falcon-commits mailing list archives

From venkat...@apache.org
Subject [2/3] git commit: FALCON-395 Falcon service does not start when _HOST is used in the spnego principal. Contributed by Venkatesh Seetharam
Date Thu, 24 Apr 2014 04:16:19 GMT
FALCON-395 Falcon service does not start when _HOST is used in the spnego principal. Contributed
by Venkatesh Seetharam


Project: http://git-wip-us.apache.org/repos/asf/incubator-falcon/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-falcon/commit/ae5d29b0
Tree: http://git-wip-us.apache.org/repos/asf/incubator-falcon/tree/ae5d29b0
Diff: http://git-wip-us.apache.org/repos/asf/incubator-falcon/diff/ae5d29b0

Branch: refs/heads/master
Commit: ae5d29b065e507bd2e13e6d04d6cf2c6c58e140a
Parents: 9dcbdf5
Author: Venkatesh Seetharam <venkatesh@hortonworks.com>
Authored: Wed Apr 23 12:41:14 2014 -0700
Committer: Venkatesh Seetharam <venkatesh@hortonworks.com>
Committed: Wed Apr 23 12:41:14 2014 -0700

----------------------------------------------------------------------
 CHANGES.txt                                     |  3 ++
 .../apache/falcon/security/BasicAuthFilter.java | 29 ++++++++++++-
 .../falcon/security/BasicAuthFilterTest.java    | 45 ++++++++++++++++++++
 3 files changed, 76 insertions(+), 1 deletion(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-falcon/blob/ae5d29b0/CHANGES.txt
----------------------------------------------------------------------
diff --git a/CHANGES.txt b/CHANGES.txt
index 625de9e..57e8beb 100755
--- a/CHANGES.txt
+++ b/CHANGES.txt
@@ -101,6 +101,9 @@ Trunk (Unreleased)
     FALCON-393 Display error messages when the web UI fails to get the data from the server
     (Haohui Mai via Venkatesh Seetharam)
 
+    FALCON-395 Falcon service does not start when _HOST is used in the spnego principal
+    (Venkatesh Seetharam)
+
   OPTIMIZATIONS
     FALCON-123 Improve build speeds in falcon. (Srikanth Sundarrajan via Shwetha GS)
 

http://git-wip-us.apache.org/repos/asf/incubator-falcon/blob/ae5d29b0/prism/src/main/java/org/apache/falcon/security/BasicAuthFilter.java
----------------------------------------------------------------------
diff --git a/prism/src/main/java/org/apache/falcon/security/BasicAuthFilter.java b/prism/src/main/java/org/apache/falcon/security/BasicAuthFilter.java
index b4b544c..52ede1d 100644
--- a/prism/src/main/java/org/apache/falcon/security/BasicAuthFilter.java
+++ b/prism/src/main/java/org/apache/falcon/security/BasicAuthFilter.java
@@ -20,7 +20,9 @@ package org.apache.falcon.security;
 
 import org.apache.commons.lang.StringUtils;
 import org.apache.falcon.util.StartupProperties;
+import org.apache.hadoop.security.UserGroupInformation;
 import org.apache.hadoop.security.authentication.server.AuthenticationFilter;
+import org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler;
 import org.apache.log4j.Logger;
 import org.apache.log4j.NDC;
 
@@ -52,7 +54,8 @@ public class BasicAuthFilter extends AuthenticationFilter {
     /**
      * Constant for the configuration property that indicates the prefix.
      */
-    private static final String FALCON_PREFIX = "falcon.http.authentication.";
+    protected static final String FALCON_PREFIX = "falcon.http.authentication.";
+    protected static final String KERBEROS_PRINCIPAL = FALCON_PREFIX + KerberosAuthenticationHandler.PRINCIPAL;
 
     /**
      * Constant for the configuration property that indicates the blacklisted super users
for falcon.
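Review bot: `FALCON_PREFIX` and the new `KERBEROS_PRINCIPAL` are widened to `protected`, apparently only so that BasicAuthFilterTest can read them. The test declares the same package (`org.apache.falcon.security`), so package-private visibility would be enough and would keep both constants out of the subclass-visible API. `KERBEROS_PRINCIPAL` also has no Javadoc while its neighbours do; a comment such as `/** Configuration property holding the SPNEGO Kerberos principal; may contain the _HOST placeholder. */` would match the file's style. The Javadoc block that follows runs past the end of this hunk.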
@@ -121,9 +124,33 @@ public class BasicAuthFilter extends AuthenticationFilter {
             }
         }
 
+        if (UserGroupInformation.isSecurityEnabled()) { // replace _HOST in principal
+            String principal = getKerberosPrincipalWithSubstitutedHost(configProperties);
+            // principal cannot be null in secure mode, is validated in submission
+            authProperties.setProperty(KerberosAuthenticationHandler.PRINCIPAL, principal);
+        }
+
         return authProperties;
     }
 
+    /**
+     * Replaces _HOST in the principal with the actual hostname.
+     *
+     * @param configProperties Falcon config properties
+     * @return principal with _HOST substituted
+     */
+    private String getKerberosPrincipalWithSubstitutedHost(Properties configProperties) {
+        String principal = configProperties.getProperty(KERBEROS_PRINCIPAL);
+        try {
+            principal = org.apache.hadoop.security.SecurityUtil.getServerPrincipal(
+                    principal, SecurityUtil.getLocalHostName());
+        } catch (IOException ignored) {
+            // do nothing
+        }
+
+        return principal;
+    }
+
     @Override
     public void doFilter(final ServletRequest request, final ServletResponse response,
                          final FilterChain filterChain) throws IOException, ServletException
{
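Review bot: The empty `catch (IOException ignored)` in `getKerberosPrincipalWithSubstitutedHost` lets a failed hostname lookup pass silently, so the filter is configured with the literal `_HOST` principal and the problem surfaces later as an unrelated Kerberos error, if at all. On an authentication path it is safer to fail at startup with the cause attached, e.g. `} catch (IOException e) { throw new IllegalStateException("Cannot substitute _HOST in " + KERBEROS_PRINCIPAL, e); }`. The comment "principal cannot be null in secure mode" is not enforced in this hunk: a missing property reaches `getServerPrincipal` and `authProperties.setProperty` as null and would most likely surface as a bare NullPointerException, so an explicit check with a clear message is worth adding. The unqualified `SecurityUtil.getLocalHostName()` sits next to the fully qualified Hadoop `SecurityUtil` and must resolve to a different class that the hunk does not show; a short comment naming it would avoid confusion. `getConfiguration` starts above this hunk and `doFilter` continues below it.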

http://git-wip-us.apache.org/repos/asf/incubator-falcon/blob/ae5d29b0/webapp/src/test/java/org/apache/falcon/security/BasicAuthFilterTest.java
----------------------------------------------------------------------
diff --git a/webapp/src/test/java/org/apache/falcon/security/BasicAuthFilterTest.java b/webapp/src/test/java/org/apache/falcon/security/BasicAuthFilterTest.java
index 1caf914..74073d0 100644
--- a/webapp/src/test/java/org/apache/falcon/security/BasicAuthFilterTest.java
+++ b/webapp/src/test/java/org/apache/falcon/security/BasicAuthFilterTest.java
@@ -19,6 +19,10 @@
 package org.apache.falcon.security;
 
 import org.apache.falcon.util.StartupProperties;
+import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.fs.CommonConfigurationKeysPublic;
+import org.apache.hadoop.security.UserGroupInformation;
+import org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler;
 import org.mockito.Mock;
 import org.mockito.Mockito;
 import org.mockito.MockitoAnnotations;
@@ -33,6 +37,7 @@ import javax.servlet.FilterConfig;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import java.util.Map;
+import java.util.Properties;
 import java.util.concurrent.ConcurrentHashMap;
 
 
@@ -53,6 +58,9 @@ public class BasicAuthFilterTest {
     @Mock
     private FilterConfig mockConfig;
 
+    @Mock
+    private UserGroupInformation mockUgi;
+
     @BeforeClass
     public void init() {
         MockitoAnnotations.initMocks(this);
@@ -169,4 +177,41 @@ public class BasicAuthFilterTest {
             StartupProperties.get().setProperty("falcon.http.authentication.type", httpAuthType);
         }
     }
+
+    @Test
+    public void testGetKerberosPrincipalWithSubstitutedHostSecure() throws Exception {
+        String principal = StartupProperties.get().getProperty(BasicAuthFilter.KERBEROS_PRINCIPAL);
+
+        String expectedPrincipal = "falcon/" + SecurityUtil.getLocalHostName() + "@Example.com";
+        try {
+            Configuration conf = new Configuration(false);
+            conf.set(CommonConfigurationKeysPublic.HADOOP_SECURITY_AUTHENTICATION,
+                    UserGroupInformation.AuthenticationMethod.KERBEROS.name());
+            UserGroupInformation.setConfiguration(conf);
+            Assert.assertTrue(UserGroupInformation.isSecurityEnabled());
+
+            StartupProperties.get().setProperty(
+                    BasicAuthFilter.KERBEROS_PRINCIPAL, "falcon/_HOST@Example.com");
+            BasicAuthFilter filter = new BasicAuthFilter();
+            Properties properties = filter.getConfiguration(BasicAuthFilter.FALCON_PREFIX,
null);
+            Assert.assertEquals(
+                    properties.get(KerberosAuthenticationHandler.PRINCIPAL), expectedPrincipal);
+        } finally {
+            StartupProperties.get().setProperty(BasicAuthFilter.KERBEROS_PRINCIPAL, principal);
+        }
+    }
+
+    @Test
+    public void testGetKerberosPrincipalWithSubstitutedHostNonSecure() throws Exception {
+        String principal = StartupProperties.get().getProperty(BasicAuthFilter.KERBEROS_PRINCIPAL);
+        Configuration conf = new Configuration(false);
+        conf.set(CommonConfigurationKeysPublic.HADOOP_SECURITY_AUTHENTICATION,
+                UserGroupInformation.AuthenticationMethod.SIMPLE.name());
+        UserGroupInformation.setConfiguration(conf);
+        Assert.assertFalse(UserGroupInformation.isSecurityEnabled());
+
+        BasicAuthFilter filter = new BasicAuthFilter();
+        Properties properties = filter.getConfiguration(BasicAuthFilter.FALCON_PREFIX, null);
+        Assert.assertEquals(properties.get(KerberosAuthenticationHandler.PRINCIPAL), principal);
+    }
 }
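Review bot: Both new tests call `UserGroupInformation.setConfiguration(conf)`, which changes process-wide state, and the secure test never restores it in its `finally`, so any test that runs afterwards in the same JVM sees Kerberos security enabled. Resetting it in the `finally` block (for example by applying a `SIMPLE` configuration again) would keep the outcome independent of test order. The `finally` also calls `setProperty(BasicAuthFilter.KERBEROS_PRINCIPAL, principal)` with the saved value, which throws if the property was originally unset; the key should be removed in that case. The `mockUgi` field added in the earlier hunk is not used by either test shown here.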

