From a973ca1752fccecee8db7d2a7a09ded7159e4c58 Mon Sep 17 00:00:00 2001
From: Noble Paul
Date: Mon, 24 Oct 2016 17:52:02 +0530
Subject: [PATCH] SOLR-9518: Kerberos Delegation Tokens don't work without a chrooted ZK
---
 solr/CHANGES.txt | 2 ++
 .../solr/security/DelegationTokenKerberosFilter.java | 11 ++++++++---
 .../java/org/apache/solr/security/KerberosPlugin.java | 9 +++++----
 3 files changed, 15 insertions(+), 7 deletions(-)
diff --git a/solr/CHANGES.txt b/solr/CHANGES.txt
index f90b137194e..7d36808ba65 100644
--- a/solr/CHANGES.txt
+++ b/solr/CHANGES.txt
@@ -164,6 +164,8 @@ Bug Fixes
 * SOLR-9325: solr.log is now written to $SOLR_LOGS_DIR without changing log4j.properties (janhoy)
+* SOLR-9518: Kerberos Delegation Tokens don't work without a chrooted ZK (Ishan Chattopadhyaya,via noble)
+
 Optimizations
 ----------------------
diff --git a/solr/core/src/java/org/apache/solr/security/DelegationTokenKerberosFilter.java b/solr/core/src/java/org/apache/solr/security/DelegationTokenKerberosFilter.java
index 7dbb1ad8545..a96605dad1b 100644
--- a/solr/core/src/java/org/apache/solr/security/DelegationTokenKerberosFilter.java
+++ b/solr/core/src/java/org/apache/solr/security/DelegationTokenKerberosFilter.java
@@ -46,6 +46,11 @@ import org.apache.zookeeper.data.ACL;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
+/**
+ * This is an authentication filter based on Hadoop's {@link DelegationTokenAuthenticationFilter}.
+ * The Kerberos plugin can be configured to use delegation tokens, which allow an
+ * application to reuse the authentication of an end-user or another application.
+ */
 public class DelegationTokenKerberosFilter extends DelegationTokenAuthenticationFilter {
 private static final Logger log = LoggerFactory.getLogger(MethodHandles.lookup().lookupClass());
@@ -105,10 +110,10 @@ public class DelegationTokenKerberosFilter extends DelegationTokenAuthentication
 throw new IllegalArgumentException("zkClient required");
 }
 String zkHost = zkClient.getZkServerAddress();
-String zkChroot = zkHost.substring(zkHost.indexOf("/"));
-zkChroot = zkChroot.startsWith("/") ? zkChroot.substring(1) : zkChroot;
+String zkChroot = zkHost.contains("/")? zkHost.substring(zkHost.indexOf("/")): "";
 String zkNamespace = zkChroot + SecurityAwareZkACLProvider.SECURITY_ZNODE_PATH;
-String zkConnectionString = zkHost.substring(0, zkHost.indexOf("/"));
+zkNamespace = zkNamespace.startsWith("/") ? zkNamespace.substring(1) : zkNamespace;
+String zkConnectionString = zkHost.contains("/")? zkHost.substring(0, zkHost.indexOf("/")): zkHost;
 SolrZkToCuratorCredentialsACLs curatorToSolrZk = new SolrZkToCuratorCredentialsACLs(zkClient);
 final int connectionTimeoutMs = 30000; // this value is currently hard coded, see SOLR-7561.
diff --git a/solr/core/src/java/org/apache/solr/security/KerberosPlugin.java b/solr/core/src/java/org/apache/solr/security/KerberosPlugin.java
index 2eb8bc49af0..a8911ceda38 100644
--- a/solr/core/src/java/org/apache/solr/security/KerberosPlugin.java
+++ b/solr/core/src/java/org/apache/solr/security/KerberosPlugin.java
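Review bot: The chroot parsing in the new `zkChroot` and `zkConnectionString` lines is the same expression the KerberosPlugin hunk adds as `chrootPath`, and the two results have to agree (this one becomes the Curator namespace, the other the secret manager's working path under the same `SecurityAwareZkACLProvider.SECURITY_ZNODE_PATH`), so one package-visible helper such as `static String chrootOf(String zkHost) { return zkHost.contains("/") ? zkHost.substring(zkHost.indexOf("/")) : ""; }` called from both places would stop the two copies drifting apart. The new ternaries also omit the spaces around `?` and `:` that the neighbouring `startsWith("/") ? … : …` line keeps; the same applies to the `chrootPath` and `znodeWorkingPath` lines in KerberosPlugin. The enclosing method starts before the hunk, so whether `zkHost` is guaranteed non-null here is not visible.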
@@ -134,12 +134,13 @@ public class KerberosPlugin extends AuthenticationPlugin implements HttpClientIn
 String zkHost = controller.getZkServerAddress();
 putParam(params, "token.validity", DELEGATION_TOKEN_VALIDITY, "36000");
 params.put("zk-dt-secret-manager.enable", "true");
+
+String chrootPath = zkHost.contains("/")? zkHost.substring(zkHost.indexOf("/")): "";
+String znodeWorkingPath = chrootPath + SecurityAwareZkACLProvider.SECURITY_ZNODE_PATH + "/zkdtsm";
 // Note - Curator complains if the znodeWorkingPath starts with /
-String chrootPath = zkHost.substring(zkHost.indexOf("/"));
-String relativePath = chrootPath.startsWith("/") ? chrootPath.substring(1) : chrootPath;
+znodeWorkingPath = znodeWorkingPath.startsWith("/")? znodeWorkingPath.substring(1): znodeWorkingPath;
 putParam(params, "zk-dt-secret-manager.znodeWorkingPath",
-DELEGATION_TOKEN_SECRET_MANAGER_ZNODE_WORKING_PATH,
-relativePath + SecurityAwareZkACLProvider.SECURITY_ZNODE_PATH + "/zkdtsm");
+DELEGATION_TOKEN_SECRET_MANAGER_ZNODE_WORKING_PATH, znodeWorkingPath);
 putParam(params, "signer.secret.provider.zookeeper.path",
 DELEGATION_TOKEN_SECRET_PROVIDER_ZK_PATH, "/token");
 // need to ensure krb5 is setup properly before running curator;
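Review bot: The retained `// Note - Curator complains if the znodeWorkingPath starts with /` comment now explains only the strip on the line after it, while the reason the chroot is prepended at all (the working path is built from the ZK root as chroot + `SECURITY_ZNODE_PATH` + `/zkdtsm`, not relative to the chroot the client is already connected under) is left undocumented; I would widen it to `// Working path is given from the ZK root (chroot + SECURITY_ZNODE_PATH + /zkdtsm); Curator rejects a leading slash, so strip it`. The same strip step is applied to `zkNamespace` in DelegationTokenKerberosFilter, and a shared helper for the chroot-plus-security-path prefix would keep the two in step. The enclosing method starts before and ends after the hunk.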