knox-commits mailing list archives

From kmin...@apache.org
Subject git commit: KNOX-27: Access Kerberos secured Hadoop cluster via gateway using basic auth credentials git add gateway-release/home/templates/krb5.conf git add gateway-release/home/templates/krb5JAASLogin.conf rm gateway-server/src/main/resources/conf/krb
Date Mon, 03 Jun 2013 21:24:43 GMT
Updated Branches:
  refs/heads/master f68377ecc -> 1ce6e367b


KNOX-27:  Access Kerberos secured Hadoop cluster via gateway using basic auth credentials
git add gateway-release/home/templates/krb5.conf
git add gateway-release/home/templates/krb5JAASLogin.conf
rm gateway-server/src/main/resources/conf/krb5.conf gateway-server/src/main/resources/conf/krb5JAASLogin.conf
Note: WebHCat does not support trusted proxies so that functionality does not work at this
time.  HIVE-4601 has been filed for this issue.


Project: http://git-wip-us.apache.org/repos/asf/incubator-knox/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-knox/commit/1ce6e367
Tree: http://git-wip-us.apache.org/repos/asf/incubator-knox/tree/1ce6e367
Diff: http://git-wip-us.apache.org/repos/asf/incubator-knox/diff/1ce6e367

Branch: refs/heads/master
Commit: 1ce6e367bbfa0f49eaee19bba19a5fe1b1bf3bdd
Parents: f68377e
Author: Kevin Minder <kevin.minder@hortonworks.com>
Authored: Mon Jun 3 17:24:36 2013 -0400
Committer: Kevin Minder <kevin.minder@hortonworks.com>
Committed: Mon Jun 3 17:24:36 2013 -0400

----------------------------------------------------------------------
 ...IdentityAssertionHttpServletRequestWrapper.java |   10 +-
 gateway-release/home/conf/gateway-site.xml         |   24 +++
 gateway-release/home/conf/users.ldif               |   13 ++-
 gateway-release/home/templates/krb5.conf           |   40 +++++
 gateway-release/home/templates/krb5JAASLogin.conf  |   60 ++++++++
 gateway-release/home/templates/users.ldif          |   13 ++-
 .../org/apache/hadoop/gateway/GatewayServer.java   |   12 ++
 .../gateway/config/impl/GatewayConfigImpl.java     |   24 +++-
 .../gateway/dispatch/HttpClientDispatch.java       |  111 ++++++++++++---
 .../src/main/resources/conf/gateway-site.xml       |    2 +-
 .../hadoop/gateway/config/GatewayConfig.java       |   14 ++
 .../apache/hadoop/gateway/GatewayTestConfig.java   |   40 +++++
 12 files changed, 340 insertions(+), 23 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/1ce6e367/gateway-provider-identity-assertion-pseudo/src/main/java/org/apache/hadoop/gateway/filter/IdentityAssertionHttpServletRequestWrapper.java
----------------------------------------------------------------------
diff --git a/gateway-provider-identity-assertion-pseudo/src/main/java/org/apache/hadoop/gateway/filter/IdentityAssertionHttpServletRequestWrapper.java
b/gateway-provider-identity-assertion-pseudo/src/main/java/org/apache/hadoop/gateway/filter/IdentityAssertionHttpServletRequestWrapper.java
index 526a344..8a819cc 100644
--- a/gateway-provider-identity-assertion-pseudo/src/main/java/org/apache/hadoop/gateway/filter/IdentityAssertionHttpServletRequestWrapper.java
+++ b/gateway-provider-identity-assertion-pseudo/src/main/java/org/apache/hadoop/gateway/filter/IdentityAssertionHttpServletRequestWrapper.java
@@ -19,6 +19,7 @@ package org.apache.hadoop.gateway.filter;
 
 import org.apache.commons.io.IOUtils;
 import org.apache.hadoop.gateway.PseudoIdentityAsserterMessages;
+import org.apache.hadoop.gateway.config.GatewayConfig;
 import org.apache.hadoop.gateway.i18n.messages.MessagesFactory;
 
 import javax.servlet.ServletInputStream;
@@ -42,6 +43,7 @@ public class IdentityAssertionHttpServletRequestWrapper extends HttpServletReque
   private static PseudoIdentityAsserterMessages log = MessagesFactory.get( PseudoIdentityAsserterMessages.class
);
 
   private static final String PRINCIPAL_PARAM = "user.name";
+  private static final String DOAS_PRINCIPAL_PARAM = "doas";
   
   String username = null;
 
@@ -101,8 +103,12 @@ public class IdentityAssertionHttpServletRequestWrapper extends HttpServletReque
     ArrayList<String> al = new ArrayList<String>();
     al.add(username);
     String[] a = {""};
-    params.put(PRINCIPAL_PARAM, al.toArray(a));
-
+    
+    if ("true".equals(System.getProperty(GatewayConfig.HADOOP_KERBEROS_SECURED))) {
+      params.put(DOAS_PRINCIPAL_PARAM, al.toArray(a));
+    } else {
+      params.put(PRINCIPAL_PARAM, al.toArray(a));
+    }
     return params;
   }
 
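Review bot: Each branch sets only one of the two identity parameters, so whichever of `user.name` or `doas` is not being asserted keeps the value the caller sent, as far as this hunk shows (`params` is built above the hunk, outside this view). With `gateway.hadoop.kerberos.secured` off, a caller-supplied `doas` would reach the backend next to the asserted `user.name`; with it on, a caller-supplied `user.name` would reach it next to the asserted `doas`. Dropping the other key in each branch, `params.remove(PRINCIPAL_PARAM);` before the `doas` put and `params.remove(DOAS_PRINCIPAL_PARAM);` before the `user.name` put, keeps the gateway the only source of identity. The flag is also read from a System property on every call; a short comment saying where that property is set would help the next reader.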

http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/1ce6e367/gateway-release/home/conf/gateway-site.xml
----------------------------------------------------------------------
diff --git a/gateway-release/home/conf/gateway-site.xml b/gateway-release/home/conf/gateway-site.xml
index 76eaedc..d9ba16c 100644
--- a/gateway-release/home/conf/gateway-site.xml
+++ b/gateway-release/home/conf/gateway-site.xml
@@ -36,4 +36,28 @@ limitations under the License.
         <description>The directory within GATEWAY_HOME that contains gateway topology
files and deployments.</description>
     </property>
 
+    <property>
+        <name>gateway.hadoop.kerberos.secured</name>
+        <value>false</value>
+        <description>Boolean flag indicating whether the Hadoop cluster protected by
Gateway is secured with Kerberos</description>
+    </property>
+
+    <property>
+        <name>java.security.krb5.conf</name>
+        <value>/etc/knox/conf/krb5.conf</value>
+        <description>Absolute path to krb5.conf file</description>
+    </property>
+
+    <property>
+        <name>java.security.auth.login.config</name>
+        <value>/etc/knox/conf/krb5JAASLogin.conf</value>
+        <description>Absolute path to JASS login config file</description>
+    </property>
+
+    <property>
+        <name>sun.security.krb5.debug</name>
+        <value>true</value>
+        <description>Boolean flag indicating whether to enable debug messages for krb5
authentication</description>
+    </property>
+
 </configuration>
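Review bot: `sun.security.krb5.debug` ships as `true` in the release configuration, and GatewayServer copies it into the JVM property whenever `gateway.hadoop.kerberos.secured` is enabled, so a production gateway would write Kerberos protocol traces (principal names, ticket and encryption details) to its output by default. I would default it to `<value>false</value>` and let operators switch it on while troubleshooting. The same default appears as `debug=true` in all three entries of gateway-release/home/templates/krb5JAASLogin.conf. The description of `java.security.auth.login.config` says "JASS"; it should read "JAAS".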

http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/1ce6e367/gateway-release/home/conf/users.ldif
----------------------------------------------------------------------
diff --git a/gateway-release/home/conf/users.ldif b/gateway-release/home/conf/users.ldif
index 5b4b772..66eac6d 100644
--- a/gateway-release/home/conf/users.ldif
+++ b/gateway-release/home/conf/users.ldif
@@ -59,4 +59,15 @@ objectclass:inetOrgPerson
 cn: HCat
 sn: HCat
 uid: hcat
-userPassword:hcat-password
\ No newline at end of file
+userPassword:hcat-password
+
+# entry for a sample user
+#dn: uid=bob,ou=people,dc=hadoop,dc=apache,dc=org
+#objectclass:top
+#objectclass:person
+#objectclass:organizationalPerson
+#objectclass:inetOrgPerson
+#cn: Bob
+#sn: Smith
+#uid: bob
+#userPassword:bob-password

http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/1ce6e367/gateway-release/home/templates/krb5.conf
----------------------------------------------------------------------
diff --git a/gateway-release/home/templates/krb5.conf b/gateway-release/home/templates/krb5.conf
new file mode 100644
index 0000000..3420b13
--- /dev/null
+++ b/gateway-release/home/templates/krb5.conf
@@ -0,0 +1,40 @@
+; Licensed to the Apache Software Foundation (ASF) under one
+; or more contributor license agreements.  See the NOTICE file
+; distributed with this work for additional information
+; regarding copyright ownership.  The ASF licenses this file
+; to you under the Apache License, Version 2.0 (the
+; "License"); you may not use this file except in compliance
+; with the License.  You may obtain a copy of the License at
+; 
+; http://www.apache.org/licenses/LICENSE-2.0
+; 
+; Unless required by applicable law or agreed to in writing, software
+; distributed under the License is distributed on an "AS IS" BASIS,
+; WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+; See the License for the specific language governing permissions and
+; limitations under the License.
+
+; IMPORTANT: REPLACE  sample.com, kerberos.sample.com and SAMPLE.COM with your site specific
values
+
+[logging]
+ default = FILE:/var/log/krb5libs.log
+ kdc = FILE:/var/log/krb5kdc.log
+ admin_server = FILE:/var/log/kadmind.log
+
+[libdefaults]
+ default_realm = SAMPLE.COM
+ dns_lookup_realm = false
+ dns_lookup_kdc = false
+ ticket_lifetime = 24h
+ renew_lifetime = 7d
+ forwardable = true
+
+[realms]
+ SAMPLE.COM = {
+  kdc = kerberos.sample.com
+  admin_server = kerberos.sample.com
+ }
+
+[domain_realm]
+ .sample.com = SAMPLE.COM
+ sample.com = SAMPLE.COM

http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/1ce6e367/gateway-release/home/templates/krb5JAASLogin.conf
----------------------------------------------------------------------
diff --git a/gateway-release/home/templates/krb5JAASLogin.conf b/gateway-release/home/templates/krb5JAASLogin.conf
new file mode 100644
index 0000000..41d6344
--- /dev/null
+++ b/gateway-release/home/templates/krb5JAASLogin.conf
@@ -0,0 +1,60 @@
+/**
+* Licensed to the Apache Software Foundation (ASF) under one
+* or more contributor license agreements.  See the NOTICE file
+* distributed with this work for additional information
+* regarding copyright ownership.  The ASF licenses this file
+* to you under the Apache License, Version 2.0 (the
+* "License"); you may not use this file except in compliance
+* with the License.  You may obtain a copy of the License at
+* 
+* http://www.apache.org/licenses/LICENSE-2.0
+* 
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*
+* IMPORTANT: REPLACE SAMPLE.COM and keyTab file location with your site specific values
+*/
+com.sun.security.jgss.login {
+    com.sun.security.auth.module.Krb5LoginModule required 
+    renewTGT=true
+    doNotPrompt=true
+    useKeyTab=true
+    keyTab="/etc/knox/conf/knox.keytab"
+    principal="knox@SAMPLE.COM"
+    isInitiator=true
+    storeKey=true
+    useTicketCache=true
+    client=true 
+    debug=true;
+};
+ 
+com.sun.security.jgss.initiate {
+    com.sun.security.auth.module.Krb5LoginModule required 
+    renewTGT=true
+    doNotPrompt=true
+    useKeyTab=true
+    keyTab="/etc/knox/conf/knox.keytab"
+    principal="knox@SAMPLE.COM"
+    isInitiator=true
+    storeKey=true
+    useTicketCache=true
+    client=true 
+    debug=true;
+};
+
+com.sun.security.jgss.accept {
+    com.sun.security.auth.module.Krb5LoginModule required 
+    renewTGT=true
+    doNotPrompt=true
+    useKeyTab=true
+    keyTab="/etc/knox/conf/knox.keytab"
+    principal="knox@SAMPLE.COM"
+    isInitiator=true
+    storeKey=true
+    useTicketCache=true
+    client=true 
+    debug=true;
+};
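Review bot: The template points every entry at `/etc/knox/conf/knox.keytab` but says nothing about protecting that file, and anyone who can read it can authenticate as the gateway principal, which the cluster presumably trusts as a proxy user for `doas`. I would extend the header comment with a line such as `* The keytab must be owned by the gateway service account and readable by that account only.` The `com.sun.security.jgss.accept` entry carries `isInitiator=true` like the two client entries; if the gateway never accepts Kerberos contexts the entry could be dropped, otherwise it is worth confirming that initiator settings are intended there.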

http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/1ce6e367/gateway-release/home/templates/users.ldif
----------------------------------------------------------------------
diff --git a/gateway-release/home/templates/users.ldif b/gateway-release/home/templates/users.ldif
index 571f261..c8b4370 100644
--- a/gateway-release/home/templates/users.ldif
+++ b/gateway-release/home/templates/users.ldif
@@ -59,4 +59,15 @@ objectclass:inetOrgPerson
 cn: HCat
 sn: HCat
 uid: hcat
-userPassword:hcat-password
\ No newline at end of file
+userPassword:hcat-password
+
+# entry for sample user
+#dn: uid=bob,ou=people,dc=hadoop,dc=apache,dc=org
+#objectclass:top
+#objectclass:person
+#objectclass:organizationalPerson
+#objectclass:inetOrgPerson
+#cn: Bob
+#sn: Smith
+#uid: bob
+#userPassword:bob-password

http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/1ce6e367/gateway-server/src/main/java/org/apache/hadoop/gateway/GatewayServer.java
----------------------------------------------------------------------
diff --git a/gateway-server/src/main/java/org/apache/hadoop/gateway/GatewayServer.java b/gateway-server/src/main/java/org/apache/hadoop/gateway/GatewayServer.java
index 677fb8f..5242e4e 100644
--- a/gateway-server/src/main/java/org/apache/hadoop/gateway/GatewayServer.java
+++ b/gateway-server/src/main/java/org/apache/hadoop/gateway/GatewayServer.java
@@ -87,6 +87,9 @@ public class GatewayServer {
         services = new DefaultGatewayServices();
         GatewayConfig config = new GatewayConfigImpl();
         configureLogging( config );
+        if (config.isHadoopKerberosSecured()) {
+          configureKerberosSecurity( config );
+        }
         Map<String,String> options = new HashMap<String,String>();
         options.put(GatewayCommandLine.PERSIST_LONG, Boolean.toString(cmd.hasOption(GatewayCommandLine.PERSIST_LONG)));
         services.init(config, options);
@@ -122,6 +125,15 @@ public class GatewayServer {
     }
   }
 
+  private static void configureKerberosSecurity( GatewayConfig config ) {
+    System.setProperty(GatewayConfig.HADOOP_KERBEROS_SECURED, "true");
+    System.setProperty(GatewayConfig.KRB5_CONFIG, config.getKerberosConfig());
+    System.setProperty(GatewayConfig.KRB5_DEBUG, 
+        Boolean.toString(config.isKerberosDebugEnabled()));
+    System.setProperty(GatewayConfig.KRB5_LOGIN_CONFIG, config.getKerberosLoginConfig());
+    System.setProperty(GatewayConfig.KRB5_USE_SUBJECT_CREDS_ONLY,  "false");
+  }
+  
   private static Properties loadBuildProperties() {
     Properties properties = new Properties();
     InputStream inputStream = GatewayServer.class.getClassLoader().getResourceAsStream( "build.properties"
);
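Review bot: `System.setProperty` throws NullPointerException on a null value, and `getKerberosConfig()` / `getKerberosLoginConfig()` in GatewayConfigImpl return `get(...)` with no default, so enabling `gateway.hadoop.kerberos.secured` without both path properties aborts startup with a bare NPE. configureKerberosSecurity should check the two paths first and fail with a message that names the missing property. `javax.security.auth.useSubjectCredsOnly=false` is JVM-wide and deserves a one-line comment saying why the gateway needs it.

```java
private static void configureKerberosSecurity( GatewayConfig config ) {
  String krb5Config = config.getKerberosConfig();
  if( krb5Config == null ) {
    throw new IllegalStateException( "Missing required property: " + GatewayConfig.KRB5_CONFIG );
  }
  String loginConfig = config.getKerberosLoginConfig();
  if( loginConfig == null ) {
    throw new IllegalStateException( "Missing required property: " + GatewayConfig.KRB5_LOGIN_CONFIG );
  }
  System.setProperty( GatewayConfig.KRB5_CONFIG, krb5Config );
  System.setProperty( GatewayConfig.KRB5_LOGIN_CONFIG, loginConfig );
  // … unchanged: HADOOP_KERBEROS_SECURED, KRB5_DEBUG and KRB5_USE_SUBJECT_CREDS_ONLY properties …
}
```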

http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/1ce6e367/gateway-server/src/main/java/org/apache/hadoop/gateway/config/impl/GatewayConfigImpl.java
----------------------------------------------------------------------
diff --git a/gateway-server/src/main/java/org/apache/hadoop/gateway/config/impl/GatewayConfigImpl.java
b/gateway-server/src/main/java/org/apache/hadoop/gateway/config/impl/GatewayConfigImpl.java
index d38c8dc..8f55328 100644
--- a/gateway-server/src/main/java/org/apache/hadoop/gateway/config/impl/GatewayConfigImpl.java
+++ b/gateway-server/src/main/java/org/apache/hadoop/gateway/config/impl/GatewayConfigImpl.java
@@ -101,7 +101,7 @@ public class GatewayConfigImpl extends Configuration implements GatewayConfig
{
   public static final String DEFAULT_DEPLOYMENT_DIR = "deployments";
   private static final String SSL_ENABLED = "ssl.enabled";
 //  public static final String DEFAULT_SHIRO_CONFIG_FILE = "shiro.ini";
-
+  
   public GatewayConfigImpl() {
     init();
   }
@@ -261,4 +261,26 @@ public class GatewayConfigImpl extends Configuration implements GatewayConfig
{
     return "true".equals(enabled);
   }
 
+  @Override
+  public boolean isHadoopKerberosSecured() {
+    String hadoopKerberosSecured = get( HADOOP_KERBEROS_SECURED, "false" );
+    return "true".equals(hadoopKerberosSecured);
+  }
+
+  @Override
+  public String getKerberosConfig() {
+    return get( KRB5_CONFIG ) ;
+  }
+
+  @Override
+  public boolean isKerberosDebugEnabled() {
+    String kerberosDebugEnabled = get( KRB5_DEBUG, "false" );
+    return "true".equals(kerberosDebugEnabled);
+  }
+  
+  @Override
+  public String getKerberosLoginConfig() {
+    return get( KRB5_LOGIN_CONFIG );
+  }
+  
 }

http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/1ce6e367/gateway-server/src/main/java/org/apache/hadoop/gateway/dispatch/HttpClientDispatch.java
----------------------------------------------------------------------
diff --git a/gateway-server/src/main/java/org/apache/hadoop/gateway/dispatch/HttpClientDispatch.java
b/gateway-server/src/main/java/org/apache/hadoop/gateway/dispatch/HttpClientDispatch.java
index a755a90..c92bcee 100644
--- a/gateway-server/src/main/java/org/apache/hadoop/gateway/dispatch/HttpClientDispatch.java
+++ b/gateway-server/src/main/java/org/apache/hadoop/gateway/dispatch/HttpClientDispatch.java
@@ -17,37 +17,52 @@
  */
 package org.apache.hadoop.gateway.dispatch;
 
+import java.io.IOException;
+import java.io.InputStream;
+import java.net.URI;
+import java.net.URISyntaxException;
+import java.nio.charset.Charset;
+import java.security.Principal;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.apache.commons.io.IOUtils;
 import org.apache.hadoop.gateway.GatewayMessages;
 import org.apache.hadoop.gateway.GatewayResources;
+import org.apache.hadoop.gateway.config.GatewayConfig;
 import org.apache.hadoop.gateway.i18n.messages.MessagesFactory;
 import org.apache.hadoop.gateway.i18n.resources.ResourcesFactory;
 import org.apache.http.Header;
 import org.apache.http.HttpEntity;
 import org.apache.http.HttpResponse;
-import org.apache.http.client.HttpClient;
+import org.apache.http.auth.AuthScope;
+import org.apache.http.auth.Credentials;
 import org.apache.http.client.methods.HttpDelete;
 import org.apache.http.client.methods.HttpGet;
 import org.apache.http.client.methods.HttpOptions;
 import org.apache.http.client.methods.HttpPost;
 import org.apache.http.client.methods.HttpPut;
 import org.apache.http.client.methods.HttpUriRequest;
+import org.apache.http.client.params.AuthPolicy;
+import org.apache.http.entity.ByteArrayEntity;
+import org.apache.http.entity.ContentType;
 import org.apache.http.entity.InputStreamEntity;
+import org.apache.http.impl.auth.SPNegoSchemeFactory;
 import org.apache.http.impl.client.DefaultHttpClient;
-
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-import java.io.IOException;
-import java.io.InputStream;
-import java.net.URI;
-import java.net.URISyntaxException;
+import org.apache.http.protocol.BasicHttpContext;
+import org.apache.http.protocol.HttpContext;
 
 /**
  *
  */
 public class HttpClientDispatch extends AbstractGatewayDispatch {
 
+  private static final String CT_APP_WWW_FORM_URL_ENCODED = "application/x-www-form-urlencoded";
+
   private static GatewayMessages LOG = MessagesFactory.get( GatewayMessages.class );
   private static GatewayResources RES = ResourcesFactory.get( GatewayResources.class );
+  private static final EmptyJaasCredentials EMPTY_JAAS_CREDENTIALS = new EmptyJaasCredentials();
 
   protected void executeRequest(
       HttpUriRequest outboundRequest,
@@ -55,10 +70,23 @@ public class HttpClientDispatch extends AbstractGatewayDispatch {
       HttpServletResponse outboundResponse )
           throws IOException {
     LOG.dispatchRequest( outboundRequest.getMethod(), outboundRequest.getURI() );
-    HttpClient client = new DefaultHttpClient();
+    DefaultHttpClient client = new DefaultHttpClient();
+    
+    if ("true".equals(System.getProperty(GatewayConfig.HADOOP_KERBEROS_SECURED))) {
+      SPNegoSchemeFactory nsf = new SPNegoSchemeFactory(/* stripPort */ true);
+      // nsf.setSpengoGenerator(new BouncySpnegoTokenGenerator());
+      client.getAuthSchemes().register(AuthPolicy.SPNEGO, nsf);
+
+      client.getCredentialsProvider().setCredentials(
+          new AuthScope(/* host */ null, /* port */ -1, /* realm */ null),
+          EMPTY_JAAS_CREDENTIALS);
+    }
+
+    HttpContext localContext = new BasicHttpContext();
+    
     HttpResponse inboundResponse;
     try {
-      inboundResponse = client.execute( outboundRequest );
+      inboundResponse = client.execute(outboundRequest, localContext);
     } catch (IOException e) {
       // we do not want to expose back end host. port end points to clients, see JIRA KNOX-58
       LOG.dispatchServiceConnectionException( outboundRequest.getURI(), e );
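Review bot: The credentials are registered for `new AuthScope(null, -1, null)`, i.e. any host, port and realm, so this client will answer a Negotiate challenge from whatever server the request ends up at, not only the configured backend. Scoping to the dispatch target, `new AuthScope(outboundRequest.getURI().getHost(), AuthScope.ANY_PORT, AuthScope.ANY_REALM)`, limits use of the gateway's Kerberos identity to the intended service. The commented-out `setSpengoGenerator` line should be removed or given a comment explaining why it is kept. executeRequest continues past the end of this hunk.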
@@ -91,17 +119,34 @@ public class HttpClientDispatch extends AbstractGatewayDispatch {
     }
   }
 
-  protected HttpEntity createRequestEntity( HttpServletRequest request ) throws IOException
{
+  protected HttpEntity createRequestEntity(HttpServletRequest request)
+      throws IOException {
     InputStream contentStream = request.getInputStream();
     int contentLength = request.getContentLength();
     String contentType = request.getContentType();
     String contentEncoding = request.getCharacterEncoding();
-    InputStreamEntity entity = new InputStreamEntity( contentStream, contentLength );
-    if( contentType != null ) {
-      entity.setContentType( contentType );
-    }
-    if( contentEncoding != null ) {
-      entity.setContentEncoding( contentEncoding );
+    HttpEntity entity = null;
+    if ((contentType != null)
+        && contentType.startsWith(CT_APP_WWW_FORM_URL_ENCODED)) {
+      if (contentEncoding == null) {
+        contentEncoding = Charset.defaultCharset().name();
+      }
+      String body = IOUtils.toString(contentStream, contentEncoding);
+      // ASCII is OK here because the urlEncode about should have already
+      // escaped
+      byte[] bodyBytes = body.getBytes("US-ASCII");
+      entity = new ByteArrayEntity(bodyBytes,
+          ContentType.APPLICATION_FORM_URLENCODED);
+    } else {
+      InputStreamEntity streamEntity = new RepeatableInputStreamEntity(
+          contentStream, contentLength); // DILLI
+      if (contentType != null) {
+        streamEntity.setContentType(contentType);
+      }
+      if (contentEncoding != null) {
+        streamEntity.setContentEncoding(contentEncoding);
+      }
+      entity = streamEntity;
     }
     return entity;
   }
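Review bot: The form-encoded branch buffers the whole inbound body in memory with `IOUtils.toString(contentStream, contentEncoding)` and never looks at `contentLength`, so a single large or chunked POST with this content type can hold an arbitrary amount of heap per request. A size check before the read, e.g. `if (contentLength > maxFormBodyBytes) { throw new IOException("form body too large"); }` where `maxFormBodyBytes` is a placeholder name for a new configured limit, would bound it. The decode-then-`getBytes("US-ASCII")` round trip also replaces any unescaped non-ASCII character with `?` and depends on the platform charset when none is sent; `IOUtils.toByteArray(contentStream)` would pass the body through unchanged. In the comment, "urlEncode about" presumably means "above", and the `// DILLI` marker looks like a leftover.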
@@ -144,5 +189,37 @@ public class HttpClientDispatch extends AbstractGatewayDispatch {
     HttpDelete method = new HttpDelete( url );
     executeRequest( method, request, response );
   }
+  
+  private static class RepeatableInputStreamEntity extends InputStreamEntity {
+
+    public RepeatableInputStreamEntity(InputStream contentStream,
+        int contentLength) {
+      super(contentStream, contentLength);
+    }
+
+    @Override
+    public boolean isRepeatable() {
+      return true;
+    }
+
+    @Override
+    public InputStream getContent() throws IOException {
+      return super.getContent();
+    }
+
+  }
+  
+  private static class EmptyJaasCredentials implements Credentials {
+
+    public String getPassword() {
+      return null;
+    }
+
+    public Principal getUserPrincipal() {
+      return null;
+    }
+
+  }
+  
 
 }
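Review bot: `RepeatableInputStreamEntity.isRepeatable()` returns true although the wrapped servlet input stream can be read only once, so when HttpClient resends the request after the 401 Negotiate challenge the second attempt would carry whatever is left in the stream, most likely an empty or truncated body. If the override exists to get past the non-repeatable-entity check, the body needs to be buffered (with a size limit) before dispatch so that a replay is real; otherwise the class should at least carry a comment stating the limitation. The `getContent()` override only calls `super` and can be removed.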

http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/1ce6e367/gateway-server/src/main/resources/conf/gateway-site.xml
----------------------------------------------------------------------
diff --git a/gateway-server/src/main/resources/conf/gateway-site.xml b/gateway-server/src/main/resources/conf/gateway-site.xml
index 77b34df..ff5293b 100644
--- a/gateway-server/src/main/resources/conf/gateway-site.xml
+++ b/gateway-server/src/main/resources/conf/gateway-site.xml
@@ -37,4 +37,4 @@ limitations under the License.
         <description>The directory within GATEWAY_HOME that contains gateway topology
files and deployments.</description>
     </property>
 
-</configuration>
+</configuration>
\ No newline at end of file

http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/1ce6e367/gateway-spi/src/main/java/org/apache/hadoop/gateway/config/GatewayConfig.java
----------------------------------------------------------------------
diff --git a/gateway-spi/src/main/java/org/apache/hadoop/gateway/config/GatewayConfig.java
b/gateway-spi/src/main/java/org/apache/hadoop/gateway/config/GatewayConfig.java
index bbb9edb..9a621bc 100644
--- a/gateway-spi/src/main/java/org/apache/hadoop/gateway/config/GatewayConfig.java
+++ b/gateway-spi/src/main/java/org/apache/hadoop/gateway/config/GatewayConfig.java
@@ -23,6 +23,12 @@ import java.net.UnknownHostException;
 public interface GatewayConfig {
 
   static final String GATEWAY_HOME_VAR = "GATEWAY_HOME";
+  
+  public static final String HADOOP_KERBEROS_SECURED = "gateway.hadoop.kerberos.secured";
+  public static final String KRB5_CONFIG = "java.security.krb5.conf";
+  public static final String KRB5_DEBUG = "sun.security.krb5.debug";
+  public static final String KRB5_LOGIN_CONFIG = "java.security.auth.login.config";
+  public static final String KRB5_USE_SUBJECT_CREDS_ONLY = "javax.security.auth.useSubjectCredsOnly";
 
   String getGatewayHomeDir();
 
@@ -39,5 +45,13 @@ public interface GatewayConfig {
   InetSocketAddress getGatewayAddress() throws UnknownHostException;
   
   boolean isSSLEnabled();
+  
+  boolean isHadoopKerberosSecured();
+  
+  String getKerberosConfig();
+  
+  boolean isKerberosDebugEnabled();
+  
+  String getKerberosLoginConfig();
 
 }

http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/1ce6e367/gateway-test/src/test/java/org/apache/hadoop/gateway/GatewayTestConfig.java
----------------------------------------------------------------------
diff --git a/gateway-test/src/test/java/org/apache/hadoop/gateway/GatewayTestConfig.java b/gateway-test/src/test/java/org/apache/hadoop/gateway/GatewayTestConfig.java
index 812f449..09b2f82 100644
--- a/gateway-test/src/test/java/org/apache/hadoop/gateway/GatewayTestConfig.java
+++ b/gateway-test/src/test/java/org/apache/hadoop/gateway/GatewayTestConfig.java
@@ -30,6 +30,10 @@ public class GatewayTestConfig implements GatewayConfig {
   private int gatewayPort = 0;
   private String gatewayPath = "gateway";
   private String deployDir = "clusters";
+  private boolean hadoopKerberosSecured = false;
+  private String kerberosConfig = "/etc/knox/conf/krb5.conf";
+  private boolean kerberosDebugEnabled = false;
+  private String kerberosLoginConfig = "/etc/knox/conf/krb5JAASLogin.conf";
 
   @Override
   public String getGatewayHomeDir() {
@@ -96,4 +100,40 @@ public class GatewayTestConfig implements GatewayConfig {
     return false;
   }
 
+  @Override
+  public boolean isHadoopKerberosSecured() {
+    return hadoopKerberosSecured;
+  }
+
+  public void setHadoopKerberosSecured(boolean hadoopKerberosSecured) {
+    this.hadoopKerberosSecured = hadoopKerberosSecured;
+  }
+  
+  @Override
+  public String getKerberosConfig() {
+    return kerberosConfig;
+  }
+  
+  public void setKerberosConfig(String kerberosConfig) {
+    this.kerberosConfig = kerberosConfig;
+  }
+
+  @Override
+  public boolean isKerberosDebugEnabled() {
+    return kerberosDebugEnabled;
+  }
+  
+  public void setKerberosDebugEnabled(boolean kerberosConfigEnabled) {
+    this.kerberosDebugEnabled = kerberosDebugEnabled;
+  }
+  
+  @Override
+  public String getKerberosLoginConfig() {
+    return kerberosLoginConfig;
+  }
+  
+  public void setKerberosLoginConfig(String kerberosLoginConfig) {
+   this.kerberosLoginConfig = kerberosLoginConfig;
+  }
+  
 }
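Review bot: `setKerberosDebugEnabled` names its parameter `kerberosConfigEnabled` but assigns `this.kerberosDebugEnabled = kerberosDebugEnabled;`, which is a self-assignment of the field, so the setter never changes anything and tests cannot turn the flag on. Renaming the parameter fixes it: `public void setKerberosDebugEnabled(boolean kerberosDebugEnabled) {`. The body of `setKerberosLoginConfig` is indented one space short of the rest of the class.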

