knox-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From m...@apache.org
Subject [13/64] [partial] knox git commit: KNOX-998 - Refactoring save 1
Date Fri, 01 Sep 2017 13:17:11 GMT
http://git-wip-us.apache.org/repos/asf/knox/blob/af9b0c3d/gateway-provider-security-authc-anon/src/test/java/org/apache/knox/gateway/deploy/AnonymousAuthDeploymentContributorTest.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-authc-anon/src/test/java/org/apache/knox/gateway/deploy/AnonymousAuthDeploymentContributorTest.java b/gateway-provider-security-authc-anon/src/test/java/org/apache/knox/gateway/deploy/AnonymousAuthDeploymentContributorTest.java
new file mode 100644
index 0000000..c1d8fcb
--- /dev/null
+++ b/gateway-provider-security-authc-anon/src/test/java/org/apache/knox/gateway/deploy/AnonymousAuthDeploymentContributorTest.java
@@ -0,0 +1,44 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ * <p/>
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * <p/>
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.knox.gateway.deploy;
+
+import org.junit.Test;
+
+import java.util.Iterator;
+import java.util.ServiceLoader;
+
+import static org.hamcrest.MatcherAssert.assertThat;
+import static org.junit.Assert.fail;
+
+public class AnonymousAuthDeploymentContributorTest {
+
+  @Test
+  public void testServiceLoader() throws Exception {
+    ServiceLoader loader = ServiceLoader.load( ProviderDeploymentContributor.class );
+    Iterator iterator = loader.iterator();
+    assertThat( "Service iterator empty.", iterator.hasNext() );
+    while( iterator.hasNext() ) {
+      Object object = iterator.next();
+      if( object instanceof AnonymousAuthDeploymentContributor ) {
+        return;
+      }
+    }
+    fail( "Failed to find " + AnonymousAuthDeploymentContributor.class.getName() + " via service loader." );
+  }
+
+}

http://git-wip-us.apache.org/repos/asf/knox/blob/af9b0c3d/gateway-provider-security-authz-acls/src/main/java/org/apache/hadoop/gateway/deploy/impl/AclsAuthzDeploymentContributor.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-authz-acls/src/main/java/org/apache/hadoop/gateway/deploy/impl/AclsAuthzDeploymentContributor.java b/gateway-provider-security-authz-acls/src/main/java/org/apache/hadoop/gateway/deploy/impl/AclsAuthzDeploymentContributor.java
deleted file mode 100644
index 2c150e3..0000000
--- a/gateway-provider-security-authz-acls/src/main/java/org/apache/hadoop/gateway/deploy/impl/AclsAuthzDeploymentContributor.java
+++ /dev/null
@@ -1,75 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements.  See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership.  The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License.  You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.hadoop.gateway.deploy.impl;
-
-import org.apache.hadoop.gateway.deploy.DeploymentContext;
-import org.apache.hadoop.gateway.deploy.ProviderDeploymentContributorBase;
-import org.apache.hadoop.gateway.descriptor.FilterParamDescriptor;
-import org.apache.hadoop.gateway.descriptor.ResourceDescriptor;
-import org.apache.hadoop.gateway.services.security.KeystoreService;
-import org.apache.hadoop.gateway.services.security.KeystoreServiceException;
-import org.apache.hadoop.gateway.topology.Provider;
-import org.apache.hadoop.gateway.topology.Service;
-
-import java.util.ArrayList;
-import java.util.List;
-import java.util.Map;
-import java.util.Map.Entry;
-
-public class AclsAuthzDeploymentContributor extends ProviderDeploymentContributorBase {
-
-  private static final String FILTER_CLASSNAME = "org.apache.hadoop.gateway.filter.AclsAuthorizationFilter";
-
-  @Override
-  public String getRole() {
-    return "authorization";
-  }
-
-  @Override
-  public String getName() {
-    return "AclsAuthz";
-  }
-
-  @Override
-  public void initializeContribution(DeploymentContext context) {
-    super.initializeContribution(context);
-  }
-
-  @Override
-  public void contributeProvider( DeploymentContext context, Provider provider ) {
-  }
-
-  @Override
-  public void contributeFilter( DeploymentContext context, Provider provider, Service service, 
-      ResourceDescriptor resource, List<FilterParamDescriptor> params ) {
-    if (params == null) {
-      params = new ArrayList<FilterParamDescriptor>();
-    }
-    // add resource role to params so that we can determine the acls to enforce at runtime
-    params.add( resource.createFilterParam().name( "resource.role" ).value(resource.role() ) );
-
-    // blindly add all the provider params as filter init params
-    // this will include any {resource.role}-ACLS parameters to be enforced - such as NAMENODE-ACLS
-    Map<String, String> providerParams = provider.getParams();
-    for(Entry<String, String> entry : providerParams.entrySet()) {
-      params.add( resource.createFilterParam().name( entry.getKey().toLowerCase() ).value( entry.getValue() ) );
-    }
-
-    resource.addFilter().name( getName() ).role( getRole() ).impl( FILTER_CLASSNAME ).params( params );
-  }
-}

http://git-wip-us.apache.org/repos/asf/knox/blob/af9b0c3d/gateway-provider-security-authz-acls/src/main/java/org/apache/hadoop/gateway/filter/AclParser.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-authz-acls/src/main/java/org/apache/hadoop/gateway/filter/AclParser.java b/gateway-provider-security-authz-acls/src/main/java/org/apache/hadoop/gateway/filter/AclParser.java
deleted file mode 100644
index 13499c3..0000000
--- a/gateway-provider-security-authz-acls/src/main/java/org/apache/hadoop/gateway/filter/AclParser.java
+++ /dev/null
@@ -1,85 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements.  See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership.  The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License.  You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.hadoop.gateway.filter;
-
-import java.util.ArrayList;
-import java.util.Collections;
-
-import org.apache.hadoop.gateway.i18n.messages.MessagesFactory;
-import org.apache.hadoop.gateway.util.IpAddressValidator;
-
-/**
- */
-public class AclParser {
-  private static AclsAuthorizationMessages log = MessagesFactory.get( AclsAuthorizationMessages.class );
-
-  public String resourceRole;
-  public ArrayList<String> users;
-  public ArrayList<String> groups;
-  public boolean anyUser = true;
-  public boolean anyGroup = true;
-  public IpAddressValidator ipv;
-
-
-  public AclParser() {
-  }
-  
-  public void parseAcls(String resourceRole, String acls) throws InvalidACLException {
-    if (acls != null) {
-      String[] parts = acls.split(";");
-      if (parts.length != 3) {
-        log.invalidAclsFoundForResource(resourceRole);
-        throw new InvalidACLException("Invalid ACLs specified for requested resource: " + resourceRole);
-      }
-      else {
-        log.aclsFoundForResource(resourceRole);
-      }
-      parseUserAcls(parts);
-      
-      parseGroupAcls(parts);
-
-      parseIpAddressAcls(parts);
-    }
-    else {
-      log.noAclsFoundForResource(resourceRole);
-      users = new ArrayList<String>();
-      groups = new ArrayList<String>();
-      ipv = new IpAddressValidator(null);
-    }
-  }
-
-  private void parseUserAcls(String[] parts) {
-    users = new ArrayList<String>();
-    Collections.addAll(users, parts[0].split(","));
-    if (!users.contains("*")) {
-      anyUser = false;
-    }
-  }
-
-  private void parseGroupAcls(String[] parts) {
-    groups = new ArrayList<String>();
-    Collections.addAll(groups, parts[1].split(","));
-    if (!groups.contains("*")) {
-      anyGroup = false;
-    }
-  }
-
-  private void parseIpAddressAcls(String[] parts) {
-    ipv = new IpAddressValidator(parts[2]);
-  }
-}
\ No newline at end of file

http://git-wip-us.apache.org/repos/asf/knox/blob/af9b0c3d/gateway-provider-security-authz-acls/src/main/java/org/apache/hadoop/gateway/filter/AclsAuthorizationFilter.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-authz-acls/src/main/java/org/apache/hadoop/gateway/filter/AclsAuthorizationFilter.java b/gateway-provider-security-authz-acls/src/main/java/org/apache/hadoop/gateway/filter/AclsAuthorizationFilter.java
deleted file mode 100644
index 343d87f..0000000
--- a/gateway-provider-security-authz-acls/src/main/java/org/apache/hadoop/gateway/filter/AclsAuthorizationFilter.java
+++ /dev/null
@@ -1,216 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements.  See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership.  The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License.  You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.hadoop.gateway.filter;
-
-import javax.security.auth.Subject;
-import javax.servlet.Filter;
-import javax.servlet.FilterChain;
-import javax.servlet.FilterConfig;
-import javax.servlet.ServletException;
-import javax.servlet.ServletRequest;
-import javax.servlet.ServletResponse;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-
-import org.apache.hadoop.gateway.audit.api.Action;
-import org.apache.hadoop.gateway.audit.api.ActionOutcome;
-import org.apache.hadoop.gateway.audit.api.AuditServiceFactory;
-import org.apache.hadoop.gateway.audit.api.Auditor;
-import org.apache.hadoop.gateway.audit.api.ResourceType;
-import org.apache.hadoop.gateway.audit.log4j.audit.AuditConstants;
-import org.apache.hadoop.gateway.i18n.messages.MessagesFactory;
-import org.apache.hadoop.gateway.security.GroupPrincipal;
-import org.apache.hadoop.gateway.security.ImpersonatedPrincipal;
-import org.apache.hadoop.gateway.security.PrimaryPrincipal;
-import org.apache.hadoop.gateway.util.IpAddressValidator;
-import org.apache.hadoop.gateway.util.urltemplate.Template;
-
-import java.io.IOException;
-import java.security.AccessController;
-import java.security.Principal;
-import java.util.ArrayList;
-import java.util.Collections;
-
-public class AclsAuthorizationFilter implements Filter {
-  private static AclsAuthorizationMessages log = MessagesFactory.get( AclsAuthorizationMessages.class );
-  private static Auditor auditor = AuditServiceFactory.getAuditService().getAuditor( AuditConstants.DEFAULT_AUDITOR_NAME,
-          AuditConstants.KNOX_SERVICE_NAME, AuditConstants.KNOX_COMPONENT_NAME );
-
-  private String resourceRole = null;
-  private String aclProcessingMode = null;
-  private AclParser parser = new AclParser();
-
-  
-  @Override
-  public void init(FilterConfig filterConfig) throws ServletException {
-    resourceRole = getInitParameter(filterConfig, "resource.role");
-    log.initializingForResourceRole(resourceRole);
-    aclProcessingMode = getInitParameter(filterConfig, resourceRole + ".acl.mode");
-    if (aclProcessingMode == null) {
-      aclProcessingMode = getInitParameter(filterConfig, "acl.mode");
-      if (aclProcessingMode == null) {
-        aclProcessingMode = "AND";
-      }
-    }
-    log.aclProcessingMode(aclProcessingMode);
-    String acls = getInitParameter(filterConfig, resourceRole + ".acl");
-    parser.parseAcls(resourceRole, acls);
-  }
-
-  private String getInitParameter(FilterConfig filterConfig, String paramName) {
-    return filterConfig.getInitParameter(paramName.toLowerCase());
-  }
-
-  public void destroy() {
-  }
-
-  public void doFilter(ServletRequest request, ServletResponse response,
-      FilterChain chain) throws IOException, ServletException {
-    boolean accessGranted = enforceAclAuthorizationPolicy(request, response, chain);
-    log.accessGranted(accessGranted);
-    String sourceUrl = (String)request.getAttribute( AbstractGatewayFilter.SOURCE_REQUEST_CONTEXT_URL_ATTRIBUTE_NAME );
-    if (accessGranted) {
-      auditor.audit( Action.AUTHORIZATION, sourceUrl, ResourceType.URI, ActionOutcome.SUCCESS );
-      chain.doFilter(request, response);
-    }
-    else {
-      auditor.audit( Action.AUTHORIZATION, sourceUrl, ResourceType.URI, ActionOutcome.FAILURE );
-      sendForbidden((HttpServletResponse) response);
-    }
-  }
-
-  private boolean enforceAclAuthorizationPolicy(ServletRequest request,
-      ServletResponse response, FilterChain chain) {
-    HttpServletRequest req = (HttpServletRequest) request;
-    
-    // before enforcing acls check whether there are no acls defined 
-    // which would mean that there are no restrictions
-    if (parser.users.size() == 0 && parser.groups.size() == 0 && parser.ipv.getIPAddresses().size() == 0) {
-      return true;
-    }
-
-    boolean userAccess = false;
-    boolean groupAccess = false;
-    boolean ipAddrAccess = false;
-    
-    Subject subject = Subject.getSubject(AccessController.getContext());
-    Principal primaryPrincipal = (Principal)subject.getPrincipals(PrimaryPrincipal.class).toArray()[0];
-    log.primaryPrincipal(primaryPrincipal.getName());
-    Object[] impersonations = subject.getPrincipals(ImpersonatedPrincipal.class).toArray();
-    if (impersonations.length > 0) {
-      log.impersonatedPrincipal(((Principal)impersonations[0]).getName());
-      userAccess = checkUserAcls((Principal)impersonations[0]);
-      log.impersonatedPrincipalHasAccess(userAccess);
-    }
-    else {
-      userAccess = checkUserAcls(primaryPrincipal);
-      log.primaryPrincipalHasAccess(userAccess);
-    }
-    Object[] groups = subject.getPrincipals(GroupPrincipal.class).toArray();
-    if (groups.length > 0) {
-//      System.out.println("GroupPrincipal: " + ((Principal)groups[0]).getName());
-      groupAccess = checkGroupAcls(groups);
-      log.groupPrincipalHasAccess(groupAccess);
-    }
-    else {
-      // if we have no groups in the subject then make
-      // it true if there is an anyGroup acl
-      // for AND mode and acls like *;*;127.0.0.* we need to
-      // make it pass
-      if (parser.anyGroup && aclProcessingMode.equals("AND")) {
-        groupAccess = true;
-      }
-    }
-    log.remoteIPAddress(req.getRemoteAddr());
-    ipAddrAccess = checkRemoteIpAcls(req.getRemoteAddr());
-    log.remoteIPAddressHasAccess(ipAddrAccess);
-    
-    if (aclProcessingMode.equals("OR")) {
-      // need to interpret '*' as excluded for OR semantics
-      // to make sense and not grant access to everyone by mistake.
-      // exclusion in OR is equivalent to denied
-      // so, let's set each one that contains '*' to false.
-      if (parser.anyUser) userAccess = false;
-      if (parser.anyGroup) groupAccess = false;
-      if (parser.ipv.allowsAnyIP()) ipAddrAccess = false;
-      
-      return (userAccess || groupAccess || ipAddrAccess);
-    }
-    else if (aclProcessingMode.equals("AND")) {
-      return (userAccess && groupAccess && ipAddrAccess);
-    }
-    return false;
-  }
-
-  private boolean checkRemoteIpAcls(String remoteAddr) {
-    boolean allowed = false;
-    if (remoteAddr == null) {
-      return false;
-    }
-    allowed = parser.ipv.validateIpAddress(remoteAddr);
-    return allowed;
-  }
-
-  private boolean checkUserAcls(Principal user) {
-    boolean allowed = false;
-    if (user == null) {
-      return false;
-    }
-    if (parser.anyUser) {
-      allowed = true;
-    }
-    else {
-      if (parser.users.contains(user.getName())) {
-        allowed = true;
-      }
-    }
-    return allowed;
-  }
-
-  private boolean checkGroupAcls(Object[] userGroups) {
-    boolean allowed = false;
-    if (userGroups == null) {
-      return false;
-    }
-    if (parser.anyGroup) {
-      allowed = true;
-    }
-    else {
-      for (int i = 0; i < userGroups.length; i++) {
-        if (parser.groups.contains(((Principal)userGroups[i]).getName())) {
-          allowed = true;
-          break;
-        }
-      }
-    }
-    return allowed;
-  }
-
-  private void sendForbidden(HttpServletResponse res) {
-    sendErrorCode(res, 403);
-  }
-
-  private void sendErrorCode(HttpServletResponse res, int code) {
-    try {
-      res.sendError(code);
-    } catch (IOException e) {
-      // TODO: log appropriately
-      e.printStackTrace();
-    }
-  }
-}

http://git-wip-us.apache.org/repos/asf/knox/blob/af9b0c3d/gateway-provider-security-authz-acls/src/main/java/org/apache/hadoop/gateway/filter/AclsAuthorizationMessages.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-authz-acls/src/main/java/org/apache/hadoop/gateway/filter/AclsAuthorizationMessages.java b/gateway-provider-security-authz-acls/src/main/java/org/apache/hadoop/gateway/filter/AclsAuthorizationMessages.java
deleted file mode 100644
index 071375d..0000000
--- a/gateway-provider-security-authz-acls/src/main/java/org/apache/hadoop/gateway/filter/AclsAuthorizationMessages.java
+++ /dev/null
@@ -1,66 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements.  See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership.  The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License.  You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.hadoop.gateway.filter;
-
-import org.apache.hadoop.gateway.i18n.messages.Message;
-import org.apache.hadoop.gateway.i18n.messages.MessageLevel;
-import org.apache.hadoop.gateway.i18n.messages.Messages;
-import org.apache.hadoop.gateway.i18n.messages.StackTrace;
-
-@Messages(logger="org.apache.hadoop.gateway")
-public interface AclsAuthorizationMessages {
-
-  @Message( level = MessageLevel.INFO, text = "Initializing AclsAuthz Provider for: {0}" )
-  void initializingForResourceRole(String resourceRole);
-
-  @Message( level = MessageLevel.DEBUG, text = "ACL Processing Mode is: {0}" )
-  void aclProcessingMode(String aclProcessingMode);
-
-  @Message( level = MessageLevel.WARN, text = "Invalid ACLs found for: {0}" )
-  void invalidAclsFoundForResource(String resourceRole);
-
-  @Message( level = MessageLevel.INFO, text = "ACLs found for: {0}" )
-  void aclsFoundForResource(String resourceRole);
-
-  @Message( level = MessageLevel.DEBUG, text = "No ACLs found for: {0}" )
-  void noAclsFoundForResource(String resourceRole);
-
-  @Message( level = MessageLevel.INFO, text = "Access Granted: {0}" )
-  void accessGranted(boolean accessGranted);
-
-  @Message( level = MessageLevel.DEBUG, text = "PrimaryPrincipal: {0}" )
-  void primaryPrincipal(String name);
-
-  @Message( level = MessageLevel.DEBUG, text = "ImpersonatedPrincipal: {0}" )
-  void impersonatedPrincipal(String name);
-
-  @Message( level = MessageLevel.DEBUG, text = "ImpersonatedPrincipal has access: {0}" )
-  void impersonatedPrincipalHasAccess(boolean userAccess);
-
-  @Message( level = MessageLevel.DEBUG, text = "PrimaryPrincipal has access: {0}" )
-  void primaryPrincipalHasAccess(boolean userAccess);
-
-  @Message( level = MessageLevel.DEBUG, text = "GroupPrincipal has access: {0}" )
-  void groupPrincipalHasAccess(boolean groupAccess);
-
-  @Message( level = MessageLevel.DEBUG, text = "Remote IP Address: {0}" )
-  void remoteIPAddress(String remoteAddr);
-
-  @Message( level = MessageLevel.DEBUG, text = "Remote IP Address has access: {0}" )
-  void remoteIPAddressHasAccess(boolean remoteIpAccess);
-}

http://git-wip-us.apache.org/repos/asf/knox/blob/af9b0c3d/gateway-provider-security-authz-acls/src/main/java/org/apache/hadoop/gateway/filter/AclsAuthorizationResources.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-authz-acls/src/main/java/org/apache/hadoop/gateway/filter/AclsAuthorizationResources.java b/gateway-provider-security-authz-acls/src/main/java/org/apache/hadoop/gateway/filter/AclsAuthorizationResources.java
deleted file mode 100644
index 370336b..0000000
--- a/gateway-provider-security-authz-acls/src/main/java/org/apache/hadoop/gateway/filter/AclsAuthorizationResources.java
+++ /dev/null
@@ -1,27 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements.  See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership.  The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License.  You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.hadoop.gateway.filter;
-
-import org.apache.hadoop.gateway.i18n.resources.Resource;
-import org.apache.hadoop.gateway.i18n.resources.Resources;
-
-@Resources
-public interface AclsAuthorizationResources {
-  @Resource( text = "Response status: {0}" )
-  String responseStatus( int status );
-}

http://git-wip-us.apache.org/repos/asf/knox/blob/af9b0c3d/gateway-provider-security-authz-acls/src/main/java/org/apache/hadoop/gateway/filter/InvalidACLException.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-authz-acls/src/main/java/org/apache/hadoop/gateway/filter/InvalidACLException.java b/gateway-provider-security-authz-acls/src/main/java/org/apache/hadoop/gateway/filter/InvalidACLException.java
deleted file mode 100644
index 34a4ba1..0000000
--- a/gateway-provider-security-authz-acls/src/main/java/org/apache/hadoop/gateway/filter/InvalidACLException.java
+++ /dev/null
@@ -1,31 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements.  See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership.  The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License.  You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.hadoop.gateway.filter;
-
-/**
- * invalid ACL configuration item
- */
-public class InvalidACLException extends RuntimeException {
-
-  private static final long serialVersionUID = -4284269372393774095L;
-
-  public InvalidACLException(String message) {
-    super(message);
-  }
-
-}

http://git-wip-us.apache.org/repos/asf/knox/blob/af9b0c3d/gateway-provider-security-authz-acls/src/main/java/org/apache/knox/gateway/deploy/impl/AclsAuthzDeploymentContributor.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-authz-acls/src/main/java/org/apache/knox/gateway/deploy/impl/AclsAuthzDeploymentContributor.java b/gateway-provider-security-authz-acls/src/main/java/org/apache/knox/gateway/deploy/impl/AclsAuthzDeploymentContributor.java
new file mode 100644
index 0000000..fc5e549
--- /dev/null
+++ b/gateway-provider-security-authz-acls/src/main/java/org/apache/knox/gateway/deploy/impl/AclsAuthzDeploymentContributor.java
@@ -0,0 +1,73 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.knox.gateway.deploy.impl;
+
+import org.apache.knox.gateway.deploy.DeploymentContext;
+import org.apache.knox.gateway.deploy.ProviderDeploymentContributorBase;
+import org.apache.knox.gateway.descriptor.FilterParamDescriptor;
+import org.apache.knox.gateway.descriptor.ResourceDescriptor;
+import org.apache.knox.gateway.topology.Provider;
+import org.apache.knox.gateway.topology.Service;
+
+import java.util.ArrayList;
+import java.util.List;
+import java.util.Map;
+import java.util.Map.Entry;
+
+public class AclsAuthzDeploymentContributor extends ProviderDeploymentContributorBase {
+
+  private static final String FILTER_CLASSNAME = "AclsAuthorizationFilter";
+
+  @Override
+  public String getRole() {
+    return "authorization";
+  }
+
+  @Override
+  public String getName() {
+    return "AclsAuthz";
+  }
+
+  @Override
+  public void initializeContribution(DeploymentContext context) {
+    super.initializeContribution(context);
+  }
+
+  @Override
+  public void contributeProvider( DeploymentContext context, Provider provider ) {
+  }
+
+  @Override
+  public void contributeFilter( DeploymentContext context, Provider provider, Service service, 
+      ResourceDescriptor resource, List<FilterParamDescriptor> params ) {
+    if (params == null) {
+      params = new ArrayList<FilterParamDescriptor>();
+    }
+    // add resource role to params so that we can determine the acls to enforce at runtime
+    params.add( resource.createFilterParam().name( "resource.role" ).value(resource.role() ) );
+
+    // blindly add all the provider params as filter init params
+    // this will include any {resource.role}-ACLS parameters to be enforced - such as NAMENODE-ACLS
+    Map<String, String> providerParams = provider.getParams();
+    for(Entry<String, String> entry : providerParams.entrySet()) {
+      params.add( resource.createFilterParam().name( entry.getKey().toLowerCase() ).value( entry.getValue() ) );
+    }
+
+    resource.addFilter().name( getName() ).role( getRole() ).impl( FILTER_CLASSNAME ).params( params );
+  }
+}

http://git-wip-us.apache.org/repos/asf/knox/blob/af9b0c3d/gateway-provider-security-authz-acls/src/main/java/org/apache/knox/gateway/filter/AclParser.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-authz-acls/src/main/java/org/apache/knox/gateway/filter/AclParser.java b/gateway-provider-security-authz-acls/src/main/java/org/apache/knox/gateway/filter/AclParser.java
new file mode 100644
index 0000000..ceac18e
--- /dev/null
+++ b/gateway-provider-security-authz-acls/src/main/java/org/apache/knox/gateway/filter/AclParser.java
@@ -0,0 +1,85 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.knox.gateway.filter;
+
+import java.util.ArrayList;
+import java.util.Collections;
+
+import org.apache.knox.gateway.i18n.messages.MessagesFactory;
+import org.apache.knox.gateway.util.IpAddressValidator;
+
+/**
+ */
+public class AclParser {
+  private static AclsAuthorizationMessages log = MessagesFactory.get( AclsAuthorizationMessages.class );
+
+  public String resourceRole;
+  public ArrayList<String> users;
+  public ArrayList<String> groups;
+  public boolean anyUser = true;
+  public boolean anyGroup = true;
+  public IpAddressValidator ipv;
+
+
+  public AclParser() {
+  }
+  
+  public void parseAcls(String resourceRole, String acls) throws InvalidACLException {
+    if (acls != null) {
+      String[] parts = acls.split(";");
+      if (parts.length != 3) {
+        log.invalidAclsFoundForResource(resourceRole);
+        throw new InvalidACLException("Invalid ACLs specified for requested resource: " + resourceRole);
+      }
+      else {
+        log.aclsFoundForResource(resourceRole);
+      }
+      parseUserAcls(parts);
+      
+      parseGroupAcls(parts);
+
+      parseIpAddressAcls(parts);
+    }
+    else {
+      log.noAclsFoundForResource(resourceRole);
+      users = new ArrayList<String>();
+      groups = new ArrayList<String>();
+      ipv = new IpAddressValidator(null);
+    }
+  }
+
+  private void parseUserAcls(String[] parts) {
+    users = new ArrayList<String>();
+    Collections.addAll(users, parts[0].split(","));
+    if (!users.contains("*")) {
+      anyUser = false;
+    }
+  }
+
+  private void parseGroupAcls(String[] parts) {
+    groups = new ArrayList<String>();
+    Collections.addAll(groups, parts[1].split(","));
+    if (!groups.contains("*")) {
+      anyGroup = false;
+    }
+  }
+
+  private void parseIpAddressAcls(String[] parts) {
+    ipv = new IpAddressValidator(parts[2]);
+  }
+}
\ No newline at end of file

http://git-wip-us.apache.org/repos/asf/knox/blob/af9b0c3d/gateway-provider-security-authz-acls/src/main/java/org/apache/knox/gateway/filter/AclsAuthorizationFilter.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-authz-acls/src/main/java/org/apache/knox/gateway/filter/AclsAuthorizationFilter.java b/gateway-provider-security-authz-acls/src/main/java/org/apache/knox/gateway/filter/AclsAuthorizationFilter.java
new file mode 100644
index 0000000..0002974
--- /dev/null
+++ b/gateway-provider-security-authz-acls/src/main/java/org/apache/knox/gateway/filter/AclsAuthorizationFilter.java
@@ -0,0 +1,212 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.knox.gateway.filter;
+
+import javax.security.auth.Subject;
+import javax.servlet.Filter;
+import javax.servlet.FilterChain;
+import javax.servlet.FilterConfig;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.apache.knox.gateway.audit.api.Action;
+import org.apache.knox.gateway.audit.api.ActionOutcome;
+import org.apache.knox.gateway.audit.api.AuditServiceFactory;
+import org.apache.knox.gateway.audit.api.Auditor;
+import org.apache.knox.gateway.audit.api.ResourceType;
+import org.apache.knox.gateway.audit.log4j.audit.AuditConstants;
+import org.apache.knox.gateway.i18n.messages.MessagesFactory;
+import org.apache.knox.gateway.security.GroupPrincipal;
+import org.apache.knox.gateway.security.ImpersonatedPrincipal;
+import org.apache.knox.gateway.security.PrimaryPrincipal;
+
+import java.io.IOException;
+import java.security.AccessController;
+import java.security.Principal;
+
+public class AclsAuthorizationFilter implements Filter {
+  private static AclsAuthorizationMessages log = MessagesFactory.get( AclsAuthorizationMessages.class );
+  private static Auditor auditor = AuditServiceFactory.getAuditService().getAuditor( AuditConstants.DEFAULT_AUDITOR_NAME,
+          AuditConstants.KNOX_SERVICE_NAME, AuditConstants.KNOX_COMPONENT_NAME );
+
+  private String resourceRole = null;
+  private String aclProcessingMode = null;
+  private AclParser parser = new AclParser();
+
+  
+  @Override
+  public void init(FilterConfig filterConfig) throws ServletException {
+    resourceRole = getInitParameter(filterConfig, "resource.role");
+    log.initializingForResourceRole(resourceRole);
+    aclProcessingMode = getInitParameter(filterConfig, resourceRole + ".acl.mode");
+    if (aclProcessingMode == null) {
+      aclProcessingMode = getInitParameter(filterConfig, "acl.mode");
+      if (aclProcessingMode == null) {
+        aclProcessingMode = "AND";
+      }
+    }
+    log.aclProcessingMode(aclProcessingMode);
+    String acls = getInitParameter(filterConfig, resourceRole + ".acl");
+    parser.parseAcls(resourceRole, acls);
+  }
+
+  private String getInitParameter(FilterConfig filterConfig, String paramName) {
+    return filterConfig.getInitParameter(paramName.toLowerCase());
+  }
+
+  public void destroy() {
+  }
+
+  public void doFilter(ServletRequest request, ServletResponse response,
+      FilterChain chain) throws IOException, ServletException {
+    boolean accessGranted = enforceAclAuthorizationPolicy(request, response, chain);
+    log.accessGranted(accessGranted);
+    String sourceUrl = (String)request.getAttribute( AbstractGatewayFilter.SOURCE_REQUEST_CONTEXT_URL_ATTRIBUTE_NAME );
+    if (accessGranted) {
+      auditor.audit( Action.AUTHORIZATION, sourceUrl, ResourceType.URI, ActionOutcome.SUCCESS );
+      chain.doFilter(request, response);
+    }
+    else {
+      auditor.audit( Action.AUTHORIZATION, sourceUrl, ResourceType.URI, ActionOutcome.FAILURE );
+      sendForbidden((HttpServletResponse) response);
+    }
+  }
+
+  private boolean enforceAclAuthorizationPolicy(ServletRequest request,
+      ServletResponse response, FilterChain chain) {
+    HttpServletRequest req = (HttpServletRequest) request;
+    
+    // before enforcing acls check whether there are no acls defined 
+    // which would mean that there are no restrictions
+    if (parser.users.size() == 0 && parser.groups.size() == 0 && parser.ipv.getIPAddresses().size() == 0) {
+      return true;
+    }
+
+    boolean userAccess = false;
+    boolean groupAccess = false;
+    boolean ipAddrAccess = false;
+    
+    Subject subject = Subject.getSubject(AccessController.getContext());
+    Principal primaryPrincipal = (Principal)subject.getPrincipals(PrimaryPrincipal.class).toArray()[0];
+    log.primaryPrincipal(primaryPrincipal.getName());
+    Object[] impersonations = subject.getPrincipals(ImpersonatedPrincipal.class).toArray();
+    if (impersonations.length > 0) {
+      log.impersonatedPrincipal(((Principal)impersonations[0]).getName());
+      userAccess = checkUserAcls((Principal)impersonations[0]);
+      log.impersonatedPrincipalHasAccess(userAccess);
+    }
+    else {
+      userAccess = checkUserAcls(primaryPrincipal);
+      log.primaryPrincipalHasAccess(userAccess);
+    }
+    Object[] groups = subject.getPrincipals(GroupPrincipal.class).toArray();
+    if (groups.length > 0) {
+//      System.out.println("GroupPrincipal: " + ((Principal)groups[0]).getName());
+      groupAccess = checkGroupAcls(groups);
+      log.groupPrincipalHasAccess(groupAccess);
+    }
+    else {
+      // if we have no groups in the subject then make
+      // it true if there is an anyGroup acl
+      // for AND mode and acls like *;*;127.0.0.* we need to
+      // make it pass
+      if (parser.anyGroup && aclProcessingMode.equals("AND")) {
+        groupAccess = true;
+      }
+    }
+    log.remoteIPAddress(req.getRemoteAddr());
+    ipAddrAccess = checkRemoteIpAcls(req.getRemoteAddr());
+    log.remoteIPAddressHasAccess(ipAddrAccess);
+    
+    if (aclProcessingMode.equals("OR")) {
+      // need to interpret '*' as excluded for OR semantics
+      // to make sense and not grant access to everyone by mistake.
+      // exclusion in OR is equivalent to denied
+      // so, let's set each one that contains '*' to false.
+      if (parser.anyUser) userAccess = false;
+      if (parser.anyGroup) groupAccess = false;
+      if (parser.ipv.allowsAnyIP()) ipAddrAccess = false;
+      
+      return (userAccess || groupAccess || ipAddrAccess);
+    }
+    else if (aclProcessingMode.equals("AND")) {
+      return (userAccess && groupAccess && ipAddrAccess);
+    }
+    return false;
+  }
+
+  private boolean checkRemoteIpAcls(String remoteAddr) {
+    boolean allowed = false;
+    if (remoteAddr == null) {
+      return false;
+    }
+    allowed = parser.ipv.validateIpAddress(remoteAddr);
+    return allowed;
+  }
+
+  private boolean checkUserAcls(Principal user) {
+    boolean allowed = false;
+    if (user == null) {
+      return false;
+    }
+    if (parser.anyUser) {
+      allowed = true;
+    }
+    else {
+      if (parser.users.contains(user.getName())) {
+        allowed = true;
+      }
+    }
+    return allowed;
+  }
+
+  private boolean checkGroupAcls(Object[] userGroups) {
+    boolean allowed = false;
+    if (userGroups == null) {
+      return false;
+    }
+    if (parser.anyGroup) {
+      allowed = true;
+    }
+    else {
+      for (int i = 0; i < userGroups.length; i++) {
+        if (parser.groups.contains(((Principal)userGroups[i]).getName())) {
+          allowed = true;
+          break;
+        }
+      }
+    }
+    return allowed;
+  }
+
+  private void sendForbidden(HttpServletResponse res) {
+    sendErrorCode(res, 403);
+  }
+
+  private void sendErrorCode(HttpServletResponse res, int code) {
+    try {
+      res.sendError(code);
+    } catch (IOException e) {
+      // TODO: log appropriately
+      e.printStackTrace();
+    }
+  }
+}

http://git-wip-us.apache.org/repos/asf/knox/blob/af9b0c3d/gateway-provider-security-authz-acls/src/main/java/org/apache/knox/gateway/filter/AclsAuthorizationMessages.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-authz-acls/src/main/java/org/apache/knox/gateway/filter/AclsAuthorizationMessages.java b/gateway-provider-security-authz-acls/src/main/java/org/apache/knox/gateway/filter/AclsAuthorizationMessages.java
new file mode 100644
index 0000000..206348d
--- /dev/null
+++ b/gateway-provider-security-authz-acls/src/main/java/org/apache/knox/gateway/filter/AclsAuthorizationMessages.java
@@ -0,0 +1,65 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.knox.gateway.filter;
+
+import org.apache.knox.gateway.i18n.messages.Message;
+import org.apache.knox.gateway.i18n.messages.MessageLevel;
+import org.apache.knox.gateway.i18n.messages.Messages;
+
+@Messages(logger="org.apache.hadoop.gateway")
+public interface AclsAuthorizationMessages {
+
+  @Message( level = MessageLevel.INFO, text = "Initializing AclsAuthz Provider for: {0}" )
+  void initializingForResourceRole(String resourceRole);
+
+  @Message( level = MessageLevel.DEBUG, text = "ACL Processing Mode is: {0}" )
+  void aclProcessingMode(String aclProcessingMode);
+
+  @Message( level = MessageLevel.WARN, text = "Invalid ACLs found for: {0}" )
+  void invalidAclsFoundForResource(String resourceRole);
+
+  @Message( level = MessageLevel.INFO, text = "ACLs found for: {0}" )
+  void aclsFoundForResource(String resourceRole);
+
+  @Message( level = MessageLevel.DEBUG, text = "No ACLs found for: {0}" )
+  void noAclsFoundForResource(String resourceRole);
+
+  @Message( level = MessageLevel.INFO, text = "Access Granted: {0}" )
+  void accessGranted(boolean accessGranted);
+
+  @Message( level = MessageLevel.DEBUG, text = "PrimaryPrincipal: {0}" )
+  void primaryPrincipal(String name);
+
+  @Message( level = MessageLevel.DEBUG, text = "ImpersonatedPrincipal: {0}" )
+  void impersonatedPrincipal(String name);
+
+  @Message( level = MessageLevel.DEBUG, text = "ImpersonatedPrincipal has access: {0}" )
+  void impersonatedPrincipalHasAccess(boolean userAccess);
+
+  @Message( level = MessageLevel.DEBUG, text = "PrimaryPrincipal has access: {0}" )
+  void primaryPrincipalHasAccess(boolean userAccess);
+
+  @Message( level = MessageLevel.DEBUG, text = "GroupPrincipal has access: {0}" )
+  void groupPrincipalHasAccess(boolean groupAccess);
+
+  @Message( level = MessageLevel.DEBUG, text = "Remote IP Address: {0}" )
+  void remoteIPAddress(String remoteAddr);
+
+  @Message( level = MessageLevel.DEBUG, text = "Remote IP Address has access: {0}" )
+  void remoteIPAddressHasAccess(boolean remoteIpAccess);
+}

http://git-wip-us.apache.org/repos/asf/knox/blob/af9b0c3d/gateway-provider-security-authz-acls/src/main/java/org/apache/knox/gateway/filter/AclsAuthorizationResources.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-authz-acls/src/main/java/org/apache/knox/gateway/filter/AclsAuthorizationResources.java b/gateway-provider-security-authz-acls/src/main/java/org/apache/knox/gateway/filter/AclsAuthorizationResources.java
new file mode 100644
index 0000000..fcacd11
--- /dev/null
+++ b/gateway-provider-security-authz-acls/src/main/java/org/apache/knox/gateway/filter/AclsAuthorizationResources.java
@@ -0,0 +1,27 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.knox.gateway.filter;
+
+import org.apache.knox.gateway.i18n.resources.Resource;
+import org.apache.knox.gateway.i18n.resources.Resources;
+
+@Resources
+public interface AclsAuthorizationResources {
+  @Resource( text = "Response status: {0}" )
+  String responseStatus( int status );
+}

http://git-wip-us.apache.org/repos/asf/knox/blob/af9b0c3d/gateway-provider-security-authz-acls/src/main/java/org/apache/knox/gateway/filter/InvalidACLException.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-authz-acls/src/main/java/org/apache/knox/gateway/filter/InvalidACLException.java b/gateway-provider-security-authz-acls/src/main/java/org/apache/knox/gateway/filter/InvalidACLException.java
new file mode 100644
index 0000000..d9d38dc
--- /dev/null
+++ b/gateway-provider-security-authz-acls/src/main/java/org/apache/knox/gateway/filter/InvalidACLException.java
@@ -0,0 +1,31 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.knox.gateway.filter;
+
+/**
+ * invalid ACL configuration item
+ */
+public class InvalidACLException extends RuntimeException {
+
+  private static final long serialVersionUID = -4284269372393774095L;
+
+  public InvalidACLException(String message) {
+    super(message);
+  }
+
+}

http://git-wip-us.apache.org/repos/asf/knox/blob/af9b0c3d/gateway-provider-security-authz-acls/src/main/resources/META-INF/services/org.apache.hadoop.gateway.deploy.ProviderDeploymentContributor
----------------------------------------------------------------------
diff --git a/gateway-provider-security-authz-acls/src/main/resources/META-INF/services/org.apache.hadoop.gateway.deploy.ProviderDeploymentContributor b/gateway-provider-security-authz-acls/src/main/resources/META-INF/services/org.apache.hadoop.gateway.deploy.ProviderDeploymentContributor
deleted file mode 100644
index 11e2f6f..0000000
--- a/gateway-provider-security-authz-acls/src/main/resources/META-INF/services/org.apache.hadoop.gateway.deploy.ProviderDeploymentContributor
+++ /dev/null
@@ -1,18 +0,0 @@
-##########################################################################
-# Licensed to the Apache Software Foundation (ASF) under one
-# or more contributor license agreements.  See the NOTICE file
-# distributed with this work for additional information
-# regarding copyright ownership.  The ASF licenses this file
-# to you under the Apache License, Version 2.0 (the
-# "License"); you may not use this file except in compliance
-# with the License.  You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-##########################################################################
-org.apache.hadoop.gateway.deploy.impl.AclsAuthzDeploymentContributor

http://git-wip-us.apache.org/repos/asf/knox/blob/af9b0c3d/gateway-provider-security-authz-acls/src/main/resources/META-INF/services/org.apache.knox.gateway.deploy.ProviderDeploymentContributor
----------------------------------------------------------------------
diff --git a/gateway-provider-security-authz-acls/src/main/resources/META-INF/services/org.apache.knox.gateway.deploy.ProviderDeploymentContributor b/gateway-provider-security-authz-acls/src/main/resources/META-INF/services/org.apache.knox.gateway.deploy.ProviderDeploymentContributor
new file mode 100644
index 0000000..5bb3f5f
--- /dev/null
+++ b/gateway-provider-security-authz-acls/src/main/resources/META-INF/services/org.apache.knox.gateway.deploy.ProviderDeploymentContributor
@@ -0,0 +1,18 @@
+##########################################################################
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+##########################################################################
+org.apache.knox.gateway.deploy.impl.AclsAuthzDeploymentContributor

http://git-wip-us.apache.org/repos/asf/knox/blob/af9b0c3d/gateway-provider-security-authz-acls/src/test/java/org/apache/hadoop/gateway/filter/AclParserTest.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-authz-acls/src/test/java/org/apache/hadoop/gateway/filter/AclParserTest.java b/gateway-provider-security-authz-acls/src/test/java/org/apache/hadoop/gateway/filter/AclParserTest.java
deleted file mode 100644
index 3a2e746..0000000
--- a/gateway-provider-security-authz-acls/src/test/java/org/apache/hadoop/gateway/filter/AclParserTest.java
+++ /dev/null
@@ -1,212 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements.  See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership.  The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License.  You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.hadoop.gateway.filter;
-
-import static org.junit.Assert.*;
-
-import org.junit.Test;
-
-/**
- * @author larry
- *
- */
-public class AclParserTest {
-  @Test
-  public void testValidAcls() throws Exception {
-    AclParser p = new AclParser();
-    p.parseAcls("test", "guest;*;*");
-    assertTrue(p.users.contains("guest"));
-    assertTrue(p.anyGroup);
-    assertTrue(p.ipv.allowsAnyIP());
-
-    p = new AclParser();
-    p.parseAcls("test", "*;admins;*");
-    assertFalse(p.users.contains("guest"));
-    assertTrue(p.anyUser);
-    assertFalse(p.anyGroup);
-    assertTrue(p.groups.contains("admins"));
-    assertTrue(p.ipv.allowsAnyIP());
-
-    p = new AclParser();
-    p.parseAcls("test", "*;*;127.0.0.1");
-    assertFalse(p.users.contains("guest"));
-    assertTrue(p.anyUser);
-    assertTrue(p.anyGroup);
-    assertFalse(p.groups.contains("admins"));
-    assertFalse(p.ipv.allowsAnyIP());
-    assertTrue(p.ipv.getIPAddresses().contains("127.0.0.1"));
-
-    p = new AclParser();
-    p.parseAcls("test", "*;admins;127.0.0.1");
-    assertFalse(p.users.contains("guest"));
-    assertTrue(p.anyUser);
-    assertFalse(p.anyGroup);
-    assertTrue(p.groups.contains("admins"));
-    assertFalse(p.ipv.allowsAnyIP());
-    assertTrue(p.ipv.getIPAddresses().contains("127.0.0.1"));
-
-    p = new AclParser();
-    p.parseAcls("test", "guest;admins;127.0.0.1");
-    assertTrue(p.users.contains("guest"));
-    assertFalse(p.anyUser);
-    assertFalse(p.anyGroup);
-    assertTrue(p.groups.contains("admins"));
-    assertFalse(p.ipv.allowsAnyIP());
-    assertTrue(p.ipv.getIPAddresses().contains("127.0.0.1"));
-
-    p = new AclParser();
-    p.parseAcls("test", "guest;*;127.0.0.1");
-    assertTrue(p.users.contains("guest"));
-    assertFalse(p.anyUser);
-    assertTrue(p.anyGroup);
-    assertFalse(p.groups.contains("admins"));
-    assertFalse(p.ipv.allowsAnyIP());
-    assertTrue(p.ipv.getIPAddresses().contains("127.0.0.1"));
-
-    p = new AclParser();
-    p.parseAcls("test", "*;admins;127.0.0.1");
-    assertFalse(p.users.contains("guest"));
-    assertTrue(p.anyUser);
-    assertFalse(p.anyGroup);
-    assertTrue(p.groups.contains("admins"));
-    assertFalse(p.ipv.allowsAnyIP());
-    assertTrue(p.ipv.getIPAddresses().contains("127.0.0.1"));
-  }
-    
-
-  @Test
-  public void testValidMultiValuedAcls() throws Exception {
-    AclParser p = new AclParser();
-    p.parseAcls("test", "*;admins;127.0.0.1,127.0.0.2");
-    assertFalse(p.users.contains("guest"));
-    assertTrue(p.anyUser);
-    assertFalse(p.anyGroup);
-    assertTrue(p.groups.contains("admins"));
-    assertFalse(p.ipv.allowsAnyIP());
-    assertTrue(p.ipv.getIPAddresses().contains("127.0.0.1"));
-    assertTrue(p.ipv.getIPAddresses().contains("127.0.0.2"));
-    assertFalse(p.ipv.getIPAddresses().contains("127.0.0.3"));
-
-    p = new AclParser();
-    p.parseAcls("test", "*;admins,users;127.0.0.1,127.0.0.2");
-    assertFalse(p.users.contains("guest"));
-    assertTrue(p.anyUser);
-    assertFalse(p.anyGroup);
-    assertTrue(p.groups.contains("admins"));
-    assertTrue(p.groups.contains("users"));
-    assertFalse(p.groups.contains("hackers"));
-    assertFalse(p.ipv.allowsAnyIP());
-    assertTrue(p.ipv.getIPAddresses().contains("127.0.0.1"));
-    assertTrue(p.ipv.getIPAddresses().contains("127.0.0.2"));
-    assertFalse(p.ipv.getIPAddresses().contains("127.0.0.3"));
-
-    p = new AclParser();
-    p.parseAcls("test", "guest,visitor;admins,users;127.0.0.1,127.0.0.2");
-    assertTrue(p.users.contains("guest"));
-    assertTrue(p.users.contains("visitor"));
-    assertFalse(p.users.contains("missing-guy"));
-    assertFalse(p.anyUser);
-    assertFalse(p.anyGroup);
-    assertTrue(p.groups.contains("admins"));
-    assertTrue(p.groups.contains("users"));
-    assertFalse(p.groups.contains("hackers"));
-    assertFalse(p.ipv.allowsAnyIP());
-    assertTrue(p.ipv.getIPAddresses().contains("127.0.0.1"));
-    assertTrue(p.ipv.getIPAddresses().contains("127.0.0.2"));
-    assertFalse(p.ipv.getIPAddresses().contains("127.0.0.3"));  
-  }
-  
-  @Test 
-  public void testNullACL() throws Exception {
-    AclParser p = new AclParser();
-    try {
-      p.parseAcls("test", null);
-    }
-    catch (InvalidACLException sle) {
-      // expected
-      fail("NULL acl should NOT have thrown InvalidACLException.");
-    }
-  }
-  
-  @Test
-  public void testInvalidAcls() throws Exception {
-    AclParser p = new AclParser();
-    try {
-      p.parseAcls("test", "guest");
-      fail("Invalid acl should have thrown InvalidACLException.");
-    }
-    catch (InvalidACLException sle) {
-      // expected
-    }
-
-    p = new AclParser();
-    try {
-      p.parseAcls("test", "guest;;");
-      fail("Invalid acl should have thrown InvalidACLException.");
-    }
-    catch (InvalidACLException sle) {
-      // expected
-    }
-  
-    p = new AclParser();
-    try {
-      p.parseAcls("test", ";;");
-      fail("Invalid acl should have thrown InvalidACLException.");
-    }
-    catch (InvalidACLException sle) {
-      // expected
-    }
-
-    p = new AclParser();
-    try {
-      p.parseAcls("test", ";");
-      fail("Invalid acl should have thrown InvalidACLException.");
-    }
-    catch (InvalidACLException sle) {
-      // expected
-    }
-
-    p = new AclParser();
-    try {
-      p.parseAcls("test", "guest;");
-      fail("Invalid acl should have thrown InvalidACLException.");
-    }
-    catch (InvalidACLException sle) {
-      // expected
-    }
-
-    p = new AclParser();
-    try {
-      p.parseAcls("test", ";admins");
-      fail("Invalid acl should have thrown InvalidACLException.");
-    }
-    catch (InvalidACLException sle) {
-      // expected
-    }
-
-    p = new AclParser();
-    try {
-      p.parseAcls("test", "");
-      fail("Invalid acl should have thrown InvalidACLException.");
-    }
-    catch (InvalidACLException sle) {
-      // expected
-    }
-  }
-
-}

http://git-wip-us.apache.org/repos/asf/knox/blob/af9b0c3d/gateway-provider-security-authz-acls/src/test/java/org/apache/knox/gateway/filter/AclParserTest.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-authz-acls/src/test/java/org/apache/knox/gateway/filter/AclParserTest.java b/gateway-provider-security-authz-acls/src/test/java/org/apache/knox/gateway/filter/AclParserTest.java
new file mode 100644
index 0000000..c377a89
--- /dev/null
+++ b/gateway-provider-security-authz-acls/src/test/java/org/apache/knox/gateway/filter/AclParserTest.java
@@ -0,0 +1,212 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.knox.gateway.filter;
+
+import static org.junit.Assert.*;
+
+import org.junit.Test;
+
+/**
+ * @author larry
+ *
+ */
+public class AclParserTest {
+  @Test
+  public void testValidAcls() throws Exception {
+    AclParser p = new AclParser();
+    p.parseAcls("test", "guest;*;*");
+    assertTrue(p.users.contains("guest"));
+    assertTrue(p.anyGroup);
+    assertTrue(p.ipv.allowsAnyIP());
+
+    p = new AclParser();
+    p.parseAcls("test", "*;admins;*");
+    assertFalse(p.users.contains("guest"));
+    assertTrue(p.anyUser);
+    assertFalse(p.anyGroup);
+    assertTrue(p.groups.contains("admins"));
+    assertTrue(p.ipv.allowsAnyIP());
+
+    p = new AclParser();
+    p.parseAcls("test", "*;*;127.0.0.1");
+    assertFalse(p.users.contains("guest"));
+    assertTrue(p.anyUser);
+    assertTrue(p.anyGroup);
+    assertFalse(p.groups.contains("admins"));
+    assertFalse(p.ipv.allowsAnyIP());
+    assertTrue(p.ipv.getIPAddresses().contains("127.0.0.1"));
+
+    p = new AclParser();
+    p.parseAcls("test", "*;admins;127.0.0.1");
+    assertFalse(p.users.contains("guest"));
+    assertTrue(p.anyUser);
+    assertFalse(p.anyGroup);
+    assertTrue(p.groups.contains("admins"));
+    assertFalse(p.ipv.allowsAnyIP());
+    assertTrue(p.ipv.getIPAddresses().contains("127.0.0.1"));
+
+    p = new AclParser();
+    p.parseAcls("test", "guest;admins;127.0.0.1");
+    assertTrue(p.users.contains("guest"));
+    assertFalse(p.anyUser);
+    assertFalse(p.anyGroup);
+    assertTrue(p.groups.contains("admins"));
+    assertFalse(p.ipv.allowsAnyIP());
+    assertTrue(p.ipv.getIPAddresses().contains("127.0.0.1"));
+
+    p = new AclParser();
+    p.parseAcls("test", "guest;*;127.0.0.1");
+    assertTrue(p.users.contains("guest"));
+    assertFalse(p.anyUser);
+    assertTrue(p.anyGroup);
+    assertFalse(p.groups.contains("admins"));
+    assertFalse(p.ipv.allowsAnyIP());
+    assertTrue(p.ipv.getIPAddresses().contains("127.0.0.1"));
+
+    p = new AclParser();
+    p.parseAcls("test", "*;admins;127.0.0.1");
+    assertFalse(p.users.contains("guest"));
+    assertTrue(p.anyUser);
+    assertFalse(p.anyGroup);
+    assertTrue(p.groups.contains("admins"));
+    assertFalse(p.ipv.allowsAnyIP());
+    assertTrue(p.ipv.getIPAddresses().contains("127.0.0.1"));
+  }
+    
+
+  @Test
+  public void testValidMultiValuedAcls() throws Exception {
+    AclParser p = new AclParser();
+    p.parseAcls("test", "*;admins;127.0.0.1,127.0.0.2");
+    assertFalse(p.users.contains("guest"));
+    assertTrue(p.anyUser);
+    assertFalse(p.anyGroup);
+    assertTrue(p.groups.contains("admins"));
+    assertFalse(p.ipv.allowsAnyIP());
+    assertTrue(p.ipv.getIPAddresses().contains("127.0.0.1"));
+    assertTrue(p.ipv.getIPAddresses().contains("127.0.0.2"));
+    assertFalse(p.ipv.getIPAddresses().contains("127.0.0.3"));
+
+    p = new AclParser();
+    p.parseAcls("test", "*;admins,users;127.0.0.1,127.0.0.2");
+    assertFalse(p.users.contains("guest"));
+    assertTrue(p.anyUser);
+    assertFalse(p.anyGroup);
+    assertTrue(p.groups.contains("admins"));
+    assertTrue(p.groups.contains("users"));
+    assertFalse(p.groups.contains("hackers"));
+    assertFalse(p.ipv.allowsAnyIP());
+    assertTrue(p.ipv.getIPAddresses().contains("127.0.0.1"));
+    assertTrue(p.ipv.getIPAddresses().contains("127.0.0.2"));
+    assertFalse(p.ipv.getIPAddresses().contains("127.0.0.3"));
+
+    p = new AclParser();
+    p.parseAcls("test", "guest,visitor;admins,users;127.0.0.1,127.0.0.2");
+    assertTrue(p.users.contains("guest"));
+    assertTrue(p.users.contains("visitor"));
+    assertFalse(p.users.contains("missing-guy"));
+    assertFalse(p.anyUser);
+    assertFalse(p.anyGroup);
+    assertTrue(p.groups.contains("admins"));
+    assertTrue(p.groups.contains("users"));
+    assertFalse(p.groups.contains("hackers"));
+    assertFalse(p.ipv.allowsAnyIP());
+    assertTrue(p.ipv.getIPAddresses().contains("127.0.0.1"));
+    assertTrue(p.ipv.getIPAddresses().contains("127.0.0.2"));
+    assertFalse(p.ipv.getIPAddresses().contains("127.0.0.3"));  
+  }
+  
+  @Test 
+  public void testNullACL() throws Exception {
+    AclParser p = new AclParser();
+    try {
+      p.parseAcls("test", null);
+    }
+    catch (InvalidACLException sle) {
+      // expected
+      fail("NULL acl should NOT have thrown InvalidACLException.");
+    }
+  }
+  
+  @Test
+  public void testInvalidAcls() throws Exception {
+    AclParser p = new AclParser();
+    try {
+      p.parseAcls("test", "guest");
+      fail("Invalid acl should have thrown InvalidACLException.");
+    }
+    catch (InvalidACLException sle) {
+      // expected
+    }
+
+    p = new AclParser();
+    try {
+      p.parseAcls("test", "guest;;");
+      fail("Invalid acl should have thrown InvalidACLException.");
+    }
+    catch (InvalidACLException sle) {
+      // expected
+    }
+  
+    p = new AclParser();
+    try {
+      p.parseAcls("test", ";;");
+      fail("Invalid acl should have thrown InvalidACLException.");
+    }
+    catch (InvalidACLException sle) {
+      // expected
+    }
+
+    p = new AclParser();
+    try {
+      p.parseAcls("test", ";");
+      fail("Invalid acl should have thrown InvalidACLException.");
+    }
+    catch (InvalidACLException sle) {
+      // expected
+    }
+
+    p = new AclParser();
+    try {
+      p.parseAcls("test", "guest;");
+      fail("Invalid acl should have thrown InvalidACLException.");
+    }
+    catch (InvalidACLException sle) {
+      // expected
+    }
+
+    p = new AclParser();
+    try {
+      p.parseAcls("test", ";admins");
+      fail("Invalid acl should have thrown InvalidACLException.");
+    }
+    catch (InvalidACLException sle) {
+      // expected
+    }
+
+    p = new AclParser();
+    try {
+      p.parseAcls("test", "");
+      fail("Invalid acl should have thrown InvalidACLException.");
+    }
+    catch (InvalidACLException sle) {
+      // expected
+    }
+  }
+
+}

http://git-wip-us.apache.org/repos/asf/knox/blob/af9b0c3d/gateway-provider-security-hadoopauth/src/main/java/org/apache/hadoop/gateway/hadoopauth/HadoopAuthMessages.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-hadoopauth/src/main/java/org/apache/hadoop/gateway/hadoopauth/HadoopAuthMessages.java b/gateway-provider-security-hadoopauth/src/main/java/org/apache/hadoop/gateway/hadoopauth/HadoopAuthMessages.java
deleted file mode 100755
index b7609c8..0000000
--- a/gateway-provider-security-hadoopauth/src/main/java/org/apache/hadoop/gateway/hadoopauth/HadoopAuthMessages.java
+++ /dev/null
@@ -1,33 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements.  See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership.  The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License.  You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.hadoop.gateway.hadoopauth;
-
-import org.apache.hadoop.gateway.i18n.messages.Message;
-import org.apache.hadoop.gateway.i18n.messages.MessageLevel;
-import org.apache.hadoop.gateway.i18n.messages.Messages;
-
-@Messages(logger="org.apache.hadoop.gateway.provider.global.hadoopauth")
-public interface HadoopAuthMessages {
-  
-  @Message( level = MessageLevel.INFO, text = "Initializing Hadoop Auth Property, name: {0},  value: {1}" )
-  void initializingHadoopAuthProperty(String name, String value);
-  
-  @Message( level = MessageLevel.DEBUG, text = "Hadoop Authentication Asserted Principal: {0}" )
-  void hadoopAuthAssertedPrincipal(String name);
-  
-}

http://git-wip-us.apache.org/repos/asf/knox/blob/af9b0c3d/gateway-provider-security-hadoopauth/src/main/java/org/apache/hadoop/gateway/hadoopauth/deploy/HadoopAuthDeploymentContributor.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-hadoopauth/src/main/java/org/apache/hadoop/gateway/hadoopauth/deploy/HadoopAuthDeploymentContributor.java b/gateway-provider-security-hadoopauth/src/main/java/org/apache/hadoop/gateway/hadoopauth/deploy/HadoopAuthDeploymentContributor.java
deleted file mode 100755
index 8404853..0000000
--- a/gateway-provider-security-hadoopauth/src/main/java/org/apache/hadoop/gateway/hadoopauth/deploy/HadoopAuthDeploymentContributor.java
+++ /dev/null
@@ -1,70 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements.  See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership.  The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License.  You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.hadoop.gateway.hadoopauth.deploy;
-
-import java.util.ArrayList;
-import java.util.List;
-import java.util.Map;
-import java.util.Map.Entry;
-
-import org.apache.hadoop.gateway.deploy.DeploymentContext;
-import org.apache.hadoop.gateway.deploy.ProviderDeploymentContributorBase;
-import org.apache.hadoop.gateway.descriptor.FilterParamDescriptor;
-import org.apache.hadoop.gateway.descriptor.ResourceDescriptor;
-import org.apache.hadoop.gateway.topology.Provider;
-import org.apache.hadoop.gateway.topology.Service;
-
-public class HadoopAuthDeploymentContributor extends
-    ProviderDeploymentContributorBase {
-
-  private static final String ROLE = "authentication";
-  private static final String NAME = "HadoopAuth";
-
-  private static final String HADOOPAUTH_FILTER_CLASSNAME = "org.apache.hadoop.gateway.hadoopauth.filter.HadoopAuthFilter";
-  private static final String HADOOPAUTH_POSTFILTER_CLASSNAME = "org.apache.hadoop.gateway.hadoopauth.filter.HadoopAuthPostFilter";
-
-  @Override
-  public String getRole() {
-    return ROLE;
-  }
-
-  @Override
-  public String getName() {
-    return NAME;
-  }
-
-  @Override
-  public void initializeContribution(DeploymentContext context) {
-    super.initializeContribution(context);
-  }
-
-  @Override
-  public void contributeFilter(DeploymentContext context, Provider provider, Service service, 
-      ResourceDescriptor resource, List<FilterParamDescriptor> params) {
-    // blindly add all the provider params as filter init params
-    if (params == null) {
-      params = new ArrayList<FilterParamDescriptor>();
-    }
-    Map<String, String> providerParams = provider.getParams();
-    for(Entry<String, String> entry : providerParams.entrySet()) {
-      params.add( resource.createFilterParam().name( entry.getKey().toLowerCase() ).value( entry.getValue() ) );
-    }
-    resource.addFilter().name( getName() ).role( getRole() ).impl( HADOOPAUTH_FILTER_CLASSNAME ).params( params );
-    resource.addFilter().name( "Post" + getName() ).role( getRole() ).impl( HADOOPAUTH_POSTFILTER_CLASSNAME ).params( params );
-  }
-}

http://git-wip-us.apache.org/repos/asf/knox/blob/af9b0c3d/gateway-provider-security-hadoopauth/src/main/java/org/apache/hadoop/gateway/hadoopauth/filter/HadoopAuthFilter.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-hadoopauth/src/main/java/org/apache/hadoop/gateway/hadoopauth/filter/HadoopAuthFilter.java b/gateway-provider-security-hadoopauth/src/main/java/org/apache/hadoop/gateway/hadoopauth/filter/HadoopAuthFilter.java
deleted file mode 100755
index 649601f..0000000
--- a/gateway-provider-security-hadoopauth/src/main/java/org/apache/hadoop/gateway/hadoopauth/filter/HadoopAuthFilter.java
+++ /dev/null
@@ -1,68 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements.  See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership.  The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License.  You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.hadoop.gateway.hadoopauth.filter;
-
-import java.util.Enumeration;
-import java.util.Properties;
-
-import javax.servlet.FilterConfig;
-import javax.servlet.ServletException;
-
-import org.apache.hadoop.gateway.hadoopauth.HadoopAuthMessages;
-import org.apache.hadoop.gateway.i18n.messages.MessagesFactory;
-
-/*
- * see http://hadoop.apache.org/docs/current/hadoop-auth/Configuration.html
- *
- * CONFIG_PREFIX = "config.prefix
- * AUTH_TYPE = "type", AUTH_TOKEN_VALIDITY = "token.validity"
- * COOKIE_DOMAIN = "cookie.domain", COOKIE_PATH = "cookie.path"
- * SIGNATURE_SECRET = "signature.secret
- * TYPE = "kerberos", PRINCIPAL = TYPE + ".principal", KEYTAB = TYPE + ".keytab"
-
- * config.prefix=hadoop.auth.config (default: null)
- * hadoop.auth.config.signature.secret=SECRET (default: a simple random number)
- * hadoop.auth.config.type=simple|kerberos|CLASS (default: none, would throw exception)
- * hadoop.auth.config.token.validity=SECONDS (default: 3600 seconds)
- * hadoop.auth.config.cookie.domain=DOMAIN(default: null)
- * hadoop.auth.config.cookie.path=PATH (default: null)
- * hadoop.auth.config.kerberos.principal=HTTP/localhost@LOCALHOST (default: null)
- * hadoop.auth.config.kerberos.keytab=/etc/knox/conf/knox.service.keytab (default: null)
- */
-
-public class HadoopAuthFilter extends 
-    org.apache.hadoop.security.authentication.server.AuthenticationFilter {
-  
-  private static HadoopAuthMessages log = MessagesFactory.get( HadoopAuthMessages.class );
-  
-  @Override
-  protected Properties getConfiguration(String configPrefix, FilterConfig filterConfig) throws ServletException {
-    Properties props = new Properties();
-    Enumeration<?> names = filterConfig.getInitParameterNames();
-    while (names.hasMoreElements()) {
-      String name = (String) names.nextElement();
-      if (name.startsWith(configPrefix)) {
-        String value = filterConfig.getInitParameter(name);
-        log.initializingHadoopAuthProperty(name, value);
-        props.put(name.substring(configPrefix.length()), value);
-      }
-    }
-    return props;
-  }
-  
-}

http://git-wip-us.apache.org/repos/asf/knox/blob/af9b0c3d/gateway-provider-security-hadoopauth/src/main/java/org/apache/hadoop/gateway/hadoopauth/filter/HadoopAuthPostFilter.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-hadoopauth/src/main/java/org/apache/hadoop/gateway/hadoopauth/filter/HadoopAuthPostFilter.java b/gateway-provider-security-hadoopauth/src/main/java/org/apache/hadoop/gateway/hadoopauth/filter/HadoopAuthPostFilter.java
deleted file mode 100755
index 70db96c..0000000
--- a/gateway-provider-security-hadoopauth/src/main/java/org/apache/hadoop/gateway/hadoopauth/filter/HadoopAuthPostFilter.java
+++ /dev/null
@@ -1,108 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements.  See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership.  The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License.  You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.hadoop.gateway.hadoopauth.filter;
-
-import java.io.IOException;
-import java.security.PrivilegedActionException;
-import java.security.PrivilegedExceptionAction;
-
-import javax.security.auth.Subject;
-import javax.servlet.Filter;
-import javax.servlet.FilterChain;
-import javax.servlet.FilterConfig;
-import javax.servlet.ServletException;
-import javax.servlet.ServletRequest;
-import javax.servlet.ServletResponse;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-
-import org.apache.hadoop.gateway.security.PrimaryPrincipal;
-import org.apache.hadoop.gateway.i18n.messages.MessagesFactory;
-import org.apache.hadoop.gateway.audit.api.Action;
-import org.apache.hadoop.gateway.audit.api.ActionOutcome;
-import org.apache.hadoop.gateway.audit.api.AuditService;
-import org.apache.hadoop.gateway.audit.api.AuditServiceFactory;
-import org.apache.hadoop.gateway.audit.api.Auditor;
-import org.apache.hadoop.gateway.audit.api.ResourceType;
-import org.apache.hadoop.gateway.audit.log4j.audit.AuditConstants;
-import org.apache.hadoop.gateway.filter.AbstractGatewayFilter;
-import org.apache.hadoop.gateway.hadoopauth.HadoopAuthMessages;
-
-public class HadoopAuthPostFilter implements Filter {
-
-  private static HadoopAuthMessages log = MessagesFactory.get( HadoopAuthMessages.class );
-  private static AuditService auditService = AuditServiceFactory.getAuditService();
-  private static Auditor auditor = auditService.getAuditor(
-      AuditConstants.DEFAULT_AUDITOR_NAME, AuditConstants.KNOX_SERVICE_NAME,
-      AuditConstants.KNOX_COMPONENT_NAME );
-
-  @Override
-  public void init( FilterConfig filterConfig ) throws ServletException {
-  }
-
-  @Override
-  public void destroy() {
-  }
-  
-  @Override
-  public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
-      throws IOException, ServletException {
-    HttpServletRequest httpRequest = (HttpServletRequest)request;
-    String principal = httpRequest.getRemoteUser();
-    if (principal != null) {
-        Subject subject = new Subject();
-        subject.getPrincipals().add(new PrimaryPrincipal(principal));
-        log.hadoopAuthAssertedPrincipal(principal);
-        auditService.getContext().setUsername( principal ); //KM: Audit Fix
-        String sourceUri = (String)request.getAttribute( AbstractGatewayFilter.SOURCE_REQUEST_CONTEXT_URL_ATTRIBUTE_NAME );
-        auditor.audit( Action.AUTHENTICATION , sourceUri, ResourceType.URI, ActionOutcome.SUCCESS );
-        doAs(httpRequest, response, chain, subject);
-    } 
-    else {
-      ((HttpServletResponse)response).sendError(HttpServletResponse.SC_FORBIDDEN, "User not authenticated");
-    }
-  }
-
-  private void doAs(final ServletRequest request, final ServletResponse response, final FilterChain chain, Subject subject)
-      throws IOException, ServletException {
-      try {
-        Subject.doAs(
-            subject,
-            new PrivilegedExceptionAction<Object>() {
-              public Object run() throws Exception {
-                chain.doFilter(request, response);
-                return null;
-              }
-            }
-            );
-      }
-      catch (PrivilegedActionException e) {
-        Throwable t = e.getCause();
-        if (t instanceof IOException) {
-          throw (IOException) t;
-        }
-        else if (t instanceof ServletException) {
-          throw (ServletException) t;
-        }
-        else {
-          throw new ServletException(t);
-        }
-      }
-    }
-  
-}

http://git-wip-us.apache.org/repos/asf/knox/blob/af9b0c3d/gateway-provider-security-hadoopauth/src/main/java/org/apache/knox/gateway/hadoopauth/HadoopAuthMessages.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-hadoopauth/src/main/java/org/apache/knox/gateway/hadoopauth/HadoopAuthMessages.java b/gateway-provider-security-hadoopauth/src/main/java/org/apache/knox/gateway/hadoopauth/HadoopAuthMessages.java
new file mode 100755
index 0000000..6141686
--- /dev/null
+++ b/gateway-provider-security-hadoopauth/src/main/java/org/apache/knox/gateway/hadoopauth/HadoopAuthMessages.java
@@ -0,0 +1,33 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.knox.gateway.hadoopauth;
+
+import org.apache.knox.gateway.i18n.messages.Message;
+import org.apache.knox.gateway.i18n.messages.MessageLevel;
+import org.apache.knox.gateway.i18n.messages.Messages;
+
+@Messages(logger="org.apache.hadoop.gateway.provider.global.hadoopauth")
+public interface HadoopAuthMessages {
+  
+  @Message( level = MessageLevel.INFO, text = "Initializing Hadoop Auth Property, name: {0},  value: {1}" )
+  void initializingHadoopAuthProperty(String name, String value);
+  
+  @Message( level = MessageLevel.DEBUG, text = "Hadoop Authentication Asserted Principal: {0}" )
+  void hadoopAuthAssertedPrincipal(String name);
+  
+}

http://git-wip-us.apache.org/repos/asf/knox/blob/af9b0c3d/gateway-provider-security-hadoopauth/src/main/java/org/apache/knox/gateway/hadoopauth/deploy/HadoopAuthDeploymentContributor.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-hadoopauth/src/main/java/org/apache/knox/gateway/hadoopauth/deploy/HadoopAuthDeploymentContributor.java b/gateway-provider-security-hadoopauth/src/main/java/org/apache/knox/gateway/hadoopauth/deploy/HadoopAuthDeploymentContributor.java
new file mode 100755
index 0000000..5dc1c0c
--- /dev/null
+++ b/gateway-provider-security-hadoopauth/src/main/java/org/apache/knox/gateway/hadoopauth/deploy/HadoopAuthDeploymentContributor.java
@@ -0,0 +1,70 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.knox.gateway.hadoopauth.deploy;
+
+import java.util.ArrayList;
+import java.util.List;
+import java.util.Map;
+import java.util.Map.Entry;
+
+import org.apache.knox.gateway.deploy.DeploymentContext;
+import org.apache.knox.gateway.deploy.ProviderDeploymentContributorBase;
+import org.apache.knox.gateway.descriptor.FilterParamDescriptor;
+import org.apache.knox.gateway.descriptor.ResourceDescriptor;
+import org.apache.knox.gateway.topology.Provider;
+import org.apache.knox.gateway.topology.Service;
+
+public class HadoopAuthDeploymentContributor extends
+    ProviderDeploymentContributorBase {
+
+  private static final String ROLE = "authentication";
+  private static final String NAME = "HadoopAuth";
+
+  private static final String HADOOPAUTH_FILTER_CLASSNAME = "HadoopAuthFilter";
+  private static final String HADOOPAUTH_POSTFILTER_CLASSNAME = "HadoopAuthPostFilter";
+
+  @Override
+  public String getRole() {
+    return ROLE;
+  }
+
+  @Override
+  public String getName() {
+    return NAME;
+  }
+
+  @Override
+  public void initializeContribution(DeploymentContext context) {
+    super.initializeContribution(context);
+  }
+
+  @Override
+  public void contributeFilter(DeploymentContext context, Provider provider, Service service,
+      ResourceDescriptor resource, List<FilterParamDescriptor> params) {
+    // blindly add all the provider params as filter init params
+    if (params == null) {
+      params = new ArrayList<FilterParamDescriptor>();
+    }
+    Map<String, String> providerParams = provider.getParams();
+    for(Entry<String, String> entry : providerParams.entrySet()) {
+      params.add( resource.createFilterParam().name( entry.getKey().toLowerCase() ).value( entry.getValue() ) );
+    }
+    resource.addFilter().name( getName() ).role( getRole() ).impl( HADOOPAUTH_FILTER_CLASSNAME ).params( params );
+    resource.addFilter().name( "Post" + getName() ).role( getRole() ).impl( HADOOPAUTH_POSTFILTER_CLASSNAME ).params( params );
+  }
+}


Mime
View raw message