
From kmin...@apache.org
Subject knox git commit: KNOX-598: Concurrent JDBC clients via KNOX to Kerberized HiveServer2 causes HTTP 401 error (due to Kerberos Replay attack error)
Date Mon, 14 Sep 2015 14:43:21 GMT
Repository: knox
Updated Branches:
  refs/heads/master 31bb1e029 -> e20e5b06e


KNOX-598: Concurrent JDBC clients via KNOX to Kerberized HiveServer2 causes HTTP 401 error
(due to Kerberos Replay attack error)


Project: http://git-wip-us.apache.org/repos/asf/knox/repo
Commit: http://git-wip-us.apache.org/repos/asf/knox/commit/e20e5b06
Tree: http://git-wip-us.apache.org/repos/asf/knox/tree/e20e5b06
Diff: http://git-wip-us.apache.org/repos/asf/knox/diff/e20e5b06

Branch: refs/heads/master
Commit: e20e5b06e3d8184376ab7a53835f3405433e9ee9
Parents: 31bb1e0
Author: Kevin Minder <kevin.minder@hortonworks.com>
Authored: Mon Sep 14 10:43:12 2015 -0400
Committer: Kevin Minder <kevin.minder@hortonworks.com>
Committed: Mon Sep 14 10:43:12 2015 -0400

----------------------------------------------------------------------
 CHANGES                                         |  1 +
 .../dispatch/DefaultHttpClientFactory.java      |  2 +-
 .../gateway/dispatch/KnoxSpnegoAuthScheme.java  | 54 ++++++++++++++++++++
 .../dispatch/KnoxSpnegoAuthSchemeFactory.java   | 38 ++++++++++++++
 4 files changed, 94 insertions(+), 1 deletion(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/knox/blob/e20e5b06/CHANGES
----------------------------------------------------------------------
diff --git a/CHANGES b/CHANGES
index dc44187..c91d83d 100644
--- a/CHANGES
+++ b/CHANGES
@@ -20,6 +20,7 @@ Release Notes - Apache Knox - Version 0.7.0
 ** Bug
     * [KNOX-554] - Fixed support for gateway.path change + added support for X-Forward-*
headers in admin topology API.
     * [KNOX-581] - Hive dispatch not propagating effective principal name
+    * [KNOX-598] - Concurrent JDBC clients via KNOX to Kerberized HiveServer2 causes HTTP
401 error (due to Kerberos Replay attack error)
 
 ------------------------------------------------------------------------------
 Release Notes - Apache Knox - Version 0.6.0

http://git-wip-us.apache.org/repos/asf/knox/blob/e20e5b06/gateway-spi/src/main/java/org/apache/hadoop/gateway/dispatch/DefaultHttpClientFactory.java
----------------------------------------------------------------------
diff --git a/gateway-spi/src/main/java/org/apache/hadoop/gateway/dispatch/DefaultHttpClientFactory.java
b/gateway-spi/src/main/java/org/apache/hadoop/gateway/dispatch/DefaultHttpClientFactory.java
index afbd00c..704e2b0 100644
--- a/gateway-spi/src/main/java/org/apache/hadoop/gateway/dispatch/DefaultHttpClientFactory.java
+++ b/gateway-spi/src/main/java/org/apache/hadoop/gateway/dispatch/DefaultHttpClientFactory.java
@@ -58,7 +58,7 @@ public class DefaultHttpClientFactory implements HttpClientFactory {
       credentialsProvider.setCredentials(AuthScope.ANY, new UseJaasCredentials());
 
       Registry<AuthSchemeProvider> authSchemeRegistry = RegistryBuilder.<AuthSchemeProvider>create()
-          .register(AuthSchemes.SPNEGO, new SPNegoSchemeFactory(true))
+          .register(AuthSchemes.SPNEGO, new KnoxSpnegoAuthSchemeFactory(true))
           .build();
 
       builder = builder.setDefaultAuthSchemeRegistry(authSchemeRegistry)

http://git-wip-us.apache.org/repos/asf/knox/blob/e20e5b06/gateway-spi/src/main/java/org/apache/hadoop/gateway/dispatch/KnoxSpnegoAuthScheme.java
----------------------------------------------------------------------
diff --git a/gateway-spi/src/main/java/org/apache/hadoop/gateway/dispatch/KnoxSpnegoAuthScheme.java
b/gateway-spi/src/main/java/org/apache/hadoop/gateway/dispatch/KnoxSpnegoAuthScheme.java
new file mode 100644
index 0000000..b050428
--- /dev/null
+++ b/gateway-spi/src/main/java/org/apache/hadoop/gateway/dispatch/KnoxSpnegoAuthScheme.java
@@ -0,0 +1,54 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ * <p/>
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * <p/>
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.gateway.dispatch;
+
+import org.apache.http.impl.auth.SPNegoScheme;
+import org.ietf.jgss.GSSException;
+
+public class KnoxSpnegoAuthScheme extends SPNegoScheme {
+
+  private static long nano = Long.MIN_VALUE;
+
+  public KnoxSpnegoAuthScheme( boolean stripPort ) {
+    super( stripPort );
+  }
+
+  public KnoxSpnegoAuthScheme() {
+    super();
+  }
+
+  @Override
+  protected byte[] generateToken(final byte[] input, final String authServer) throws GSSException
{
+    // This is done to avoid issues with Keberos service ticket replay detection on the service
side.
+    synchronized( KnoxSpnegoAuthScheme.class ) {
+      long now;
+      // This just insures that the system clock has advanced to a different nanosecond.
+      // Kerberos uses microsecond resolution and 1ms=1000ns.
+      while( ( now = System.nanoTime() ) == nano ) {
+        try {
+          Thread.sleep( 0 );
+        } catch( InterruptedException e ) {
+          // Ignore it.
+        }
+      }
+      nano = now;
+      return super.generateToken( input, authServer );
+    }
+  }
+
+}
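Review bot: The comment above the `while` loop misstates the unit (`1ms=1000ns`; it is 1µs = 1000ns), and `System.nanoTime()` is a monotonic counter with no relation to the wall clock, whereas the timestamp in a Kerberos authenticator is taken from the system clock at microsecond resolution, so two calls returning different nanoTime values can presumably still land in the same authenticator microsecond and the loop narrows the replay-cache collision window without closing it. I would reword it to `// Kerberos authenticators carry a microsecond timestamp (1µs = 1000ns); nanoTime() is monotonic, not wall-clock, so this only reduces the chance of two tokens sharing a timestamp.` and add a class Javadoc stating that the `KnoxSpnegoAuthScheme.class` lock deliberately serializes every GSS token generation in the JVM, since that throughput cost is the price of the fix and is not obvious from the class name. The empty `catch( InterruptedException e )` discards the interrupt; record it with `interrupted = true;` in the catch and restore it after the loop with `if( interrupted ) Thread.currentThread().interrupt();` so a caller shutting down a dispatch thread still sees it.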

http://git-wip-us.apache.org/repos/asf/knox/blob/e20e5b06/gateway-spi/src/main/java/org/apache/hadoop/gateway/dispatch/KnoxSpnegoAuthSchemeFactory.java
----------------------------------------------------------------------
diff --git a/gateway-spi/src/main/java/org/apache/hadoop/gateway/dispatch/KnoxSpnegoAuthSchemeFactory.java
b/gateway-spi/src/main/java/org/apache/hadoop/gateway/dispatch/KnoxSpnegoAuthSchemeFactory.java
new file mode 100644
index 0000000..b3b1fa2
--- /dev/null
+++ b/gateway-spi/src/main/java/org/apache/hadoop/gateway/dispatch/KnoxSpnegoAuthSchemeFactory.java
@@ -0,0 +1,38 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ * <p/>
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * <p/>
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.gateway.dispatch;
+
+import org.apache.http.auth.AuthScheme;
+import org.apache.http.impl.auth.SPNegoSchemeFactory;
+import org.apache.http.params.HttpParams;
+
+public class KnoxSpnegoAuthSchemeFactory extends SPNegoSchemeFactory {
+
+  public KnoxSpnegoAuthSchemeFactory( boolean stripPort ) {
+    super( stripPort );
+  }
+
+  public KnoxSpnegoAuthSchemeFactory() {
+    super();
+  }
+
+  public AuthScheme newInstance( final HttpParams params ) {
+    return new KnoxSpnegoAuthScheme( isStripPort() );
+  }
+
+}
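Review bot: `newInstance( HttpParams )` is the deprecated `AuthSchemeFactory` entry point, while the registry in `DefaultHttpClientFactory` is built with `RegistryBuilder.<AuthSchemeProvider>create()` and resolves schemes through `AuthSchemeProvider.create( HttpContext )`, which `SPNegoSchemeFactory` (HttpClient 4.3+) also implements; since `create` is not overridden here, a client built from that registry would presumably still receive a plain `SPNegoScheme` and bypass the replay workaround. The override below adds it (it needs `import org.apache.http.protocol.HttpContext;`), and both methods should carry `@Override` so a signature mismatch against the HttpClient version in use fails at compile time instead of silently falling back to the parent. A short class Javadoc, `/** Produces {@link KnoxSpnegoAuthScheme} so SPNEGO token generation is serialized across the gateway; see KNOX-598. */`, would tell the next reader why the stock factory is replaced.
```java
  @Override
  public AuthScheme newInstance( final HttpParams params ) {
    return new KnoxSpnegoAuthScheme( isStripPort() );
  }

  @Override
  public AuthScheme create( final HttpContext context ) {
    return new KnoxSpnegoAuthScheme( isStripPort() );
  }
```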

