Remove Escalator jetty http client escalation method (#5322)

Jonathan Wei 2018-02-02 10:43:02 -08:00 committed by Himanshu
parent 7e02408510
commit c9e7c0a817
7 changed files with 19 additions and 155 deletions


@ -22,21 +22,11 @@ package io.druid.security.basic.authentication;
import com.fasterxml.jackson.annotation.JsonCreator;
import com.fasterxml.jackson.annotation.JsonProperty;
import com.fasterxml.jackson.annotation.JsonTypeName;
import com.google.common.base.Throwables;
import io.druid.java.util.http.client.CredentialedHttpClient;
import io.druid.java.util.http.client.HttpClient;
import io.druid.java.util.http.client.auth.BasicCredentials;
import io.druid.java.util.common.StringUtils;
import io.druid.security.basic.BasicAuthUtils;
import io.druid.server.security.AuthenticationResult;
import io.druid.server.security.Escalator;
import org.eclipse.jetty.client.api.Authentication;
import org.eclipse.jetty.client.api.ContentResponse;
import org.eclipse.jetty.client.api.Request;
import org.eclipse.jetty.util.Attributes;
import org.jboss.netty.handler.codec.http.HttpHeaders;
import java.net.URI;
@JsonTypeName("basic")
public class BasicHTTPEscalator implements Escalator
@ -66,48 +56,6 @@ public class BasicHTTPEscalator implements Escalator
);
}
@Override
public org.eclipse.jetty.client.HttpClient createEscalatedJettyClient(org.eclipse.jetty.client.HttpClient baseClient)
{
baseClient.getAuthenticationStore().addAuthentication(new Authentication()
{
@Override
public boolean matches(String type, URI uri, String realm)
{
return true;
}
@Override
public Result authenticate(
final Request request, ContentResponse response, Authentication.HeaderInfo headerInfo, Attributes context
)
{
return new Result()
{
@Override
public URI getURI()
{
return request.getURI();
}
@Override
public void apply(Request request)
{
try {
final String unencodedCreds = StringUtils.format("%s:%s", internalClientUsername, internalClientPassword);
final String base64Creds = BasicAuthUtils.getEncodedCredentials(unencodedCreds);
request.getHeaders().add(HttpHeaders.Names.AUTHORIZATION, "Basic " + base64Creds);
}
catch (Throwable e) {
Throwables.propagate(e);
}
}
};
}
});
return baseClient;
}
@Override
public AuthenticationResult createEscalatedAuthenticationResult()
{


@ -22,20 +22,10 @@ package io.druid.security.kerberos;
import com.fasterxml.jackson.annotation.JsonCreator;
import com.fasterxml.jackson.annotation.JsonProperty;
import com.fasterxml.jackson.annotation.JsonTypeName;
import com.google.common.base.Throwables;
import io.druid.java.util.http.client.HttpClient;
import io.druid.java.util.common.logger.Logger;
import io.druid.server.security.AuthenticationResult;
import io.druid.server.security.Escalator;
import org.apache.hadoop.security.UserGroupInformation;
import org.eclipse.jetty.client.api.Authentication;
import org.eclipse.jetty.client.api.ContentResponse;
import org.eclipse.jetty.client.api.Request;
import org.eclipse.jetty.util.Attributes;
import org.jboss.netty.handler.codec.http.HttpHeaders;
import java.net.URI;
import java.security.PrivilegedExceptionAction;
@JsonTypeName("kerberos")
public class KerberosEscalator implements Escalator
@ -64,68 +54,6 @@ public class KerberosEscalator implements Escalator
return new KerberosHttpClient(baseClient, internalClientPrincipal, internalClientKeytab);
}
@Override
public org.eclipse.jetty.client.HttpClient createEscalatedJettyClient(org.eclipse.jetty.client.HttpClient baseClient)
{
baseClient.getAuthenticationStore().addAuthentication(new Authentication()
{
@Override
public boolean matches(String type, URI uri, String realm)
{
return true;
}
@Override
public Result authenticate(
final Request request, ContentResponse response, Authentication.HeaderInfo headerInfo, Attributes context
)
{
return new Result()
{
@Override
public URI getURI()
{
return request.getURI();
}
@Override
public void apply(Request request)
{
try {
// No need to set cookies as they are handled by Jetty Http Client itself.
URI uri = request.getURI();
if (DruidKerberosUtil.needToSendCredentials(baseClient.getCookieStore(), uri)) {
log.debug(
"No Auth Cookie found for URI[%s]. Existing Cookies[%s] Authenticating... ",
uri,
baseClient.getCookieStore().getCookies()
);
final String host = request.getHost();
DruidKerberosUtil.authenticateIfRequired(internalClientPrincipal, internalClientKeytab);
UserGroupInformation currentUser = UserGroupInformation.getCurrentUser();
String challenge = currentUser.doAs(new PrivilegedExceptionAction<String>()
{
@Override
public String run() throws Exception
{
return DruidKerberosUtil.kerberosChallenge(host);
}
});
request.getHeaders().add(HttpHeaders.Names.AUTHORIZATION, "Negotiate " + challenge);
} else {
log.debug("Found Auth Cookie found for URI[%s].", uri);
}
}
catch (Throwable e) {
Throwables.propagate(e);
}
}
};
}
});
return baseClient;
}
@Override
public AuthenticationResult createEscalatedAuthenticationResult()
{


@ -44,7 +44,6 @@ import io.druid.server.metrics.QueryCountStatsProvider;
import io.druid.server.router.QueryHostFinder;
import io.druid.server.router.Router;
import io.druid.server.security.AuthConfig;
import io.druid.server.security.Escalator;
import org.apache.http.client.utils.URIBuilder;
import org.eclipse.jetty.client.HttpClient;
import org.eclipse.jetty.client.api.Request;
@ -112,7 +111,6 @@ public class AsyncQueryForwardingServlet extends AsyncProxyServlet implements Qu
private final ServiceEmitter emitter;
private final RequestLogger requestLogger;
private final GenericQueryMetricsFactory queryMetricsFactory;
private final Escalator escalator;
private HttpClient broadcastClient;
@ -126,8 +124,7 @@ public class AsyncQueryForwardingServlet extends AsyncProxyServlet implements Qu
@Router DruidHttpClientConfig httpClientConfig,
ServiceEmitter emitter,
RequestLogger requestLogger,
GenericQueryMetricsFactory queryMetricsFactory,
Escalator escalator
GenericQueryMetricsFactory queryMetricsFactory
)
{
this.warehouse = warehouse;
@ -139,7 +136,6 @@ public class AsyncQueryForwardingServlet extends AsyncProxyServlet implements Qu
this.emitter = emitter;
this.requestLogger = requestLogger;
this.queryMetricsFactory = queryMetricsFactory;
this.escalator = escalator;
}
@Override
@ -213,11 +209,14 @@ public class AsyncQueryForwardingServlet extends AsyncProxyServlet implements Qu
);
}
};
broadcastClient
Request broadcastReq = broadcastClient
.newRequest(rewriteURI(request, server.getScheme(), server.getHost()))
.method(HttpMethod.DELETE)
.timeout(CANCELLATION_TIMEOUT_MILLIS, TimeUnit.MILLISECONDS)
.send(completeListener);
.timeout(CANCELLATION_TIMEOUT_MILLIS, TimeUnit.MILLISECONDS);
copyRequestHeaders(request, broadcastReq);
broadcastReq.send(completeListener);
}
interruptedQueryCount.incrementAndGet();
}
@ -347,7 +346,7 @@ public class AsyncQueryForwardingServlet extends AsyncProxyServlet implements Qu
@Override
protected HttpClient newHttpClient()
{
return escalator.createEscalatedJettyClient(httpClientProvider.get());
return httpClientProvider.get();
}
@Override
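Review bot: The cancellation broadcast in the `-213,11 +209,14` hunk now forwards the caller's own headers through `copyRequestHeaders(request, broadcastReq)`, but nothing at the call site explains why and no test on this page covers it. Because `newHttpClient()` no longer wraps the client with the escalator, downstream servers will presumably authorize proxied queries and this DELETE as the end user rather than as the internal system user; it also means the caller's `Authorization` and cookie headers go to each server the broadcast targets. I would add a comment above the call, such as `// Forward the caller's credentials so each broker authorizes the cancel as the original user, not as the router.` The test change shown only drops the `NoopEscalator` argument, so an assertion that the broadcast request carries the client's `Authorization` header would guard against a regression to unauthenticated or escalated cancels. The enclosing method starts and ends outside the hunk.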


@ -95,11 +95,20 @@ public class AuthorizerMapperModule implements DruidModule
// Default is allow all
if (authorizers == null) {
AllowAllAuthorizer allowAllAuthorizer = new AllowAllAuthorizer();
authorizerMap.put(AuthConfig.ALLOW_ALL_NAME, allowAllAuthorizer);
return new AuthorizerMapper(null) {
@Override
public Authorizer getAuthorizer(String name)
{
return new AllowAllAuthorizer();
return allowAllAuthorizer;
}
@Override
public Map<String, Authorizer> getAuthorizerMap()
{
return authorizerMap;
}
};
}
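Review bot: In the `authorizers == null` branch, `getAuthorizer(String name)` returns the allow-all authorizer for any name, while the new `getAuthorizerMap()` exposes only the `AuthConfig.ALLOW_ALL_NAME` entry, so the two views of the mapper disagree and the fail-open default is undocumented. A caller that checks a configured authorizer name against the map would reject a name that `getAuthorizer` resolves, and a misspelled name passed to `getAuthorizer` is silently granted allow-all. I would state this on the branch, e.g. `// Fail-open: with no authorizers configured, every authorizer name resolves to AllowAllAuthorizer.` I would also consider `return Collections.unmodifiableMap(authorizerMap);`, since `authorizerMap` is declared outside the hunk and appears to be handed to callers as a mutable map.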


@ -46,18 +46,6 @@ public interface Escalator
*/
HttpClient createEscalatedClient(HttpClient baseClient);
/**
* Return a client that sends requests with the format/information necessary to authenticate successfully
* against this Authenticator's authentication scheme using the identity of the internal system user.
* <p>
* This HTTP client is used by the Druid Router node.
*
* @param baseClient Base Jetty HttpClient
*
* @return Jetty HttpClient that sends requests with the credentials of the internal system user
*/
org.eclipse.jetty.client.HttpClient createEscalatedJettyClient(org.eclipse.jetty.client.HttpClient baseClient);
/**
* @return an AuthenticationResult representing the identity of the internal system user.
*/


@ -29,12 +29,6 @@ public class NoopEscalator implements Escalator
return baseClient;
}
@Override
public org.eclipse.jetty.client.HttpClient createEscalatedJettyClient(org.eclipse.jetty.client.HttpClient baseClient)
{
return baseClient;
}
@Override
public AuthenticationResult createEscalatedAuthenticationResult()
{


@ -54,7 +54,6 @@ import io.druid.server.router.RendezvousHashAvaticaConnectionBalancer;
import io.druid.server.security.AllowAllAuthorizer;
import io.druid.server.security.Authorizer;
import io.druid.server.security.AuthorizerMapper;
import io.druid.server.security.NoopEscalator;
import org.eclipse.jetty.client.HttpClient;
import org.eclipse.jetty.server.Handler;
import org.eclipse.jetty.server.Server;
@ -252,8 +251,7 @@ public class AsyncQueryForwardingServletTest extends BaseJettyTest
// noop
}
},
new DefaultGenericQueryMetricsFactory(jsonMapper),
new NoopEscalator()
new DefaultGenericQueryMetricsFactory(jsonMapper)
)
{
@Override