Repository: lens
Updated Branches:
  refs/heads/master d0d9adf35 -> 3b10f16cd


LENS-1509 : Lens Server SPNEGO authentication


Project: http://git-wip-us.apache.org/repos/asf/lens/repo
Commit: http://git-wip-us.apache.org/repos/asf/lens/commit/e40f2dec
Tree: http://git-wip-us.apache.org/repos/asf/lens/tree/e40f2dec
Diff: http://git-wip-us.apache.org/repos/asf/lens/diff/e40f2dec

Branch: refs/heads/master
Commit: e40f2dec023eea84599124986f9061dff90ee107
Parents: d0d9adf
Author: Rajitha R <[email protected]>
Authored: Fri May 18 19:10:37 2018 +0530
Committer: Rajitha.R <[email protected]>
Committed: Fri May 18 19:10:37 2018 +0530

----------------------------------------------------------------------
 contrib/clients/python/lens/client/session.py   |  9 +++-
 contrib/clients/python/setup.py                 |  2 +-
 .../apache/lens/client/LensClientConfig.java    |  7 +++
 .../org/apache/lens/client/LensConnection.java  |  1 +
 .../lens/client/LensConnectionParams.java       |  1 +
 .../lens/server/api/LensConfConstants.java      | 17 +++++++
 .../org/apache/lens/server/BaseLensService.java | 11 +++--
 .../org/apache/lens/server/LensApplication.java |  3 ++
 .../org/apache/lens/server/LogResource.java     |  2 +
 .../server/metastore/MetastoreResource.java     |  4 +-
 .../lens/server/query/QueryServiceResource.java |  2 +
 .../server/query/save/SavedQueryResource.java   |  2 +
 .../apache/lens/server/quota/QuotaResource.java |  3 ++
 .../lens/server/scheduler/ScheduleResource.java |  2 +
 .../lens/server/session/LensSessionImpl.java    |  6 +++
 .../lens/server/session/SessionResource.java    | 51 +++++++++++++++++++-
 16 files changed, 114 insertions(+), 9 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/lens/blob/e40f2dec/contrib/clients/python/lens/client/session.py
----------------------------------------------------------------------
diff --git a/contrib/clients/python/lens/client/session.py 
b/contrib/clients/python/lens/client/session.py
index a1ccc4b..e63da1e 100644
--- a/contrib/clients/python/lens/client/session.py
+++ b/contrib/clients/python/lens/client/session.py
@@ -17,6 +17,7 @@
 
 import requests
 
+from .auth import SpnegoAuth
 from .models import WrappedJson
 from .utils import conf_to_xml
 
@@ -24,6 +25,8 @@ from .utils import conf_to_xml
 class LensSessionClient(object):
     def __init__(self, base_url, username, password, database, conf):
         self.base_url = base_url + "session/"
+        self.keytab = conf.get('lens.client.authentication.kerberos.keytab')
+        self.principal = username or 
conf.get('lens.client.authentication.kerberos.principal')
         self.open(username, password, database, conf)
 
     def __getitem__(self, key):
@@ -41,10 +44,12 @@ class LensSessionClient(object):
         payload = [('username', username), ('password', password), 
('sessionconf', conf_to_xml(conf))]
         if database:
             payload.append(('database', database))
-        r = requests.post(self.base_url, files=payload, headers={'accept': 
'application/xml'})
+        r = requests.post(self.base_url, files=payload, headers={'accept': 
'application/xml'},
+                          auth=SpnegoAuth(self.keytab, self.principal))
         r.raise_for_status()
         self._sessionid = r.text
 
     def close(self):
-        requests.delete(self.base_url, params={'sessionid': self._sessionid})
+        requests.delete(self.base_url, params={'sessionid': self._sessionid},
+                        auth=SpnegoAuth(self.keytab, self.principal))
 

http://git-wip-us.apache.org/repos/asf/lens/blob/e40f2dec/contrib/clients/python/setup.py
----------------------------------------------------------------------
diff --git a/contrib/clients/python/setup.py b/contrib/clients/python/setup.py
index de59d32..dc40bfa 100644
--- a/contrib/clients/python/setup.py
+++ b/contrib/clients/python/setup.py
@@ -57,7 +57,7 @@ setup(
     license='Apache Software License',
     author='Apache',
     tests_require=['tox'],
-    install_requires=['requests>=2.9.1', 'six>=1.10.0'],
+    install_requires=['requests>=2.9.1', 'six>=1.10.0', 'pykerberos=1.2.1'],
     cmdclass={'test': Tox},
     author_email='[email protected]',
     description='Python Lens Client',

http://git-wip-us.apache.org/repos/asf/lens/blob/e40f2dec/lens-client/src/main/java/org/apache/lens/client/LensClientConfig.java
----------------------------------------------------------------------
diff --git 
a/lens-client/src/main/java/org/apache/lens/client/LensClientConfig.java 
b/lens-client/src/main/java/org/apache/lens/client/LensClientConfig.java
index b703e13..eb12ee3 100644
--- a/lens-client/src/main/java/org/apache/lens/client/LensClientConfig.java
+++ b/lens-client/src/main/java/org/apache/lens/client/LensClientConfig.java
@@ -90,6 +90,12 @@ public class LensClientConfig extends Configuration {
 
   public static final int DEFAULT_CONNECTION_TIMEOUT_MILLIS = 60000; //60 secs
 
+  public static final String KERBEROS_PRINCIPAL = CLIENT_PFX + 
"authentication.kerberos.principal";
+
+  public static final String KERBEROS_REALM = CLIENT_PFX + 
"authentication.kerberos.realm";
+
+  public static final String KERBEROS_KEYTAB = CLIENT_PFX + 
"authentication.kerberos.keytab";
+
   /**
    * Get the username from config
    *
@@ -167,4 +173,5 @@ public class LensClientConfig extends Configuration {
   public static String getWSFilterImplConfKey(String filterName) {
     return CLIENT_PFX + filterName + WS_FILTER_IMPL_SFX;
   }
+
 }

http://git-wip-us.apache.org/repos/asf/lens/blob/e40f2dec/lens-client/src/main/java/org/apache/lens/client/LensConnection.java
----------------------------------------------------------------------
diff --git 
a/lens-client/src/main/java/org/apache/lens/client/LensConnection.java 
b/lens-client/src/main/java/org/apache/lens/client/LensConnection.java
index bb15b23..ab49831 100644
--- a/lens-client/src/main/java/org/apache/lens/client/LensConnection.java
+++ b/lens-client/src/main/java/org/apache/lens/client/LensConnection.java
@@ -185,6 +185,7 @@ public class LensConnection implements AutoCloseable {
       if (e.getCause() != null && e.getCause() instanceof ConnectException) {
         throw new 
LensClientServerConnectionException(e.getCause().getMessage(), e);
       }
+      throw e;
     }
 
     log.debug("Successfully switched to database {}", params.getDbName());

http://git-wip-us.apache.org/repos/asf/lens/blob/e40f2dec/lens-client/src/main/java/org/apache/lens/client/LensConnectionParams.java
----------------------------------------------------------------------
diff --git 
a/lens-client/src/main/java/org/apache/lens/client/LensConnectionParams.java 
b/lens-client/src/main/java/org/apache/lens/client/LensConnectionParams.java
index 3a5dcdb..90c70c8 100644
--- a/lens-client/src/main/java/org/apache/lens/client/LensConnectionParams.java
+++ b/lens-client/src/main/java/org/apache/lens/client/LensConnectionParams.java
@@ -53,6 +53,7 @@ public class LensConnectionParams {
   private Set<Class<?>> requestFilters = new HashSet<Class<?>>();
 
   private void setupRequestFilters() {
+    requestFilters.add(SpnegoClientFilter.class); // add default filter
     if (this.conf.get(LensClientConfig.SESSION_FILTER_NAMES) != null) {
       String[] filterNames = 
this.conf.getStrings(LensClientConfig.SESSION_FILTER_NAMES);
       for (String filterName : filterNames) {

http://git-wip-us.apache.org/repos/asf/lens/blob/e40f2dec/lens-server-api/src/main/java/org/apache/lens/server/api/LensConfConstants.java
----------------------------------------------------------------------
diff --git 
a/lens-server-api/src/main/java/org/apache/lens/server/api/LensConfConstants.java
 
b/lens-server-api/src/main/java/org/apache/lens/server/api/LensConfConstants.java
index f14ae44..bda995d 100644
--- 
a/lens-server-api/src/main/java/org/apache/lens/server/api/LensConfConstants.java
+++ 
b/lens-server-api/src/main/java/org/apache/lens/server/api/LensConfConstants.java
@@ -277,6 +277,11 @@ public final class LensConfConstants {
    */
   public static final String SESSION_LOGGEDIN_USER = SESSION_PFX + 
"loggedin.user";
 
+  /**
+   * constant for session proxy user
+   */
+  public static final String SESSION_PROXY_USER = SESSION_PFX + "proxy.user";
+
   // ldap user to cluster/hdfs accessing user resolver related configs
   /**
    * The Constant USER_RESOLVER_TYPE.
@@ -1297,4 +1302,16 @@ public final class LensConfConstants {
   public static final double DEFAULT_DRIVER_QUERY_COST = 0.0;
 
   public static final String DRIVER_COST_QUERY_DECIDER = DRIVER_PFX + 
"cost.query.decider.class";
+
+  public static final String AUTH_SCHEME = SERVER_PFX  + 
"authentication.scheme";
+
+  public static final String KERBEROS_PRINCIPAL = SERVER_PFX + 
"authentication.kerberos.principal";
+
+  public static final String KERBEROS_REALM = SERVER_PFX + 
"authentication.kerberos.realm";
+
+  public static final String KERBEROS_KEYTAB = SERVER_PFX + 
"authentication.kerberos.keytab";
+
+  public static final String ALLOWED_PROXY_USERS = SERVER_PFX + 
"authentication.allowed.proxy.users";
+
+
 }

http://git-wip-us.apache.org/repos/asf/lens/blob/e40f2dec/lens-server/src/main/java/org/apache/lens/server/BaseLensService.java
----------------------------------------------------------------------
diff --git 
a/lens-server/src/main/java/org/apache/lens/server/BaseLensService.java 
b/lens-server/src/main/java/org/apache/lens/server/BaseLensService.java
index b5248f3..006ee88 100644
--- a/lens-server/src/main/java/org/apache/lens/server/BaseLensService.java
+++ b/lens-server/src/main/java/org/apache/lens/server/BaseLensService.java
@@ -26,6 +26,7 @@ import java.util.ArrayList;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
+import java.util.Optional;
 import java.util.concurrent.ConcurrentHashMap;
 
 import javax.ws.rs.BadRequestException;
@@ -36,6 +37,7 @@ import javax.ws.rs.core.Response;
 
 import org.apache.lens.api.LensConf;
 import org.apache.lens.api.LensSessionHandle;
+import org.apache.lens.api.auth.AuthScheme;
 import org.apache.lens.api.session.UserSessionInfo;
 import org.apache.lens.api.util.PathValidator;
 import org.apache.lens.server.api.LensConfConstants;
@@ -73,6 +75,9 @@ import lombok.extern.slf4j.Slf4j;
 @Slf4j
 public abstract class BaseLensService extends CompositeService implements 
Externalizable, LensService,
   SessionValidator {
+  public static final Configuration CONF = LensServerConf.getHiveConf();
+  public static final Optional<AuthScheme> AUTH_SCHEME =
+          AuthScheme.getFromString(CONF.get(LensConfConstants.AUTH_SCHEME));
 
   /** The cli service. */
   private final CLIService cliService;
@@ -161,7 +166,7 @@ public abstract class BaseLensService extends 
CompositeService implements Extern
    */
   public LensSessionHandle openSession(String username, String password, 
Map<String, String> configuration)
     throws LensException {
-    return openSession(username, password, configuration, true);
+    return openSession(username, password, configuration, 
!AUTH_SCHEME.isPresent());
   }
 
   public LensSessionHandle openSession(String username, String password, 
Map<String, String> configuration,
@@ -343,9 +348,9 @@ public abstract class BaseLensService extends 
CompositeService implements Extern
         } else {
           SESSIONS_PER_USER.put(userName, --sessionCount);
         }
-      }else {
+      } else {
         log.info("Trying to decrement session count for non existing session 
{} for user {}: ",
-          sessionHandle, userName);
+                sessionHandle, userName);
       }
     }
   }

http://git-wip-us.apache.org/repos/asf/lens/blob/e40f2dec/lens-server/src/main/java/org/apache/lens/server/LensApplication.java
----------------------------------------------------------------------
diff --git 
a/lens-server/src/main/java/org/apache/lens/server/LensApplication.java 
b/lens-server/src/main/java/org/apache/lens/server/LensApplication.java
index c3f9952..1e26a9e 100644
--- a/lens-server/src/main/java/org/apache/lens/server/LensApplication.java
+++ b/lens-server/src/main/java/org/apache/lens/server/LensApplication.java
@@ -26,6 +26,7 @@ import javax.ws.rs.core.Application;
 
 import org.apache.lens.server.api.LensConfConstants;
 import org.apache.lens.server.error.GenericExceptionMapper;
+import org.apache.lens.server.error.NotAuthorizedExceptionMapper;
 
 import org.apache.hadoop.conf.Configuration;
 
@@ -67,6 +68,7 @@ public class LensApplication extends Application {
       classes.add(wsListenerClass);
       log.info("Added listener {}", wsListenerClass);
     }
+
     for (String filterName : filterNames) {
       Class wsFilterClass = 
CONF.getClass(LensConfConstants.getWSFilterImplConfKey(filterName), null);
       classes.add(wsFilterClass);
@@ -74,6 +76,7 @@ public class LensApplication extends Application {
     }
 
     classes.add(GenericExceptionMapper.class);
+    classes.add(NotAuthorizedExceptionMapper.class);
     return classes;
   }
 

http://git-wip-us.apache.org/repos/asf/lens/blob/e40f2dec/lens-server/src/main/java/org/apache/lens/server/LogResource.java
----------------------------------------------------------------------
diff --git a/lens-server/src/main/java/org/apache/lens/server/LogResource.java 
b/lens-server/src/main/java/org/apache/lens/server/LogResource.java
index d6d3348..38e33ce 100644
--- a/lens-server/src/main/java/org/apache/lens/server/LogResource.java
+++ b/lens-server/src/main/java/org/apache/lens/server/LogResource.java
@@ -32,11 +32,13 @@ import javax.ws.rs.core.Response;
 import javax.ws.rs.core.Response.Status;
 import javax.ws.rs.core.StreamingOutput;
 
+import org.apache.lens.server.auth.Authenticate;
 import org.apache.lens.server.util.UtilityMethods;
 
 /**
  * The logs resource
  */
+@Authenticate
 @Path("/logs")
 public class LogResource {
 

http://git-wip-us.apache.org/repos/asf/lens/blob/e40f2dec/lens-server/src/main/java/org/apache/lens/server/metastore/MetastoreResource.java
----------------------------------------------------------------------
diff --git 
a/lens-server/src/main/java/org/apache/lens/server/metastore/MetastoreResource.java
 
b/lens-server/src/main/java/org/apache/lens/server/metastore/MetastoreResource.java
index 8818844..f7b3427 100644
--- 
a/lens-server/src/main/java/org/apache/lens/server/metastore/MetastoreResource.java
+++ 
b/lens-server/src/main/java/org/apache/lens/server/metastore/MetastoreResource.java
@@ -42,12 +42,14 @@ import org.apache.commons.lang3.StringUtils;
 import org.apache.hadoop.hive.ql.metadata.HiveException;
 
 import lombok.extern.slf4j.Slf4j;
+import org.apache.lens.server.auth.Authenticate;
 
-/**
+  /**
  * metastore resource api
  * <p> </p>
  * This provides api for all things metastore.
  */
+@Authenticate
 @Path("metastore")
 @Produces({MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON})
 @Slf4j

http://git-wip-us.apache.org/repos/asf/lens/blob/e40f2dec/lens-server/src/main/java/org/apache/lens/server/query/QueryServiceResource.java
----------------------------------------------------------------------
diff --git 
a/lens-server/src/main/java/org/apache/lens/server/query/QueryServiceResource.java
 
b/lens-server/src/main/java/org/apache/lens/server/query/QueryServiceResource.java
index d53fbbf..d00087a 100644
--- 
a/lens-server/src/main/java/org/apache/lens/server/query/QueryServiceResource.java
+++ 
b/lens-server/src/main/java/org/apache/lens/server/query/QueryServiceResource.java
@@ -39,6 +39,7 @@ import 
org.apache.lens.server.api.annotations.MultiPurposeResource;
 import org.apache.lens.server.api.error.LensException;
 import org.apache.lens.server.api.query.QueryExecutionService;
 import org.apache.lens.server.api.query.cost.QueryCostTOBuilder;
+import org.apache.lens.server.auth.Authenticate;
 import org.apache.lens.server.error.UnSupportedOpException;
 import org.apache.lens.server.model.LogSegregationContext;
 import org.apache.lens.server.util.UtilityMethods;
@@ -54,6 +55,7 @@ import lombok.extern.slf4j.Slf4j;
  * <p></p>
  * This provides api for all things query.
  */
+@Authenticate
 @Slf4j
 @Path("/queryapi")
 public class QueryServiceResource {

http://git-wip-us.apache.org/repos/asf/lens/blob/e40f2dec/lens-server/src/main/java/org/apache/lens/server/query/save/SavedQueryResource.java
----------------------------------------------------------------------
diff --git 
a/lens-server/src/main/java/org/apache/lens/server/query/save/SavedQueryResource.java
 
b/lens-server/src/main/java/org/apache/lens/server/query/save/SavedQueryResource.java
index 72748cd..961884b 100644
--- 
a/lens-server/src/main/java/org/apache/lens/server/query/save/SavedQueryResource.java
+++ 
b/lens-server/src/main/java/org/apache/lens/server/query/save/SavedQueryResource.java
@@ -45,6 +45,7 @@ import org.apache.lens.server.api.query.QueryExecutionService;
 import org.apache.lens.server.api.query.save.*;
 import org.apache.lens.server.api.query.save.param.ParameterParser;
 import org.apache.lens.server.api.query.save.param.ParameterResolver;
+import org.apache.lens.server.auth.Authenticate;
 import org.apache.lens.server.model.LogSegregationContext;
 
 import org.apache.hadoop.hive.conf.HiveConf;
@@ -53,6 +54,7 @@ import org.glassfish.grizzly.http.server.Response;
 import org.glassfish.jersey.media.multipart.FormDataParam;
 
 
+@Authenticate
 @Path("/queryapi")
 /**
  * Saved query resource

http://git-wip-us.apache.org/repos/asf/lens/blob/e40f2dec/lens-server/src/main/java/org/apache/lens/server/quota/QuotaResource.java
----------------------------------------------------------------------
diff --git 
a/lens-server/src/main/java/org/apache/lens/server/quota/QuotaResource.java 
b/lens-server/src/main/java/org/apache/lens/server/quota/QuotaResource.java
index 2130191..18d2b20 100644
--- a/lens-server/src/main/java/org/apache/lens/server/quota/QuotaResource.java
+++ b/lens-server/src/main/java/org/apache/lens/server/quota/QuotaResource.java
@@ -18,6 +18,8 @@
  */
 package org.apache.lens.server.quota;
 
+import org.apache.lens.server.auth.Authenticate;
+
 import javax.ws.rs.GET;
 import javax.ws.rs.Path;
 import javax.ws.rs.Produces;
@@ -26,6 +28,7 @@ import javax.ws.rs.core.MediaType;
 /**
  * The Class QuotaResource.
  */
+@Authenticate
 @Path("/quota")
 public class QuotaResource {
 

http://git-wip-us.apache.org/repos/asf/lens/blob/e40f2dec/lens-server/src/main/java/org/apache/lens/server/scheduler/ScheduleResource.java
----------------------------------------------------------------------
diff --git 
a/lens-server/src/main/java/org/apache/lens/server/scheduler/ScheduleResource.java
 
b/lens-server/src/main/java/org/apache/lens/server/scheduler/ScheduleResource.java
index 6c8b8ad..1d5959b 100644
--- 
a/lens-server/src/main/java/org/apache/lens/server/scheduler/ScheduleResource.java
+++ 
b/lens-server/src/main/java/org/apache/lens/server/scheduler/ScheduleResource.java
@@ -30,6 +30,7 @@ import org.apache.lens.api.scheduler.*;
 import org.apache.lens.server.LensServices;
 import org.apache.lens.server.api.error.LensException;
 import org.apache.lens.server.api.scheduler.SchedulerService;
+import org.apache.lens.server.auth.Authenticate;
 import org.apache.lens.server.error.UnSupportedOpException;
 import org.apache.lens.server.model.LogSegregationContext;
 import org.apache.lens.server.util.UtilityMethods;
@@ -37,6 +38,7 @@ import org.apache.lens.server.util.UtilityMethods;
 /**
  * REST end point for all scheduler operations.
  */
+@Authenticate
 @Path("scheduler")
 @Produces({ MediaType.APPLICATION_JSON, MediaType.APPLICATION_XML })
 public class ScheduleResource {

http://git-wip-us.apache.org/repos/asf/lens/blob/e40f2dec/lens-server/src/main/java/org/apache/lens/server/session/LensSessionImpl.java
----------------------------------------------------------------------
diff --git 
a/lens-server/src/main/java/org/apache/lens/server/session/LensSessionImpl.java 
b/lens-server/src/main/java/org/apache/lens/server/session/LensSessionImpl.java
index 08a5cff..7d81375 100644
--- 
a/lens-server/src/main/java/org/apache/lens/server/session/LensSessionImpl.java
+++ 
b/lens-server/src/main/java/org/apache/lens/server/session/LensSessionImpl.java
@@ -115,6 +115,7 @@ public class LensSessionImpl extends HiveSessionImpl 
implements AutoCloseable {
     persistInfo.setPassword(getPassword());
     persistInfo.setLastAccessTime(System.currentTimeMillis());
     persistInfo.setSessionConf(sessionConf);
+    
persistInfo.setProxyUser(sessionConf.get(LensConfConstants.SESSION_PROXY_USER));
     if (sessionConf != null) {
       for (Map.Entry<String, String> entry : sessionConf.entrySet()) {
         conf.set(entry.getKey(), entry.getValue());
@@ -637,6 +638,9 @@ public class LensSessionImpl extends HiveSessionImpl 
implements AutoCloseable {
     /** Whether it's marked for close */
     private boolean markedForClose;
 
+    /** The proxy user which is initiating the request. This could be null */
+    private String proxyUser;
+
     public void setSessionConf(Map<String, String> sessionConf) {
       UtilityMethods.mergeMaps(config, sessionConf, true);
     }
@@ -666,6 +670,7 @@ public class LensSessionImpl extends HiveSessionImpl 
implements AutoCloseable {
       }
       out.writeLong(lastAccessTime);
       out.writeBoolean(markedForClose);
+      out.writeUTF(proxyUser == null ? "" : proxyUser);
     }
 
     /*
@@ -697,6 +702,7 @@ public class LensSessionImpl extends HiveSessionImpl 
implements AutoCloseable {
       }
       lastAccessTime = in.readLong();
       markedForClose = in.readBoolean();
+      proxyUser = in.readUTF();
     }
   }
 

http://git-wip-us.apache.org/repos/asf/lens/blob/e40f2dec/lens-server/src/main/java/org/apache/lens/server/session/SessionResource.java
----------------------------------------------------------------------
diff --git 
a/lens-server/src/main/java/org/apache/lens/server/session/SessionResource.java 
b/lens-server/src/main/java/org/apache/lens/server/session/SessionResource.java
index 63eea63..dfecba5 100644
--- 
a/lens-server/src/main/java/org/apache/lens/server/session/SessionResource.java
+++ 
b/lens-server/src/main/java/org/apache/lens/server/session/SessionResource.java
@@ -18,24 +18,47 @@
  */
 package org.apache.lens.server.session;
 
+import java.security.Principal;
+import java.util.Collection;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
+import java.util.Optional;
 
-import javax.ws.rs.*;
+
+import javax.ws.rs.BadRequestException;
+import javax.ws.rs.Consumes;
+import javax.ws.rs.DELETE;
+import javax.ws.rs.DefaultValue;
+import javax.ws.rs.GET;
+import javax.ws.rs.POST;
+import javax.ws.rs.PUT;
+import javax.ws.rs.Path;
+import javax.ws.rs.Produces;
+import javax.ws.rs.QueryParam;
+import javax.ws.rs.WebApplicationException;
+import javax.ws.rs.core.Context;
 import javax.ws.rs.core.MediaType;
+import javax.ws.rs.core.SecurityContext;
 
 import org.apache.lens.api.APIResult;
 import org.apache.lens.api.APIResult.Status;
 import org.apache.lens.api.LensConf;
 import org.apache.lens.api.LensSessionHandle;
 import org.apache.lens.api.StringList;
+import org.apache.lens.api.auth.AuthScheme;
 import org.apache.lens.api.session.UserSessionInfo;
+import org.apache.lens.server.LensServerConf;
 import org.apache.lens.server.LensServices;
+import org.apache.lens.server.api.LensConfConstants;
 import org.apache.lens.server.api.error.LensException;
 import org.apache.lens.server.api.session.SessionService;
+import org.apache.lens.server.auth.Authenticate;
 import org.apache.lens.server.util.ScannedPaths;
 
+import org.apache.commons.lang.StringUtils;
+import org.apache.hadoop.conf.Configuration;
+
 import org.glassfish.jersey.media.multipart.FormDataParam;
 
 import lombok.extern.slf4j.Slf4j;
@@ -45,13 +68,20 @@ import lombok.extern.slf4j.Slf4j;
  * <p></p>
  * This provides api for all things in session.
  */
+@Authenticate
 @Path("session")
 @Slf4j
 public class SessionResource {
+  public static final Configuration CONF = LensServerConf.getHiveConf();
+  public static final Optional<AuthScheme> AUTH_SCHEME =
+          AuthScheme.getFromString(CONF.get(LensConfConstants.AUTH_SCHEME));
 
   /** The session service. */
   private SessionService sessionService;
 
+  @Context
+  private SecurityContext securityContext;
+
   /**
    * API to know if session service is up and running
    *
@@ -94,7 +124,24 @@ public class SessionResource {
     } else {
       conf = new HashMap();
     }
-    return sessionService.openSession(username, password, database,   conf);
+
+    if (AUTH_SCHEME.isPresent()) {
+      Principal userPrincipal = securityContext.getUserPrincipal();
+      String userPrincipalName = userPrincipal.getName();
+      Collection<String> allowedProxyUsers = 
CONF.getTrimmedStringCollection(LensConfConstants.ALLOWED_PROXY_USERS);
+      if (allowedProxyUsers.contains(userPrincipalName)) {
+        String loggedInUser = 
conf.get(LensConfConstants.SESSION_LOGGEDIN_USER);
+        if (StringUtils.isBlank(loggedInUser)) {
+          throw new 
BadRequestException(LensConfConstants.SESSION_LOGGEDIN_USER + " is required in 
sessionconf");
+        }
+        username = loggedInUser;
+        conf.put(LensConfConstants.SESSION_PROXY_USER, userPrincipalName);
+      } else {
+        username = userPrincipalName;
+      }
+      password = "";
+    }
+    return sessionService.openSession(username, password, database, conf);
   }
 
   /**

Reply via email to