From f71eb51ab8109c14e8e921751dd5de603bdf2bde Mon Sep 17 00:00:00 2001
From: Steve Loughran
* The authentication mechanisms supported by default are Hadoop Simple authentication
* (also known as pseudo authentication) and Kerberos SPNEGO authentication.
- *
* Additional authentication mechanisms can be supported via {@link Authenticator} implementations.
- *
* The default {@link Authenticator} is the {@link KerberosAuthenticator} class which supports
* automatic fallback from Kerberos SPNEGO to Hadoop Simple authentication.
- *
*
* The usage pattern of the {@link AuthenticatedURL} is:
- *
* This method is used by {@link Authenticator} implementations.
*
* @param conn connection to extract the authentication token from.
diff --git a/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/client/Authenticator.java b/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/client/Authenticator.java
index e7bae4a891..6828970fdb 100644
--- a/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/client/Authenticator.java
+++ b/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/client/Authenticator.java
@@ -19,7 +19,7 @@
/**
* Interface for client authentication mechanisms.
- *
* Implementations are use-once instances, they don't need to be thread safe.
*/
public interface Authenticator {
diff --git a/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/client/KerberosAuthenticator.java b/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/client/KerberosAuthenticator.java
index 928866c532..323b019eb8 100644
--- a/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/client/KerberosAuthenticator.java
+++ b/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/client/KerberosAuthenticator.java
@@ -43,9 +43,9 @@
/**
* The {@link KerberosAuthenticator} implements the Kerberos SPNEGO authentication sequence.
- *
* It uses the default principal for the Kerberos cache (normally set via kinit).
- *
* It falls back to the {@link PseudoAuthenticator} if the HTTP endpoint does not trigger an SPNEGO authentication
* sequence.
*/
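Review bot: The class comment of KerberosAuthenticator mentions the fallback to {@link PseudoAuthenticator} without saying what it means for the caller: when the endpoint does not trigger an SPNEGO sequence, the client silently continues with an identity that nothing verifies. While this paragraph is being edited, consider adding a sentence such as `* Note that after a fallback the connection is not Kerberos-authenticated; callers that require Kerberos should supply a different fallback {@link Authenticator}.` Only the comment is visible in this hunk, so whether the fallback can be replaced should be confirmed against the class before the second half is added.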
@@ -162,9 +162,9 @@ public void setConnectionConfigurator(ConnectionConfigurator configurator) {
/**
* Performs SPNEGO authentication against the specified URL.
- *
* If a token is given it does a NOP and returns the given token.
- *
* If no token is given, it will perform the SPNEGO authentication sequence using an
* HTTP
* This implementation returns a {@link PseudoAuthenticator}.
*
* @return the fallback {@link Authenticator}.
diff --git a/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/client/PseudoAuthenticator.java b/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/client/PseudoAuthenticator.java
index f534be9b20..46d94b88de 100644
--- a/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/client/PseudoAuthenticator.java
+++ b/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/client/PseudoAuthenticator.java
@@ -20,7 +20,7 @@
/**
* The {@link PseudoAuthenticator} implementation provides an authentication equivalent to Hadoop's
* Simple authentication, it trusts the value of the 'user.name' Java System property.
- *
* The 'user.name' value is propagated using an additional query string parameter {@link #USER_NAME} ('user.name').
*/
public class PseudoAuthenticator implements Authenticator {
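Review bot: The class comment says the mechanism trusts the 'user.name' system property and sends it as a query string parameter, but it does not say that this value is asserted by the client and is not verified by anything described here. A reader choosing between authenticators needs that stated; consider adding `* This mechanism identifies the caller but does not authenticate it: any client can present any user name.` after the sentence about {@link #USER_NAME}. The class body lies outside the hunk.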
@@ -47,13 +47,13 @@ public void setConnectionConfigurator(ConnectionConfigurator configurator) {
/**
* Performs simple authentication against the specified URL.
- *
* If a token is given it does a NOP and returns the given token.
- *
* If no token is given, it will perform an HTTP
* If the response is successful it will update the authentication token.
*
* @param url the URl to authenticate against.
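Review bot: `the URl` in the `@param url` line is a typo that this Javadoc clean-up leaves in place; it should read `* @param url the URL to authenticate against.`. The comment and the method it documents continue outside the hunk.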
@@ -79,7 +79,7 @@ public void authenticate(URL url, AuthenticatedURL.Token token) throws IOExcepti
/**
* Returns the current user name.
- *
* This implementation returns the value of the Java system property 'user.name'
*
* @return the current user name.
diff --git a/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/AltKerberosAuthenticationHandler.java b/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/AltKerberosAuthenticationHandler.java
index e786e37df8..987330fa0e 100644
--- a/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/AltKerberosAuthenticationHandler.java
+++ b/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/AltKerberosAuthenticationHandler.java
@@ -28,7 +28,6 @@
* to allow a developer to implement their own custom authentication for browser
* access. The alternateAuthenticate method will be called whenever a request
* comes from a browser.
- *
* A User-Agent String is considered to be a browser if it does not contain
* any of the values from alt-kerberos.non-browser.user-agents; the default
* behavior is to consider everything a browser unless it contains one of:
diff --git a/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/AuthenticationFilter.java b/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/AuthenticationFilter.java
index 0ac352ba2d..e891ed2623 100644
--- a/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/AuthenticationFilter.java
+++ b/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/AuthenticationFilter.java
@@ -44,18 +44,20 @@
import java.util.*;
/**
- * The {@link AuthenticationFilter} enables protecting web application resources with different (pluggable)
+ * The {@link AuthenticationFilter} enables protecting web application
+ * resources with different (pluggable)
* authentication mechanisms and signer secret providers.
- * AuthenticatedURL
instances are not thread-safe.
- *
*
* // establishing an initial connection
@@ -240,7 +239,7 @@ public static void injectToken(HttpURLConnection conn, Token token) {
/**
* Helper method that extracts an authentication token received from a connection.
- *
+ *
OPTIONS
request.
*
@@ -211,7 +211,7 @@ public void authenticate(URL url, AuthenticatedURL.Token token)
/**
* If the specified URL does not support SPNEGO authentication, a fallback {@link Authenticator} will be used.
- * OPTIONS
request injecting an additional
* parameter {@link #USER_NAME} in the query string with the value returned by the {@link #getUserName()}
* method.
- *
* Out of the box it provides 2 authentication mechanisms: Pseudo and Kerberos SPNEGO. - *
+ * * Additional authentication mechanisms are supported via the {@link AuthenticationHandler} interface. - * + ** This filter delegates to the configured authentication handler for authentication and once it obtains an * {@link AuthenticationToken} from it, sets a signed HTTP cookie with the token. For client requests * that provide the signed HTTP cookie, it verifies the validity of the cookie, extracts the user information * and lets the request proceed to the target resource. - *
+ * * The supported configuration properties are: ** The rest of the configuration properties are specific to the {@link AuthenticationHandler} implementation and the * {@link AuthenticationFilter} will take all the properties that start with the prefix #PREFIX#, it will remove * the prefix from it and it will pass them to the the authentication handler for initialization. Properties that do * not start with the prefix will not be passed to the authentication handler initialization. - *
+ * + ** Out of the box it provides 3 signer secret provider implementations: * "string", "random", and "zookeeper" - *
+ * * Additional signer secret providers are supported via the * {@link SignerSecretProvider} class. - * + ** For the HTTP cookies mentioned above, the SignerSecretProvider is used to * determine the secret to use for signing the cookies. Different * implementations can have different behaviors. The "string" implementation @@ -94,7 +97,7 @@ * [#PREFIX#.]token.validity mentioned above. The "zookeeper" implementation * is like the "random" one, except that it synchronizes the random secret * and rollovers between multiple servers; it's meant for HA services. - *
+ * * The relevant configuration properties are: ** The "zookeeper" implementation has additional configuration properties that * must be specified; see {@link ZKSignerSecretProvider} for details. - *
+ * * For subclasses of AuthenticationFilter that want additional control over the * SignerSecretProvider, they can use the following attribute set in the * ServletContext: @@ -190,10 +193,9 @@ public class AuthenticationFilter implements Filter { private String cookiePath; /** - * Initializes the authentication filter and signer secret provider. - * - * It instantiates and initializes the specified {@link AuthenticationHandler}. - * + *Initializes the authentication filter and signer secret provider.
+ * It instantiates and initializes the specified {@link + * AuthenticationHandler}. * * @param filterConfig filter configuration. * @@ -375,7 +377,7 @@ protected String getCookiePath() { /** * Destroys the filter. - * + ** It invokes the {@link AuthenticationHandler#destroy()} method to release any resources it may hold. */ @Override @@ -393,7 +395,7 @@ public void destroy() { * Returns the filtered configuration (only properties starting with the specified prefix). The property keys * are also trimmed from the prefix. The returned {@link Properties} object is used to initialized the * {@link AuthenticationHandler}. - *
+ ** This method can be overriden by subclasses to obtain the configuration from other configuration source than * the web.xml file. * @@ -419,7 +421,7 @@ protected Properties getConfiguration(String configPrefix, FilterConfig filterCo /** * Returns the full URL of the request including the query string. - *
+ ** Used as a convenience method for logging purposes. * * @param request the request object. @@ -436,11 +438,11 @@ protected String getRequestURL(HttpServletRequest request) { /** * Returns the {@link AuthenticationToken} for the request. - *
+ ** It looks at the received HTTP cookies and extracts the value of the {@link AuthenticatedURL#AUTH_COOKIE} * if present. It verifies the signature and if correct it creates the {@link AuthenticationToken} and returns * it. - *
+ *
* If this method returns null
the filter will invoke the configured {@link AuthenticationHandler}
* to perform user authentication.
*
@@ -597,7 +599,7 @@ protected void doFilter(FilterChain filterChain, HttpServletRequest request,
*
* @param token authentication token for the cookie.
* @param expires UNIX timestamp that indicates the expire date of the
- * cookie. It has no effect if its value < 0.
+ * cookie. It has no effect if its value < 0.
*
* XXX the following code duplicate some logic in Jetty / Servlet API,
* because of the fact that Hadoop is stuck at servlet 2.5 and jetty 6
diff --git a/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/AuthenticationHandler.java b/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/AuthenticationHandler.java
index 04984be5a7..797e95a689 100644
--- a/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/AuthenticationHandler.java
+++ b/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/AuthenticationHandler.java
@@ -24,9 +24,7 @@
/**
* Interface for server authentication mechanisms.
- *
* This method is invoked by the {@link AuthenticationFilter#init} method. * * @param config configuration properties to initialize the handler. @@ -56,21 +53,21 @@ public interface AuthenticationHandler { /** * Destroys the authentication handler instance. - *
+ ** This method is invoked by the {@link AuthenticationFilter#destroy} method. */ public void destroy(); /** * Performs an authentication management operation. - *
+ ** This is useful for handling operations like get/renew/cancel * delegation tokens which are being handled as operations of the * service end-point. - *
+ *
* If the method returns TRUE
the request will continue normal
* processing, this means the method has not produced any HTTP response.
- *
* If the method returns FALSE
the request will end, this means
* the method has produced the corresponding HTTP response.
*
@@ -91,17 +88,17 @@ public boolean managementOperation(AuthenticationToken token,
/**
* Performs an authentication step for the given HTTP client request.
- *
* This method is invoked by the {@link AuthenticationFilter} only if the HTTP client request is * not yet authenticated. - *
+ ** Depending upon the authentication mechanism being implemented, a particular HTTP client may * end up making a sequence of invocations before authentication is successfully established (this is * the case of Kerberos SPNEGO). - *
+ ** This method must return an {@link AuthenticationToken} only if the the HTTP client request has * been successfully and fully authenticated. - *
+ *
* If the HTTP client request has not been completely authenticated, this method must take over
* the corresponding HTTP response and it must return null
.
*
diff --git a/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/AuthenticationToken.java b/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/AuthenticationToken.java
index ff68847c8a..bb3e71da61 100644
--- a/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/AuthenticationToken.java
+++ b/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/AuthenticationToken.java
@@ -29,7 +29,7 @@
* The {@link AuthenticationToken} contains information about an authenticated
* HTTP client and doubles as the {@link Principal} to be returned by
* authenticated {@link HttpServletRequest}s
- *
* The token can be serialized/deserialized to and from a string as it is sent * and received in HTTP client responses and requests as a HTTP cookie (this is * done by the {@link AuthenticationFilter}). @@ -170,7 +170,7 @@ public boolean isExpired() { /** * Returns the string representation of the token. - *
+ ** This string representation is parseable by the {@link #parse} method. * * @return the string representation of the token. diff --git a/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/KerberosAuthenticationHandler.java b/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/KerberosAuthenticationHandler.java index 92bc57c413..846541b162 100644 --- a/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/KerberosAuthenticationHandler.java +++ b/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/KerberosAuthenticationHandler.java @@ -51,7 +51,7 @@ /** * The {@link KerberosAuthenticationHandler} implements the Kerberos SPNEGO authentication mechanism for HTTP. - *
+ ** The supported configuration properties are: *
* It creates a Kerberos context using the principal and keytab specified in the configuration. - *
+ ** This method is invoked by the {@link AuthenticationFilter#init} method. * * @param config configuration properties to initialize the handler. @@ -243,7 +243,7 @@ public GSSManager run() throws Exception { /** * Releases any resources initialized by the authentication handler. - *
+ ** It destroys the Kerberos context. */ @Override @@ -262,7 +262,7 @@ public void destroy() { /** * Returns the authentication type of the authentication handler, 'kerberos'. - *
+ ** * @return the authentication type of the authentication handler, 'kerberos'. */ @@ -313,7 +313,6 @@ public boolean managementOperation(AuthenticationToken token, /** * It enforces the the Kerberos SPNEGO authentication sequence returning an {@link AuthenticationToken} only * after the Kerberos SPNEGO sequence has completed successfully. - *
* * @param request the HTTP client request. * @param response the HTTP client response. diff --git a/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/PseudoAuthenticationHandler.java b/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/PseudoAuthenticationHandler.java index 2c7db8898f..50f0cf11fe 100644 --- a/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/PseudoAuthenticationHandler.java +++ b/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/PseudoAuthenticationHandler.java @@ -30,12 +30,12 @@ /** * ThePseudoAuthenticationHandler
provides a pseudo authentication mechanism that accepts
* the user name specified as a query string parameter.
- *
+ * * This mimics the model of Hadoop Simple authentication which trust the 'user.name' property provided in * the configuration object. - *
+ ** This handler can be configured to support anonymous users. - *
+ ** The only supported configuration property is: *
true|false
, default value is false
* This method is invoked by the {@link AuthenticationFilter#init} method. * * @param config configuration properties to initialize the handler. @@ -103,7 +103,7 @@ protected boolean getAcceptAnonymous() { /** * Releases any resources initialized by the authentication handler. - *
+ ** This implementation does a NOP. */ @Override @@ -112,7 +112,6 @@ public void destroy() { /** * Returns the authentication type of the authentication handler, 'simple'. - *
* * @return the authentication type of the authentication handler, 'simple'. */ @@ -156,14 +155,14 @@ private String getUserName(HttpServletRequest request) { /** * Authenticates an HTTP client request. - * + ** It extracts the {@link PseudoAuthenticator#USER_NAME} parameter from the query string and creates * an {@link AuthenticationToken} with it. - *
+ ** If the HTTP client request does not contain the {@link PseudoAuthenticator#USER_NAME} parameter and * the handler is configured to allow anonymous users it returns the {@link AuthenticationToken#ANONYMOUS} * token. - *
+ ** If the HTTP client request does not contain the {@link PseudoAuthenticator#USER_NAME} parameter and * the handler is configured to disallow anonymous users it throws an {@link AuthenticationException}. * diff --git a/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/util/KerberosName.java b/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/util/KerberosName.java index 62bb00acab..7ae8ab2672 100644 --- a/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/util/KerberosName.java +++ b/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/util/KerberosName.java @@ -92,7 +92,7 @@ public class KerberosName { /** * Create a name from the full Kerberos principal name. - * @param name + * @param name full Kerberos principal name. */ public KerberosName(String name) { Matcher match = nameParser.matcher(name); @@ -367,7 +367,7 @@ public static class NoMatchingRule extends IOException { * Get the translation of the principal name into an operating system * user name. * @return the short name - * @throws IOException + * @throws IOException throws if something is wrong with the rules */ public String getShortName() throws IOException { String[] params; diff --git a/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/util/KerberosUtil.java b/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/util/KerberosUtil.java index ca0fce2251..0e8d8db8ea 100644 --- a/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/util/KerberosUtil.java +++ b/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/util/KerberosUtil.java 
@@ -135,12 +135,10 @@ static final String[] getPrincipalNames(String keytabFileName) throws IOExceptio /** * Get all the unique principals from keytabfile which matches a pattern. * - * @param keytab - * Name of the keytab file to be read. - * @param pattern - * pattern to be matched. + * @param keytab Name of the keytab file to be read. + * @param pattern pattern to be matched. * @return list of unique principals which matches the pattern. - * @throws IOException + * @throws IOException if cannot get the principal name */ public static final String[] getPrincipalNames(String keytab, Pattern pattern) throws IOException { diff --git a/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/util/Signer.java b/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/util/Signer.java index e29301bc4b..f639503bd6 100644 --- a/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/util/Signer.java +++ b/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/util/Signer.java @@ -41,8 +41,6 @@ public Signer(SignerSecretProvider secretProvider) { /** * Returns a signed string. - *
- * The signature '&s=SIGNATURE' is appended at the end of the string. * * @param str string to sign. * diff --git a/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/util/ZKSignerSecretProvider.java b/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/util/ZKSignerSecretProvider.java index 6c0fbbb0a2..f8db2ee743 100644 --- a/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/util/ZKSignerSecretProvider.java +++ b/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/util/ZKSignerSecretProvider.java @@ -44,7 +44,7 @@ /** * A SignerSecretProvider that synchronizes a rolling random secret between * multiple servers using ZooKeeper. - * + ** It works by storing the secrets and next rollover time in a ZooKeeper znode. * All ZKSignerSecretProviders looking at that znode will use those * secrets and next rollover time to ensure they are synchronized. There is no @@ -55,7 +55,7 @@ * your own Curator client, you can pass it to ZKSignerSecretProvider; see * {@link org.apache.hadoop.security.authentication.server.AuthenticationFilter} * for more details. - *
+ ** The supported configuration properties are: *
* From within testcases: - *
+ ** MiniKdc sets 2 System properties when started and un-sets them when stopped: *
* MiniKdc default configuration values are: *
* The returned configuration is a copy, it can be customized before using
* it to create a MiniKdc.
* @return a MiniKdc default configuration.
@@ -484,7 +483,6 @@ private void initKDCServer() throws Exception {
/**
* Stops the MiniKdc
- * @throws Exception
*/
public synchronized void stop() {
if (kdc != null) {
diff --git a/hadoop-maven-plugins/src/main/java/org/apache/hadoop/maven/plugin/util/Exec.java b/hadoop-maven-plugins/src/main/java/org/apache/hadoop/maven/plugin/util/Exec.java
index 45b40c2126..141ab5afc3 100644
--- a/hadoop-maven-plugins/src/main/java/org/apache/hadoop/maven/plugin/util/Exec.java
+++ b/hadoop-maven-plugins/src/main/java/org/apache/hadoop/maven/plugin/util/Exec.java
@@ -42,8 +42,8 @@ public Exec(Mojo mojo) {
* Runs the specified command and saves each line of the command's output to
* the given list.
*
- * @param command List