YARN-2697. Remove useless RMAuthenticationHandler. Contributed by Haosong Huang.
This commit is contained in:
Zhijie Shen
parent
1ce4d33c2d
commit
e37a4ff0c1
|
|
@ -138,6 +138,8 @@ Release 2.7.0 - UNRELEASED
|
|||
YARN-1984. LeveldbTimelineStore does not handle db exceptions properly
|
||||
(Varun Saxena via jlowe)
|
||||
|
||||
YARN-2697. Remove useless RMAuthenticationHandler. (Haosong Huang via zjshen)
|
||||
|
||||
Release 2.6.0 - 2014-11-18
|
||||
|
||||
INCOMPATIBLE CHANGES
|
||||
|
|
|
|||
|
|
@ -18,15 +18,7 @@
|
|||
|
||||
package org.apache.hadoop.yarn.server.resourcemanager;
|
||||
|
||||
import java.io.IOException;
|
||||
import java.io.InputStream;
|
||||
import java.net.InetSocketAddress;
|
||||
import java.security.PrivilegedExceptionAction;
|
||||
import java.util.ArrayList;
|
||||
import java.util.List;
|
||||
import java.util.concurrent.BlockingQueue;
|
||||
import java.util.concurrent.LinkedBlockingQueue;
|
||||
|
||||
import com.google.common.annotations.VisibleForTesting;
|
||||
import org.apache.commons.logging.Log;
|
||||
import org.apache.commons.logging.LogFactory;
|
||||
import org.apache.hadoop.classification.InterfaceAudience.Private;
|
||||
|
|
@ -88,16 +80,11 @@ import org.apache.hadoop.yarn.server.resourcemanager.rmcontainer.RMContainer;
|
|||
import org.apache.hadoop.yarn.server.resourcemanager.rmnode.RMNode;
|
||||
import org.apache.hadoop.yarn.server.resourcemanager.rmnode.RMNodeEvent;
|
||||
import org.apache.hadoop.yarn.server.resourcemanager.rmnode.RMNodeEventType;
|
||||
import org.apache.hadoop.yarn.server.resourcemanager.scheduler.ContainerPreemptEvent;
|
||||
import org.apache.hadoop.yarn.server.resourcemanager.scheduler.ContainerPreemptEventType;
|
||||
import org.apache.hadoop.yarn.server.resourcemanager.scheduler.PreemptableResourceScheduler;
|
||||
import org.apache.hadoop.yarn.server.resourcemanager.scheduler.QueueMetrics;
|
||||
import org.apache.hadoop.yarn.server.resourcemanager.scheduler.ResourceScheduler;
|
||||
import org.apache.hadoop.yarn.server.resourcemanager.scheduler.*;
|
||||
import org.apache.hadoop.yarn.server.resourcemanager.scheduler.event.SchedulerEvent;
|
||||
import org.apache.hadoop.yarn.server.resourcemanager.scheduler.event.SchedulerEventType;
|
||||
import org.apache.hadoop.yarn.server.resourcemanager.security.DelegationTokenRenewer;
|
||||
import org.apache.hadoop.yarn.server.resourcemanager.security.QueueACLsManager;
|
||||
import org.apache.hadoop.yarn.server.resourcemanager.security.RMAuthenticationHandler;
|
||||
import org.apache.hadoop.yarn.server.resourcemanager.webapp.RMWebApp;
|
||||
import org.apache.hadoop.yarn.server.security.ApplicationACLsManager;
|
||||
import org.apache.hadoop.yarn.server.security.http.RMAuthenticationFilter;
|
||||
|
|
@ -111,7 +98,14 @@ import org.apache.hadoop.yarn.webapp.WebApps;
|
|||
import org.apache.hadoop.yarn.webapp.WebApps.Builder;
|
||||
import org.apache.hadoop.yarn.webapp.util.WebAppUtils;
|
||||
|
||||
import com.google.common.annotations.VisibleForTesting;
|
||||
import java.io.IOException;
|
||||
import java.io.InputStream;
|
||||
import java.net.InetSocketAddress;
|
||||
import java.security.PrivilegedExceptionAction;
|
||||
import java.util.ArrayList;
|
||||
import java.util.List;
|
||||
import java.util.concurrent.BlockingQueue;
|
||||
import java.util.concurrent.LinkedBlockingQueue;
|
||||
|
||||
/**
|
||||
* The ResourceManager is the main class that is a set of components.
|
||||
|
|
@ -925,13 +919,8 @@ public class ResourceManager extends CompositeService implements Recoverable {
|
|||
|
||||
LOG.info("Using RM authentication filter(kerberos/delegation-token)"
|
||||
+ " for RM webapp authentication");
|
||||
RMAuthenticationHandler
|
||||
.setSecretManager(getClientRMService().rmDTSecretManager);
|
||||
RMAuthenticationFilter
|
||||
.setDelegationTokenSecretManager(getClientRMService().rmDTSecretManager);
|
||||
String yarnAuthKey =
|
||||
authPrefix + RMAuthenticationFilter.AUTH_HANDLER_PROPERTY;
|
||||
conf.setStrings(yarnAuthKey, RMAuthenticationHandler.class.getName());
|
||||
conf.set(filterInitializerConfKey, actualInitializers);
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -1,157 +0,0 @@
|
|||
/**
|
||||
* Licensed to the Apache Software Foundation (ASF) under one
|
||||
* or more contributor license agreements. See the NOTICE file
|
||||
* distributed with this work for additional information
|
||||
* regarding copyright ownership. The ASF licenses this file
|
||||
* to you under the Apache License, Version 2.0 (the
|
||||
* "License"); you may not use this file except in compliance
|
||||
* with the License. You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
package org.apache.hadoop.yarn.server.resourcemanager.security;
|
||||
|
||||
import java.io.ByteArrayInputStream;
|
||||
import java.io.DataInputStream;
|
||||
import java.io.IOException;
|
||||
|
||||
import javax.servlet.http.HttpServletRequest;
|
||||
import javax.servlet.http.HttpServletResponse;
|
||||
|
||||
import org.apache.hadoop.security.UserGroupInformation;
|
||||
import org.apache.hadoop.security.authentication.client.AuthenticationException;
|
||||
import org.apache.hadoop.security.authentication.server.AuthenticationToken;
|
||||
import org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler;
|
||||
import org.apache.hadoop.security.token.Token;
|
||||
import org.apache.hadoop.yarn.security.client.RMDelegationTokenIdentifier;
|
||||
|
||||
public class RMAuthenticationHandler extends KerberosAuthenticationHandler {
|
||||
|
||||
public static final String TYPE = "kerberos-dt";
|
||||
public static final String HEADER = "Hadoop-YARN-Auth-Delegation-Token";
|
||||
|
||||
static RMDelegationTokenSecretManager secretManager;
|
||||
static boolean secretManagerInitialized = false;
|
||||
|
||||
public RMAuthenticationHandler() {
|
||||
super();
|
||||
}
|
||||
|
||||
/**
|
||||
* Returns authentication type of the handler.
|
||||
*
|
||||
* @return <code>kerberos-dt</code>
|
||||
*/
|
||||
@Override
|
||||
public String getType() {
|
||||
return TYPE;
|
||||
}
|
||||
|
||||
@Override
|
||||
public boolean managementOperation(AuthenticationToken token,
|
||||
HttpServletRequest request, HttpServletResponse response) {
|
||||
return true;
|
||||
}
|
||||
|
||||
/**
|
||||
* Authenticates a request looking for the <code>delegation</code> header and
|
||||
* verifying it is a valid token. If the header is missing, it delegates the
|
||||
* authentication to the {@link KerberosAuthenticationHandler} unless it is
|
||||
* disabled.
|
||||
*
|
||||
* @param request
|
||||
* the HTTP client request.
|
||||
* @param response
|
||||
* the HTTP client response.
|
||||
*
|
||||
* @return the authentication token for the authenticated request.
|
||||
* @throws IOException
|
||||
* thrown if an IO error occurred.
|
||||
* @throws AuthenticationException
|
||||
* thrown if the authentication failed.
|
||||
*/
|
||||
@Override
|
||||
public AuthenticationToken authenticate(HttpServletRequest request,
|
||||
HttpServletResponse response) throws IOException, AuthenticationException {
|
||||
|
||||
AuthenticationToken token;
|
||||
String delegationParam = this.getEncodedDelegationTokenFromRequest(request);
|
||||
if (delegationParam != null) {
|
||||
Token<RMDelegationTokenIdentifier> dt =
|
||||
new Token<RMDelegationTokenIdentifier>();
|
||||
;
|
||||
dt.decodeFromUrlString(delegationParam);
|
||||
UserGroupInformation ugi = this.verifyToken(dt);
|
||||
if (ugi == null) {
|
||||
throw new AuthenticationException("Invalid token");
|
||||
}
|
||||
final String shortName = ugi.getShortUserName();
|
||||
token = new AuthenticationToken(shortName, ugi.getUserName(), getType());
|
||||
} else {
|
||||
token = super.authenticate(request, response);
|
||||
if (token != null) {
|
||||
// create a token with auth type set correctly
|
||||
token =
|
||||
new AuthenticationToken(token.getUserName(), token.getName(),
|
||||
super.getType());
|
||||
}
|
||||
}
|
||||
return token;
|
||||
}
|
||||
|
||||
/**
|
||||
* Verifies a delegation token.
|
||||
*
|
||||
* @param token
|
||||
* delegation token to verify.
|
||||
* @return the UGI for the token; null if the verification fails
|
||||
* @throws IOException
|
||||
* thrown if the token could not be verified.
|
||||
*/
|
||||
protected UserGroupInformation verifyToken(
|
||||
Token<RMDelegationTokenIdentifier> token) throws IOException {
|
||||
if (secretManagerInitialized == false) {
|
||||
throw new IllegalStateException("Secret manager not initialized");
|
||||
}
|
||||
ByteArrayInputStream buf = new ByteArrayInputStream(token.getIdentifier());
|
||||
DataInputStream dis = new DataInputStream(buf);
|
||||
RMDelegationTokenIdentifier id = secretManager.createIdentifier();
|
||||
try {
|
||||
id.readFields(dis);
|
||||
secretManager.verifyToken(id, token.getPassword());
|
||||
} catch (Throwable t) {
|
||||
return null;
|
||||
} finally {
|
||||
dis.close();
|
||||
}
|
||||
return id.getUser();
|
||||
}
|
||||
|
||||
/**
|
||||
* Extract encoded delegation token from request
|
||||
*
|
||||
* @param req
|
||||
* HTTPServletRequest object
|
||||
*
|
||||
* @return String containing the encoded token; null if encoded token not
|
||||
* found
|
||||
*
|
||||
*/
|
||||
protected String getEncodedDelegationTokenFromRequest(HttpServletRequest req) {
|
||||
String header = req.getHeader(HEADER);
|
||||
return header;
|
||||
}
|
||||
|
||||
public static void setSecretManager(RMDelegationTokenSecretManager manager) {
|
||||
secretManager = manager;
|
||||
secretManagerInitialized = true;
|
||||
}
|
||||
|
||||
}
|
||||
Loading…
Reference in New Issue