drill-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "ASF GitHub Bot (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (DRILL-5425) Support HTTP Kerberos auth using SPNEGO
Date Thu, 21 Dec 2017 22:11:03 GMT

    [ https://issues.apache.org/jira/browse/DRILL-5425?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16300622#comment-16300622
] 

ASF GitHub Bot commented on DRILL-5425:
---------------------------------------

Github user sohami commented on a diff in the pull request:

    https://github.com/apache/drill/pull/1040#discussion_r158112439
  
    --- Diff: exec/java-exec/src/main/java/org/apache/drill/exec/server/rest/auth/DrillHttpSecurityHandlerProvider.java
---
    @@ -0,0 +1,187 @@
    +/*
    + * Licensed to the Apache Software Foundation (ASF) under one
    + * or more contributor license agreements.  See the NOTICE file
    + * distributed with this work for additional information
    + * regarding copyright ownership.  The ASF licenses this file
    + * to you under the Apache License, Version 2.0 (the
    + * "License"); you may not use this file except in compliance
    + * with the License.  You may obtain a copy of the License at
    + * <p>
    + * http://www.apache.org/licenses/LICENSE-2.0
    + * <p>
    + * Unless required by applicable law or agreed to in writing, software
    + * distributed under the License is distributed on an "AS IS" BASIS,
    + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    + * See the License for the specific language governing permissions and
    + * limitations under the License.
    + */
    +
    +
    +package org.apache.drill.exec.server.rest.auth;
    +
    +import com.google.common.base.Preconditions;
    +import org.apache.drill.common.config.DrillConfig;
    +import org.apache.drill.common.exceptions.DrillException;
    +import org.apache.drill.common.map.CaseInsensitiveMap;
    +import org.apache.drill.common.scanner.persistence.ScanResult;
    +import org.apache.drill.exec.ExecConstants;
    +import org.apache.drill.exec.exception.DrillbitStartupException;
    +import org.apache.drill.exec.rpc.security.AuthStringUtil;
    +import org.apache.drill.exec.server.DrillbitContext;
    +import org.apache.drill.exec.server.rest.WebServerConstants;
    +import org.eclipse.jetty.security.ConstraintSecurityHandler;
    +import org.eclipse.jetty.security.authentication.SessionAuthentication;
    +import org.eclipse.jetty.server.Handler;
    +import org.eclipse.jetty.server.Request;
    +
    +import javax.servlet.ServletException;
    +import javax.servlet.http.HttpServletRequest;
    +import javax.servlet.http.HttpServletResponse;
    +import javax.servlet.http.HttpSession;
    +import java.io.IOException;
    +import java.lang.reflect.Constructor;
    +import java.lang.reflect.InvocationTargetException;
    +import java.util.Collection;
    +import java.util.HashSet;
    +import java.util.Map;
    +import java.util.Set;
    +
    +
    +public class DrillHttpSecurityHandlerProvider extends ConstraintSecurityHandler {
    +
    +  private static final org.slf4j.Logger logger = org.slf4j.LoggerFactory.getLogger(DrillHttpSecurityHandlerProvider.class);
    +
    +  private final Map<String, DrillHttpConstraintSecurityHandler> securityHandlers
=
    +      CaseInsensitiveMap.newHashMapWithExpectedSize(5);
    +
    +  public DrillHttpSecurityHandlerProvider(DrillConfig config, DrillbitContext drillContext)
    +      throws DrillbitStartupException {
    +
    +    Preconditions.checkState(config.getBoolean(ExecConstants.USER_AUTHENTICATION_ENABLED));
    +    final Set<String> configuredMechanisms = new HashSet<>();
    +
    +    if (config.hasPath(ExecConstants.HTTP_AUTHENTICATION_MECHANISMS)) {
    +      configuredMechanisms.addAll(AuthStringUtil.asSet(config.getStringList(ExecConstants.HTTP_AUTHENTICATION_MECHANISMS)));
    +    } else { // for backward compatibility
    +      configuredMechanisms.add(FORMSecurityHanlder.HANDLER_NAME);
    +    }
    +
    +      final ScanResult scan = drillContext.getClasspathScan();
    +      final Collection<Class<? extends DrillHttpConstraintSecurityHandler>>
factoryImpls =
    +          scan.getImplementations(DrillHttpConstraintSecurityHandler.class);
    +      logger.debug("Found DrillHttpConstraintSecurityHandler implementations: {}", factoryImpls);
    +      for (final Class<? extends DrillHttpConstraintSecurityHandler> clazz : factoryImpls)
{
    +
    +        // If all the configured mechanisms handler is added then break out of this loop
    +        if (configuredMechanisms.isEmpty()) {
    +          break;
    +        }
    +
    +        Constructor<? extends DrillHttpConstraintSecurityHandler> validConstructor
= null;
    +        for (final Constructor<?> c : clazz.getConstructors()) {
    +          final Class<?>[] params = c.getParameterTypes();
    +          if (params.length == 0) {
    +            validConstructor = (Constructor<? extends DrillHttpConstraintSecurityHandler>)
c; // unchecked
    +            break;
    +          }
    +        }
    +
    +        if (validConstructor == null) {
    +          logger.warn("Skipping DrillHttpConstraintSecurityHandler class {}. It must
implement at least one" +
    +              " constructor with signature [{}()]", clazz.getCanonicalName(), clazz.getName());
    +          continue;
    +        }
    +
    +        try {
    +          final DrillHttpConstraintSecurityHandler instance = validConstructor.newInstance();
    +          if (configuredMechanisms.remove(instance.getImplName())) {
    +            instance.doSetup(drillContext);
    +            securityHandlers.put(instance.getImplName(), instance);
    +          }
    +        } catch (IllegalArgumentException | IllegalAccessException |
    +            InstantiationException | InvocationTargetException | DrillException e) {
    +          logger.warn(String.format("Failed to create DrillHttpConstraintSecurityHandler
of type '%s'",
    +              clazz.getCanonicalName()), e);
    +        }
    +      }
    +
    +    if (securityHandlers.size() == 0) {
    +      throw new DrillbitStartupException("Authentication is enabled for WebServer but
none of the security mechanism " +
    +          "was configured properly. Please verify the configurations and try again.");
    +    }
    +
    +    logger.info("Configure auth mechanisms for WebServer are: {}", securityHandlers.keySet());
    +  }
    +
    +  @Override
    +  public void doStart() throws Exception {
    +    super.doStart();
    +    for (DrillHttpConstraintSecurityHandler securityHandler : securityHandlers.values())
{
    +      securityHandler.doStart();
    +    }
    +  }
    +
    +  @Override
    +  public void handle(String target, Request baseRequest, HttpServletRequest request,
HttpServletResponse response)
    +      throws IOException, ServletException {
    +
    +    Preconditions.checkState(securityHandlers.size() > 0);
    +
    +    HttpSession session = request.getSession(true);
    +    SessionAuthentication authentication =
    +        (SessionAuthentication) session.getAttribute("org.eclipse.jetty.security.UserIdentity");
    +    String uri = request.getRequestURI();
    +    final DrillHttpConstraintSecurityHandler securityHandler;
    +
    +    // Before authentication, all requests go through the FormAuthenticator if configured
except for /spnegoLogin
    +    // request. For SPNEGO authentication all request will enforce going via /spnegoLogin
before authentication is
    --- End diff --
    
    Done.


> Support HTTP Kerberos auth using SPNEGO
> ---------------------------------------
>
>                 Key: DRILL-5425
>                 URL: https://issues.apache.org/jira/browse/DRILL-5425
>             Project: Apache Drill
>          Issue Type: New Feature
>          Components: Web Server
>    Affects Versions: 1.12.0
>            Reporter: Sudheesh Katkam
>            Assignee: Sorabh Hamirwasia
>             Fix For: 1.13.0
>
>
> DRILL-4280 supports Kerberos through JDBC and ODBC API. This ticket requests to add Kerberos
(using [SPENGO|https://en.wikipedia.org/wiki/SPNEGO]) for HTTP connections.
> This requires creating "direct" web sessions; currently web sessions are sessions over
Java client sessions.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

Mime
View raw message