YARN-8530. Add SPNEGO filter to application catalog. Contributed by Eric Yang

hadoop-yarn-project/hadoop-yarn/hadoop-yarn-applications/hadoop-yarn-applications-catalog/hadoop-yarn-applications-catalog-docker/src/main/scripts/entrypoint.sh

@@ -42,4 +42,15 @@ if [ -e "$KEYTAB" ]; then
   export JAVA_OPTS="$JAVA_OPTS -Djava.security.auth.login.config=/etc/tomcat/jaas.config -Djava.security.krb5.conf=/etc/krb5.conf -Djavax.security.auth.useSubjectCredsOnly=false"
   template_generator /etc/tomcat/jaas.config.template /etc/tomcat/jaas.config
 fi
+if [ -e "$SPNEGO_KEYTAB" ]; then
+  sed -i.bak 's/authentication.type=.*$/authentication.type=kerberos/g' /etc/tomcat/catalina.properties
+  sed -i.bak 's/simple.anonymous.allowed=.*$/simple.anonymous.allowed=false/g' /etc/tomcat/catalina.properties
+  if [ -z "$SPNEGO_PRINCIPAL" ]; then
+    echo "kerberos.principal=HTTP/$HOSTNAME" >> /etc/tomcat/catalina.properties
+  else
+    echo "kerberos.principal=$SPNEGO_PRINCIPAL" >> /etc/tomcat/catalina.properties
+  fi
+  echo "kerberos.keytab=$SPNEGO_KEYTAB" >> /etc/tomcat/catalina.properties
+  echo "hostname=$HOSTNAME" >> /etc/tomcat/catalina.properties
+fi
 /usr/libexec/tomcat/server start

hadoop-yarn-project/hadoop-yarn/hadoop-yarn-applications/hadoop-yarn-applications-catalog/hadoop-yarn-applications-catalog-docker/src/main/scripts/setup-image.sh

@@ -19,3 +19,8 @@ mkdir -p /etc/hadoop
 mkdir -p /opt/apache/solr/server/logs
 chmod -R 777 /opt/apache/solr/server/logs /var/log/tomcat /var/cache/tomcat /var/lib/tomcat/webapps /opt/apache/solr/server/solr
 chmod 777 /etc/tomcat
+{
+  echo "auth.filter=org.apache.hadoop.security.authentication.server.AuthenticationFilter"
+  echo "authentication.type=simple"
+  echo "simple.anonymous.allowed=true"
+} >> /etc/tomcat/catalina.properties

hadoop-yarn-project/hadoop-yarn/hadoop-yarn-applications/hadoop-yarn-applications-catalog/hadoop-yarn-applications-catalog-webapp/src/main/java/org/apache/hadoop/yarn/appcatalog/application/AppCatalogInitializer.java

@@ -0,0 +1,54 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.yarn.appcatalog.application;
+
+import java.io.IOException;
+
+import javax.servlet.ServletContextEvent;
+import javax.servlet.ServletContextListener;
+
+import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.security.HadoopKerberosName;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+/**
+ * Initialization class for setting Kerberos configuration.
+ */
+public class AppCatalogInitializer implements ServletContextListener {
+
+  static final Logger LOG = LoggerFactory.getLogger(
+      AppCatalogInitializer.class);
+
+  @Override
+  public void contextInitialized(ServletContextEvent sce) {
+    Configuration conf = new Configuration();
+    if (!HadoopKerberosName.hasRulesBeenSet()) {
+      try {
+        HadoopKerberosName.setConfiguration(conf);
+      } catch (IOException e) {
+        LOG.error("Application Catalog initialization failed:", e);
+      }
+    }
+  }
+
+  @Override
+  public void contextDestroyed(ServletContextEvent sce) {
+  }
+
+}

hadoop-yarn-project/hadoop-yarn/hadoop-yarn-applications/hadoop-yarn-applications-catalog/hadoop-yarn-applications-catalog-webapp/src/main/webapp/WEB-INF/web.xml

@@ -30,6 +30,48 @@
     </description>
     <display-name>appcatalog</display-name>
 
+    <listener>
+      <listener-class>org.apache.hadoop.yarn.appcatalog.application.AppCatalogInitializer</listener-class>
+    </listener>
+
+    <filter>
+      <filter-name>AuthFilter</filter-name>
+      <filter-class>${auth.filter}</filter-class>
+      <init-param>
+        <param-name>type</param-name>
+        <param-value>${authentication.type}</param-value>
+      </init-param>
+      <init-param>
+        <param-name>simple.anonymous.allowed</param-name>
+        <param-value>${simple.anonymous.allowed}</param-value>
+      </init-param>
+      <init-param>
+        <param-name>token.validity</param-name>
+        <param-value>30</param-value>
+      </init-param>
+      <init-param>
+        <param-name>cookie.path</param-name>
+        <param-value>/</param-value>
+      </init-param>
+      <init-param>
+        <param-name>cookie.domain</param-name>
+        <param-value>${hostname}</param-value>
+      </init-param>
+      <init-param>
+        <param-name>kerberos.principal</param-name>
+        <param-value>${kerberos.principal}</param-value>
+      </init-param>
+      <init-param>
+        <param-name>kerberos.keytab</param-name>
+        <param-value>${kerberos.keytab}</param-value>
+      </init-param>
+    </filter>
+
+    <filter-mapping>
+      <filter-name>AuthFilter</filter-name>
+      <url-pattern>/*</url-pattern>
+    </filter-mapping>
+
     <servlet>
       <servlet-name>REST_API</servlet-name>
       <servlet-class>com.sun.jersey.spi.container.servlet.ServletContainer</servlet-class>

hadoop-yarn-project/hadoop-yarn/hadoop-yarn-site/src/site/markdown/yarn-service/Examples.md

@@ -178,6 +178,16 @@ where `service-name` is user defined name.
 The deployment progress of the application catalog is located in Resource Manager UI.  When the service reaches STABLE state, application catalog UI is available at:
 http://appcatalog.${SERVICE_NAME}.${USER}.${DOMAIN}:8080/
 
+For secure cluster, Kerberos settings for application catalog can be configured in Yarn service JSON using environment variable settings:
+
+| Environment Variable | Example | Description |
+|:---- |:---- |:----|
+| YARN_CONTAINER_RUNTIME_DOCKER_MOUNTS | /etc/hadoop/conf:/etc/hadoop/conf:ro,/etc/krb5.conf:/etc/krb5.conf:ro,/etc/security/keytabs/yarn.service.keytab:/etc/security/keytabs/yarn.service.keytab:ro,/etc/security/keytabs/spnego.service.keytab:/etc/security/keytabs/spnego.service.keytab:ro | Container mount path for Hadoop configuration, Kerberos krb5.conf, and list of Kerberos keytab files. |
+| SPNEGO_KEYTAB | /etc/security/keytabs/spnego.service.keytab | Service principal for Application catalog. |
+| SPNEGO_PRINCIPAL | HTTP/appcatalog.catalog.yarn.example.com@EXAMPLE.COM | Service principal for Application catalog. |
+| KEYTAB | /etc/security/keytabs/yarn.service.ketab | Path to keytab file, used by YARN service application master. |
+| PRINCIPAL | yarn/_HOST@EXAMPLE.COM | Service principal used by YARN service application master. |
+
 ## Docker image ENTRYPOINT support
 
 Docker images may have built with ENTRYPOINT to enable start up of docker image without any parameters.