This proposed change adds Basic HTTP Auth functionality to the Oozie CLI. This would never be used in a usual Oozie installation because Oozie servers support token-based authentication: Pseudo/Simple Auth and Kerberos.
Basic HTTP Auth is needed in the Oozie CLI for when the Oozie service is placed behind a gateway that uses Basic HTTP Auth over SSL. It is assumed that the Oozie service is running with authorization turned off, because the gateway is handling authorization. Once the user authenticates himself to the gateway, the request is forwarded through the gateway to the oozie service.
This had to be implemented outside of the custom authentication framework provided by Oozie because basic auth requires adding a request property to each connection created. It's completely possible that there is a cleaner way of implementing this, if so please let me know!
Two additions were implemented in the CLI:
- Indication to use Basic Auth. This is done by specifying BASIC as the argument to the -auth argument.
- Configuration of Basic Auth.
- Introduction of -username and -password command line arguments.
- If the auth mode is BASIC, only -username is provided, and the OOZIEPASSWORD environment variable is set, the OOZIEPASSWORD environment variable will be used for the password.
- If mode is BASIC and only -username is provided, and OOZIEPASSWORD is undefined, the user will be prompted for the password, and the shell facilities for masking input will be used.