Remove obsolete isExcluded config from Kerberos authenticator (#7745)
parent
daf20b4b86
commit
ec4d09a02f
|
@ -54,13 +54,16 @@ The configuration examples in the rest of this document will use "kerberos" as t
|
|||
|`druid.auth.authenticator.kerberos.serverPrincipal`|`HTTP/_HOST@EXAMPLE.COM`| SPNego service principal used by druid processes|empty|Yes|
|
||||
|`druid.auth.authenticator.kerberos.serverKeytab`|`/etc/security/keytabs/spnego.service.keytab`|SPNego service keytab used by druid processes|empty|Yes|
|
||||
|`druid.auth.authenticator.kerberos.authToLocal`|`RULE:[1:$1@$0](druid@EXAMPLE.COM)s/.*/druid DEFAULT`|It allows you to set a general rule for mapping principal names to local user names. It will be used if there is not an explicit mapping for the principal name that is being translated.|DEFAULT|No|
|
||||
|`druid.auth.authenticator.kerberos.excludedPaths`|`['/status','/health']`| Array of HTTP paths which which does NOT need to be authenticated.|None|No|
|
||||
|`druid.auth.authenticator.kerberos.cookieSignatureSecret`|`secretString`| Secret used to sign authentication cookies. It is advisable to explicitly set it, if you have multiple druid ndoes running on same machine with different ports as the Cookie Specification does not guarantee isolation by port.|<Random value>|No|
|
||||
|`druid.auth.authenticator.kerberos.authorizerName`|Depends on available authorizers|Authorizer that requests should be directed to|Empty|Yes|
|
||||
|
||||
As a note, it is required that the SPNego principal in use by the druid processes must start with HTTP (This specified by [RFC-4559](https://tools.ietf.org/html/rfc4559)) and must be of the form "HTTP/_HOST@REALM".
|
||||
The special string _HOST will be replaced automatically with the value of config `druid.host`
|
||||
|
||||
### `druid.auth.authenticator.kerberos.excludedPaths`
|
||||
|
||||
In older releases, the Kerberos authenticator had an `excludedPaths` property that allowed the user to specify a list of paths where authentication checks should be skipped. This property has been removed from the Kerberos authenticator because the path exclusion functionality is now handled across all authenticators/authorizers by setting `druid.auth.unsecuredPaths`, as described in the [main auth documentation](../../design/auth.html).
|
||||
|
||||
### Auth to Local Syntax
|
||||
`druid.auth.authenticator.kerberos.authToLocal` allows you to set a general rules for mapping principal names to local user names.
|
||||
The syntax for mapping rules is `RULE:\[n:string](regexp)s/pattern/replacement/g`. The integer n indicates how many components the target principal should have. If this matches, then a string will be formed from string, substituting the realm of the principal for $0 and the n‘th component of the principal for $n. e.g. if the principal was druid/admin then `\[2:$2$1suffix]` would result in the string `admindruidsuffix`.
|
||||
|
|
|
@ -66,19 +66,16 @@ import java.io.IOException;
|
|||
import java.net.HttpCookie;
|
||||
import java.security.Principal;
|
||||
import java.text.SimpleDateFormat;
|
||||
import java.util.Collections;
|
||||
import java.util.Date;
|
||||
import java.util.EnumSet;
|
||||
import java.util.HashMap;
|
||||
import java.util.HashSet;
|
||||
import java.util.List;
|
||||
import java.util.Locale;
|
||||
import java.util.Map;
|
||||
import java.util.Properties;
|
||||
import java.util.Set;
|
||||
import java.util.TimeZone;
|
||||
import java.util.concurrent.ThreadLocalRandom;
|
||||
import java.util.regex.Pattern;
|
||||
import java.util.stream.Collectors;
|
||||
|
||||
|
||||
|
@ -86,15 +83,11 @@ import java.util.stream.Collectors;
|
|||
public class KerberosAuthenticator implements Authenticator
|
||||
{
|
||||
private static final Logger log = new Logger(KerberosAuthenticator.class);
|
||||
private static final Pattern HADOOP_AUTH_COOKIE_REGEX = Pattern.compile(".*p=(\\S+)&t=.*");
|
||||
public static final List<String> DEFAULT_EXCLUDED_PATHS = Collections.emptyList();
|
||||
public static final String SIGNED_TOKEN_ATTRIBUTE = "signedToken";
|
||||
|
||||
private final DruidNode node;
|
||||
private final String serverPrincipal;
|
||||
private final String serverKeytab;
|
||||
private final String authToLocal;
|
||||
private final List<String> excludedPaths;
|
||||
private final String cookieSignatureSecret;
|
||||
private final String authorizerName;
|
||||
private final String name;
|
||||
|
@ -105,17 +98,14 @@ public class KerberosAuthenticator implements Authenticator
|
|||
@JsonProperty("serverPrincipal") String serverPrincipal,
|
||||
@JsonProperty("serverKeytab") String serverKeytab,
|
||||
@JsonProperty("authToLocal") String authToLocal,
|
||||
@JsonProperty("excludedPaths") List<String> excludedPaths,
|
||||
@JsonProperty("cookieSignatureSecret") String cookieSignatureSecret,
|
||||
@JsonProperty("authorizerName") String authorizerName,
|
||||
@JsonProperty("name") String name,
|
||||
@JacksonInject @Self DruidNode node
|
||||
)
|
||||
{
|
||||
this.node = node;
|
||||
this.serverKeytab = serverKeytab;
|
||||
this.authToLocal = authToLocal == null ? "DEFAULT" : authToLocal;
|
||||
this.excludedPaths = excludedPaths == null ? DEFAULT_EXCLUDED_PATHS : excludedPaths;
|
||||
this.cookieSignatureSecret = cookieSignatureSecret;
|
||||
this.authorizerName = authorizerName;
|
||||
this.name = Preconditions.checkNotNull(name);
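Review bot: Removing the `excludedPaths` constructor property means a deployment that still sets `druid.auth.authenticator.kerberos.excludedPaths` will either fail to start or have the value silently ignored, depending on whether the ObjectMapper that builds authenticators rejects unknown properties, which is not visible in this hunk. Silent ignoring is the fail-closed direction (paths that were previously skipped now go through SPNEGO), so it is safe, but operators lose the signal that health-check exclusions must be migrated to `druid.auth.unsecuredPaths`. Consider keeping the property for one release as a rejected parameter: `@JsonProperty("excludedPaths") List<String> excludedPaths,` in the signature and `Preconditions.checkArgument(excludedPaths == null, "excludedPaths is no longer supported; use druid.auth.unsecuredPaths");` in the body, which would require keeping the `java.util.List` import this commit drops. The constructor's signature begins above this hunk.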
|
||||
|
@ -232,14 +222,8 @@ public class KerberosAuthenticator implements Authenticator
|
|||
initializeKerberosLogin();
|
||||
}
|
||||
|
||||
// Checking for excluded paths is Druid-specific, not from hadoop-auth
|
||||
String path = ((HttpServletRequest) request).getRequestURI();
|
||||
if (isExcluded(path)) {
|
||||
filterChain.doFilter(request, response);
|
||||
} else {
|
||||
// Run the original doFilter method, but with modifications to error handling
|
||||
doFilterSuper(request, response, filterChain);
|
||||
}
|
||||
// Run the original doFilter method, but with modifications to error handling
|
||||
doFilterSuper(request, response, filterChain);
|
||||
}
|
||||
|
||||
|
||||
|
@ -427,16 +411,6 @@ public class KerberosAuthenticator implements Authenticator
|
|||
throw new UnsupportedOperationException("JDBC Kerberos auth not supported yet");
|
||||
}
|
||||
|
||||
private boolean isExcluded(String path)
|
||||
{
|
||||
for (String excluded : excludedPaths) {
|
||||
if (path.startsWith(excluded)) {
|
||||
return true;
|
||||
}
|
||||
}
|
||||
return false;
|
||||
}
|
||||
|
||||
@Override
|
||||
public void decorateProxyRequest(
|
||||
HttpServletRequest clientRequest,
|
||||
|
|