Repository: falcon Updated Branches: refs/heads/master 0232f1b6b -> a6298f8a7
FALCON-954 Secure Kerberos setup : Falcon should periodically revalidate auth token. Contributed by Balu Vellanki Project: http://git-wip-us.apache.org/repos/asf/falcon/repo Commit: http://git-wip-us.apache.org/repos/asf/falcon/commit/a6298f8a Tree: http://git-wip-us.apache.org/repos/asf/falcon/tree/a6298f8a Diff: http://git-wip-us.apache.org/repos/asf/falcon/diff/a6298f8a Branch: refs/heads/master Commit: a6298f8a7fdccf05a5aece2289df36431558affd Parents: 0232f1b Author: Ajay Yadava <[email protected]> Authored: Fri Apr 24 21:13:46 2015 +0530 Committer: Ajay Yadava <[email protected]> Committed: Fri Apr 24 21:13:46 2015 +0530 ---------------------------------------------------------------------- CHANGES.txt | 3 ++ .../AuthenticationInitializationService.java | 47 ++++++++++++++++++-- docs/src/site/twiki/Security.twiki | 3 ++ .../org/apache/falcon/aspect/GenericAlert.java | 7 +++ src/conf/startup.properties | 3 ++ 5 files changed, 60 insertions(+), 3 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/falcon/blob/a6298f8a/CHANGES.txt ---------------------------------------------------------------------- diff --git a/CHANGES.txt b/CHANGES.txt index 267b01e..bbe3dd7 100755 --- a/CHANGES.txt +++ b/CHANGES.txt @@ -18,6 +18,9 @@ Trunk (Unreleased) OPTIMIZATIONS BUG FIXES + FALCON-954 Secure Kerberos setup : Falcon should periodically revalidate + auth token (Balu Vellanki via Ajay Yadava) + FALCON-1146 feed retention policy deleted everything all the way up to the root (Peeyush Bishnoi via Suhas Vasu) http://git-wip-us.apache.org/repos/asf/falcon/blob/a6298f8a/common/src/main/java/org/apache/falcon/security/AuthenticationInitializationService.java ---------------------------------------------------------------------- 
diff --git a/common/src/main/java/org/apache/falcon/security/AuthenticationInitializationService.java b/common/src/main/java/org/apache/falcon/security/AuthenticationInitializationService.java
index fbed283..cf27408 100644
--- a/common/src/main/java/org/apache/falcon/security/AuthenticationInitializationService.java
+++ b/common/src/main/java/org/apache/falcon/security/AuthenticationInitializationService.java
@@ -18,8 +18,10 @@
 package org.apache.falcon.security;
+import org.apache.commons.lang3.StringUtils;
 import org.apache.commons.lang.Validate;
 import org.apache.falcon.FalconException;
+import org.apache.falcon.aspect.GenericAlert;
 import org.apache.falcon.service.FalconService;
 import org.apache.falcon.util.StartupProperties;
 import org.apache.hadoop.conf.Configuration;
@@ -29,7 +31,10 @@ import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import java.io.File;
+import java.util.Date;
 import java.util.Properties;
+import java.util.Timer;
+import java.util.TimerTask;
 /**
@@ -49,15 +54,23 @@ public class AuthenticationInitializationService implements FalconService {
 * Constant for the configuration property that indicates the keytab file path.
 */
 protected static final String KERBEROS_KEYTAB = CONFIG_PREFIX + KerberosAuthenticationHandler.KEYTAB;
+
 /**
 * Constant for the configuration property that indicates the kerberos principal.
 */
 protected static final String KERBEROS_PRINCIPAL = CONFIG_PREFIX + KerberosAuthenticationHandler.PRINCIPAL;
+ /**
+ * Constant for the configuration property that indicates the authentication token validity time in seconds.
+ */
+ protected static final String AUTH_TOKEN_VALIDITY_SECONDS = CONFIG_PREFIX + "token.validity";
+
+ private Timer timer = new Timer();
+ private static final String SERVICE_NAME = "Authentication initialization service";
 @Override
 public String getName() {
- return "Authentication initialization service";
+ return SERVICE_NAME;
 }
 @Override
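Review bot: `private Timer timer = new Timer();` in the third hunk starts a non-daemon timer thread at construction time, even in simple-auth mode where the `else` branch of the following hunk never schedules anything, and a non-daemon thread keeps the JVM alive if `destroy()` is never reached. A named daemon timer avoids both and makes the thread identifiable in thread dumps: `private final Timer timer = new Timer("AuthTokenValidation", true);`. The field is never reassigned in this commit, so it can also be `final`.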
@@ -66,6 +79,17 @@ public class AuthenticationInitializationService implements FalconService {
 if (SecurityUtil.isSecurityEnabled()) {
 LOG.info("Falcon Kerberos Authentication Enabled!");
 initializeKerberos();
+
+ String authTokenValidity = StartupProperties.get().getProperty(AUTH_TOKEN_VALIDITY_SECONDS);
+ long validateFrequency;
+ try {
+ validateFrequency = (StringUtils.isNotEmpty(authTokenValidity))
+ ? Long.valueOf(authTokenValidity) : 86400;
+ } catch (NumberFormatException nfe) {
+ throw new FalconException("Invalid value provided for startup property \"" +
+ AUTH_TOKEN_VALIDITY_SECONDS + "\", please provide a valid long number", nfe);
+ }
+ timer.schedule(new TokenValidationThread(), 0, validateFrequency*1000);
 } else {
 LOG.info("Falcon Simple Authentication Enabled!");
 Configuration ugiConf = new Configuration();
@@ -74,7 +98,7 @@ public class AuthenticationInitializationService implements FalconService {
 }
 }
- protected void initializeKerberos() throws FalconException {
+ protected static void initializeKerberos() throws FalconException {
 try {
 Properties configuration = StartupProperties.get();
 String principal = configuration.getProperty(KERBEROS_PRINCIPAL);
@@ -96,7 +120,7 @@ public class AuthenticationInitializationService implements FalconService {
 LOG.info("Got Kerberos ticket, keytab: {}, Falcon principal: {}", keytabFilePath, principal);
 } catch (Exception ex) {
- throw new FalconException("Could not initialize " + getName()
+ throw new FalconException("Could not initialize " + SERVICE_NAME
 + ": " + ex.getMessage(), ex);
 }
 }
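Review bot: In the first hunk the parsed `token.validity` is only checked for being numeric, so a zero or negative value passes the `try` block and then fails inside `timer.schedule(...)` with `Timer`'s own `IllegalArgumentException` instead of the descriptive `FalconException`, and a very large value overflows in `validateFrequency*1000`. Add a range check after the parse: `if (validateFrequency <= 0 || validateFrequency > Long.MAX_VALUE / 1000) { throw new FalconException("Startup property \"" + AUTH_TOKEN_VALIDITY_SECONDS + "\" must be a positive number of seconds, got: " + authTokenValidity); }`. An initial delay of `0` also re-runs `initializeKerberos()` immediately after the synchronous call three lines above; `timer.schedule(new TokenValidationThread(), validateFrequency * 1000, validateFrequency * 1000)` would start revalidation one period later. `Long.parseLong` would avoid the boxing of `Long.valueOf` for a primitive target. The enclosing method begins and ends outside this hunk.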
@@ -118,5 +142,22 @@ public class AuthenticationInitializationService implements FalconService {
 @Override
 public void destroy() throws FalconException {
+ timer.cancel();
 }
+
+ private static class TokenValidationThread extends TimerTask {
+ @Override
+ public void run() {
+ try {
+ LOG.info("Validating Auth Token: {}", new Date());
+ initializeKerberos();
+ } catch (Throwable t) {
+ LOG.error("Error in Auth Token Validation task: ", t);
+ GenericAlert.initializeKerberosFailed(
+ "Exception in Auth Token Validation : ", t);
+ }
+ }
+ }
+
 }
http://git-wip-us.apache.org/repos/asf/falcon/blob/a6298f8a/docs/src/site/twiki/Security.twiki
----------------------------------------------------------------------
diff --git a/docs/src/site/twiki/Security.twiki b/docs/src/site/twiki/Security.twiki
index 7c4eb07..8955bdc 100644
--- a/docs/src/site/twiki/Security.twiki
+++ b/docs/src/site/twiki/Security.twiki
@@ -178,6 +178,9 @@ Following is the Server Side Configuration Setup for Authentication.
 # name node principal to talk to config store
 *.dfs.namenode.kerberos.principal=nn/[email protected]
+# Indicates how long (in seconds) falcon authentication token is valid before it has to be renewed.
+*.falcon.service.authentication.token.validity=86400
+
 ##### SPNEGO Configuration
 # Authentication type must be specified: simple|kerberos|<class>
http://git-wip-us.apache.org/repos/asf/falcon/blob/a6298f8a/metrics/src/main/java/org/apache/falcon/aspect/GenericAlert.java
----------------------------------------------------------------------
diff --git a/metrics/src/main/java/org/apache/falcon/aspect/GenericAlert.java b/metrics/src/main/java/org/apache/falcon/aspect/GenericAlert.java
index 2973347..321c769 100644
--- a/metrics/src/main/java/org/apache/falcon/aspect/GenericAlert.java
+++ b/metrics/src/main/java/org/apache/falcon/aspect/GenericAlert.java
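Review bot: `TokenValidationThread` is a `TimerTask`, not a `Thread`, so the name misleads; `TokenRevalidationTask` would say what it is and what it does. Catching `Throwable` is deliberate here, because an exception escaping `run()` would cancel the `Timer` and silently stop all future re-logins, but that reasoning is not visible in the code and the catch also swallows `Error`s; a comment on the catch such as `// catch everything: an uncaught exception would terminate the Timer and end periodic revalidation` records the trade-off. If `initializeKerberos()` (its body lies outside this hunk) performs a full keytab login on every run, `UserGroupInformation.checkTGTAndReloginFromKeytab()` is the lighter periodic call, since it re-logs only when the TGT is near expiry — worth confirming against the method body.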
@@ -92,6 +92,13 @@ public final class GenericAlert {
 }
 //RESUME CHECKSTYLE CHECK ParameterNumberCheck
+ @Monitored(event = "init-kerberos-failed")
+ public static String initializeKerberosFailed(
+ @Dimension(value = "message") String message,
+ @Dimension(value = "exception") Throwable throwable) {
+ return "IGNORE";
+ }
+
 @Monitored(event = "rerun-queue-failed")
 public static String alertRerunConsumerFailed(
 @Dimension(value = "message") String message,
http://git-wip-us.apache.org/repos/asf/falcon/blob/a6298f8a/src/conf/startup.properties
----------------------------------------------------------------------
diff --git a/src/conf/startup.properties b/src/conf/startup.properties
index 6bbd06e..64a7d27 100644
--- a/src/conf/startup.properties
+++ b/src/conf/startup.properties
@@ -153,6 +153,9 @@ prism.configstore.listeners=org.apache.falcon.entity.v0.EntityGraph,\
 # The kerberos names rules is to resolve kerberos principal names, refer to Hadoop's KerberosName for more details.
 *.falcon.http.authentication.kerberos.name.rules=DEFAULT
+# Indicates the validity time (in seconds) for kerberos token.
+*.falcon.service.authentication.token.validity=86400
+
 # Comma separated list of black listed users
 *.falcon.http.authentication.blacklisted.users=
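Review bot: `initializeKerberosFailed` carries no Javadoc, although its shape (two `@Dimension` parameters, `return "IGNORE"`) mirrors the sibling `alertRerunConsumerFailed` and the `@Monitored` annotation suggests the method exists to be intercepted rather than for its return value. A one-liner above the annotation would make that explicit for the next reader: `/** Raises the "init-kerberos-failed" alert when the periodic Kerberos re-login fails; the return value is ignored. */`.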
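Review bot: The comment `# Indicates the validity time (in seconds) for kerberos token.` describes the property as a token lifetime, but the service change in this commit uses it as the interval at which Falcon re-runs its keytab login, and the wording differs from the one given for the same key in Security.twiki. Aligning both on what the value actually controls, e.g. `# Interval (in seconds) at which Falcon re-logs in from its keytab to keep its Kerberos credentials valid.`, keeps operators from reading it as a ticket lifetime they must match to the KDC.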
