Wahoo - Congrats!
On Wed, Aug 21, 2013 at 2:19 PM, <[email protected]> wrote:
Updated Branches:
refs/heads/master 0f763c6bb -> e36fc4a31
patch to fix KNOX-89, Knox doing SPNego with Hadoop for every
client
request is not scalable
Project:
http://git-wip-us.apache.org/**repos/asf/incubator-knox/repo<http://git-wip-us.apache.org/repos/asf/incubator-knox/repo>
Commit:
http://git-wip-us.apache.org/**repos/asf/incubator-knox/**
commit/e36fc4a3<http://git-wip-us.apache.org/repos/asf/incubator-knox/commit/e36fc4a3>
Tree:
http://git-wip-us.apache.org/**repos/asf/incubator-knox/tree/**e36fc4a3<http://git-wip-us.apache.org/repos/asf/incubator-knox/tree/e36fc4a3>
Diff:
http://git-wip-us.apache.org/**repos/asf/incubator-knox/diff/**e36fc4a3<http://git-wip-us.apache.org/repos/asf/incubator-knox/diff/e36fc4a3>
Branch: refs/heads/master
Commit: e36fc4a3151d208e4327132f2bffb9**e383d2c060
Parents: 0f763c6
Author: Dilli Dorai Arumugam <[email protected]>
Authored: Tue Aug 20 22:37:49 2013 -0700
Committer: Dilli Dorai Arumugam <[email protected]>
Committed: Wed Aug 21 11:12:19 2013 -0700
------------------------------**------------------------------**
----------
.../home/templates/**krb5JAASLogin.conf | 31 +--
.../apache/hadoop/gateway/**GatewayMessages.java | 6 +
.../gateway/dispatch/**AppCookieManager.java | 190
+++++++++++++++++++
.../gateway/dispatch/**HttpClientDispatch.java | 109 ++++++-----
.../gateway/dispatch/**AppCookieManagerTest.java | 53 ++++++
5 files changed, 312 insertions(+), 77 deletions(-)
------------------------------**------------------------------**
----------
http://git-wip-us.apache.org/**repos/asf/incubator-knox/blob/**
e36fc4a3/gateway-release/home/**templates/krb5JAASLogin.conf<http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/e36fc4a3/gateway-release/home/templates/krb5JAASLogin.conf>
------------------------------**------------------------------**
----------
diff --git a/gateway-release/home/**templates/krb5JAASLogin.conf
b/gateway-release/home/**templates/krb5JAASLogin.conf
index cfb4d19..d9f8d7b 100644
--- a/gateway-release/home/**templates/krb5JAASLogin.conf
+++ b/gateway-release/home/**templates/krb5JAASLogin.conf
@@ -17,20 +17,6 @@
*
* IMPORTANT: REPLACE EXAMPLE.COM and keyTab file location
with your
site
specific values
*/
-com.sun.security.jgss.login {
- com.sun.security.auth.module.**Krb5LoginModule required
- renewTGT=true
- doNotPrompt=true
- useKeyTab=true
- keyTab="/etc/knox/conf/knox.**service.keytab"
- principal="[email protected]"
- isInitiator=true
- storeKey=true
- useTicketCache=true
- client=true
- debug=true;
-};
-
com.sun.security.jgss.initiate {
com.sun.security.auth.module.**Krb5LoginModule required
renewTGT=true
@@ -41,20 +27,5 @@ com.sun.security.jgss.initiate {
isInitiator=true
storeKey=true
useTicketCache=true
- client=true
- debug=true;
-};
-
-com.sun.security.jgss.accept {
- com.sun.security.auth.module.**Krb5LoginModule required
- renewTGT=true
- doNotPrompt=true
- useKeyTab=true
- keyTab="/etc/knox/conf/knox.**service.keytab"
- principal="[email protected]"
- isInitiator=true
- storeKey=true
- useTicketCache=true
- client=true
- debug=true;
+ client=true;
};
http://git-wip-us.apache.org/**repos/asf/incubator-knox/blob/**
e36fc4a3/gateway-server/src/**main/java/org/apache/hadoop/**
gateway/GatewayMessages.java<http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/e36fc4a3/gateway-server/src/main/java/org/apache/hadoop/gateway/GatewayMessages.java>
------------------------------**------------------------------**
----------
diff --git
a/gateway-server/src/main/**java/org/apache/hadoop/**
gateway/GatewayMessages.java
b/gateway-server/src/main/**java/org/apache/hadoop/**
gateway/GatewayMessages.java
index 3337b19..34ef775 100644
---
a/gateway-server/src/main/**java/org/apache/hadoop/**
gateway/GatewayMessages.java
+++
b/gateway-server/src/main/**java/org/apache/hadoop/**
gateway/GatewayMessages.java
@@ -260,4 +260,10 @@ public interface GatewayMessages {
@Message( level = MessageLevel.ERROR, text = "Failed to get
map
from
Json string {0}: {1}" )
void failedToGetMapFromJsonString( String json,
@StackTrace( level
=
MessageLevel.DEBUG ) Exception e );
+
+ @Message( level = MessageLevel.INFO, text = "Successful
Knox->Hadoop
SPNegotiation authentication for URL: {0}" )
+ void successfulSPNegoAuthn(String uri);
+
+ @Message( level = MessageLevel.ERROR, text = "Failed
Knox->Hadoop
SPNegotiation authentication for URL: {0}" )
+ void failedSPNegoAuthn(String uri);
}
http://git-wip-us.apache.org/**repos/asf/incubator-knox/blob/**
e36fc4a3/gateway-server/src/**main/java/org/apache/hadoop/**
gateway/dispatch/**AppCookieManager.java<http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/e36fc4a3/gateway-server/src/main/java/org/apache/hadoop/gateway/dispatch/AppCookieManager.java>
------------------------------**------------------------------**
----------
diff --git
a/gateway-server/src/main/**java/org/apache/hadoop/**
gateway/dispatch/**AppCookieManager.java
b/gateway-server/src/main/**java/org/apache/hadoop/**gateway/dispatch/*
*AppCookieManager.java
new file mode 100644
index 0000000..d0f0ecc
--- /dev/null
+++
b/gateway-server/src/main/**java/org/apache/hadoop/**
gateway/dispatch/**AppCookieManager.java
@@ -0,0 +1,190 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ *
http://www.apache.org/**licenses/LICENSE-2.0<http://www.apache.org/licenses/LICENSE-2.0>
+ *
+ * Unless required by applicable law or agreed to in writing,
software
+ * distributed under the License is distributed on an "AS IS"
BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
implied.
+ * See the License for the specific language governing
permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.gateway.**dispatch;
+
+import java.io.IOException;
+import java.net.URI;
+import java.security.Principal;
+
+import org.apache.hadoop.gateway.**GatewayMessages;
+import org.apache.hadoop.gateway.**i18n.messages.MessagesFactory;
+import org.apache.http.Header;
+import org.apache.http.HeaderElement;
+import org.apache.http.HttpEntity;
+import org.apache.http.HttpHost;
+import org.apache.http.HttpRequest;
+import org.apache.http.HttpResponse;
+import org.apache.http.auth.**AuthScope;
+import org.apache.http.auth.**Credentials;
+import org.apache.http.client.**methods.HttpGet;
+import org.apache.http.client.**methods.HttpOptions;
+import org.apache.http.client.**methods.HttpUriRequest;
+import org.apache.http.client.params.**AuthPolicy;
+import org.apache.http.impl.auth.**SPNegoSchemeFactory;
+import org.apache.http.impl.client.**DefaultHttpClient;
+
+/**
+ * Handles SPNego authentication as a client of hadoop service,
caches
+ * hadoop.auth cookie returned by hadoop service on successful
SPNego
+ * authentication. Refreshes hadoop.auth cookie on demand if the
cookie
has
+ * expired.
+ *
+ */
+public class AppCookieManager {
+
+ static final String HADOOP_AUTH = "hadoop.auth";
+ private static final String HADOOP_AUTH_EQ = "hadoop.auth=";
+ private static final String SET_COOKIE = "Set-Cookie";
+
+ private static GatewayMessages LOG =
MessagesFactory.get(**GatewayMessages.class);
+
+ private static final EmptyJaasCredentials
EMPTY_JAAS_CREDENTIALS =
new
EmptyJaasCredentials();
+
+ String appCookie;
+
+ /**
+ * Utility method to excerise AppCookieManager directly
+ * @param args element 0 of args should be a URL to hadoop
service
protected by SPengo
+ * @throws IOException in case of errors
+ */
+ public static void main(String[] args) throws IOException {
+ HttpUriRequest outboundRequest = new HttpGet(args[0]);
+ new AppCookieManager().**getAppCookie(outboundRequest, false);
+ }
+
+ public AppCookieManager() {
+ }
+
+ /**
+ * Fetches hadoop.auth cookie from hadoop service authenticating
using
SpNego
+ *
+ * @param outboundRequest
+ * out going request
+ * @param refresh
+ * flag indicating whether to refresh the cached cookie
+ * @return hadoop.auth cookie from hadoop service authenticating
using
SpNego
+ * @throws IOException
+ * in case of errors
+ */
+ public String getAppCookie(HttpUriRequest outboundRequest,
boolean
refresh)
+ throws IOException {
+
+ URI uri = outboundRequest.getURI();
+ String scheme = uri.getScheme();
+ String host = uri.getHost();
+ int port = uri.getPort();
+ String path = uri.getPath();
+ if (!refresh) {
+ if (appCookie != null) {
+ return appCookie;
+ }
+ }
+
+ DefaultHttpClient client = new DefaultHttpClient();
+ SPNegoSchemeFactory spNegoSF = new SPNegoSchemeFactory(
+ /* stripPort */true);
+ // spNegoSF.setSpengoGenerator(**new
BouncySpnegoTokenGenerator());
+ client.getAuthSchemes().**register(AuthPolicy.SPNEGO, spNegoSF);
+ client.getCredentialsProvider(**).setCredentials(
+ new AuthScope(/* host */null, /* port */-1, /* realm
*/null),
+ EMPTY_JAAS_CREDENTIALS);
+
+ clearAppCookie();
+ String hadoopAuthCookie = null;
+ HttpResponse httpResponse = null;
+ try {
+ HttpHost httpHost = new HttpHost(host, port, scheme);
+ HttpRequest httpRequest = new HttpOptions(path);
+ httpResponse = client.execute(httpHost, httpRequest);
+ Header[] headers = httpResponse.getHeaders(SET_**COOKIE);
+ hadoopAuthCookie = getHadoopAuthCookieValue(**headers);
+ if (hadoopAuthCookie == null) {
+ LOG.failedSPNegoAuthn(uri.**toString());
+ throw new IOException(
+ "SPNego authn failed, can not get hadoop.auth
cookie");
+ }
+ } finally {
+ if (httpResponse != null) {
+ HttpEntity entity = httpResponse.getEntity();
+ if (entity != null) {
+ entity.getContent().close();
+ }
+ }
+
+ }
+ LOG.successfulSPNegoAuthn(uri.**toString());
+ hadoopAuthCookie = HADOOP_AUTH_EQ + quote(hadoopAuthCookie);
+ setAppCookie(hadoopAuthCookie)**;
+ return appCookie;
+ }
+
+ /**
+ * Returns the cached app cookie
+ *
+ * @return the cached app cookie, can be null
+ */
+ public String getCachedKnoxAppCookie() {
+ return appCookie;
+ }
+
+ private void setAppCookie(String appCookie) {
+ this.appCookie = appCookie;
+ }
+
+ private void clearAppCookie() {
+ appCookie = null;
+ }
+
+ static String quote(String s) {
+ return s == null ? s : "\"" + s + "\"";
+ }
+
+ static String getHadoopAuthCookieValue(**Header[] headers) {
+ if (headers == null) {
+ return null;
+ }
+ for (Header header : headers) {
+ HeaderElement[] elements = header.getElements();
+ for (HeaderElement element : elements) {
+ String cookieName = element.getName();
+ if (cookieName.equals(HADOOP_**AUTH)) {
+ if (element.getValue() != null) {
+ String trimmedVal = element.getValue().trim();
+ if (!trimmedVal.isEmpty()) {
+ return trimmedVal;
+ }
+ }
+ }
+ }
+ }
+ return null;
+ }
+
+ private static class EmptyJaasCredentials implements
Credentials {
+
+ public String getPassword() {
+ return null;
+ }
+
+ public Principal getUserPrincipal() {
+ return null;
+ }
+
+ }
+
+}
http://git-wip-us.apache.org/**repos/asf/incubator-knox/blob/**
e36fc4a3/gateway-server/src/**main/java/org/apache/hadoop/**
gateway/dispatch/**HttpClientDispatch.java<http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/e36fc4a3/gateway-server/src/main/java/org/apache/hadoop/gateway/dispatch/HttpClientDispatch.java>
------------------------------**------------------------------**
----------
diff --git
a/gateway-server/src/main/**java/org/apache/hadoop/**
gateway/dispatch/**HttpClientDispatch.java
b/gateway-server/src/main/**java/org/apache/hadoop/**gateway/dispatch/*
*HttpClientDispatch.java
index 2d38aea..ac8d85c 100644
---
a/gateway-server/src/main/**java/org/apache/hadoop/**
gateway/dispatch/**HttpClientDispatch.java
+++
b/gateway-server/src/main/**java/org/apache/hadoop/**
gateway/dispatch/**HttpClientDispatch.java
@@ -17,7 +17,15 @@
*/
package org.apache.hadoop.gateway.**dispatch;
-import org.apache.commons.io.IOUtils;
+import java.io.IOException;
+import java.io.InputStream;
+import java.net.URI;
+import java.net.URISyntaxException;
+import java.security.Principal;
+
+import javax.servlet.http.**HttpServletRequest;
+import javax.servlet.http.**HttpServletResponse;
+
import org.apache.hadoop.gateway.**GatewayMessages;
import org.apache.hadoop.gateway.**GatewayResources;
import org.apache.hadoop.gateway.**config.GatewayConfig;
@@ -26,7 +34,7 @@ import
org.apache.hadoop.gateway.**i18n.resources.**ResourcesFactory;
import org.apache.http.Header;
import org.apache.http.HttpEntity;
import org.apache.http.HttpResponse;
-import org.apache.http.auth.**AuthScope;
+import org.apache.http.HttpStatus;
import org.apache.http.auth.**Credentials;
import org.apache.http.client.**methods.HttpDelete;
import org.apache.http.client.**methods.HttpGet;
@@ -34,39 +42,32 @@ import org.apache.http.client.**
methods.HttpOptions;
import org.apache.http.client.**methods.HttpPost;
import org.apache.http.client.**methods.HttpPut;
import org.apache.http.client.**methods.HttpUriRequest;
-import org.apache.http.client.params.**AuthPolicy;
import org.apache.http.entity.**BufferedHttpEntity;
-import org.apache.http.entity.**ByteArrayEntity;
import org.apache.http.entity.**ContentType;
import org.apache.http.entity.**InputStreamEntity;
-import org.apache.http.impl.auth.**SPNegoSchemeFactory;
import org.apache.http.impl.client.**DefaultHttpClient;
-import org.apache.http.protocol.**BasicHttpContext;
-import org.apache.http.protocol.**HttpContext;
-
-import javax.activation.MimeType;
-import javax.servlet.http.**HttpServletRequest;
-import javax.servlet.http.**HttpServletResponse;
-import java.io.IOException;
-import java.io.InputStream;
-import java.net.URI;
-import java.net.URISyntaxException;
-import java.nio.charset.Charset;
-import java.security.Principal;
+import org.apache.http.message.**BasicHeader;
/**
*
*/
public class HttpClientDispatch extends
AbstractGatewayDispatch {
-
- private static final String CT_APP_WWW_FORM_URL_ENCODED =
"application/x-www-form-**urlencoded";
- private static final String CT_APP_XML = "application/xml";
+
+ // private static final String CT_APP_WWW_FORM_URL_ENCODED =
"application/x-www-form-**urlencoded";
+ // private static final String CT_APP_XML = "application/xml";
+ private static final String Q_DELEGATION_EQ = "?delegation=";
+ private static final String AMP_DELEGATION_EQ = "&delegation=";
+ private static final String COOKIE = "Cookie";
+ private static final String SET_COOKIE = "Set-Cookie";
+ private static final String WWW_AUTHENTICATE =
"WWW-Authenticate";
+ private static final String NEGOTIATE = "Negotiate";
private static GatewayMessages LOG = MessagesFactory.get(
GatewayMessages.class );
private static GatewayResources RES = ResourcesFactory.get(
GatewayResources.class );
- private static final EmptyJaasCredentials
EMPTY_JAAS_CREDENTIALS =
new
EmptyJaasCredentials();
private static final int REPLAY_BUFFER_MAX_SIZE = 1024 *
1024; //
limit
to 1MB
+ private AppCookieManager appCookieManager = new
AppCookieManager();;
+
protected void executeRequest(
HttpUriRequest outboundRequest,
HttpServletRequest inboundRequest,
@@ -74,22 +75,46 @@ public class HttpClientDispatch extends
AbstractGatewayDispatch {
throws IOException {
LOG.dispatchRequest( outboundRequest.getMethod(),
outboundRequest.getURI() );
DefaultHttpClient client = new DefaultHttpClient();
-
- if
("true".equals(System.**getProperty(GatewayConfig.**HADOOP_KERBEROS_SECURED)))
{
- SPNegoSchemeFactory nsf = new SPNegoSchemeFactory(/*
stripPort
*/
true);
- // nsf.setSpengoGenerator(new BouncySpnegoTokenGenerator());
- client.getAuthSchemes().**register(AuthPolicy.SPNEGO, nsf);
- client.getCredentialsProvider(**).setCredentials(
- new AuthScope(/* host */ null, /* port */ -1, /*
realm */
null),
- EMPTY_JAAS_CREDENTIALS);
- }
-
- HttpContext localContext = new BasicHttpContext();
-
HttpResponse inboundResponse;
try {
- inboundResponse = client.execute(**outboundRequest,
localContext);
+ String query = outboundRequest.getURI().**getQuery();
+ if
(!"true".equals(System.**getProperty(GatewayConfig.**
HADOOP_KERBEROS_SECURED)))
{
+ // Hadoop cluster not Kerberos enabled
+ inboundResponse = client.execute(**outboundRequest);
+ } else if (query.contains(Q_DELEGATION_**EQ) ||
+ // query string carries delegation token
+ query.contains(AMP_DELEGATION_**EQ)) {
+ inboundResponse = client.execute(**outboundRequest);
+ } else {
+ // Kerberos secured, no delegation token in query string
+ outboundRequest.removeHeaders(**COOKIE);
+ String appCookie = appCookieManager.**
getCachedKnoxAppCookie();
+ if (appCookie != null) {
+ outboundRequest.addHeader(new BasicHeader(COOKIE,
appCookie));
+ }
+ inboundResponse = client.execute(**outboundRequest);
+ // if inBoundResponse has status 401 and header
WWW-Authenticate:
Negoitate
+ // refresh hadoop.auth.cookie and attempt one more time
+ int statusCode =
inboundResponse.getStatusLine(**).getStatusCode();
+ if (statusCode == HttpStatus.SC_UNAUTHORIZED ) {
+ Header[] wwwAuthHeaders =
inboundResponse.getHeaders(**WWW_AUTHENTICATE) ;
+ if (wwwAuthHeaders != null && wwwAuthHeaders.length
!= 0 &&
+
wwwAuthHeaders[0].getValue().**trim().startsWith(NEGOTIATE)) {
+ appCookie = appCookieManager.getAppCookie(**
outboundRequest,
true);
+ outboundRequest.removeHeaders(**COOKIE);
+ outboundRequest.addHeader(new BasicHeader(COOKIE,
appCookie));
+ client = new DefaultHttpClient();
+ inboundResponse = client.execute(**outboundRequest);
+ } else {
+ // no supported authentication type found
+ // we would let the original response propogate
+ }
+ } else {
+ // not a 401 Unauthorized status code
+ // we would let the original response propogate
+ }
+ }
} catch (IOException e) {
// we do not want to expose back end host. port end
points to
clients, see JIRA KNOX-58
LOG.**dispatchServiceConnectionExcep**tion(
outboundRequest.getURI(),
e
);
@@ -101,6 +126,9 @@ public class HttpClientDispatch extends
AbstractGatewayDispatch {
Header[] headers = inboundResponse.getAllHeaders(**);
for( Header header : headers ) {
String name = header.getName();
+ if (name.equals(SET_COOKIE) ||
name.equals(WWW_AUTHENTICATE)) {
+ continue;
+ }
String value = header.getValue();
outboundResponse.addHeader( name, value );
}
@@ -239,18 +267,5 @@ public class HttpClientDispatch extends
AbstractGatewayDispatch {
// }
//
// }
-
- private static class EmptyJaasCredentials implements
Credentials {
-
- public String getPassword() {
- return null;
- }
-
- public Principal getUserPrincipal() {
- return null;
- }
-
- }
-
}
http://git-wip-us.apache.org/**repos/asf/incubator-knox/blob/**
e36fc4a3/gateway-server/src/**test/java/org/apache/hadoop/**
gateway/dispatch/**AppCookieManagerTest.java<http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/e36fc4a3/gateway-server/src/test/java/org/apache/hadoop/gateway/dispatch/AppCookieManagerTest.java>
------------------------------**------------------------------**
----------
diff --git
a/gateway-server/src/test/**java/org/apache/hadoop/**
gateway/dispatch/**AppCookieManagerTest.java
b/gateway-server/src/test/**java/org/apache/hadoop/**gateway/dispatch/*
*AppCookieManagerTest.java
new file mode 100644
index 0000000..704c41c
--- /dev/null
+++
b/gateway-server/src/test/**java/org/apache/hadoop/**
gateway/dispatch/**AppCookieManagerTest.java
@@ -0,0 +1,53 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ *
http://www.apache.org/**licenses/LICENSE-2.0<http://www.apache.org/licenses/LICENSE-2.0>
+ *
+ * Unless required by applicable law or agreed to in writing,
software
+ * distributed under the License is distributed on an "AS IS"
BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
implied.
+ * See the License for the specific language governing
permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.gateway.**dispatch;
+
+
+import static org.junit.Assert.**assertNotNull;
+import static org.junit.Assert.assertNull;
+
+import org.apache.http.Header;
+import org.apache.http.message.**BasicHeader;
+import org.junit.Test;
+
+public class AppCookieManagerTest {
+
+ @Test
+ public void getCachedKnoxAppCookie() {
+ assertNull(new AppCookieManager().**getCachedKnoxAppCookie());
+ }
+
+ @Test
+ public void getHadoopAuthCookieValueWithNu**llHeaders() {
+ assertNull(AppCookieManager.**getHadoopAuthCookieValue(null)**);
+ }
+
+ @Test
+ public void getHadoopAuthCookieValueWitEmp**tylHeaders() {
+ assertNull(AppCookieManager.**getHadoopAuthCookieValue(new
Header[0]));
+ }
+
+ @Test
+ public void getHadoopAuthCookieValueWithVa**lidlHeaders() {
+ Header[] headers = new Header[1];
+ headers[0] = new BasicHeader("Set-Cookie",
AppCookieManager.HADOOP_AUTH + "=dummyvalue");
+ assertNotNull(**AppCookieManager.**getHadoopAuthCookieValue(**
headers));
+ }
+
+}
+
