HDDS-643. Parse Authorization header in a separate filter. Contributed by Bharat Viswanadham.

This commit is contained in:
Márton Elek 2018-10-25 12:45:53 +02:00
parent 97bd49fc36
commit 23887129cd
7 changed files with 115 additions and 52 deletions

View File

@ -34,6 +34,7 @@
import com.google.common.annotations.VisibleForTesting; import com.google.common.annotations.VisibleForTesting;
import org.apache.hadoop.fs.InvalidRequestException; import org.apache.hadoop.fs.InvalidRequestException;
import org.apache.hadoop.hdds.conf.OzoneConfiguration; import org.apache.hadoop.hdds.conf.OzoneConfiguration;
import org.apache.hadoop.ozone.s3.header.AuthenticationHeaderParser;
import org.slf4j.Logger; import org.slf4j.Logger;
import org.slf4j.LoggerFactory; import org.slf4j.LoggerFactory;
@ -52,11 +53,18 @@ public class VirtualHostStyleFilter implements ContainerRequestFilter {
@Inject @Inject
private OzoneConfiguration conf; private OzoneConfiguration conf;
@Inject
private AuthenticationHeaderParser authenticationHeaderParser;
private String[] domains; private String[] domains;
@Override @Override
public void filter(ContainerRequestContext requestContext) throws public void filter(ContainerRequestContext requestContext) throws
IOException { IOException {
authenticationHeaderParser.setAuthHeader(requestContext.getHeaderString(
HttpHeaders.AUTHORIZATION));
domains = conf.getTrimmedStrings(OZONE_S3G_DOMAIN_NAME); domains = conf.getTrimmedStrings(OZONE_S3G_DOMAIN_NAME);
if (domains.length == 0) { if (domains.length == 0) {
@ -140,4 +148,9 @@ private String getDomainName(String host) {
return match; return match;
} }
@VisibleForTesting
public void setAuthenticationHeaderParser(AuthenticationHeaderParser parser) {
this.authenticationHeaderParser = parser;
}
} }

View File

@ -36,7 +36,6 @@
import java.io.InputStream; import java.io.InputStream;
import java.time.Instant; import java.time.Instant;
import java.util.Iterator; import java.util.Iterator;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response.ResponseBuilder; import javax.ws.rs.core.Response.ResponseBuilder;
import org.apache.hadoop.ozone.client.OzoneBucket; import org.apache.hadoop.ozone.client.OzoneBucket;
@ -151,7 +150,7 @@ public Response list(
public Response put(@PathParam("bucket") String bucketName, @Context public Response put(@PathParam("bucket") String bucketName, @Context
HttpHeaders httpHeaders) throws IOException, OS3Exception { HttpHeaders httpHeaders) throws IOException, OS3Exception {
String userName = parseUsername(httpHeaders); String userName = getAuthenticationHeaderParser().getAccessKeyID();
String location = createS3Bucket(userName, bucketName); String location = createS3Bucket(userName, bucketName);

View File

@ -19,8 +19,6 @@
import javax.inject.Inject; import javax.inject.Inject;
import javax.ws.rs.NotFoundException; import javax.ws.rs.NotFoundException;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.HttpHeaders;
import java.io.IOException; import java.io.IOException;
import org.apache.hadoop.ozone.client.OzoneBucket; import org.apache.hadoop.ozone.client.OzoneBucket;
@ -28,8 +26,7 @@
import org.apache.hadoop.ozone.client.OzoneVolume; import org.apache.hadoop.ozone.client.OzoneVolume;
import org.apache.hadoop.ozone.s3.exception.OS3Exception; import org.apache.hadoop.ozone.s3.exception.OS3Exception;
import org.apache.hadoop.ozone.s3.exception.S3ErrorTable; import org.apache.hadoop.ozone.s3.exception.S3ErrorTable;
import org.apache.hadoop.ozone.s3.header.AuthorizationHeaderV2; import org.apache.hadoop.ozone.s3.header.AuthenticationHeaderParser;
import org.apache.hadoop.ozone.s3.header.AuthorizationHeaderV4;
import com.google.common.annotations.VisibleForTesting; import com.google.common.annotations.VisibleForTesting;
import org.slf4j.Logger; import org.slf4j.Logger;
@ -46,6 +43,9 @@ public class EndpointBase {
@Inject @Inject
private OzoneClient client; private OzoneClient client;
@Inject
private AuthenticationHeaderParser authenticationHeaderParser;
protected OzoneBucket getBucket(String volumeName, String bucketName) protected OzoneBucket getBucket(String volumeName, String bucketName)
throws IOException { throws IOException {
return getVolume(volumeName).getBucket(bucketName); return getVolume(volumeName).getBucket(bucketName);
@ -172,43 +172,17 @@ public String getOzoneBucketName(String s3BucketName) throws IOException {
return client.getObjectStore().getOzoneBucketName(s3BucketName); return client.getObjectStore().getOzoneBucketName(s3BucketName);
} }
/** public AuthenticationHeaderParser getAuthenticationHeaderParser() {
* Retrieve the username based on the authorization header. return authenticationHeaderParser;
* }
* @param httpHeaders
* @return Identified username
* @throws OS3Exception
*/
public String parseUsername(
@Context HttpHeaders httpHeaders) throws OS3Exception {
String auth = httpHeaders.getHeaderString("Authorization");
LOG.info("Auth header string {}", auth);
if (auth == null) { @VisibleForTesting
// In this case, adding resource as Authorization, need to revisit in public void setAuthenticationHeaderParser(AuthenticationHeaderParser parser) {
// future if it needs to be changed. this.authenticationHeaderParser = parser;
throw S3ErrorTable
.newError(S3ErrorTable.MALFORMED_HEADER, "Authorization");
}
String userName;
if (auth.startsWith("AWS4")) {
LOG.info("V4 Header {}", auth);
AuthorizationHeaderV4 authorizationHeader = new AuthorizationHeaderV4(
auth);
userName = authorizationHeader.getAccessKeyID().toLowerCase();
} else {
LOG.info("V2 Header {}", auth);
AuthorizationHeaderV2 authorizationHeader = new AuthorizationHeaderV2(
auth);
userName = authorizationHeader.getAccessKeyID().toLowerCase();
}
return userName;
} }
@VisibleForTesting @VisibleForTesting
public void setClient(OzoneClient ozoneClient) { public void setClient(OzoneClient ozoneClient) {
this.client = ozoneClient; this.client = ozoneClient;
} }
} }

View File

@ -20,8 +20,6 @@
import javax.ws.rs.GET; import javax.ws.rs.GET;
import javax.ws.rs.NotFoundException; import javax.ws.rs.NotFoundException;
import javax.ws.rs.Path; import javax.ws.rs.Path;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.HttpHeaders;
import java.io.IOException; import java.io.IOException;
import java.time.Instant; import java.time.Instant;
import java.util.Iterator; import java.util.Iterator;
@ -50,12 +48,12 @@ public class RootEndpoint extends EndpointBase {
* for more details. * for more details.
*/ */
@GET @GET
public ListBucketResponse get(@Context HttpHeaders headers) public ListBucketResponse get()
throws OS3Exception, IOException { throws OS3Exception, IOException {
OzoneVolume volume; OzoneVolume volume;
ListBucketResponse response = new ListBucketResponse(); ListBucketResponse response = new ListBucketResponse();
String volumeName = "s3" + parseUsername(headers).toLowerCase(); String volumeName = "s3" + getAuthenticationHeaderParser().getAccessKeyID();
try { try {
//TODO: we need a specific s3bucketlist endpoint instead //TODO: we need a specific s3bucketlist endpoint instead
// of reimplement the naming convention here // of reimplement the naming convention here

View File

@ -0,0 +1,61 @@
/**
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.apache.hadoop.ozone.s3.header;
import org.apache.hadoop.ozone.s3.exception.OS3Exception;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import javax.enterprise.context.RequestScoped;
/**
* Authentication Header parser to parse HttpHeader Authentication.
*/
@RequestScoped
public class AuthenticationHeaderParser {
private final static Logger LOG = LoggerFactory.getLogger(
AuthenticationHeaderParser.class);
private String authHeader;
private String accessKeyID;
public void parse() throws OS3Exception {
if (authHeader.startsWith("AWS4")) {
LOG.debug("V4 Header {}", authHeader);
AuthorizationHeaderV4 authorizationHeader = new AuthorizationHeaderV4(
authHeader);
accessKeyID = authorizationHeader.getAccessKeyID().toLowerCase();
} else {
LOG.debug("V2 Header {}", authHeader);
AuthorizationHeaderV2 authorizationHeader = new AuthorizationHeaderV2(
authHeader);
accessKeyID = authorizationHeader.getAccessKeyID().toLowerCase();
}
}
public String getAccessKeyID() throws OS3Exception {
parse();
return accessKeyID;
}
public void setAuthHeader(String header) {
this.authHeader = header;
}
}

View File

@ -19,6 +19,7 @@
import org.apache.hadoop.fs.InvalidRequestException; import org.apache.hadoop.fs.InvalidRequestException;
import org.apache.hadoop.hdds.conf.OzoneConfiguration; import org.apache.hadoop.hdds.conf.OzoneConfiguration;
import org.apache.hadoop.ozone.s3.header.AuthenticationHeaderParser;
import org.apache.hadoop.test.GenericTestUtils; import org.apache.hadoop.test.GenericTestUtils;
import org.glassfish.jersey.internal.PropertiesDelegate; import org.glassfish.jersey.internal.PropertiesDelegate;
import org.glassfish.jersey.server.ContainerRequest; import org.glassfish.jersey.server.ContainerRequest;
@ -41,6 +42,7 @@ public class TestVirtualHostStyleFilter {
private static OzoneConfiguration conf; private static OzoneConfiguration conf;
private static String s3HttpAddr; private static String s3HttpAddr;
private AuthenticationHeaderParser authenticationHeaderParser;
@Before @Before
public void setup() { public void setup() {
@ -48,6 +50,8 @@ public void setup() {
s3HttpAddr = "localhost:9878"; s3HttpAddr = "localhost:9878";
conf.set(S3GatewayConfigKeys.OZONE_S3G_HTTP_ADDRESS_KEY, s3HttpAddr); conf.set(S3GatewayConfigKeys.OZONE_S3G_HTTP_ADDRESS_KEY, s3HttpAddr);
conf.set(S3GatewayConfigKeys.OZONE_S3G_DOMAIN_NAME, s3HttpAddr); conf.set(S3GatewayConfigKeys.OZONE_S3G_DOMAIN_NAME, s3HttpAddr);
authenticationHeaderParser = new AuthenticationHeaderParser();
authenticationHeaderParser.setAuthHeader("AWS ozone:scret");
} }
/** /**
@ -99,6 +103,8 @@ public void testVirtualHostStyle() throws Exception {
VirtualHostStyleFilter virtualHostStyleFilter = VirtualHostStyleFilter virtualHostStyleFilter =
new VirtualHostStyleFilter(); new VirtualHostStyleFilter();
virtualHostStyleFilter.setConfiguration(conf); virtualHostStyleFilter.setConfiguration(conf);
virtualHostStyleFilter.setAuthenticationHeaderParser(
authenticationHeaderParser);
ContainerRequest containerRequest = createContainerRequest("mybucket" + ContainerRequest containerRequest = createContainerRequest("mybucket" +
".localhost:9878", "/myfile", null, true); ".localhost:9878", "/myfile", null, true);
@ -114,6 +120,8 @@ public void testPathStyle() throws Exception {
VirtualHostStyleFilter virtualHostStyleFilter = VirtualHostStyleFilter virtualHostStyleFilter =
new VirtualHostStyleFilter(); new VirtualHostStyleFilter();
virtualHostStyleFilter.setConfiguration(conf); virtualHostStyleFilter.setConfiguration(conf);
virtualHostStyleFilter.setAuthenticationHeaderParser(
authenticationHeaderParser);
ContainerRequest containerRequest = createContainerRequest(s3HttpAddr, ContainerRequest containerRequest = createContainerRequest(s3HttpAddr,
"/mybucket/myfile", null, false); "/mybucket/myfile", null, false);
@ -130,6 +138,8 @@ public void testVirtualHostStyleWithCreateBucketRequest() throws Exception {
VirtualHostStyleFilter virtualHostStyleFilter = VirtualHostStyleFilter virtualHostStyleFilter =
new VirtualHostStyleFilter(); new VirtualHostStyleFilter();
virtualHostStyleFilter.setConfiguration(conf); virtualHostStyleFilter.setConfiguration(conf);
virtualHostStyleFilter.setAuthenticationHeaderParser(
authenticationHeaderParser);
ContainerRequest containerRequest = createContainerRequest("mybucket" + ContainerRequest containerRequest = createContainerRequest("mybucket" +
".localhost:9878", null, null, true); ".localhost:9878", null, null, true);
@ -145,6 +155,8 @@ public void testVirtualHostStyleWithQueryParams() throws Exception {
VirtualHostStyleFilter virtualHostStyleFilter = VirtualHostStyleFilter virtualHostStyleFilter =
new VirtualHostStyleFilter(); new VirtualHostStyleFilter();
virtualHostStyleFilter.setConfiguration(conf); virtualHostStyleFilter.setConfiguration(conf);
virtualHostStyleFilter.setAuthenticationHeaderParser(
authenticationHeaderParser);
ContainerRequest containerRequest = createContainerRequest("mybucket" + ContainerRequest containerRequest = createContainerRequest("mybucket" +
".localhost:9878", null, "?prefix=bh", true); ".localhost:9878", null, "?prefix=bh", true);
@ -169,6 +181,8 @@ public void testVirtualHostStyleWithNoMatchingDomain() throws Exception {
VirtualHostStyleFilter virtualHostStyleFilter = VirtualHostStyleFilter virtualHostStyleFilter =
new VirtualHostStyleFilter(); new VirtualHostStyleFilter();
virtualHostStyleFilter.setConfiguration(conf); virtualHostStyleFilter.setConfiguration(conf);
virtualHostStyleFilter.setAuthenticationHeaderParser(
authenticationHeaderParser);
ContainerRequest containerRequest = createContainerRequest("mybucket" + ContainerRequest containerRequest = createContainerRequest("mybucket" +
".localhost:9999", null, null, true); ".localhost:9999", null, null, true);
@ -187,6 +201,8 @@ public void testIncorrectVirtualHostStyle() throws
VirtualHostStyleFilter virtualHostStyleFilter = VirtualHostStyleFilter virtualHostStyleFilter =
new VirtualHostStyleFilter(); new VirtualHostStyleFilter();
virtualHostStyleFilter.setConfiguration(conf); virtualHostStyleFilter.setConfiguration(conf);
virtualHostStyleFilter.setAuthenticationHeaderParser(
authenticationHeaderParser);
ContainerRequest containerRequest = createContainerRequest("mybucket" + ContainerRequest containerRequest = createContainerRequest("mybucket" +
"localhost:9878", null, null, true); "localhost:9878", null, null, true);

View File

@ -20,7 +20,6 @@
package org.apache.hadoop.ozone.s3.endpoint; package org.apache.hadoop.ozone.s3.endpoint;
import javax.ws.rs.core.HttpHeaders;
import org.apache.hadoop.ozone.client.ObjectStore; import org.apache.hadoop.ozone.client.ObjectStore;
import org.apache.hadoop.ozone.client.OzoneClientStub; import org.apache.hadoop.ozone.client.OzoneClientStub;
@ -28,21 +27,21 @@
import org.apache.commons.lang3.RandomStringUtils; import org.apache.commons.lang3.RandomStringUtils;
import static org.junit.Assert.assertEquals; import static org.junit.Assert.assertEquals;
import org.apache.hadoop.ozone.s3.header.AuthenticationHeaderParser;
import org.junit.Before; import org.junit.Before;
import org.junit.Test; import org.junit.Test;
import org.mockito.Mockito;
import static org.mockito.Mockito.when;
/** /**
* This class test HeadBucket functionality. * This class test HeadBucket functionality.
*/ */
public class TestRootList { public class TestRootList {
private String volumeName = "vol1";
private OzoneClientStub clientStub; private OzoneClientStub clientStub;
private ObjectStore objectStoreStub; private ObjectStore objectStoreStub;
private OzoneVolume volumeStub; private OzoneVolume volumeStub;
private RootEndpoint rootEndpoint; private RootEndpoint rootEndpoint;
private String userName = "ozone";
@Before @Before
public void setup() throws Exception { public void setup() throws Exception {
@ -50,21 +49,24 @@ public void setup() throws Exception {
//Create client stub and object store stub. //Create client stub and object store stub.
clientStub = new OzoneClientStub(); clientStub = new OzoneClientStub();
objectStoreStub = clientStub.getObjectStore(); objectStoreStub = clientStub.getObjectStore();
objectStoreStub.createVolume("s3key"); String volumeName = "s3" + userName;
volumeStub = objectStoreStub.getVolume("s3key"); objectStoreStub.createVolume(volumeName);
volumeStub = objectStoreStub.getVolume(volumeName);
// Create HeadBucket and setClient to OzoneClientStub // Create HeadBucket and setClient to OzoneClientStub
rootEndpoint = new RootEndpoint(); rootEndpoint = new RootEndpoint();
rootEndpoint.setClient(clientStub); rootEndpoint.setClient(clientStub);
AuthenticationHeaderParser parser = new AuthenticationHeaderParser();
parser.setAuthHeader("AWS " + userName +":secret");
rootEndpoint.setAuthenticationHeaderParser(parser);
} }
@Test @Test
public void testListBucket() throws Exception { public void testListBucket() throws Exception {
HttpHeaders headers = Mockito.mock(HttpHeaders.class);
when(headers.getHeaderString("Authorization")).thenReturn("AWS key:secret");
// List operation should success even there is no bucket. // List operation should success even there is no bucket.
ListBucketResponse response = rootEndpoint.get(headers); ListBucketResponse response = rootEndpoint.get();
assertEquals(0, response.getBucketsNum()); assertEquals(0, response.getBucketsNum());
String bucketBaseName = "bucket-"; String bucketBaseName = "bucket-";
@ -72,7 +74,7 @@ public void testListBucket() throws Exception {
volumeStub.createBucket( volumeStub.createBucket(
bucketBaseName + RandomStringUtils.randomNumeric(3)); bucketBaseName + RandomStringUtils.randomNumeric(3));
} }
response = rootEndpoint.get(headers); response = rootEndpoint.get();
assertEquals(10, response.getBucketsNum()); assertEquals(10, response.getBucketsNum());
} }