HDDS-643. Parse Authorization header in a separate filter. Contributed by Bharat Viswanadham.

This commit is contained in:
Márton Elek 2018-10-25 12:45:53 +02:00
parent 97bd49fc36
commit 23887129cd
7 changed files with 115 additions and 52 deletions

View File

@ -34,6 +34,7 @@ import java.util.Arrays;
import com.google.common.annotations.VisibleForTesting;
import org.apache.hadoop.fs.InvalidRequestException;
import org.apache.hadoop.hdds.conf.OzoneConfiguration;
import org.apache.hadoop.ozone.s3.header.AuthenticationHeaderParser;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@ -52,11 +53,18 @@ public class VirtualHostStyleFilter implements ContainerRequestFilter {
@Inject
private OzoneConfiguration conf;
@Inject
private AuthenticationHeaderParser authenticationHeaderParser;
private String[] domains;
@Override
public void filter(ContainerRequestContext requestContext) throws
IOException {
authenticationHeaderParser.setAuthHeader(requestContext.getHeaderString(
HttpHeaders.AUTHORIZATION));
domains = conf.getTrimmedStrings(OZONE_S3G_DOMAIN_NAME);
if (domains.length == 0) {
@ -140,4 +148,9 @@ public class VirtualHostStyleFilter implements ContainerRequestFilter {
return match;
}
@VisibleForTesting
public void setAuthenticationHeaderParser(AuthenticationHeaderParser parser) {
this.authenticationHeaderParser = parser;
}
}

View File

@ -36,7 +36,6 @@ import java.io.IOException;
import java.io.InputStream;
import java.time.Instant;
import java.util.Iterator;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response.ResponseBuilder;
import org.apache.hadoop.ozone.client.OzoneBucket;
@ -151,7 +150,7 @@ public class BucketEndpoint extends EndpointBase {
public Response put(@PathParam("bucket") String bucketName, @Context
HttpHeaders httpHeaders) throws IOException, OS3Exception {
String userName = parseUsername(httpHeaders);
String userName = getAuthenticationHeaderParser().getAccessKeyID();
String location = createS3Bucket(userName, bucketName);

View File

@ -19,8 +19,6 @@ package org.apache.hadoop.ozone.s3.endpoint;
import javax.inject.Inject;
import javax.ws.rs.NotFoundException;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.HttpHeaders;
import java.io.IOException;
import org.apache.hadoop.ozone.client.OzoneBucket;
@ -28,8 +26,7 @@ import org.apache.hadoop.ozone.client.OzoneClient;
import org.apache.hadoop.ozone.client.OzoneVolume;
import org.apache.hadoop.ozone.s3.exception.OS3Exception;
import org.apache.hadoop.ozone.s3.exception.S3ErrorTable;
import org.apache.hadoop.ozone.s3.header.AuthorizationHeaderV2;
import org.apache.hadoop.ozone.s3.header.AuthorizationHeaderV4;
import org.apache.hadoop.ozone.s3.header.AuthenticationHeaderParser;
import com.google.common.annotations.VisibleForTesting;
import org.slf4j.Logger;
@ -46,6 +43,9 @@ public class EndpointBase {
@Inject
private OzoneClient client;
@Inject
private AuthenticationHeaderParser authenticationHeaderParser;
protected OzoneBucket getBucket(String volumeName, String bucketName)
throws IOException {
return getVolume(volumeName).getBucket(bucketName);
@ -172,43 +172,17 @@ public class EndpointBase {
return client.getObjectStore().getOzoneBucketName(s3BucketName);
}
/**
* Retrieve the username based on the authorization header.
*
* @param httpHeaders
* @return Identified username
* @throws OS3Exception
*/
public String parseUsername(
@Context HttpHeaders httpHeaders) throws OS3Exception {
String auth = httpHeaders.getHeaderString("Authorization");
LOG.info("Auth header string {}", auth);
public AuthenticationHeaderParser getAuthenticationHeaderParser() {
return authenticationHeaderParser;
}
if (auth == null) {
// In this case, adding resource as Authorization, need to revisit in
// future if it needs to be changed.
throw S3ErrorTable
.newError(S3ErrorTable.MALFORMED_HEADER, "Authorization");
}
String userName;
if (auth.startsWith("AWS4")) {
LOG.info("V4 Header {}", auth);
AuthorizationHeaderV4 authorizationHeader = new AuthorizationHeaderV4(
auth);
userName = authorizationHeader.getAccessKeyID().toLowerCase();
} else {
LOG.info("V2 Header {}", auth);
AuthorizationHeaderV2 authorizationHeader = new AuthorizationHeaderV2(
auth);
userName = authorizationHeader.getAccessKeyID().toLowerCase();
}
return userName;
@VisibleForTesting
public void setAuthenticationHeaderParser(AuthenticationHeaderParser parser) {
this.authenticationHeaderParser = parser;
}
@VisibleForTesting
public void setClient(OzoneClient ozoneClient) {
this.client = ozoneClient;
}
}

View File

@ -20,8 +20,6 @@ package org.apache.hadoop.ozone.s3.endpoint;
import javax.ws.rs.GET;
import javax.ws.rs.NotFoundException;
import javax.ws.rs.Path;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.HttpHeaders;
import java.io.IOException;
import java.time.Instant;
import java.util.Iterator;
@ -50,12 +48,12 @@ public class RootEndpoint extends EndpointBase {
* for more details.
*/
@GET
public ListBucketResponse get(@Context HttpHeaders headers)
public ListBucketResponse get()
throws OS3Exception, IOException {
OzoneVolume volume;
ListBucketResponse response = new ListBucketResponse();
String volumeName = "s3" + parseUsername(headers).toLowerCase();
String volumeName = "s3" + getAuthenticationHeaderParser().getAccessKeyID();
try {
//TODO: we need a specific s3bucketlist endpoint instead
// of reimplement the naming convention here

View File

@ -0,0 +1,61 @@
/**
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.apache.hadoop.ozone.s3.header;
import org.apache.hadoop.ozone.s3.exception.OS3Exception;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import javax.enterprise.context.RequestScoped;
/**
* Authentication Header parser to parse HttpHeader Authentication.
*/
@RequestScoped
public class AuthenticationHeaderParser {
private final static Logger LOG = LoggerFactory.getLogger(
AuthenticationHeaderParser.class);
private String authHeader;
private String accessKeyID;
public void parse() throws OS3Exception {
if (authHeader.startsWith("AWS4")) {
LOG.debug("V4 Header {}", authHeader);
AuthorizationHeaderV4 authorizationHeader = new AuthorizationHeaderV4(
authHeader);
accessKeyID = authorizationHeader.getAccessKeyID().toLowerCase();
} else {
LOG.debug("V2 Header {}", authHeader);
AuthorizationHeaderV2 authorizationHeader = new AuthorizationHeaderV2(
authHeader);
accessKeyID = authorizationHeader.getAccessKeyID().toLowerCase();
}
}
public String getAccessKeyID() throws OS3Exception {
parse();
return accessKeyID;
}
public void setAuthHeader(String header) {
this.authHeader = header;
}
}

View File

@ -19,6 +19,7 @@ package org.apache.hadoop.ozone.s3;
import org.apache.hadoop.fs.InvalidRequestException;
import org.apache.hadoop.hdds.conf.OzoneConfiguration;
import org.apache.hadoop.ozone.s3.header.AuthenticationHeaderParser;
import org.apache.hadoop.test.GenericTestUtils;
import org.glassfish.jersey.internal.PropertiesDelegate;
import org.glassfish.jersey.server.ContainerRequest;
@ -41,6 +42,7 @@ public class TestVirtualHostStyleFilter {
private static OzoneConfiguration conf;
private static String s3HttpAddr;
private AuthenticationHeaderParser authenticationHeaderParser;
@Before
public void setup() {
@ -48,6 +50,8 @@ public class TestVirtualHostStyleFilter {
s3HttpAddr = "localhost:9878";
conf.set(S3GatewayConfigKeys.OZONE_S3G_HTTP_ADDRESS_KEY, s3HttpAddr);
conf.set(S3GatewayConfigKeys.OZONE_S3G_DOMAIN_NAME, s3HttpAddr);
authenticationHeaderParser = new AuthenticationHeaderParser();
authenticationHeaderParser.setAuthHeader("AWS ozone:scret");
}
/**
@ -99,6 +103,8 @@ public class TestVirtualHostStyleFilter {
VirtualHostStyleFilter virtualHostStyleFilter =
new VirtualHostStyleFilter();
virtualHostStyleFilter.setConfiguration(conf);
virtualHostStyleFilter.setAuthenticationHeaderParser(
authenticationHeaderParser);
ContainerRequest containerRequest = createContainerRequest("mybucket" +
".localhost:9878", "/myfile", null, true);
@ -114,6 +120,8 @@ public class TestVirtualHostStyleFilter {
VirtualHostStyleFilter virtualHostStyleFilter =
new VirtualHostStyleFilter();
virtualHostStyleFilter.setConfiguration(conf);
virtualHostStyleFilter.setAuthenticationHeaderParser(
authenticationHeaderParser);
ContainerRequest containerRequest = createContainerRequest(s3HttpAddr,
"/mybucket/myfile", null, false);
@ -130,6 +138,8 @@ public class TestVirtualHostStyleFilter {
VirtualHostStyleFilter virtualHostStyleFilter =
new VirtualHostStyleFilter();
virtualHostStyleFilter.setConfiguration(conf);
virtualHostStyleFilter.setAuthenticationHeaderParser(
authenticationHeaderParser);
ContainerRequest containerRequest = createContainerRequest("mybucket" +
".localhost:9878", null, null, true);
@ -145,6 +155,8 @@ public class TestVirtualHostStyleFilter {
VirtualHostStyleFilter virtualHostStyleFilter =
new VirtualHostStyleFilter();
virtualHostStyleFilter.setConfiguration(conf);
virtualHostStyleFilter.setAuthenticationHeaderParser(
authenticationHeaderParser);
ContainerRequest containerRequest = createContainerRequest("mybucket" +
".localhost:9878", null, "?prefix=bh", true);
@ -169,6 +181,8 @@ public class TestVirtualHostStyleFilter {
VirtualHostStyleFilter virtualHostStyleFilter =
new VirtualHostStyleFilter();
virtualHostStyleFilter.setConfiguration(conf);
virtualHostStyleFilter.setAuthenticationHeaderParser(
authenticationHeaderParser);
ContainerRequest containerRequest = createContainerRequest("mybucket" +
".localhost:9999", null, null, true);
@ -187,6 +201,8 @@ public class TestVirtualHostStyleFilter {
VirtualHostStyleFilter virtualHostStyleFilter =
new VirtualHostStyleFilter();
virtualHostStyleFilter.setConfiguration(conf);
virtualHostStyleFilter.setAuthenticationHeaderParser(
authenticationHeaderParser);
ContainerRequest containerRequest = createContainerRequest("mybucket" +
"localhost:9878", null, null, true);

View File

@ -20,7 +20,6 @@
package org.apache.hadoop.ozone.s3.endpoint;
import javax.ws.rs.core.HttpHeaders;
import org.apache.hadoop.ozone.client.ObjectStore;
import org.apache.hadoop.ozone.client.OzoneClientStub;
@ -28,21 +27,21 @@ import org.apache.hadoop.ozone.client.OzoneVolume;
import org.apache.commons.lang3.RandomStringUtils;
import static org.junit.Assert.assertEquals;
import org.apache.hadoop.ozone.s3.header.AuthenticationHeaderParser;
import org.junit.Before;
import org.junit.Test;
import org.mockito.Mockito;
import static org.mockito.Mockito.when;
/**
* This class test HeadBucket functionality.
*/
public class TestRootList {
private String volumeName = "vol1";
private OzoneClientStub clientStub;
private ObjectStore objectStoreStub;
private OzoneVolume volumeStub;
private RootEndpoint rootEndpoint;
private String userName = "ozone";
@Before
public void setup() throws Exception {
@ -50,21 +49,24 @@ public class TestRootList {
//Create client stub and object store stub.
clientStub = new OzoneClientStub();
objectStoreStub = clientStub.getObjectStore();
objectStoreStub.createVolume("s3key");
volumeStub = objectStoreStub.getVolume("s3key");
String volumeName = "s3" + userName;
objectStoreStub.createVolume(volumeName);
volumeStub = objectStoreStub.getVolume(volumeName);
// Create HeadBucket and setClient to OzoneClientStub
rootEndpoint = new RootEndpoint();
rootEndpoint.setClient(clientStub);
AuthenticationHeaderParser parser = new AuthenticationHeaderParser();
parser.setAuthHeader("AWS " + userName +":secret");
rootEndpoint.setAuthenticationHeaderParser(parser);
}
@Test
public void testListBucket() throws Exception {
HttpHeaders headers = Mockito.mock(HttpHeaders.class);
when(headers.getHeaderString("Authorization")).thenReturn("AWS key:secret");
// List operation should success even there is no bucket.
ListBucketResponse response = rootEndpoint.get(headers);
ListBucketResponse response = rootEndpoint.get();
assertEquals(0, response.getBucketsNum());
String bucketBaseName = "bucket-";
@ -72,7 +74,7 @@ public class TestRootList {
volumeStub.createBucket(
bucketBaseName + RandomStringUtils.randomNumeric(3));
}
response = rootEndpoint.get(headers);
response = rootEndpoint.get();
assertEquals(10, response.getBucketsNum());
}