SOLR-9518: Kerberos Delegation Tokens don't work without a chrooted ZK

This commit is contained in:
Noble Paul 2016-10-24 17:52:02 +05:30
parent 265d425b00
commit a973ca1752
3 changed files with 15 additions and 7 deletions

View File

@ -164,6 +164,8 @@ Bug Fixes
* SOLR-9325: solr.log is now written to $SOLR_LOGS_DIR without changing log4j.properties (janhoy)
* SOLR-9518: Kerberos Delegation Tokens don't work without a chrooted ZK (Ishan Chattopadhyaya,via noble)
Optimizations
----------------------

View File

@ -46,6 +46,11 @@ import org.apache.zookeeper.data.ACL;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
/**
* This is an authentication filter based on Hadoop's {@link DelegationTokenAuthenticationFilter}.
* The Kerberos plugin can be configured to use delegation tokens, which allow an
* application to reuse the authentication of an end-user or another application.
*/
public class DelegationTokenKerberosFilter extends DelegationTokenAuthenticationFilter {
private static final Logger log = LoggerFactory.getLogger(MethodHandles.lookup().lookupClass());
@ -105,10 +110,10 @@ public class DelegationTokenKerberosFilter extends DelegationTokenAuthentication
throw new IllegalArgumentException("zkClient required");
}
String zkHost = zkClient.getZkServerAddress();
String zkChroot = zkHost.substring(zkHost.indexOf("/"));
zkChroot = zkChroot.startsWith("/") ? zkChroot.substring(1) : zkChroot;
String zkChroot = zkHost.contains("/")? zkHost.substring(zkHost.indexOf("/")): "";
String zkNamespace = zkChroot + SecurityAwareZkACLProvider.SECURITY_ZNODE_PATH;
String zkConnectionString = zkHost.substring(0, zkHost.indexOf("/"));
zkNamespace = zkNamespace.startsWith("/") ? zkNamespace.substring(1) : zkNamespace;
String zkConnectionString = zkHost.contains("/")? zkHost.substring(0, zkHost.indexOf("/")): zkHost;
SolrZkToCuratorCredentialsACLs curatorToSolrZk = new SolrZkToCuratorCredentialsACLs(zkClient);
final int connectionTimeoutMs = 30000; // this value is currently hard coded, see SOLR-7561.

View File

@ -134,12 +134,13 @@ public class KerberosPlugin extends AuthenticationPlugin implements HttpClientIn
String zkHost = controller.getZkServerAddress();
putParam(params, "token.validity", DELEGATION_TOKEN_VALIDITY, "36000");
params.put("zk-dt-secret-manager.enable", "true");
String chrootPath = zkHost.contains("/")? zkHost.substring(zkHost.indexOf("/")): "";
String znodeWorkingPath = chrootPath + SecurityAwareZkACLProvider.SECURITY_ZNODE_PATH + "/zkdtsm";
// Note - Curator complains if the znodeWorkingPath starts with /
String chrootPath = zkHost.substring(zkHost.indexOf("/"));
String relativePath = chrootPath.startsWith("/") ? chrootPath.substring(1) : chrootPath;
znodeWorkingPath = znodeWorkingPath.startsWith("/")? znodeWorkingPath.substring(1): znodeWorkingPath;
putParam(params, "zk-dt-secret-manager.znodeWorkingPath",
DELEGATION_TOKEN_SECRET_MANAGER_ZNODE_WORKING_PATH,
relativePath + SecurityAwareZkACLProvider.SECURITY_ZNODE_PATH + "/zkdtsm");
DELEGATION_TOKEN_SECRET_MANAGER_ZNODE_WORKING_PATH, znodeWorkingPath);
putParam(params, "signer.secret.provider.zookeeper.path",
DELEGATION_TOKEN_SECRET_PROVIDER_ZK_PATH, "/token");
// need to ensure krb5 is setup properly before running curator;