/**
 * Registers the SPNEGO authentication filter on the web application context.
 *
 * <p>The Kerberos principal and keytab are added to the filter parameters only when the
 * corresponding configuration values are present and non-empty. The authentication type
 * is always set to {@code "kerberos"}.
 *
 * @param conf configuration the principal and keytab settings are read from
 * @param hostName host name handed to {@code SecurityUtil.getServerPrincipal} along with
 *     the configured principal
 * @param usernameConfKey configuration key that holds the principal
 * @param keytabConfKey configuration key that holds the keytab location
 * @throws IOException presumably when the server principal cannot be resolved
 */
private void initSpnego(Configuration conf, String hostName, String usernameConfKey,
    String keytabConfKey) throws IOException {
  final Map<String, String> spnegoParams = new HashMap<>();

  final String configuredPrincipal = conf.get(usernameConfKey);
  final boolean hasPrincipal = configuredPrincipal != null && !configuredPrincipal.isEmpty();
  if (hasPrincipal) {
    final String resolvedPrincipal =
        SecurityUtil.getServerPrincipal(configuredPrincipal, hostName);
    spnegoParams.put("kerberos.principal", resolvedPrincipal);
  }

  final String keytabLocation = conf.get(keytabConfKey);
  final boolean hasKeytab = keytabLocation != null && !keytabLocation.isEmpty();
  if (hasKeytab) {
    spnegoParams.put("kerberos.keytab", keytabLocation);
  }

  // NOTE(review): the filter is registered as "kerberos" even when the principal or the
  // keytab was skipped above; confirm the filter fails closed at init in that case.
  spnegoParams.put(AuthenticationFilter.AUTH_TYPE, "kerberos");

  defineFilter(webAppContext, SPNEGO_FILTER, AuthenticationFilter.class.getName(),
      spnegoParams, null);
}
/**
 * Builds the filter configuration from the servlet init parameters and then pins the
 * authentication type.
 *
 * <p>Every init parameter whose name starts with {@code configPrefix} is copied with the
 * prefix stripped. Afterwards the auth type is forced to {@code "simple"} and anonymous
 * access is forced to {@code "false"}, overriding whatever the init parameters supplied
 * for those two keys.
 *
 * @param configPrefix prefix selecting which init parameters are copied
 * @param filterConfig servlet filter configuration to read from
 * @return the resulting properties
 * @throws ServletException declared by the overridden method; not thrown by this body
 */
@Override
protected Properties getConfiguration(String configPrefix, FilterConfig filterConfig)
    throws ServletException {
  final Properties filterProps = new Properties();

  for (Enumeration<?> paramNames = filterConfig.getInitParameterNames();
      paramNames.hasMoreElements();) {
    final String paramName = (String) paramNames.nextElement();
    if (!paramName.startsWith(configPrefix)) {
      continue;
    }
    final String paramValue = filterConfig.getInitParameter(paramName);
    filterProps.put(paramName.substring(configPrefix.length()), paramValue);
  }

  // Set last so that prefixed init parameters cannot override these two values.
  // NOTE(review): "simple" presumably selects the pseudo handler, which does not verify
  // credentials; confirm this filter is only used where that is acceptable.
  filterProps.put(AuthenticationFilter.AUTH_TYPE, "simple");
  filterProps.put(PseudoAuthenticationHandler.ANONYMOUS_ALLOWED, "false");
  return filterProps;
}
/**
 * Registers the SPNEGO authentication filter, resolving the principal against the
 * listener's host.
 *
 * <p>Principal and keytab are only added when their configuration values are present and
 * non-empty; the auth type is always {@code "kerberos"}.
 *
 * @param conf configuration the principal and keytab settings are read from
 * @param usernameConfKey configuration key that holds the principal
 * @param keytabConfKey configuration key that holds the keytab location
 * @throws IOException presumably when the server principal cannot be resolved
 */
protected void initSpnego(Configuration conf, String usernameConfKey, String keytabConfKey)
    throws IOException {
  final Map<String, String> filterParams = new HashMap<String, String>();

  final String principalSetting = conf.get(usernameConfKey);
  if (principalSetting != null) {
    if (!principalSetting.isEmpty()) {
      // The listener host is only queried when a principal is actually configured.
      filterParams.put("kerberos.principal",
          SecurityUtil.getServerPrincipal(principalSetting, listener.getHost()));
    }
  }

  final String keytabSetting = conf.get(keytabConfKey);
  if (keytabSetting != null) {
    if (!keytabSetting.isEmpty()) {
      filterParams.put("kerberos.keytab", keytabSetting);
    }
  }

  // NOTE(review): a missing principal or keytab is skipped silently here; confirm the
  // filter itself rejects an incomplete Kerberos configuration at startup.
  filterParams.put(AuthenticationFilter.AUTH_TYPE, "kerberos");

  defineFilter(webAppContext, SPNEGO_FILTER, AuthenticationFilter.class.getName(),
      filterParams, null);
}
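/**
 * Verifies that {@code FileSignerSecretProvider} returns the contents of the configured
 * secret file both as the current secret and as the single entry of all secrets.
 *
 * @throws Exception if the fixture file cannot be written or the provider fails to
 *     initialise
 */
@Test
public void testGetSecrets() throws Exception {
  File testDir = new File(System.getProperty("test.build.data", "target/test-dir"));
  // mkdirs() returns false when the directory already exists, so accept either outcome
  // but fail early with a clear message when the directory is really unavailable.
  Assert.assertTrue("could not create " + testDir,
      testDir.mkdirs() || testDir.isDirectory());

  // Fixed fixture value for the test; not a real signing secret.
  String secretValue = "hadoop";
  File secretFile = new File(testDir, "http-secret.txt");

  // try-with-resources closes the writer even when write() throws; the original leaked
  // the file handle on that path.
  try (Writer writer = new FileWriter(secretFile)) {
    writer.write(secretValue);
  }

  FileSignerSecretProvider secretProvider = new FileSignerSecretProvider();
  Properties secretProviderProps = new Properties();
  secretProviderProps.setProperty(
      AuthenticationFilter.SIGNATURE_SECRET_FILE, secretFile.getAbsolutePath());
  secretProvider.init(secretProviderProps, null, -1);

  Assert.assertArrayEquals(secretValue.getBytes(), secretProvider.getCurrentSecret());
  byte[][] allSecrets = secretProvider.getAllSecrets();
  Assert.assertEquals(1, allSecrets.length);
  Assert.assertArrayEquals(secretValue.getBytes(), allSecrets[0]);
}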
/**
 * Defines the SPNEGO filter for the web application using Kerberos settings from
 * {@code conf}.
 *
 * <p>{@code kerberos.principal} and {@code kerberos.keytab} are set only for configuration
 * values that are present and non-empty; the auth type is always {@code "kerberos"}.
 *
 * @param conf configuration the principal and keytab settings are read from
 * @param hostName host name passed to {@code SecurityUtil.getServerPrincipal}
 * @param usernameConfKey configuration key that holds the principal
 * @param keytabConfKey configuration key that holds the keytab location
 * @throws IOException presumably when the server principal cannot be resolved
 */
private void initSpnego(Configuration conf, String hostName, String usernameConfKey,
    String keytabConfKey) throws IOException {
  final Map<String, String> kerberosParams = new HashMap<String, String>();
  kerberosParams.put(AuthenticationFilter.AUTH_TYPE, "kerberos");

  final String principalValue = conf.get(usernameConfKey);
  final boolean principalMissing = principalValue == null || principalValue.isEmpty();
  if (!principalMissing) {
    kerberosParams.put("kerberos.principal",
        SecurityUtil.getServerPrincipal(principalValue, hostName));
  }

  final String keytabValue = conf.get(keytabConfKey);
  final boolean keytabMissing = keytabValue == null || keytabValue.isEmpty();
  if (!keytabMissing) {
    kerberosParams.put("kerberos.keytab", keytabValue);
  }

  // NOTE(review): nothing here reports a missing principal or keytab; confirm the filter
  // refuses to start rather than serving requests unauthenticated.
  defineFilter(webAppContext, SPNEGO_FILTER, AuthenticationFilter.class.getName(),
      kerberosParams, null);
}
/**
 * Obtains the signer secret provider and creates the {@code Signer} that uses it.
 *
 * <p>The provider is first looked up as a servlet-context attribute. When the attribute is
 * absent, one is constructed from the filter configuration and the filter records that it
 * was initialised this way.
 *
 * @param filterConfig servlet filter configuration
 * @throws ServletException wrapping any exception raised while constructing the provider
 */
@Override
public void initializeSecretProvider(FilterConfig filterConfig) throws ServletException {
  LOG.debug("AtlasAuthenticationFilter :: initializeSecretProvider {}", filterConfig);

  secretProvider = (SignerSecretProvider) filterConfig.getServletContext()
      .getAttribute(AuthenticationFilter.SIGNER_SECRET_PROVIDER_ATTRIBUTE);

  if (secretProvider == null) {
    // Tomcat cannot specify the provider object in its configuration, so that deployment
    // ends up on this path and the provider is built from the init parameters.
    final String rawPrefix = filterConfig.getInitParameter(CONFIG_PREFIX);
    final String prefix = (rawPrefix == null) ? "" : rawPrefix + ".";
    try {
      // NOTE(review): the trailing `false` looks like the "disallow fallback to a random
      // secret" flag, which would let a random signing secret be used when none is
      // configured; confirm that is intended for multi-node or restart scenarios.
      secretProvider = AuthenticationFilter.constructSecretProvider(
          filterConfig.getServletContext(),
          super.getConfiguration(prefix, filterConfig),
          false);
      this.isInitializedByTomcat = true;
    } catch (Exception ex) {
      throw new ServletException(ex);
    }
  }

  signer = new Signer(secretProvider);
}
/**
 * Initializes the Alfredo AuthenticationFilter.
 *
 * <p>Every Hadoop configuration property whose name starts with {@code PREFIX} is passed
 * on to the filter with the prefix removed. The cookie path is preset to {@code "/"} and
 * can be overridden by a prefixed property.
 *
 * @param container The filter container
 * @param conf Configuration for run-time parameters
 */
@Override
public void initFilter(FilterContainer container, Configuration conf) {
  final Map<String, String> filterParams = new HashMap<String, String>();

  // Root cookie path so that the auth cookie is used for all resources.
  filterParams.put(AuthenticationFilter.COOKIE_PATH, "/");

  for (Map.Entry<String, String> property : conf) {
    final String fullName = property.getKey();
    if (!fullName.startsWith(PREFIX)) {
      continue;
    }
    // The value is read through conf.get() rather than from the entry; presumably so
    // that Configuration's own value resolution applies. TODO confirm.
    final String value = conf.get(fullName);
    final String shortName = fullName.substring(PREFIX.length());
    filterParams.put(shortName, value);
  }

  container.addFilter("authentication", AuthenticationFilter.class.getName(), filterParams);
}
/**
 * Collects the web-security properties that are handed to the authentication filter.
 *
 * <p>Side effect: when the web allow-connect user list is unset or empty, it is filled in
 * on {@code conf} from {@code ServerConfig.ALLOW_CONNECT} before validation runs.
 *
 * @param conf configuration to read from; may be modified as described above
 * @return the config prefix entry plus every property whose name starts with
 *     {@code ServerConfig.SENTRY_WEB_SECURITY_PREFIX}, keyed by its full name
 */
private static Map<String, String> loadWebAuthenticationConf(Configuration conf) {
  final Map<String, String> webAuthProps = new HashMap<String, String>();
  webAuthProps.put(AuthenticationFilter.CONFIG_PREFIX, ServerConfig.SENTRY_WEB_SECURITY_PREFIX);

  final String webAllowUsers = conf.get(ServerConfig.SENTRY_WEB_SECURITY_ALLOW_CONNECT_USERS);
  final boolean webListUnset = webAllowUsers == null || webAllowUsers.isEmpty();
  if (webListUnset) {
    // NOTE(review): if ALLOW_CONNECT is unset too, null is passed to conf.set(); confirm
    // how Configuration.set and validateConf treat that, so an empty allow-list cannot
    // slip through unnoticed.
    final String fallbackUsers = conf.get(ServerConfig.ALLOW_CONNECT);
    conf.set(ServerConfig.SENTRY_WEB_SECURITY_ALLOW_CONNECT_USERS, fallbackUsers);
  }

  validateConf(conf);

  // Unlike the prefix-stripping variants, the full property name is kept as the key.
  for (Map.Entry<String, String> property : conf) {
    final String propertyName = property.getKey();
    if (!propertyName.startsWith(ServerConfig.SENTRY_WEB_SECURITY_PREFIX)) {
      continue;
    }
    webAuthProps.put(propertyName, conf.get(propertyName));
  }
  return webAuthProps;
}
/**
 * Builds the authentication filter parameters from all configuration properties that
 * start with {@code prefix}.
 *
 * <p>The prefix is stripped from each copied name and the cookie path is preset to
 * {@code "/"}. If a Kerberos principal ends up in the map, it is resolved through
 * {@code SecurityUtil.getServerPrincipal} with the configured bind address and written
 * back.
 *
 * @param conf configuration to read from
 * @param prefix prefix selecting the properties to copy
 * @return the filter parameter map
 * @throws RuntimeException wrapping the {@code IOException} raised when the principal
 *     cannot be resolved
 */
public static Map<String, String> getFilterConfigMap(Configuration conf, String prefix) {
  final Map<String, String> filterParams = new HashMap<String, String>();

  // Root cookie path so that the auth cookie is used for all resources.
  filterParams.put(AuthenticationFilter.COOKIE_PATH, "/");

  for (Map.Entry<String, String> property : conf) {
    final String fullName = property.getKey();
    if (!fullName.startsWith(prefix)) {
      continue;
    }
    final String value = conf.get(fullName);
    final String shortName = fullName.substring(prefix.length());
    filterParams.put(shortName, value);
  }

  // Resolve _HOST in the principal into the bind address.
  final String bindAddress = conf.get(HttpServer2.BIND_ADDRESS);
  final String configuredPrincipal = filterParams.get(KerberosAuthenticationHandler.PRINCIPAL);
  if (configuredPrincipal == null) {
    return filterParams;
  }

  final String resolvedPrincipal;
  try {
    resolvedPrincipal = SecurityUtil.getServerPrincipal(configuredPrincipal, bindAddress);
  } catch (IOException ex) {
    throw new RuntimeException("Could not resolve Kerberos principal name: " + ex.toString(), ex);
  }
  filterParams.put(KerberosAuthenticationHandler.PRINCIPAL, resolvedPrincipal);
  return filterParams;
}
/**
 * Creates the signer secret provider for the server described by the builder.
 *
 * <p>The filter properties are derived from the builder's configuration and auth-filter
 * prefix. Whether a random secret may be used as a fallback is decided by the builder's
 * {@code disallowFallbackToRandomSignerSecretProvider} field.
 *
 * @param b builder supplying the configuration, prefix and fallback setting
 * @param ctx servlet context passed through to {@code AuthenticationFilter}
 * @return the constructed provider
 * @throws Exception propagated from the property lookup or the provider construction
 */
private static SignerSecretProvider constructSecretProvider(final Builder b,
    ServletContext ctx) throws Exception {
  final Properties filterProps =
      getFilterProperties(b.conf, b.authFilterConfigurationPrefix);
  return AuthenticationFilter.constructSecretProvider(
      ctx,
      filterProps,
      b.disallowFallbackToRandomSignerSecretProvider);
}
/**
 * Adds an auth cookie with the fixed value {@code "token"} to the response and then
 * continues the filter chain.
 *
 * <p>Expiry and persistence come from the {@code expires} and {@code isCookiePersistent}
 * fields. The last argument to {@code createAuthCookie} is hard-coded to {@code true}.
 *
 * @param request incoming request, passed on unchanged
 * @param response response the cookie is added to; must be an {@code HttpServletResponse}
 * @param chain remaining filter chain
 * @throws IOException propagated from the chain
 * @throws ServletException propagated from the chain
 */
@Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
    throws IOException, ServletException {
  final HttpServletResponse httpResponse = (HttpServletResponse) response;

  // No cookie domain or path is supplied.
  final String cookieDomain = null;
  final String cookiePath = null;
  // NOTE(review): the trailing `true` appears to be the Secure flag; confirm against the
  // createAuthCookie signature in use.
  AuthenticationFilter.createAuthCookie(
      httpResponse, "token", cookieDomain, cookiePath, expires, isCookiePersistent, true);

  chain.doFilter(request, httpResponse);
}
/**
 * Adds an auth cookie with the fixed value {@code "token"} to the response and then
 * continues the filter chain.
 *
 * <p>The last argument to {@code createAuthCookie} is {@code true} only when the request
 * scheme is {@code "https"}.
 *
 * @param request incoming request; its scheme decides the last cookie argument
 * @param response response the cookie is added to; must be an {@code HttpServletResponse}
 * @param chain remaining filter chain
 * @throws IOException propagated from the chain
 * @throws ServletException propagated from the chain
 */
@Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
    throws IOException, ServletException {
  final HttpServletResponse httpResponse = (HttpServletResponse) response;

  // NOTE(review): this value appears to drive the cookie's Secure flag. Behind a
  // TLS-terminating proxy the scheme seen here may be "http", which would leave the flag
  // off; confirm how the deployment reports the original scheme.
  final boolean secureRequest = "https".equals(request.getScheme());

  // No cookie domain or path is supplied.
  final String cookieDomain = null;
  final String cookiePath = null;
  AuthenticationFilter.createAuthCookie(
      httpResponse, "token", cookieDomain, cookiePath, -1, true, secureRequest);

  chain.doFilter(request, httpResponse);
}
/**
 * Configures and starts a {@code MockRM} with Kerberos HTTP authentication for the test.
 *
 * <p>The configuration enables ACLs, selects the FIFO scheduler, switches HTTP and Hadoop
 * authentication to Kerberos, and points every SPNEGO principal and keytab setting at the
 * test's {@code httpSpnegoPrincipal} and {@code httpSpnegoKeytabFile}. The result is
 * stored in the static {@code rm} field.
 *
 * @throws Exception declared by the original signature
 */
private static void setupAndStartRM() throws Exception {
  final Configuration conf = new Configuration();
  final String keytabPath = httpSpnegoKeytabFile.getAbsolutePath();

  // Core ResourceManager behaviour.
  conf.setInt(YarnConfiguration.RM_AM_MAX_ATTEMPTS,
      YarnConfiguration.DEFAULT_RM_AM_MAX_ATTEMPTS);
  conf.setClass(YarnConfiguration.RM_SCHEDULER, FifoScheduler.class, ResourceScheduler.class);
  conf.setBoolean(YarnConfiguration.YARN_ACL_ENABLE, true);

  // HTTP authentication filter settings.
  final String httpAuthPrefix = "hadoop.http.authentication.";
  conf.setStrings(httpAuthPrefix + "type", "kerberos");
  conf.set(httpAuthPrefix + KerberosAuthenticationHandler.PRINCIPAL, httpSpnegoPrincipal);
  conf.set(httpAuthPrefix + KerberosAuthenticationHandler.KEYTAB, keytabPath);
  // Any file works as the signature secret in this test, so the keytab file is reused.
  // This is a fixture shortcut and not a pattern for a real deployment.
  conf.set(httpAuthPrefix + AuthenticationFilter.SIGNATURE_SECRET + ".file", keytabPath);

  conf.set(CommonConfigurationKeysPublic.HADOOP_SECURITY_AUTHENTICATION, "kerberos");
  conf.setBoolean(YarnConfiguration.RM_WEBAPP_DELEGATION_TOKEN_AUTH_FILTER, true);
  conf.set("hadoop.http.filter.initializers", AuthenticationFilterInitializer.class.getName());

  // SPNEGO principal and keytab for the RM and NM web apps.
  conf.set(YarnConfiguration.RM_WEBAPP_SPNEGO_USER_NAME_KEY, httpSpnegoPrincipal);
  conf.set(YarnConfiguration.RM_KEYTAB, keytabPath);
  conf.set(YarnConfiguration.RM_WEBAPP_SPNEGO_KEYTAB_FILE_KEY, keytabPath);
  conf.set(YarnConfiguration.NM_WEBAPP_SPNEGO_USER_NAME_KEY, httpSpnegoPrincipal);
  conf.set(YarnConfiguration.NM_WEBAPP_SPNEGO_KEYTAB_FILE_KEY, keytabPath);

  conf.setBoolean("mockrm.webapp.enabled", true);

  // Wildcard proxy-user hosts and groups for the "client" user. This is broad on purpose
  // for the mock RM and should not be carried over to a real cluster configuration.
  conf.set("yarn.resourcemanager.proxyuser.client.hosts", "*");
  conf.set("yarn.resourcemanager.proxyuser.client.groups", "*");

  UserGroupInformation.setConfiguration(conf);
  rm = new MockRM(conf);
  rm.start();
}