Repository: knox Updated Branches: refs/heads/master 7f8f97912 -> 138a99bed
KNOX-1339 - (KIP-11 Federation) Add support for header preauth dispatch Project: http://git-wip-us.apache.org/repos/asf/knox/repo Commit: http://git-wip-us.apache.org/repos/asf/knox/commit/138a99be Tree: http://git-wip-us.apache.org/repos/asf/knox/tree/138a99be Diff: http://git-wip-us.apache.org/repos/asf/knox/diff/138a99be Branch: refs/heads/master Commit: 138a99bed99ba1920dc09dc92886d258a5cd0091 Parents: 7f8f979 Author: Sandeep More <[email protected]> Authored: Mon Jun 11 10:50:15 2018 -0400 Committer: Sandeep More <[email protected]> Committed: Mon Jun 11 10:50:15 2018 -0400 ---------------------------------------------------------------------- .../gateway/config/impl/GatewayConfigImpl.java | 17 +++++ .../knox/gateway/config/GatewayConfig.java | 9 +++ .../HeaderPreAuthFederationDispatch.java | 74 ++++++++++++++++++++ .../apache/knox/gateway/GatewayTestConfig.java | 12 ++++ 4 files changed, 112 insertions(+) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/knox/blob/138a99be/gateway-server/src/main/java/org/apache/knox/gateway/config/impl/GatewayConfigImpl.java ----------------------------------------------------------------------
diff --git a/gateway-server/src/main/java/org/apache/knox/gateway/config/impl/GatewayConfigImpl.java b/gateway-server/src/main/java/org/apache/knox/gateway/config/impl/GatewayConfigImpl.java
index a6325b6..e0898a2 100644
--- a/gateway-server/src/main/java/org/apache/knox/gateway/config/impl/GatewayConfigImpl.java
+++ b/gateway-server/src/main/java/org/apache/knox/gateway/config/impl/GatewayConfigImpl.java
@@ -246,6 +246,11 @@ public class GatewayConfigImpl extends Configuration implements GatewayConfig {
 static final String KNOX_ADMIN_GROUPS = GATEWAY_CONFIG_FILE_PREFIX + ".knox.admin.groups";
 static final String KNOX_ADMIN_USERS = GATEWAY_CONFIG_FILE_PREFIX + ".knox.admin.users";
+ /* property that specifies custom header name to be added to outgoing federated request */
+ static final String CUSTOM_FEDERATION_HEADER_NAME = GATEWAY_CONFIG_FILE_PREFIX + ".custom.federation.header.name";
+ /* Default federated header name, see HeaderPreAuthFederationFilter.headerName */
+ static final String DEFAULT_FEDERATION_HEADER_NAME = "SM_USER";
+
 private static List<String> DEFAULT_GLOBAL_RULES_SERVICES;
@@ -1057,4 +1062,16 @@ public class GatewayConfigImpl extends Configuration implements GatewayConfig {
 return result;
 }
+ /**
+ * Custom header name to be used to pass the authenticated principal via
+ * dispatch
+ *
+ * @return
+ * @since 1.1.0
+ */
+ @Override
+ public String getFederationHeaderName() {
+ return get(CUSTOM_FEDERATION_HEADER_NAME, DEFAULT_FEDERATION_HEADER_NAME);
+ }
+
 }
http://git-wip-us.apache.org/repos/asf/knox/blob/138a99be/gateway-spi/src/main/java/org/apache/knox/gateway/config/GatewayConfig.java ----------------------------------------------------------------------
diff --git a/gateway-spi/src/main/java/org/apache/knox/gateway/config/GatewayConfig.java b/gateway-spi/src/main/java/org/apache/knox/gateway/config/GatewayConfig.java
index 3423220..78ae227 100644
--- a/gateway-spi/src/main/java/org/apache/knox/gateway/config/GatewayConfig.java
+++ b/gateway-spi/src/main/java/org/apache/knox/gateway/config/GatewayConfig.java
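Review bot: In `GatewayConfigImpl.getFederationHeaderName()` the configured value is returned without validation, so a property that is present but blank or padded with whitespace would be handed to the dispatch as the header name; the dispatch only checks for null. Because this name decides which header the receiving gateway reads as the authenticated identity, a bad value should fall back to the default, for example `final String name = get(CUSTOM_FEDERATION_HEADER_NAME, DEFAULT_FEDERATION_HEADER_NAME);` followed by `return (name == null || name.trim().isEmpty()) ? DEFAULT_FEDERATION_HEADER_NAME : name.trim();`. How the inherited `get(name, default)` treats an empty value is not visible in this hunk, so that part should be confirmed.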
@@ -400,4 +400,13 @@ public interface GatewayConfig { * @return */ String getKnoxAdminUsers(); + + /** + * Custom header name to be used to pass the authenticated principal + * via dispatch + * @since 1.1.0 + * @return + */ + String getFederationHeaderName(); + } http://git-wip-us.apache.org/repos/asf/knox/blob/138a99be/gateway-spi/src/main/java/org/apache/knox/gateway/dispatch/HeaderPreAuthFederationDispatch.java ---------------------------------------------------------------------- diff --git a/gateway-spi/src/main/java/org/apache/knox/gateway/dispatch/HeaderPreAuthFederationDispatch.java b/gateway-spi/src/main/java/org/apache/knox/gateway/dispatch/HeaderPreAuthFederationDispatch.java new file mode 100644 index 0000000..8625cd0 --- /dev/null +++ b/gateway-spi/src/main/java/org/apache/knox/gateway/dispatch/HeaderPreAuthFederationDispatch.java 
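Review bot: The Javadoc added for `getFederationHeaderName()` in `GatewayConfig` leaves `@return` empty and does not say whether an implementation may return null, although the new dispatch null-checks the result. I would state the contract on the interface, e.g. `@return the name of the request header that carries the authenticated principal to the federated gateway; never null or empty`. One more sentence should say that the receiving gateway treats this header as an identity assertion, so the name has to match what its pre-auth provider is configured to read.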
@@ -0,0 +1,74 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with this
+ * work for additional information regarding copyright ownership. The ASF
+ * licenses this file to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * <p>
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * <p>
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+ * License for the specific language governing permissions and limitations under
+ * the License.
+ */
+package org.apache.knox.gateway.dispatch;
+
+import org.apache.http.HttpResponse;
+import org.apache.http.client.methods.HttpUriRequest;
+import org.apache.knox.gateway.config.GatewayConfig;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
+import java.security.Principal;
+
+/**
+ * This dispatch should be used for federating multiple
+ * Knox instances. This dispatch will add the authentication header,
+ * which can be set using the property
+ * gateway.custom.federation.header.name
+ * in gateway-site.xml. The value of the header will be
+ * authenticated principal.
+ * Authentication provider configured in topology will be used to authenticate.
+ * The receiving Knox instance will need to have Header PreAuth
+ * provider configured to accept the requests.
+ *
+ * @since 1.1.0
+ */
+public class HeaderPreAuthFederationDispatch extends DefaultDispatch {
+
+ String headerName = "SM_USER";
+
+ /* Create an instance */
+ public HeaderPreAuthFederationDispatch() {
+ super();
+ }
+
+ @Override
+ protected void executeRequest(
+ final HttpUriRequest outboundRequest,
+ final HttpServletRequest inboundRequest,
+ final HttpServletResponse outboundResponse)
+ throws IOException {
+
+ final GatewayConfig config =
+ (GatewayConfig)inboundRequest.getServletContext().getAttribute( GatewayConfig.GATEWAY_CONFIG_ATTRIBUTE );
+
+ if(config != null && config.getFederationHeaderName() != null) {
+ headerName = config.getFederationHeaderName();
+ }
+
+ final Principal principal = inboundRequest.getUserPrincipal();
+ if(principal != null) {
+ outboundRequest.addHeader(headerName, principal.getName());
+ }
+
+ final HttpResponse inboundResponse = executeOutboundRequest(outboundRequest);
+ writeOutboundResponse(outboundRequest, inboundRequest, outboundResponse, inboundResponse);
+ }
+
+
+}
http://git-wip-us.apache.org/repos/asf/knox/blob/138a99be/gateway-test-release-utils/src/main/java/org/apache/knox/gateway/GatewayTestConfig.java ----------------------------------------------------------------------
diff --git a/gateway-test-release-utils/src/main/java/org/apache/knox/gateway/GatewayTestConfig.java b/gateway-test-release-utils/src/main/java/org/apache/knox/gateway/GatewayTestConfig.java
index cca0081..f9afa32 100644
--- a/gateway-test-release-utils/src/main/java/org/apache/knox/gateway/GatewayTestConfig.java
+++ b/gateway-test-release-utils/src/main/java/org/apache/knox/gateway/GatewayTestConfig.java
@@ -703,4 +703,16 @@ public class GatewayTestConfig extends Configuration implements GatewayConfig {
 return null;
 }
+ /**
+ * Custom header name to be used to pass the authenticated principal via
+ * dispatch
+ *
+ * @return
+ * @since 1.1.0
+ */
+ @Override
+ public String getFederationHeaderName() {
+ return "SM_USER";
+ }
+
 }
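Review bot: `HeaderPreAuthFederationDispatch.executeRequest` calls `addHeader`, which appends rather than replaces, and does nothing when `getUserPrincipal()` is null, so a header with the configured name that is already on `outboundRequest` (for instance one copied from the inbound request by the parent dispatch, which is outside this hunk) would reach the receiving gateway alongside, or instead of, the authenticated principal. Since the receiving Header PreAuth provider accepts that header as the caller's identity, the dispatch should always drop any existing header of that name and then set exactly one value taken from the authenticated principal. Separately, `headerName` is a package-visible instance field that is reassigned on every request; a local variable avoids shared mutable state if one dispatch instance serves concurrent requests, and the literal `"SM_USER"` duplicates the default already defined in `GatewayConfigImpl`. The class Javadoc should also tell operators that the receiving instance must accept this header only from trusted gateway hosts.

```java
    // … unchanged: GatewayConfig lookup from the servlet context …

    // Resolve the name per request into a local instead of rewriting the field.
    final String configured = (config == null) ? null : config.getFederationHeaderName();
    final String federationHeader = (configured != null) ? configured : headerName;

    // The receiving gateway trusts this header as the caller's identity, so a
    // value that did not come from the authenticated principal must not pass.
    outboundRequest.removeHeaders(federationHeader);

    final Principal principal = inboundRequest.getUserPrincipal();
    if(principal != null) {
      outboundRequest.setHeader(federationHeader, principal.getName());
    }

    // … unchanged: executeOutboundRequest / writeOutboundResponse …
```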
