From kris...@apache.org
Subject [knox] branch master updated: KNOX-2026 - Accept Impala's authentication cookies (#161)
Date Wed, 09 Oct 2019 15:58:36 GMT
This is an automated email from the ASF dual-hosted git repository.

krisden pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/knox.git


The following commit(s) were added to refs/heads/master by this push:
     new f7acac9  KNOX-2026 - Accept Impala's authentication cookies (#161)
f7acac9 is described below

commit f7acac99b10064f6f992f3352d2446d6661fe373
Author: Thomas Tauber-Marshall <tmarshall@cloudera.com>
AuthorDate: Wed Oct 9 08:58:32 2019 -0700

    KNOX-2026 - Accept Impala's authentication cookies (#161)
    
    This patch modifies HadoopAuthCookieStore to accept cookies with
    Impala's cookie name, "impala.auth".
    
    It also updates a check that is used to ensure the cookie belongs to
    Knox - previously, this check parsed the cookie according to the
    specific format that Hadoop uses for its cookies and ensured that the
    Knox principal appeared in the expected location.
    
    Impala uses a similar cookie format, but with a few changes such as
    fields being in a different order. The check is made more permissive
    such that it will accept any cookie that contains the Knox principal
    anywhere in it.
    
    Testing:
    - Deployed in a cluster and verified that Knox accepts and returns
      Impala's cookies as expected.
---
 .../gateway/dispatch/HadoopAuthCookieStore.java    | 24 ++++++++--------------
 1 file changed, 9 insertions(+), 15 deletions(-)

diff --git a/gateway-spi/src/main/java/org/apache/knox/gateway/dispatch/HadoopAuthCookieStore.java
b/gateway-spi/src/main/java/org/apache/knox/gateway/dispatch/HadoopAuthCookieStore.java
index bd85617..522019b 100644
--- a/gateway-spi/src/main/java/org/apache/knox/gateway/dispatch/HadoopAuthCookieStore.java
+++ b/gateway-spi/src/main/java/org/apache/knox/gateway/dispatch/HadoopAuthCookieStore.java
@@ -38,6 +38,7 @@ public class HadoopAuthCookieStore extends BasicCookieStore {
 
   private static final String HADOOP_AUTH_COOKIE_NAME = "hadoop.auth";
   private static final String HIVE_SERVER2_AUTH_COOKIE_NAME = "hive.server2.auth";
+  private static final String IMPALA_AUTH_COOKIE_NAME = "impala.auth";
 
   private static String knoxPrincipal;
 
@@ -73,28 +74,21 @@ public class HadoopAuthCookieStore extends BasicCookieStore {
 
   private boolean isAuthCookie(Cookie cookie) {
     return HADOOP_AUTH_COOKIE_NAME.equals(cookie.getName()) ||
-               HIVE_SERVER2_AUTH_COOKIE_NAME.equals(cookie.getName());
+        HIVE_SERVER2_AUTH_COOKIE_NAME.equals(cookie.getName()) ||
+        IMPALA_AUTH_COOKIE_NAME.equals(cookie.getName());
   }
 
   private boolean isKnoxCookie(Cookie cookie) {
     boolean result = false;
 
+    // We expect cookies to be some delimited list of parameters, eg. username, principal,
+    // timestamp, random number, etc. along with an HMAC signature. To ensure we only
+    // store cookies that are relevant to Knox, we check that the Knox principal appears
+    // somewhere in the cookie value.
     if (cookie != null) {
       String value = cookie.getValue();
-      if (value != null && !value.isEmpty()) {
-        String principal = null;
-
-        String[] cookieParts = value.split("&");
-        if (cookieParts.length > 1) {
-          String[] elementParts = cookieParts[1].split("=");
-          if (elementParts.length == 2) {
-            principal = elementParts[1];
-          }
-
-          if (principal != null) {
-            result = principal.equals(knoxPrincipal);
-          }
-        }
+      if (value != null && value.contains(knoxPrincipal)) {
+        result = true;
       }
     }
 
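Review bot: The new test in isKnoxCookie, `value.contains(knoxPrincipal)`, no longer handles an unset principal and no longer checks which field the principal sits in. `String.contains` throws NullPointerException for a null argument and returns true for an empty one, so if the static `knoxPrincipal` (initialised outside this hunk) can be null or empty, the store either fails or treats every auth cookie as Knox's, whereas the removed `principal.equals(knoxPrincipal)` was null-safe. A bare substring match also accepts a value where the principal text appears in a different field or inside a longer principal, so a cookie issued for another identity could end up stored by the gateway. I would guard with `if (value != null && knoxPrincipal != null && !knoxPrincipal.isEmpty() && value.contains(knoxPrincipal)) {` and, if Impala's format allows it, compare the principal as a whole delimited token, with a unit test for a near-miss principal. The method body continues past the end of the hunk.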

