From 1a05d6f4f1a6e7c99662549c8f24a11727d86b2f Mon Sep 17 00:00:00 2001 From: Ishan Chattopadhyaya Date: Thu, 19 Jan 2017 09:35:59 +0530 Subject: [PATCH] SOLR-9984: Deprecate GenericHadoopAuthPlugin in favor of HadoopAuthPlugin --- solr/CHANGES.txt | 8 + .../security/GenericHadoopAuthPlugin.java | 245 +----------------- .../solr/security/HadoopAuthPlugin.java | 2 +- 3 files changed, 14 insertions(+), 241 deletions(-) diff --git a/solr/CHANGES.txt b/solr/CHANGES.txt index aab51166874..62b88185e72 100644 --- a/solr/CHANGES.txt +++ b/solr/CHANGES.txt @@ -94,6 +94,12 @@ Jetty 9.3.14.v20161028 Detailed Change List ---------------------- +Upgrade Notes +---------------------- + +* SOLR-9984: GenericHadoopAuthPlugin is deprecated in favor of HadoopAuthPlugin. Simply changing the + name of the class in the security configurations should suffice while upgrading. + New Features ---------------------- @@ -122,6 +128,8 @@ Other Changes ---------------------- * SOLR-9980: Expose configVersion in core admin status (Jessica Cheng Mallet via Tomás Fernández Löbbe) +* SOLR-9984: Deprecate GenericHadoopAuthPlugin in favor of HadoopAuthPlugin (Ishan Chattopadhyaya) + ================== 6.4.0 ================== Consult the LUCENE_CHANGES.txt file for additional, low level, changes in this release. diff --git a/solr/core/src/java/org/apache/solr/security/GenericHadoopAuthPlugin.java b/solr/core/src/java/org/apache/solr/security/GenericHadoopAuthPlugin.java index e5fe3497b7d..3d63fd6e6e1 100644 --- a/solr/core/src/java/org/apache/solr/security/GenericHadoopAuthPlugin.java +++ b/solr/core/src/java/org/apache/solr/security/GenericHadoopAuthPlugin.java @@ -16,251 +16,16 @@ */ package org.apache.solr.security; -import static org.apache.solr.security.RequestContinuesRecorderAuthenticationHandler.REQUEST_CONTINUES_ATTR; -import static org.apache.solr.security.HadoopAuthFilter.DELEGATION_TOKEN_ZK_CLIENT; - -import java.io.IOException; -import java.io.PrintWriter; -import java.lang.invoke.MethodHandles; -import java.util.Collection; -import java.util.Collections; -import java.util.Enumeration; -import java.util.HashMap; -import java.util.Map; -import java.util.Objects; -import java.util.Optional; - -import javax.servlet.FilterChain; -import javax.servlet.FilterConfig; -import javax.servlet.ServletContext; -import javax.servlet.ServletException; -import javax.servlet.ServletRequest; -import javax.servlet.ServletResponse; -import javax.servlet.http.HttpServletResponse; -import javax.servlet.http.HttpServletResponseWrapper; - -import org.apache.commons.collections.iterators.IteratorEnumeration; -import org.apache.hadoop.security.authentication.server.AuthenticationFilter; -import org.apache.solr.client.solrj.impl.HttpClientBuilderFactory; -import org.apache.solr.client.solrj.impl.Krb5HttpClientBuilder; -import org.apache.solr.client.solrj.impl.SolrHttpClientBuilder; -import org.apache.solr.cloud.ZkController; -import org.apache.solr.common.SolrException; -import org.apache.solr.common.SolrException.ErrorCode; -import org.apache.solr.common.util.SuppressForbidden; import org.apache.solr.core.CoreContainer; -import org.slf4j.Logger; -import org.slf4j.LoggerFactory; /** - * This class implements a generic plugin which can use authentication schemes exposed by the - * Hadoop framework. This plugin supports following features - * - integration with authentication mehcanisms (e.g. kerberos) - * - Delegation token support - * - Proxy users (or secure impersonation) support - * - * This plugin enables defining configuration parameters required by the undelying Hadoop authentication - * mechanism. These configuration parameters can either be specified as a Java system property or the default - * value can be specified as part of the plugin configuration. - * - * The proxy users are configured by specifying relevant Hadoop configuration parameters. Please note that - * the delegation token support must be enabled for using the proxy users support. - * - * For Solr internal communication, this plugin enables configuring {@linkplain HttpClientBuilderFactory} - * implementation (e.g. based on kerberos). + * * @deprecated Use {@link HadoopAuthPlugin}. For backcompat against Solr 6.4. */ -public class GenericHadoopAuthPlugin extends AuthenticationPlugin implements HttpClientBuilderPlugin { - private static final Logger log = LoggerFactory.getLogger(MethodHandles.lookup().lookupClass()); - - /** - * A property specifying the type of authentication scheme to be configured. - */ - private static final String HADOOP_AUTH_TYPE = "type"; - - /** - * A property specifies the value of the prefix to be used to define Java system property - * for configuring the authentication mechanism. The name of the Java system property is - * defined by appending the configuration parmeter namne to this prefix value e.g. if prefix - * is 'solr' then the Java system property 'solr.kerberos.principal' defines the value of - * configuration parameter 'kerberos.principal'. - */ - private static final String SYSPROP_PREFIX_PROPERTY = "sysPropPrefix"; - - /** - * A property specifying the configuration parameters required by the authentication scheme - * defined by {@linkplain #HADOOP_AUTH_TYPE} property. - */ - private static final String AUTH_CONFIG_NAMES_PROPERTY = "authConfigs"; - - /** - * A property specifying the {@linkplain HttpClientBuilderFactory} used for the Solr internal - * communication. - */ - private static final String HTTPCLIENT_BUILDER_FACTORY = "clientBuilderFactory"; - - /** - * A property specifying the default values for the configuration parameters specified by the - * {@linkplain #AUTH_CONFIG_NAMES_PROPERTY} property. The default values are specified as a - * collection of key-value pairs (i.e. property-name : default_value). - */ - private static final String DEFAULT_AUTH_CONFIGS_PROPERTY = "defaultConfigs"; - - /** - * A property which enable (or disable) the delegation tokens functionality. - */ - private static final String DELEGATION_TOKEN_ENABLED_PROPERTY = "enableDelegationToken"; - - /** - * A property which enables initialization of kerberos before connecting to Zookeeper. - */ - private static final String INIT_KERBEROS_ZK = "initKerberosZk"; - - /** - * A property which configures proxy users for the underlying Hadoop authentication mechanism. - * This configuration is expressed as a collection of key-value pairs (i.e. property-name : value). - */ - public static final String PROXY_USER_CONFIGS = "proxyUserConfigs"; - - private AuthenticationFilter authFilter; - private HttpClientBuilderFactory factory = null; - private final CoreContainer coreContainer; +@Deprecated +public class GenericHadoopAuthPlugin extends HadoopAuthPlugin { public GenericHadoopAuthPlugin(CoreContainer coreContainer) { - this.coreContainer = coreContainer; + super(coreContainer); } - @SuppressWarnings("rawtypes") - @Override - public void init(Map pluginConfig) { - try { - String delegationTokenEnabled = (String)pluginConfig.getOrDefault(DELEGATION_TOKEN_ENABLED_PROPERTY, "false"); - authFilter = (Boolean.parseBoolean(delegationTokenEnabled)) ? new HadoopAuthFilter() : new AuthenticationFilter(); - - // Initialize kerberos before initializing curator instance. - boolean initKerberosZk = Boolean.parseBoolean((String)pluginConfig.getOrDefault(INIT_KERBEROS_ZK, "false")); - if (initKerberosZk) { - (new Krb5HttpClientBuilder()).getBuilder(); - } - - FilterConfig conf = getInitFilterConfig(pluginConfig); - authFilter.init(conf); - - String httpClientBuilderFactory = (String)pluginConfig.get(HTTPCLIENT_BUILDER_FACTORY); - if (httpClientBuilderFactory != null) { - Class c = Class.forName(httpClientBuilderFactory); - factory = (HttpClientBuilderFactory)c.newInstance(); - } - - } catch (ServletException | ClassNotFoundException | InstantiationException | IllegalAccessException e) { - throw new SolrException(ErrorCode.SERVER_ERROR, "Error initializing kerberos authentication plugin: "+e); - } - } - - @SuppressWarnings("unchecked") - protected FilterConfig getInitFilterConfig(Map pluginConfig) { - Map params = new HashMap<>(); - - String type = (String) Objects.requireNonNull(pluginConfig.get(HADOOP_AUTH_TYPE)); - params.put(HADOOP_AUTH_TYPE, type); - - String sysPropPrefix = (String) pluginConfig.getOrDefault(SYSPROP_PREFIX_PROPERTY, "solr."); - Collection authConfigNames = (Collection) pluginConfig. - getOrDefault(AUTH_CONFIG_NAMES_PROPERTY, Collections.emptyList()); - Map authConfigDefaults = (Map) pluginConfig - .getOrDefault(DEFAULT_AUTH_CONFIGS_PROPERTY, Collections.emptyMap()); - Map proxyUserConfigs = (Map) pluginConfig - .getOrDefault(PROXY_USER_CONFIGS, Collections.emptyMap()); - - for ( String configName : authConfigNames) { - String systemProperty = sysPropPrefix + configName; - String defaultConfigVal = authConfigDefaults.get(configName); - String configVal = System.getProperty(systemProperty, defaultConfigVal); - if (configVal != null) { - params.put(configName, configVal); - } - } - - // Configure proxy user settings. - params.putAll(proxyUserConfigs); - - final ServletContext servletContext = new AttributeOnlyServletContext(); - log.info("Params: "+params); - - ZkController controller = coreContainer.getZkController(); - if (controller != null) { - servletContext.setAttribute(DELEGATION_TOKEN_ZK_CLIENT, controller.getZkClient()); - } - - FilterConfig conf = new FilterConfig() { - @Override - public ServletContext getServletContext() { - return servletContext; - } - - @Override - public Enumeration getInitParameterNames() { - return new IteratorEnumeration(params.keySet().iterator()); - } - - @Override - public String getInitParameter(String param) { - return params.get(param); - } - - @Override - public String getFilterName() { - return "HadoopAuthFilter"; - } - }; - - return conf; - } - - @Override - public boolean doAuthenticate(ServletRequest request, ServletResponse response, FilterChain filterChain) - throws Exception { - final HttpServletResponse frsp = (HttpServletResponse)response; - - // Workaround until HADOOP-13346 is fixed. - HttpServletResponse rspCloseShield = new HttpServletResponseWrapper(frsp) { - @SuppressForbidden(reason = "Hadoop DelegationTokenAuthenticationFilter uses response writer, this" + - "is providing a CloseShield on top of that") - @Override - public PrintWriter getWriter() throws IOException { - final PrintWriter pw = new PrintWriterWrapper(frsp.getWriter()) { - @Override - public void close() {}; - }; - return pw; - } - }; - authFilter.doFilter(request, rspCloseShield, filterChain); - - if (authFilter instanceof HadoopAuthFilter) { // delegation token mgmt. - String requestContinuesAttr = (String)request.getAttribute(REQUEST_CONTINUES_ATTR); - if (requestContinuesAttr == null) { - log.warn("Could not find " + REQUEST_CONTINUES_ATTR); - return false; - } else { - return Boolean.parseBoolean(requestContinuesAttr); - } - } - - return true; - } - - @Override - public SolrHttpClientBuilder getHttpClientBuilder(SolrHttpClientBuilder builder) { - return (factory != null) ? factory.getHttpClientBuilder(Optional.ofNullable(builder)) : builder; - } - - @Override - public void close() throws IOException { - if (authFilter != null) { - authFilter.destroy(); - } - if (factory != null) { - factory.close(); - } - } -} +} \ No newline at end of file diff --git a/solr/core/src/java/org/apache/solr/security/HadoopAuthPlugin.java b/solr/core/src/java/org/apache/solr/security/HadoopAuthPlugin.java index db0f6391686..1f0d5ad4e8d 100644 --- a/solr/core/src/java/org/apache/solr/security/HadoopAuthPlugin.java +++ b/solr/core/src/java/org/apache/solr/security/HadoopAuthPlugin.java @@ -135,7 +135,7 @@ public class HadoopAuthPlugin extends AuthenticationPlugin { authFilter.init(conf); } catch (ServletException e) { - throw new SolrException(ErrorCode.SERVER_ERROR, "Error initializing GenericHadoopAuthPlugin: "+e); + throw new SolrException(ErrorCode.SERVER_ERROR, "Error initializing " + getClass().getName() + ": "+e); } }