This is an automated email from the ASF dual-hosted git repository.
pramod pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/apex-core.git
The following commit(s) were added to refs/heads/master by this push:
new 4464082 APEXCORE-757 Web authentication DISABLE option not working.
4464082 is described below
commit 44640824cbea2ff588d9c56e6b2d97117051d63a
Author: Thomas Weise <[email protected]>
AuthorDate: Thu Jul 13 18:50:58 2017 -0700
APEXCORE-757 Web authentication DISABLE option not working.
---
.../stram/StreamingAppMasterService.java | 42 +-----------
.../com/datatorrent/stram/util/SecurityUtils.java | 74 +++++++++++++++++++++-
2 files changed, 72 insertions(+), 44 deletions(-)
diff --git
a/engine/src/main/java/com/datatorrent/stram/StreamingAppMasterService.java
b/engine/src/main/java/com/datatorrent/stram/StreamingAppMasterService.java
index 5de8288..5030a32 100644
--- a/engine/src/main/java/com/datatorrent/stram/StreamingAppMasterService.java
+++ b/engine/src/main/java/com/datatorrent/stram/StreamingAppMasterService.java
@@ -55,7 +55,6 @@ import org.apache.commons.io.FileUtils;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.lang3.tuple.MutablePair;
import org.apache.hadoop.conf.Configuration;
-import org.apache.hadoop.fs.Path;
import org.apache.hadoop.io.Text;
import org.apache.hadoop.net.NetUtils;
import org.apache.hadoop.security.Credentials;
@@ -87,7 +86,6 @@ import org.apache.hadoop.yarn.util.Records;
import org.apache.hadoop.yarn.util.SystemClock;
import org.apache.hadoop.yarn.webapp.WebApp;
import org.apache.hadoop.yarn.webapp.WebApps;
-import org.apache.hadoop.yarn.webapp.util.WebAppUtils;
import com.google.common.collect.Maps;
import com.google.common.collect.Sets;
@@ -96,7 +94,6 @@ import com.datatorrent.api.Attribute;
import com.datatorrent.api.AutoMetric;
import com.datatorrent.api.Context;
import com.datatorrent.api.Context.DAGContext;
-import com.datatorrent.api.Context.SSLConfig;
import com.datatorrent.api.DAG;
import com.datatorrent.api.StringCodec;
import com.datatorrent.stram.StreamingContainerAgent.ContainerStartRequest;
@@ -114,7 +111,6 @@ import com.datatorrent.stram.plan.physical.PTOperator;
import com.datatorrent.stram.security.StramDelegationTokenIdentifier;
import com.datatorrent.stram.security.StramDelegationTokenManager;
import com.datatorrent.stram.security.StramUserLogin;
-import com.datatorrent.stram.security.StramWSFilterInitializer;
import com.datatorrent.stram.util.ConfigUtils;
import com.datatorrent.stram.util.SecurityUtils;
import com.datatorrent.stram.webapp.AppInfo;
@@ -135,11 +131,6 @@ public class StreamingAppMasterService extends
CompositeService
private static final long DELEGATION_TOKEN_RENEW_INTERVAL = Long.MAX_VALUE /
2;
private static final long DELEGATION_TOKEN_REMOVER_SCAN_INTERVAL = 24 * 60 *
60 * 1000;
private static final int UPDATE_NODE_REPORTS_INTERVAL = 10 * 60 * 1000;
- /**
- * Config property name for the SSL keystore location used by Hadoop webapps.
- * This should be replaced when a constant is defined there
- */
- private static final String SSL_SERVER_KEYSTORE_LOCATION =
"ssl.server.keystore.location";
private AMRMClient<ContainerRequest> amRmClient;
private NMClientAsync nmClient;
private LogicalPlan dag;
@@ -640,13 +631,7 @@ public class StreamingAppMasterService extends
CompositeService
}
try {
- Configuration config = getConfig();
- if (SecurityUtils.isStramWebSecurityEnabled()) {
- config = new Configuration(config);
- config.set("hadoop.http.filter.initializers",
StramWSFilterInitializer.class.getCanonicalName());
- }
- // update config with appropriate SSL params if passed via the dag
attribute SSL_CONFIG
- addSSLConfigResource(config);
+ Configuration config =
SecurityUtils.configureWebAppSecurity(getConfig(),
dag.getValue(Context.DAGContext.SSL_CONFIG));
WebApp webApp = WebApps.$for("stram", StramAppContext.class, appContext,
"ws").with(config).start(new StramWebApp(this.dnmgr));
LOG.info("Started web service at port: " + webApp.port());
appMasterTrackingUrl =
NetUtils.getConnectAddress(webApp.getListenerAddress()).getHostName() + ":" +
webApp.port();
@@ -660,31 +645,6 @@ public class StreamingAppMasterService extends
CompositeService
}
}
- /**
- * Modify config object by adding SSL related parameters into a resource for
WebApp's use
- *
- * @param config Configuration to be modified
- */
- private void addSSLConfigResource(Configuration config)
- {
- SSLConfig sslConfig = dag.getValue(Context.DAGContext.SSL_CONFIG);
- if (sslConfig != null) {
- String nodeLocalConfig = sslConfig.getConfigPath();
- if (StringUtils.isNotEmpty(nodeLocalConfig)) {
- config.addResource(new Path(nodeLocalConfig));
- } else {
- // create a configuration object and add it as a resource
- Configuration sslConfigResource = new Configuration(false);
-
- final String SSL_CONFIG_LONG_NAME =
Context.DAGContext.SSL_CONFIG.getLongName();
- sslConfigResource.set(SSL_SERVER_KEYSTORE_LOCATION, new
Path(sslConfig.getKeyStorePath()).getName(), SSL_CONFIG_LONG_NAME);
- sslConfigResource.set(WebAppUtils.WEB_APP_KEYSTORE_PASSWORD_KEY,
sslConfig.getKeyStorePassword(), SSL_CONFIG_LONG_NAME);
- sslConfigResource.set(WebAppUtils.WEB_APP_KEY_PASSWORD_KEY,
sslConfig.getKeyStoreKeyPassword(), SSL_CONFIG_LONG_NAME);
- config.addResource(sslConfigResource);
- }
- }
- }
-
@Override
protected void serviceStop() throws Exception
{
diff --git a/engine/src/main/java/com/datatorrent/stram/util/SecurityUtils.java
b/engine/src/main/java/com/datatorrent/stram/util/SecurityUtils.java
index 3985827..dae9552 100644
--- a/engine/src/main/java/com/datatorrent/stram/util/SecurityUtils.java
+++ b/engine/src/main/java/com/datatorrent/stram/util/SecurityUtils.java
@@ -18,12 +18,23 @@
*/
package com.datatorrent.stram.util;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import org.apache.commons.lang.StringUtils;
import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.fs.Path;
import org.apache.hadoop.security.UserGroupInformation;
+import org.apache.hadoop.yarn.webapp.util.WebAppUtils;
+
+import com.google.common.annotations.VisibleForTesting;
+import com.datatorrent.api.Context;
+import com.datatorrent.api.Context.SSLConfig;
import com.datatorrent.api.Context.StramHTTPAuthentication;
import com.datatorrent.stram.security.AuthScheme;
import com.datatorrent.stram.security.StramUserLogin;
+import com.datatorrent.stram.security.StramWSFilterInitializer;
/**
*
@@ -32,9 +43,16 @@ import com.datatorrent.stram.security.StramUserLogin;
*/
public class SecurityUtils
{
-
- public static final String HADOOP_HTTP_AUTH_PROP =
"hadoop.http.authentication.type";
+ private static final Logger LOG =
LoggerFactory.getLogger(SecurityUtils.class);
+ @VisibleForTesting
+ protected static final String HADOOP_HTTP_AUTH_PROP =
"hadoop.http.authentication.type";
private static final String HADOOP_HTTP_AUTH_VALUE_SIMPLE = "simple";
+ private static final String HADOOP_HTTP_AUTH_SIMPLE_ANONYMOUS_ALLOWED_PROP =
"hadoop.http.authentication.simple.anonymous.allowed";
+ /**
+ * Config property name for the SSL keystore location used by Hadoop webapps.
+ * This should be replaced when a constant is defined there
+ */
+ private static final String SSL_SERVER_KEYSTORE_LOCATION =
"ssl.server.keystore.location";
// If not initialized explicitly using init call, default to Hadoop auth for
backwards compatibility
private static boolean stramWebSecurityEnabled =
UserGroupInformation.isSecurityEnabled();
@@ -87,9 +105,59 @@ public class SecurityUtils
return hadoopWebSecurityEnabled;
}
- public static boolean isStramWebSecurityEnabled()
+ @VisibleForTesting
+ protected static boolean isStramWebSecurityEnabled()
{
return stramWebSecurityEnabled;
}
+ /**
+ * Setup security related configuration for {@link
org.apache.hadoop.yarn.webapp.WebApp}.
+ * @param config
+ * @param sslConfig
+ * @return
+ */
+ public static Configuration configureWebAppSecurity(Configuration config,
SSLConfig sslConfig)
+ {
+ if (isStramWebSecurityEnabled()) {
+ config = new Configuration(config);
+ config.set("hadoop.http.filter.initializers",
StramWSFilterInitializer.class.getCanonicalName());
+ } else {
+ String authType = config.get(HADOOP_HTTP_AUTH_PROP);
+ if (!HADOOP_HTTP_AUTH_VALUE_SIMPLE.equals(authType)) {
+ // turn off authentication for Apex as specified by user
+ LOG.warn("Found {} {} but authentication was disabled in Apex.",
HADOOP_HTTP_AUTH_PROP, authType);
+ config = new Configuration(config);
+ config.set(HADOOP_HTTP_AUTH_PROP, HADOOP_HTTP_AUTH_VALUE_SIMPLE);
+ config.setBoolean(HADOOP_HTTP_AUTH_SIMPLE_ANONYMOUS_ALLOWED_PROP,
true);
+ }
+ }
+ if (sslConfig != null) {
+ addSSLConfigResource(config, sslConfig);
+ }
+ return config;
+ }
+
+ /**
+ * Modify config object by adding SSL related parameters into a resource for
WebApp's use
+ *
+ * @param config Configuration to be modified
+ * @param sslConfig
+ */
+ private static void addSSLConfigResource(Configuration config, SSLConfig
sslConfig)
+ {
+ String nodeLocalConfig = sslConfig.getConfigPath();
+ if (StringUtils.isNotEmpty(nodeLocalConfig)) {
+ config.addResource(new Path(nodeLocalConfig));
+ } else {
+ // create a configuration object and add it as a resource
+ Configuration sslConfigResource = new Configuration(false);
+ final String SSL_CONFIG_LONG_NAME =
Context.DAGContext.SSL_CONFIG.getLongName();
+ sslConfigResource.set(SSL_SERVER_KEYSTORE_LOCATION, new
Path(sslConfig.getKeyStorePath()).getName(), SSL_CONFIG_LONG_NAME);
+ sslConfigResource.set(WebAppUtils.WEB_APP_KEYSTORE_PASSWORD_KEY,
sslConfig.getKeyStorePassword(), SSL_CONFIG_LONG_NAME);
+ sslConfigResource.set(WebAppUtils.WEB_APP_KEY_PASSWORD_KEY,
sslConfig.getKeyStoreKeyPassword(), SSL_CONFIG_LONG_NAME);
+ config.addResource(sslConfigResource);
+ }
+ }
+
}
--
To stop receiving notification emails like this one, please contact
['"[email protected]" <[email protected]>'].
