YARN-8197. Fixed AM IP Filter and Webapp proxy to redirect app tracking-URLs correctly when UI is secure. Contributed by Sunil Govindan.

Vinod Kumar Vavilapalli (I am also known as @tshooter.) 2018-05-31 16:48:33 -07:00
parent 32671d8713
commit 6b74f5d7fc
4 changed files with 220 additions and 4 deletions


@ -51,6 +51,19 @@
<scope>test</scope> <scope>test</scope>
</dependency> </dependency>
<dependency>
<groupId>org.apache.hadoop</groupId>
<artifactId>hadoop-auth</artifactId>
<type>test-jar</type>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.apache.hadoop</groupId>
<artifactId>hadoop-minikdc</artifactId>
<scope>provided</scope>
</dependency>
<dependency> <dependency>
<groupId>org.mockito</groupId> <groupId>org.mockito</groupId>
<artifactId>mockito-all</artifactId> <artifactId>mockito-all</artifactId>
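Review bot: `hadoop-minikdc` is added with `<scope>provided</scope>` while the neighbouring `hadoop-auth` test-jar in the same hunk uses `<scope>test</scope>`; if MiniKdc is only needed by the new test class, `<scope>test</scope>` keeps it and its transitive dependencies off the module's main compile classpath. I cannot see from this hunk whether any main code in the module references MiniKdc, so this is a question rather than a defect.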


@ -20,6 +20,7 @@
import com.google.common.annotations.VisibleForTesting; import com.google.common.annotations.VisibleForTesting;
import org.apache.hadoop.classification.InterfaceAudience.Public; import org.apache.hadoop.classification.InterfaceAudience.Public;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.util.Time; import org.apache.hadoop.util.Time;
import org.apache.hadoop.yarn.server.webproxy.ProxyUtils; import org.apache.hadoop.yarn.server.webproxy.ProxyUtils;
import org.apache.hadoop.yarn.server.webproxy.WebAppProxyServlet; import org.apache.hadoop.yarn.server.webproxy.WebAppProxyServlet;
@ -216,15 +217,25 @@ public String findRedirectUrl() throws ServletException {
return addr; return addr;
} }
private boolean isValidUrl(String url) { @VisibleForTesting
public boolean isValidUrl(String url) {
boolean isValid = false; boolean isValid = false;
try { try {
HttpURLConnection conn = HttpURLConnection conn = (HttpURLConnection) new URL(url)
(HttpURLConnection) new URL(url).openConnection(); .openConnection();
conn.connect(); conn.connect();
isValid = conn.getResponseCode() == HttpURLConnection.HTTP_OK; isValid = conn.getResponseCode() == HttpURLConnection.HTTP_OK;
// If security is enabled, any valid RM which can give 401 Unauthorized is
// good enough to access. Since AM doesn't have enough credential, auth
// cannot be completed and hence 401 is fine in such case.
if (!isValid && UserGroupInformation.isSecurityEnabled()) {
isValid = (conn
.getResponseCode() == HttpURLConnection.HTTP_UNAUTHORIZED)
|| (conn.getResponseCode() == HttpURLConnection.HTTP_FORBIDDEN);
return isValid;
}
} catch (Exception e) { } catch (Exception e) {
LOG.debug("Failed to connect to " + url + ": " + e.toString()); LOG.warn("Failed to connect to " + url + ": " + e.toString());
} }
return isValid; return isValid;
} }
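Review bot: The `return isValid;` inside the new security branch of `isValidUrl` is redundant, since control falls through to the identical `return isValid;` after the try, and the branch calls `conn.getResponseCode()` twice; reading the code once into a local and dropping the inner return is clearer. The comment above the branch justifies only the 401 case, but the condition also accepts 403, so it should state why a forbidden response is taken as a sign of a reachable RM. Because the AM presents no credentials, any endpoint that answers 401 or 403 now passes the secure check, which is looser than the 200 check on the insecure path; if the intent is to recognise a SPNEGO-protected RM specifically, inspecting the `WWW-Authenticate` header on the 401 would tighten it (I cannot see from the hunk whether callers depend on the looser behaviour). The `HttpURLConnection` is also never released with `conn.disconnect()` on either path, which predates this change.
```java
      conn.connect();
      int code = conn.getResponseCode();
      isValid = code == HttpURLConnection.HTTP_OK;
      // With security enabled the AM has no credentials for the RM web UI, so
      // a 401 (or 403) from a reachable RM is taken as proof that it is up; a
      // 200 cannot be obtained on this path.
      if (!isValid && UserGroupInformation.isSecurityEnabled()) {
        isValid = code == HttpURLConnection.HTTP_UNAUTHORIZED
            || code == HttpURLConnection.HTTP_FORBIDDEN;
      }
      // … unchanged: catch block, warn log and final return …
```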


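--- /dev/null
+++ b/[path not shown]/org/apache/hadoop/yarn/server/webproxy/amfilter/TestSecureAmFilter.java
@@ -0,0 +1,159 @@
+/**
+* Licensed to the Apache Software Foundation (ASF) under one
+* or more contributor license agreements. See the NOTICE file
+* distributed with this work for additional information
+* regarding copyright ownership. The ASF licenses this file
+* to you under the Apache License, Version 2.0 (the
+* "License"); you may not use this file except in compliance
+* with the License. You may obtain a copy of the License at
+*
+* http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+package org.apache.hadoop.yarn.server.webproxy.amfilter;
+import java.io.File;
+import java.net.URI;
+import java.net.URL;
+import java.util.Set;
+import java.util.HashSet;
+import java.util.HashMap;
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertTrue;
+import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.fs.CommonConfigurationKeysPublic;
+import org.apache.hadoop.http.HttpServer2;
+import org.apache.hadoop.minikdc.MiniKdc;
+import org.apache.hadoop.net.NetUtils;
+import org.apache.hadoop.security.UserGroupInformation;
+import org.apache.hadoop.security.authentication.KerberosTestUtils;
+import org.apache.hadoop.security.authorize.AccessControlList;
+import org.apache.hadoop.yarn.conf.YarnConfiguration;
+import org.apache.hadoop.yarn.server.security.http.RMAuthenticationFilterInitializer;
+import org.junit.AfterClass;
+import org.junit.BeforeClass;
+import org.junit.Test;
+import org.mockito.Mockito;
+/**
+* Test AmIpFilter. Requests to a no declared hosts should has way through
+* proxy. Another requests can be filtered with (without) user name.
+*
+*/
+public class TestSecureAmFilter {
+private String proxyHost = "localhost";
+private static final File TEST_ROOT_DIR = new File("target",
+TestSecureAmFilter.class.getName() + "-root");
+private static File httpSpnegoKeytabFile = new File(
+KerberosTestUtils.getKeytabFile());
+private static Configuration rmconf = new Configuration();
+private static String httpSpnegoPrincipal = KerberosTestUtils
+.getServerPrincipal();
+private static boolean miniKDCStarted = false;
+private static MiniKdc testMiniKDC;
+@BeforeClass
+public static void setUp() {
+rmconf.setBoolean(YarnConfiguration.YARN_ACL_ENABLE, true);
+rmconf.set(CommonConfigurationKeysPublic.HADOOP_SECURITY_AUTHENTICATION,
+"kerberos");
+rmconf.setBoolean(YarnConfiguration.RM_WEBAPP_DELEGATION_TOKEN_AUTH_FILTER,
+true);
+rmconf.set("hadoop.http.filter.initializers",
+RMAuthenticationFilterInitializer.class.getName());
+rmconf.set(YarnConfiguration.RM_WEBAPP_SPNEGO_USER_NAME_KEY,
+httpSpnegoPrincipal);
+rmconf.set(YarnConfiguration.RM_KEYTAB,
+httpSpnegoKeytabFile.getAbsolutePath());
+rmconf.set(YarnConfiguration.RM_WEBAPP_SPNEGO_KEYTAB_FILE_KEY,
+httpSpnegoKeytabFile.getAbsolutePath());
+UserGroupInformation.setConfiguration(rmconf);
+try {
+testMiniKDC = new MiniKdc(MiniKdc.createConf(), TEST_ROOT_DIR);
+setupKDC();
+} catch (Exception e) {
+assertTrue("Couldn't create MiniKDC", false);
+}
+}
+@AfterClass
+public static void tearDown() {
+if (testMiniKDC != null) {
+testMiniKDC.stop();
+}
+}
+private static void setupKDC() throws Exception {
+if (!miniKDCStarted) {
+testMiniKDC.start();
+getKdc().createPrincipal(httpSpnegoKeytabFile, "HTTP/localhost");
+miniKDCStarted = true;
+}
+}
+private static MiniKdc getKdc() {
+return testMiniKDC;
+}
+private class TestAmIpFilter extends AmIpFilter {
+private Set<String> proxyAddresses = null;
+protected Set<String> getProxyAddresses() {
+if (proxyAddresses == null) {
+proxyAddresses = new HashSet<String>();
+}
+proxyAddresses.add(proxyHost);
+return proxyAddresses;
+}
+}
+@Test
+public void testFindRedirectUrl() throws Exception {
+final String rm1 = "rm1";
+final String rm2 = "rm2";
+// generate a valid URL
+final String rm1Url = startSecureHttpServer();
+// invalid url
+final String rm2Url = "host2:8088";
+TestAmIpFilter filter = new TestAmIpFilter();
+TestAmIpFilter spy = Mockito.spy(filter);
+// make sure findRedirectUrl() go to HA branch
+spy.proxyUriBases = new HashMap<>();
+spy.proxyUriBases.put(rm1, rm1Url);
+spy.proxyUriBases.put(rm2, rm2Url);
+spy.rmUrls = new String[] {rm1, rm2};
+assertTrue(spy.isValidUrl(rm1Url));
+assertFalse(spy.isValidUrl(rm2Url));
+assertEquals(spy.findRedirectUrl(), rm1Url);
+}
+private String startSecureHttpServer() throws Exception {
+HttpServer2.Builder builder = new HttpServer2.Builder()
+.setName("test").setConf(rmconf)
+.addEndpoint(new URI("http://localhost")).setACL(
+new AccessControlList(rmconf.get(YarnConfiguration.YARN_ADMIN_ACL,
+YarnConfiguration.DEFAULT_YARN_ADMIN_ACL)));
+builder.setUsernameConfKey(YarnConfiguration.RM_WEBAPP_SPNEGO_USER_NAME_KEY)
+.setKeytabConfKey(YarnConfiguration.RM_WEBAPP_SPNEGO_KEYTAB_FILE_KEY)
+.setSecurityEnabled(UserGroupInformation.isSecurityEnabled());
+HttpServer2 server = builder.build();
+server.start();
+URL baseUrl = new URL(
+"http://" + NetUtils.getHostPortString(server.getConnectorAddress(0)));
+return baseUrl.toString();
+}
+}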
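Review bot: The `HttpServer2` started in `startSecureHttpServer()` is never stopped, so the listener it binds in `testFindRedirectUrl` stays open after the test; keeping it in a static field and calling `server.stop()` from `tearDown` releases it. In `setUp`, `assertTrue("Couldn't create MiniKDC", false)` discards the caught exception, so a KDC start failure is reported without its cause; declaring `public static void setUp() throws Exception {` and removing the try/catch preserves the stack trace. The class Javadoc reads oddly ("Requests to a no declared hosts should has way through proxy") and does not describe this test; something like `Tests AmIpFilter with Kerberos security enabled: a reachable secure RM URL is accepted and chosen as the redirect target, an invalid one is rejected.` would.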


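--- /dev/null
+++ b/[path not shown] (krb5.conf template)
@@ -0,0 +1,33 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+[libdefaults]
+default_realm = APACHE.ORG
+extra_addresses = 127.0.0.1
+kdc_realm = _REALM_
+udp_preference_limit = _UDP_LIMIT_
+#_KDC_TCP_PORT_
+#_KDC_UDP_PORT_
+[realms]
+_REALM_ = {
+admin_server = localhost:_KDC_PORT_
+kdc = localhost:_KDC_PORT_
+}
+[domain_realm]
+localhost = _REALM_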