diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-common/src/main/java/org/apache/hadoop/yarn/server/security/http/RMAuthenticationFilterInitializer.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-common/src/main/java/org/apache/hadoop/yarn/server/security/http/RMAuthenticationFilterInitializer.java
index 9fc13348c13..98adcfd8d1c 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-common/src/main/java/org/apache/hadoop/yarn/server/security/http/RMAuthenticationFilterInitializer.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-common/src/main/java/org/apache/hadoop/yarn/server/security/http/RMAuthenticationFilterInitializer.java
@@ -31,6 +31,7 @@
 import org.apache.hadoop.http.FilterContainer;
 import org.apache.hadoop.http.FilterInitializer;
 import org.apache.hadoop.http.HttpServer2;
+import org.apache.hadoop.security.AuthenticationFilterInitializer;
 import org.apache.hadoop.security.SecurityUtil;
 import org.apache.hadoop.security.UserGroupInformation;
 import org.apache.hadoop.security.authentication.server.AuthenticationFilter;
@@ -53,38 +54,17 @@ public RMAuthenticationFilterInitializer() { } protected Map createFilterConfig(Configuration conf) { - Map filterConfig = new HashMap(); - - // setting the cookie path to root '/' so it is used for all resources. - filterConfig.put(AuthenticationFilter.COOKIE_PATH, cookiePath); + Map filterConfig = AuthenticationFilterInitializer + .getFilterConfigMap(conf, configPrefix); // Before conf object is passed in, RM has already processed it and used RM // specific configs to overwrite hadoop common ones. Hence we just need to // source hadoop.proxyuser configs here. - for (Map.Entry entry : conf) { - String propName = entry.getKey(); - if (propName.startsWith(configPrefix)) { - String value = conf.get(propName); - String name = propName.substring(configPrefix.length()); - filterConfig.put(name, value); - } else if (propName.startsWith(ProxyUsers.CONF_HADOOP_PROXYUSER)) { - String value = conf.get(propName); - String name = propName.substring("hadoop.".length()); - filterConfig.put(name, value); - } - } - // Resolve _HOST into bind address - String bindAddress = conf.get(HttpServer2.BIND_ADDRESS); - String principal = filterConfig.get(kerberosPrincipalProperty); - if (principal != null) { - try { - principal = SecurityUtil.getServerPrincipal(principal, bindAddress); - } catch (IOException ex) { - throw new RuntimeException( - "Could not resolve Kerberos principal name: " + ex.toString(), ex); - } - filterConfig.put(KerberosAuthenticationHandler.PRINCIPAL, principal); + //Add proxy user configs + for ( Map.Entry entry : conf. + getPropsWithPrefix(ProxyUsers.CONF_HADOOP_PROXYUSER).entrySet()) { + filterConfig.put("proxyuser" + entry.getKey(), entry.getValue()); } filterConfig.put(DelegationTokenAuthenticationHandler.TOKEN_KIND, 
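Review bot: A `hadoop.proxyuser.*` value now always replaces a `proxyuser.*` key that came in under `configPrefix`, because the proxy-user loop in `createFilterConfig` runs after `getFilterConfigMap(conf, configPrefix)`; the Timeline hunk later in this diff applies the two sources in the opposite order and says in a comment that the prefixed value wins. The removed single loop appears to have left the winner to iteration order, so the new behaviour is deterministic but undocumented, and these keys decide which users may impersonate others. I would state the precedence next to the loop, e.g. `// hadoop.proxyuser.* is applied last and overrides any proxyuser.* key set under configPrefix`, and add a test case that sets the same key under both prefixes. This assumes `getFilterConfigMap` returns the prefix-stripped entries, which this diff does not show; the body of `createFilterConfig` continues past the end of the hunk.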
@@ -95,10 +75,8 @@ public RMAuthenticationFilterInitializer() { @Override public void initFilter(FilterContainer container, Configuration conf) { - Map filterConfig = createFilterConfig(conf); container.addFilter("RMAuthenticationFilter", RMAuthenticationFilter.class.getName(), filterConfig); } - } diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-common/src/main/java/org/apache/hadoop/yarn/server/timeline/security/TimelineAuthenticationFilterInitializer.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-common/src/main/java/org/apache/hadoop/yarn/server/timeline/security/TimelineAuthenticationFilterInitializer.java index 3d8ce058952..6c326f3ae7a 100644 --- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-common/src/main/java/org/apache/hadoop/yarn/server/timeline/security/TimelineAuthenticationFilterInitializer.java +++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-common/src/main/java/org/apache/hadoop/yarn/server/timeline/security/TimelineAuthenticationFilterInitializer.java @@ -23,6 +23,7 @@ import org.apache.hadoop.http.FilterContainer; import org.apache.hadoop.http.FilterInitializer; import org.apache.hadoop.http.HttpServer2; +import org.apache.hadoop.security.AuthenticationFilterInitializer; import org.apache.hadoop.security.SecurityUtil; import org.apache.hadoop.security.authentication.server.AuthenticationFilter; import org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler; 
@@ -62,42 +63,18 @@ protected void setAuthFilterConfig(Configuration conf) { filterConfig = new HashMap(); - // setting the cookie path to root '/' so it is used for all resources. - filterConfig.put(AuthenticationFilter.COOKIE_PATH, "/"); - - for (Map.Entry entry : conf) { - String name = entry.getKey(); - if (name.startsWith(ProxyUsers.CONF_HADOOP_PROXYUSER)) { - String value = conf.get(name); - name = name.substring("hadoop.".length()); - filterConfig.put(name, value); - } - } - for (Map.Entry entry : conf) { - String name = entry.getKey(); - if (name.startsWith(PREFIX)) { - // yarn.timeline-service.http-authentication.proxyuser will override - // hadoop.proxyuser - String value = conf.get(name); - name = name.substring(PREFIX.length()); - filterConfig.put(name, value); - } + for (Map.Entry entry : conf.getPropsWithPrefix(ProxyUsers + .CONF_HADOOP_PROXYUSER).entrySet()) { + filterConfig.put("proxyuser" + entry.getKey(), entry.getValue()); } - // Resolve _HOST into bind address - String bindAddress = conf.get(HttpServer2.BIND_ADDRESS); - String principal = - filterConfig.get(KerberosAuthenticationHandler.PRINCIPAL); - if (principal != null) { - try { - principal = SecurityUtil.getServerPrincipal(principal, bindAddress); - } catch (IOException ex) { - throw new RuntimeException("Could not resolve Kerberos principal " + - "name: " + ex.toString(), ex); - } - filterConfig.put(KerberosAuthenticationHandler.PRINCIPAL, - principal); - } + // yarn.timeline-service.http-authentication.proxyuser will override + // hadoop.proxyuser + Map timelineAuthProps = AuthenticationFilterInitializer + .getFilterConfigMap + (conf, PREFIX); + + filterConfig.putAll(timelineAuthProps); } protected Map getFilterConfig() { 
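Review bot: The `"proxyuser" + entry.getKey()` re-prefixing in `setAuthFilterConfig` is an uncommented copy of the loop added to `RMAuthenticationFilterInitializer.createFilterConfig`, and it only yields `proxyuser.<user>.<key>` because `getPropsWithPrefix` strips the prefix and leaves the leading dot. A short comment would save the next reader the lookup, e.g. `// keys come back as ".<user>.hosts"; re-add "proxyuser" to rebuild the filter's key`. Since both initializers now carry the same three lines, moving them into one shared helper beside `getFilterConfigMap` would keep the two copies from drifting apart. The cookie-path default and `_HOST` principal resolution removed here are presumably handled inside `getFilterConfigMap`, which this diff does not show, and the only test added covers the RM initializer. `setAuthFilterConfig` starts above the hunk.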
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/security/TestRMAuthenticationFilter.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/security/TestRMAuthenticationFilter.java new file mode 100644 index 00000000000..6920a9a34d7 --- /dev/null +++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/security/TestRMAuthenticationFilter.java @@ -0,0 +1,80 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + *

+ * http://www.apache.org/licenses/LICENSE-2.0 + *

+ * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.hadoop.yarn.server.resourcemanager.security; + +import org.apache.hadoop.conf.Configuration; +import org.apache.hadoop.http.FilterContainer; +import org.apache.hadoop.http.HttpServer2; +import org.apache.hadoop.security.AuthenticationFilterInitializer; +import org.apache.hadoop.security.authentication.server.AuthenticationFilter; +import org.apache.hadoop.yarn.server.security.http.RMAuthenticationFilter; +import org.apache.hadoop.yarn.server.security.http + .RMAuthenticationFilterInitializer; +import org.junit.Test; +import org.mockito.Mockito; +import org.mockito.invocation.InvocationOnMock; +import org.mockito.stubbing.Answer; + +import java.util.Map; + +import static org.junit.Assert.assertEquals; +import static org.junit.Assert.assertNull; + +public class TestRMAuthenticationFilter { + + @SuppressWarnings("unchecked") + @Test + public void testConfiguration() throws Exception { + Configuration conf = new Configuration(); + conf.set("hadoop.http.authentication.foo", "bar"); + conf.set("hadoop.proxyuser.user.foo", "bar1"); + + conf.set(HttpServer2.BIND_ADDRESS, "barhost"); + + FilterContainer container = Mockito.mock(FilterContainer.class); + Mockito.doAnswer(new Answer() { + @Override + public Object answer(InvocationOnMock invocationOnMock) throws Throwable { + Object[] args = invocationOnMock.getArguments(); + + assertEquals("RMAuthenticationFilter", args[0]); + + assertEquals(RMAuthenticationFilter.class.getName(), args[1]); + + Map conf = (Map) args[2]; + assertEquals("/", conf.get("cookie.path")); + + assertEquals("simple", conf.get("type")); + assertEquals("36000", conf.get("token.validity")); + 
assertNull(conf.get("cookie.domain")); + assertEquals("true", conf.get("simple.anonymous.allowed")); + assertEquals("HTTP/barhost@LOCALHOST", conf.get("kerberos.principal")); + assertEquals(System.getProperty("user.home") + "/hadoop.keytab", + conf.get("kerberos.keytab")); + assertEquals("bar", conf.get("foo")); + assertEquals("bar1", conf.get("proxyuser.user.foo")); + + return null; + } + }).when(container).addFilter(Mockito.anyObject(), + Mockito.anyObject(), Mockito.>anyObject()); + + new RMAuthenticationFilterInitializer().initFilter(container, conf); + } +} +
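Review bot: Every assertion in `testConfiguration` sits inside the `Answer` attached to `container.addFilter`, so the test passes without checking anything if `initFilter` never calls `addFilter`. Add a verification after the `initFilter` call, e.g. `Mockito.verify(container).addFilter(Mockito.anyString(), Mockito.anyString(), Mockito.anyMap());`. One more case that sets the same `proxyuser.*` key under both `hadoop.http.authentication.` and `hadoop.proxyuser.` would pin which source wins, which matters because those keys control impersonation.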