Repository: aurora Updated Branches: refs/heads/master e34bf7c69 -> 970c2a519
Add support for shorthand names of security realm modules. Bugs closed: AURORA-1290 Reviewed at https://reviews.apache.org/r/33659/ Project: http://git-wip-us.apache.org/repos/asf/aurora/repo Commit: http://git-wip-us.apache.org/repos/asf/aurora/commit/970c2a51 Tree: http://git-wip-us.apache.org/repos/asf/aurora/tree/970c2a51 Diff: http://git-wip-us.apache.org/repos/asf/aurora/diff/970c2a51 Branch: refs/heads/master Commit: 970c2a519e4202b0cd28ff4d2e879b3fc9292f0b Parents: e34bf7c Author: Bill Farner <[email protected]> Authored: Wed Apr 29 15:08:31 2015 -0700 Committer: Bill Farner <[email protected]> Committed: Wed Apr 29 15:08:31 2015 -0700 ---------------------------------------------------------------------- docs/security.md | 16 +++++++++++----- .../vagrant/upstart/aurora-scheduler-kerberos.conf | 2 +- .../scheduler/http/api/security/ModuleParser.java | 16 ++++++++++++---- 3 files changed, 24 insertions(+), 10 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/aurora/blob/970c2a51/docs/security.md ---------------------------------------------------------------------- diff --git a/docs/security.md b/docs/security.md index 9b77781..8fcbadb 100644 --- a/docs/security.md +++ b/docs/security.md @@ -45,7 +45,7 @@ At a minimum you need to set 4 command-line flags on the scheduler: ``` -http_authentication_mechanism=BASIC --shiro_realm_modules=org.apache.aurora.scheduler.http.api.security.IniShiroRealmModule +-shiro_realm_modules=INI_AUTHNZ -shiro_ini_path=path/to/security.ini ``` 
@@ -86,7 +86,7 @@ At a minimum you need to set 6 command-line flags on the scheduler: ``` -http_authentication_mechanism=NEGOTIATE --shiro_realm_modules=org.apache.aurora.scheduler.http.api.security.Kerberos5ShiroRealmModule,org.apache.aurora.scheduler.http.api.security.IniShiroRealmModule +-shiro_realm_modules=KERBEROS5_AUTHN,INI_AUTHNZ -kerberos_server_principal=HTTP/[email protected] -kerberos_server_keytab=path/to/aurora.example.com.keytab -shiro_ini_path=path/to/security.ini @@ -114,7 +114,7 @@ Next, a Realm module must be configured to **authenticate** the current request credentials that were requested. Aurora ships with a realm module that can do this ``` --shiro_realm_modules=org.apache.aurora.scheduler.http.api.security.Kerberos5ShiroRealmModule[,...] +-shiro_realm_modules=KERBEROS5_AUTHN[,...] ``` The Kerberos5Realm requires a keytab file and a server principal name. The principal name will usually @@ -130,7 +130,7 @@ enable a realm module that provides an Authorizer implementation. For example, t IniShiroRealmModule: ``` --shiro_realm_modules=org.apache.aurora.scheduler.http.api.security.Kerberos5ShiroRealmModule,org.apache.aurora.scheduler.http.api.security.IniShiroRealmModule +-shiro_realm_modules=KERBEROS5_AUTHN,INI_AUTHNZ ``` You can then configure authorization using a security.ini file as described below @@ -250,6 +250,13 @@ public class MyRealmModule extends AbstractModule { } ``` +To use your module in the scheduler, include it as a realm module based on its fully-qualified +class name: + +``` +-shiro_realm_modules=KERBEROS5_AUTHN,INI_AUTHNZ,com.example.MyRealmModule +``` + # Known Issues While the APIs and SPIs we ship with are stable as of 0.8.0, we are aware of several incremental 
@@ -259,7 +266,6 @@ Relevant tickets: * [AURORA-343](https://issues.apache.org/jira/browse/AURORA-343): HTTPS support * [AURORA-1248](https://issues.apache.org/jira/browse/AURORA-1248): Client retries 4xx errors * [AURORA-1279](https://issues.apache.org/jira/browse/AURORA-1279): Remove kerberos-specific build targets -* [AURORA-1290](https://issues.apache.org/jira/browse/AURORA-1290): Allow specifying a shorthand for "well-known" Module FQCNs * [AURORA-1293](https://issues.apache.org/jira/browse/AURORA-1291): Consider defining a JSON format in place of INI * [AURORA-1179](https://issues.apache.org/jira/browse/AURORA-1179): Supported hashed passwords in security.ini * [AURORA-1295](https://issues.apache.org/jira/browse/AURORA-1295): Support security for the ReadOnlyScheduler service http://git-wip-us.apache.org/repos/asf/aurora/blob/970c2a51/examples/vagrant/upstart/aurora-scheduler-kerberos.conf ---------------------------------------------------------------------- diff --git a/examples/vagrant/upstart/aurora-scheduler-kerberos.conf b/examples/vagrant/upstart/aurora-scheduler-kerberos.conf index 4fd2bf6..7333e81 100644 --- a/examples/vagrant/upstart/aurora-scheduler-kerberos.conf +++ b/examples/vagrant/upstart/aurora-scheduler-kerberos.conf 
@@ -48,7 +48,7 @@ exec bin/aurora-scheduler \
   -vlog=INFO \
   -logtostderr \
   -allowed_container_types=MESOS,DOCKER \
-  -shiro_realm_modules=org.apache.aurora.scheduler.http.api.security.Kerberos5ShiroRealmModule,org.apache.aurora.scheduler.http.api.security.IniShiroRealmModule \
+  -shiro_realm_modules=KERBEROS5_AUTHN,INI_AUTHNZ \
   -shiro_ini_path=/home/vagrant/aurora/src/test/resources/org/apache/aurora/scheduler/http/api/security/shiro-example.ini \
   -http_authentication_mechanism=NEGOTIATE \
   -kerberos_server_keytab=/home/vagrant/krb5-1.13.1/build/testdir/HTTP-192.168.33.7.keytab \
http://git-wip-us.apache.org/repos/asf/aurora/blob/970c2a51/src/main/java/org/apache/aurora/scheduler/http/api/security/ModuleParser.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/aurora/scheduler/http/api/security/ModuleParser.java b/src/main/java/org/apache/aurora/scheduler/http/api/security/ModuleParser.java
index c968216..9077827 100644
--- a/src/main/java/org/apache/aurora/scheduler/http/api/security/ModuleParser.java
+++ b/src/main/java/org/apache/aurora/scheduler/http/api/security/ModuleParser.java
@@ -13,6 +13,9 @@
  */
 package org.apache.aurora.scheduler.http.api.security;
 
+import java.util.Map;
+
+import com.google.common.collect.ImmutableMap;
 import com.google.inject.Module;
 import com.twitter.common.args.ArgParser;
 import com.twitter.common.args.parsers.NonParameterizedTypeParser;
@@ -20,23 +23,28 @@ import com.twitter.common.args.parsers.NonParameterizedTypeParser;
 import org.apache.aurora.scheduler.app.Modules;
 
 /**
- * ArgParser for Guice modules. Constructs an instance of a Module with a given FQCN if it has a
- * public no-args constructor.
+ * ArgParser for Guice modules. Constructs an instance of a Module with a given alias or FQCN if it
+ * has a public no-args constructor.
  */
 @ArgParser
 public class ModuleParser extends NonParameterizedTypeParser<Module> {
+  private static final Map<String, String> NAME_ALIASES = ImmutableMap.of(
+      "KERBEROS5_AUTHN", Kerberos5ShiroRealmModule.class.getCanonicalName(),
+      "INI_AUTHNZ", IniShiroRealmModule.class.getCanonicalName());
+
   @Override
   public Module doParse(String raw) throws IllegalArgumentException {
+    String fullyQualifiedName = NAME_ALIASES.containsKey(raw) ? NAME_ALIASES.get(raw) : raw;
     Class<?> rawClass;
     try {
-      rawClass = Class.forName(raw);
+      rawClass = Class.forName(fullyQualifiedName);
     } catch (ClassNotFoundException e) {
       throw new IllegalArgumentException(e);
     }
 
     if (!Module.class.isAssignableFrom(rawClass)) {
       throw new IllegalArgumentException(
-          "Class " + raw + " must implement " + Module.class.getName());
+          "Class " + fullyQualifiedName + " must implement " + Module.class.getName());
     }
     @SuppressWarnings("unchecked")
     Class<? extends Module> moduleClass = (Class<? extends Module>) rawClass;
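Review bot: When `raw` is neither a known alias nor a loadable class, the catch after `rawClass = Class.forName(fullyQualifiedName)` rethrows `new IllegalArgumentException(e)`, whose message is only the wrapped ClassNotFoundException, so an operator who mistypes an alias (the map keys are case-sensitive, `ini_authnz` does not match `INI_AUTHNZ`) gets no hint that shorthand names exist; consider `throw new IllegalArgumentException("No realm module alias or class named " + raw + "; known aliases: " + NAME_ALIASES.keySet(), e);`. Because the name comes straight from the scheduler command line, `Class.forName(fullyQualifiedName)` also runs the named class's static initializer before the `Module.class.isAssignableFrom(rawClass)` check; `Class.forName(fullyQualifiedName, false, ModuleParser.class.getClassLoader())` defers initialization until the type check has passed. The lookup `NAME_ALIASES.containsKey(raw) ? NAME_ALIASES.get(raw) : raw` can be `NAME_ALIASES.getOrDefault(raw, raw)` if the build targets Java 8. A comment on `NAME_ALIASES` such as `// Shorthand names for bundled realm modules, as documented in docs/security.md; keys are case-sensitive and are resolved before Class.forName.` would record the contract the docs now rely on. `doParse` continues past the end of this hunk.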
