This is an automated email from the ASF dual-hosted git repository. krisden pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/knox.git
The following commit(s) were added to refs/heads/master by this push: new f7acac9 KNOX-2026 - Accept Impala's authentication cookies (#161) f7acac9 is described below commit f7acac99b10064f6f992f3352d2446d6661fe373 Author: Thomas Tauber-Marshall <tmarsh...@cloudera.com> AuthorDate: Wed Oct 9 08:58:32 2019 -0700 KNOX-2026 - Accept Impala's authentication cookies (#161) This patch modifies HadoopAuthCookieStore to accept cookies with Impala's cookie name, "impala.auth". It also updates a check that is used to ensure the cookie belongs to Knox - previously, this check parsed the cookie according to the specific format that Hadoop uses for its cookies and ensures that the Knox principal appears in the expected location. Impala uses a similar cookie format, but with a few changes such as fields being in a different order. The check is made more permissive such that it will accept any cookie that contains the Knox principal anywhere in it. Testing: - Deployed in a cluster and verified that Knox accepts and returns Impala's cookies as expected. --- .../gateway/dispatch/HadoopAuthCookieStore.java | 24 ++++++++-------------- 1 file changed, 9 insertions(+), 15 deletions(-) diff --git a/gateway-spi/src/main/java/org/apache/knox/gateway/dispatch/HadoopAuthCookieStore.java b/gateway-spi/src/main/java/org/apache/knox/gateway/dispatch/HadoopAuthCookieStore.java index bd85617..522019b 100644 --- a/gateway-spi/src/main/java/org/apache/knox/gateway/dispatch/HadoopAuthCookieStore.java +++ b/gateway-spi/src/main/java/org/apache/knox/gateway/dispatch/HadoopAuthCookieStore.java @@ -38,6 +38,7 @@ public class HadoopAuthCookieStore extends BasicCookieStore { private static final String HADOOP_AUTH_COOKIE_NAME = "hadoop.auth"; private static final String HIVE_SERVER2_AUTH_COOKIE_NAME = "hive.server2.auth"; + private static final String IMPALA_AUTH_COOKIE_NAME = "impala.auth"; private static String knoxPrincipal; @@ -73,28 +74,21 @@ public class HadoopAuthCookieStore extends BasicCookieStore { private boolean isAuthCookie(Cookie cookie) { return HADOOP_AUTH_COOKIE_NAME.equals(cookie.getName()) || - HIVE_SERVER2_AUTH_COOKIE_NAME.equals(cookie.getName()); + HIVE_SERVER2_AUTH_COOKIE_NAME.equals(cookie.getName()) || + IMPALA_AUTH_COOKIE_NAME.equals(cookie.getName()); } private boolean isKnoxCookie(Cookie cookie) { boolean result = false; + // We expect cookies to be some delimited list of parameters, eg. username, principal, + // timestamp, random number, etc. along with an HMAC signature. To ensure we only + // store cookies that are relevant to Knox, we check that the Knox principal appears + // somewhere in the cookie value. if (cookie != null) { String value = cookie.getValue(); - if (value != null && !value.isEmpty()) { - String principal = null; - - String[] cookieParts = value.split("&"); - if (cookieParts.length > 1) { - String[] elementParts = cookieParts[1].split("="); - if (elementParts.length == 2) { - principal = elementParts[1]; - } - - if (principal != null) { - result = principal.equals(knoxPrincipal); - } - } + if (value != null && value.contains(knoxPrincipal)) { + result = true; } }