From de5d43300adaeccb6d436ca16597c2c15b12eab6 Mon Sep 17 00:00:00 2001 From: Masatake Iwasaki Date: Sat, 18 Apr 2020 06:38:25 +0900 Subject: [PATCH] HADOOP-16972. Ignore AuthenticationFilterInitializer for KMSWebServer. (#1961) (cherry picked from commit ac40daece17e9a6339927dbcadab76034bd7882c) --- .../crypto/key/kms/server/KMSWebServer.java | 20 +++++++++ .../hadoop/crypto/key/kms/server/TestKMS.java | 42 +++++++++++++++++++ 2 files changed, 62 insertions(+) diff --git a/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSWebServer.java b/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSWebServer.java index 7cfc010ac2c..639d85521c3 100644 --- a/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSWebServer.java +++ b/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSWebServer.java @@ -22,12 +22,16 @@ import java.net.InetSocketAddress; import java.net.MalformedURLException; import java.net.URI; import java.net.URL; +import java.util.LinkedHashSet; +import java.util.Set; import org.apache.hadoop.classification.InterfaceAudience; import org.apache.hadoop.conf.Configuration; import org.apache.hadoop.http.HttpServer2; import org.apache.hadoop.metrics2.lib.DefaultMetricsSystem; import org.apache.hadoop.metrics2.source.JvmMetrics; +import org.apache.hadoop.security.AuthenticationFilterInitializer; +import org.apache.hadoop.security.authentication.server.ProxyUserAuthenticationFilterInitializer; import org.apache.hadoop.security.authorize.AccessControlList; import org.apache.hadoop.security.ssl.SSLFactory; import org.apache.hadoop.util.JvmPauseMonitor; @@ -94,6 +98,22 @@ public class KMSWebServer { KMSConfiguration.HTTP_PORT_DEFAULT); URI endpoint = new URI(scheme, null, host, port, null, null, null); + String configuredInitializers = + conf.get(HttpServer2.FILTER_INITIALIZER_PROPERTY); + if (configuredInitializers != null) { + Set target = new LinkedHashSet(); + String[] initializers = configuredInitializers.split(","); + for (String init : initializers) { + if (!init.equals(AuthenticationFilterInitializer.class.getName()) && + !init.equals( + ProxyUserAuthenticationFilterInitializer.class.getName())) { + target.add(init); + } + } + String actualInitializers = StringUtils.join(",", target); + conf.set(HttpServer2.FILTER_INITIALIZER_PROPERTY, actualInitializers); + } + httpServer = new HttpServer2.Builder() .setName(NAME) .setConf(conf) diff --git a/hadoop-common-project/hadoop-kms/src/test/java/org/apache/hadoop/crypto/key/kms/server/TestKMS.java b/hadoop-common-project/hadoop-kms/src/test/java/org/apache/hadoop/crypto/key/kms/server/TestKMS.java index 3b511a1c5c4..9190df27ccc 100644 --- a/hadoop-common-project/hadoop-kms/src/test/java/org/apache/hadoop/crypto/key/kms/server/TestKMS.java +++ b/hadoop-common-project/hadoop-kms/src/test/java/org/apache/hadoop/crypto/key/kms/server/TestKMS.java @@ -38,6 +38,7 @@ import org.apache.hadoop.fs.Path; import org.apache.hadoop.io.Text; import org.apache.hadoop.io.MultipleIOException; import org.apache.hadoop.minikdc.MiniKdc; +import org.apache.hadoop.security.AuthenticationFilterInitializer; import org.apache.hadoop.security.Credentials; import org.apache.hadoop.security.SecurityUtil; import org.apache.hadoop.security.UserGroupInformation; @@ -3079,4 +3080,45 @@ public class TestKMS { } }); } + + @Test + public void testFilterInitializer() throws Exception { + Configuration conf = new Configuration(); + File testDir = getTestDir(); + conf = createBaseKMSConf(testDir, conf); + conf.set("hadoop.security.authentication", "kerberos"); + conf.set("hadoop.kms.authentication.token.validity", "1"); + conf.set("hadoop.kms.authentication.type", "kerberos"); + conf.set("hadoop.kms.authentication.kerberos.keytab", + keytab.getAbsolutePath()); + conf.set("hadoop.kms.authentication.kerberos.principal", "HTTP/localhost"); + conf.set("hadoop.kms.authentication.kerberos.name.rules", "DEFAULT"); + conf.set("hadoop.http.filter.initializers", + AuthenticationFilterInitializer.class.getName()); + conf.set("hadoop.http.authentication.type", "kerberos"); + conf.set("hadoop.http.authentication.kerberos.principal", "HTTP/localhost"); + conf.set("hadoop.http.authentication.kerberos.keytab", + keytab.getAbsolutePath()); + + writeConf(testDir, conf); + + runServer(null, null, testDir, new KMSCallable() { + @Override + public Void call() throws Exception { + final Configuration conf = new Configuration(); + URL url = getKMSUrl(); + final URI uri = createKMSUri(getKMSUrl()); + + doAs("client", new PrivilegedExceptionAction() { + @Override + public Void run() throws Exception { + final KeyProvider kp = createProvider(uri, conf); + Assert.assertTrue(kp.getKeys().isEmpty()); + return null; + } + }); + return null; + } + }); + } }