Posted to reviews@impala.apache.org by "Thomas Tauber-Marshall (Code Review)" <ge...@cloudera.org> on 2019/07/09 01:22:25 UTC

[Impala-ASF-CR] IMPALA-8584: Add cookie support to the HTTP HS2 server

Hello Andrew Sherman, Todd Lipcon, Impala Public Jenkins, 

I'd like you to reexamine a change. Please visit

    http://gerrit.cloudera.org:8080/13672

to look at the new patch set (#3).

Change subject: IMPALA-8584: Add cookie support to the HTTP HS2 server
......................................................................

IMPALA-8584: Add cookie support to the HTTP HS2 server

This patch modifies the HTTP HS2 server to accept cookies for
authentication in order to avoid having to authenticate every request
through LDAP.

It adds a flag, --max_cookie_lifetime_s, that determines how long
generated cookies are valid for. Setting the flag to 0 disables cookie
support.

The cookies include a SHA256 HMAC signature that is used to verify
them. They also have a timestamp that is used to determine if they
have expired. If a cookie is successfully verified and hasn't expired,
the username contained in the cookie is set on the connection.

Each impalad uses its own key to generate the signature, so clients
that reconnect to a different impalad will have to reauthenticate.
On a single impalad cookies are valid across sessions and connections.

A new cookie is generated and sent back with the Set-Cookie header
on each request that was not authenticated with a cookie.

Cookies are of the form:
impala.hs2.auth=<cookie>;HttpOnly;MaxAge=<max_cookie_lifetime_s>
  <optional ';Secure' flag>
where:
cookie = <signature>&<username>&<create timestamp>&<random number>
and 'signature' is the SHA256 HMAC of the rest of the cookie

The 'Secure' flag, which indicates to clients that the cookie should
only be sent over secure connections, is omitted if
'--ldap_passwords_in_clear_ok' is true. This is intended only for
testing.

It also adds the metrics:
impala.thrift-server.hiveserver2-http-frontend.total-cookie-auth-success
impala.thrift-server.hiveserver2-http-frontend.total-cookie-auth-failure

Testing:
- Added tests to the FE LDAP tests that use the metrics to verify
  successful and failed cookie attempts.

Change-Id: I647c06f94ef91aa3b6413e91576c4ec506ed57f4
---
M be/src/rpc/CMakeLists.txt
M be/src/rpc/TAcceptQueueServer.cpp
M be/src/rpc/auth-provider.h
M be/src/rpc/authentication.cc
A be/src/rpc/cookie-util.cc
A be/src/rpc/cookie-util.h
M be/src/rpc/thrift-server.cc
M be/src/rpc/thrift-server.h
M be/src/service/impala-hs2-server.cc
M be/src/service/impala-server.cc
M be/src/service/impala-server.h
M be/src/transport/THttpServer.cpp
M be/src/transport/THttpServer.h
M be/src/util/openssl-util.cc
M be/src/util/openssl-util.h
M common/thrift/metrics.json
M fe/src/test/java/org/apache/impala/customcluster/LdapHS2Test.java
M fe/src/test/java/org/apache/impala/customcluster/LdapJdbcTest.java
M fe/src/test/java/org/apache/impala/service/JdbcTestBase.java
19 files changed, 517 insertions(+), 72 deletions(-)


  git pull ssh://gerrit.cloudera.org:29418/Impala-ASF refs/changes/72/13672/3
-- 
To view, visit http://gerrit.cloudera.org:8080/13672
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: newpatchset
Gerrit-Change-Id: I647c06f94ef91aa3b6413e91576c4ec506ed57f4
Gerrit-Change-Number: 13672
Gerrit-PatchSet: 3
Gerrit-Owner: Thomas Tauber-Marshall <tm...@cloudera.com>
Gerrit-Reviewer: Andrew Sherman <as...@cloudera.com>
Gerrit-Reviewer: Impala Public Jenkins <im...@cloudera.com>
Gerrit-Reviewer: Todd Lipcon <to...@apache.org>
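
The cookie scheme described in the commit message above, as an added Python example that is not Impala's code and not part of the original message. The hex-encoded signature, the seconds-resolution timestamp, the 64-bit random field, the way the key is generated and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

COOKIE_NAME = "impala.hs2.auth"   # cookie name from the commit message
MAX_COOKIE_LIFETIME_S = 3600      # constructed value standing in for --max_cookie_lifetime_s
KEY = secrets.token_bytes(32)     # per-process key: another process cannot verify our cookies


def _sign(key, payload):
    # SHA256 HMAC over everything after the signature field (hex is an assumption).
    return hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()


def make_cookie(username, key=KEY, now=None):
    """Build <signature>&<username>&<create timestamp>&<random number>."""
    if "&" in username:
        raise ValueError("username must not contain the field separator")
    created = int(time.time() if now is None else now)
    payload = f"{username}&{created}&{secrets.randbits(64)}"
    return f"{_sign(key, payload)}&{payload}"


def set_cookie_header(cookie, secure=True):
    """Set-Cookie value in the form given in the commit message."""
    value = f"{COOKIE_NAME}={cookie};HttpOnly;MaxAge={MAX_COOKIE_LIFETIME_S}"
    return value + (";Secure" if secure else "")


def verify_cookie(cookie, key=KEY, now=None, max_age=MAX_COOKIE_LIFETIME_S):
    """Return the username if the cookie verifies and is unexpired, else None."""
    if max_age == 0:                      # a lifetime of 0 disables cookie support
        return None
    signature, sep, payload = cookie.partition("&")
    fields = payload.split("&")
    if not sep or len(fields) != 3:
        return None
    # Check the signature first, in constant time, before trusting any field.
    if not hmac.compare_digest(signature.encode(), _sign(key, payload).encode()):
        return None
    username, created, _nonce = fields
    if not created.isdigit():
        return None
    age = int(time.time() if now is None else now) - int(created)
    return username if 0 <= age <= max_age else None
```

The expiry check relies on the signed timestamp rather than on the client honouring the cookie's lifetime attribute, so a replayed old cookie is rejected server-side.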