Repository: oozie
Updated Branches:
  refs/heads/master 7b6d23546 -> 5983cdfe3

OOZIE-2825 Custom Authentication doc page is not well formatted (Jan Hentschel via rkanter)

Project: http://git-wip-us.apache.org/repos/asf/oozie/repo
Commit: http://git-wip-us.apache.org/repos/asf/oozie/commit/5983cdfe
Tree: http://git-wip-us.apache.org/repos/asf/oozie/tree/5983cdfe
Diff: http://git-wip-us.apache.org/repos/asf/oozie/diff/5983cdfe

Branch: refs/heads/master
Commit: 5983cdfe3d976c46f18970d77b003b637a83faf8
Parents: 7b6d235
Author: Robert Kanter <[email protected]>
Authored: Tue Jun 13 17:38:04 2017 -0700
Committer: Robert Kanter <[email protected]>
Committed: Tue Jun 13 17:38:04 2017 -0700

----------------------------------------------------------------------
 .../site/twiki/ENG_Custom_Authentication.twiki | 106 ++++---------------
 release-log.txt | 1 +
 2 files changed, 21 insertions(+), 86 deletions(-)
----------------------------------------------------------------------

http://git-wip-us.apache.org/repos/asf/oozie/blob/5983cdfe/docs/src/site/twiki/ENG_Custom_Authentication.twiki
----------------------------------------------------------------------
diff --git a/docs/src/site/twiki/ENG_Custom_Authentication.twiki b/docs/src/site/twiki/ENG_Custom_Authentication.twiki index 64334b6..3b8202d 100644 --- a/docs/src/site/twiki/ENG_Custom_Authentication.twiki +++ b/docs/src/site/twiki/ENG_Custom_Authentication.twiki 
@@ -13,107 +13,41 @@ The following authenticators are provided in hadoop-auth: * KerberosAuthenticator : the authenticator implements the Kerberos SPNEGO authentication sequence. - * PseudoAuthenticator : the authenticator implementation provides an authentication equivalent to Hadoop's Simple authentication, it trusts the value of the 'user.name' Java System property. + * PseudoAuthenticator : the authenticator implementation provides an authentication equivalent to Hadoop's Simple + authentication, it trusts the value of the 'user.name' Java System property. 2. =org.apache.hadoop.security.authentication.server.AuthenticationHandler:= Interface for server authentication mechanisms. * KerberosAuthenticationHandler : the authenticator handler implements the Kerberos SPNEGO authentication mechanism for HTTP. - * PseudoAuthenticationHandler : the authenticator handler provides a pseudo authentication mechanism that accepts the user name specified as a query string parameter. + * PseudoAuthenticationHandler : the authenticator handler provides a pseudo authentication mechanism that accepts the user + name specified as a query string parameter. -3. =org.apache.hadoop.security.authentication.server.AuthenticationFilter:= A servlet filter enables protecting web application resources with different authentication mechanisms provided by AuthenticationHandler. To enable the filter, web application resources file (ex. web.xml) needs to include a filter class derived from =AuthenticationFilter=. +3. =org.apache.hadoop.security.authentication.server.AuthenticationFilter:= A servlet filter enables protecting web application +resources with different authentication mechanisms provided by AuthenticationHandler. To enable the filter, web application +resources file (ex. web.xml) needs to include a filter class derived from =AuthenticationFilter=. 
----++ Provide Custom Client Authenticator - -In client side, a custom authentication requires a extended =Authenticator= to retrieve authentication token or certificate and set it to 'token' instance in method 'authenticate()'. - -The following methods should be overridden by derived Authenticator. -<verbatim> - - public void authenticate(URL url, AuthenticatedURL.Token token) - throws IOException, AuthenticationException { - - TheAuthenticatorConf conf = TheAuthenticatorConf(); - - HttpURLConnection conn = (HttpURLConnection) url.openConnection(); - conn.setRequestMethod("OPTIONS"); - - //Depending on actual authenticationovide Custom Authentication to Oozie Server - -Eclipse and IntelliJ can use directly MiniOozie Maven project files. MiniOozie project can be imported to -Eclipse and IntelliJ as independent project. - -overridden methods -<verbatim> - mechanism, retrieve the cert string or token. - String encodedStr = URLEncoder.encode(aCertString, "UTF-8"); - // set to cookie with a key that can be recognized later in the server side. - conn.addRequestProperty("Cookie", "NEWAUTH=" + encodedStr); - - // extract token from connection and set to token - AuthenticatedURL.extractToken(conn, token); - - } -</verbatim> - -The following shows an example of a singleton class which can be used at a class of Authenticator to set and get configuration which is required for authentication purpose. 
- -<verbatim> - public static class TheAuthenticatorConf { - private static final TheAuthenticatorConf instance = new TheAuthenticatorConf(); - private final Map<String, String> map = new HashMap<String, String>(); - - private TheAuthenticatorConf() { - } - - public static TheAuthenticatorConf getInstance() { - return instance; - } - - public void put(String key, String value) { - map.put(key, value); - } - - public String get(String key) { - return map.get(key); - } - - public void clear() { - map.clear(); - } - } -</verbatim> +For more information have a look at the appropriate +[[https://hadoop.apache.org/docs/r2.7.2/hadoop-auth/index.html][Hadoop documentation]]. ---++ Provide Custom Authentication to Oozie Client -Apache Oozie contains a default class =org.apache.oozie.client.AuthOozieClient= to support Kerberos HTTP SPNEGO authentication, pseudo/simple authentication and anonymous access for client connections. +Apache Oozie contains a default class =org.apache.oozie.client.AuthOozieClient= to support Kerberos HTTP SPNEGO authentication, +pseudo/simple authentication and anonymous access for client connections. -To provide other authentication mechanisms, a Oozie client should extend from =AuthOozieClient= and provide the following methods should be overridden by derived classes to provide custom authentication: +To provide other authentication mechanisms, an Oozie client should extend from =AuthOozieClient= and provide the following +methods should be overridden by derived classes to provide custom authentication: * getAuthenticator() : return corresponding Authenticator based on value specified by user at =auth= command option. - * createConnection() : create a singleton class at Authenticator to allow client set and get key-value configuration for authentication. 
- ----++ Provide Custom Server AuthenticationHandler - -In server side, a custom authentication requires a extended AuthenticationHandler to retrieve authentication token or certificate from http request and verify it. After successful verification, an =AuthenticationToken= is created with user name and current authentication type. With this token, this request can be proceeded for response. - -The following methods should be overridden by derived AuthenticationHandler. -<verbatim> - - public AuthenticationToken authenticate(HttpServletRequest request, HttpServletResponse response) - throws IOException, AuthenticationException { - - // the certificate or token can be retrieved from request and verified. - - // use the information from the legal certificate or token to create AuthenticationToken - AuthenticationToken token = new AuthenticationToken(userName, principal, type); - - return token; - } -</verbatim> + * createConnection() : create a singleton class at Authenticator to allow client set and get key-value configuration for + authentication. ---++ Provide Custom Authentication to Oozie Server -To accept custom authentication in Oozie server, a filter extends from AuthenticationFilter must be provided. This filter delegates to the configured authentication handler for authentication and once it obtains an =AuthenticationToken= from it, sets a signed HTTP cookie with the token. If HTTP cookie is provided with different key name, its cookie value can be retrieved by overriding =getToken()= method. Please note, only when =getToken()= return NULL, a custom authentication can be invoked and processed in =AuthenticationFilter.doFilter()=. +To accept custom authentication in Oozie server, a filter extends from AuthenticationFilter must be provided. This filter +delegates to the configured authentication handler for authentication and once it obtains an =AuthenticationToken= from it, sets +a signed HTTP cookie with the token. 
If HTTP cookie is provided with different key name, its cookie value can be retrieved by +overriding =getToken()= method. Please note, only when =getToken()= return NULL, a custom authentication can be invoked and +processed in =AuthenticationFilter.doFilter()=. The following method explains how to read it and return NULL token. <verbatim> http://git-wip-us.apache.org/repos/asf/oozie/blob/5983cdfe/release-log.txt ---------------------------------------------------------------------- diff --git a/release-log.txt b/release-log.txt index 0d09a79..794d46c 100644 --- a/release-log.txt +++ b/release-log.txt @@ -1,5 +1,6 @@ -- Oozie 5.0.0 release (trunk - unreleased) +OOZIE-2825 Custom Authentication doc page is not well formatted (Jan Hentschel via rkanter) OOZIE-2747 README.txt is out of date (Jan Hentschel via rkanter) OOZIE-2926 Update Oozie version to 5.0.0-SNAPSHOT (dbist13 via rkanter) OOZIE-2930 Duplicate declaration of version warning for hadoop-yarn-api and hadoop-yarn-common (Artem Ervits via gezapeti)
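
Review bot: The retained createConnection() bullet in ENG_Custom_Authentication.twiki still reads "create a singleton class at Authenticator", but the only place that singleton was defined (the TheAuthenticatorConf example) is deleted in this same hunk, together with the whole "Provide Custom Server AuthenticationHandler" section, so the bullet now refers to something the page no longer shows. Either reword the bullet so it stands without the example, or keep a one-paragraph description of the two contracts that were removed (the client Authenticator's authenticate(URL, AuthenticatedURL.Token) and the server handler's authenticate() returning an AuthenticationToken after verifying the request) next to the new Hadoop documentation link; that link is pinned to r2.7.2, so it may not match the hadoop-auth version a reader is actually running. Two smaller points in the same hunk: the reflowed sentence "should extend from =AuthOozieClient= and provide the following methods should be overridden by derived classes" fixes "a Oozie" but keeps the doubled clause, and "only when =getToken()= return NULL" should read "returns".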
