OOZIE-2825 Custom Authentication doc page is not well formatted (Jan Hentschel
via rkanter)
(cherry picked from commit 5983cdfe3d976c46f18970d77b003b637a83faf8)
docs/src/site/twiki/ENG_Custom_Authentication.twiki
Project: http://git-wip-us.apache.org/repos/asf/oozie/repo
Commit: http://git-wip-us.apache.org/repos/asf/oozie/commit/636e434e
Tree: http://git-wip-us.apache.org/repos/asf/oozie/tree/636e434e
Diff: http://git-wip-us.apache.org/repos/asf/oozie/diff/636e434e
Branch: refs/heads/branch-4.3
Commit: 636e434ee8ae5e616b5fbf61f70b807adcffbd8b
Parents: f232030
Author: Robert Kanter <[email protected]>
Authored: Tue Jun 13 17:38:04 2017 -0700
Committer: satishsaley <[email protected]>
Committed: Fri Dec 8 16:34:55 2017 -0800
----------------------------------------------------------------------
.../site/twiki/ENG_Custom_Authentication.twiki | 106 ++++---------------
release-log.txt | 1 +
2 files changed, 21 insertions(+), 86 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/oozie/blob/636e434e/docs/src/site/twiki/ENG_Custom_Authentication.twiki
----------------------------------------------------------------------
diff --git a/docs/src/site/twiki/ENG_Custom_Authentication.twiki
b/docs/src/site/twiki/ENG_Custom_Authentication.twiki
index 6bac3a6..7d967c3 100644
--- a/docs/src/site/twiki/ENG_Custom_Authentication.twiki
+++ b/docs/src/site/twiki/ENG_Custom_Authentication.twiki
@@ -13,108 +13,42 @@
The following authenticators are provided in hadoop-auth:
* KerberosAuthenticator : the authenticator implements the Kerberos
SPNEGO authentication sequence.
- * PseudoAuthenticator : the authenticator implementation provides an
authentication equivalent to Hadoop's Simple authentication, it trusts the
value of the 'user.name' Java System property.
+ * PseudoAuthenticator : the authenticator implementation provides an
authentication equivalent to Hadoop's Simple
+ authentication, it trusts the value of the 'user.name' Java System property.
2. =org.apache.hadoop.security.authentication.server.AuthenticationHandler:=
Interface for server authentication mechanisms.
* KerberosAuthenticationHandler : the authenticator handler implements
the Kerberos SPNEGO authentication mechanism for HTTP.
- * PseudoAuthenticationHandler : the authenticator handler provides a
pseudo authentication mechanism that accepts the user name specified as a query
string parameter.
* AltKerberosAuthenticationHandler: the authenticator handler allows for
Kerberos SPNEGO authentication for non-browsers and an alternate form of
authentication for browsers. A subclass must implement the alternate
authentication (see [[ENG_Custom_Authentication#LoginServerExample][Example
Login Server]])
+ * PseudoAuthenticationHandler : the authenticator handler provides a
pseudo authentication mechanism that accepts the user
+ name specified as a query string parameter.
-3. =org.apache.hadoop.security.authentication.server.AuthenticationFilter:= A
servlet filter enables protecting web application resources with different
authentication mechanisms provided by AuthenticationHandler. To enable the
filter, web application resources file (ex. web.xml) needs to include a filter
class derived from =AuthenticationFilter=.
+3. =org.apache.hadoop.security.authentication.server.AuthenticationFilter:= A
servlet filter enables protecting web application
+resources with different authentication mechanisms provided by
AuthenticationHandler. To enable the filter, web application
+resources file (ex. web.xml) needs to include a filter class derived from
=AuthenticationFilter=.
----++ Provide Custom Client Authenticator
-
-In client side, a custom authentication requires a extended =Authenticator= to
retrieve authentication token or certificate and set it to 'token' instance in
method 'authenticate()'.
-
-The following methods should be overridden by derived Authenticator.
-<verbatim>
-
- public void authenticate(URL url, AuthenticatedURL.Token token)
- throws IOException, AuthenticationException {
-
- TheAuthenticatorConf conf = TheAuthenticatorConf();
-
- HttpURLConnection conn = (HttpURLConnection)
url.openConnection();
- conn.setRequestMethod("OPTIONS");
-
- //Depending on actual authenticationovide Custom Authentication
to Oozie Server
-
-Eclipse and IntelliJ can use directly MiniOozie Maven project files. MiniOozie
project can be imported to
-Eclipse and IntelliJ as independent project.
-
-overridden methods
-<verbatim>
- mechanism, retrieve the cert string or token.
- String encodedStr = URLEncoder.encode(aCertString, "UTF-8");
- // set to cookie with a key that can be recognized later in the
server side.
- conn.addRequestProperty("Cookie", "NEWAUTH=" + encodedStr);
-
- // extract token from connection and set to token
- AuthenticatedURL.extractToken(conn, token);
-
- }
-</verbatim>
-
-The following shows an example of a singleton class which can be used at a
class of Authenticator to set and get configuration which is required for
authentication purpose.
-
-<verbatim>
- public static class TheAuthenticatorConf {
- private static final TheAuthenticatorConf instance = new
TheAuthenticatorConf();
- private final Map<String, String> map = new HashMap<String,
String>();
-
- private TheAuthenticatorConf() {
- }
-
- public static TheAuthenticatorConf getInstance() {
- return instance;
- }
-
- public void put(String key, String value) {
- map.put(key, value);
- }
-
- public String get(String key) {
- return map.get(key);
- }
-
- public void clear() {
- map.clear();
- }
- }
-</verbatim>
+For more information have a look at the appropriate
+[[https://hadoop.apache.org/docs/r2.7.2/hadoop-auth/index.html][Hadoop
documentation]].
---++ Provide Custom Authentication to Oozie Client
-Apache Oozie contains a default class
=org.apache.oozie.client.AuthOozieClient= to support Kerberos HTTP SPNEGO
authentication, pseudo/simple authentication and anonymous access for client
connections.
+Apache Oozie contains a default class
=org.apache.oozie.client.AuthOozieClient= to support Kerberos HTTP SPNEGO
authentication,
+pseudo/simple authentication and anonymous access for client connections.
-To provide other authentication mechanisms, a Oozie client should extend from
=AuthOozieClient= and provide the following methods should be overridden by
derived classes to provide custom authentication:
+To provide other authentication mechanisms, an Oozie client should extend from
=AuthOozieClient= and provide the following
+methods should be overridden by derived classes to provide custom
authentication:
* getAuthenticator() : return corresponding Authenticator based on value
specified by user at =auth= command option.
- * createConnection() : create a singleton class at Authenticator to allow
client set and get key-value configuration for authentication.
-
----++ Provide Custom Server AuthenticationHandler
-
-In server side, a custom authentication requires a extended
AuthenticationHandler to retrieve authentication token or certificate from http
request and verify it. After successful verification, an =AuthenticationToken=
is created with user name and current authentication type. With this token,
this request can be proceeded for response.
-
-The following methods should be overridden by derived AuthenticationHandler.
-<verbatim>
-
- public AuthenticationToken authenticate(HttpServletRequest request,
HttpServletResponse response)
- throws IOException, AuthenticationException {
-
- // the certificate or token can be retrieved from request and
verified.
-
- // use the information from the legal certificate or token to
create AuthenticationToken
- AuthenticationToken token = new AuthenticationToken(userName,
principal, type);
-
- return token;
- }
-</verbatim>
+ * createConnection() : create a singleton class at Authenticator to allow
client set and get key-value configuration for
+ authentication.
---++ Provide Custom Authentication to Oozie Server
-To accept custom authentication in Oozie server, a filter extends from
AuthenticationFilter must be provided. This filter delegates to the configured
authentication handler for authentication and once it obtains an
=AuthenticationToken= from it, sets a signed HTTP cookie with the token. If
HTTP cookie is provided with different key name, its cookie value can be
retrieved by overriding =getToken()= method. Please note, only when
=getToken()= return NULL, a custom authentication can be invoked and processed
in =AuthenticationFilter.doFilter()=.
+To accept custom authentication in Oozie server, a filter extends from
AuthenticationFilter must be provided. This filter
+delegates to the configured authentication handler for authentication and once
it obtains an =AuthenticationToken= from it, sets
+a signed HTTP cookie with the token. If HTTP cookie is provided with different
key name, its cookie value can be retrieved by
+overriding =getToken()= method. Please note, only when =getToken()= return
NULL, a custom authentication can be invoked and
+processed in =AuthenticationFilter.doFilter()=.
The following method explains how to read it and return NULL token.
<verbatim>
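Review bot: The deletion of the "Provide Custom Server AuthenticationHandler" section and of the client authenticate() example goes beyond the formatting fix named in the commit title, and it leaves dangling text behind. The kept bullet "createConnection() : create a singleton class at Authenticator to allow client set and get key-value configuration" still refers to the singleton whose only example (TheAuthenticatorConf) is removed in this hunk. The page also no longer says that a custom handler has to retrieve the token or certificate from the HTTP request and verify it before creating an AuthenticationToken. Suggest keeping a one-sentence statement of that verification step next to the new Hadoop documentation link, and rewording the createConnection() bullet so it does not depend on the removed example. Two smaller points: the rewrapped sentence "should extend from =AuthOozieClient= and provide the following methods should be overridden by derived classes" is still ungrammatical after the "a Oozie" to "an Oozie" fix, and the new link is pinned to r2.7.2, so it is worth confirming that this matches the hadoop-auth version the branch documents.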
http://git-wip-us.apache.org/repos/asf/oozie/blob/636e434e/release-log.txt
----------------------------------------------------------------------
diff --git a/release-log.txt b/release-log.txt
index f831645..0995972 100644
--- a/release-log.txt
+++ b/release-log.txt
@@ -1,5 +1,6 @@
-- Oozie 4.3.1 release
+OOZIE-2825 Custom Authentication doc page is not well formatted (Jan Hentschel
via rkanter)
OOZIE-2747 README.txt is out of date (Jan Hentschel via rkanter)
OOZIE-2923 Improve Spark options parsing (andras.piros via gezapeti)
OOZIE-2886 Ensure consistent versioning of hadoop jars in sharelibs (dbist13
via rkanter)