Repository: knox Updated Branches: refs/heads/master c65fbb878 -> 432494a17
KNOX-659 - Default Keystore Details in Pac4j Provider SAML Config to Gateway Identity Project: http://git-wip-us.apache.org/repos/asf/knox/repo Commit: http://git-wip-us.apache.org/repos/asf/knox/commit/432494a1 Tree: http://git-wip-us.apache.org/repos/asf/knox/tree/432494a1 Diff: http://git-wip-us.apache.org/repos/asf/knox/diff/432494a1 Branch: refs/heads/master Commit: 432494a17ef2a9c329531b76bd3a4446b866c15e Parents: c65fbb8 Author: Larry McCay <lmc...@hortonworks.com> Authored: Fri Jan 29 13:54:58 2016 -0500 Committer: Larry McCay <lmc...@hortonworks.com> Committed: Fri Jan 29 13:54:58 2016 -0500 ---------------------------------------------------------------------- .../hadoop/gateway/pac4j/Pac4jMessages.java | 4 +++ .../pac4j/filter/Pac4jDispatcherFilter.java | 38 +++++++++++++++++++- .../services/DefaultGatewayServices.java | 1 + .../security/impl/DefaultKeystoreService.java | 21 +++++++---- .../services/security/KeystoreService.java | 2 ++ 5 files changed, 58 insertions(+), 8 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/knox/blob/432494a1/gateway-provider-security-pac4j/src/main/java/org/apache/hadoop/gateway/pac4j/Pac4jMessages.java ---------------------------------------------------------------------- diff --git a/gateway-provider-security-pac4j/src/main/java/org/apache/hadoop/gateway/pac4j/Pac4jMessages.java b/gateway-provider-security-pac4j/src/main/java/org/apache/hadoop/gateway/pac4j/Pac4jMessages.java index b3526ae..51be6a0 100644 --- a/gateway-provider-security-pac4j/src/main/java/org/apache/hadoop/gateway/pac4j/Pac4jMessages.java +++ b/gateway-provider-security-pac4j/src/main/java/org/apache/hadoop/gateway/pac4j/Pac4jMessages.java @@ -40,4 +40,8 @@ public interface Pac4jMessages { @Message( level = MessageLevel.ERROR, text = "Unable to generate a password for encryption") public void unableToGenerateAPasswordForEncryption(Exception e); + + @Message( level = MessageLevel.INFO, text = + "No private key passphrase alias found. Defaulting to master. Exception encountered: {0}") + public void noPrivateKeyPasshraseProvisioned(Exception e); } http://git-wip-us.apache.org/repos/asf/knox/blob/432494a1/gateway-provider-security-pac4j/src/main/java/org/apache/hadoop/gateway/pac4j/filter/Pac4jDispatcherFilter.java ---------------------------------------------------------------------- diff --git a/gateway-provider-security-pac4j/src/main/java/org/apache/hadoop/gateway/pac4j/filter/Pac4jDispatcherFilter.java b/gateway-provider-security-pac4j/src/main/java/org/apache/hadoop/gateway/pac4j/filter/Pac4jDispatcherFilter.java index 65a42cc..da446ab 100644 --- a/gateway-provider-security-pac4j/src/main/java/org/apache/hadoop/gateway/pac4j/filter/Pac4jDispatcherFilter.java +++ b/gateway-provider-security-pac4j/src/main/java/org/apache/hadoop/gateway/pac4j/filter/Pac4jDispatcherFilter.java @@ -21,6 +21,8 @@ import org.apache.hadoop.gateway.i18n.messages.MessagesFactory; import org.apache.hadoop.gateway.pac4j.Pac4jMessages; import org.apache.hadoop.gateway.pac4j.session.KnoxSessionStore; import org.apache.hadoop.gateway.services.GatewayServices; +import org.apache.hadoop.gateway.services.security.KeystoreService; +import org.apache.hadoop.gateway.services.security.MasterService; import org.apache.hadoop.gateway.services.security.AliasService; import org.apache.hadoop.gateway.services.security.AliasServiceException; import org.apache.hadoop.gateway.services.security.CryptoService; @@ -73,20 +75,24 @@ public class Pac4jDispatcherFilter implements Filter { private CallbackFilter callbackFilter; private RequiresAuthenticationFilter requiresAuthenticationFilter; + private MasterService masterService = null; + private KeystoreService keystoreService = null; + private AliasService aliasService = null; @Override public void init( FilterConfig filterConfig ) throws ServletException { // JWT service final ServletContext context = filterConfig.getServletContext(); CryptoService cryptoService = null; - AliasService aliasService = null; String clusterName = null; if (context != null) { GatewayServices services = (GatewayServices) context.getAttribute(GatewayServices.GATEWAY_SERVICES_ATTRIBUTE); clusterName = (String) context.getAttribute(GatewayServices.GATEWAY_CLUSTER_ATTRIBUTE); if (services != null) { + keystoreService = (KeystoreService) services.getService(GatewayServices.KEYSTORE_SERVICE); cryptoService = (CryptoService) services.getService(GatewayServices.CRYPTO_SERVICE); aliasService = (AliasService) services.getService(GatewayServices.ALIAS_SERVICE); + masterService = (MasterService) services.getService("MasterService"); } } // crypto service, alias service and cluster name are mandatory @@ -124,6 +130,7 @@ public class Pac4jDispatcherFilter implements Filter { // get clients from the init parameters final Map<String, String> properties = new HashMap<>(); final Enumeration<String> names = filterConfig.getInitParameterNames(); + addDefaultConfig(clientNameParameter, properties); while (names.hasMoreElements()) { final String key = names.nextElement(); properties.put(key, filterConfig.getInitParameter(key)); @@ -152,6 +159,35 @@ public class Pac4jDispatcherFilter implements Filter { ConfigSingleton.setConfig(config); } + private void addDefaultConfig(String clientNameParameter, Map<String, String> properties) { + // add default saml params + if (clientNameParameter.contains("SAML2Client")) { + properties.put(PropertiesConfigFactory.SAML_KEYSTORE_PATH, + keystoreService.getKeystorePath()); + + properties.put(PropertiesConfigFactory.SAML_KEYSTORE_PASSWORD, + new String(masterService.getMasterSecret())); + + // check for provisioned alias for private key + char[] gip = null; + try { + gip = aliasService.getGatewayIdentityPassphrase(); + } + catch(AliasServiceException ase) { + log.noPrivateKeyPasshraseProvisioned(ase); + } + if (gip != null) { + properties.put(PropertiesConfigFactory.SAML_PRIVATE_KEY_PASSWORD, + new String(gip)); + } + else { + // no alias provisioned then use the master + properties.put(PropertiesConfigFactory.SAML_PRIVATE_KEY_PASSWORD, + new String(masterService.getMasterSecret())); + } + } + } + @Override public void doFilter( ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException { http://git-wip-us.apache.org/repos/asf/knox/blob/432494a1/gateway-server/src/main/java/org/apache/hadoop/gateway/services/DefaultGatewayServices.java ---------------------------------------------------------------------- diff --git a/gateway-server/src/main/java/org/apache/hadoop/gateway/services/DefaultGatewayServices.java b/gateway-server/src/main/java/org/apache/hadoop/gateway/services/DefaultGatewayServices.java index fe4125a..4455078 100644 --- a/gateway-server/src/main/java/org/apache/hadoop/gateway/services/DefaultGatewayServices.java +++ b/gateway-server/src/main/java/org/apache/hadoop/gateway/services/DefaultGatewayServices.java @@ -61,6 +61,7 @@ public class DefaultGatewayServices implements GatewayServices { ks = new DefaultKeystoreService(); ks.setMasterService(ms); ks.init(config, options); + services.put(KEYSTORE_SERVICE, ks); DefaultAliasService alias = new DefaultAliasService(); alias.setKeystoreService(ks); http://git-wip-us.apache.org/repos/asf/knox/blob/432494a1/gateway-server/src/main/java/org/apache/hadoop/gateway/services/security/impl/DefaultKeystoreService.java ---------------------------------------------------------------------- diff --git a/gateway-server/src/main/java/org/apache/hadoop/gateway/services/security/impl/DefaultKeystoreService.java b/gateway-server/src/main/java/org/apache/hadoop/gateway/services/security/impl/DefaultKeystoreService.java index 8d91c65..4500230 100644 --- a/gateway-server/src/main/java/org/apache/hadoop/gateway/services/security/impl/DefaultKeystoreService.java +++ b/gateway-server/src/main/java/org/apache/hadoop/gateway/services/security/impl/DefaultKeystoreService.java @@ -48,7 +48,7 @@ public class DefaultKeystoreService extends BaseKeystoreService implements Keyst private static final String dnTemplate = "CN={0},OU=Test,O=Hadoop,L=Test,ST=Test,C=US"; private static final String CREDENTIALS_SUFFIX = "-credentials.jceks"; - private static final String GATEWAY_KEYSTORE = "gateway.jks"; + public static final String GATEWAY_KEYSTORE = "gateway.jks"; private static final String CERT_GEN_MODE = "hadoop.gateway.cert.gen.mode"; private static final String CERT_GEN_MODE_LOCALHOST = "localhost"; private static final String CERT_GEN_MODE_HOSTNAME = "hostname"; @@ -77,7 +77,7 @@ public class DefaultKeystoreService extends BaseKeystoreService implements Keyst @Override public void createKeystoreForGateway() throws KeystoreServiceException { - String filename = keyStoreDir + GATEWAY_KEYSTORE; + String filename = getKeystorePath(); createKeystore(filename, "JKS"); } @@ -149,26 +149,30 @@ public class DefaultKeystoreService extends BaseKeystoreService implements Keyst @Override public boolean isCredentialStoreForClusterAvailable(String clusterName) throws KeystoreServiceException { + boolean rc = false; final File keyStoreFile = new File( keyStoreDir + clusterName + CREDENTIALS_SUFFIX ); try { - return isKeystoreAvailable(keyStoreFile, "JCEKS"); + rc = isKeystoreAvailable(keyStoreFile, "JCEKS"); } catch (KeyStoreException e) { throw new KeystoreServiceException(e); } catch (IOException e) { throw new KeystoreServiceException(e); } + return rc; } @Override public boolean isKeystoreForGatewayAvailable() throws KeystoreServiceException { + boolean rc = false; final File keyStoreFile = new File( keyStoreDir + GATEWAY_KEYSTORE ); try { - return isKeystoreAvailable(keyStoreFile, "JKS"); + rc = isKeystoreAvailable(keyStoreFile, "JKS"); } catch (KeyStoreException e) { throw new KeystoreServiceException(e); } catch (IOException e) { throw new KeystoreServiceException(e); } + return rc; } @Override @@ -242,9 +246,7 @@ public class DefaultKeystoreService extends BaseKeystoreService implements Keyst return credential; } - /* (non-Javadoc) - * @see org.apache.hadoop.gateway.services.security.KeystoreService#removeCredentialForCluster(java.lang.String, java.lang.String, java.security.KeyStore) - */ + @Override public void removeCredentialForCluster(String clusterName, String alias) throws KeystoreServiceException { KeyStore ks = getCredentialStoreForCluster(clusterName); @@ -262,4 +264,9 @@ public class DefaultKeystoreService extends BaseKeystoreService implements Keyst LOG.failedToRemoveCredentialForCluster(clusterName, e); } } + + @Override + public String getKeystorePath() { + return keyStoreDir + GATEWAY_KEYSTORE; + } } http://git-wip-us.apache.org/repos/asf/knox/blob/432494a1/gateway-spi/src/main/java/org/apache/hadoop/gateway/services/security/KeystoreService.java ---------------------------------------------------------------------- diff --git a/gateway-spi/src/main/java/org/apache/hadoop/gateway/services/security/KeystoreService.java b/gateway-spi/src/main/java/org/apache/hadoop/gateway/services/security/KeystoreService.java index 04a35f4..6ed8990 100644 --- a/gateway-spi/src/main/java/org/apache/hadoop/gateway/services/security/KeystoreService.java +++ b/gateway-spi/src/main/java/org/apache/hadoop/gateway/services/security/KeystoreService.java @@ -45,4 +45,6 @@ public interface KeystoreService { public void removeCredentialForCluster(String clusterName, String alias) throws KeystoreServiceException; public char[] getCredentialForCluster(String clusterName, String alias) throws KeystoreServiceException; + + public String getKeystorePath(); }