/** * Set AUTH_TYPE property to the name of the corresponding authentication * handler class based on the input properties. * @param props input properties. */ protected void setAuthHandlerClass(Properties props) throws ServletException { String authType = props.getProperty(AUTH_TYPE); if (authType == null) { throw new ServletException("Config property " + AUTH_TYPE + " doesn't exist"); } if (authType.equals(PseudoAuthenticationHandler.TYPE)) { props.setProperty(AUTH_TYPE, PseudoDelegationTokenAuthenticationHandler.class.getName()); } else if (authType.equals(KerberosAuthenticationHandler.TYPE)) { props.setProperty(AUTH_TYPE, KerberosDelegationTokenAuthenticationHandler.class.getName()); } }
@Override public void init(FilterConfig filterConfig) throws ServletException { super.init(filterConfig); AuthenticationHandler handler = getAuthenticationHandler(); AbstractDelegationTokenSecretManager dtSecretManager = (AbstractDelegationTokenSecretManager) filterConfig.getServletContext(). getAttribute(DELEGATION_TOKEN_SECRET_MANAGER_ATTR); if (dtSecretManager != null && handler instanceof DelegationTokenAuthenticationHandler) { DelegationTokenAuthenticationHandler dtHandler = (DelegationTokenAuthenticationHandler) getAuthenticationHandler(); dtHandler.setExternalDelegationTokenSecretManager(dtSecretManager); } if (handler instanceof PseudoAuthenticationHandler || handler instanceof PseudoDelegationTokenAuthenticationHandler) { setHandlerAuthMethod(SaslRpcServer.AuthMethod.SIMPLE); } if (handler instanceof KerberosAuthenticationHandler || handler instanceof KerberosDelegationTokenAuthenticationHandler) { setHandlerAuthMethod(SaslRpcServer.AuthMethod.KERBEROS); } // proxyuser configuration Configuration conf = getProxyuserConfiguration(filterConfig); ProxyUsers.refreshSuperUserGroupsConfiguration(conf, PROXYUSER_PREFIX); }
@Override protected Properties getConfiguration(String configPrefix, FilterConfig filterConfig) { Properties props = new Properties(); Configuration conf = KMSWebApp.getConfiguration(); for (Map.Entry<String, String> entry : conf) { String name = entry.getKey(); if (name.startsWith(CONFIG_PREFIX)) { String value = conf.get(name); name = name.substring(CONFIG_PREFIX.length()); props.setProperty(name, value); } } String authType = props.getProperty(AUTH_TYPE); if (authType.equals(PseudoAuthenticationHandler.TYPE)) { props.setProperty(AUTH_TYPE, PseudoDelegationTokenAuthenticationHandler.class.getName()); } else if (authType.equals(KerberosAuthenticationHandler.TYPE)) { props.setProperty(AUTH_TYPE, KerberosDelegationTokenAuthenticationHandler.class.getName()); } props.setProperty(DelegationTokenAuthenticationHandler.TOKEN_KIND, KMSClientProvider.TOKEN_KIND); return props; }
/** * Returns the filter configuration properties, * including the ones prefixed with {@link #CONF_PREFIX}. * The prefix is removed from the returned property names. * * @param prefix parameter not used. * @param config parameter contains the initialization values. * @return Hadoop-Auth configuration properties. * @throws ServletException */ @Override protected Properties getConfiguration(String prefix, FilterConfig config) throws ServletException { final Properties p = super.getConfiguration(CONF_PREFIX, config); // set authentication type p.setProperty(AUTH_TYPE, UserGroupInformation.isSecurityEnabled()? KerberosAuthenticationHandler.TYPE: PseudoAuthenticationHandler.TYPE); // if not set, enable anonymous for pseudo authentication if (p.getProperty(PseudoAuthenticationHandler.ANONYMOUS_ALLOWED) == null) { p.setProperty(PseudoAuthenticationHandler.ANONYMOUS_ALLOWED, "true"); } //set cookie path p.setProperty(COOKIE_PATH, "/"); return p; }
/** * Set AUTH_TYPE property to the name of the corresponding authentication * handler class based on the input properties. * @param props input properties. */ protected void setAuthHandlerClass(Properties props) throws ServletException { String authType = props.getProperty(AUTH_TYPE); if (authType == null) { throw new ServletException("Config property " + AUTH_TYPE + " doesn't exist"); } if (authType.equals(PseudoAuthenticationHandler.TYPE)) { props.setProperty(AUTH_TYPE, PseudoDelegationTokenAuthenticationHandler.class.getName()); } else if (authType.equals(KerberosAuthenticationHandler.TYPE)) { props.setProperty(AUTH_TYPE, KerberosDelegationTokenAuthenticationHandler.class.getName()); } else if (authType.equals(MultiSchemeAuthenticationHandler.TYPE)) { props.setProperty(AUTH_TYPE, MultiSchemeDelegationTokenAuthenticationHandler.class.getName()); } }
@Override protected Properties getConfiguration(String configPrefix, FilterConfig filterConfig) { Properties props = new Properties(); Configuration conf = KMSWebApp.getConfiguration(); for (Map.Entry<String, String> entry : conf) { String name = entry.getKey(); if (name.startsWith(CONFIG_PREFIX)) { String value = conf.get(name); name = name.substring(CONFIG_PREFIX.length()); props.setProperty(name, value); } } String authType = props.getProperty(AUTH_TYPE); if (authType.equals(PseudoAuthenticationHandler.TYPE)) { props.setProperty(AUTH_TYPE, PseudoDelegationTokenAuthenticationHandler.class.getName()); } else if (authType.equals(KerberosAuthenticationHandler.TYPE)) { props.setProperty(AUTH_TYPE, KerberosDelegationTokenAuthenticationHandler.class.getName()); } props.setProperty(DelegationTokenAuthenticationHandler.TOKEN_KIND, KMSDelegationToken.TOKEN_KIND_STR); return props; }
public static Map<String, String> getFilterConfigMap(Configuration conf, String prefix) { Map<String, String> filterConfig = new HashMap<String, String>(); //setting the cookie path to root '/' so it is used for all resources. filterConfig.put(AuthenticationFilter.COOKIE_PATH, "/"); for (Map.Entry<String, String> entry : conf) { String name = entry.getKey(); if (name.startsWith(prefix)) { String value = conf.get(name); name = name.substring(prefix.length()); filterConfig.put(name, value); } } //Resolve _HOST into bind address String bindAddress = conf.get(HttpServer2.BIND_ADDRESS); String principal = filterConfig.get(KerberosAuthenticationHandler.PRINCIPAL); if (principal != null) { try { principal = SecurityUtil.getServerPrincipal(principal, bindAddress); } catch (IOException ex) { throw new RuntimeException("Could not resolve Kerberos principal name: " + ex.toString(), ex); } filterConfig.put(KerberosAuthenticationHandler.PRINCIPAL, principal); } return filterConfig; }
@Override protected Properties getConfiguration(String configPrefix, FilterConfig filterConfig) { Properties conf = new Properties(); conf.setProperty(AUTH_TYPE, KerberosDelegationTokenAuthenticationHandler.class.getName()); conf.setProperty(KerberosAuthenticationHandler.KEYTAB, keytabFile); conf.setProperty(KerberosAuthenticationHandler.PRINCIPAL, "HTTP/localhost"); conf.setProperty(KerberosDelegationTokenAuthenticationHandler.TOKEN_KIND, "token-kind"); return conf; }
private static void setupAndStartRM() throws Exception { Configuration rmconf = new Configuration(); rmconf.setInt(YarnConfiguration.RM_AM_MAX_ATTEMPTS, YarnConfiguration.DEFAULT_RM_AM_MAX_ATTEMPTS); rmconf.setClass(YarnConfiguration.RM_SCHEDULER, FifoScheduler.class, ResourceScheduler.class); rmconf.setBoolean(YarnConfiguration.YARN_ACL_ENABLE, true); String httpPrefix = "hadoop.http.authentication."; rmconf.setStrings(httpPrefix + "type", "kerberos"); rmconf.set(httpPrefix + KerberosAuthenticationHandler.PRINCIPAL, httpSpnegoPrincipal); rmconf.set(httpPrefix + KerberosAuthenticationHandler.KEYTAB, httpSpnegoKeytabFile.getAbsolutePath()); // use any file for signature secret rmconf.set(httpPrefix + AuthenticationFilter.SIGNATURE_SECRET + ".file", httpSpnegoKeytabFile.getAbsolutePath()); rmconf.set(CommonConfigurationKeysPublic.HADOOP_SECURITY_AUTHENTICATION, "kerberos"); rmconf.setBoolean(YarnConfiguration.RM_WEBAPP_DELEGATION_TOKEN_AUTH_FILTER, true); rmconf.set("hadoop.http.filter.initializers", AuthenticationFilterInitializer.class.getName()); rmconf.set(YarnConfiguration.RM_WEBAPP_SPNEGO_USER_NAME_KEY, httpSpnegoPrincipal); rmconf.set(YarnConfiguration.RM_KEYTAB, httpSpnegoKeytabFile.getAbsolutePath()); rmconf.set(YarnConfiguration.RM_WEBAPP_SPNEGO_KEYTAB_FILE_KEY, httpSpnegoKeytabFile.getAbsolutePath()); rmconf.set(YarnConfiguration.NM_WEBAPP_SPNEGO_USER_NAME_KEY, httpSpnegoPrincipal); rmconf.set(YarnConfiguration.NM_WEBAPP_SPNEGO_KEYTAB_FILE_KEY, httpSpnegoKeytabFile.getAbsolutePath()); rmconf.setBoolean("mockrm.webapp.enabled", true); rmconf.set("yarn.resourcemanager.proxyuser.client.hosts", "*"); rmconf.set("yarn.resourcemanager.proxyuser.client.groups", "*"); UserGroupInformation.setConfiguration(rmconf); rm = new MockRM(rmconf); rm.start(); }
@Override protected Properties getConfiguration(String configPrefix, FilterConfig filterConfig) throws ServletException { Properties properties = super.getConfiguration(configPrefix, filterConfig); properties.put(KerberosAuthenticationHandler.PRINCIPAL, httpSpnegoPrincipal); properties.put(KerberosAuthenticationHandler.KEYTAB, httpSpnegoKeytabFile.getAbsolutePath()); properties.put(AuthenticationFilter.AUTH_TYPE, "kerberos"); return properties; }
@Override protected Properties getConfiguration(String configPrefix, FilterConfig filterConfig) throws ServletException { Properties properties = super.getConfiguration(configPrefix, filterConfig); properties.put(KerberosAuthenticationHandler.PRINCIPAL, httpSpnegoPrincipal); properties.put(KerberosAuthenticationHandler.KEYTAB, httpSpnegoKeytabFile.getAbsolutePath()); properties.put(AuthenticationFilter.AUTH_TYPE, "simple"); properties.put(PseudoAuthenticationHandler.ANONYMOUS_ALLOWED, "false"); return properties; }
