From dillido...@apache.org
Subject git commit: KNOX-217 : enhance KnoxLdapGroupRealm to accept password alias in place of plain text password
Date Tue, 10 Dec 2013 21:50:01 GMT
Updated Branches:
  refs/heads/master c00792125 -> 395de9bc5


KNOX-217 : enhance KnoxLdapGroupRealm to accept password alias in place of plain text password


Project: http://git-wip-us.apache.org/repos/asf/incubator-knox/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-knox/commit/395de9bc
Tree: http://git-wip-us.apache.org/repos/asf/incubator-knox/tree/395de9bc
Diff: http://git-wip-us.apache.org/repos/asf/incubator-knox/diff/395de9bc

Branch: refs/heads/master
Commit: 395de9bc5a8ee18a223d864196b59106234e7898
Parents: c007921
Author: Dilli Dorai Arumugam <darumugam@hortonworks.com>
Authored: Tue Dec 10 13:46:15 2013 -0800
Committer: Dilli Dorai Arumugam <darumugam@hortonworks.com>
Committed: Tue Dec 10 13:46:30 2013 -0800

----------------------------------------------------------------------
 gateway-provider-security-shiro/pom.xml         |   7 +-
 .../hadoop/gateway/deploy/impl/ShiroConfig.java |  15 +-
 .../deploy/impl/ShiroDeploymentContributor.java |   7 +-
 .../shirorealm/KnoxLdapContextFactory.java      |  51 ++++++
 .../home/templates/sandbox.knoxrealm1.xml       |   2 +-
 .../home/templates/sandbox.knoxrealm2.xml       |   2 +-
 .../home/templates/sandbox.ldapgroups1.xml      | 182 -------------------
 .../gateway/GatewayLdapGroupFuncTest.java       |   4 +-
 8 files changed, 78 insertions(+), 192 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/395de9bc/gateway-provider-security-shiro/pom.xml
----------------------------------------------------------------------
diff --git a/gateway-provider-security-shiro/pom.xml b/gateway-provider-security-shiro/pom.xml
index aa3783e..932a6e2 100644
--- a/gateway-provider-security-shiro/pom.xml
+++ b/gateway-provider-security-shiro/pom.xml
@@ -43,6 +43,11 @@
         </dependency>
 
         <dependency>
+            <groupId>${gateway-group}</groupId>
+            <artifactId>gateway-server</artifactId>
+        </dependency>
+
+        <dependency>
             <groupId>org.apache.shiro</groupId>
             <artifactId>shiro-web</artifactId>
         </dependency>
@@ -72,4 +77,4 @@
 
     </dependencies>
 
-</project>
\ No newline at end of file
+</project>

http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/395de9bc/gateway-provider-security-shiro/src/main/java/org/apache/hadoop/gateway/deploy/impl/ShiroConfig.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-shiro/src/main/java/org/apache/hadoop/gateway/deploy/impl/ShiroConfig.java
b/gateway-provider-security-shiro/src/main/java/org/apache/hadoop/gateway/deploy/impl/ShiroConfig.java
index 802d499..8659760 100644
--- a/gateway-provider-security-shiro/src/main/java/org/apache/hadoop/gateway/deploy/impl/ShiroConfig.java
+++ b/gateway-provider-security-shiro/src/main/java/org/apache/hadoop/gateway/deploy/impl/ShiroConfig.java
@@ -24,18 +24,27 @@ import java.util.Map;
 import java.util.Map.Entry;
 
 public class ShiroConfig {
-  private Map<String, Map<String, String>> sections = new LinkedHashMap<String,
Map<String, String>>();
   
-  public ShiroConfig(Provider provider) {
+  private Map<String, Map<String, String>> sections = new LinkedHashMap<String,
Map<String, String>>();
+ 
+  public ShiroConfig(Provider provider, String clusterName) {
     Map<String, String> params = provider.getParams();
     String name = null;
     String sectionName = null;
+    String value = null;
     for(Entry<String, String> entry : params.entrySet()) {
       int sectionDot = entry.getKey().indexOf('.');
       if (sectionDot > 0) {
         sectionName = entry.getKey().substring(0, sectionDot);
         name = entry.getKey().substring(sectionDot + 1);
-        addNameValueToSection(name, entry.getValue(), sectionName);
+        value = entry.getValue().trim();
+        if (value.startsWith("${ALIAS=") && value.endsWith("}")) {
+          String baseName = name.substring(0, name.lastIndexOf("."));
+          addNameValueToSection(baseName + ".clusterName", clusterName, sectionName);
+          addNameValueToSection(name, "S" + value.substring(1), sectionName);
+        } else {
+          addNameValueToSection(name, value, sectionName);
+        }
       }
     }
   }
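Review bot: `name.lastIndexOf(".")` in the new alias branch returns -1 when the part of the key after the section name has no further dot (a key such as `main.x` whose value is `${ALIAS=...}`), and `substring(0, -1)` then throws StringIndexOutOfBoundsException during deployment without naming the offending param; guard it with `int dot = name.lastIndexOf('.'); String baseName = dot > 0 ? name.substring(0, dot) : name;` or reject such keys with an IllegalArgumentException that includes the key. The rewrite `"S" + value.substring(1)` turns `${ALIAS=x}` into `S{ALIAS=x}` with no explanation; presumably this keeps Shiro's ini parser from treating the leading `$` as an object reference — confirm that and record it in a comment such as `// Shiro ini treats "$name" as a bean reference; rewrite to S{ALIAS=...} so the literal reaches KnoxLdapContextFactory.setSystemPassword`. Note also that `entry.getValue().trim()` now applies to every value, not only aliases, so a plain-text password with leading or trailing whitespace is altered where the old code passed it through unchanged, and a null value now throws an NPE; trim only inside the alias branch if that was not intended.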

http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/395de9bc/gateway-provider-security-shiro/src/main/java/org/apache/hadoop/gateway/deploy/impl/ShiroDeploymentContributor.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-shiro/src/main/java/org/apache/hadoop/gateway/deploy/impl/ShiroDeploymentContributor.java
b/gateway-provider-security-shiro/src/main/java/org/apache/hadoop/gateway/deploy/impl/ShiroDeploymentContributor.java
index d65d1f2..1591968 100644
--- a/gateway-provider-security-shiro/src/main/java/org/apache/hadoop/gateway/deploy/impl/ShiroDeploymentContributor.java
+++ b/gateway-provider-security-shiro/src/main/java/org/apache/hadoop/gateway/deploy/impl/ShiroDeploymentContributor.java
@@ -73,9 +73,10 @@ public class ShiroDeploymentContributor extends ProviderDeploymentContributorBas
     sessionConfig.sessionTimeout(st);
 
     // Writing provider specific config out to the war for cluster specific config can be
-	// accomplished through the DeploymentContext as well. The JBoss shrinkwrap API can be
-	// used to write the asset to the war.
-    String config = new ShiroConfig( provider ).toString();
+	  // accomplished through the DeploymentContext as well. The JBoss shrinkwrap API can be
+	  // used to write the asset to the war.
+    String clusterName = context.getTopology().getName();
+    String config = new ShiroConfig( provider, clusterName ).toString();
     if( config != null ) {
       context.getWebArchive().addAsWebInfResource( new StringAsset( config ), "shiro.ini"
);
     }
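Review bot: The two re-indented comment lines still begin with a tab followed by two spaces, while the surrounding code and the new `clusterName` lines use spaces only, so the hunk replaces one indentation mismatch with another; indent the comment with four spaces, `    // accomplished through the DeploymentContext as well.`, to match the line above it. The enclosing method begins and ends outside the hunk.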

http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/395de9bc/gateway-provider-security-shiro/src/main/java/org/apache/hadoop/gateway/shirorealm/KnoxLdapContextFactory.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-shiro/src/main/java/org/apache/hadoop/gateway/shirorealm/KnoxLdapContextFactory.java
b/gateway-provider-security-shiro/src/main/java/org/apache/hadoop/gateway/shirorealm/KnoxLdapContextFactory.java
index bc74be0..86a6fb9 100644
--- a/gateway-provider-security-shiro/src/main/java/org/apache/hadoop/gateway/shirorealm/KnoxLdapContextFactory.java
+++ b/gateway-provider-security-shiro/src/main/java/org/apache/hadoop/gateway/shirorealm/KnoxLdapContextFactory.java
@@ -24,6 +24,9 @@ import javax.naming.Context;
 import javax.naming.NamingException;
 import javax.naming.ldap.LdapContext;
 
+import org.apache.hadoop.gateway.GatewayServer;
+import org.apache.hadoop.gateway.services.GatewayServices;
+import org.apache.hadoop.gateway.services.security.AliasService;
 import org.apache.shiro.realm.ldap.JndiLdapContextFactory;
 
 /**
@@ -37,6 +40,7 @@ import org.apache.shiro.realm.ldap.JndiLdapContextFactory;
 public class KnoxLdapContextFactory extends JndiLdapContextFactory {
 
     private String systemAuthenticationMechanism;
+    private String clusterName = "";
 
     /**
      * HACK
@@ -53,9 +57,56 @@ public class KnoxLdapContextFactory extends JndiLdapContextFactory {
     public String getSystemAuthenticationMechanism() {
         return systemAuthenticationMechanism != null? systemAuthenticationMechanism: getAuthenticationMechanism();
     }
+    
     public void setSystemAuthenticationMechanism(String systemAuthenticationMechanism) {
         this.systemAuthenticationMechanism = systemAuthenticationMechanism;
     }
     
+    @Override
+    public void setSystemPassword(String systemPass) {
+      
+      if ( systemPass == null ) {
+        return;
+      }
+      
+      systemPass = systemPass.trim();
+      if (systemPass.length() == 0) {
+        return;
+      }
+      
+      if (!systemPass.startsWith("S{ALIAS=")) {
+        super.setSystemPassword( systemPass );
+        return;
+      }
+      
+      systemPass= systemPass.substring( "S{ALIAS=".length(), systemPass.length() - 1 );
+      String aliasName = systemPass;
+      
+      GatewayServices services = GatewayServer.getGatewayServices();
+      AliasService aliasService = (AliasService)services.getService(GatewayServices.ALIAS_SERVICE);
+      
+      String clusterName = getClusterName();
+      String systemPassword = System.getProperty(clusterName + "." + aliasName);
+      if (systemPassword != null) {
+        super.setSystemPassword( systemPassword );
+        aliasService.addAliasForCluster(clusterName, aliasName, systemPassword);
+      } else {
+        char[] password = aliasService.getPasswordFromAliasForCluster(clusterName, systemPass);
+        if ( password != null ) {
+          super.setSystemPassword( new String(password) );
+        }
+      }
+      
+    }
+    
+    public String getClusterName() {
+      return clusterName;
+    }
+
+    public void setClusterName(String clusterName) {
+      if (clusterName != null) {
+        this.clusterName = clusterName.trim();
+      }
+    }
     
 }
\ No newline at end of file
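Review bot: When the alias is absent from the credential store, the final `else` branch of `setSystemPassword` leaves the system password unset silently (`password == null` falls through), so the misconfiguration only surfaces later as an LDAP bind failure that never mentions the alias; add `else { throw new IllegalStateException("No password found for alias " + aliasName + " in cluster " + clusterName); }` or at least log it at that point. The `System.getProperty(clusterName + "." + aliasName)` branch takes precedence over the credential store and then persists the property value with `addAliasForCluster`; this looks like a hook for the functional test in this commit, and letting a JVM system property override and overwrite a stored credential is surprising behaviour for production code that should at minimum be documented on the method. The lookup also depends on `clusterName` having been injected before `systemPassword`; ShiroConfig emits the `.clusterName` entry first, but the coupling is implicit and deserves a comment on the `clusterName` field. `GatewayServer.getGatewayServices()` is used unchecked, so if the factory is instantiated outside a running gateway (tests, tooling) `services` is presumably null and the method fails with an NPE rather than a clear message. Finally, `systemPass` is reassigned and then copied into `aliasName`, yet `getPasswordFromAliasForCluster` is called with `systemPass` while `addAliasForCluster` uses `aliasName`; use `aliasName` in both places and drop the reassignment of the parameter.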

http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/395de9bc/gateway-release/home/templates/sandbox.knoxrealm1.xml
----------------------------------------------------------------------
diff --git a/gateway-release/home/templates/sandbox.knoxrealm1.xml b/gateway-release/home/templates/sandbox.knoxrealm1.xml
index b4bf71a..645e36f 100644
--- a/gateway-release/home/templates/sandbox.knoxrealm1.xml
+++ b/gateway-release/home/templates/sandbox.knoxrealm1.xml
@@ -91,7 +91,7 @@
             </param>
             <param>
               <name>main.ldapRealm.contextFactory.systemPassword</name>
-              <value>guest-password</value>
+              <value>${ALIAS=ldcSystemPassword}</value>
             </param>
 
             <param>
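Review bot: The template now points `main.ldapRealm.contextFactory.systemPassword` at `${ALIAS=ldcSystemPassword}`, but nothing in the file says that this alias must exist in the cluster's credential store before the topology is deployed, so a sandbox user copying the template gets a failed LDAP bind with no pointer to the cause. Add an XML comment above the param, e.g. `<!-- ${ALIAS=name} resolves to the password stored under that alias for this topology's cluster; provision the alias before deploying -->`. The same applies to the sandbox.knoxrealm2.xml hunk.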

http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/395de9bc/gateway-release/home/templates/sandbox.knoxrealm2.xml
----------------------------------------------------------------------
diff --git a/gateway-release/home/templates/sandbox.knoxrealm2.xml b/gateway-release/home/templates/sandbox.knoxrealm2.xml
index 57ff2ee..6db35ef 100644
--- a/gateway-release/home/templates/sandbox.knoxrealm2.xml
+++ b/gateway-release/home/templates/sandbox.knoxrealm2.xml
@@ -119,7 +119,7 @@
             </param>
             <param>
               <name>main.ldapGroupRealm.contextFactory.systemPassword</name>
-              <value>guest-password</value>
+              <value>${ALIAS=ldcSystemPassword}</value>
             </param>
 
             <param>

http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/395de9bc/gateway-release/home/templates/sandbox.ldapgroups1.xml
----------------------------------------------------------------------
diff --git a/gateway-release/home/templates/sandbox.ldapgroups1.xml b/gateway-release/home/templates/sandbox.ldapgroups1.xml
deleted file mode 100644
index 5edb2ea..0000000
--- a/gateway-release/home/templates/sandbox.ldapgroups1.xml
+++ /dev/null
@@ -1,182 +0,0 @@
-<?xml version="1.0" encoding="utf-8"?>
-<!--
-  Licensed to the Apache Software Foundation (ASF) under one or more
-  contributor license agreements.  See the NOTICE file distributed with
-  this work for additional information regarding copyright ownership.
-  The ASF licenses this file to You under the Apache License, Version 2.0
-  (the "License"); you may not use this file except in compliance with
-  the License.  You may obtain a copy of the License at
-
-      http://www.apache.org/licenses/LICENSE-2.0
-
-  Unless required by applicable law or agreed to in writing, software
-  distributed under the License is distributed on an "AS IS" BASIS,
-  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-  See the License for the specific language governing permissions and
-  limitations under the License.
--->
-<topology>
-
-    <gateway>
-
-        <provider>
-            <role>authentication</role>
-            <name>ShiroProvider</name>
-            <enabled>true</enabled>
-            <param>
-                <!-- 
-                session timeout in minutes,  this is really idle timeout,
-                defaults to 30mins, if the property value is not defined,, 
-                current client authentication would expire if client idles contiuosly for
more than this value
-                -->
-                <name>sessionTimeout</name>
-                <value>30</value>
-            </param>
-
-            <param>
-              <name>main.ldapRealm</name>
-              <value>org.apache.hadoop.gateway.shirorealm.KnoxLdapRealm</value>
-            </param>
-            <param>
-              <name>main.ldapGroupContextFactory</name>
-              <value>org.apache.hadoop.gateway.shirorealm.KnoxLdapContextFactory</value>
-            </param>
-            <param>
-              <name>main.ldapRealm.contextFactory</name>
-              <value>$ldapGroupContextFactory</value>
-            </param>
-            <param>
-            <param>
-              <name>main.ldapRealm.contextFactory.authenticationMechanism</name>
-              <value>simple</value>
-            </param>
-            <param>
-              <name>main.ldapRealm.contextFactory.url</name>
-              <value>ldap://localhost:33389</value>
-            </param>
-            <param>
-              <name>main.ldapRealm.userDnTemplate</name>
-              <value>uid={0},ou=people,dc=hadoop,dc=apache,dc=org</value>
-            </param>
-
-            <param>
-              <name>main.ldapRealm.authorizationEnabled</name>
-              <value>true</value>
-            </param>
-            <param>
-              <name>main.ldapRealm.contextFactory.systemAuthenticationMechanism</name>
-              <value>simple</value>
-            </param>
-            <param>
-              <name>main.ldapRealm.searchBase</name>
-              <value>ou=groups,dc=hadoop,dc=apache,dc=org</value>
-            </param>
-            <param>
-              <name>main.ldapRealm.groupObjectClass</name>
-              <value>groupofnames</value>
-            </param>
-            <param>
-              <name>main.ldapRealm.uniqueMemberAttribute</name>
-              <value>member</value>
-            </param>
-            <param>
-              <name>main.ldapRealm.uniqueMemberAttributeValueTemplate</name>
-              <value>cn={0},ou=people,dc=hadoop,dc=apache,dc=org</value>
-            </param>
-            <param>
-              <name>main.ldapContextFactory.systemUsername</name>
-              <value>uid=guest,ou=people,dc=hadoop,dc=apache,dc=org</value>
-            </param>
-            <param>
-              <name>main.ldapContextFactory.systemPassword</name>
-              <value>guest-password</value>
-            </param>
-
-            <param>
-              <name>urls./**</name> 
-              <value>authcBasic</value>
-            </param>
-
-        </provider>
-
-        <provider>
-            <role>identity-assertion</role>
-            <name>Pseudo</name>
-            <enabled>true</enabled>
-            <param>
-                <name>group.principal.mapping</name>
-                <value>*=users</value>
-            </param>
-        </provider>
-
-        <provider>
-          <role>authorization</role>
-          <name>AclsAuthz</name>
-          <enabled>true</enabled>
-          <param>
-            <name>webhdfs.acl</name>
-            <value>*;analyst;*</value>
-          </param>
-        </provider>
-
-        <!--
-        Defines rules for mapping host names internal to a Hadoop cluster to externally accessible
host names.
-        For example, a hadoop service running in AWS may return a response that includes
URLs containing the
-        some AWS internal host name.  If the client needs to make a subsequent request to
the host identified
-        in those URLs they need to be mapped to external host names that the client Knox
can use to connect.
-
-        If the external hostname and internal host names are same turn of this provider by
setting the value of
-        enabled parameter as false.
-
-        The name parameter specifies the external host names in a comma separated list.
-        The value parameter specifies corresponding internal host names in a comma separated
list.
-
-        Note that when you are using Sandbox, the external hostname needs to be localhost,
as seen in out
-        of box sandbox.xml.  This is because Sandbox uses port mapping to allow clients to
connect to the
-        Hadoop services using localhost.  In real clusters, external host names would almost
never be localhost.
-        -->
-        <provider>
-            <role>hostmap</role>
-            <name>static</name>
-            <enabled>true</enabled>
-            <param><name>localhost</name><value>sandbox,sandbox.hortonworks.com</value></param>
-        </provider>
-
-    </gateway>
-
-    <service>
-        <role>NAMENODE</role>
-        <url>hdfs://localhost:8020</url>
-    </service>
-
-    <service>
-        <role>JOBTRACKER</role>
-        <url>rpc://localhost:8050</url>
-    </service>
-
-    <service>
-        <role>WEBHDFS</role>
-        <url>http://localhost:50070/webhdfs</url>
-    </service>
-
-    <service>
-        <role>WEBHCAT</role>
-        <url>http://localhost:50111/templeton</url>
-    </service>
-
-    <service>
-        <role>OOZIE</role>
-        <url>http://localhost:11000/oozie</url>
-    </service>
-
-    <service>
-        <role>WEBHBASE</role>
-        <url>http://localhost:60080</url>
-    </service>
-
-    <service>
-        <role>HIVE</role>
-        <url>http://localhost:10000</url>
-    </service>
-
-</topology>

http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/395de9bc/gateway-test/src/test/java/org/apache/hadoop/gateway/GatewayLdapGroupFuncTest.java
----------------------------------------------------------------------
diff --git a/gateway-test/src/test/java/org/apache/hadoop/gateway/GatewayLdapGroupFuncTest.java
b/gateway-test/src/test/java/org/apache/hadoop/gateway/GatewayLdapGroupFuncTest.java
index edfab66..f6afae8 100644
--- a/gateway-test/src/test/java/org/apache/hadoop/gateway/GatewayLdapGroupFuncTest.java
+++ b/gateway-test/src/test/java/org/apache/hadoop/gateway/GatewayLdapGroupFuncTest.java
@@ -96,6 +96,8 @@ public class GatewayLdapGroupFuncTest {
 
   public static void setupGateway(int ldapPort) throws IOException {
 
+    System.setProperty("test-cluster.ldcSystemPassword", "guest-password");
+    
     File targetDir = new File( System.getProperty( "user.dir" ), "target" );
     File gatewayDir = new File( targetDir, "gateway-home-" + UUID.randomUUID() );
     gatewayDir.mkdirs();
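Review bot: `System.setProperty("test-cluster.ldcSystemPassword", "guest-password")` in `setupGateway` is never cleared, so the property survives into any other test class run in the same JVM and, through KnoxLdapContextFactory's System.getProperty branch, would silently override an alias of that name there; clear it in the class teardown with `System.clearProperty("test-cluster.ldcSystemPassword");`. The property name also hard-codes the cluster name `test-cluster`, which has to match the topology name used later in this method; a short comment such as `// resolved by KnoxLdapContextFactory as <clusterName>.<alias>` would make that dependency visible. setupGateway continues outside the hunk.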
@@ -181,7 +183,7 @@ public class GatewayLdapGroupFuncTest {
         .addTag( "value" ).addText( "uid=guest,ou=people,dc=hadoop,dc=apache,dc=org" )
         .gotoParent().addTag( "param" )
         .addTag( "name" ).addText( "main.ldapRealm.contextFactory.systemPassword" )
-        .addTag( "value" ).addText( "guest-password" )
+        .addTag( "value" ).addText( "${ALIAS=ldcSystemPassword}" )
         .gotoParent().addTag( "param" )
         .addTag( "name" ).addText( "urls./**" )
         .addTag( "value" ).addText( "authcBasic" )

