
+ copyright rights in its Contribution, if any, to grant the copyright
+ license set forth in this Agreement.
+
+3. REQUIREMENTS
+
+A Contributor may choose to distribute the Program in object code form under
+its own license agreement, provided that:
+
+a) it complies with the terms and conditions of this Agreement; and
+
+b) its license agreement:
+
+i) effectively disclaims on behalf of all Contributors all warranties and
+ conditions, express and implied, including warranties or conditions of
+ title and non-infringement, and implied warranties or conditions of
+ merchantability and fitness for a particular purpose;
+
+ii) effectively excludes on behalf of all Contributors all liability for
+ damages, including direct, indirect, special, incidental and consequential
+ damages, such as lost profits;
+
+iii) states that any provisions which differ from this Agreement are offered by
+ that Contributor alone and not by any other party; and
+
+iv) states that source code for the Program is available from such
+ Contributor, and informs licensees how to obtain it in a reasonable manner
+ on or through a medium customarily used for software exchange.
+
+When the Program is made available in source code form:
+
+a) it must be made available under this Agreement; and
+
+b) a copy of this Agreement must be included with each copy of the Program.
+
+Contributors may not remove or alter any copyright notices contained within
+the Program.
+
+Each Contributor must identify itself as the originator of its Contribution,
+if any, in a manner that reasonably allows subsequent Recipients to identify
+the originator of the Contribution.
+
+4. COMMERCIAL DISTRIBUTION
+
+Commercial distributors of software may accept certain responsibilities with
+respect to end users, business partners and the like. While this license is
+intended to facilitate the commercial use of the Program, the Contributor who
+includes the Program in a commercial product offering should do so in a manner
+which does not create potential liability for other Contributors. Therefore,
+if a Contributor includes the Program in a commercial product offering, such
+Contributor ("Commercial Contributor") hereby agrees to defend and indemnify
+every other Contributor ("Indemnified Contributor") against any losses,
+damages and costs (collectively "Losses") arising from claims, lawsuits and
+other legal actions brought by a third party against the Indemnified
+Contributor to the extent caused by the acts or omissions of such Commercial
+Contributor in connection with its distribution of the Program in a commercial
+product offering. The obligations in this section do not apply to any claims
+or Losses relating to any actual or alleged intellectual property infringement.
+In order to qualify, an Indemnified Contributor must: a) promptly notify the
+Commercial Contributor in writing of such claim, and b) allow the Commercial
+Contributor to control, and cooperate with the Commercial Contributor in, the
+defense and any related settlement negotiations. The Indemnified Contributor
+may participate in any such claim at its own expense.
+
+For example, a Contributor might include the Program in a commercial product
+offering, Product X. That Contributor is then a Commercial Contributor. If
+that Commercial Contributor then makes performance claims, or offers
+warranties related to Product X, those performance claims and warranties are
+such Commercial Contributor’s responsibility alone. Under this section, the
+Commercial Contributor would have to defend claims against the other
+Contributors related to those performance claims and warranties, and if a
+court requires any other Contributor to pay any damages as a result, the
+Commercial Contributor must pay those damages.
+
+5. NO WARRANTY
+
+EXCEPT AS EXPRESSLY SET FORTH IN THIS AGREEMENT, THE PROGRAM IS PROVIDED ON
+AN "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, EITHER EXPRESS
+OR IMPLIED INCLUDING, WITHOUT LIMITATION, ANY WARRANTIES OR CONDITIONS OF
+TITLE, NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+Each Recipient is solely responsible for determining the appropriateness of
+using and distributing the Program and assumes all risks associated with its
+exercise of rights under this Agreement , including but not limited to the
+risks and costs of program errors, compliance with applicable laws, damage to
+or loss of data, programs or equipment, and unavailability or interruption of
+operations.
+
+6. DISCLAIMER OF LIABILITY
+
+EXCEPT AS EXPRESSLY SET FORTH IN THIS AGREEMENT, NEITHER RECIPIENT NOR ANY
+CONTRIBUTORS SHALL HAVE ANY LIABILITY FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING WITHOUT LIMITATION
+LOST PROFITS), HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ARISING IN ANY WAY OUT OF THE USE OR DISTRIBUTION OF THE PROGRAM OR THE
+EXERCISE OF ANY RIGHTS GRANTED HEREUNDER, EVEN IF ADVISED OF THE POSSIBILITY
+OF SUCH DAMAGES.
+
+7. GENERAL
+
+If any provision of this Agreement is invalid or unenforceable under
+applicable law, it shall not affect the validity or enforceability of the
+remainder of the terms of this Agreement, and without further action by the
+parties hereto, such provision shall be reformed to the minimum extent
+necessary to make such provision valid and enforceable.
+
+If Recipient institutes patent litigation against any entity (including a
+cross-claim or counterclaim in a lawsuit) alleging that the Program itself
+(excluding combinations of the Program with other software or hardware)
+infringes such Recipient’s patent(s), then such Recipient’s rights granted
+under Section 2(b) shall terminate as of the date such litigation is filed.
+
+All Recipient’s rights under this Agreement shall terminate if it fails to
+comply with any of the material terms or conditions of this Agreement and
+does not cure such failure in a reasonable period of time after becoming
+aware of such noncompliance. If all Recipient’s rights under this Agreement
+terminate, Recipient agrees to cease use and distribution of the Program as
+soon as reasonably practicable. However, Recipient’s obligations under this
+Agreement and any licenses granted by Recipient relating to the Program shall
+continue and survive.
+
+Everyone is permitted to copy and distribute copies of this Agreement, but in
+order to avoid inconsistency the Agreement is copyrighted and may only be
+modified in the following manner. The Agreement Steward reserves the right to
+publish new versions (including revisions) of this Agreement from time to
+time. No one other than the Agreement Steward has the right to modify this
+Agreement. The Eclipse Foundation is the initial Agreement Steward. The
+Eclipse Foundation may assign the responsibility to serve as the Agreement
+Steward to a suitable separate entity. Each new version of the Agreement
+will be given a distinguishing version number. The Program (including
+Contributions) may always be distributed subject to the version of the
+Agreement under which it was received. In addition, after a new version of
+the Agreement is published, Contributor may elect to distribute the Program
+(including its Contributions) under the new version. Except as expressly
+stated in Sections 2(a) and 2(b) above, Recipient receives no rights or
+licenses to the intellectual property of any Contributor under this Agreement,
+whether expressly, by implication, estoppel or otherwise. All rights in the
+Program not expressly granted under this Agreement are reserved.
+
+This Agreement is governed by the laws of the State of New York and the
+intellectual property laws of the United States of America. No party to this
+Agreement will bring a legal action under this Agreement more than one year
+after the cause of action arose. Each party waives its rights to a jury trial
+in any resulting litigation.
+
+
+--------------------------------------------------------------------------------------------------
+JDBM LICENSE v1.00 (from ApacheDS)
+--------------------------------------------------------------------------------------------------
+/**
+ * JDBM LICENSE v1.00
+ *
+ * Redistribution and use of this software and associated documentation
+ * ("Software"), with or without modification, are permitted provided
+ * that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain copyright
+ * statements and notices. Redistributions must also contain a
+ * copy of this document.
+ *
+ * 2. Redistributions in binary form must reproduce the
+ * above copyright notice, this list of conditions and the
+ * following disclaimer in the documentation and/or other
+ * materials provided with the distribution.
+ *
+ * 3. The name "JDBM" must not be used to endorse or promote
+ * products derived from this Software without prior written
+ * permission of Cees de Groot. For written permission,
+ * please contact cg@cdegroot.com.
+ *
+ * 4. Products derived from this Software may not be called "JDBM"
+ * nor may "JDBM" appear in their names without prior written
+ * permission of Cees de Groot.
+ *
+ * 5. Due credit should be given to the JDBM Project
+ * (http://jdbm.sourceforge.net/).
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE JDBM PROJECT AND CONTRIBUTORS
+ * ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT
+ * NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
+ * FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL
+ * CEES DE GROOT OR ANY CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ * Copyright 2000 (C) Cees de Groot. All Rights Reserved.
+ * Contributions are Copyright (C) 2000 by their associated contributors.
+ *
+ * $Id: LICENSE.txt,v 1.1 2000/05/05 23:59:52 boisvert Exp $
+ */
+
+------------------------------------------------------------------------------
+JLine License - BSD (from Groovy)
+------------------------------------------------------------------------------
+Copyright (c) 2002-2006, Marc Prud'hommeaux <mw...@cornell.edu>
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or
+without modification, are permitted provided that the following
+conditions are met:
+
+Redistributions of source code must retain the above copyright
+notice, this list of conditions and the following disclaimer.
+
+Redistributions in binary form must reproduce the above copyright
+notice, this list of conditions and the following disclaimer
+in the documentation and/or other materials provided with
+the distribution.
+
+Neither the name of JLine nor the names of its contributors
+may be used to endorse or promote products derived from this
+software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING,
+BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO
+EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE
+FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
+AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
+IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+OF THE POSSIBILITY OF SUCH DAMAGE.
+
+
+------------------------------------------------------------------------------
+SL4J License - MIT
+------------------------------------------------------------------------------
+Copyright (c) 2004-2013 QOS.ch
+All rights reserved.
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+------------------------------------------------------------------------------
+Tanuki Software License (from ApacheDS)
+------------------------------------------------------------------------------
+Copyright (c) 1999, 2004 Tanuki Software
+
+Permission is hereby granted, free of charge, to any person
+obtaining a copy of the Java Service Wrapper and associated
+documentation files (the "Software"), to deal in the Software
+without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sub-license,
+and/or sell copies of the Software, and to permit persons to
+whom the Software is furnished to do so, subject to the
+following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES
+OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NON-INFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
+HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
+WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
+OTHER DEALINGS IN THE SOFTWARE.
+
+
+------------------------------------------------------------------------------
+Silver Egg Technology License (from ApacheDS)
+------------------------------------------------------------------------------
+Portions of the Software have been derived from source code
+developed by Silver Egg Technology under the following license:
+
+Copyright (c) 2001 Silver Egg Technology
+
+Permission is hereby granted, free of charge, to any person
+obtaining a copy of this software and associated documentation
+files (the "Software"), to deal in the Software without
+restriction, including without limitation the rights to use,
+copy, modify, merge, publish, distribute, sub-license, and/or
+sell copies of the Software, and to permit persons to whom the
+Software is furnished to do so, subject to the following
+conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+
+------------------------------------------------------------------------------
+Sun Microsystems, Inc. License (from Groovy)
+------------------------------------------------------------------------------
+The following notice applies to the files:
+
+src/main/org/codehaus/groovy/jsr223/GroovyCompiledScript.java
+src/main/org/codehaus/groovy/jsr223/GroovyScriptEngineFactory.java
+src/main/org/codehaus/groovy/jsr223/GroovyScriptEngineImpl.java
+
+/*
+ * Copyright 2006 Sun Microsystems, Inc. All rights reserved.
+ * Use is subject to license terms.
+ *
+ * Redistribution and use in source and binary forms, with or without modification, are
+ * permitted provided that the following conditions are met: Redistributions of source code
+ * must retain the above copyright notice, this list of conditions and the following disclaimer.
+ * Redistributions in binary form must reproduce the above copyright notice, this list of
+ * conditions and the following disclaimer in the documentation and/or other materials
+ * provided with the distribution. Neither the name of the Sun Microsystems nor the names of
+ * is contributors may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS
+ * OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER
+ * OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
+ * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+ * OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+------------------------------------------------------------------------------
+European Commission License (from Hadoop)
+------------------------------------------------------------------------------
+For the org.apache.hadoop.util.bloom.* classes:
+
+/**
+ *
+ * Copyright (c) 2005, European Commission project OneLab under contract
+ * 034819 (http://www.one-lab.org)
+ * All rights reserved.
+ * Redistribution and use in source and binary forms, with or
+ * without modification, are permitted provided that the following
+ * conditions are met:
+ * - Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * - Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the distribution.
+ * - Neither the name of the University Catholique de Louvain - UCL
+ * nor the names of its contributors may be used to endorse or
+ * promote products derived from this software without specific prior
+ * written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+ * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+ * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
+ * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+------------------------------------------------------------------------------
+zlib/libpng License
+------------------------------------------------------------------------------
+This software is provided 'as-is', without any express or implied warranty. In
+no event will the authors be held liable for any damages arising from the use of
+this software.
+
+Permission is granted to anyone to use this software for any purpose, including
+commercial applications, and to alter it and redistribute it freely, subject to
+the following restrictions:
+
+ 1. The origin of this software must not be misrepresented; you must not claim
+ that you wrote the original software. If you use this software in a
+ product, an acknowledgment in the product documentation would be
+ appreciated but is not required.
+ 2. Altered source versions must be plainly marked as such, and must not be
+ misrepresented as being the original software.
+ 3. This notice may not be removed or altered from any source distribution.
+
+
+------------------------------------------------------------------------------
+bzip2 License
+------------------------------------------------------------------------------
+Redistribution and use in source and binary forms, with or without modification,
+are permitted provided that the following conditions are met:
+
+ 1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+ 2. The origin of this software must not be misrepresented; you must not claim
+ that you wrote the original software. If you use this software in a
+ product, an acknowledgment in the product documentation would be
+ appreciated but is not required.
+ 3. Altered source versions must be plainly marked as such, and must not be
+ misrepresented as being the original software.
+ 4. The name of the author may not be used to endorse or promote products
+ derived from this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS AND ANY EXPRESS OR IMPLIED
+WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT
+SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
+OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
+IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY
+OF SUCH DAMAGE.
+
+Julian Seward, Cambridge, UK.
+jseward@acm.org
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/21e6d1da/hsso-release/home/NOTICE
----------------------------------------------------------------------
diff --git a/hsso-release/home/NOTICE b/hsso-release/home/NOTICE
new file mode 100644
index 0000000..f189d80
--- /dev/null
+++ b/hsso-release/home/NOTICE
@@ -0,0 +1,107 @@
+=========================================================================
+== NOTICE file corresponding to the section 4 d of ==
+== the Apache License, Version 2.0, ==
+== in this case for the Apache Knox distribution. ==
+=========================================================================
+
+Apache Knox
+Copyright 2012-2013 The Apache Software Foundation
+
+This product includes software developed by
+The Apache Software Foundation (http://www.apache.org/).
+
+Language Recognition and parsing support support is provided by the
+ANTLRv2 library package, which is open source software developed at
+GitHub (https://github.com/antlr/antlr). The original software is
+available from http://www.antlr2.org/
+
+Bytecode manipulation and analysis support is provided by the
+ASM library package, which is open source software developed at
+the OW2 Forge (http://forge.ow2.org/projects/asm). The original
+software is available from http://asm.ow2.org/
+
+Cryptographic support is provided the Bouncy Castle library package,
+which is open source software developed at BouncyCastle.org
+:pserver:anonymous@cvs.bouncycastle.org:/home/users/bouncy/cvsroot
+The original software is available from http://www.bouncycastle.org/
+
+HTML parsing support is provided by the Jerico library package,
+which is open source software developed at
+SourceForge (http://sourceforge.net/projects/jerichohtml/)
+The original software is available from http://jericho.htmlparser.net/
+
+Console input support is provided by the JLine library package,
+which is open source software developed at
+GitHub (https://github.com/jline). The original software is
+available from http://jline.sourceforge.net/
+
+Logging Facade API support is provided by the Simple Logging Facade for
+Java (SL4J) library package, which is open source software developed at
+GitHub (https://github.com/qos-ch/slf4j/). The original software is
+available from http://www.slf4j.org/
+
+------------------------------------------------------------------------------
+Jetty
+------------------------------------------------------------------------------
+Web server and javax.servlet container support is provided by the
+Jetty library package, which is open source software developed at
+Eclipse http://git.eclipse.org/c/jetty/org.eclipse.jetty.project.git
+The original software is available from http://www.eclipse.org/jetty/
+
+The Jetty Web Container is Copyright Mort Bay Consulting Pty Ltd
+unless otherwise noted. It is dual licensed under the apache 2.0
+license and eclipse 1.0 license. Jetty may be distributed under
+either license.
+
+The UnixCrypt.java code implements the one way cryptography used by
+Unix systems for simple password protection. Copyright 1996 Aki Yoshida,
+modified April 2001 by Iris Van den Broeke, Daniel Deville.
+Permission to use, copy, modify and distribute UnixCrypt
+for non-commercial or commercial purposes and without fee is
+granted provided that the copyright notice appears in all copies.
+
+The javax.servlet package used was sourced from the Apache
+Software Foundation and is distributed under the apache 2.0
+license.
+
+------------------------------------------------------------------------------
+ApacheDS
+------------------------------------------------------------------------------
+Safehaus JUG
+Copyright 2005 Safehaus
+
+This product includes software developed at
+Safehaus (http://docs.safehaus.org/display/HAUS/Home).
+
+OpenSymphony Quartz
+Copyright 2004-2005 OpenSymphony
+
+This product includes software developed at
+OpenSymphony (http://www.opensymphony.com/).
+
+This product also includes software developed by
+Clinton Begin (http://www.ibatis.com).
+
+------------------------------------------------------------------------------
+Groovy
+------------------------------------------------------------------------------
+Groovy Language
+Copyright 2003-2012 The respective authors and developers
+Developers and Contributors are listed in the project POM file
+and Gradle build file
+
+This product includes software developed by
+The Groovy community (http://groovy.codehaus.org/).
+
+------------------------------------------------------------------------------
+Shiro
+------------------------------------------------------------------------------
+The implementation for org.apache.shiro.util.SoftHashMap is based
+on initial ideas from Dr. Heinz Kabutz's publicly posted version
+available at http://www.javaspecialists.eu/archive/Issue015.html,
+with continued modifications.
+
+Certain parts (StringUtils etc.) of the source code for this
+product was copied for simplicity and to reduce dependencies
+from the source code developed by the Spring Framework Project
+(http://www.springframework.org).
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/21e6d1da/hsso-release/home/README
----------------------------------------------------------------------
diff --git a/hsso-release/home/README b/hsso-release/home/README
new file mode 100644
index 0000000..a3cb194
--- /dev/null
+++ b/hsso-release/home/README
@@ -0,0 +1,87 @@
+------------------------------------------------------------------------------
+README file for Apache Knox Gateway
+------------------------------------------------------------------------------
+This distribution includes cryptographic software. The country in
+which you currently reside may have restrictions on the import,
+possession, use, and/or re-export to another country, of
+encryption software. BEFORE using any encryption software, please
+check your country's laws, regulations and policies concerning the
+import, possession, or use, and re-export of encryption software, to
+see if this is permitted. See <http://www.wassenaar.org/> for more
+information.
+
+The U.S. Government Department of Commerce, Bureau of Industry and
+Security (BIS), has classified this software as Export Commodity
+Control Number (ECCN) 5D002.C.1, which includes information security
+software using or performing cryptographic functions with asymmetric
+algorithms. The form and manner of this Apache Software Foundation
+distribution makes it eligible for export under the License Exception
+ENC Technology Software Unrestricted (TSU) exception (see the BIS
+Export Administration Regulations, Section 740.13) for both object
+code and source code.
+
+The following provides more details on the included cryptographic
+software:
+ This package includes the use of ApacheDS which is dependent upon the
+Bouncy Castle Crypto APIs written by the Legion of the Bouncy Castle
+http://www.bouncycastle.org/ feedback-crypto@bouncycastle.org.
+
+------------------------------------------------------------------------------
+Description
+------------------------------------------------------------------------------
+The charter for the Gateway project is to simplify and normalize the
+deployment and implementation of secure Hadoop clusters as well as be
+a centralize access point for the service specific REST APIs exposed from
+within the cluster.
+
+Milestone-1 of this project intends to demonstrate the ability to dynamically
+provision reverse proxy capabilities with filter chains that meet the cluster
+specific needs for authentication.
+
+HTTP BASIC authentication with identity being asserted to the rest of the
+cluster via Pseudo/Simple authentication will be demonstrated for security.
+
+For API aggregation, the Gateway will provide a central endpoint for HDFS,
+Templeton and Oozie APIs for each cluster.
+
+Future Milestone releases will extend these capabilities with additional
+authentication, identity assertion, API aggregation and eventually management
+capabilities.
+
+------------------------------------------------------------------------------
+Changes
+------------------------------------------------------------------------------
+Please see the CHANGES file.
+
+------------------------------------------------------------------------------
+Known Issues
+------------------------------------------------------------------------------
+Please see the ISSUES file.
+
+------------------------------------------------------------------------------
+Installation
+------------------------------------------------------------------------------
+Please see the INSTALL file or the Apache Knox Gateway website.
+http://knox.incubator.apache.org/getting-started.html
+
+------------------------------------------------------------------------------
+Examples
+------------------------------------------------------------------------------
+Please see the Apache Knox Gateway website for detailed examples.
+http://knox.incubator.apache.org/examples.html
+
+------------------------------------------------------------------------------
+Filing bugs
+------------------------------------------------------------------------------
+Currently we do not have Jira setup for Knox. Therefore if you find an issue
+please send an email to the Knox user list (user AT knox.incubator.apache.org)
+with a subject prefix of [BUG] describing the issue. Please include the
+results of this command in the email.
+
+ java -jar bin/gateway-${gateway-version}.jar -version
+
+in the Environment section. Also include the version of Hadoop being used.
+
+One we have Jira setup the email archive will be reviewed and Jira issues
+created for each bug.
+
http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/21e6d1da/hsso-release/home/bin/knox.sh
----------------------------------------------------------------------
diff --git a/hsso-release/home/bin/knox.sh b/hsso-release/home/bin/knox.sh
new file mode 100644
index 0000000..0c97e74
--- /dev/null
+++ b/hsso-release/home/bin/knox.sh
@@ -0,0 +1,265 @@
+#!/bin/sh
+
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+#Knox PID
+PID=0
+
+#start, stop, status, clean or setup
+KNOX_LAUNCH_COMMAND=$1
+
+#User Name for setup parameter
+KNOX_LAUNCH_USER=$2
+
+#start/stop script location
+KNOX_SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+#App name
+KNOX_NAME=knox
+
+#The Knox's jar name
+KNOX_JAR="$KNOX_SCRIPT_DIR/server.jar"
+
+#Name of PID file
+PID_DIR="/var/run/$KNOX_NAME"
+PID_FILE="$PID_DIR/$KNOX_NAME.pid"
+
+#Name of LOG/OUT/ERR file
+LOG_DIR="/var/log/$KNOX_NAME"
+OUT_FILE="$LOG_DIR/$KNOX_NAME.out"
+ERR_FILE="$LOG_DIR/$KNOX_NAME.err"
+
+#The max time to wait
+MAX_WAIT_TIME=10
+
+function main {
+ case "$1" in
+ start)
+ knoxStart
+ ;;
+ stop)
+ knoxStop
+ ;;
+ status)
+ knoxStatus
+ ;;
+ clean)
+ knoxClean
+ ;;
+ setup)
+ setupEnv $KNOX_LAUNCH_USER
+ ;;
+ help)
+ printHelp
+ ;;
+ *)
+ printf "Usage: $0 {start|stop|status|clean|setup [USER_NAME]}\n"
+ ;;
+ esac
+}
+
+function knoxStart {
+ createLogFiles
+
+ getPID
+ if [ $? -eq 0 ]; then
+ printf "Knox is already running with PID=$PID.\n"
+ return 0
+ fi
+
+ printf "Starting Knox "
+
+ rm -f $PID_FILE
+
+ nohup java -jar $KNOX_JAR >>$OUT_FILE 2>>$ERR_FILE & printf $!>$PID_FILE || return 1
+
+ getPID
+ knoxIsRunning $PID
+ if [ $? -ne 1 ]; then
+ printf "failed.\n"
+ return 1
+ fi
+
+ printf "succeed with PID=$PID.\n"
+ return 0
+}
+
+function knoxStop {
+ getPID
+ knoxIsRunning $PID
+ if [ $? -eq 0 ]; then
+ printf "Knox is not running.\n"
+ return 0
+ fi
+
+ printf "Stopping Knox [$PID] "
+ knoxKill $PID >>$OUT_FILE 2>>$ERR_FILE
+
+ if [ $? -ne 0 ]; then
+ printf "failed. \n"
+ return 1
+ else
+ rm -f $PID_FILE
+ printf "succeed.\n"
+ return 0
+ fi
+}
+
+function knoxStatus {
+ printf "Knox "
+ getPID
+ if [ $? -eq 1 ]; then
+ printf "is not running. No pid file found.\n"
+ return 0
+ fi
+
+ knoxIsRunning $PID
+ if [ $? -eq 1 ]; then
+ printf "is running with PID=$PID.\n"
+ return 1
+ else
+ printf "is not running.\n"
+ return 0
+ fi
+}
+
+# Removed the Knox PID file if Knox is not run
+function knoxClean {
+ getPID
+ knoxIsRunning $PID
+ if [ $? -eq 0 ]; then
+ deleteLogFiles
+ return 0
+ else
+ printf "Can't clean files the Knox is run with PID=$PID.\n"
+ return 1
+ fi
+}
+
+# Returns 0 if the Knox is running and sets the $PID variable.
+function getPID {
+ if [ ! -f $PID_FILE ]; then
+ PID=0
+ return 1
+ fi
+
+ PID="$(<$PID_FILE)"
+ return 0
+}
+
+function knoxIsRunning {
+ if [ $1 -eq 0 ]; then return 0; fi
+
+ ps -p $1 > /dev/null
+
+ if [ $? -eq 1 ]; then
+ return 0
+ else
+ return 1
+ fi
+}
+
+function knoxKill {
+ local localPID=$1
+ kill $localPID || return 1
+ for ((i=0; i<MAX_WAIT_TIME*10; i++)); do
+ knoxIsRunning $localPID
+ if [ $? -eq 0 ]; then return 0; fi
+ sleep 0.1
+ done
+
+ kill -s KILL $localPID || return 1
+ for ((i=0; i<MAX_WAIT_TIME*10; i++)); do
+ knoxIsRunning $localPID
+ if [ $? -eq 0 ]; then return 0; fi
+ sleep 0.1
+ done
+
+ return 1
+}
+
+function createLogFiles {
+ if [ ! -f "$OUT_FILE" ]; then touch $OUT_FILE; fi
+ if [ ! -f "$ERR_FILE" ]; then touch $ERR_FILE; fi
+}
+
+function deleteLogFiles {
+ rm -f $PID_FILE
+ printf "Removed the Knox PID file: $PID_FILE.\n"
+
+ rm -f $OUT_FILE
+ printf "Removed the Knox OUT file: $OUT_FILE.\n"
+
+ rm -f $ERR_FILE
+ printf "Removed the Knox ERR file: $ERR_FILE.\n"
+}
+
+function setDirPermission {
+ local dirName=$1
+ local userName=$2
+
+ if [ ! -d "$dirName" ]; then mkdir -p $dirName; fi
+ if [ $? -ne 0 ]; then
+ printf "Can't access or create \"$dirName\" folder.\n"
+ return 1
+ fi
+
+ chown -f $userName $dirName
+ if [ $? -ne 0 ]; then
+ printf "Can't change owner of \"$dirName\" folder to \"$userName\" user.\n"
+ return 1
+ fi
+
+ chmod o=rwx $dirName
+ if [ $? -ne 0 ]; then
+ printf "Can't grant rwx permission to \"$userName\" user on \"$dirName\"\n"
+ return 1
+ fi
+
+ return 0
+}
+
+function setupEnv {
+ local userName=$1
+
+ if [ -z $userName ]; then
+ printf "Empty user name is not allowed. Parameters: setup [USER_NAME]\n"
+ return 1
+ fi
+
+ id -u $1 >/dev/null 2>&1
+ if [ $? -eq 1 ]; then
+ printf "\"$userName\" is not valid user name. Parameters: setup [USER_NAME]\n"
+ return 1
+ fi
+
+ setDirPermission $PID_DIR $userName
+ setDirPermission $LOG_DIR $userName
+
+ java -jar $KNOX_JAR -persist-master -nostart
+
+ return 0
+}
+
+function printHelp {
+ java -jar $KNOX_JAR -help
+ return 0
+}
+
+#Starting main
+main $KNOX_LAUNCH_COMMAND
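Review bot: `setDirPermission` makes `$PID_DIR` and `$LOG_DIR` world-writable with `chmod o=rwx $dirName` immediately after `chown -f $userName $dirName`, even though the adjacent error message says the intent is to grant rwx to `$userName`; because `getPID` reads the PID back unvalidated (`PID="$(<$PID_FILE)"`) and `knoxKill` passes it straight to `kill`, any local user able to write `$PID_FILE` could make a privileged `knox.sh stop` signal an arbitrary process (this script looks to be run as root given the chown, but that is inferred). Replacing the line with `chmod u=rwx,g=rx,o= $dirName` keeps the owner's access and drops the world bits, and `getPID` should reject anything that is not a plain number before returning it, e.g. `case "$PID" in ''|*[!0-9]*) PID=0; return 1;; esac`. Separately, the script declares `#!/bin/sh` but depends on bash-only constructs (`${BASH_SOURCE[0]}`, `function`, `$(<file)`, `for ((...))`), so the shebang should be `#!/bin/bash` or those constructs replaced with POSIX equivalents.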
http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/21e6d1da/hsso-release/home/conf/README
----------------------------------------------------------------------
diff --git a/hsso-release/home/conf/README b/hsso-release/home/conf/README
new file mode 100644
index 0000000..68359c7
--- /dev/null
+++ b/hsso-release/home/conf/README
@@ -0,0 +1 @@
+THIS IS THE DIRECTORY WHERE YOU PLACE COPY OR SAVE THE gateway-site.xml and users.ldif FILE
\ No newline at end of file
[4/4] git commit: POC work and related changes to support a Knox SSO
solution
Posted by lm...@apache.org.
POC work and related changes to support a Knox SSO solution
Project: http://git-wip-us.apache.org/repos/asf/incubator-knox/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-knox/commit/21e6d1da
Tree: http://git-wip-us.apache.org/repos/asf/incubator-knox/tree/21e6d1da
Diff: http://git-wip-us.apache.org/repos/asf/incubator-knox/diff/21e6d1da
Branch: refs/heads/master
Commit: 21e6d1da388df03e2fd00880ebb258c251ddadbf
Parents: e98c682
Author: Larry McCay <lm...@hortonworks.com>
Authored: Wed Jul 10 10:23:11 2013 -0400
Committer: Larry McCay <lm...@hortonworks.com>
Committed: Wed Jul 10 10:23:11 2013 -0400
----------------------------------------------------------------------
gateway-provider-security-jwt/pom.xml | 4 -
.../provider/federation/jwt/AccessToken.java | 87 --
.../provider/federation/jwt/JWTAuthority.java | 81 --
.../provider/federation/jwt/JWTMessages.java | 31 +
.../federation/jwt/JWTProviderMessages.java | 49 -
.../provider/federation/jwt/JWTToken.java | 135 --
.../jwt/filter/AccessTokenFederationFilter.java | 24 +-
.../filter/JWTAccessTokenAssertionFilter.java | 23 +-
.../jwt/filter/JWTAuthCodeAssertionFilter.java | 25 +-
.../jwt/filter/JWTFederationFilter.java | 12 +-
.../provider/federation/JWTTokenTest.java | 3 +-
gateway-release/src/assembly.xml | 4 +-
...ache.hadoop.gateway.services.GatewayServices | 20 +
.../apache/hadoop/gateway/GatewayMessages.java | 10 +
.../apache/hadoop/gateway/GatewayServer.java | 30 +-
.../gateway/deploy/DeploymentFactory.java | 14 +-
.../services/DefaultGatewayServices.java | 18 +-
.../gateway/services/HssoGatewayServices.java | 177 +++
.../impl/DefaultServiceRegistryService.java | 191 +++
.../services/registry/impl/RegEntry.java | 52 +
.../services/registry/impl/Registry.java | 33 +
.../security/impl/DefaultAliasService.java | 4 -
.../impl/DefaultTokenAuthorityService.java | 116 ++
gateway-spi/pom.xml | 5 +
.../gateway/services/GatewayServices.java | 6 +-
.../services/registry/ServiceRegistry.java | 30 +
.../security/token/JWTokenAuthority.java | 36 +
.../token/impl/JWTProviderMessages.java | 48 +
.../services/security/token/impl/JWTToken.java | 135 ++
hsso-release/home/CHANGES | 15 +
hsso-release/home/DISCLAIMER | 15 +
hsso-release/home/INSTALL | 251 ++++
hsso-release/home/ISSUES | 10 +
hsso-release/home/LICENSE | 1332 ++++++++++++++++++
hsso-release/home/NOTICE | 107 ++
hsso-release/home/README | 87 ++
hsso-release/home/bin/knox.sh | 265 ++++
hsso-release/home/conf/README | 1 +
hsso-release/home/conf/gateway-site.xml | 39 +
hsso-release/home/conf/log4j.properties | 29 +
hsso-release/home/conf/users.ldif | 36 +
hsso-release/home/deployments/BASIC.xml | 56 +
hsso-release/home/deployments/README | 1 +
hsso-release/home/deployments/sample.xml | 46 +
hsso-release/home/deployments/token.xml | 37 +
hsso-release/home/ext/README | 1 +
hsso-release/home/lib/README | 1 +
hsso-release/home/templates/topology.xml | 62 +
hsso-release/home/templates/users.ldif | 36 +
.../home/templates/workflow-configuration.xml | 47 +
.../home/templates/workflow-definition.xml | 36 +
hsso-release/pom.xml | 177 +++
hsso-release/src/assembly.xml | 86 ++
...ache.hadoop.gateway.services.GatewayServices | 20 +
pom.xml | 6 +
55 files changed, 3785 insertions(+), 417 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/21e6d1da/gateway-provider-security-jwt/pom.xml
----------------------------------------------------------------------
diff --git a/gateway-provider-security-jwt/pom.xml b/gateway-provider-security-jwt/pom.xml
index 7364096..498b126 100644
--- a/gateway-provider-security-jwt/pom.xml
+++ b/gateway-provider-security-jwt/pom.xml
@@ -56,10 +56,6 @@
<artifactId>commons-codec</artifactId>
</dependency>
- <dependency>
- <groupId>com.jayway.jsonpath</groupId>
- <artifactId>json-path</artifactId>
- </dependency>
<dependency>
<groupId>junit</groupId>
http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/21e6d1da/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/AccessToken.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/AccessToken.java b/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/AccessToken.java
deleted file mode 100644
index f765e8e..0000000
--- a/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/AccessToken.java
+++ /dev/null
@@ -1,87 +0,0 @@
- /**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.hadoop.gateway.provider.federation.jwt;
-
-import java.io.UnsupportedEncodingException;
-
-import org.apache.commons.codec.binary.Base64;
-import org.apache.hadoop.gateway.i18n.messages.MessagesFactory;
-import org.apache.hadoop.gateway.services.security.CryptoService;
-import org.apache.hadoop.gateway.services.security.EncryptionResult;
-
-public class AccessToken {
- private static final String ENCRYPT_ACCESS_TOKENS = "encrypt_access_tokens";
- private static final String GATEWAY = "__gateway";
- private static final JWTProviderMessages LOG = MessagesFactory.get( JWTProviderMessages.class );
-
- private CryptoService crypto = null;
- private String tokenStr = null;
- private String principalName;
- private long expires;
-
- public AccessToken(CryptoService crypto, String principalName, long expires) {
- this.crypto = crypto;
- this.principalName = principalName;
- this.expires = expires;
- }
-
- public String toString() {
- if (tokenStr != null) {
- return tokenStr;
- }
- String claims = principalName + "::" + expires;
- EncryptionResult result;
- try {
- result = crypto.encryptForCluster(GATEWAY, ENCRYPT_ACCESS_TOKENS, claims.getBytes("UTF-8"));
- tokenStr = Base64.encodeBase64URLSafeString(result.iv) + "+" +
- Base64.encodeBase64URLSafeString(result.salt) + "+" +
- Base64.encodeBase64URLSafeString(result.cipher);
- } catch (UnsupportedEncodingException e) {
- LOG.unsupportedEncoding( e );
- }
- return tokenStr;
- }
-
- public static AccessToken parseToken(CryptoService crypto, String wireToken) {
- AccessToken token = null;
- String[] parts = wireToken.split("\\+");
- byte[] bytes = crypto.decryptForCluster(GATEWAY, ENCRYPT_ACCESS_TOKENS, Base64.decodeBase64(parts[2]), Base64.decodeBase64(parts[0]), Base64.decodeBase64(parts[1]));
-
- try {
- String claims = new String(bytes, "UTF-8");
- String[] claimz = claims.split("\\::");
- token = new AccessToken(crypto, claimz[0], Long.parseLong(claimz[1]));
- token.setTokenStr(wireToken);
- } catch (UnsupportedEncodingException e) {
- LOG.unsupportedEncoding( e );
- }
- return token;
- }
-
- private void setTokenStr(String wireToken) {
- this.tokenStr = wireToken;
- }
-
- public String getPrincipalName() {
- return principalName;
- }
-
- public long getExpires() {
- return expires;
- }
-}
http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/21e6d1da/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/JWTAuthority.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/JWTAuthority.java b/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/JWTAuthority.java
deleted file mode 100644
index d8c86ae..0000000
--- a/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/JWTAuthority.java
+++ /dev/null
@@ -1,81 +0,0 @@
- /**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.hadoop.gateway.provider.federation.jwt;
-
-import java.security.Principal;
-
-import javax.security.auth.Subject;
-
-import org.apache.hadoop.gateway.services.security.AliasService;
-import org.apache.hadoop.gateway.services.security.CryptoService;
-
-public class JWTAuthority {
- private CryptoService crypto = null;
-
- public JWTAuthority(CryptoService crypto) {
- this.crypto = crypto;
- }
-
- public JWTToken issueToken(Subject subject, String algorithm) {
- Principal p = (Principal) subject.getPrincipals().toArray()[0];
- return issueToken(p, algorithm);
- }
-
- public JWTToken issueToken(Principal p, String algorithm) {
- return issueToken(p, null, algorithm);
- }
-
- public JWTToken issueToken(Principal p, String audience, String algorithm) {
- String[] claimArray = new String[4];
- claimArray[0] = "HSSO";
- claimArray[1] = p.getName();
- if (audience == null) {
- audience = "HSSO";
- }
- claimArray[2] = audience;
- // TODO: make the validity period configurable
- claimArray[3] = Long.toString( ( System.currentTimeMillis()/1000 ) + 300);
-
- JWTToken token = null;
- if ("RS256".equals(algorithm)) {
- token = new JWTToken("RS256", claimArray);
- signToken(token);
- }
- else {
- // log inappropriate alg
- }
-
- return token;
- }
-
- private void signToken(JWTToken token) {
- byte[] signature = null;
- signature = crypto.sign("SHA256withRSA","gateway-identity",token.getPayloadToSign());
- token.setSignaturePayload(signature);
- }
-
- public boolean verifyToken(JWTToken token) {
- boolean rc = false;
-
- // TODO: interrogate the token for issuer claim in order to determine the public key to use for verification
- // consider jwk for specifying the key too
- rc = crypto.verify("SHA256withRSA", "gateway-identity", token.getPayloadToSign(), token.getSignaturePayload());
- return rc;
- }
-
-}
http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/21e6d1da/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/JWTMessages.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/JWTMessages.java b/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/JWTMessages.java
new file mode 100644
index 0000000..1f3b302
--- /dev/null
+++ b/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/JWTMessages.java
@@ -0,0 +1,31 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.gateway.provider.federation.jwt;
+
+import org.apache.hadoop.gateway.i18n.messages.Message;
+import org.apache.hadoop.gateway.i18n.messages.MessageLevel;
+import org.apache.hadoop.gateway.i18n.messages.Messages;
+
+@Messages(logger="org.apache.hadoop.gateway.provider.federation.jwt")
+public interface JWTMessages {
+ @Message( level = MessageLevel.INFO, text = "Failed to validate the audience attribute." )
+ void failedToValidateAudience();
+
+ @Message( level = MessageLevel.INFO, text = "Failed to verify the token signature." )
+ void failedToVerifyTokenSignature();
+}
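Review bot: Both new messages record authentication failures — a signature that did not verify and an audience that did not match — at MessageLevel.INFO with no parameters, so they are easy to filter out of production logs and give an operator nothing to correlate a rejected token with. Raise them to MessageLevel.WARN and carry the request URL the caller already has, e.g. `@Message( level = MessageLevel.WARN, text = "Failed to verify the token signature for request {0}." ) void failedToVerifyTokenSignature( String requestUrl );` and the same shape for the audience message. Pass only the URL, not the token itself, so the log does not become a store of bearer credentials.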
http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/21e6d1da/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/JWTProviderMessages.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/JWTProviderMessages.java b/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/JWTProviderMessages.java
deleted file mode 100644
index 1222790..0000000
--- a/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/JWTProviderMessages.java
+++ /dev/null
@@ -1,49 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.hadoop.gateway.provider.federation.jwt;
-
-import org.apache.hadoop.gateway.i18n.messages.Message;
-import org.apache.hadoop.gateway.i18n.messages.MessageLevel;
-import org.apache.hadoop.gateway.i18n.messages.Messages;
-import org.apache.hadoop.gateway.i18n.messages.StackTrace;
-
-/**
- *
- */
-@Messages(logger="org.apache.hadoop.gateway")
-public interface JWTProviderMessages {
-
- @Message( level = MessageLevel.DEBUG, text = "Rendering JWT Token for the wire: {0}" )
- void renderingJWTTokenForTheWire(String string);
-
- @Message( level = MessageLevel.DEBUG, text = "Parsing JWT Token from the wire: {0}" )
- void parsingToken(String wireToken);
-
- @Message( level = MessageLevel.DEBUG, text = "header: {0}" )
- void printTokenHeader( String header );
-
- @Message( level = MessageLevel.DEBUG, text = "claims: {0}" )
- void printTokenClaims( String claims );
-
- @Message( level = MessageLevel.DEBUG, text = "payload: {0}" )
- void printTokenPayload( byte[] payload );
-
- @Message( level = MessageLevel.FATAL, text = "Unsupported encoding: {0}" )
- void unsupportedEncoding( @StackTrace( level = MessageLevel.DEBUG ) Exception e );
-
-}
http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/21e6d1da/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/JWTToken.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/JWTToken.java b/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/JWTToken.java
deleted file mode 100644
index 4ecf7bd..0000000
--- a/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/JWTToken.java
+++ /dev/null
@@ -1,135 +0,0 @@
- /**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.hadoop.gateway.provider.federation.jwt;
-
-import java.io.UnsupportedEncodingException;
-import java.text.MessageFormat;
-
-import org.apache.commons.codec.binary.Base64;
-import org.apache.hadoop.gateway.i18n.messages.MessagesFactory;
-
-import com.jayway.jsonpath.JsonPath;
-
-public class JWTToken {
- private static final String headerTemplate = "'{'\"alg\": \"{0}\"'}'";
- private static final String claimTemplate = "'{'\"iss\": \"{0}\", \"prn\": \"{1}\", \"aud\": \"{2}\", \"exp\": \"{3}\"'}'";
- public static final String PRINCIPAL = "prn";
- public static final String ISSUER = "iss";
- public static final String AUDIENCE = "aud";
- public static final String EXPIRES = "exp";
- private static JWTProviderMessages log = MessagesFactory.get( JWTProviderMessages.class );
-
- public String header = null;
- public String claims = null;
-
- byte[] payload = null;
-
- private JWTToken(byte[] header, byte[] claims, byte[] signature) {
- try {
- this.header = new String(header, "UTF-8");
- this.claims = new String(claims, "UTF-8");
- this.payload = signature;
- } catch (UnsupportedEncodingException e) {
- log.unsupportedEncoding( e );
- }
- }
-
- public JWTToken(String alg, String[] claimsArray) {
- MessageFormat headerFormatter = new MessageFormat(headerTemplate);
- String[] algArray = new String[1];
- algArray[0] = alg;
- header = headerFormatter.format(algArray);
-
- MessageFormat claimsFormatter = new MessageFormat(claimTemplate);
- claims = claimsFormatter.format(claimsArray);
- }
-
- public String getPayloadToSign() {
- StringBuffer sb = new StringBuffer();
- try {
- sb.append(Base64.encodeBase64URLSafeString(header.getBytes("UTF-8")));
- sb.append(".");
- sb.append(Base64.encodeBase64URLSafeString(claims.getBytes("UTF-8")));
- } catch (UnsupportedEncodingException e) {
- log.unsupportedEncoding( e );
- }
-
- return sb.toString();
- }
-
- public String toString() {
- StringBuffer sb = new StringBuffer();
- try {
- sb.append(Base64.encodeBase64URLSafeString(header.getBytes("UTF-8")));
- sb.append(".");
- sb.append(Base64.encodeBase64URLSafeString(claims.getBytes("UTF-8")));
- sb.append(".");
- sb.append(Base64.encodeBase64URLSafeString(payload));
- } catch (UnsupportedEncodingException e) {
- log.unsupportedEncoding( e );
- }
-
- log.renderingJWTTokenForTheWire(sb.toString());
-
- return sb.toString();
- }
-
- public void setSignaturePayload(byte[] payload) {
- this.payload = payload;
- }
-
- public byte[] getSignaturePayload() {
- return this.payload;
- }
-
- public static JWTToken parseToken(String wireToken) {
- JWTToken token = null;
- log.parsingToken(wireToken);
- String[] parts = wireToken.split("\\.");
- token = new JWTToken(Base64.decodeBase64(parts[0]), Base64.decodeBase64(parts[1]), Base64.decodeBase64(parts[2]));
-// System.out.println("header: " + token.header);
-// System.out.println("claims: " + token.claims);
-// System.out.println("payload: " + new String(token.payload));
-
- return token;
- }
-
- public String getClaim(String claimName) {
- String claim = null;
-
- claim = JsonPath.read(claims, "$." + claimName);
-
- return claim;
- }
-
- public String getPrincipal() {
- return getClaim(JWTToken.PRINCIPAL);
- }
-
- public String getIssuer() {
- return getClaim(JWTToken.ISSUER);
- }
-
- public String getAudience() {
- return getClaim(JWTToken.AUDIENCE);
- }
-
- public String getExpires() {
- return getClaim(JWTToken.EXPIRES);
- }
-}
http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/21e6d1da/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/filter/AccessTokenFederationFilter.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/filter/AccessTokenFederationFilter.java b/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/filter/AccessTokenFederationFilter.java
index e067afc..e2856be 100644
--- a/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/filter/AccessTokenFederationFilter.java
+++ b/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/filter/AccessTokenFederationFilter.java
@@ -34,23 +34,22 @@ import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
-import org.apache.hadoop.gateway.provider.federation.jwt.JWTAuthority;
-import org.apache.hadoop.gateway.provider.federation.jwt.JWTToken;
+import org.apache.hadoop.gateway.i18n.messages.MessagesFactory;
+import org.apache.hadoop.gateway.provider.federation.jwt.JWTMessages;
import org.apache.hadoop.gateway.services.GatewayServices;
-import org.apache.hadoop.gateway.services.security.CryptoService;
+import org.apache.hadoop.gateway.services.security.token.JWTokenAuthority;
+import org.apache.hadoop.gateway.services.security.token.impl.JWTToken;
public class AccessTokenFederationFilter implements Filter {
+ private static JWTMessages log = MessagesFactory.get( JWTMessages.class );
private static final String BEARER = "Bearer ";
- private CryptoService crypto = null;
-
- private JWTAuthority authority;
+ private JWTokenAuthority authority;
@Override
public void init( FilterConfig filterConfig ) throws ServletException {
GatewayServices services = (GatewayServices) filterConfig.getServletContext().getAttribute(GatewayServices.GATEWAY_SERVICES_ATTRIBUTE);
- crypto = (CryptoService) services.getService(GatewayServices.CRYPTO_SERVICE);
- authority = new JWTAuthority(crypto);
+ authority = (JWTokenAuthority) services.getService(GatewayServices.TOKEN_SERVICE);
}
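Review bot: `authority` is assigned from an unchecked cast of `services.getService(GatewayServices.TOKEN_SERVICE)` with no null check, so a deployment that does not register the token service passes init() and fails with a NullPointerException on the first request instead of at startup. Fail fast instead: `if (authority == null) { throw new ServletException("token service not available"); }` directly after the assignment (message text is constructed). The same unchecked lookup appears in the init() hunks of JWTAccessTokenAssertionFilter, JWTAuthCodeAssertionFilter (where `sr` is also left unchecked here, though doFilter later guards it) and JWTFederationFilter.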
public void destroy() {
@@ -67,17 +66,19 @@ public class AccessTokenFederationFilter implements Filter {
if (verified) {
// TODO: validate expiration
// TODO: confirm that audience matches intended target
- if (token.getAudience().equals(getAudienceFromRequest(request))) {
+ if (((HttpServletRequest) request).getRequestURL().indexOf(token.getAudience().toLowerCase()) != -1) {
// TODO: verify that the user requesting access to the service/resource is authorized for it - need scopes?
Subject subject = createSubjectFromToken(token);
continueWithEstablishedSecurityContext(subject, (HttpServletRequest)request, (HttpServletResponse)response, chain);
}
else {
+ log.failedToValidateAudience();
((HttpServletResponse) response).sendError(HttpServletResponse.SC_UNAUTHORIZED);
return; //break filter chain
}
}
else {
+ log.failedToVerifyTokenSignature();
((HttpServletResponse) response).sendError(HttpServletResponse.SC_UNAUTHORIZED);
return; //break filter chain
}
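Review bot: The replaced audience check accepts a token whenever the lower-cased audience claim occurs anywhere in the request URL as a substring, which binds the token to the target far more loosely than the equality test it replaces: a token issued for one service is accepted by any request whose URL happens to contain that audience string in a path segment, and the claim is lower-cased while the URL is not. Compare the audience against a server-determined value for the resolved service (an exact match on the relevant path segment after normalising case on both sides) rather than searching the whole URL, and guard `token.getAudience()` against null, which would throw on this line. As far as this hunk shows the `// TODO: validate expiration` above is still open, so an expired `exp` claim does not affect this branch. The enclosing doFilter body starts and ends outside the hunk.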
@@ -90,11 +91,6 @@ public class AccessTokenFederationFilter implements Filter {
}
}
- private String getAudienceFromRequest(ServletRequest request) {
- // TODO determine the audience value that would match the requested resource
- return "HDFS";
- }
-
private void continueWithEstablishedSecurityContext(Subject subject, final HttpServletRequest request, final HttpServletResponse response, final FilterChain chain) throws IOException, ServletException {
try {
Subject.doAs(
http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/21e6d1da/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/filter/JWTAccessTokenAssertionFilter.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/filter/JWTAccessTokenAssertionFilter.java b/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/filter/JWTAccessTokenAssertionFilter.java
index db1fd2c..6b8a41e 100644
--- a/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/filter/JWTAccessTokenAssertionFilter.java
+++ b/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/filter/JWTAccessTokenAssertionFilter.java
@@ -18,7 +18,6 @@
package org.apache.hadoop.gateway.provider.federation.jwt.filter;
import java.io.IOException;
-import java.io.UnsupportedEncodingException;
import java.security.AccessController;
import java.security.Principal;
import java.util.HashMap;
@@ -33,19 +32,21 @@ import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.hadoop.gateway.filter.security.AbstractIdentityAssertionFilter;
-import org.apache.hadoop.gateway.provider.federation.jwt.JWTAuthority;
-import org.apache.hadoop.gateway.provider.federation.jwt.JWTToken;
import org.apache.hadoop.gateway.services.GatewayServices;
-import org.apache.hadoop.gateway.services.security.CryptoService;
+import org.apache.hadoop.gateway.services.registry.ServiceRegistry;
+import org.apache.hadoop.gateway.services.security.token.JWTokenAuthority;
+import org.apache.hadoop.gateway.services.security.token.impl.JWTToken;
import org.apache.hadoop.gateway.util.JsonUtils;
public class JWTAccessTokenAssertionFilter extends AbstractIdentityAssertionFilter {
+ private static final String SVC_URL = "svc";
private static final String EXPIRES_IN = "expires_in";
private static final String TOKEN_TYPE = "token_type";
private static final String ACCESS_TOKEN = "access_token";
private static final String BEARER = "Bearer ";
private long validity;
- private CryptoService crypto = null;
+ private JWTokenAuthority authority = null;
+ private ServiceRegistry sr;
@Override
public void init( FilterConfig filterConfig ) throws ServletException {
@@ -57,7 +58,8 @@ public class JWTAccessTokenAssertionFilter extends AbstractIdentityAssertionFilt
validity = Long.parseLong(validityStr);
GatewayServices services = (GatewayServices) filterConfig.getServletContext().getAttribute(GatewayServices.GATEWAY_SERVICES_ATTRIBUTE);
- crypto = (CryptoService) services.getService(GatewayServices.CRYPTO_SERVICE);
+ authority = (JWTokenAuthority) services.getService(GatewayServices.TOKEN_SERVICE);
+ sr = (ServiceRegistry) services.getService(GatewayServices.SERVICE_REGISTRY_SERVICE);
}
@Override
@@ -72,7 +74,6 @@ public class JWTAccessTokenAssertionFilter extends AbstractIdentityAssertionFilt
JWTToken token = JWTToken.parseToken(wireToken);
// ensure that there is a valid jwt token available and that there isn't a misconfiguration of filters
if (token != null) {
- JWTAuthority authority = new JWTAuthority(crypto);
authority.verifyToken(token);
}
else {
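Review bot: The result of `authority.verifyToken(token)` on the line after the removed `new JWTAuthority(crypto)` is discarded, so a token whose signature does not verify is handled exactly like one that does and the filter goes on to issue an access token for whatever principal the unverified token names. The result has to gate the flow, e.g. `if (!authority.verifyToken(token)) { ((HttpServletResponse) response).sendError(HttpServletResponse.SC_UNAUTHORIZED); return; }` — this assumes the new JWTokenAuthority.verifyToken returns boolean as the deleted JWTAuthority did, and that the response parameter is named `response`; neither is visible in this hunk. The enclosing doFilter starts and ends outside the hunk.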
@@ -91,14 +92,20 @@ public class JWTAccessTokenAssertionFilter extends AbstractIdentityAssertionFilt
long expires = System.currentTimeMillis() + validity * 1000;
String serviceName = request.getParameter("service-name");
+ String clusterName = request.getParameter("cluster-name");
String accessToken = getAccessToken(principalName, serviceName, expires);
+ String serviceURL = sr.lookupServiceURL(clusterName, serviceName);
+
HashMap<String, Object> map = new HashMap<String, Object>();
// TODO: populate map from JWT authorization code
map.put(ACCESS_TOKEN, accessToken);
map.put(TOKEN_TYPE, BEARER);
map.put(EXPIRES_IN, expires);
+ // TODO: this url needs to be rewritten when in gateway deployments....
+ map.put(SVC_URL, serviceURL);
+
jsonResponse = JsonUtils.renderAsJsonString(map);
response.getWriter().write(jsonResponse);
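Review bot: The `cluster-name` and `service-name` request parameters flow unvalidated into `sr.lookupServiceURL` (and `service-name` into the audience of the issued token), and `sr` is dereferenced without the null guard that JWTAuthCodeAssertionFilter applies to the same field. A missing parameter or an unknown service yields a null `serviceURL` that is then serialised under `svc` alongside a freshly issued access token. Reject the request before issuing anything when either parameter is absent or the lookup returns null, e.g. `if (serviceURL == null) { response.sendError(HttpServletResponse.SC_BAD_REQUEST); return; }` placed before the map is built. The enclosing doFilter starts and ends outside the hunk.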
@@ -117,7 +124,6 @@ public class JWTAccessTokenAssertionFilter extends AbstractIdentityAssertionFilt
private String getAccessToken(final String principalName, String serviceName, long expires) {
String accessToken = null;
- JWTAuthority authority = new JWTAuthority(crypto);
Principal p = new Principal() {
@Override
@@ -127,7 +133,6 @@ public class JWTAccessTokenAssertionFilter extends AbstractIdentityAssertionFilt
}
};
JWTToken token = authority.issueToken(p, serviceName, "RS256");
-// AccessToken token = new AccessToken(crypto, principalName, expires);
accessToken = token.toString();
return accessToken;
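Review bot: The `expires` parameter of getAccessToken (signature in the previous hunk) is never passed to `authority.issueToken(p, serviceName, "RS256")`, so the `expires_in` value the caller places in the response is computed from `validity` while the token's own `exp` claim comes from whatever the authority chooses; the two can disagree and the client cannot tell which one the gateway will enforce. Either pass `expires` through to the authority, if the new JWTokenAuthority interface (not shown here) offers such an overload, or derive `expires_in` from the issued token's exp claim and drop the unused parameter. A one-line comment on the method stating which side is authoritative would help until that is settled.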
http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/21e6d1da/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/filter/JWTAuthCodeAssertionFilter.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/filter/JWTAuthCodeAssertionFilter.java b/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/filter/JWTAuthCodeAssertionFilter.java
index 072c308..ba691a5 100644
--- a/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/filter/JWTAuthCodeAssertionFilter.java
+++ b/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/filter/JWTAuthCodeAssertionFilter.java
@@ -27,20 +27,20 @@ import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
import org.apache.hadoop.gateway.filter.security.AbstractIdentityAssertionFilter;
-import org.apache.hadoop.gateway.provider.federation.jwt.JWTAuthority;
-import org.apache.hadoop.gateway.provider.federation.jwt.JWTToken;
import org.apache.hadoop.gateway.services.GatewayServices;
-import org.apache.hadoop.gateway.services.security.CryptoService;
+import org.apache.hadoop.gateway.services.registry.ServiceRegistry;
+import org.apache.hadoop.gateway.services.security.token.JWTokenAuthority;
+import org.apache.hadoop.gateway.services.security.token.impl.JWTToken;
import org.apache.hadoop.gateway.util.JsonUtils;
public class JWTAuthCodeAssertionFilter extends AbstractIdentityAssertionFilter {
private static final String BEARER = "Bearer ";
- private CryptoService crypto = null;
+ private JWTokenAuthority authority = null;
+
+ private ServiceRegistry sr;
@Override
public void init( FilterConfig filterConfig ) throws ServletException {
@@ -52,7 +52,8 @@ public class JWTAuthCodeAssertionFilter extends AbstractIdentityAssertionFilter
// validity = Long.parseLong(validityStr);
GatewayServices services = (GatewayServices) filterConfig.getServletContext().getAttribute(GatewayServices.GATEWAY_SERVICES_ATTRIBUTE);
- crypto = (CryptoService) services.getService(GatewayServices.CRYPTO_SERVICE);
+ authority = (JWTokenAuthority) services.getService(GatewayServices.TOKEN_SERVICE);
+ sr = (ServiceRegistry) services.getService(GatewayServices.SERVICE_REGISTRY_SERVICE);
}
@Override
@@ -62,9 +63,14 @@ public class JWTAuthCodeAssertionFilter extends AbstractIdentityAssertionFilter
Subject subject = Subject.getSubject(AccessController.getContext());
String principalName = getPrincipalName(subject);
principalName = mapper.mapPrincipal(principalName);
- JWTAuthority authority = new JWTAuthority(crypto);
JWTToken authCode = authority.issueToken(subject, "RS256");
+ // get the url for the token service
+ String url = null;
+ if (sr != null) {
+ url = sr.lookupServiceURL("token", "TGS");
+ }
+
HashMap<String, Object> map = new HashMap<String, Object>();
// TODO: populate map from JWT authorization code
map.put("iss", authCode.getIssuer());
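Review bot: The literals `"token"` and `"TGS"` passed to `sr.lookupServiceURL`, and the `"tke"` key added in the next hunk, are bare magic strings, while the sibling JWTAccessTokenAssertionFilter introduces a named `SVC_URL` constant for the same kind of value. Name them — `private static final String TOKEN_SERVICE_CLUSTER = "token"; private static final String TOKEN_SERVICE_NAME = "TGS";` plus a constant for the `tke` key — and add a one-line comment saying what TGS and tke stand for, since neither is explained anywhere in this change. The enclosing doFilter starts and ends outside the hunk.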
@@ -72,6 +78,9 @@ public class JWTAuthCodeAssertionFilter extends AbstractIdentityAssertionFilter
map.put("aud", authCode.getAudience());
map.put("exp", authCode.getExpires());
map.put("code", authCode.toString());
+ if (url != null) {
+ map.put("tke", url);
+ }
String jsonResponse = JsonUtils.renderAsJsonString(map);
http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/21e6d1da/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/filter/JWTFederationFilter.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/filter/JWTFederationFilter.java b/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/filter/JWTFederationFilter.java
index 29dbe5b..20b0b06 100644
--- a/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/filter/JWTFederationFilter.java
+++ b/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/filter/JWTFederationFilter.java
@@ -18,7 +18,8 @@
package org.apache.hadoop.gateway.provider.federation.jwt.filter;
import org.apache.hadoop.gateway.services.GatewayServices;
-import org.apache.hadoop.gateway.services.security.CryptoService;
+import org.apache.hadoop.gateway.services.security.token.JWTokenAuthority;
+import org.apache.hadoop.gateway.services.security.token.impl.JWTToken;
import javax.security.auth.Subject;
import javax.servlet.Filter;
@@ -30,9 +31,6 @@ import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
-import org.apache.hadoop.gateway.provider.federation.jwt.JWTAuthority;
-import org.apache.hadoop.gateway.provider.federation.jwt.JWTToken;
-
import java.io.IOException;
import java.security.Principal;
import java.security.PrivilegedActionException;
@@ -40,18 +38,16 @@ import java.security.PrivilegedExceptionAction;
import java.util.HashSet;
import java.util.Set;
-
public class JWTFederationFilter implements Filter {
private static final String BEARER = "Bearer ";
- private JWTAuthority authority = null;
+ private JWTokenAuthority authority = null;
@Override
public void init( FilterConfig filterConfig ) throws ServletException {
GatewayServices services = (GatewayServices) filterConfig.getServletContext().getAttribute(GatewayServices.GATEWAY_SERVICES_ATTRIBUTE);
- CryptoService crypto = (CryptoService) services.getService(GatewayServices.CRYPTO_SERVICE);
- authority = new JWTAuthority(crypto);
+ authority = (JWTokenAuthority) services.getService(GatewayServices.TOKEN_SERVICE);
}
public void destroy() {
http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/21e6d1da/gateway-provider-security-jwt/src/test/java/org/apache/hadoop/gateway/provider/federation/JWTTokenTest.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-jwt/src/test/java/org/apache/hadoop/gateway/provider/federation/JWTTokenTest.java b/gateway-provider-security-jwt/src/test/java/org/apache/hadoop/gateway/provider/federation/JWTTokenTest.java
index 41214e2..116e18e 100644
--- a/gateway-provider-security-jwt/src/test/java/org/apache/hadoop/gateway/provider/federation/JWTTokenTest.java
+++ b/gateway-provider-security-jwt/src/test/java/org/apache/hadoop/gateway/provider/federation/JWTTokenTest.java
@@ -18,7 +18,8 @@
package org.apache.hadoop.gateway.provider.federation;
import junit.framework.TestCase;
-import org.apache.hadoop.gateway.provider.federation.jwt.JWTToken;
+
+import org.apache.hadoop.gateway.services.security.token.impl.JWTToken;
import org.junit.Test;
public class JWTTokenTest extends TestCase {
http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/21e6d1da/gateway-release/src/assembly.xml
----------------------------------------------------------------------
diff --git a/gateway-release/src/assembly.xml b/gateway-release/src/assembly.xml
index fc15c2f..24cae78 100644
--- a/gateway-release/src/assembly.xml
+++ b/gateway-release/src/assembly.xml
@@ -45,13 +45,15 @@
<scope>runtime</scope>
<excludes>
<exclude>${gateway-group}:gateway-*</exclude>
+ <exclude>${gateway-group}:hsso-*</exclude>
</excludes>
</dependencySet>
<dependencySet>
- <useProjectArtifact>false</useProjectArtifact>
<outputDirectory>lib</outputDirectory>
<includes>
<include>${gateway-group}:gateway-*</include>
+ <include>${gateway-group}:hsso-*</include>
+ <include>${gateway-group}:gateway-release-*</include>
</includes>
<excludes>
<exclude>${gateway-group}:gateway-util-launcher</exclude>
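Review bot: Dropping `<useProjectArtifact>false</useProjectArtifact>` from the lib dependencySet while adding `${gateway-group}:gateway-release-*` to its includes changes which jars land in lib — presumably so the release module's own artifact and the new hsso modules ship there — but nothing in the file records that intent. Add an XML comment on the dependencySet, e.g. `<!-- lib carries the gateway, hsso and release artifacts; useProjectArtifact is left at its default so the project's own jar is included -->`, so the next person does not restore the old setting as a cleanup.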
http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/21e6d1da/gateway-release/src/main/resources/META-INF/services/org.apache.hadoop.gateway.services.GatewayServices
----------------------------------------------------------------------
diff --git a/gateway-release/src/main/resources/META-INF/services/org.apache.hadoop.gateway.services.GatewayServices b/gateway-release/src/main/resources/META-INF/services/org.apache.hadoop.gateway.services.GatewayServices
new file mode 100644
index 0000000..8cf264d
--- /dev/null
+++ b/gateway-release/src/main/resources/META-INF/services/org.apache.hadoop.gateway.services.GatewayServices
@@ -0,0 +1,20 @@
+##########################################################################
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+##########################################################################
+
+
+org.apache.hadoop.gateway.services.DefaultGatewayServices
http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/21e6d1da/gateway-server/src/main/java/org/apache/hadoop/gateway/GatewayMessages.java
----------------------------------------------------------------------
diff --git a/gateway-server/src/main/java/org/apache/hadoop/gateway/GatewayMessages.java b/gateway-server/src/main/java/org/apache/hadoop/gateway/GatewayMessages.java
index dd2e975..90befc7 100644
--- a/gateway-server/src/main/java/org/apache/hadoop/gateway/GatewayMessages.java
+++ b/gateway-server/src/main/java/org/apache/hadoop/gateway/GatewayMessages.java
@@ -25,6 +25,7 @@ import org.apache.hadoop.gateway.i18n.messages.StackTrace;
import java.io.File;
import java.net.URI;
+import java.util.Map;
/**
*
@@ -247,4 +248,13 @@ public interface GatewayMessages {
@Message( level = MessageLevel.ERROR, text = "Failed to establish connection to {0}: {1}" )
void failedToEstablishConnectionToUrl( String url, @StackTrace( level = MessageLevel.DEBUG ) Exception e );
+
+ @Message( level = MessageLevel.ERROR, text = "Failed to instantiate the internal gateway services." )
+ void failedToInstantiateGatewayServices();
+
+ @Message( level = MessageLevel.ERROR, text = "Failed to serialize map to Json string {0}: {1}" )
+ void failedToSerializeMapToJSON( Map<String, Object> map, @StackTrace( level = MessageLevel.DEBUG ) Exception e );
+
+ @Message( level = MessageLevel.ERROR, text = "Failed to get map from Json string {0}: {1}" )
+ void failedToGetMapFromJsonString( String json, @StackTrace( level = MessageLevel.DEBUG ) Exception e );
}
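Review bot: `failedToSerializeMapToJSON` renders the entire map into the ERROR text via `{0}`, and the maps this commit hands to JsonUtils carry `access_token` and `code` values (JWTAccessTokenAssertionFilter and JWTAuthCodeAssertionFilter), so a serialisation failure would write bearer credentials into the gateway log; `failedToGetMapFromJsonString` likewise echoes the raw JSON it was given. Log only the key set or the size, e.g. `text = "Failed to serialize map with keys {0} to Json string: {1}"` with `map.keySet()` supplied by the caller (which is not visible here), or drop the payload parameter altogether and keep the exception.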
http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/21e6d1da/gateway-server/src/main/java/org/apache/hadoop/gateway/GatewayServer.java
----------------------------------------------------------------------
diff --git a/gateway-server/src/main/java/org/apache/hadoop/gateway/GatewayServer.java b/gateway-server/src/main/java/org/apache/hadoop/gateway/GatewayServer.java
index 5242e4e..85d35de 100644
--- a/gateway-server/src/main/java/org/apache/hadoop/gateway/GatewayServer.java
+++ b/gateway-server/src/main/java/org/apache/hadoop/gateway/GatewayServer.java
@@ -24,11 +24,13 @@ import org.apache.commons.io.IOUtils;
import org.apache.hadoop.gateway.config.GatewayConfig;
import org.apache.hadoop.gateway.config.impl.GatewayConfigImpl;
import org.apache.hadoop.gateway.deploy.DeploymentFactory;
+import org.apache.hadoop.gateway.deploy.ServiceDeploymentContributor;
import org.apache.hadoop.gateway.i18n.messages.MessagesFactory;
import org.apache.hadoop.gateway.i18n.resources.ResourcesFactory;
import org.apache.hadoop.gateway.services.DefaultGatewayServices;
import org.apache.hadoop.gateway.services.GatewayServices;
import org.apache.hadoop.gateway.services.ServiceLifecycleException;
+import org.apache.hadoop.gateway.services.registry.ServiceRegistry;
import org.apache.hadoop.gateway.services.security.SSLService;
import org.apache.hadoop.gateway.topology.Topology;
import org.apache.hadoop.gateway.topology.TopologyEvent;
@@ -52,9 +54,11 @@ import java.io.OutputStream;
import java.net.InetSocketAddress;
import java.net.ServerSocket;
import java.util.HashMap;
+import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Properties;
+import java.util.ServiceLoader;
import java.util.concurrent.ConcurrentHashMap;
import java.util.regex.Pattern;
@@ -62,7 +66,7 @@ public class GatewayServer {
private static GatewayResources res = ResourcesFactory.get( GatewayResources.class );
private static GatewayMessages log = MessagesFactory.get( GatewayMessages.class );
private static GatewayServer server;
- private static DefaultGatewayServices services;
+ private static GatewayServices services;
private static Properties buildProperties;
@@ -84,7 +88,10 @@ public class GatewayServer {
buildProperties.getProperty( "build.version", "unknown" ),
buildProperties.getProperty( "build.hash", "unknown" ) ) );
} else {
- services = new DefaultGatewayServices();
+ services = instantiateGatewayServices();
+ if (services == null) {
+ log.failedToInstantiateGatewayServices();
+ }
GatewayConfig config = new GatewayConfigImpl();
configureLogging( config );
if (config.isHadoopKerberosSecured()) {
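Review bot: When `instantiateGatewayServices()` returns null the new code only logs and falls through, so the `services.init(...)` call a few lines below dereferences null and the process dies with a NullPointerException rather than the logged message being the final word. Either leave the method after the log call (`log.failedToInstantiateGatewayServices(); return;`) or fall back to `services = new DefaultGatewayServices();`, which is what this line did before the change. Note also that `ServiceLoader` hands back whichever `GatewayServices` provider is first on the classpath, so the component that owns the master secret and keystores is now chosen by classpath contents; logging the selected class name at startup would at least make that visible. The enclosing `main` starts and ends outside this hunk.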
@@ -92,7 +99,7 @@ public class GatewayServer {
}
Map<String,String> options = new HashMap<String,String>();
options.put(GatewayCommandLine.PERSIST_LONG, Boolean.toString(cmd.hasOption(GatewayCommandLine.PERSIST_LONG)));
- services.init(config, options);
+ ((org.apache.hadoop.gateway.services.Service) services).init(config, options);
if (!cmd.hasOption(GatewayCommandLine.NOSTART_LONG)) {
startGateway( config, services );
}
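Review bot: The cast `((org.apache.hadoop.gateway.services.Service) services).init(config, options)` assumes every `GatewayServices` provider discovered through `ServiceLoader` also implements `Service`; one that does not fails here with a ClassCastException and no useful message. If the lifecycle methods are a requirement of the interface (both implementations in this commit declare `init`/`start`/`stop`), have `GatewayServices` extend `Service` and drop the cast; otherwise guard it with `if (!(services instanceof org.apache.hadoop.gateway.services.Service)) { log.failedToInstantiateGatewayServices(); return; }` before the call. The enclosing `main` continues outside this hunk.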
@@ -104,6 +111,15 @@ public class GatewayServer {
}
}
+ private static GatewayServices instantiateGatewayServices() {
+ ServiceLoader<GatewayServices> loader = ServiceLoader.load( GatewayServices.class );
+ Iterator<GatewayServices> services = loader.iterator();
+ if (services.hasNext()) {
+ return services.next();
+ }
+ return null;
+ }
+
public static synchronized GatewayServices getGatewayServices() {
return services;
}
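Review bot: `instantiateGatewayServices` silently takes the first provider the `ServiceLoader` iterator yields and ignores any others, and a malformed `META-INF/services` entry surfaces as an uncaught `ServiceConfigurationError` rather than the null the caller tests for, so the `failedToInstantiateGatewayServices` path is hard to reach in practice. Since the selected implementation controls the master secret, keystores and token signing, choosing it by classpath order without even noting an ambiguity is worth tightening. The rewrite below detects a second provider, turns a loader error into the null the caller already handles, and falls back to `DefaultGatewayServices` when no provider is registered instead of returning null.
```java
private static GatewayServices instantiateGatewayServices() {
  try {
    Iterator<GatewayServices> it = ServiceLoader.load( GatewayServices.class ).iterator();
    if (it.hasNext()) {
      GatewayServices chosen = it.next();
      if (it.hasNext()) {
        // more than one provider: which one wins depends on classpath order
        // TODO: log the ambiguity and the class that was selected
      }
      return chosen;
    }
  } catch (java.util.ServiceConfigurationError e) {
    // broken provider entry on the classpath: report via the caller's null check
    return null;
  }
  // no provider registered: keep the pre-existing default behaviour
  return new DefaultGatewayServices();
}
```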
@@ -188,13 +204,13 @@ public class GatewayServer {
input.close();
}
- public static GatewayServer startGateway( GatewayConfig config, DefaultGatewayServices srvics ) {
+ public static GatewayServer startGateway( GatewayConfig config, GatewayServices svcs ) {
try {
log.startingGateway();
server = new GatewayServer( config );
synchronized (server ) {
if (services == null) {
- services = srvics;
+ services = svcs;
}
services.start();
DeploymentFactory.setGatewayServices(services);
@@ -338,6 +354,10 @@ public class GatewayServer {
private synchronized void internalUndeploy( Topology topology ) {
WebAppContext context = deployments.remove( topology.getName() );
if( context != null ) {
+ ServiceRegistry sr = (ServiceRegistry) this.getGatewayServices().getService(GatewayServices.SERVICE_REGISTRY_SERVICE);
+ if (sr != null) {
+ sr.removeClusterServices(topology.getName());
+ }
contexts.removeHandler( context ) ;
try {
context.stop();
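Review bot: `sr.removeClusterServices(topology.getName())` only drops the cluster from the in-memory map — `DefaultServiceRegistryService.removeClusterServices` in this same commit does `registry.remove(clusterName)` and never rewrites the registry file — so the undeployed topology's service URLs reappear on the next restart when `setupRegistryFile` reloads the persisted JSON. Persisting after removal through the same `renderAsJsonString`/`FileUtils.write` path that `registerService` uses keeps the file and the map in step. Minor style point: `this.getGatewayServices()` calls a static method through an instance; `getGatewayServices()` reads cleaner. `internalUndeploy` continues outside the hunk.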
http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/21e6d1da/gateway-server/src/main/java/org/apache/hadoop/gateway/deploy/DeploymentFactory.java
----------------------------------------------------------------------
diff --git a/gateway-server/src/main/java/org/apache/hadoop/gateway/deploy/DeploymentFactory.java b/gateway-server/src/main/java/org/apache/hadoop/gateway/deploy/DeploymentFactory.java
index 2ade641..ce2f7af 100644
--- a/gateway-server/src/main/java/org/apache/hadoop/gateway/deploy/DeploymentFactory.java
+++ b/gateway-server/src/main/java/org/apache/hadoop/gateway/deploy/DeploymentFactory.java
@@ -25,7 +25,8 @@ import org.apache.hadoop.gateway.descriptor.GatewayDescriptor;
import org.apache.hadoop.gateway.descriptor.GatewayDescriptorFactory;
import org.apache.hadoop.gateway.i18n.messages.MessagesFactory;
import org.apache.hadoop.gateway.i18n.resources.ResourcesFactory;
-import org.apache.hadoop.gateway.services.DefaultGatewayServices;
+import org.apache.hadoop.gateway.services.GatewayServices;
+import org.apache.hadoop.gateway.services.registry.ServiceRegistry;
import org.apache.hadoop.gateway.topology.Provider;
import org.apache.hadoop.gateway.topology.Service;
import org.apache.hadoop.gateway.topology.Topology;
@@ -53,7 +54,7 @@ public abstract class DeploymentFactory {
private static GatewayResources res = ResourcesFactory.get( GatewayResources.class );
private static GatewayMessages log = MessagesFactory.get( GatewayMessages.class );
- private static DefaultGatewayServices gatewayServices = null;
+ private static GatewayServices gatewayServices = null;
//private static Set<ServiceDeploymentContributor> SERVICE_CONTRIBUTORS;
private static Map<String,Map<String,ServiceDeploymentContributor>> SERVICE_CONTRIBUTOR_MAP;
@@ -67,7 +68,7 @@ public abstract class DeploymentFactory {
loadProviderContributors();
}
- public static void setGatewayServices(DefaultGatewayServices services) {
+ public static void setGatewayServices(GatewayServices services) {
DeploymentFactory.gatewayServices = services;
}
@@ -244,6 +245,13 @@ public abstract class DeploymentFactory {
if( contributor != null ) {
try {
contributor.contributeService( context, service );
+ if (gatewayServices != null) {
+ ServiceRegistry sr = (ServiceRegistry) gatewayServices.getService(GatewayServices.SERVICE_REGISTRY_SERVICE);
+ if (sr != null) {
+ String regCode = sr.getRegistrationCode(topology.getName());
+ sr.registerService(regCode, topology.getName(), service.getRole(), service.getUrl().toExternalForm());
+ }
+ }
} catch( Exception e ) {
// Maybe it makes sense to throw exception
log.failedToContributeService( service.getName(), service.getRole(), e );
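Review bot: The registration code is minted and consumed in the same call sequence here — `sr.getRegistrationCode(topology.getName())` returns a freshly signed code that is immediately handed to `sr.registerService(...)` — so the signature check inside `registerService` verifies a value the caller just created and does not authorize anything. If the code is meant to gate who may register a URL for a cluster, it has to be issued out of band and presented by the registrant, and as written `getRegistrationCode` ignores its `clusterName` argument, so the code is not tied to the topology either. Separately, `service.getUrl().toExternalForm()` throws NullPointerException for a service declared without a URL, and because the registration sits inside the existing try the failure is reported as `failedToContributeService` although the contributor itself succeeded; guard with `if (service.getUrl() != null)` and move the registration out of that try. The enclosing method starts outside the hunk.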
http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/21e6d1da/gateway-server/src/main/java/org/apache/hadoop/gateway/services/DefaultGatewayServices.java
----------------------------------------------------------------------
diff --git a/gateway-server/src/main/java/org/apache/hadoop/gateway/services/DefaultGatewayServices.java b/gateway-server/src/main/java/org/apache/hadoop/gateway/services/DefaultGatewayServices.java
index fddf865..b17c98c 100644
--- a/gateway-server/src/main/java/org/apache/hadoop/gateway/services/DefaultGatewayServices.java
+++ b/gateway-server/src/main/java/org/apache/hadoop/gateway/services/DefaultGatewayServices.java
@@ -25,13 +25,13 @@ import java.util.Map;
import org.apache.hadoop.gateway.GatewayMessages;
import org.apache.hadoop.gateway.config.GatewayConfig;
import org.apache.hadoop.gateway.deploy.DeploymentContext;
-import org.apache.hadoop.gateway.deploy.ProviderDeploymentContributor;
import org.apache.hadoop.gateway.descriptor.FilterParamDescriptor;
import org.apache.hadoop.gateway.descriptor.ResourceDescriptor;
import org.apache.hadoop.gateway.i18n.messages.MessagesFactory;
import org.apache.hadoop.gateway.services.GatewayServices;
import org.apache.hadoop.gateway.services.Service;
import org.apache.hadoop.gateway.services.ServiceLifecycleException;
+import org.apache.hadoop.gateway.services.registry.impl.DefaultServiceRegistryService;
import org.apache.hadoop.gateway.services.security.KeystoreServiceException;
import org.apache.hadoop.gateway.services.security.SSLService;
import org.apache.hadoop.gateway.services.security.impl.DefaultAliasService;
@@ -39,9 +39,11 @@ import org.apache.hadoop.gateway.services.security.impl.DefaultCryptoService;
import org.apache.hadoop.gateway.services.security.impl.DefaultKeystoreService;
import org.apache.hadoop.gateway.services.security.impl.DefaultMasterService;
import org.apache.hadoop.gateway.services.security.impl.JettySSLService;
+import org.apache.hadoop.gateway.services.token.impl.DefaultTokenAuthorityService;
import org.apache.hadoop.gateway.topology.Provider;
-public class DefaultGatewayServices implements Service, ProviderDeploymentContributor, GatewayServices {
+public class DefaultGatewayServices implements GatewayServices {
+
private static GatewayMessages log = MessagesFactory.get( GatewayMessages.class );
private Map<String,Service> services = new HashMap<String, Service>();
@@ -71,6 +73,12 @@ public class DefaultGatewayServices implements Service, ProviderDeploymentContri
crypto.init(config, options);
services.put(CRYPTO_SERVICE, crypto);
+ DefaultTokenAuthorityService ts = new DefaultTokenAuthorityService();
+ ts.setCryptoService(crypto);
+ ts.init(config, options);
+ // prolly should not allow the token service to be looked up?
+ services.put(TOKEN_SERVICE, ts);
+
JettySSLService ssl = new JettySSLService();
ssl.setAliasService(alias);
ssl.setKeystoreService(ks);
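Review bot: The comment `// prolly should not allow the token service to be looked up?` leaves a security decision open in the code: `DefaultTokenAuthorityService` is wired to the gateway's `CryptoService` (and thus to the gateway-identity signing key) and is then placed in the general `services` map, where anything holding the `GatewayServices` reference can call `getService(TOKEN_SERVICE)` and issue tokens. Either resolve it now — keep the token authority in a private field and expose only what the SSO provider needs — or replace the comment with a statement of the decision and its owner, e.g. `// TODO(security): TOKEN_SERVICE is reachable via getService(); restrict it to the SSO provider before release`. The surrounding `init` method begins and ends outside this hunk.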
@@ -121,18 +129,17 @@ public class DefaultGatewayServices implements Service, ProviderDeploymentContri
@Override
public String getRole() {
- // TODO Auto-generated method stub
return "Services";
}
@Override
public String getName() {
- // TODO Auto-generated method stub
return "GatewayServices";
}
@Override
public void initializeContribution(DeploymentContext context) {
+ // setup credential store as appropriate
String clusterName = context.getTopology().getName();
try {
if (!ks.isCredentialStoreForClusterAvailable(clusterName)) {
@@ -140,7 +147,6 @@ public class DefaultGatewayServices implements Service, ProviderDeploymentContri
ks.createCredentialStoreForCluster(clusterName);
}
else {
- // TODO: log appropriately
log.credentialStoreForClusterFoundNotCreating(clusterName);
}
} catch (KeystoreServiceException e) {
@@ -156,8 +162,6 @@ public class DefaultGatewayServices implements Service, ProviderDeploymentContri
public void contributeFilter(DeploymentContext context, Provider provider,
org.apache.hadoop.gateway.topology.Service service,
ResourceDescriptor resource, List<FilterParamDescriptor> params) {
- // TODO Auto-generated method stub
-
}
@Override
http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/21e6d1da/gateway-server/src/main/java/org/apache/hadoop/gateway/services/HssoGatewayServices.java
----------------------------------------------------------------------
diff --git a/gateway-server/src/main/java/org/apache/hadoop/gateway/services/HssoGatewayServices.java b/gateway-server/src/main/java/org/apache/hadoop/gateway/services/HssoGatewayServices.java
new file mode 100644
index 0000000..1711dc8
--- /dev/null
+++ b/gateway-server/src/main/java/org/apache/hadoop/gateway/services/HssoGatewayServices.java
@@ -0,0 +1,177 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.gateway.services;
+
+import java.util.Collection;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+
+import org.apache.hadoop.gateway.GatewayMessages;
+import org.apache.hadoop.gateway.config.GatewayConfig;
+import org.apache.hadoop.gateway.deploy.DeploymentContext;
+import org.apache.hadoop.gateway.descriptor.FilterParamDescriptor;
+import org.apache.hadoop.gateway.descriptor.ResourceDescriptor;
+import org.apache.hadoop.gateway.i18n.messages.MessagesFactory;
+import org.apache.hadoop.gateway.services.GatewayServices;
+import org.apache.hadoop.gateway.services.Service;
+import org.apache.hadoop.gateway.services.ServiceLifecycleException;
+import org.apache.hadoop.gateway.services.registry.impl.DefaultServiceRegistryService;
+import org.apache.hadoop.gateway.services.security.KeystoreServiceException;
+import org.apache.hadoop.gateway.services.security.SSLService;
+import org.apache.hadoop.gateway.services.security.impl.DefaultAliasService;
+import org.apache.hadoop.gateway.services.security.impl.DefaultCryptoService;
+import org.apache.hadoop.gateway.services.security.impl.DefaultKeystoreService;
+import org.apache.hadoop.gateway.services.security.impl.DefaultMasterService;
+import org.apache.hadoop.gateway.services.security.impl.JettySSLService;
+import org.apache.hadoop.gateway.services.token.impl.DefaultTokenAuthorityService;
+import org.apache.hadoop.gateway.topology.Provider;
+
+public class HssoGatewayServices implements GatewayServices {
+
+ private static GatewayMessages log = MessagesFactory.get( GatewayMessages.class );
+
+ private Map<String,Service> services = new HashMap<String, Service>();
+ private DefaultMasterService ms = null;
+ private DefaultKeystoreService ks = null;
+
+ public HssoGatewayServices() {
+ super();
+ }
+
+ public void init(GatewayConfig config, Map<String,String> options) throws ServiceLifecycleException {
+ ms = new DefaultMasterService();
+ ms.init(config, options);
+
+ ks = new DefaultKeystoreService();
+ ks.setMasterService(ms);
+ ks.init(config, options);
+
+ DefaultAliasService alias = new DefaultAliasService();
+ alias.setKeystoreService(ks);
+ alias.init(config, options);
+ services.put(ALIAS_SERVICE, alias);
+
+ DefaultCryptoService crypto = new DefaultCryptoService();
+ crypto.setKeystoreService(ks);
+ crypto.setAliasService(alias);
+ crypto.init(config, options);
+ services.put(CRYPTO_SERVICE, crypto);
+
+ DefaultTokenAuthorityService ts = new DefaultTokenAuthorityService();
+ ts.setCryptoService(crypto);
+ ts.init(config, options);
+ // prolly should not allow the token service to be looked up?
+ services.put(TOKEN_SERVICE, ts);
+
+ DefaultServiceRegistryService sr = new DefaultServiceRegistryService();
+ sr.setCryptoService(crypto);
+ sr.init(config, options);
+ services.put(SERVICE_REGISTRY_SERVICE, sr);
+
+ JettySSLService ssl = new JettySSLService();
+ ssl.setAliasService(alias);
+ ssl.setKeystoreService(ks);
+ ssl.setMasterService(ms);
+ ssl.init(config, options);
+ services.put(SSL_SERVICE, ssl);
+ }
+
+ public void start() throws ServiceLifecycleException {
+ ms.start();
+
+ ks.start();
+
+ DefaultAliasService alias = (DefaultAliasService) services.get(ALIAS_SERVICE);
+ alias.start();
+
+ SSLService ssl = (SSLService) services.get(SSL_SERVICE);
+ ssl.start();
+ }
+
+ public void stop() throws ServiceLifecycleException {
+ ms.stop();
+
+ ks.stop();
+
+ DefaultAliasService alias = (DefaultAliasService) services.get(ALIAS_SERVICE);
+ alias.stop();
+
+ SSLService ssl = (SSLService) services.get(SSL_SERVICE);
+ ssl.stop();
+ }
+
+ /* (non-Javadoc)
+ * @see org.apache.hadoop.gateway.GatewayServices#getServiceNames()
+ */
+ @Override
+ public Collection<String> getServiceNames() {
+ return services.keySet();
+ }
+
+ /* (non-Javadoc)
+ * @see org.apache.hadoop.gateway.GatewayServices#getService(java.lang.String)
+ */
+ @Override
+ public Service getService(String serviceName) {
+ return services.get(serviceName);
+ }
+
+ @Override
+ public String getRole() {
+ return "Services";
+ }
+
+ @Override
+ public String getName() {
+ return "GatewayServices";
+ }
+
+ @Override
+ public void initializeContribution(DeploymentContext context) {
+ // setup credential store as appropriate
+ String clusterName = context.getTopology().getName();
+ try {
+ if (!ks.isCredentialStoreForClusterAvailable(clusterName)) {
+ log.creatingCredentialStoreForCluster(clusterName);
+ ks.createCredentialStoreForCluster(clusterName);
+ }
+ else {
+ log.credentialStoreForClusterFoundNotCreating(clusterName);
+ }
+ } catch (KeystoreServiceException e) {
+ throw new RuntimeException("Credential store was found but was unable to be loaded - the provided (or persisted) master secret may not match the password for the credential store.", e);
+ }
+ }
+
+ @Override
+ public void contributeProvider(DeploymentContext context, Provider provider) {
+ }
+
+ @Override
+ public void contributeFilter(DeploymentContext context, Provider provider,
+ org.apache.hadoop.gateway.topology.Service service,
+ ResourceDescriptor resource, List<FilterParamDescriptor> params) {
+ }
+
+ @Override
+ public void finalizeContribution(DeploymentContext context) {
+ // Tell the provider the location of the descriptor.
+ context.getWebAppDescriptor().createListener().listenerClass( GatewayServicesContextListener.class.getName() );
+ }
+}
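Review bot: `start()` and `stop()` drive only the master, keystore, alias and SSL services; the crypto, token-authority and service-registry services that `init` also creates and puts in the map are never started or stopped. Today `DefaultServiceRegistryService.start`/`stop` are empty so nothing breaks, but the lifecycle contract is silently skipped for three of the six entries, and any future flush-on-stop in the registry would never run. Keeping a `List<Service>` in init order and running `for (Service s : started) s.start();` in `start()`, with the reverse order in `stop()`, keeps both methods honest; `stop()` should in any case tear down in the reverse of `start()` (SSL before the keystore and master services it depends on) rather than the same order. Note also that this class is a near-verbatim copy of `DefaultGatewayServices` plus the registry service; a subclass or a shared base would avoid the two drifting apart.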
http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/21e6d1da/gateway-server/src/main/java/org/apache/hadoop/gateway/services/registry/impl/DefaultServiceRegistryService.java
----------------------------------------------------------------------
diff --git a/gateway-server/src/main/java/org/apache/hadoop/gateway/services/registry/impl/DefaultServiceRegistryService.java b/gateway-server/src/main/java/org/apache/hadoop/gateway/services/registry/impl/DefaultServiceRegistryService.java
new file mode 100644
index 0000000..92b8621
--- /dev/null
+++ b/gateway-server/src/main/java/org/apache/hadoop/gateway/services/registry/impl/DefaultServiceRegistryService.java
@@ -0,0 +1,191 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.gateway.services.registry.impl;
+
+import java.io.File;
+import java.io.IOException;
+import java.util.HashMap;
+import java.util.Map;
+import java.util.Random;
+
+import org.apache.commons.codec.binary.Base64;
+import org.apache.commons.io.FileUtils;
+import org.apache.hadoop.gateway.GatewayMessages;
+import org.apache.hadoop.gateway.config.GatewayConfig;
+import org.apache.hadoop.gateway.i18n.messages.MessagesFactory;
+import org.apache.hadoop.gateway.services.Service;
+import org.apache.hadoop.gateway.services.ServiceLifecycleException;
+import org.apache.hadoop.gateway.services.registry.ServiceRegistry;
+import org.apache.hadoop.gateway.services.security.CryptoService;
+
+import com.fasterxml.jackson.core.JsonFactory;
+import com.fasterxml.jackson.core.JsonParseException;
+import com.fasterxml.jackson.core.JsonProcessingException;
+import com.fasterxml.jackson.core.type.TypeReference;
+import com.fasterxml.jackson.databind.JsonMappingException;
+import com.fasterxml.jackson.databind.ObjectMapper;
+
+public class DefaultServiceRegistryService implements ServiceRegistry, Service {
+ private static GatewayMessages LOG = MessagesFactory.get( GatewayMessages.class );
+
+ protected char[] chars = { 'a', 'b', 'c', 'd', 'e', 'f', 'g',
+ 'h', 'j', 'k', 'm', 'n', 'p', 'q', 'r', 's', 't', 'u', 'v', 'w',
+ 'x', 'y', 'z', 'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', 'J', 'K',
+ 'M', 'N', 'P', 'Q', 'R', 'S', 'T', 'U', 'V', 'W', 'X', 'Y', 'Z',
+ '2', '3', '4', '5', '6', '7', '8', '9',};
+
+ private CryptoService crypto;
+ private Registry registry = new Registry();
+
+ private String registryFileName;
+
+ public DefaultServiceRegistryService() {
+ }
+
+ public void setCryptoService(CryptoService crypto) {
+ this.crypto = crypto;
+ }
+
+ public String getRegistrationCode(String clusterName) {
+ String code = generateRegCode(16);
+ byte[] signature = crypto.sign("SHA256withRSA","gateway-identity",code);
+ String encodedSig = Base64.encodeBase64URLSafeString(signature);
+
+ return code + "::" + encodedSig;
+ }
+
+ private String generateRegCode(int length) {
+ StringBuffer sb = new StringBuffer();
+ Random r = new Random();
+ for (int i = 0; i < length; i++) {
+ sb.append(chars[r.nextInt(chars.length)]);
+ }
+ return sb.toString();
+ }
+
+ public void removeClusterServices(String clusterName) {
+ registry.remove(clusterName);
+ }
+
+ public boolean registerService(String regCode, String clusterName, String serviceName, String url) {
+ boolean rc = false;
+ // verify the signature of the regCode
+ if (regCode == null) {
+ throw new IllegalArgumentException("Registration Code must not be null.");
+ }
+ String[] parts = regCode.split("::");
+
+ // part one is the code and part two is the signature
+ boolean verified = crypto.verify("SHA256withRSA", "gateway-identity", parts[0], Base64.decodeBase64(parts[1]));
+ if (verified) {
+ HashMap<String,RegEntry> clusterServices = registry.get(clusterName);
+ if (clusterServices == null) {
+ synchronized(this) {
+ clusterServices = new HashMap<String,RegEntry>();
+ registry.put(clusterName, clusterServices);
+ }
+ }
+ RegEntry regEntry = new RegEntry();
+ regEntry.setClusterName(clusterName);
+ regEntry.setServiceName(serviceName);
+ regEntry.setUrl(url);
+ clusterServices.put(serviceName , regEntry);
+ String json = renderAsJsonString(registry);
+ try {
+ FileUtils.write(new File(registryFileName), json);
+ rc = true;
+ } catch (IOException e) {
+ // log appropriately
+ e.printStackTrace();
+ }
+ }
+
+ return rc;
+ }
+
+ private String renderAsJsonString(HashMap<String,HashMap<String,RegEntry>> registry) {
+ String json = null;
+ ObjectMapper mapper = new ObjectMapper();
+
+ try {
+ // write JSON to a file
+ json = mapper.writeValueAsString((Object)registry);
+
+ } catch ( JsonProcessingException e ) {
+ e.printStackTrace();
+ }
+ return json;
+ }
+
+ public String lookupServiceURL(String clusterName, String serviceName) {
+ RegEntry entry = null;
+ HashMap clusterServices = registry.get(clusterName);
+ if (clusterServices != null) {
+ entry = (RegEntry) clusterServices.get(serviceName);
+ }
+ return entry.url;
+ }
+
+ private HashMap<String, HashMap<String,RegEntry>> getMapFromJsonString(String json) {
+ Registry map = null;
+ JsonFactory factory = new JsonFactory();
+ ObjectMapper mapper = new ObjectMapper(factory);
+ TypeReference<Registry> typeRef
+ = new TypeReference<Registry>() {};
+ try {
+ map = mapper.readValue(json, typeRef);
+ } catch (JsonParseException e) {
+ LOG.failedToGetMapFromJsonString( json, e );
+ } catch (JsonMappingException e) {
+ LOG.failedToGetMapFromJsonString( json, e );
+ } catch (IOException e) {
+ LOG.failedToGetMapFromJsonString( json, e );
+ }
+ return map;
+ }
+
+ @Override
+ public void init(GatewayConfig config, Map<String, String> options)
+ throws ServiceLifecycleException {
+ String securityDir = config.getGatewayHomeDir() + File.separator + "conf" + File.separator + "security";
+ String filename = "registry";
+ setupRegistryFile(securityDir, filename);
+ }
+
+ protected void setupRegistryFile(String securityDir, String filename) throws ServiceLifecycleException {
+ File registryFile = new File(securityDir, filename);
+ if (registryFile.exists()) {
+ try {
+ String json = FileUtils.readFileToString(registryFile);
+ registry = (Registry) getMapFromJsonString(json);
+ } catch (Exception e) {
+ throw new ServiceLifecycleException("Unable to load the persisted registry.", e);
+ }
+ }
+ registryFileName = registryFile.getAbsolutePath();
+ }
+
+ @Override
+ public void start() throws ServiceLifecycleException {
+ }
+
+ @Override
+ public void stop() throws ServiceLifecycleException {
+ }
+
+}
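Review bot: The signature produced in `getRegistrationCode` covers only the 16-character random code, so a code issued for one cluster verifies for any `clusterName`/`serviceName`/`url` presented to `registerService`, which lets any holder of one valid code rewrite the backend URL that `lookupServiceURL` later returns for any cluster. `registerService` also indexes `parts[1]` without checking that the split produced two parts, so a code without `::` throws ArrayIndexOutOfBoundsException instead of returning false, and `generateRegCode` draws from `java.util.Random`, which is predictable for a value intended as a credential; `SecureRandom` is the appropriate source. The rewrite below binds the signed payload to the cluster name, validates the part count and keeps the existing `IllegalArgumentException` for a null code. Two further guards are worth adding outside this excerpt: `lookupServiceURL` dereferences `entry` when the cluster or service is unknown (NPE), and a failed parse in `getMapFromJsonString` returns null, which `setupRegistryFile` then assigns to `registry`.
```java
public String getRegistrationCode(String clusterName) {
  String code = generateRegCode(16);
  // sign "<cluster>::<code>" so the code is only valid for the cluster it was issued for
  byte[] signature = crypto.sign("SHA256withRSA", "gateway-identity", clusterName + "::" + code);
  return code + "::" + Base64.encodeBase64URLSafeString(signature);
}

private String generateRegCode(int length) {
  StringBuilder sb = new StringBuilder(length);
  java.security.SecureRandom r = new java.security.SecureRandom();
  for (int i = 0; i < length; i++) {
    sb.append(chars[r.nextInt(chars.length)]);
  }
  return sb.toString();
}

// … unchanged: removeClusterServices …

public boolean registerService(String regCode, String clusterName, String serviceName, String url) {
  if (regCode == null) {
    throw new IllegalArgumentException("Registration Code must not be null.");
  }
  String[] parts = regCode.split("::");
  if (parts.length != 2) {
    return false; // malformed: expected "<code>::<signature>"
  }
  // the signature must cover the cluster as well as the code (see getRegistrationCode)
  boolean verified = crypto.verify("SHA256withRSA", "gateway-identity",
      clusterName + "::" + parts[0], Base64.decodeBase64(parts[1]));
  if (!verified) {
    return false;
  }
  // … unchanged: add the RegEntry under clusterName and persist the registry …
```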
http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/21e6d1da/gateway-server/src/main/java/org/apache/hadoop/gateway/services/registry/impl/RegEntry.java
----------------------------------------------------------------------
diff --git a/gateway-server/src/main/java/org/apache/hadoop/gateway/services/registry/impl/RegEntry.java b/gateway-server/src/main/java/org/apache/hadoop/gateway/services/registry/impl/RegEntry.java
new file mode 100644
index 0000000..847d72e
--- /dev/null
+++ b/gateway-server/src/main/java/org/apache/hadoop/gateway/services/registry/impl/RegEntry.java
@@ -0,0 +1,52 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.gateway.services.registry.impl;
+
+public class RegEntry {
+ public String clusterName;
+ public String serviceName;
+ public String url;
+
+ public RegEntry() {
+ }
+
+ public String getClusterName() {
+ return clusterName;
+ }
+
+ public void setClusterName(String clusterName) {
+ this.clusterName = clusterName;
+ }
+
+ public String getServiceName() {
+ return serviceName;
+ }
+
+ public void setServiceName(String serviceName) {
+ this.serviceName = serviceName;
+ }
+
+ public String getUrl() {
+ return url;
+ }
+
+ public void setUrl(String url) {
+ this.url = url;
+ }
+
+}
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/21e6d1da/gateway-server/src/main/java/org/apache/hadoop/gateway/services/registry/impl/Registry.java
----------------------------------------------------------------------
diff --git a/gateway-server/src/main/java/org/apache/hadoop/gateway/services/registry/impl/Registry.java b/gateway-server/src/main/java/org/apache/hadoop/gateway/services/registry/impl/Registry.java
new file mode 100644
index 0000000..a82284b
--- /dev/null
+++ b/gateway-server/src/main/java/org/apache/hadoop/gateway/services/registry/impl/Registry.java
@@ -0,0 +1,33 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.gateway.services.registry.impl;
+
+import java.util.HashMap;
+
+class Registry extends HashMap<String,HashMap<String,RegEntry>> {
+
+ /**
+ *
+ */
+ private static final long serialVersionUID = 1L;
+
+ public Registry() {
+ super();
+ }
+
+}
http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/21e6d1da/gateway-server/src/main/java/org/apache/hadoop/gateway/services/security/impl/DefaultAliasService.java
----------------------------------------------------------------------
diff --git a/gateway-server/src/main/java/org/apache/hadoop/gateway/services/security/impl/DefaultAliasService.java b/gateway-server/src/main/java/org/apache/hadoop/gateway/services/security/impl/DefaultAliasService.java
index f16c07a..5fd2883 100644
--- a/gateway-server/src/main/java/org/apache/hadoop/gateway/services/security/impl/DefaultAliasService.java
+++ b/gateway-server/src/main/java/org/apache/hadoop/gateway/services/security/impl/DefaultAliasService.java
@@ -45,14 +45,10 @@ public class DefaultAliasService implements AliasService {
@Override
public void start() throws ServiceLifecycleException {
- // TODO Auto-generated method stub
-
}
@Override
public void stop() throws ServiceLifecycleException {
- // TODO Auto-generated method stub
-
}
/* (non-Javadoc)
http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/21e6d1da/gateway-server/src/main/java/org/apache/hadoop/gateway/services/token/impl/DefaultTokenAuthorityService.java
----------------------------------------------------------------------
diff --git a/gateway-server/src/main/java/org/apache/hadoop/gateway/services/token/impl/DefaultTokenAuthorityService.java b/gateway-server/src/main/java/org/apache/hadoop/gateway/services/token/impl/DefaultTokenAuthorityService.java
new file mode 100644
index 0000000..21cef3f
--- /dev/null
+++ b/gateway-server/src/main/java/org/apache/hadoop/gateway/services/token/impl/DefaultTokenAuthorityService.java
@@ -0,0 +1,116 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.gateway.services.token.impl;
+
+import java.security.Principal;
+import java.util.Map;
+
+import javax.security.auth.Subject;
+
+import org.apache.hadoop.gateway.config.GatewayConfig;
+import org.apache.hadoop.gateway.services.Service;
+import org.apache.hadoop.gateway.services.ServiceLifecycleException;
+import org.apache.hadoop.gateway.services.security.CryptoService;
+import org.apache.hadoop.gateway.services.security.token.JWTokenAuthority;
+import org.apache.hadoop.gateway.services.security.token.impl.JWTToken;
+
+public class DefaultTokenAuthorityService implements JWTokenAuthority, Service {
+
+ private CryptoService crypto = null;
+
+ /* (non-Javadoc)
+ * @see org.apache.hadoop.gateway.provider.federation.jwt.JWTokenAuthority#issueToken(javax.security.auth.Subject, java.lang.String)
+ */
+ @Override
+ public JWTToken issueToken(Subject subject, String algorithm) {
+ Principal p = (Principal) subject.getPrincipals().toArray()[0];
+ return issueToken(p, algorithm);
+ }
+
+ /* (non-Javadoc)
+ * @see org.apache.hadoop.gateway.provider.federation.jwt.JWTokenAuthority#issueToken(java.security.Principal, java.lang.String)
+ */
+ @Override
+ public JWTToken issueToken(Principal p, String algorithm) {
+ return issueToken(p, null, algorithm);
+ }
+
+ /* (non-Javadoc)
+ * @see org.apache.hadoop.gateway.provider.federation.jwt.JWTokenAuthority#issueToken(java.security.Principal, java.lang.String, java.lang.String)
+ */
+ @Override
+ public JWTToken issueToken(Principal p, String audience, String algorithm) {
+ String[] claimArray = new String[4];
+ claimArray[0] = "HSSO";
+ claimArray[1] = p.getName();
+ if (audience == null) {
+ audience = "HSSO";
+ }
+ claimArray[2] = audience;
+ // TODO: make the validity period configurable
+ claimArray[3] = Long.toString( ( System.currentTimeMillis()/1000 ) + 300);
+
+ JWTToken token = null;
+ if ("RS256".equals(algorithm)) {
+ token = new JWTToken("RS256", claimArray);
+ signToken(token);
+ }
+ else {
+ // log inappropriate alg
+ }
+
+ return token;
+ }
+
+ private void signToken(JWTToken token) {
+ byte[] signature = null;
+ signature = crypto.sign("SHA256withRSA","gateway-identity",token.getPayloadToSign());
+ token.setSignaturePayload(signature);
+ }
+
+ @Override
+ public boolean verifyToken(JWTToken token) {
+ boolean rc = false;
+
+ // TODO: interrogate the token for issuer claim in order to determine the public key to use for verification
+ // consider jwk for specifying the key too
+ rc = crypto.verify("SHA256withRSA", "gateway-identity", token.getPayloadToSign(), token.getSignaturePayload());
+ return rc;
+ }
+
+ public void setCryptoService(CryptoService crypto) {
+ this.crypto = crypto;
+ }
+
+ @Override
+ public void init(GatewayConfig config, Map<String, String> options)
+ throws ServiceLifecycleException {
+ if (crypto == null) {
+ throw new ServiceLifecycleException("Crypto service is not set");
+ }
+ }
+
+ @Override
+ public void start() throws ServiceLifecycleException {
+ }
+
+ @Override
+ public void stop() throws ServiceLifecycleException {
+ }
+
+}
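Review bot: verifyToken checks only the RSA signature over the payload and never inspects the claims this authority issued, so an expired token (the `exp` claim written into `claimArray[3]`) or one minted for a different audience verifies successfully; after the signature check, read `token.getExpires()` and reject when it is earlier than `System.currentTimeMillis()/1000`, and compare `token.getAudience()` against the expected value before returning true. The principal lookup in issueToken(Subject, String), `subject.getPrincipals().toArray()[0]`, throws ArrayIndexOutOfBoundsException for a Subject with no principals and picks an arbitrary element when there are several, so it should guard the empty case and select the intended principal type. The unsupported-algorithm branch in issueToken(Principal, String, String) is an empty `else` holding only a comment, so callers receive a silent null; log through the messages interface or throw IllegalArgumentException there.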
http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/21e6d1da/gateway-spi/pom.xml
----------------------------------------------------------------------
diff --git a/gateway-spi/pom.xml b/gateway-spi/pom.xml
index d6dadb6..1d69dbc 100644
--- a/gateway-spi/pom.xml
+++ b/gateway-spi/pom.xml
@@ -94,6 +94,11 @@
<artifactId>httpclient</artifactId>
</dependency>
<dependency>
+ <groupId>com.jayway.jsonpath</groupId>
+ <artifactId>json-path</artifactId>
+ </dependency>
+
+ <dependency>
<groupId>junit</groupId>
<artifactId>junit</artifactId>
<scope>test</scope>
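Review bot: The new json-path dependency is declared without a `<version>`, so it builds only if the parent POM's dependencyManagement pins one; that section is not in the visible diff, so confirm the version is managed there and recorded in the same commit. Since this library parses claims from tokens received on the wire (it backs JWTToken.getClaim in this commit), pinning and tracking its version matters more than it would for a test-scoped dependency.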
http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/21e6d1da/gateway-spi/src/main/java/org/apache/hadoop/gateway/services/GatewayServices.java
----------------------------------------------------------------------
diff --git a/gateway-spi/src/main/java/org/apache/hadoop/gateway/services/GatewayServices.java b/gateway-spi/src/main/java/org/apache/hadoop/gateway/services/GatewayServices.java
index f13fe33..d97d3cb 100644
--- a/gateway-spi/src/main/java/org/apache/hadoop/gateway/services/GatewayServices.java
+++ b/gateway-spi/src/main/java/org/apache/hadoop/gateway/services/GatewayServices.java
@@ -19,12 +19,16 @@ package org.apache.hadoop.gateway.services;
import java.util.Collection;
+import org.apache.hadoop.gateway.deploy.ProviderDeploymentContributor;
-public interface GatewayServices {
+
+public interface GatewayServices extends Service, ProviderDeploymentContributor {
public static final String GATEWAY_SERVICES_ATTRIBUTE = "org.apache.hadoop.gateway.gateway.services";
public static final String SSL_SERVICE = "SSLService";
public static final String CRYPTO_SERVICE = "CryptoService";
public static final String ALIAS_SERVICE = "AliasService";
+ public static final String TOKEN_SERVICE = "TokenService";
+ public static final String SERVICE_REGISTRY_SERVICE = "ServiceRegistryService";
public abstract Collection<String> getServiceNames();
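Review bot: Making GatewayServices extend ProviderDeploymentContributor forces every implementation of the service registry to also implement the deployment-contributor methods, mixing the service lookup contract with deployment-time behaviour; if only the default implementation contributes to deployments, have that class implement ProviderDeploymentContributor and keep the interface narrow. The two new constants `TOKEN_SERVICE` and `SERVICE_REGISTRY_SERVICE` are undocumented; a one-line comment on each naming the service interface it resolves to (JWTokenAuthority and ServiceRegistry, inferred from the other files in this commit) would help callers of getService. The interface body continues outside the hunk.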
http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/21e6d1da/gateway-spi/src/main/java/org/apache/hadoop/gateway/services/registry/ServiceRegistry.java
----------------------------------------------------------------------
diff --git a/gateway-spi/src/main/java/org/apache/hadoop/gateway/services/registry/ServiceRegistry.java b/gateway-spi/src/main/java/org/apache/hadoop/gateway/services/registry/ServiceRegistry.java
new file mode 100644
index 0000000..fc41c57
--- /dev/null
+++ b/gateway-spi/src/main/java/org/apache/hadoop/gateway/services/registry/ServiceRegistry.java
@@ -0,0 +1,30 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.gateway.services.registry;
+
+public interface ServiceRegistry {
+
+ String getRegistrationCode(String clusterName);
+
+ boolean registerService(String regCode, String ClusterName, String serviceName, String url);
+
+ String lookupServiceURL(String ClusterName, String serviceName);
+
+ void removeClusterServices(String clusterName);
+
+}
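Review bot: The parameter name `ClusterName` in `registerService` and `lookupServiceURL` is capitalised unlike `clusterName` in the two neighbouring methods; rename it to `clusterName` for consistency. The interface also has no Javadoc, and the contract of `regCode` is what a caller most needs: document that `getRegistrationCode` returns the code a service must present to `registerService`, under which conditions `registerService` returns false (unknown code, duplicate registration — whichever the implementation intends), and whether `lookupServiceURL` returns null for an unknown cluster or service.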
http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/21e6d1da/gateway-spi/src/main/java/org/apache/hadoop/gateway/services/security/token/JWTokenAuthority.java
----------------------------------------------------------------------
diff --git a/gateway-spi/src/main/java/org/apache/hadoop/gateway/services/security/token/JWTokenAuthority.java b/gateway-spi/src/main/java/org/apache/hadoop/gateway/services/security/token/JWTokenAuthority.java
new file mode 100644
index 0000000..e603ff3
--- /dev/null
+++ b/gateway-spi/src/main/java/org/apache/hadoop/gateway/services/security/token/JWTokenAuthority.java
@@ -0,0 +1,36 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.gateway.services.security.token;
+
+import java.security.Principal;
+
+import javax.security.auth.Subject;
+
+import org.apache.hadoop.gateway.services.security.token.impl.JWTToken;
+
+public interface JWTokenAuthority {
+
+ public abstract JWTToken issueToken(Subject subject, String algorithm);
+
+ public abstract JWTToken issueToken(Principal p, String algorithm);
+
+ public abstract JWTToken issueToken(Principal p, String audience,
+ String algorithm);
+
+ public abstract boolean verifyToken(JWTToken token);
+}
\ No newline at end of file
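Review bot: The interface does not say what `verifyToken` guarantees, and the signature alone does not tell a caller whether expiry and audience are checked or only the signature; add Javadoc stating the contract, for example `/** Returns true only if the token's signature is valid for this authority's key; claim validation (exp, aud) is the caller's responsibility. */`, or the stronger contract if implementations are expected to check claims. The `public abstract` modifiers on interface methods are redundant in Java and are conventionally omitted. The file is also missing a trailing newline.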
http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/21e6d1da/gateway-spi/src/main/java/org/apache/hadoop/gateway/services/security/token/impl/JWTProviderMessages.java
----------------------------------------------------------------------
diff --git a/gateway-spi/src/main/java/org/apache/hadoop/gateway/services/security/token/impl/JWTProviderMessages.java b/gateway-spi/src/main/java/org/apache/hadoop/gateway/services/security/token/impl/JWTProviderMessages.java
new file mode 100644
index 0000000..1b0b1ee
--- /dev/null
+++ b/gateway-spi/src/main/java/org/apache/hadoop/gateway/services/security/token/impl/JWTProviderMessages.java
@@ -0,0 +1,48 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.gateway.services.security.token.impl;
+
+import org.apache.hadoop.gateway.i18n.messages.Message;
+import org.apache.hadoop.gateway.i18n.messages.MessageLevel;
+import org.apache.hadoop.gateway.i18n.messages.Messages;
+import org.apache.hadoop.gateway.i18n.messages.StackTrace;
+
+/**
+ *
+ */
+@Messages(logger="org.apache.hadoop.gateway")
+public interface JWTProviderMessages {
+
+ @Message( level = MessageLevel.DEBUG, text = "Rendering JWT Token for the wire: {0}" )
+ void renderingJWTTokenForTheWire(String string);
+
+ @Message( level = MessageLevel.DEBUG, text = "Parsing JWT Token from the wire: {0}" )
+ void parsingToken(String wireToken);
+
+ @Message( level = MessageLevel.DEBUG, text = "header: {0}" )
+ void printTokenHeader( String header );
+
+ @Message( level = MessageLevel.DEBUG, text = "claims: {0}" )
+ void printTokenClaims( String claims );
+
+ @Message( level = MessageLevel.DEBUG, text = "payload: {0}" )
+ void printTokenPayload( byte[] payload );
+
+ @Message( level = MessageLevel.FATAL, text = "Unsupported encoding: {0}" )
+ void unsupportedEncoding( @StackTrace( level = MessageLevel.DEBUG ) Exception e );
+}
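Review bot: `renderingJWTTokenForTheWire` and `parsingToken` log the complete serialised token, signature included, at DEBUG, so enabling debug logging (which the INSTALL file in this same commit describes as a routine step) writes replayable bearer credentials into the log file; log the header and claims only, or a hash of the token, and keep the signature segment out of the message. `unsupportedEncoding` is declared FATAL for an UnsupportedEncodingException that cannot occur for the constant `"UTF-8"` name JWTToken passes; ERROR is the more conventional level for a defensive catch. The empty `/** */` Javadoc on the interface should either describe it (log messages emitted by the JWT token support) or be removed.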
[3/4] POC work and related changes to support a Knox SSO solution
Posted by lm...@apache.org.
http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/21e6d1da/gateway-spi/src/main/java/org/apache/hadoop/gateway/services/security/token/impl/JWTToken.java
----------------------------------------------------------------------
diff --git a/gateway-spi/src/main/java/org/apache/hadoop/gateway/services/security/token/impl/JWTToken.java b/gateway-spi/src/main/java/org/apache/hadoop/gateway/services/security/token/impl/JWTToken.java
new file mode 100644
index 0000000..cb0836d
--- /dev/null
+++ b/gateway-spi/src/main/java/org/apache/hadoop/gateway/services/security/token/impl/JWTToken.java
@@ -0,0 +1,135 @@
+ /**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.gateway.services.security.token.impl;
+
+import java.io.UnsupportedEncodingException;
+import java.text.MessageFormat;
+
+import org.apache.commons.codec.binary.Base64;
+import org.apache.hadoop.gateway.i18n.messages.MessagesFactory;
+
+import com.jayway.jsonpath.JsonPath;
+
+public class JWTToken {
+ private static final String headerTemplate = "'{'\"alg\": \"{0}\"'}'";
+ private static final String claimTemplate = "'{'\"iss\": \"{0}\", \"prn\": \"{1}\", \"aud\": \"{2}\", \"exp\": \"{3}\"'}'";
+ public static final String PRINCIPAL = "prn";
+ public static final String ISSUER = "iss";
+ public static final String AUDIENCE = "aud";
+ public static final String EXPIRES = "exp";
+ private static JWTProviderMessages log = MessagesFactory.get( JWTProviderMessages.class );
+
+ public String header = null;
+ public String claims = null;
+
+ byte[] payload = null;
+
+ private JWTToken(byte[] header, byte[] claims, byte[] signature) {
+ try {
+ this.header = new String(header, "UTF-8");
+ this.claims = new String(claims, "UTF-8");
+ this.payload = signature;
+ } catch (UnsupportedEncodingException e) {
+ log.unsupportedEncoding( e );
+ }
+ }
+
+ public JWTToken(String alg, String[] claimsArray) {
+ MessageFormat headerFormatter = new MessageFormat(headerTemplate);
+ String[] algArray = new String[1];
+ algArray[0] = alg;
+ header = headerFormatter.format(algArray);
+
+ MessageFormat claimsFormatter = new MessageFormat(claimTemplate);
+ claims = claimsFormatter.format(claimsArray);
+ }
+
+ public String getPayloadToSign() {
+ StringBuffer sb = new StringBuffer();
+ try {
+ sb.append(Base64.encodeBase64URLSafeString(header.getBytes("UTF-8")));
+ sb.append(".");
+ sb.append(Base64.encodeBase64URLSafeString(claims.getBytes("UTF-8")));
+ } catch (UnsupportedEncodingException e) {
+ log.unsupportedEncoding( e );
+ }
+
+ return sb.toString();
+ }
+
+ public String toString() {
+ StringBuffer sb = new StringBuffer();
+ try {
+ sb.append(Base64.encodeBase64URLSafeString(header.getBytes("UTF-8")));
+ sb.append(".");
+ sb.append(Base64.encodeBase64URLSafeString(claims.getBytes("UTF-8")));
+ sb.append(".");
+ sb.append(Base64.encodeBase64URLSafeString(payload));
+ } catch (UnsupportedEncodingException e) {
+ log.unsupportedEncoding( e );
+ }
+
+ log.renderingJWTTokenForTheWire(sb.toString());
+
+ return sb.toString();
+ }
+
+ public void setSignaturePayload(byte[] payload) {
+ this.payload = payload;
+ }
+
+ public byte[] getSignaturePayload() {
+ return this.payload;
+ }
+
+ public static JWTToken parseToken(String wireToken) {
+ JWTToken token = null;
+ log.parsingToken(wireToken);
+ String[] parts = wireToken.split("\\.");
+ token = new JWTToken(Base64.decodeBase64(parts[0]), Base64.decodeBase64(parts[1]), Base64.decodeBase64(parts[2]));
+// System.out.println("header: " + token.header);
+// System.out.println("claims: " + token.claims);
+// System.out.println("payload: " + new String(token.payload));
+
+ return token;
+ }
+
+ public String getClaim(String claimName) {
+ String claim = null;
+
+ claim = JsonPath.read(claims, "$." + claimName);
+
+ return claim;
+ }
+
+ public String getPrincipal() {
+ return getClaim(JWTToken.PRINCIPAL);
+ }
+
+ public String getIssuer() {
+ return getClaim(JWTToken.ISSUER);
+ }
+
+ public String getAudience() {
+ return getClaim(JWTToken.AUDIENCE);
+ }
+
+ public String getExpires() {
+ return getClaim(JWTToken.EXPIRES);
+ }
+}
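Review bot: `parseToken` indexes `parts[0..2]` of `wireToken.split("\\.")` without checking the count, so a wire token with fewer than two dots — input that arrives from the client — fails with ArrayIndexOutOfBoundsException instead of a controlled rejection; add `if (parts.length != 3) { throw new IllegalArgumentException("malformed token"); }` before constructing the token, and have the authority's verifyToken treat that exception as a verification failure. The claims JSON is built by MessageFormat from `claimTemplate`, which inserts the principal name and audience without JSON escaping, so a name containing a double quote yields malformed or ambiguous claims; build the claims with a JSON serializer or escape the values. Smaller points: `header`, `claims` and `payload` are non-private mutable fields, the three `// System.out.println` lines are dead code, and the `UnsupportedEncodingException` catches can be dropped by using `java.nio.charset.StandardCharsets.UTF_8` if the build targets Java 7 (INSTALL states Java 1.6 or later, so confirm first).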
http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/21e6d1da/hsso-release/home/CHANGES
----------------------------------------------------------------------
diff --git a/hsso-release/home/CHANGES b/hsso-release/home/CHANGES
new file mode 100644
index 0000000..9fdb658
--- /dev/null
+++ b/hsso-release/home/CHANGES
@@ -0,0 +1,15 @@
+------------------------------------------------------------------------------
+Changes v0.2.0 - v0.3.0
+------------------------------------------------------------------------------
+
+------------------------------------------------------------------------------
+Changes v0.1.0 - v0.2.0
+------------------------------------------------------------------------------
+HTTPS Support (Client side)
+Oozie Support
+Protected DataNode URL query strings
+Pluggable Identity Asserters
+Principal Mapping
+URL Rewriting Enhancements
+KnoxShell Client DSL
+
http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/21e6d1da/hsso-release/home/DISCLAIMER
----------------------------------------------------------------------
diff --git a/hsso-release/home/DISCLAIMER b/hsso-release/home/DISCLAIMER
new file mode 100644
index 0000000..e6af5c0
--- /dev/null
+++ b/hsso-release/home/DISCLAIMER
@@ -0,0 +1,15 @@
+Apache Knox is an effort undergoing incubation at the Apache Software
+Foundation (ASF), sponsored by the Apache Incubator PMC.
+
+Incubation is required of all newly accepted projects until a further review
+indicates that the infrastructure, communications, and decision making process
+have stabilized in a manner consistent with other successful ASF projects.
+
+While incubation status is not necessarily a reflection of the completeness
+or stability of the code, it does indicate that the project has yet to be
+fully endorsed by the ASF.
+
+For more information about the incubation status of the Apache Knox project you
+can go to the following page:
+
+http://incubator.apache.org/projects/knox.html
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/21e6d1da/hsso-release/home/INSTALL
----------------------------------------------------------------------
diff --git a/hsso-release/home/INSTALL b/hsso-release/home/INSTALL
new file mode 100644
index 0000000..9cab07b
--- /dev/null
+++ b/hsso-release/home/INSTALL
@@ -0,0 +1,251 @@
+------------------------------------------------------------------------------
+Requirements
+------------------------------------------------------------------------------
+Java:
+ Java 1.6 or later
+
+Hadoop Cluster:
+ A local installation of a Hadoop Cluster is required at this time. Hadoop
+ EC2 cluster and/or Sandbox installations are currently difficult to access
+ remotely via the Gateway. The EC2 and Sandbox limitation is caused by
+ Hadoop services running with internal IP addresses. For the Gateway to work
+ in these cases it will need to be deployed on the EC2 cluster or Sandbox, at
+ this time.
+
+ The instructions that follow assume that the Gateway is *not* collocated
+ with the Hadoop clusters themselves and (most importantly) that the
+ hostnames and IP addresses of the cluster services are accessible by the
+ gateway where ever it happens to be running.
+
+ The Hadoop cluster should be ensured to have WebHDFS, WebHCat
+ (i.e. Templeton) and Oozie configured, deployed and running.
+
+------------------------------------------------------------------------------
+Installation and Deployment Instructions
+------------------------------------------------------------------------------
+1. Install
+ Download and extract the knox-{VERSION}.zip file into the
+ installation directory that will contain your GATEWAY_HOME
+ jar xf knox-{VERSION}.zip
+ This will create a directory 'gateway' in your current directory.
+
+2. Enter Gateway Home directory
+ cd gateway
+ The fully qualified name of this directory will be referenced as
+ {GATEWAY_HOME} throughout the remainder of this document.
+
+3. Start the demo LDAP server (ApacheDS)
+ a. First, understand that the LDAP server provided here is for demonstration
+ purposes. You may configure the LDAP specifics within the topology
+ descriptor for the cluster as described in step 5 below, in order to
+ customize what LDAP instance to use. The assumption is that most users
+ will leverage the demo LDAP server while evaluating this release and
+ should therefore continue with the instructions here in step 3.
+ b. Edit {GATEWAY_HOME}/conf/users.ldif if required and add your users and
+ groups to the file. A number of normal Hadoop users
+ (e.g. hdfs, mapred, hcat, hive) have already been included. Note that
+ the passwords in this file are "fictitious" and have nothing to do with
+ the actual accounts on the Hadoop cluster you are using. There is also
+ a copy of this file in the templates directory that you can use to start
+ over if necessary.
+ c. Start the LDAP server - pointing it to the config dir where it will find
+ the users.ldif file in the conf directory.
+ java -jar bin/ldap.jar conf &
+ There are a number of log messages of the form "Created null." that can
+ safely be ignored. Take note of the port on which it was started as this
+ needs to match later configuration. This will create a directory named
+ 'org.apache.hadoop.gateway.security.EmbeddedApacheDirectoryServer' that
+ can safely be ignored.
+
+4. Start the Gateway server
+ java -jar bin/server.jar
+ a. Take note of the port identified in the logging output as you will need this for
+ accessing the gateway.
+ b. The server will prompt you for the master secret (password). This secret is used
+ to secure artifacts used to secure artifacts used by the gateway server for
+ things like SSL, credential/password aliasing. This secret will have to be entered
+ at startup unless you choose to persist it. Remember this secret and keep it safe.
+ It represents the keys to the kingdom. See the Persisting the Master section for
+ more information.
+
+5. Configure the Gateway with the topology of your Hadoop cluster
+ a. Edit the file {GATEWAY_HOME}/deployments/sample.xml
+ b. Change the host and port in the urls of the <service> elements for
+ NAMENODE, TEMPLETON and OOZIE services to match your Hadoop cluster
+ deployment.
+ c. The default configuration contains the LDAP URL for a LDAP server. By
+ default that file is configured to access the demo ApacheDS based LDAP
+ server and its default configuration. By default, this server listens on
+ port 33389. Optionally, you can change the LDAP URL for the LDAP server
+ to be used for authentication. This is set via the
+ main.ldapRealm.contextFactory.url property in the
+ <gateway><provider><authentication> section.
+ d. Save the file. The directory {GATEWAY_HOME}/deployments is monitored
+ by the Gateway server and reacts to the discovery of a new or changed
+ cluster topology descriptor by provisioning the endpoints and required
+ filter chains to serve the needs of each cluster as described by the
+ topology file. Note that the name of the file excluding the extension
+ is also used as the path for that cluster in the URL. So for example
+ the sample.xml file will result in Gateway URLs of the form
+ http://{gateway-host}:{gateway-port}/gateway/sample/namenode/api/v1
+
+6. Test the installation and configuration of your Gateway
+ Invoke the LISTSATUS operation on HDFS represented by your configured
+ NAMENODE by using your web browser or curl:
+
+ curl -i -k -u hdfs:hdfs-password -X GET \
+ 'https://localhost:8443/gateway/sample/namenode/api/v1/?op=LISTSTATUS'
+
+ The results of the above command should result in something to along the
+ lines of the output below. The exact information returned is subject to
+ the content within HDFS in your Hadoop cluster.
+
+ HTTP/1.1 200 OK
+ Content-Type: application/json
+ Content-Length: 760
+ Server: Jetty(6.1.26)
+
+ {"FileStatuses":{"FileStatus":[
+ {"accessTime":0,"blockSize":0,"group":"hdfs","length":0,"modificationTime":1350595859762,"owner":"hdfs","pathSuffix":"apps","permission":"755","replication":0,"type":"DIRECTORY"},
+ {"accessTime":0,"blockSize":0,"group":"mapred","length":0,"modificationTime":1350595874024,"owner":"mapred","pathSuffix":"mapred","permission":"755","replication":0,"type":"DIRECTORY"},
+ {"accessTime":0,"blockSize":0,"group":"hdfs","length":0,"modificationTime":1350596040075,"owner":"hdfs","pathSuffix":"tmp","permission":"777","replication":0,"type":"DIRECTORY"},
+ {"accessTime":0,"blockSize":0,"group":"hdfs","length":0,"modificationTime":1350595857178,"owner":"hdfs","pathSuffix":"user","permission":"755","replication":0,"type":"DIRECTORY"}
+ ]}}
+
+ For additional information on WebHDFS, Templeton/WebHCat and Oozie
+ REST APIs, see the following URLs respectively:
+
+ http://hadoop.apache.org/docs/current/hadoop-project-dist/hadoop-hdfs/WebHDFS.html
+ http://people.apache.org/~thejas/templeton_doc_v1/
+ http://oozie.apache.org/docs/3.3.1/WebServicesAPI.html
+
+------------------------------------------------------------------------------
+Persisting the Master
+------------------------------------------------------------------------------
+The master secret is required to start the server. This secret is used to access secured artifacts by the gateway
+instance. Keystore, trust stores and credential stores are all protected with the master secret.
+
+You may persist the master secret by supplying the *-persist-master* switch at startup. This will result in a
+warning indicating that persisting the secret is less secure than providing it at startup. We do make some provisions in
+order to protect the persisted password.
+
+It is encrypted with AES 128 bit encryption and where possible the file permissions are set to only be accessible by
+the user that the gateway is running as.
+
+After persisting the secret, ensure that the file at config/security/master has the appropriate permissions set for your
+environment. This is probably the most important layer of defense for master secret. Do not assume that the encryption if
+sufficient protection.
+
+A specific user should be created to run the gateway this will protect a persisted master file.
+
+------------------------------------------------------------------------------
+Management of Security Artifacts
+------------------------------------------------------------------------------
+There are a number of artifacts that are used by the gateway in ensuring the security of wire level communications,
+access to protected resources and the encryption of sensitive data. These artifacts can be managed from outside of
+the gateway instances or generated and populated by the gateway instance itself.
+
+The following is a description of how this is coordinated with both standalone (development, demo, etc) gateway
+instances and instances as part of a cluster of gateways in mind.
+
+Upon start of the gateway server we:
+
+1. Look for an identity store at conf/security/keystores/gateway.jks. The identity store contains the certificate
+ and private key used to represent the identity of the server for SSL connections and signtature creation.
+ a. If there is no identity store we create one and generate a self-signed certificate for use in standalone/demo
+ mode. The certificate is stored with an alias of gateway-identity.
+ b. If there is an identity store found than we ensure that it can be loaded using the provided master secret and
+ that there is an alias with called gateway-identity.
+2. Look for a credential store at conf/security/keystores/__gateway-credentials.jceks. This credential store is used
+ to store secrets/passwords that are used by the gateway. For instance, this is where the passphrase for accessing
+ the gateway-identity certificate is kept.
+ a. If there is no credential store found then we create one and populate it with a generated passphrase for the alias
+ gateway-identity-passphrase. This is coordinated with the population of the self-signed cert into the identity-store.
+ b. If a credential store is found then we ensure that it can be loaded using the provided master secret and that the
+ expected aliases have been populated with secrets.
+
+Upon deployment of a Hadoop cluster topology within the gateway we:
+
+1. Look for a credential store for the topology. For instance, we have a sample topology that gets deployed out of the box.
+ We look for conf/security/keystores/sample-credentials.jceks. This topology specific credential store is used for storing
+ secrets/passwords that are used for encrypting sensitive data with topology specific keys.
+ a. If no credential store is found for the topology being deployed then one is created for it. Population of the aliases
+ is delegated to the configured providers within the system that will require the use of a secret for a particular
+ task. They may programmatically set the value of the secret or choose to have the value for the specified alias
+ generated through the AliasService..
+ b. If a credential store is found then we ensure that it can be loaded with the provided master secret and the confgured
+ providers have the opportunity to ensure that the aliases are populated and if not to populate them.
+
+ By leveraging the algorithm described above we can provide a window of opportunity for management of these artifacts in a
+ number of ways.
+
+ 1. Using a single gateway instance as a master instance the artifacts can be generated or placed into the expected location
+ and then replicated across all of the slave instances before startup.
+ 2. Using an NFS mount as a central location for the artifacts would provide a single source of truth without the need to
+ replicate them over the network. Of course, NFS mounts have their own challenges.
+
+Summary of Secrets to be Managed:
+
+1. Master secret - the same for all gateway instances in a cluster of gateways
+2. All security related artifacts are protected with the master secret
+3. Secrets used by the gateway itself are stored within the gateway credential store and are the same across all gateway
+ instances in the cluster of gateways
+4. Secrets used by providers within cluster topologies are stored in topology specific credential stores and are the same
+ for the same topology across the cluster of gateway instances. However, they are specific to the topology - so secrets
+ for one hadoop cluster are different from those of another. This allows for failover from one gateway instance to another
+ even when encryption is being used while not allowing the compromise of one encryption key to expose the data for all clusters.
+
+NOTE: the SSL certificate will need special consideration depending on the type of certificate. Wildcard certs may be able
+to be shared across all gateway instances in a cluster. When certs are dedicated to specific machines the gateway identity
+store will not be able to be blindly replicated as hostname verification problems will ensue. Obviously, truststores will
+need to be taken into account as well.
+
+------------------------------------------------------------------------------
+Mapping Gateway URLs to Hadoop cluster URLs
+------------------------------------------------------------------------------
+The Gateway functions much like a reverse proxy. As such it maintains a
+mapping of URLs that are exposed externally by the Gateway to URLs that are
+provided by the Hadoop cluster. Examples of mappings for the NameNode and
+Templeton are shown below. These mapping are generated from the combination
+of the Gateway configuration file (i.e. {GATEWAY_HOME}/gateway-site.xml)
+and the cluster topology descriptors
+(e.g. {GATEWAY_HOME}/deployments/<cluster-name>.xml).
+
+ HDFS (NameNode)
+ Gateway: http://<gateway-host>:<gateway-port>/<gateway-path>/<cluster-name>/namenode/api/v1
+ Cluster: http://<namenode-host>:50070/webhdfs/v1
+ WebHCat (Templeton)
+ Gateway: http://<gateway-host>:<gateway-port>/<gateway-path>/<cluster-name>/templeton/api/v1
+ Cluster: http://<templeton-host>:50111/templeton/v1
+ Oozie
+ Gateway: http://<gateway-host>:<gateway-port>/<gateway-path>/<cluster-name>/oozie/api/v1
+ Cluster: http://<templeton-host>:11000/oozie/v1
+
+The values for <gateway-host>, <gateway-port>, <gateway-path> are provided via
+the Gateway configuration file (i.e. {GATEWAY_HOME}/gateway-site.xml).
+
+The value for <cluster-name> is derived from the name of the cluster topology
+descriptor (e.g. {GATEWAY_HOME}/deployments/<cluster-name>.xml).
+
+The value for <namenode-host> and <templeton-host> is provided via the cluster
+topology descriptor (e.g. {GATEWAY_HOME}/deployments/<cluster-name>.xml).
+
+Note: The ports 50070, 50111 and 11000 are the defaults for NameNode,
+ Templeton and Oozie respectively. Their values can also be provided via
+ the cluster topology descriptor if your Hadoop cluster uses different
+ ports.
+
+------------------------------------------------------------------------------
+Usage Examples
+------------------------------------------------------------------------------
+Please see the Apache Knox Gateway website for detailed examples.
+http://knox.incubator.apache.org/examples.html
+
+------------------------------------------------------------------------------
+Enabling logging
+------------------------------------------------------------------------------
+If necessary you can enable additional logging by editing the log4j.properties
+file in the conf directory. Changing the rootLogger value from ERROR to DEBUG
+will generate a large amount of debug logging. A number of useful, more fine
+loggers are also provided in the file.
+
http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/21e6d1da/hsso-release/home/ISSUES
----------------------------------------------------------------------
diff --git a/hsso-release/home/ISSUES b/hsso-release/home/ISSUES
new file mode 100644
index 0000000..6f43c5d
--- /dev/null
+++ b/hsso-release/home/ISSUES
@@ -0,0 +1,10 @@
+------------------------------------------------------------------------------
+Know Issues
+------------------------------------------------------------------------------
+The Gateway cannot be be used against either EC2 cluster unless the gateway
+is deployed within the EC2.
+
+If the cluster deployment descriptors in {GATEWAY_HOME}/deployments are
+incorrect, the errors logged by the gateway are overly detailed and not
+diagnostic enough.
+