Hadoop Common
  1. Hadoop Common
  2. HADOOP-8458

Add management hook to AuthenticationHandler to enable delegation token operations support

    Details

    • Type: New Feature New Feature
    • Status: Closed
    • Priority: Major Major
    • Resolution: Fixed
    • Affects Version/s: 2.0.0-alpha
    • Fix Version/s: 2.0.2-alpha
    • Component/s: security
    • Labels:
      None
    • Hadoop Flags:
      Incompatible change, Reviewed

      Description

      Currently hadoop-auth AuthenticationHandler only authenticates a request.

      While it can easily be extended to authenticate delegation tokens, it cannot handle the delegation token get/renew/cancel operations.

      The motivation of this new feature is that the above delegation token operations should be handled by a security component (hadoop-auth) instead of a functional component (httpfs implementation). Ideally we should have a complete separation of concerns between delegation token management and FileSystem/MapReduce/YARN API, but we don't. This change is a step on that directory for HTTP based services (like HttpFS).

      1. HADOOP-8458.patch
        22 kB
        Alejandro Abdelnur
      2. HADOOP-8458.patch
        23 kB
        Alejandro Abdelnur

        Issue Links

          Activity

          Transition Time In Source Status Execution Times Last Executer Last Execution Date
          Open Open Patch Available Patch Available
          6m 56s 1 Alejandro Abdelnur 31/May/12 18:52
          Patch Available Patch Available Resolved Resolved
          12d 2h 56m 1 Alejandro Abdelnur 12/Jun/12 21:48
          Resolved Resolved Closed Closed
          120d 20h 56m 1 Arun C Murthy 11/Oct/12 18:45
          Gavin made changes -
          Link This issue is depended upon by HADOOP-8465 [ HADOOP-8465 ]
          Gavin made changes -
          Link This issue blocks HADOOP-8465 [ HADOOP-8465 ]
          Arun C Murthy made changes -
          Status Resolved [ 5 ] Closed [ 6 ]
          Arun C Murthy made changes -
          Affects Version/s 2.0.0-alpha [ 12320352 ]
          Affects Version/s 2.1.0-alpha [ 12321441 ]
          Fix Version/s 2.0.2-alpha [ 12322473 ]
          Fix Version/s 2.1.0-alpha [ 12321441 ]
          Hide
          Hudson added a comment -

          Integrated in Hadoop-Mapreduce-trunk #1108 (See https://builds.apache.org/job/Hadoop-Mapreduce-trunk/1108/)
          HADOOP-8458. Add management hook to AuthenticationHandler to enable delegation token operations support (tucu) (Revision 1349514)

          Result = FAILURE
          tucu : http://svn.apache.org/viewcvs.cgi/?root=Apache-SVN&view=rev&rev=1349514
          Files :

          • /hadoop/common/trunk/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/AuthenticationFilter.java
          • /hadoop/common/trunk/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/AuthenticationHandler.java
          • /hadoop/common/trunk/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/KerberosAuthenticationHandler.java
          • /hadoop/common/trunk/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/PseudoAuthenticationHandler.java
          • /hadoop/common/trunk/hadoop-common-project/hadoop-auth/src/test/java/org/apache/hadoop/security/authentication/server/TestAuthenticationFilter.java
          • /hadoop/common/trunk/hadoop-common-project/hadoop-common/CHANGES.txt
          Show
          Hudson added a comment - Integrated in Hadoop-Mapreduce-trunk #1108 (See https://builds.apache.org/job/Hadoop-Mapreduce-trunk/1108/ ) HADOOP-8458 . Add management hook to AuthenticationHandler to enable delegation token operations support (tucu) (Revision 1349514) Result = FAILURE tucu : http://svn.apache.org/viewcvs.cgi/?root=Apache-SVN&view=rev&rev=1349514 Files : /hadoop/common/trunk/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/AuthenticationFilter.java /hadoop/common/trunk/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/AuthenticationHandler.java /hadoop/common/trunk/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/KerberosAuthenticationHandler.java /hadoop/common/trunk/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/PseudoAuthenticationHandler.java /hadoop/common/trunk/hadoop-common-project/hadoop-auth/src/test/java/org/apache/hadoop/security/authentication/server/TestAuthenticationFilter.java /hadoop/common/trunk/hadoop-common-project/hadoop-common/CHANGES.txt
          Hide
          Hudson added a comment -

          Integrated in Hadoop-Hdfs-trunk #1075 (See https://builds.apache.org/job/Hadoop-Hdfs-trunk/1075/)
          HADOOP-8458. Add management hook to AuthenticationHandler to enable delegation token operations support (tucu) (Revision 1349514)

          Result = SUCCESS
          tucu : http://svn.apache.org/viewcvs.cgi/?root=Apache-SVN&view=rev&rev=1349514
          Files :

          • /hadoop/common/trunk/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/AuthenticationFilter.java
          • /hadoop/common/trunk/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/AuthenticationHandler.java
          • /hadoop/common/trunk/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/KerberosAuthenticationHandler.java
          • /hadoop/common/trunk/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/PseudoAuthenticationHandler.java
          • /hadoop/common/trunk/hadoop-common-project/hadoop-auth/src/test/java/org/apache/hadoop/security/authentication/server/TestAuthenticationFilter.java
          • /hadoop/common/trunk/hadoop-common-project/hadoop-common/CHANGES.txt
          Show
          Hudson added a comment - Integrated in Hadoop-Hdfs-trunk #1075 (See https://builds.apache.org/job/Hadoop-Hdfs-trunk/1075/ ) HADOOP-8458 . Add management hook to AuthenticationHandler to enable delegation token operations support (tucu) (Revision 1349514) Result = SUCCESS tucu : http://svn.apache.org/viewcvs.cgi/?root=Apache-SVN&view=rev&rev=1349514 Files : /hadoop/common/trunk/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/AuthenticationFilter.java /hadoop/common/trunk/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/AuthenticationHandler.java /hadoop/common/trunk/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/KerberosAuthenticationHandler.java /hadoop/common/trunk/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/PseudoAuthenticationHandler.java /hadoop/common/trunk/hadoop-common-project/hadoop-auth/src/test/java/org/apache/hadoop/security/authentication/server/TestAuthenticationFilter.java /hadoop/common/trunk/hadoop-common-project/hadoop-common/CHANGES.txt
          Hide
          Hudson added a comment -

          Integrated in Hadoop-Mapreduce-trunk-Commit #2371 (See https://builds.apache.org/job/Hadoop-Mapreduce-trunk-Commit/2371/)
          HADOOP-8458. Add management hook to AuthenticationHandler to enable delegation token operations support (tucu) (Revision 1349514)

          Result = FAILURE
          tucu : http://svn.apache.org/viewcvs.cgi/?root=Apache-SVN&view=rev&rev=1349514
          Files :

          • /hadoop/common/trunk/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/AuthenticationFilter.java
          • /hadoop/common/trunk/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/AuthenticationHandler.java
          • /hadoop/common/trunk/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/KerberosAuthenticationHandler.java
          • /hadoop/common/trunk/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/PseudoAuthenticationHandler.java
          • /hadoop/common/trunk/hadoop-common-project/hadoop-auth/src/test/java/org/apache/hadoop/security/authentication/server/TestAuthenticationFilter.java
          • /hadoop/common/trunk/hadoop-common-project/hadoop-common/CHANGES.txt
          Show
          Hudson added a comment - Integrated in Hadoop-Mapreduce-trunk-Commit #2371 (See https://builds.apache.org/job/Hadoop-Mapreduce-trunk-Commit/2371/ ) HADOOP-8458 . Add management hook to AuthenticationHandler to enable delegation token operations support (tucu) (Revision 1349514) Result = FAILURE tucu : http://svn.apache.org/viewcvs.cgi/?root=Apache-SVN&view=rev&rev=1349514 Files : /hadoop/common/trunk/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/AuthenticationFilter.java /hadoop/common/trunk/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/AuthenticationHandler.java /hadoop/common/trunk/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/KerberosAuthenticationHandler.java /hadoop/common/trunk/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/PseudoAuthenticationHandler.java /hadoop/common/trunk/hadoop-common-project/hadoop-auth/src/test/java/org/apache/hadoop/security/authentication/server/TestAuthenticationFilter.java /hadoop/common/trunk/hadoop-common-project/hadoop-common/CHANGES.txt
          Hide
          Hudson added a comment -

          Integrated in Hadoop-Common-trunk-Commit #2348 (See https://builds.apache.org/job/Hadoop-Common-trunk-Commit/2348/)
          HADOOP-8458. Add management hook to AuthenticationHandler to enable delegation token operations support (tucu) (Revision 1349514)

          Result = SUCCESS
          tucu : http://svn.apache.org/viewcvs.cgi/?root=Apache-SVN&view=rev&rev=1349514
          Files :

          • /hadoop/common/trunk/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/AuthenticationFilter.java
          • /hadoop/common/trunk/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/AuthenticationHandler.java
          • /hadoop/common/trunk/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/KerberosAuthenticationHandler.java
          • /hadoop/common/trunk/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/PseudoAuthenticationHandler.java
          • /hadoop/common/trunk/hadoop-common-project/hadoop-auth/src/test/java/org/apache/hadoop/security/authentication/server/TestAuthenticationFilter.java
          • /hadoop/common/trunk/hadoop-common-project/hadoop-common/CHANGES.txt
          Show
          Hudson added a comment - Integrated in Hadoop-Common-trunk-Commit #2348 (See https://builds.apache.org/job/Hadoop-Common-trunk-Commit/2348/ ) HADOOP-8458 . Add management hook to AuthenticationHandler to enable delegation token operations support (tucu) (Revision 1349514) Result = SUCCESS tucu : http://svn.apache.org/viewcvs.cgi/?root=Apache-SVN&view=rev&rev=1349514 Files : /hadoop/common/trunk/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/AuthenticationFilter.java /hadoop/common/trunk/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/AuthenticationHandler.java /hadoop/common/trunk/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/KerberosAuthenticationHandler.java /hadoop/common/trunk/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/PseudoAuthenticationHandler.java /hadoop/common/trunk/hadoop-common-project/hadoop-auth/src/test/java/org/apache/hadoop/security/authentication/server/TestAuthenticationFilter.java /hadoop/common/trunk/hadoop-common-project/hadoop-common/CHANGES.txt
          Hide
          Hudson added a comment -

          Integrated in Hadoop-Hdfs-trunk-Commit #2421 (See https://builds.apache.org/job/Hadoop-Hdfs-trunk-Commit/2421/)
          HADOOP-8458. Add management hook to AuthenticationHandler to enable delegation token operations support (tucu) (Revision 1349514)

          Result = SUCCESS
          tucu : http://svn.apache.org/viewcvs.cgi/?root=Apache-SVN&view=rev&rev=1349514
          Files :

          • /hadoop/common/trunk/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/AuthenticationFilter.java
          • /hadoop/common/trunk/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/AuthenticationHandler.java
          • /hadoop/common/trunk/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/KerberosAuthenticationHandler.java
          • /hadoop/common/trunk/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/PseudoAuthenticationHandler.java
          • /hadoop/common/trunk/hadoop-common-project/hadoop-auth/src/test/java/org/apache/hadoop/security/authentication/server/TestAuthenticationFilter.java
          • /hadoop/common/trunk/hadoop-common-project/hadoop-common/CHANGES.txt
          Show
          Hudson added a comment - Integrated in Hadoop-Hdfs-trunk-Commit #2421 (See https://builds.apache.org/job/Hadoop-Hdfs-trunk-Commit/2421/ ) HADOOP-8458 . Add management hook to AuthenticationHandler to enable delegation token operations support (tucu) (Revision 1349514) Result = SUCCESS tucu : http://svn.apache.org/viewcvs.cgi/?root=Apache-SVN&view=rev&rev=1349514 Files : /hadoop/common/trunk/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/AuthenticationFilter.java /hadoop/common/trunk/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/AuthenticationHandler.java /hadoop/common/trunk/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/KerberosAuthenticationHandler.java /hadoop/common/trunk/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/PseudoAuthenticationHandler.java /hadoop/common/trunk/hadoop-common-project/hadoop-auth/src/test/java/org/apache/hadoop/security/authentication/server/TestAuthenticationFilter.java /hadoop/common/trunk/hadoop-common-project/hadoop-common/CHANGES.txt
          Alejandro Abdelnur made changes -
          Status Patch Available [ 10002 ] Resolved [ 5 ]
          Hadoop Flags Incompatible change [ 10342 ] Incompatible change,Reviewed [ 10342, 10343 ]
          Resolution Fixed [ 1 ]
          Hide
          Alejandro Abdelnur added a comment -

          committed to trunk and branch-2

          Show
          Alejandro Abdelnur added a comment - committed to trunk and branch-2
          Hide
          Hadoop QA added a comment -

          +1 overall. Here are the results of testing the latest attachment
          http://issues.apache.org/jira/secure/attachment/12531769/HADOOP-8458.patch
          against trunk revision .

          +1 @author. The patch does not contain any @author tags.

          +1 tests included. The patch appears to include 1 new or modified test files.

          +1 javac. The applied patch does not increase the total number of javac compiler warnings.

          +1 javadoc. The javadoc tool did not generate any warning messages.

          +1 eclipse:eclipse. The patch built with eclipse:eclipse.

          +1 findbugs. The patch does not introduce any new Findbugs (version 1.3.9) warnings.

          +1 release audit. The applied patch does not increase the total number of release audit warnings.

          +1 core tests. The patch passed unit tests in hadoop-common-project/hadoop-auth.

          +1 contrib tests. The patch passed contrib unit tests.

          Test results: https://builds.apache.org/job/PreCommit-HADOOP-Build/1109//testReport/
          Console output: https://builds.apache.org/job/PreCommit-HADOOP-Build/1109//console

          This message is automatically generated.

          Show
          Hadoop QA added a comment - +1 overall. Here are the results of testing the latest attachment http://issues.apache.org/jira/secure/attachment/12531769/HADOOP-8458.patch against trunk revision . +1 @author. The patch does not contain any @author tags. +1 tests included. The patch appears to include 1 new or modified test files. +1 javac. The applied patch does not increase the total number of javac compiler warnings. +1 javadoc. The javadoc tool did not generate any warning messages. +1 eclipse:eclipse. The patch built with eclipse:eclipse. +1 findbugs. The patch does not introduce any new Findbugs (version 1.3.9) warnings. +1 release audit. The applied patch does not increase the total number of release audit warnings. +1 core tests. The patch passed unit tests in hadoop-common-project/hadoop-auth. +1 contrib tests. The patch passed contrib unit tests. Test results: https://builds.apache.org/job/PreCommit-HADOOP-Build/1109//testReport/ Console output: https://builds.apache.org/job/PreCommit-HADOOP-Build/1109//console This message is automatically generated.
          Alejandro Abdelnur made changes -
          Attachment HADOOP-8458.patch [ 12531769 ]
          Hide
          Alejandro Abdelnur added a comment -

          updated patch reformatting lines to be within 80 chars.

          I'll wait till tomorrow mid day PST for Daryn's comments, after that I'll commit if there are no objections.

          Show
          Alejandro Abdelnur added a comment - updated patch reformatting lines to be within 80 chars. I'll wait till tomorrow mid day PST for Daryn's comments, after that I'll commit if there are no objections.
          Hide
          Aaron T. Myers added a comment -

          The patch contains a few lines that are over 80 chars, with some over 100. Otherwise the patch looks good to me. +1 from me once this is addressed.

          I agree that this shouldn't affect host-based tokens at all. Daryn, could you please take a look soon to allay any concerns you might have?

          Show
          Aaron T. Myers added a comment - The patch contains a few lines that are over 80 chars, with some over 100. Otherwise the patch looks good to me. +1 from me once this is addressed. I agree that this shouldn't affect host-based tokens at all. Daryn, could you please take a look soon to allay any concerns you might have?
          Hide
          Alejandro Abdelnur added a comment -

          @Daryn, any update on your side? BTW, don't see how this JIRA would affect host-based tokens as it is only enabling a mechanism for the authhandler to perform auth management operations.

          Show
          Alejandro Abdelnur added a comment - @Daryn, any update on your side? BTW, don't see how this JIRA would affect host-based tokens as it is only enabling a mechanism for the authhandler to perform auth management operations.
          Hide
          Daryn Sharp added a comment -

          Please give me a little time to review to ensure this doesn't affect host-based tokens.

          Show
          Daryn Sharp added a comment - Please give me a little time to review to ensure this doesn't affect host-based tokens.
          Alejandro Abdelnur made changes -
          Link This issue blocks HADOOP-8465 [ HADOOP-8465 ]
          Hide
          Hadoop QA added a comment -

          +1 overall. Here are the results of testing the latest attachment
          http://issues.apache.org/jira/secure/attachment/12530417/HADOOP-8458.patch
          against trunk revision .

          +1 @author. The patch does not contain any @author tags.

          +1 tests included. The patch appears to include 1 new or modified test files.

          +1 javac. The applied patch does not increase the total number of javac compiler warnings.

          +1 javadoc. The javadoc tool did not generate any warning messages.

          +1 eclipse:eclipse. The patch built with eclipse:eclipse.

          +1 findbugs. The patch does not introduce any new Findbugs (version 1.3.9) warnings.

          +1 release audit. The applied patch does not increase the total number of release audit warnings.

          +1 core tests. The patch passed unit tests in hadoop-common-project/hadoop-auth.

          +1 contrib tests. The patch passed contrib unit tests.

          Test results: https://builds.apache.org/job/PreCommit-HADOOP-Build/1064//testReport/
          Console output: https://builds.apache.org/job/PreCommit-HADOOP-Build/1064//console

          This message is automatically generated.

          Show
          Hadoop QA added a comment - +1 overall. Here are the results of testing the latest attachment http://issues.apache.org/jira/secure/attachment/12530417/HADOOP-8458.patch against trunk revision . +1 @author. The patch does not contain any @author tags. +1 tests included. The patch appears to include 1 new or modified test files. +1 javac. The applied patch does not increase the total number of javac compiler warnings. +1 javadoc. The javadoc tool did not generate any warning messages. +1 eclipse:eclipse. The patch built with eclipse:eclipse. +1 findbugs. The patch does not introduce any new Findbugs (version 1.3.9) warnings. +1 release audit. The applied patch does not increase the total number of release audit warnings. +1 core tests. The patch passed unit tests in hadoop-common-project/hadoop-auth. +1 contrib tests. The patch passed contrib unit tests. Test results: https://builds.apache.org/job/PreCommit-HADOOP-Build/1064//testReport/ Console output: https://builds.apache.org/job/PreCommit-HADOOP-Build/1064//console This message is automatically generated.
          Alejandro Abdelnur made changes -
          Status Open [ 1 ] Patch Available [ 10002 ]
          Hadoop Flags Incompatible change [ 10342 ]
          Hide
          Alejandro Abdelnur added a comment -

          while AuthenticationHandler is a 'private' API it may break existing implementations (Oozie, hbase, etc.), the solution for those implementations is to add the new method doing a NOP and returning TRUE.

          Show
          Alejandro Abdelnur added a comment - while AuthenticationHandler is a 'private' API it may break existing implementations (Oozie, hbase, etc.), the solution for those implementations is to add the new method doing a NOP and returning TRUE.
          Alejandro Abdelnur made changes -
          Attachment HADOOP-8458.patch [ 12530417 ]
          Hide
          Alejandro Abdelnur added a comment -

          This patch adds a new method to the AuthenticationHandler interface:

          public boolean managementOperation(AuthenticationToken token,
            HttpServletRequest request,  HttpServletResponse response) 
            throws IOException, AuthenticationException;
          

          This method is allows interacting with the incoming request in both authenticated and non-authenticated modes and it can let the request continue processing or stop processing.

          Show
          Alejandro Abdelnur added a comment - This patch adds a new method to the AuthenticationHandler interface: public boolean managementOperation(AuthenticationToken token, HttpServletRequest request, HttpServletResponse response) throws IOException, AuthenticationException; This method is allows interacting with the incoming request in both authenticated and non-authenticated modes and it can let the request continue processing or stop processing.
          Alejandro Abdelnur made changes -
          Field Original Value New Value
          Link This issue is required by HDFS-3113 [ HDFS-3113 ]
          Alejandro Abdelnur created issue -

            People

            • Assignee:
              Alejandro Abdelnur
              Reporter:
              Alejandro Abdelnur
            • Votes:
              0 Vote for this issue
              Watchers:
              5 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved:

                Development