Date: Tue, 22 Jul 2014 16:06:39 +0000 (UTC)
From: "Alejandro Abdelnur (JIRA)"
To: common-issues@hadoop.apache.org
Subject: [jira] [Updated] (HADOOP-10771) Refactor HTTP delegation support out of httpfs to common

[ https://issues.apache.org/jira/browse/HADOOP-10771?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Alejandro Abdelnur updated HADOOP-10771:
----------------------------------------
    Attachment: HADOOP-10771.patch
                HADOOP-10771.sh

Run the script first, using 'fs' parameter if in a GIT checkout or using 'svn' if in a SVN checkout.

Following are some comments that may help the review.
*Moves:*

{code}
src: hadoop-hdfs-project/hadoop-hdfs-httpfs/src/main/java/org/apache/hadoop/fs/http/client/HttpFSKerberosAuthenticator.java
dst: hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/DelegationTokenAuthenticator.java
NOTES: refactored client Delegation Token management logic (get/renew/cancel) into an auth abstract authenticator. introduced a special auth-token subclass to encapsulate client side handling of the delegation token.

src: hadoop-hdfs-project/hadoop-hdfs-httpfs/src/main/java/org/apache/hadoop/fs/http/client/HttpFSPseudoAuthenticator.java
dst: hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/PseudoDelegationTokenAuthenticator.java
NOTES: simple move, this is a simple authenticator that uses UGI instead of System.getProperties("user.name") as in hadoop-auth

src: hadoop-hdfs-project/hadoop-hdfs-httpfs/src/main/java/org/apache/hadoop/fs/http/server/HttpFSAuthenticationFilter.java
dst: hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/DelegationTokenAuthenticationFilter.java
NOTES: move and minor clean up of config loading for general use.

src: hadoop-hdfs-project/hadoop-hdfs-httpfs/src/main/java/org/apache/hadoop/fs/http/server/HttpFSKerberosAuthenticationHandler.java
dst: hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/DelegationTokenAuthenticationHandler.java
NOTES: simple move and minor tweaks. this is where the Delegation Token management (get/renew/cancel) happens on the server side.

src: hadoop-hdfs-project/hadoop-hdfs-httpfs/src/main/java/org/apache/hadoop/lib/service/DelegationTokenIdentifier.java
dst: hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/DelegationTokenIdentifier.java
NOTES: simple move

src: hadoop-hdfs-project/hadoop-hdfs-httpfs/src/main/java/org/apache/hadoop/lib/service/security/DelegationTokenManagerService.java
dst: hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/DelegationTokenManager.java
NOTES: move and code simplification, and generalization to be able to use an existing secret manager if provided in the servlet context.

src: hadoop-hdfs-project/hadoop-hdfs-httpfs/src/test/java/org/apache/hadoop/lib/service/security/TestDelegationTokenManagerService.java
dst: hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/token/delegation/web/TestDelegationTokenManager.java
NOTES: simple move

src: hadoop-hdfs-project/hadoop-hdfs-httpfs/src/test/java/org/apache/hadoop/fs/http/server/TestHttpFSKerberosAuthenticationHandler.java
dst: hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/token/delegation/web/TestDelegationTokenAuthenticationHandlerWithMocks.java
NOTES: move, adding more tests.
{code}

*New code:*

* DelegationTokenAuthenticatedURL.java: AuthenticatedURL subclass providing public API to do delegation token management.
* KerberosDelegationTokenAuthenticator.java: client subclass that composes the existing Kerberos authenticator with the delegation token management one.
* PseudoDelegationTokenAuthenticator.java: client subclass that composes the existing simple authenticator with the delegation token management one.
* PseudoDelegationTokenAuthenticationHandler.java: server subclass that provides pseudo auth with delegation token support, simply setting the auth-token type to be 'simple-dt'.
* KerberosDelegationTokenAuthenticationHandler.java: server subclass that provides kerberos auth with delegation token support, simply setting the auth-token type to be 'kerberos-dt'.

> Refactor HTTP delegation support out of httpfs to common
> --------------------------------------------------------
>
>                 Key: HADOOP-10771
>                 URL: https://issues.apache.org/jira/browse/HADOOP-10771
>             Project: Hadoop Common
>          Issue Type: Improvement
>          Components: security
>    Affects Versions: 3.0.0
>            Reporter: Alejandro Abdelnur
>            Assignee: Alejandro Abdelnur
>         Attachments: HADOOP-10771.patch, HADOOP-10771.sh
>
>
> HttpFS implements delegation token support in {{AuthenticationFilter}} & {{AuthenticationHandler}} subclasses.
> For HADOOP-10770 we need similar functionality for KMS.
> Not to duplicate code, we should refactor existing code to common.

--
This message was sent by Atlassian JIRA (v6.2#6252)