big-data/hadoop
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

YARN-8217. RmAuthenticationFilterInitializer and TimelineAuthenticationFilterInitializer should use Configuration.getPropsWithPrefix instead of iterator. Contributed by Suma Shivaprasad.

Browse Source
This commit is contained in:
Rohith Sharma K S 2018-05-03 10:01:02 +05:30
parent 85381c7b60
commit ee2ce923a9
3 changed files with 98 additions and 81 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

51
hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-common/src/main/java/org/apache/hadoop/yarn/server/security/http/RMAuthenticationFilterInitializer.java
View File

@ -18,23 +18,13 @@
package org.apache.hadoop.yarn.server.security.http; package org.apache.hadoop.yarn.server.security.http;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStreamReader;
import java.io.Reader;
import java.util.HashMap;
import java.util.Map; import java.util.Map;
import org.apache.commons.io.IOUtils;
import org.apache.hadoop.classification.InterfaceStability.Unstable; import org.apache.hadoop.classification.InterfaceStability.Unstable;
import org.apache.hadoop.conf.Configuration; import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.http.FilterContainer; import org.apache.hadoop.http.FilterContainer;
import org.apache.hadoop.http.FilterInitializer; import org.apache.hadoop.http.FilterInitializer;
import org.apache.hadoop.http.HttpServer2; import org.apache.hadoop.security.AuthenticationFilterInitializer;
import org.apache.hadoop.security.SecurityUtil;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.authentication.server.AuthenticationFilter;
import org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler;
import org.apache.hadoop.security.authorize.ProxyUsers; import org.apache.hadoop.security.authorize.ProxyUsers;
import org.apache.hadoop.security.token.delegation.web.DelegationTokenAuthenticationHandler; import org.apache.hadoop.security.token.delegation.web.DelegationTokenAuthenticationHandler;
import org.apache.hadoop.yarn.security.client.RMDelegationTokenIdentifier; import org.apache.hadoop.yarn.security.client.RMDelegationTokenIdentifier;
@ -43,48 +33,23 @@
public class RMAuthenticationFilterInitializer extends FilterInitializer { public class RMAuthenticationFilterInitializer extends FilterInitializer {
String configPrefix; String configPrefix;
String kerberosPrincipalProperty;
String cookiePath;
public RMAuthenticationFilterInitializer() { public RMAuthenticationFilterInitializer() {
this.configPrefix = "hadoop.http.authentication."; this.configPrefix = "hadoop.http.authentication.";
this.kerberosPrincipalProperty = KerberosAuthenticationHandler.PRINCIPAL;
this.cookiePath = "/";
} }
protected Map<String, String> createFilterConfig(Configuration conf) { protected Map<String, String> createFilterConfig(Configuration conf) {
Map<String, String> filterConfig = new HashMap<String, String>(); Map<String, String> filterConfig = AuthenticationFilterInitializer
.getFilterConfigMap(conf, configPrefix);
// setting the cookie path to root '/' so it is used for all resources.
filterConfig.put(AuthenticationFilter.COOKIE_PATH, cookiePath);
// Before conf object is passed in, RM has already processed it and used RM // Before conf object is passed in, RM has already processed it and used RM
// specific configs to overwrite hadoop common ones. Hence we just need to // specific configs to overwrite hadoop common ones. Hence we just need to
// source hadoop.proxyuser configs here. // source hadoop.proxyuser configs here.
for (Map.Entry<String, String> entry : conf) {
String propName = entry.getKey();
if (propName.startsWith(configPrefix)) {
String value = conf.get(propName);
String name = propName.substring(configPrefix.length());
filterConfig.put(name, value);
} else if (propName.startsWith(ProxyUsers.CONF_HADOOP_PROXYUSER)) {
String value = conf.get(propName);
String name = propName.substring("hadoop.".length());
filterConfig.put(name, value);
}
}
// Resolve _HOST into bind address //Add proxy user configs
String bindAddress = conf.get(HttpServer2.BIND_ADDRESS); for (Map.Entry<String, String> entry : conf.
String principal = filterConfig.get(kerberosPrincipalProperty); getPropsWithPrefix(ProxyUsers.CONF_HADOOP_PROXYUSER).entrySet()) {
if (principal != null) { filterConfig.put("proxyuser" + entry.getKey(), entry.getValue());
try {
principal = SecurityUtil.getServerPrincipal(principal, bindAddress);
} catch (IOException ex) {
throw new RuntimeException(
"Could not resolve Kerberos principal name: " + ex.toString(), ex);
}
filterConfig.put(KerberosAuthenticationHandler.PRINCIPAL, principal);
} }
filterConfig.put(DelegationTokenAuthenticationHandler.TOKEN_KIND, filterConfig.put(DelegationTokenAuthenticationHandler.TOKEN_KIND,
@ -95,10 +60,8 @@ protected Map<String, String> createFilterConfig(Configuration conf) {
@Override @Override
public void initFilter(FilterContainer container, Configuration conf) { public void initFilter(FilterContainer container, Configuration conf) {
Map<String, String> filterConfig = createFilterConfig(conf); Map<String, String> filterConfig = createFilterConfig(conf);
container.addFilter("RMAuthenticationFilter", container.addFilter("RMAuthenticationFilter",
RMAuthenticationFilter.class.getName(), filterConfig); RMAuthenticationFilter.class.getName(), filterConfig);
} }
} }

47
hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-common/src/main/java/org/apache/hadoop/yarn/server/timeline/security/TimelineAuthenticationFilterInitializer.java
View File

@ -22,8 +22,7 @@
import org.apache.hadoop.conf.Configuration; import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.http.FilterContainer; import org.apache.hadoop.http.FilterContainer;
import org.apache.hadoop.http.FilterInitializer; import org.apache.hadoop.http.FilterInitializer;
import org.apache.hadoop.http.HttpServer2; import org.apache.hadoop.security.AuthenticationFilterInitializer;
import org.apache.hadoop.security.SecurityUtil;
import org.apache.hadoop.security.authentication.server.AuthenticationFilter; import org.apache.hadoop.security.authentication.server.AuthenticationFilter;
import org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler; import org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler;
import org.apache.hadoop.security.authentication.server.PseudoAuthenticationHandler; import org.apache.hadoop.security.authentication.server.PseudoAuthenticationHandler;
@ -33,7 +32,6 @@
import org.apache.hadoop.security.token.delegation.web.PseudoDelegationTokenAuthenticationHandler; import org.apache.hadoop.security.token.delegation.web.PseudoDelegationTokenAuthenticationHandler;
import org.apache.hadoop.yarn.security.client.TimelineDelegationTokenIdentifier; import org.apache.hadoop.yarn.security.client.TimelineDelegationTokenIdentifier;
import java.io.IOException;
import java.util.HashMap; import java.util.HashMap;
import java.util.Map; import java.util.Map;
@ -62,42 +60,17 @@ public class TimelineAuthenticationFilterInitializer extends FilterInitializer {
protected void setAuthFilterConfig(Configuration conf) { protected void setAuthFilterConfig(Configuration conf) {
filterConfig = new HashMap<String, String>(); filterConfig = new HashMap<String, String>();
// setting the cookie path to root '/' so it is used for all resources. for (Map.Entry<String, String> entry : conf
filterConfig.put(AuthenticationFilter.COOKIE_PATH, "/"); .getPropsWithPrefix(ProxyUsers.CONF_HADOOP_PROXYUSER).entrySet()) {
filterConfig.put("proxyuser" + entry.getKey(), entry.getValue());
for (Map.Entry<String, String> entry : conf) {
String name = entry.getKey();
if (name.startsWith(ProxyUsers.CONF_HADOOP_PROXYUSER)) {
String value = conf.get(name);
name = name.substring("hadoop.".length());
filterConfig.put(name, value);
}
}
for (Map.Entry<String, String> entry : conf) {
String name = entry.getKey();
if (name.startsWith(PREFIX)) {
// yarn.timeline-service.http-authentication.proxyuser will override
// hadoop.proxyuser
String value = conf.get(name);
name = name.substring(PREFIX.length());
filterConfig.put(name, value);
}
} }
// Resolve _HOST into bind address // yarn.timeline-service.http-authentication.proxyuser will override
String bindAddress = conf.get(HttpServer2.BIND_ADDRESS); // hadoop.proxyuser
String principal = Map<String, String> timelineAuthProps =
filterConfig.get(KerberosAuthenticationHandler.PRINCIPAL); AuthenticationFilterInitializer.getFilterConfigMap(conf, PREFIX);
if (principal != null) {
try { filterConfig.putAll(timelineAuthProps);
principal = SecurityUtil.getServerPrincipal(principal, bindAddress);
} catch (IOException ex) {
throw new RuntimeException("Could not resolve Kerberos principal " +
"name: " + ex.toString(), ex);
}
filterConfig.put(KerberosAuthenticationHandler.PRINCIPAL,
principal);
}
} }
protected Map<String, String> getFilterConfig() { protected Map<String, String> getFilterConfig() {

81
hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/security/TestRMAuthenticationFilter.java Normal file
View File

@ -0,0 +1,81 @@
/**
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
* <p>
* http://www.apache.org/licenses/LICENSE-2.0
* <p>
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.apache.hadoop.yarn.server.resourcemanager.security;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.http.FilterContainer;
import org.apache.hadoop.http.HttpServer2;
import org.apache.hadoop.yarn.server.security.http.RMAuthenticationFilter;
import org.apache.hadoop.yarn.server.security.http
.RMAuthenticationFilterInitializer;
import org.junit.Test;
import org.mockito.Mockito;
import org.mockito.invocation.InvocationOnMock;
import org.mockito.stubbing.Answer;
import java.util.Map;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertNull;
/**
* Test RM Auth filter.
*/
public class TestRMAuthenticationFilter {
@SuppressWarnings("unchecked")
@Test
public void testConfiguration() throws Exception {
Configuration conf = new Configuration();
conf.set("hadoop.http.authentication.foo", "bar");
conf.set("hadoop.proxyuser.user.foo", "bar1");
conf.set(HttpServer2.BIND_ADDRESS, "barhost");
FilterContainer container = Mockito.mock(FilterContainer.class);
Mockito.doAnswer(new Answer() {
@Override
public Object answer(InvocationOnMock invocationOnMock) throws Throwable {
Object[] args = invocationOnMock.getArguments();
assertEquals("RMAuthenticationFilter", args[0]);
assertEquals(RMAuthenticationFilter.class.getName(), args[1]);
Map<String, String> conf = (Map<String, String>) args[2];
assertEquals("/", conf.get("cookie.path"));
assertEquals("simple", conf.get("type"));
assertEquals("36000", conf.get("token.validity"));
assertNull(conf.get("cookie.domain"));
assertEquals("true", conf.get("simple.anonymous.allowed"));
assertEquals("HTTP/barhost@LOCALHOST", conf.get("kerberos.principal"));
assertEquals(System.getProperty("user.home") + "/hadoop.keytab",
conf.get("kerberos.keytab"));
assertEquals("bar", conf.get("foo"));
assertEquals("bar1", conf.get("proxyuser.user.foo"));
return null;
}
}).when(container).addFilter(Mockito.<String>anyObject(),
Mockito.<String>anyObject(), Mockito.<Map<String, String>>anyObject());
new RMAuthenticationFilterInitializer().initFilter(container, conf);
}
}