This is an automated email from the ASF dual-hosted git repository.
krisden pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/knox.git
The following commit(s) were added to refs/heads/master by this push:
new f7acac9 KNOX-2026 - Accept Impala's authentication cookies (#161)
f7acac9 is described below
commit f7acac99b10064f6f992f3352d2446d6661fe373
Author: Thomas Tauber-Marshall <[email protected]>
AuthorDate: Wed Oct 9 08:58:32 2019 -0700
KNOX-2026 - Accept Impala's authentication cookies (#161)
This patch modifies HadoopAuthCookieStore to accept cookies with
Impala's cookie name, "impala.auth".
It also updates a check that is used to ensure the cookie belongs to
Knox - previously, this check parsed the cookie according to the
specific format that Hadoop uses for its cookies and ensures that the
Knox principal appears in the expected location.
Impala uses a similar cookie format, but with a few changes such as
fields being in a different order. The check is made more permissive
such that it will accept any cookie that contains the Knox principal
anywhere in it.
Testing:
- Deployed in a cluster and verified that Knox accepts and returns
Impala's cookies as expected.
---
.../gateway/dispatch/HadoopAuthCookieStore.java | 24 ++++++++--------------
1 file changed, 9 insertions(+), 15 deletions(-)
diff --git
a/gateway-spi/src/main/java/org/apache/knox/gateway/dispatch/HadoopAuthCookieStore.java
b/gateway-spi/src/main/java/org/apache/knox/gateway/dispatch/HadoopAuthCookieStore.java
index bd85617..522019b 100644
---
a/gateway-spi/src/main/java/org/apache/knox/gateway/dispatch/HadoopAuthCookieStore.java
+++
b/gateway-spi/src/main/java/org/apache/knox/gateway/dispatch/HadoopAuthCookieStore.java
@@ -38,6 +38,7 @@ public class HadoopAuthCookieStore extends BasicCookieStore {
private static final String HADOOP_AUTH_COOKIE_NAME = "hadoop.auth";
private static final String HIVE_SERVER2_AUTH_COOKIE_NAME =
"hive.server2.auth";
+ private static final String IMPALA_AUTH_COOKIE_NAME = "impala.auth";
private static String knoxPrincipal;
@@ -73,28 +74,21 @@ public class HadoopAuthCookieStore extends BasicCookieStore
{
private boolean isAuthCookie(Cookie cookie) {
return HADOOP_AUTH_COOKIE_NAME.equals(cookie.getName()) ||
- HIVE_SERVER2_AUTH_COOKIE_NAME.equals(cookie.getName());
+ HIVE_SERVER2_AUTH_COOKIE_NAME.equals(cookie.getName()) ||
+ IMPALA_AUTH_COOKIE_NAME.equals(cookie.getName());
}
private boolean isKnoxCookie(Cookie cookie) {
boolean result = false;
+ // We expect cookies to be some delimited list of parameters, eg.
username, principal,
+ // timestamp, random number, etc. along with an HMAC signature. To ensure
we only
+ // store cookies that are relevant to Knox, we check that the Knox
principal appears
+ // somewhere in the cookie value.
if (cookie != null) {
String value = cookie.getValue();
- if (value != null && !value.isEmpty()) {
- String principal = null;
-
- String[] cookieParts = value.split("&");
- if (cookieParts.length > 1) {
- String[] elementParts = cookieParts[1].split("=");
- if (elementParts.length == 2) {
- principal = elementParts[1];
- }
-
- if (principal != null) {
- result = principal.equals(knoxPrincipal);
- }
- }
+ if (value != null && value.contains(knoxPrincipal)) {
+ result = true;
}
}
