[
https://issues.apache.org/jira/browse/HADOOP-10771?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Alejandro Abdelnur updated HADOOP-10771:
----------------------------------------
Attachment: HADOOP-10771.patch
HADOOP-10771.sh
Run the script first, using 'fs' parameter if in a GIT checkout or using 'svn'
if in a SVN checkout.
Following are some comments that may help the review.
*Moves:*
{code}
src:
hadoop-hdfs-project/hadoop-hdfs-httpfs/src/main/java/org/apache/hadoop/fs/http/client/HttpFSKerberosAuthenticator.java
dst:
hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/DelegationTokenAuthenticator.java
NOTES: refactored client Delegation Token management logic (get/renew/cancel)
into an auth abstract authenticator. introduced a special auth-token subclass to
encapsulate client side handling of the delegation token.
src:
hadoop-hdfs-project/hadoop-hdfs-httpfs/src/main/java/org/apache/hadoop/fs/http/client/HttpFSPseudoAuthenticator.java
dst:
hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/PseudoDelegationTokenAuthenticator.java
NOTES: simple move, this is a simple authenticator that uses UGI instead of
System.getProperties("user.name") as in hadoop-auth
src:
hadoop-hdfs-project/hadoop-hdfs-httpfs/src/main/java/org/apache/hadoop/fs/http/server/HttpFSAuthenticationFilter.java
dst:
hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/DelegationTokenAuthenticationFilter.java
NOTES: move and minor clean up of config loading for general use.
src:
hadoop-hdfs-project/hadoop-hdfs-httpfs/src/main/java/org/apache/hadoop/fs/http/server/HttpFSKerberosAuthenticationHandler.java
dst:
hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/DelegationTokenAuthenticationHandler.java
NOTES: simple move and minor tweaks. this is where the Delegation Token
management (get/renew/cancel) happens on the server side.
src:
hadoop-hdfs-project/hadoop-hdfs-httpfs/src/main/java/org/apache/hadoop/lib/service/DelegationTokenIdentifier.java
dst:
hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/DelegationTokenIdentifier.java
NOTES: simple move
src:
hadoop-hdfs-project/hadoop-hdfs-httpfs/src/main/java/org/apache/hadoop/lib/service/security/DelegationTokenManagerService.java
dst:
hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/DelegationTokenManager.java
NOTES: move and code simplification, and generalization to be able to use an
existing secret manager if provided in the servlet context.
src:
hadoop-hdfs-project/hadoop-hdfs-httpfs/src/test/java/org/apache/hadoop/lib/service/security/TestDelegationTokenManagerService.java
dst:
hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/token/delegation/web/TestDelegationTokenManager.java
NOTES: simple move
src:
hadoop-hdfs-project/hadoop-hdfs-httpfs/src/test/java/org/apache/hadoop/fs/http/server/TestHttpFSKerberosAuthenticationHandler.java
dst:
hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/token/delegation/web/TestDelegationTokenAuthenticationHandlerWithMocks.java
NOTES: move, adding more tests.
{code}
*New code:*
* DelegationTokenAuthenticatedURL.java: AuthenticatedURL subclass providing
public API to do delegation token management.
* KerberosDelegationTokenAuthenticator.java: client subclass that composes the
existing Kerberos authenticator with the delegation token management one.
* PseudoDelegationTokenAuthenticator.java: client subclass that composes the
existing simple authenticator with the delegation token management one.
* PseudoDelegationTokenAuthenticationHandler.java: server subclass that
provides pseudo auth with delegation token support, simply setting the
auth-token type to be 'simple-dt'.
* KerberosDelegationTokenAuthenticationHandler.java: server subclass that
provides kerberos auth with delegation token support, simply setting the
auth-token type to be 'kerberos-dt'.
> Refactor HTTP delegation support out of httpfs to common
> --------------------------------------------------------
>
> Key: HADOOP-10771
> URL: https://issues.apache.org/jira/browse/HADOOP-10771
> Project: Hadoop Common
> Issue Type: Improvement
> Components: security
> Affects Versions: 3.0.0
> Reporter: Alejandro Abdelnur
> Assignee: Alejandro Abdelnur
> Attachments: HADOOP-10771.patch, HADOOP-10771.sh
>
>
> HttpFS implements delegation token support in {{AuthenticationFilter}} &
> {{AuthenticationHandler}} subclasses.
> For HADOOP-10770 we need similar functionality for KMS.
> Not to duplicate code, we should refactor existing code to common.