knox-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From lmc...@apache.org
Subject git commit: added authenticate server and token granting services and various updates to the JWT code for HSSO POC
Date Mon, 03 Jun 2013 19:34:37 GMT
Updated Branches:
  refs/heads/master 0511c11b2 -> f68377ecc


added authenticate server and token granting services and various updates to the JWT code
for HSSO POC

Project: http://git-wip-us.apache.org/repos/asf/incubator-knox/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-knox/commit/f68377ec
Tree: http://git-wip-us.apache.org/repos/asf/incubator-knox/tree/f68377ec
Diff: http://git-wip-us.apache.org/repos/asf/incubator-knox/diff/f68377ec

Branch: refs/heads/master
Commit: f68377eccda731dbc9ad5cc246ca930d97f7ade7
Parents: 0511c11
Author: Larry McCay <lmccay@hortonworks.com>
Authored: Mon Jun 3 15:34:19 2013 -0400
Committer: Larry McCay <lmccay@hortonworks.com>
Committed: Mon Jun 3 15:34:19 2013 -0400

----------------------------------------------------------------------
 .../provider/federation/jwt/JWTAuthority.java      |   19 ++++-
 .../gateway/provider/federation/jwt/JWTToken.java  |    2 +-
 .../jwt/filter/AccessTokenFederationFilter.java    |   33 ++++++---
 .../jwt/filter/JWTAccessTokenAssertionFilter.java  |   28 ++++++-
 .../federation/jwt/filter/JWTFederationFilter.java |   14 +++-
 gateway-release/pom.xml                            |   10 ++-
 gateway-service-as/pom.xml                         |   57 ++++++++++++++
 .../hadoop/gateway/as/ASDeploymentContributor.java |   58 +++++++++++++++
 ...oop.gateway.deploy.ServiceDeploymentContributor |   19 +++++
 gateway-service-tgs/pom.xml                        |   57 ++++++++++++++
 .../gateway/tgs/TGSDeploymentContributor.java      |   58 +++++++++++++++
 ...oop.gateway.deploy.ServiceDeploymentContributor |   19 +++++
 pom.xml                                            |   14 +++-
 13 files changed, 364 insertions(+), 24 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/f68377ec/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/JWTAuthority.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/JWTAuthority.java
b/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/JWTAuthority.java
index 34c3713..d8c86ae 100644
--- a/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/JWTAuthority.java
+++ b/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/JWTAuthority.java
@@ -33,11 +33,21 @@ public class JWTAuthority {
   
   public JWTToken issueToken(Subject subject, String algorithm) {
     Principal p = (Principal) subject.getPrincipals().toArray()[0];
+    return issueToken(p, algorithm);
+  }
+  
+  public JWTToken issueToken(Principal p, String algorithm) {
+    return issueToken(p, null, algorithm);
+  }
+  
+  public JWTToken issueToken(Principal p, String audience, String algorithm) {
     String[] claimArray = new String[4];
-    claimArray[0] = "gateway";
+    claimArray[0] = "HSSO";
     claimArray[1] = p.getName();
-    // TODO: what do we need here and how do we determine what it should be?
-    claimArray[2] = "https://login.hadoop.example.org";
+    if (audience == null) {
+      audience = "HSSO";
+    }
+    claimArray[2] = audience;
     // TODO: make the validity period configurable
     claimArray[3] = Long.toString( ( System.currentTimeMillis()/1000 ) + 300);
 
@@ -61,6 +71,9 @@ public class JWTAuthority {
   
   public boolean verifyToken(JWTToken token) {
     boolean rc = false;
+    
+    // TODO: interrogate the token for issuer claim in order to determine the public key
to use for verification
+    // consider jwk for specifying the key too
     rc = crypto.verify("SHA256withRSA", "gateway-identity", token.getPayloadToSign(), token.getSignaturePayload());
     return rc;
   }

http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/f68377ec/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/JWTToken.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/JWTToken.java
b/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/JWTToken.java
index 9adf46e..4ecf7bd 100644
--- a/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/JWTToken.java
+++ b/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/JWTToken.java
@@ -39,7 +39,7 @@ public class JWTToken {
   
   byte[] payload = null;
   
-  public JWTToken(byte[] header, byte[] claims, byte[] signature) {
+  private JWTToken(byte[] header, byte[] claims, byte[] signature) {
     try {
       this.header = new String(header, "UTF-8");
       this.claims = new String(claims, "UTF-8");

http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/f68377ec/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/filter/AccessTokenFederationFilter.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/filter/AccessTokenFederationFilter.java
b/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/filter/AccessTokenFederationFilter.java
index 179d2ee..e067afc 100644
--- a/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/filter/AccessTokenFederationFilter.java
+++ b/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/filter/AccessTokenFederationFilter.java
@@ -34,7 +34,8 @@ import javax.servlet.ServletResponse;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
-import org.apache.hadoop.gateway.provider.federation.jwt.AccessToken;
+import org.apache.hadoop.gateway.provider.federation.jwt.JWTAuthority;
+import org.apache.hadoop.gateway.provider.federation.jwt.JWTToken;
 import org.apache.hadoop.gateway.services.GatewayServices;
 import org.apache.hadoop.gateway.services.security.CryptoService;
 
@@ -42,11 +43,14 @@ public class AccessTokenFederationFilter implements Filter {
   private static final String BEARER = "Bearer ";
   
   private CryptoService crypto = null;
+
+  private JWTAuthority authority;
   
   @Override
   public void init( FilterConfig filterConfig ) throws ServletException {
     GatewayServices services = (GatewayServices) filterConfig.getServletContext().getAttribute(GatewayServices.GATEWAY_SERVICES_ATTRIBUTE);
     crypto = (CryptoService) services.getService(GatewayServices.CRYPTO_SERVICE);
+    authority = new JWTAuthority(crypto);
   }
 
   public void destroy() {
@@ -58,16 +62,20 @@ public class AccessTokenFederationFilter implements Filter {
     if (header != null && header.startsWith(BEARER)) {
       // what follows the bearer designator should be the JWT token being used to request
or as an access token
       String wireToken = header.substring(BEARER.length());
-      AccessToken token = AccessToken.parseToken(crypto, wireToken);
-// LJM TODO: replace with actual verification - should we do it in the authority? Probably.
-//      boolean verified = authority.verifyAccessToken(token);
-      boolean verified = true;
+      JWTToken token = JWTToken.parseToken(wireToken);
+      boolean verified = authority.verifyToken(token);
       if (verified) {
         // TODO: validate expiration
         // TODO: confirm that audience matches intended target
-        // TODO: verify that the user requesting access to the service/resource is authorized
for it - need scopes?
-        Subject subject = createSubjectFromToken(token);
-        continueWithEstablishedSecurityContext(subject, (HttpServletRequest)request, (HttpServletResponse)response,
chain);
+        if (token.getAudience().equals(getAudienceFromRequest(request))) {
+          // TODO: verify that the user requesting access to the service/resource is authorized
for it - need scopes?
+          Subject subject = createSubjectFromToken(token);
+          continueWithEstablishedSecurityContext(subject, (HttpServletRequest)request, (HttpServletResponse)response,
chain);
+        }
+        else {
+          ((HttpServletResponse) response).sendError(HttpServletResponse.SC_UNAUTHORIZED);
+          return; //break filter chain
+        }
       }
       else {
         ((HttpServletResponse) response).sendError(HttpServletResponse.SC_UNAUTHORIZED);
@@ -82,6 +90,11 @@ public class AccessTokenFederationFilter implements Filter {
     }
   }
   
+  private String getAudienceFromRequest(ServletRequest request) {
+    // TODO determine the audience value that would match the requested resource
+    return "HDFS";
+  }
+
   private void continueWithEstablishedSecurityContext(Subject subject, final HttpServletRequest
request, final HttpServletResponse response, final FilterChain chain) throws IOException,
ServletException {
     try {
       Subject.doAs(
@@ -109,8 +122,8 @@ public class AccessTokenFederationFilter implements Filter {
     }
   }
   
-  private Subject createSubjectFromToken(AccessToken token) {
-    final String principal = token.getPrincipalName();
+  private Subject createSubjectFromToken(JWTToken token) {
+    final String principal = token.getPrincipal();
 
     HashSet emptySet = new HashSet();
     Set<Principal> principals = new HashSet<Principal>();

http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/f68377ec/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/filter/JWTAccessTokenAssertionFilter.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/filter/JWTAccessTokenAssertionFilter.java
b/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/filter/JWTAccessTokenAssertionFilter.java
index f179932..db1fd2c 100644
--- a/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/filter/JWTAccessTokenAssertionFilter.java
+++ b/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/filter/JWTAccessTokenAssertionFilter.java
@@ -20,6 +20,7 @@ package org.apache.hadoop.gateway.provider.federation.jwt.filter;
 import java.io.IOException;
 import java.io.UnsupportedEncodingException;
 import java.security.AccessController;
+import java.security.Principal;
 import java.util.HashMap;
 
 import javax.security.auth.Subject;
@@ -32,7 +33,7 @@ import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
 import org.apache.hadoop.gateway.filter.security.AbstractIdentityAssertionFilter;
-import org.apache.hadoop.gateway.provider.federation.jwt.AccessToken;
+import org.apache.hadoop.gateway.provider.federation.jwt.JWTAuthority;
 import org.apache.hadoop.gateway.provider.federation.jwt.JWTToken;
 import org.apache.hadoop.gateway.services.GatewayServices;
 import org.apache.hadoop.gateway.services.security.CryptoService;
@@ -69,6 +70,14 @@ public class JWTAccessTokenAssertionFilter extends AbstractIdentityAssertionFilt
       // what follows the bearer designator should be the JWT token being used to request
or as an access token
       String wireToken = header.substring(BEARER.length());
       JWTToken token = JWTToken.parseToken(wireToken);
+      // ensure that there is a valid jwt token available and that there isn't a misconfiguration
of filters
+      if (token != null) {
+        JWTAuthority authority = new JWTAuthority(crypto);
+        authority.verifyToken(token);
+      }
+      else {
+        throw new ServletException("Expected JWT Token not provided as Bearer token");
+      }
       
       // authorization of the user for the requested service (and resource?) should have
been done by
       // the JWTFederationFilter - once we get here we can assume that it is authorized and
we just need
@@ -81,7 +90,8 @@ public class JWTAccessTokenAssertionFilter extends AbstractIdentityAssertionFilt
       // calculate expiration timestamp: validity * 1000 + currentTimeInMillis
       long expires = System.currentTimeMillis() + validity * 1000;
       
-      String accessToken = getAccessToken(principalName, expires);
+      String serviceName = request.getParameter("service-name");
+      String accessToken = getAccessToken(principalName, serviceName, expires);
       
       HashMap<String, Object> map = new HashMap<String, Object>();
       // TODO: populate map from JWT authorization code
@@ -104,10 +114,20 @@ public class JWTAccessTokenAssertionFilter extends AbstractIdentityAssertionFilt
     }
   }
 
-  private String getAccessToken(String principalName, long expires) {
+  private String getAccessToken(final String principalName, String serviceName, long expires)
{
     String accessToken = null;
 
-    AccessToken token = new AccessToken(crypto, principalName, expires);
+    JWTAuthority authority = new JWTAuthority(crypto);
+    Principal p = new Principal() {
+
+      @Override
+      public String getName() {
+        // TODO Auto-generated method stub
+        return principalName;
+      }
+    };
+    JWTToken token = authority.issueToken(p, serviceName, "RS256");
+//    AccessToken token = new AccessToken(crypto, principalName, expires);
     accessToken = token.toString();
     
     return accessToken;

http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/f68377ec/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/filter/JWTFederationFilter.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/filter/JWTFederationFilter.java
b/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/filter/JWTFederationFilter.java
index 26f1d7b..29dbe5b 100644
--- a/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/filter/JWTFederationFilter.java
+++ b/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/filter/JWTFederationFilter.java
@@ -67,10 +67,16 @@ public class JWTFederationFilter implements Filter {
       boolean verified = authority.verifyToken(token);
       if (verified) {
         // TODO: validate expiration
-        // TODO: confirm that audience matches intended target
-        // TODO: verify that the user requesting access to the service/resource is authorized
for it - need scopes?
-        Subject subject = createSubjectFromToken(token);
-        continueWithEstablishedSecurityContext(subject, (HttpServletRequest)request, (HttpServletResponse)response,
chain);
+        // confirm that audience matches intended target - which for this filter must be
HSSO
+        if (token.getAudience().equals("HSSO")) {
+          // TODO: verify that the user requesting access to the service/resource is authorized
for it - need scopes?
+          Subject subject = createSubjectFromToken(token);
+          continueWithEstablishedSecurityContext(subject, (HttpServletRequest)request, (HttpServletResponse)response,
chain);
+        }
+        else {
+          ((HttpServletResponse) response).sendError(HttpServletResponse.SC_UNAUTHORIZED);
+          return; //break filter chain
+        }
       }
       else {
         ((HttpServletResponse) response).sendError(HttpServletResponse.SC_UNAUTHORIZED);

http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/f68377ec/gateway-release/pom.xml
----------------------------------------------------------------------
diff --git a/gateway-release/pom.xml b/gateway-release/pom.xml
index b106c42..6af3da3 100644
--- a/gateway-release/pom.xml
+++ b/gateway-release/pom.xml
@@ -111,15 +111,23 @@
         </dependency>
         <dependency>
             <groupId>${gateway-group}</groupId>
+            <artifactId>gateway-service-as</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>${gateway-group}</groupId>
             <artifactId>gateway-service-hdfs</artifactId>
         </dependency>
         <dependency>
             <groupId>${gateway-group}</groupId>
+            <artifactId>gateway-service-oozie</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>${gateway-group}</groupId>
             <artifactId>gateway-service-templeton</artifactId>
         </dependency>
         <dependency>
             <groupId>${gateway-group}</groupId>
-            <artifactId>gateway-service-oozie</artifactId>
+            <artifactId>gateway-service-tgs</artifactId>
         </dependency>
         <dependency>
             <groupId>${gateway-group}</groupId>

http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/f68377ec/gateway-service-as/pom.xml
----------------------------------------------------------------------
diff --git a/gateway-service-as/pom.xml b/gateway-service-as/pom.xml
new file mode 100644
index 0000000..72883f9
--- /dev/null
+++ b/gateway-service-as/pom.xml
@@ -0,0 +1,57 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  Licensed to the Apache Software Foundation (ASF) under one or more
+  contributor license agreements.  See the NOTICE file distributed with
+  this work for additional information regarding copyright ownership.
+  The ASF licenses this file to You under the Apache License, Version 2.0
+  (the "License"); you may not use this file except in compliance with
+  the License.  You may obtain a copy of the License at
+
+      http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing, software
+  distributed under the License is distributed on an "AS IS" BASIS,
+  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  See the License for the specific language governing permissions and
+  limitations under the License.
+-->
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+    <parent>
+        <groupId>org.apache.hadoop</groupId>
+        <artifactId>gateway</artifactId>
+        <version>0.3.0-SNAPSHOT</version>
+    </parent>
+    <artifactId>gateway-service-as</artifactId>
+
+    <name>gateway-service-as</name>
+    <description>The extension to the gateway for authentication service.</description>
+
+    <licenses>
+        <license>
+            <name>The Apache Software License, Version 2.0</name>
+            <url>http://www.apache.org/licenses/LICENSE-2.0.txt</url>
+            <distribution>repo</distribution>
+        </license>
+    </licenses>
+
+    <dependencies>
+        <dependency>
+            <groupId>${gateway-group}</groupId>
+            <artifactId>gateway-spi</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>${gateway-group}</groupId>
+            <artifactId>gateway-provider-rewrite</artifactId>
+        </dependency>
+
+        <dependency>
+            <groupId>junit</groupId>
+            <artifactId>junit</artifactId>
+            <scope>test</scope>
+        </dependency>
+    </dependencies>
+
+</project>
\ No newline at end of file

http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/f68377ec/gateway-service-as/src/main/java/org/apache/hadoop/gateway/as/ASDeploymentContributor.java
----------------------------------------------------------------------
diff --git a/gateway-service-as/src/main/java/org/apache/hadoop/gateway/as/ASDeploymentContributor.java
b/gateway-service-as/src/main/java/org/apache/hadoop/gateway/as/ASDeploymentContributor.java
new file mode 100644
index 0000000..de99866
--- /dev/null
+++ b/gateway-service-as/src/main/java/org/apache/hadoop/gateway/as/ASDeploymentContributor.java
@@ -0,0 +1,58 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.gateway.as;
+
+import org.apache.hadoop.gateway.deploy.DeploymentContext;
+import org.apache.hadoop.gateway.deploy.ServiceDeploymentContributorBase;
+import org.apache.hadoop.gateway.descriptor.ResourceDescriptor;
+import org.apache.hadoop.gateway.filter.rewrite.api.UrlRewriteRuleDescriptor;
+import org.apache.hadoop.gateway.filter.rewrite.api.UrlRewriteRulesDescriptor;
+import org.apache.hadoop.gateway.filter.rewrite.ext.UrlRewriteActionRewriteDescriptorExt;
+import org.apache.hadoop.gateway.topology.Service;
+
+import java.net.URISyntaxException;
+
+public class ASDeploymentContributor extends ServiceDeploymentContributorBase {
+
+  private static final String AS_EXTERNAL_PATH = "/authserver/api/v1";
+
+  @Override
+  public String getRole() {
+    return "AS";
+  }
+
+  @Override
+  public String getName() {
+    return "as";
+  }
+
+  @Override
+  public void contributeService( DeploymentContext context, Service service ) throws URISyntaxException
{
+    ResourceDescriptor resource = context.getGatewayDescriptor().addResource();
+    resource.role( service.getRole() );
+    resource.pattern( AS_EXTERNAL_PATH + "/authenticate");
+    if (topologyContainsProviderType(context, "authentication")) {
+      context.contributeFilter( service, resource, "authentication", null, null );
+    }
+    if (topologyContainsProviderType(context, "federation")) {
+      context.contributeFilter( service, resource, "federation", null, null );
+    }
+    context.contributeFilter( service, resource, "identity-assertion", null, null );
+  }
+
+}
\ No newline at end of file

http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/f68377ec/gateway-service-as/src/main/resources/META-INF/services/org.apache.hadoop.gateway.deploy.ServiceDeploymentContributor
----------------------------------------------------------------------
diff --git a/gateway-service-as/src/main/resources/META-INF/services/org.apache.hadoop.gateway.deploy.ServiceDeploymentContributor
b/gateway-service-as/src/main/resources/META-INF/services/org.apache.hadoop.gateway.deploy.ServiceDeploymentContributor
new file mode 100644
index 0000000..5cca9ca
--- /dev/null
+++ b/gateway-service-as/src/main/resources/META-INF/services/org.apache.hadoop.gateway.deploy.ServiceDeploymentContributor
@@ -0,0 +1,19 @@
+##########################################################################
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+##########################################################################
+
+org.apache.hadoop.gateway.as.ASDeploymentContributor
\ No newline at end of file

http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/f68377ec/gateway-service-tgs/pom.xml
----------------------------------------------------------------------
diff --git a/gateway-service-tgs/pom.xml b/gateway-service-tgs/pom.xml
new file mode 100644
index 0000000..706e510
--- /dev/null
+++ b/gateway-service-tgs/pom.xml
@@ -0,0 +1,57 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  Licensed to the Apache Software Foundation (ASF) under one or more
+  contributor license agreements.  See the NOTICE file distributed with
+  this work for additional information regarding copyright ownership.
+  The ASF licenses this file to You under the Apache License, Version 2.0
+  (the "License"); you may not use this file except in compliance with
+  the License.  You may obtain a copy of the License at
+
+      http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing, software
+  distributed under the License is distributed on an "AS IS" BASIS,
+  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  See the License for the specific language governing permissions and
+  limitations under the License.
+-->
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+    <parent>
+        <groupId>org.apache.hadoop</groupId>
+        <artifactId>gateway</artifactId>
+        <version>0.3.0-SNAPSHOT</version>
+    </parent>
+    <artifactId>gateway-service-tgs</artifactId>
+
+    <name>gateway-service-tgs</name>
+    <description>The extension to the gateway for authentication service.</description>
+
+    <licenses>
+        <license>
+            <name>The Apache Software License, Version 2.0</name>
+            <url>http://www.apache.org/licenses/LICENSE-2.0.txt</url>
+            <distribution>repo</distribution>
+        </license>
+    </licenses>
+
+    <dependencies>
+        <dependency>
+            <groupId>${gateway-group}</groupId>
+            <artifactId>gateway-spi</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>${gateway-group}</groupId>
+            <artifactId>gateway-provider-rewrite</artifactId>
+        </dependency>
+
+        <dependency>
+            <groupId>junit</groupId>
+            <artifactId>junit</artifactId>
+            <scope>test</scope>
+        </dependency>
+    </dependencies>
+
+</project>
\ No newline at end of file

http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/f68377ec/gateway-service-tgs/src/main/java/org/apache/hadoop/gateway/tgs/TGSDeploymentContributor.java
----------------------------------------------------------------------
diff --git a/gateway-service-tgs/src/main/java/org/apache/hadoop/gateway/tgs/TGSDeploymentContributor.java
b/gateway-service-tgs/src/main/java/org/apache/hadoop/gateway/tgs/TGSDeploymentContributor.java
new file mode 100644
index 0000000..e2ac618
--- /dev/null
+++ b/gateway-service-tgs/src/main/java/org/apache/hadoop/gateway/tgs/TGSDeploymentContributor.java
@@ -0,0 +1,58 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.gateway.tgs;
+
+import org.apache.hadoop.gateway.deploy.DeploymentContext;
+import org.apache.hadoop.gateway.deploy.ServiceDeploymentContributorBase;
+import org.apache.hadoop.gateway.descriptor.ResourceDescriptor;
+import org.apache.hadoop.gateway.filter.rewrite.api.UrlRewriteRuleDescriptor;
+import org.apache.hadoop.gateway.filter.rewrite.api.UrlRewriteRulesDescriptor;
+import org.apache.hadoop.gateway.filter.rewrite.ext.UrlRewriteActionRewriteDescriptorExt;
+import org.apache.hadoop.gateway.topology.Service;
+
+import java.net.URISyntaxException;
+
+public class TGSDeploymentContributor extends ServiceDeploymentContributorBase {
+
+  private static final String TGS_EXTERNAL_PATH = "/tgs/api/v1";
+
+  @Override
+  public String getRole() {
+    return "TGS";
+  }
+
+  @Override
+  public String getName() {
+    return "tgs";
+  }
+
+  @Override
+  public void contributeService( DeploymentContext context, Service service ) throws URISyntaxException
{
+    ResourceDescriptor resource = context.getGatewayDescriptor().addResource();
+    resource.role( service.getRole() );
+    resource.pattern( TGS_EXTERNAL_PATH + "/accesstoken");
+    if (topologyContainsProviderType(context, "authentication")) {
+      context.contributeFilter( service, resource, "authentication", null, null );
+    }
+    if (topologyContainsProviderType(context, "federation")) {
+      context.contributeFilter( service, resource, "federation", null, null );
+    }
+    context.contributeFilter( service, resource, "identity-assertion", null, null );
+  }
+
+}
\ No newline at end of file

http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/f68377ec/gateway-service-tgs/src/main/resources/META-INF/services/org.apache.hadoop.gateway.deploy.ServiceDeploymentContributor
----------------------------------------------------------------------
diff --git a/gateway-service-tgs/src/main/resources/META-INF/services/org.apache.hadoop.gateway.deploy.ServiceDeploymentContributor
b/gateway-service-tgs/src/main/resources/META-INF/services/org.apache.hadoop.gateway.deploy.ServiceDeploymentContributor
new file mode 100644
index 0000000..91ba8fc
--- /dev/null
+++ b/gateway-service-tgs/src/main/resources/META-INF/services/org.apache.hadoop.gateway.deploy.ServiceDeploymentContributor
@@ -0,0 +1,19 @@
+##########################################################################
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+##########################################################################
+
+org.apache.hadoop.gateway.tgs.TGSDeploymentContributor
\ No newline at end of file

http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/f68377ec/pom.xml
----------------------------------------------------------------------
diff --git a/pom.xml b/pom.xml
index eb8124a..0dcc310 100644
--- a/pom.xml
+++ b/pom.xml
@@ -45,9 +45,11 @@
         <module>gateway-provider-security-jwt</module>
         <module>gateway-provider-security-shiro</module>
         <module>gateway-provider-identity-assertion-pseudo</module>
+        <module>gateway-service-as</module>
         <module>gateway-service-hdfs</module>
-        <module>gateway-service-templeton</module>
         <module>gateway-service-oozie</module>
+        <module>gateway-service-templeton</module>
+        <module>gateway-service-tgs</module>
         <module>gateway-server</module>
         <module>gateway-server-launcher</module>
         <module>gateway-shell</module>
@@ -326,6 +328,16 @@
             </dependency>
             <dependency>
                 <groupId>${gateway-group}</groupId>
+                <artifactId>gateway-service-tgs</artifactId>
+                <version>${gateway-version}</version>
+            </dependency>
+            <dependency>
+                <groupId>${gateway-group}</groupId>
+                <artifactId>gateway-service-as</artifactId>
+                <version>${gateway-version}</version>
+            </dependency>
+            <dependency>
+                <groupId>${gateway-group}</groupId>
                 <artifactId>gateway-service-hdfs</artifactId>
                 <version>${gateway-version}</version>
             </dependency>


Mime
View raw message