Modified: oozie/branches/hcat-intre/docs/src/site/twiki/ENG_Custom_Authentication.twiki URL: http://svn.apache.org/viewvc/oozie/branches/hcat-intre/docs/src/site/twiki/ENG_Custom_Authentication.twiki?rev=1430055&r1=1430054&r2=1430055&view=diff ============================================================================== --- oozie/branches/hcat-intre/docs/src/site/twiki/ENG_Custom_Authentication.twiki (original) +++ oozie/branches/hcat-intre/docs/src/site/twiki/ENG_Custom_Authentication.twiki Mon Jan 7 22:10:44 2013 @@ -19,6 +19,7 @@ The following authenticators are provide * KerberosAuthenticationHandler : the authenticator handler implements the Kerberos SPNEGO authentication mechanism for HTTP. * PseudoAuthenticationHandler : the authenticator handler provides a pseudo authentication mechanism that accepts the user name specified as a query string parameter. + * AltKerberosAuthenticationHandler: the authenticator handler allows for Kerberos SPNEGO authentication for non-browsers and an alternate form of authentication for browsers. A subclass must implement the alternate authentication (see [[ENG_Custom_Authentication#LoginServerExample][Example Login Server]]) 3. =org.apache.hadoop.security.authentication.server.AuthenticationFilter:= A servlet filter enables protecting web application resources with different authentication mechanisms provided by AuthenticationHandler. To enable the filter, web application resources file (ex. web.xml) needs to include the a filter class derived from =AuthenticationFilter=. 
@@ -140,6 +141,144 @@ protected AuthenticationToken getToken(H } </verbatim> +#LoginServerExample +---++ Login Server Example + +---+++ Overview + +The Login Server Example is a web application that is an example of how to create a login server for Oozie. It provides two example +servlets: LoginServlet and LDAPLoginServlet. The LoginServlet example is very primitive and simply authenticates users whose +username and password match (e.g. user=foo and pass=foo). The LDAPLoginServlet example can be configured against an LDAP server to +authenticate users from that LDAP server. Once authenticated, both example servlets write the username to a cookie that Oozie +checks via the ExampleAltAuthenticationHandler (which uses that cookie for authentication for browsers but Kerberos otherwise). + +The LoginServlet and LDAPLoginServlet are run from a separate WAR file called oozie-login.war; its web.xml can be used to configure +which servlet is used as well as some additional properties. The ExampleAltAuthenticationHandler is run as part of the Oozie server +but is built as a separate jar: oozie-login.jar. + +---+++ ExampleAltAuthenticationHandler + +This is a subclass of the abstract AltKerberosAuthenticationHandler, which is an AuthenticationHandler that allows for a "mixed" +mode of authentication. When a non-browser is used, Kerberos will be used for authentication; when a browser is used, some other +authentication method will be used. In the case of ExampleAltAuthenticationHandler, the other authentication method is to look for +a cookie named =oozie.web.login.auth= and create an AuthenticationToken using the value of the cookie as the username. If the +cookie cannot be found, it will redirect the browser to a page where the user can (presumably) login to a server that can +authenticate the user and create the cookie. 
As this is obviously a very primitive method of authentication that is not secure, it +should NOT be used in production; it is only provided as an example of how the AltKerberosAuthenticationHandler can be used. + +To reiterate: %RED%ExampleAltAuthenticationHandler IS NOT SECURE -- DO NOT USE IT IN A PRODUCTION ENVIRONMENT%ENDCOLOR% + +To use the ExampleAltAuthenticationHandler, make at least the following two changes to your oozie-site.xml. All of the existing +Kerberos-related settings are still applicable (for when a non-browser is used) so make sure to configure them appropriately. +<verbatim> + <property> + <name>oozie.authentication.type</name> + <value>org.apache.oozie.authentication.ExampleAltAuthenticationHandler</value> + </property> + <property> + <name>oozie.service.HadoopAccessorService.kerberos.enabled</name> + <value>true</value> + </property> +</verbatim> +Note: The ExampleAltAuthenticationHandler is included in the oozie-login.jar file and not normally included with Oozie core. +Additionally, you can configure which user-agents AltKerberosAuthenticationHandler (and thus ExampleAltAuthenticationHandler) +consider to be non-browsers by setting the following property in oozie-site.xml to a comma separated list. When any of the values +in this property are contained in the user-agent of the request, Kerberos will be used; otherwise, the alternate authentication will +be used. +<verbatim> + <property> + <name>alt-kerberos.non-browser.user-agents</name> + <value>java,curl,wget,perl</value> + </property> +</verbatim> +The above values, which are the default, will cause a user-agent such as "java" (the user-agent used by Java programs) to use +Kerberos. Note that this would also match with user-agents such as "java6" and "I am not a JaVa program". + +When the ExampleAltAuthenticationHandler cannot find the =oozie.web.login.auth= cookie, it will redirect the user to another URL, +which can be configured by setting the following property in oozie-site.xml. 
Typically, this URL should take the user to a server +where they can login to acquire the cookie and then get redirected back to the Oozie web console (the Login Server Example does this +and will be explained in more detail later). +<verbatim> + <property> + <name>oozie.authentication.ExampleAltAuthenticationHandler.redirect.url</name> + <value>http://localhost:11000/oozie-login/?backurl={0}</value> + </property> +</verbatim> +The above value, which is the default, will cause the user to be redirected to the Login Server Example if its running in the same +tomcat as Oozie and on the default port. If ={0}= appears anywhere in this URL, it will be replaced by the URL of Oozie's web +console so that the Login Server Example can know where to send the user back while staying independent of Oozie. + +---+++ LoginServlet + +This is a web servlet that gets bundled in the oozie-login.war web application. It is a very primitive example of a login server +implementation that is compatible with the ExampleAltAuthenticationHandler. When users visit this servlet, they are shown a simple +login page that allows them to enter their username and password. It authenticates them if their username and password are the same +(e.g. user=foo and pass=foo), which is not secure and should not be used in production; it is only provided as an example. + +To reiterate: %RED%LoginServlet IS NOT SECURE -- DO NOT USE IT IN A PRODUCTION ENVIRONMENT%ENDCOLOR% + +Sending it a GET request returns the login page; the =backurl= parameter is required (so it knows where to redirect the user back to +once they are authenticated), but there is also an optional =username= parameter that will pre-populate the username field if given. + +Sending it a POST request will also return the login page, but only if an error occurs (e.g. invalid username or password). As with +the GET request, the =backurl= parameter is required, but now the =username= and =password= parameters are also required. 
If they +match, the LoginServlet will write the =oozie.web.login.auth= cookie containing the username and redirect the user to the =backurl=, +which is presumably the Oozie web console. + +The login page can be configured to look differently by changing the following parameter in the web.xml in the oozie-login.war file +(or in the login/src/main/webapp/WEB-INF/ directory before building it). The file needs to be located in the +login/src/main/resources/ directory and should contain ={0}= for where an error message can go, ={1}= for where the username +included with a GET request will go, and ={2}= for where the =backurl= goes. +<verbatim> + <init-param> + <param-name>login.page.template</param-name> + <param-value>login-page-template.html</param-value> + </init-param> +</verbatim> +The above value, which is the default, is a basic html page that has fields for the username and password and meets the previously +stated requirements. + +---+++ LDAPLoginServlet + +This is a second web servlet that gets bundled in the oozie-login.war web application. It inherits from the LoginServlet, so the +previous configuration information (i.e. login.page.template) still applies to this servlet. The only difference between the +LDAPLoginServlet and the LoginServlet, is that the LDAPLoginServlet is configured against an LDAP server to provide the +authentication instead of simply checking that the username and password are equal. As before, this is not secure and should not be +used in production; it is only provided as an example. + +To reiterate: %RED%LDAPLoginServlet IS NOT SECURE -- DO NOT USE IT IN A PRODUCTION ENVIRONMENT%ENDCOLOR% + +The oozie-login.war web application is configured to use LoginServlet by default. 
To switch it to use the LDAPLoginServlet, you +have to change the following line in the web.xml from: +<verbatim> + <servlet-class>org.apache.oozie.servlet.login.LoginServlet</servlet-class> +to: + <servlet-class>org.apache.oozie.servlet.login.LDAPLoginServlet</servlet-class> +</verbatim> + +There are three additional parameters related to LDAP that you should configure in the web.xml: +<verbatim> + <init-param> + <param-name>ldap.provider.url</param-name> + <param-value>ldap://localhost:389</param-value> + </init-param> + <init-param> + <param-name>ldap.context.factory</param-name> + <param-value>com.sun.jndi.ldap.LdapCtxFactory</param-value> + </init-param> + <init-param> + <param-name>ldap.security.authentication</param-name> + <param-value>simple</param-value> + </init-param> +</verbatim> +The ldap.provider.url is the LDAP provider URL to use, the ldap.context.factory is the LDAP context factory to use, and the +ldap.security.authentication is the LDAP security authentication type to use. + +---+++ Building and Deploying +The README.txt file in the =login= directory contains instructions on how to build and deploy the Login Server Example + + + [[index][::Go back to Oozie Documentation Index::]] </noautolink> \ No newline at end of file
Modified: oozie/branches/hcat-intre/examples/src/main/apps/hive/workflow.xml URL: http://svn.apache.org/viewvc/oozie/branches/hcat-intre/examples/src/main/apps/hive/workflow.xml?rev=1430055&r1=1430054&r2=1430055&view=diff ============================================================================== --- oozie/branches/hcat-intre/examples/src/main/apps/hive/workflow.xml (original) +++ oozie/branches/hcat-intre/examples/src/main/apps/hive/workflow.xml Mon Jan 7 22:10:44 2013 @@ -32,10 +32,6 @@ <name>mapred.job.queue.name</name> <value>${queueName}</value> </property> - <property> - <name>oozie.hive.defaults</name> - <value>my-hive-default.xml</value> - </property> </configuration> <script>script.q</script> <param>INPUT=/user/${wf:user()}/${examplesRoot}/input-data/table</param> Modified: oozie/branches/hcat-intre/hadooplibs/hadoop-1/pom.xml URL: http://svn.apache.org/viewvc/oozie/branches/hcat-intre/hadooplibs/hadoop-1/pom.xml?rev=1430055&r1=1430054&r2=1430055&view=diff ============================================================================== --- oozie/branches/hcat-intre/hadooplibs/hadoop-1/pom.xml (original) +++ oozie/branches/hcat-intre/hadooplibs/hadoop-1/pom.xml Mon Jan 7 22:10:44 2013 @@ -27,7 +27,7 @@ </parent> <groupId>org.apache.oozie</groupId> <artifactId>oozie-hadoop</artifactId> - <version>1.0.1.oozie-3.4.0-SNAPSHOT</version> + <version>1.1.1.oozie-3.4.0-SNAPSHOT</version> <description>Apache Oozie Hadoop ${project.version}</description> <name>Apache Oozie Hadoop ${project.version}</name> <packaging>jar</packaging> 
@@ -36,7 +36,7 @@ <dependency> <groupId>org.apache.hadoop</groupId> <artifactId>hadoop-client</artifactId> - <version>1.0.1</version> + <version>1.1.1</version> <scope>compile</scope> </dependency> </dependencies> Modified: oozie/branches/hcat-intre/hadooplibs/hadoop-3/pom.xml URL: http://svn.apache.org/viewvc/oozie/branches/hcat-intre/hadooplibs/hadoop-3/pom.xml?rev=1430055&r1=1430054&r2=1430055&view=diff ============================================================================== --- oozie/branches/hcat-intre/hadooplibs/hadoop-3/pom.xml (original) +++ oozie/branches/hcat-intre/hadooplibs/hadoop-3/pom.xml Mon Jan 7 22:10:44 2013 @@ -38,6 +38,16 @@ <artifactId>hadoop-client</artifactId> <version>3.0.0-SNAPSHOT</version> <scope>compile</scope> + <exclusions> + <exclusion> + <artifactId>jasper-runtime</artifactId> + <groupId>tomcat</groupId> + </exclusion> + <exclusion> + <artifactId>jsp-api</artifactId> + <groupId>javax.servlet.jsp</groupId> + </exclusion> + </exclusions> </dependency> </dependencies> Modified: oozie/branches/hcat-intre/hadooplibs/hadoop-distcp-1/pom.xml URL: http://svn.apache.org/viewvc/oozie/branches/hcat-intre/hadooplibs/hadoop-distcp-1/pom.xml?rev=1430055&r1=1430054&r2=1430055&view=diff ============================================================================== --- oozie/branches/hcat-intre/hadooplibs/hadoop-distcp-1/pom.xml (original) +++ oozie/branches/hcat-intre/hadooplibs/hadoop-distcp-1/pom.xml Mon Jan 7 22:10:44 2013 @@ -27,7 +27,7 @@ </parent> <groupId>org.apache.oozie</groupId> <artifactId>oozie-hadoop-distcp</artifactId> - <version>1.0.1.oozie-3.4.0-SNAPSHOT</version> + <version>1.1.1.oozie-3.4.0-SNAPSHOT</version> <description>Apache Oozie Hadoop Distcp ${project.version}</description> <name>Apache Oozie Hadoop Distcp ${project.version}</name> <packaging>jar</packaging> 
@@ -36,7 +36,7 @@ <dependency> <groupId>org.apache.hadoop</groupId> <artifactId>hadoop-tools</artifactId> - <version>1.0.1</version> + <version>1.1.1</version> <scope>compile</scope> <exclusions> <exclusion> Modified: oozie/branches/hcat-intre/hadooplibs/hadoop-test-1/pom.xml URL: http://svn.apache.org/viewvc/oozie/branches/hcat-intre/hadooplibs/hadoop-test-1/pom.xml?rev=1430055&r1=1430054&r2=1430055&view=diff ============================================================================== --- oozie/branches/hcat-intre/hadooplibs/hadoop-test-1/pom.xml (original) +++ oozie/branches/hcat-intre/hadooplibs/hadoop-test-1/pom.xml Mon Jan 7 22:10:44 2013 @@ -27,7 +27,7 @@ </parent> <groupId>org.apache.oozie</groupId> <artifactId>oozie-hadoop-test</artifactId> - <version>1.0.1.oozie-3.4.0-SNAPSHOT</version> + <version>1.1.1.oozie-3.4.0-SNAPSHOT</version> <description>Apache Oozie Hadoop ${project.version} Test</description> <name>Apache Oozie Hadoop ${project.version} Test</name> <packaging>jar</packaging> @@ -36,7 +36,7 @@ <dependency> <groupId>org.apache.hadoop</groupId> <artifactId>hadoop-minicluster</artifactId> - <version>1.0.1</version> + <version>1.1.1</version> <scope>compile</scope> </dependency> </dependencies> Modified: oozie/branches/hcat-intre/pom.xml URL: http://svn.apache.org/viewvc/oozie/branches/hcat-intre/pom.xml?rev=1430055&r1=1430054&r2=1430055&view=diff ============================================================================== --- oozie/branches/hcat-intre/pom.xml (original) +++ oozie/branches/hcat-intre/pom.xml Mon Jan 7 22:10:44 2013 @@ -66,7 +66,7 @@ </oozie.test.default.config.file> <oozie.test.config.file>${oozie.test.default.config.file}</oozie.test.config.file> - <hadoop.version>1.0.1</hadoop.version> + <hadoop.version>1.1.1</hadoop.version> <hadooplib.version>${hadoop.version}.oozie-${project.version}</hadooplib.version> 
@@ -789,6 +789,26 @@ <findbugsXmlWithMessages>true</findbugsXmlWithMessages> </configuration> </plugin> + + <!-- checkstyle plugin. Execute 'mvn verify' and look for checkstyle-result.xml under target folder --> + <plugin> + <groupId>org.apache.maven.plugins</groupId> + <artifactId>maven-checkstyle-plugin</artifactId> + <version>2.9.1</version> + <executions> + <execution> + <goals> + <goal>check</goal> + </goals> + <configuration> + <consoleOutput>true</consoleOutput> + <includeTestSourceDirectory>true</includeTestSourceDirectory> + <configLocation>src/main/resources/checkstyle.xml</configLocation> + </configuration> + </execution> + </executions> + </plugin> + <plugin> <groupId>org.apache.maven.plugins</groupId> <artifactId>maven-enforcer-plugin</artifactId> @@ -961,5 +981,14 @@ <hadoop.auth.version>3.0.0-SNAPSHOT</hadoop.auth.version> </properties> </profile> + <profile> + <id>loginServerExample</id> + <activation> + <activeByDefault>false</activeByDefault> + </activation> + <modules> + <module>login</module> + </modules> + </profile> </profiles> </project> Modified: oozie/branches/hcat-intre/release-log.txt URL: http://svn.apache.org/viewvc/oozie/branches/hcat-intre/release-log.txt?rev=1430055&r1=1430054&r2=1430055&view=diff ============================================================================== --- oozie/branches/hcat-intre/release-log.txt (original) +++ oozie/branches/hcat-intre/release-log.txt Mon Jan 7 22:10:44 2013 
@@ -1,5 +1,16 @@ -- Oozie 3.4.0 release (trunk - unreleased) +OOZIE-1102 Update Oozie README.txt to have the TLP mailing list and links (jaoki via rkanter) +OOZIE-1103 Create example using AltKerberosAuthenticationHandler (rkanter) +OOZIE-816 Add Support for Hadoop 1.1.1 (zhujinwei and harsh via harsh) +OOZIE-1101 Fix log messages that contain {0} or similar (rkanter) +OOZIE-1113 The cookies used in the AltKerberosAuthenticationHandler examples aren't read properly if quoted (rkanter) +OOZIE-1127 Missed one services.destroy() in OOZIE-1114 (rkanter) +OOZIE-1084 When use IBM jdk , UT TestCallbackServlet and TestHadoopELFunctions fail (zhujinwei via rkanter) +OOZIE-1129 Add documentation for configurable filesystem support (rkanter) +OOZIE-1087 Remove requirement of hive-default.xml from Hive action (rkanter) +OOZIE-1126 see if checkstyle works for oozie development. (jaoki via rkanter) +OOZIE-1152 Unit test for JavaActionExecutor has a wrong action XML (jaoki via harsh) OOZIE-1145 Modify Recovery Service to handle push missing dependencies (virag) OOZIE-1135 Display missing partition dependencies via job -info command on CLI (mona) OOZIE-1125 Prepare actions for hcat (rohini via virag) Modified: oozie/branches/hcat-intre/src/main/assemblies/distro.xml URL: http://svn.apache.org/viewvc/oozie/branches/hcat-intre/src/main/assemblies/distro.xml?rev=1430055&r1=1430054&r2=1430055&view=diff ============================================================================== --- oozie/branches/hcat-intre/src/main/assemblies/distro.xml (original) +++ oozie/branches/hcat-intre/src/main/assemblies/distro.xml Mon Jan 7 22:10:44 2013 
@@ -107,6 +107,16 @@ </includes> <fileMode>0555</fileMode> </fileSet> + <!-- Oozie Login Server Example war and jar --> + <fileSet> + <directory>${basedir}/../login/target</directory> + <outputDirectory>/</outputDirectory> + <includes> + <include>oozie-login.war</include> + <include>oozie-login.jar</include> + </includes> + <fileMode>0555</fileMode> + </fileSet> </fileSets> <files>
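Review bot: In ENG_Custom_Authentication.twiki (hunk @@ -19,6 +19,7), the new AltKerberosAuthenticationHandler bullet is formatted differently from the two bullets above it: there is no space before the colon and the last sentence has no closing period. Suggest "AltKerberosAuthenticationHandler : the authenticator handler allows ..." and ending the sentence after the Example Login Server link.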
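Review bot: In ENG_Custom_Authentication.twiki (hunk @@ -140,6 +141,144), the Login Server Example section says three times that the example is not secure but never says why, so someone writing their own AltKerberosAuthenticationHandler subclass does not learn what to avoid. The reasons are all in the text already: the handler builds the AuthenticationToken from the raw value of the =oozie.web.login.auth= cookie, with no signature or server-side check described; the LoginServlet redirects to whatever =backurl= it receives; the default redirect URL is plain http; and the LDAP defaults (ldap://localhost:389 with simple) send the bind password unencrypted. Suggest one short paragraph listing these and stating that a production subclass needs an integrity-protected token, a check on =backurl=, and TLS on both the login page and the LDAP connection. The user-agent paragraph should also say that the user-agent is supplied by the client and only selects which mechanism runs. Minor: "if its running" should read "if it is running".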
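Review bot: In examples/src/main/apps/hive/workflow.xml (hunk @@ -32,10 +32,6), removing the oozie.hive.defaults property leaves my-hive-default.xml unreferenced by this workflow. If that file still ships in the example application directory, delete it in the same change so the example does not imply it is still required; the release-log entry for OOZIE-1087 says the requirement is gone.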
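Review bot: In hadooplibs/hadoop-3/pom.xml (hunk @@ -38,6 +38,16), the two new exclusions on hadoop-client (tomcat:jasper-runtime and javax.servlet.jsp:jsp-api) have no comment saying what they conflict with. Exclusions like these tend to outlive their reason; add a one-line XML comment above the exclusions element naming the conflict or the issue id so a later Hadoop version bump can tell whether they are still needed.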
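Review bot: In the root pom.xml (hunk @@ -789,6 +789,26), the checkstyle configLocation is the relative path src/main/resources/checkstyle.xml, which only resolves for modules that contain that file at that location. Since this plugin is declared in the parent pom, please confirm that every module inheriting it can find the file, or point configLocation at a path anchored to the top-level project. The comment should also say whether violations are meant to fail 'mvn verify' or only be reported, because the check goal is bound here with no setting that states the intent.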
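Review bot: In src/main/assemblies/distro.xml (hunk @@ -107,6 +107,16), the new fileSet copies oozie-login.war and oozie-login.jar into the distribution root (outputDirectory "/"), yet the documentation added in this same commit marks LoginServlet, LDAPLoginServlet and ExampleAltAuthenticationHandler as not for production. Placing them beside the production artifacts makes accidental deployment easy; suggest an output directory that is clearly an examples location, and a comment noting that the files exist only when the loginServerExample profile (activeByDefault false in the root pom.xml, hunk @@ -961,5 +981,14) has built the login module. It is also worth checking how the assembly behaves in a default build, where ../login/target is not produced.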
