This is an automated email from the ASF dual-hosted git repository.

smolnar pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/knox.git


The following commit(s) were added to refs/heads/master by this push:
     new d36f29a  KNOX-2672 - Handle aliases in HadoopAuth filter on gateway 
level too (#503)
d36f29a is described below

commit d36f29ae0052f930394e52f9e169cf8e78ac54a9
Author: Sandor Molnar <[email protected]>
AuthorDate: Sun Oct 3 20:29:20 2021 +0200

    KNOX-2672 - Handle aliases in HadoopAuth filter on gateway level too (#503)
---
 .../gateway/hadoopauth/HadoopAuthMessages.java     |  3 ++
 .../hadoopauth/filter/HadoopAuthFilter.java        | 50 +++++++++++++---------
 .../hadoopauth/filter/HadoopAuthFilterTest.java    | 19 ++++++--
 3 files changed, 49 insertions(+), 23 deletions(-)

diff --git 
a/gateway-provider-security-hadoopauth/src/main/java/org/apache/knox/gateway/hadoopauth/HadoopAuthMessages.java
 
b/gateway-provider-security-hadoopauth/src/main/java/org/apache/knox/gateway/hadoopauth/HadoopAuthMessages.java
index f121730..06bde79 100755
--- 
a/gateway-provider-security-hadoopauth/src/main/java/org/apache/knox/gateway/hadoopauth/HadoopAuthMessages.java
+++ 
b/gateway-provider-security-hadoopauth/src/main/java/org/apache/knox/gateway/hadoopauth/HadoopAuthMessages.java
@@ -47,4 +47,7 @@ public interface HadoopAuthMessages {
 
   @Message( level = MessageLevel.ERROR, text = "Error while checking whether 
path {0} should be allowed unauthenticated access : {1}" )
   void unauthenticatedPathError(String path, String error);
+
+  @Message(level=MessageLevel.WARN, text="{1} alias is NOT stored on neither 
topology ({0}) nor gateway levels.")
+  void noAliasStored(String cluster, String alias);
 }
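Review bot: The text of the new `noAliasStored` message uses a double negative ("is NOT stored on neither ... nor"), which reads ambiguously in a log line that operators will see when a secret fails to resolve. A plainer form would be `text="Alias {1} is stored on neither topology ({0}) nor gateway level."`. The other message visible in this hunk, `unauthenticatedPathError`, is logged at `MessageLevel.ERROR`; consider whether an unresolved alias deserves the same level rather than `WARN`, since the configuration value it was meant to supply is then missing.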
diff --git 
a/gateway-provider-security-hadoopauth/src/main/java/org/apache/knox/gateway/hadoopauth/filter/HadoopAuthFilter.java
 
b/gateway-provider-security-hadoopauth/src/main/java/org/apache/knox/gateway/hadoopauth/filter/HadoopAuthFilter.java
index d26271d..1e23167 100755
--- 
a/gateway-provider-security-hadoopauth/src/main/java/org/apache/knox/gateway/hadoopauth/filter/HadoopAuthFilter.java
+++ 
b/gateway-provider-security-hadoopauth/src/main/java/org/apache/knox/gateway/hadoopauth/filter/HadoopAuthFilter.java
@@ -103,7 +103,7 @@ public class HadoopAuthFilter extends
 
   private final Set<String> ignoreDoAs = new HashSet<>();
   private JWTFederationFilter jwtFilter;
-  private Set<String> unAuthenticatedPaths = new HashSet(20);
+  private Set<String> unAuthenticatedPaths = new HashSet<>(20);
 
   @Override
   protected Properties getConfiguration(String configPrefix, FilterConfig 
filterConfig) throws ServletException {
@@ -352,33 +352,43 @@ public class HadoopAuthFilter extends
   }
 
   // Visible for testing
-  Properties getConfiguration(AliasService aliasService, String configPrefix,
-                                        FilterConfig filterConfig) throws 
ServletException {
-
-    String clusterName = filterConfig.getInitParameter("clusterName");
-
-    Properties props = new Properties();
-    Enumeration<String> names = filterConfig.getInitParameterNames();
+  Properties getConfiguration(AliasService aliasService, String configPrefix, 
FilterConfig filterConfig) throws ServletException {
+    final Properties props = new Properties();
+    final Enumeration<String> names = filterConfig.getInitParameterNames();
     while (names.hasMoreElements()) {
       String name = names.nextElement();
       if (name.startsWith(configPrefix)) {
-        String value = filterConfig.getInitParameter(name);
+        String value = handleAlias(aliasService, filterConfig, 
filterConfig.getInitParameter(name), name);
+        props.put(name.substring(configPrefix.length()), value);
+      }
+    }
+    return props;
+  }
 
-        // Handle the case value is an alias
-        if (value.startsWith("${ALIAS=") && value.endsWith("}")) {
-          String alias = value.substring("${ALIAS=".length(), value.length() - 
1);
-          try {
-            value = String.valueOf(
-                aliasService.getPasswordFromAliasForCluster(clusterName, 
alias));
-          } catch (AliasServiceException e) {
-            throw new ServletException("Unable to retrieve alias for config: " 
+ name, e);
+  private String handleAlias(AliasService aliasService, FilterConfig 
filterConfig, String value, String name) throws ServletException {
+    String result = value;
+    // Handle the case value is an alias
+    if (value.startsWith("${ALIAS=") && value.endsWith("}")) {
+      try {
+        final String clusterName = 
filterConfig.getInitParameter("clusterName");
+        final String alias = value.substring("${ALIAS=".length(), 
value.length() - 1);
+        final char[] topologyLevelAliasValue = 
aliasService.getPasswordFromAliasForCluster(clusterName, alias);
+        if (topologyLevelAliasValue == null) {
+          //try on gateway-level
+          final char[] gatewayLevelAliasValue = 
aliasService.getPasswordFromAliasForGateway(alias);
+          if (gatewayLevelAliasValue != null) {
+            result = String.valueOf(gatewayLevelAliasValue);
+          } else {
+            LOG.noAliasStored(clusterName, alias);
           }
+        } else {
+          result = String.valueOf(topologyLevelAliasValue);
         }
-
-        props.put(name.substring(configPrefix.length()), value);
+      } catch (AliasServiceException e) {
+        throw new ServletException("Unable to retrieve alias for config: " + 
name, e);
       }
     }
-    return props;
+    return result;
   }
 
   boolean isJwtSupported() {
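Review bot: In `handleAlias`, an alias found at neither topology nor gateway level is only logged via `LOG.noAliasStored(clusterName, alias)`, and the method then returns the unresolved `${ALIAS=...}` text, which `getConfiguration` puts into `props` as the configuration value. For a setting such as `signature.secret` (the alias used in this commit's test), that would presumably leave the filter running with a predictable placeholder string as its secret instead of refusing to start; how `props` is consumed is outside the hunk, so this should be confirmed. The lookup should fail closed: keep the log call and follow it with `throw new ServletException("No alias stored for config: " + name);`. The removed code passed the lookup result straight to `String.valueOf(char[])`, which throws on `null`, so a missing alias did not previously pass through silently.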
diff --git 
a/gateway-provider-security-hadoopauth/src/test/java/org/apache/knox/gateway/hadoopauth/filter/HadoopAuthFilterTest.java
 
b/gateway-provider-security-hadoopauth/src/test/java/org/apache/knox/gateway/hadoopauth/filter/HadoopAuthFilterTest.java
index 20825a5..355005a 100644
--- 
a/gateway-provider-security-hadoopauth/src/test/java/org/apache/knox/gateway/hadoopauth/filter/HadoopAuthFilterTest.java
+++ 
b/gateway-provider-security-hadoopauth/src/test/java/org/apache/knox/gateway/hadoopauth/filter/HadoopAuthFilterTest.java
@@ -67,7 +67,11 @@ public class HadoopAuthFilterTest {
   private static final String JWKS_PATH = "/knoxtoken/api/v1/jwks.json";
 
   @Test
-  public void testHadoopAuthFilterAliases() throws Exception {
+  public void testHadoopAuthFilterAliasesOnTopologyLevel() throws Exception {
+    testHadoopAuthFilterAliases(true);
+  }
+
+  private void testHadoopAuthFilterAliases(boolean topologyLevel) throws 
Exception {
     String aliasKey = "signature.secret";
     String aliasConfigKey = "${ALIAS=" + aliasKey + "}";
     String aliasValue = "password";
@@ -77,8 +81,12 @@ public class HadoopAuthFilterTest {
     topology.setName(clusterName);
 
     AliasService as = createMock(AliasService.class);
-    expect(as.getPasswordFromAliasForCluster(clusterName, aliasKey))
-        .andReturn(aliasValue.toCharArray()).atLeastOnce();
+    if (topologyLevel) {
+      expect(as.getPasswordFromAliasForCluster(clusterName, 
aliasKey)).andReturn(aliasValue.toCharArray()).anyTimes();
+    } else {
+      expect(as.getPasswordFromAliasForCluster(clusterName, 
aliasKey)).andReturn(null).anyTimes();
+      
expect(as.getPasswordFromAliasForGateway(aliasKey)).andReturn(aliasValue.toCharArray()).anyTimes();
+    }
 
     String configPrefix = "hadoop.auth.config.";
 
@@ -105,6 +113,11 @@ public class HadoopAuthFilterTest {
   }
 
   @Test
+  public void testHadoopAuthFilterAliasesOnGatewayLevel() throws Exception {
+    testHadoopAuthFilterAliases(false);
+  }
+
+  @Test
   public void testHadoopAuthFilterIgnoreDoAs() throws Exception {
     Topology topology = new Topology();
     topology.setName("Sample");
