This is an automated email from the ASF dual-hosted git repository.

fjy pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/incubator-druid.git


The following commit(s) were added to refs/heads/master by this push:
     new ec4d09a  Remove obsolete isExcluded config from Kerberos authenticator 
(#7745)
ec4d09a is described below

commit ec4d09a02f81d312f677b0aa7c439a23891addef
Author: Jonathan Wei <jon-...@users.noreply.github.com>
AuthorDate: Thu May 23 16:00:05 2019 -0700

    Remove obsolete isExcluded config from Kerberos authenticator (#7745)
---
 .../development/extensions-core/druid-kerberos.md  |  5 +++-
 .../security/kerberos/KerberosAuthenticator.java   | 30 ++--------------------
 2 files changed, 6 insertions(+), 29 deletions(-)

diff --git a/docs/content/development/extensions-core/druid-kerberos.md 
b/docs/content/development/extensions-core/druid-kerberos.md
index 46af7f4..99d6e45 100644
--- a/docs/content/development/extensions-core/druid-kerberos.md
+++ b/docs/content/development/extensions-core/druid-kerberos.md
@@ -54,13 +54,16 @@ The configuration examples in the rest of this document 
will use "kerberos" as t
 |`druid.auth.authenticator.kerberos.serverPrincipal`|`HTTP/_h...@example.com`| 
SPNego service principal used by druid processes|empty|Yes|
 
|`druid.auth.authenticator.kerberos.serverKeytab`|`/etc/security/keytabs/spnego.service.keytab`|SPNego
 service keytab used by druid processes|empty|Yes|
 
|`druid.auth.authenticator.kerberos.authToLocal`|`RULE:[1:$1@$0](dr...@example.com)s/.*/druid
 DEFAULT`|It allows you to set a general rule for mapping principal names to 
local user names. It will be used if there is not an explicit mapping for the 
principal name that is being translated.|DEFAULT|No|
-|`druid.auth.authenticator.kerberos.excludedPaths`|`['/status','/health']`| 
Array of HTTP paths which which does NOT need to be authenticated.|None|No|
 |`druid.auth.authenticator.kerberos.cookieSignatureSecret`|`secretString`| 
Secret used to sign authentication cookies. It is advisable to explicitly set 
it, if you have multiple druid ndoes running on same machine with different 
ports as the Cookie Specification does not guarantee isolation by port.|<Random 
value>|No|
 |`druid.auth.authenticator.kerberos.authorizerName`|Depends on available 
authorizers|Authorizer that requests should be directed to|Empty|Yes|
 
 As a note, it is required that the SPNego principal in use by the druid 
processes must start with HTTP (This specified by 
[RFC-4559](https://tools.ietf.org/html/rfc4559)) and must be of the form 
"HTTP/_HOST@REALM".
 The special string _HOST will be replaced automatically with the value of 
config `druid.host`
 
+### `druid.auth.authenticator.kerberos.excludedPaths`
+
+In older releases, the Kerberos authenticator had an `excludedPaths` property 
that allowed the user to specify a list of paths where authentication checks 
should be skipped. This property has been removed from the Kerberos 
authenticator because the path exclusion functionality is now handled across 
all authenticators/authorizers by setting `druid.auth.unsecuredPaths`, as 
described in the [main auth documentation](../../design/auth.html).
+
 ### Auth to Local Syntax
 `druid.auth.authenticator.kerberos.authToLocal` allows you to set a general 
rules for mapping principal names to local user names.
 The syntax for mapping rules is 
`RULE:\[n:string](regexp)s/pattern/replacement/g`. The integer n indicates how 
many components the target principal should have. If this matches, then a 
string will be formed from string, substituting the realm of the principal for 
$0 and the n‘th component of the principal for $n. e.g. if the principal was 
druid/admin then `\[2:$2$1suffix]` would result in the string 
`admindruidsuffix`.
diff --git 
a/extensions-core/druid-kerberos/src/main/java/org/apache/druid/security/kerberos/KerberosAuthenticator.java
 
b/extensions-core/druid-kerberos/src/main/java/org/apache/druid/security/kerberos/KerberosAuthenticator.java
index 801d394..a58c799 100644
--- 
a/extensions-core/druid-kerberos/src/main/java/org/apache/druid/security/kerberos/KerberosAuthenticator.java
+++ 
b/extensions-core/druid-kerberos/src/main/java/org/apache/druid/security/kerberos/KerberosAuthenticator.java
@@ -66,19 +66,16 @@ import java.io.IOException;
 import java.net.HttpCookie;
 import java.security.Principal;
 import java.text.SimpleDateFormat;
-import java.util.Collections;
 import java.util.Date;
 import java.util.EnumSet;
 import java.util.HashMap;
 import java.util.HashSet;
-import java.util.List;
 import java.util.Locale;
 import java.util.Map;
 import java.util.Properties;
 import java.util.Set;
 import java.util.TimeZone;
 import java.util.concurrent.ThreadLocalRandom;
-import java.util.regex.Pattern;
 import java.util.stream.Collectors;
 
 
@@ -86,15 +83,11 @@ import java.util.stream.Collectors;
 public class KerberosAuthenticator implements Authenticator
 {
   private static final Logger log = new Logger(KerberosAuthenticator.class);
-  private static final Pattern HADOOP_AUTH_COOKIE_REGEX = 
Pattern.compile(".*p=(\\S+)&t=.*");
-  public static final List<String> DEFAULT_EXCLUDED_PATHS = 
Collections.emptyList();
   public static final String SIGNED_TOKEN_ATTRIBUTE = "signedToken";
 
-  private final DruidNode node;
   private final String serverPrincipal;
   private final String serverKeytab;
   private final String authToLocal;
-  private final List<String> excludedPaths;
   private final String cookieSignatureSecret;
   private final String authorizerName;
   private final String name;
@@ -105,17 +98,14 @@ public class KerberosAuthenticator implements Authenticator
       @JsonProperty("serverPrincipal") String serverPrincipal,
       @JsonProperty("serverKeytab") String serverKeytab,
       @JsonProperty("authToLocal") String authToLocal,
-      @JsonProperty("excludedPaths") List<String> excludedPaths,
       @JsonProperty("cookieSignatureSecret") String cookieSignatureSecret,
       @JsonProperty("authorizerName") String authorizerName,
       @JsonProperty("name") String name,
       @JacksonInject @Self DruidNode node
   )
   {
-    this.node = node;
     this.serverKeytab = serverKeytab;
     this.authToLocal = authToLocal == null ? "DEFAULT" : authToLocal;
-    this.excludedPaths = excludedPaths == null ? DEFAULT_EXCLUDED_PATHS : 
excludedPaths;
     this.cookieSignatureSecret = cookieSignatureSecret;
     this.authorizerName = authorizerName;
     this.name = Preconditions.checkNotNull(name);
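Review bot: Dropping the `@JsonProperty("excludedPaths")` constructor parameter changes what happens to deployments that still set `druid.auth.authenticator.kerberos.excludedPaths`, and nothing in this hunk tells the operator. Depending on how the ObjectMapper treats unknown properties (not visible here), the authenticator either fails to deserialize or silently ignores the key. If it is ignored, paths that used to bypass SPNEGO start requiring it with no log line. That is the fail-closed direction, but health probes on those paths would begin to fail, so consider an upgrade note pointing to `druid.auth.unsecuredPaths` or a startup warning when the old key is present. The constructor body continues past the end of the hunk, where `node` is presumably still read now that the `this.node` field is gone.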
@@ -232,14 +222,8 @@ public class KerberosAuthenticator implements Authenticator
           initializeKerberosLogin();
         }
 
-        // Checking for excluded paths is Druid-specific, not from hadoop-auth
-        String path = ((HttpServletRequest) request).getRequestURI();
-        if (isExcluded(path)) {
-          filterChain.doFilter(request, response);
-        } else {
-          // Run the original doFilter method, but with modifications to error 
handling
-          doFilterSuper(request, response, filterChain);
-        }
+        // Run the original doFilter method, but with modifications to error 
handling
+        doFilterSuper(request, response, filterChain);
       }
 
 
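Review bot: The comment left above `doFilterSuper(request, response, filterChain);` no longer explains why this filter has no exclusion branch, so a later maintainer may be tempted to re-add a local bypass. I would extend it with `// Path exclusions are not handled here; they are configured globally via druid.auth.unsecuredPaths.` Every request reaching this method is now passed to `doFilterSuper`, so it is worth confirming that the unsecured-path handling runs ahead of this filter in the chain; that ordering is not visible in the hunk. The enclosing doFilter method starts and ends outside the hunk.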
@@ -427,16 +411,6 @@ public class KerberosAuthenticator implements Authenticator
     throw new UnsupportedOperationException("JDBC Kerberos auth not supported 
yet");
   }
 
-  private boolean isExcluded(String path)
-  {
-    for (String excluded : excludedPaths) {
-      if (path.startsWith(excluded)) {
-        return true;
-      }
-    }
-    return false;
-  }
-
   @Override
   public void decorateProxyRequest(
       HttpServletRequest clientRequest,

