Github user sohami commented on a diff in the pull request:
https://github.com/apache/drill/pull/1040#discussion_r158166373
--- Diff:
exec/java-exec/src/main/java/org/apache/drill/exec/server/rest/auth/DrillSpnegoAuthenticator.java
---
@@ -0,0 +1,150 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+
+package org.apache.drill.exec.server.rest.auth;
+
+
+import org.apache.drill.exec.server.rest.WebServerConstants;
+import org.apache.parquet.Strings;
+import org.eclipse.jetty.http.HttpHeader;
+import org.eclipse.jetty.http.HttpVersion;
+import org.eclipse.jetty.security.ServerAuthException;
+import org.eclipse.jetty.security.UserAuthentication;
+import org.eclipse.jetty.security.authentication.DeferredAuthentication;
+import org.eclipse.jetty.security.authentication.SessionAuthentication;
+import org.eclipse.jetty.security.authentication.SpnegoAuthenticator;
+import org.eclipse.jetty.server.Authentication;
+import org.eclipse.jetty.server.HttpChannel;
+import org.eclipse.jetty.server.Request;
+import org.eclipse.jetty.server.Response;
+import org.eclipse.jetty.server.UserIdentity;
+
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import javax.servlet.http.HttpSession;
+import java.io.IOException;
+
+/**
+ * Custom SpnegoAuthenticator for Drill which provides following:
+ * 1) Perform SPNEGO authentication only when spnegoLogin resource is
requested. This helps to avoid authentication
+ * for each and every resource which the JETTY provided authenticator
does.
+ * 2) Helps to redirect to the target URL after authentication is done
successfully.
+ * 3) Clear-Up in memory session information once LogOut is triggered.
Such that any future request also trigger the
+ * SPNEGO authentication.
+ */
+public class DrillSpnegoAuthenticator extends SpnegoAuthenticator {
+
+ private static final org.slf4j.Logger logger =
org.slf4j.LoggerFactory.getLogger(DrillSpnegoAuthenticator.class);
+
+ public DrillSpnegoAuthenticator(String authMethod) {
+ super(authMethod);
+ }
+
+ @Override
+ public Authentication validateRequest(ServletRequest request,
ServletResponse response, boolean mandatory)
+ throws ServerAuthException {
+
+ HttpServletRequest req = (HttpServletRequest) request;
+ HttpServletResponse res = (HttpServletResponse) response;
+ HttpSession session = req.getSession(true);
+ final Authentication authentication =
+ (Authentication)
session.getAttribute("org.eclipse.jetty.security.UserIdentity");
+ String uri = req.getRequestURI();
+
+ //If the Request URI is for /spnegoLogin then perform login
+ mandatory |= uri.equals(WebServerConstants.SPENGO_LOGIN_RESOURCE_PATH);
+
+ //For logout remove the attribute from the session that holds
UserIdentity
+ if (authentication != null &&
uri.equals(WebServerConstants.LOGOUT_RESOURCE_PATH)) {
+ logger.debug("Logging out user {}", req.getRemoteAddr());
+ session.removeAttribute("org.eclipse.jetty.security.UserIdentity");
+ return null;
+ } else if (authentication != null) { // Since already logged in just
return the session attribute
+ return authentication;
+ } else { // The session is not yet authenticated
+ final String header =
req.getHeader(HttpHeader.AUTHORIZATION.asString());
+ if (!mandatory) {
+ return new DeferredAuthentication(this);
+ } else if (header == null) {
+ try {
+ if (DeferredAuthentication.isDeferred(res)) {
+ return Authentication.UNAUTHENTICATED;
+ } else {
+ res.setHeader(HttpHeader.WWW_AUTHENTICATE.asString(),
HttpHeader.NEGOTIATE.asString());
+ res.sendError(401);
+ logger.debug("SPNEGOAuthenticator: Sending challenge to client
{}", req.getRemoteAddr());
+ return Authentication.SEND_CONTINUE;
+ }
+ } catch (IOException var9) {
--- End diff --
This code was developed taking help from the base class implementation of
Jetty and adding bunch of other functionality as mentioned in the class level
documentation. I have changed the variable name and moved documentation from
class level to method level. Licensing for Jetty code is under Apache license.
See
[here](https://github.com/eclipse/jetty.project/blob/jetty-9.4.x/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/SpnegoAuthenticator.java)
---
