Repository: sqoop Updated Branches: refs/heads/sqoop2 f4beb543e -> bca7671f8
SQOOP-2002: Sqoop2: Refactor existing security component (Richard Zhou via Abraham Elmahrek) Project: http://git-wip-us.apache.org/repos/asf/sqoop/repo Commit: http://git-wip-us.apache.org/repos/asf/sqoop/commit/bca7671f Tree: http://git-wip-us.apache.org/repos/asf/sqoop/tree/bca7671f Diff: http://git-wip-us.apache.org/repos/asf/sqoop/diff/bca7671f Branch: refs/heads/sqoop2 Commit: bca7671f852192275b412d9f62ff90f4d1e943f5 Parents: f4beb54 Author: Abraham Elmahrek <[email protected]> Authored: Mon Jan 12 10:11:34 2015 -0800 Committer: Abraham Elmahrek <[email protected]> Committed: Mon Jan 12 10:11:34 2015 -0800 ---------------------------------------------------------------------- .../sqoop/security/AuthenticationConstants.java | 109 ------------------ .../sqoop/security/AuthenticationError.java | 58 ---------- .../security/AuthenticationHandlerFactory.java | 46 -------- .../sqoop/security/AuthenticationManager.java | 6 +- .../sqoop/security/SecurityConstants.java | 114 +++++++++++++++++++ .../apache/sqoop/security/SecurityError.java | 58 ++++++++++ .../apache/sqoop/security/SecurityFactory.java | 46 ++++++++ dist/src/main/server/conf/sqoop.properties | 26 ++--- docs/src/site/sphinx/SecurityGuideOnSqoop2.rst | 6 +- .../KerberosAuthenticationHandler.java | 90 +++++++++++++++ .../SimpleAuthenticationHandler.java | 43 +++++++ .../security/KerberosAuthenticationHandler.java | 87 -------------- .../security/SimpleAuthenticationHandler.java | 41 ------- .../sqoop/filter/SqoopAuthenticationFilter.java | 35 +++--- 14 files changed, 387 insertions(+), 378 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/sqoop/blob/bca7671f/core/src/main/java/org/apache/sqoop/security/AuthenticationConstants.java ---------------------------------------------------------------------- 
diff --git a/core/src/main/java/org/apache/sqoop/security/AuthenticationConstants.java b/core/src/main/java/org/apache/sqoop/security/AuthenticationConstants.java deleted file mode 100644 index ec2f32d..0000000 --- a/core/src/main/java/org/apache/sqoop/security/AuthenticationConstants.java +++ /dev/null 
@@ -1,109 +0,0 @@ -/** - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package org.apache.sqoop.security; - -import org.apache.sqoop.core.ConfigurationConstants; - -/** - * Constants that are used in authentication module. - */ -public final class AuthenticationConstants { - - /** - * All authentication related configuration is prefixed with this: - * <tt>org.apache.sqoop.authentication.</tt> - */ - public static final String PREFIX_AUTHENTICATION_CONFIG = - ConfigurationConstants.PREFIX_GLOBAL_CONFIG + "authentication."; - - /** - * The config specifies the sqoop authentication type (SIMPLE, KERBEROS). - * The default type is SIMPLE - * <tt>org.apache.sqoop.authentication.type</tt>. - */ - public static final String AUTHENTICATION_TYPE = - PREFIX_AUTHENTICATION_CONFIG + "type"; - - /** - * The config specifies the sqoop authentication handler class. - * The default type is org.apache.sqoop.security.SimpleAuthenticationHandler - * <tt>org.apache.sqoop.authentication.handler</tt>. - */ - public static final String AUTHENTICATION_HANDLER = - PREFIX_AUTHENTICATION_CONFIG + "handler"; - - /** - * The config enables or disables anonymous authentication. - * <tt>org.apache.sqoop.authentication.anonymous</tt>. 
- */ - public static final String AUTHENTICATION_ANONYMOUS = - PREFIX_AUTHENTICATION_CONFIG + "anonymous"; - - /** - * All kerberos authentication related configuration is prefixed with this: - * <tt>org.apache.sqoop.authentication.kerberos.</tt> - */ - public static final String PREFIX_AUTHENTICATION_KERBEROS_CONFIG = - PREFIX_AUTHENTICATION_CONFIG + "kerberos."; - - /** - * The config specifies the kerberos principal. - * <tt>org.apache.sqoop.authentication.kerberos.principal</tt>. - */ - public static final String AUTHENTICATION_KERBEROS_PRINCIPAL = - PREFIX_AUTHENTICATION_KERBEROS_CONFIG + "principal"; - - /** - * The config specifies the kerberos keytab. - * <tt>org.apache.sqoop.authentication.kerberos.principal</tt>. - */ - public static final String AUTHENTICATION_KERBEROS_KEYTAB = - PREFIX_AUTHENTICATION_KERBEROS_CONFIG + "keytab"; - - /** - * All kerberos authentication for http related configuration is prefixed with this: - * <tt>org.apache.sqoop.authentication.kerberos.http.</tt> - */ - public static final String PREFIX_AUTHENTICATION_KERBEROS_HTTP_CONFIG = - PREFIX_AUTHENTICATION_KERBEROS_CONFIG + "http."; - - /** - * The config specifies the kerberos principal for http. - * <tt>org.apache.sqoop.authentication.kerberos.http.principal</tt>. - */ - public static final String AUTHENTICATION_KERBEROS_HTTP_PRINCIPAL = - PREFIX_AUTHENTICATION_KERBEROS_HTTP_CONFIG + "principal"; - - /** - * The config specifies the kerberos keytab for http. - * <tt>org.apache.sqoop.authentication.kerberos.http.principal</tt>. - */ - public static final String AUTHENTICATION_KERBEROS_HTTP_KEYTAB = - PREFIX_AUTHENTICATION_KERBEROS_HTTP_CONFIG + "keytab"; - - /** - * The config specifies the token kind in delegation token. 
- */ - public static final String TOKEN_KIND = "sqoop_token_kind"; - - public static enum TYPE {SIMPLE, KERBEROS} - - private AuthenticationConstants() { - // Instantiation of this class is prohibited - } -} http://git-wip-us.apache.org/repos/asf/sqoop/blob/bca7671f/core/src/main/java/org/apache/sqoop/security/AuthenticationError.java ---------------------------------------------------------------------- diff --git a/core/src/main/java/org/apache/sqoop/security/AuthenticationError.java b/core/src/main/java/org/apache/sqoop/security/AuthenticationError.java deleted file mode 100644 index abb5c90..0000000 --- a/core/src/main/java/org/apache/sqoop/security/AuthenticationError.java +++ /dev/null 
@@ -1,58 +0,0 @@ -/** - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package org.apache.sqoop.security; - -import org.apache.sqoop.common.ErrorCode; - -public enum AuthenticationError implements ErrorCode { - - /** An unknown error has occurred. */ - AUTH_0000("An unknown error has occurred"), - - /** The system was not able to find Kerberos keytab in sqoop configuration. */ - AUTH_0001("Unable to find Kerberos keytab"), - - /** The system was not able to find Kerberos principal in sqoop configuration. */ - AUTH_0002("Unable to find Kerberos principal"), - - /** The system was not able to login using Kerberos keytab and principal in sqoop configuration. */ - AUTH_0003("Unable to login using Kerberos keytab and principal"), - - /** Invalid authentication type {simple, Kerberos}. */ - AUTH_0004("Invalid authentication type"), - - /** The system was not able to find Kerberos keytab for http in sqoop configuration. */ - AUTH_0005("Unable to find Kerberos keytab for http"), - - /** The system was not able to find Kerberos principal for http in sqoop configuration. 
*/ - AUTH_0006("Unable to find Kerberos principal for http"); - - private final String message; - - private AuthenticationError(String message) { - this.message = message; - } - - public String getCode() { - return name(); - } - - public String getMessage() { - return message; - } -} http://git-wip-us.apache.org/repos/asf/sqoop/blob/bca7671f/core/src/main/java/org/apache/sqoop/security/AuthenticationHandlerFactory.java ---------------------------------------------------------------------- diff --git a/core/src/main/java/org/apache/sqoop/security/AuthenticationHandlerFactory.java b/core/src/main/java/org/apache/sqoop/security/AuthenticationHandlerFactory.java deleted file mode 100644 index b62fe18..0000000 --- a/core/src/main/java/org/apache/sqoop/security/AuthenticationHandlerFactory.java +++ /dev/null 
@@ -1,46 +0,0 @@ -/** - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package org.apache.sqoop.security; - -import org.apache.sqoop.common.SqoopException; -import org.apache.sqoop.utils.ClassUtils; - -/** - * Create authentication manager. - */ -public class AuthenticationHandlerFactory { - - public static AuthenticationHandler getAuthenticationHandler(String handler) throws ClassNotFoundException, IllegalAccessException, InstantiationException { - - Class<?> handlerClass = ClassUtils.loadClass(handler); - - if (handlerClass == null) { - throw new SqoopException(AuthenticationError.AUTH_0004, - "Authentication Handler Class: " + handler); - } - - AuthenticationHandler newHandler; - try { - newHandler = (AuthenticationHandler) handlerClass.newInstance(); - } catch (Exception ex) { - throw new SqoopException(AuthenticationError.AUTH_0004, - "Authentication Handler Class: " + handler, ex); - } - return newHandler; - } -} \ No newline at end of file http://git-wip-us.apache.org/repos/asf/sqoop/blob/bca7671f/core/src/main/java/org/apache/sqoop/security/AuthenticationManager.java ---------------------------------------------------------------------- 
diff --git a/core/src/main/java/org/apache/sqoop/security/AuthenticationManager.java b/core/src/main/java/org/apache/sqoop/security/AuthenticationManager.java index a014ab3..228b9e7 100644 --- a/core/src/main/java/org/apache/sqoop/security/AuthenticationManager.java +++ b/core/src/main/java/org/apache/sqoop/security/AuthenticationManager.java @@ -31,7 +31,7 @@ public class AuthenticationManager implements Reconfigurable { /** * Default authentication handler */ - public static final String DEFAULT_AUTHENTICATION_HANDLER = "org.apache.sqoop.security.SimpleAuthenticationHandler"; + public static final String DEFAULT_AUTHENTICATION_HANDLER = "org.apache.sqoop.security.Authentication.SimpleAuthenticationHandler"; /** @@ -92,9 +92,9 @@ public class AuthenticationManager implements Reconfigurable { } String handler = SqoopConfiguration.getInstance().getContext().getString( - AuthenticationConstants.AUTHENTICATION_HANDLER, + SecurityConstants.AUTHENTICATION_HANDLER, DEFAULT_AUTHENTICATION_HANDLER).trim(); - authenticationHandler = AuthenticationHandlerFactory.getAuthenticationHandler(handler); + authenticationHandler = SecurityFactory.getAuthenticationHandler(handler); authenticationHandler.doInitialize(); authenticationHandler.secureLogin(); http://git-wip-us.apache.org/repos/asf/sqoop/blob/bca7671f/core/src/main/java/org/apache/sqoop/security/SecurityConstants.java ---------------------------------------------------------------------- diff --git a/core/src/main/java/org/apache/sqoop/security/SecurityConstants.java b/core/src/main/java/org/apache/sqoop/security/SecurityConstants.java new file mode 100644 index 0000000..a00573a --- /dev/null +++ b/core/src/main/java/org/apache/sqoop/security/SecurityConstants.java 
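Review bot: The second AuthenticationManager hunk keeps `getString(SecurityConstants.AUTHENTICATION_HANDLER, DEFAULT_AUTHENTICATION_HANDLER)`, so once the key moves to `org.apache.sqoop.security.authentication.handler`, a server whose sqoop.properties still carries the old `org.apache.sqoop.authentication.*` keys would start with the simple handler and raise no error. That is a silent drop from Kerberos to simple/pseudo authentication on upgrade. Initialization should fail, or at least log a warning, when any key under the old prefix is still present in the context. The SecurityGuideOnSqoop2.rst hunks in this commit still show the old key prefix, so following the guide would reproduce this state. The enclosing method starts and ends outside the hunk.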
@@ -0,0 +1,114 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.sqoop.security; + +import org.apache.sqoop.core.ConfigurationConstants; + +/** + * Constants that are used in authentication module. + */ +public final class SecurityConstants { + /** + * All security related configuration is prefixed with this: + * <tt>org.apache.sqoop.security.</tt> + */ + public static final String PREFIX_SECURITY_CONFIG = + ConfigurationConstants.PREFIX_GLOBAL_CONFIG + "security."; + /** + * All authentication related configuration is prefixed with this: + * <tt>org.apache.sqoop.security.authentication.</tt> + */ + public static final String PREFIX_AUTHENTICATION_CONFIG = + PREFIX_SECURITY_CONFIG + "authentication."; + + /** + * The config specifies the sqoop authentication type (SIMPLE, KERBEROS). + * The default type is SIMPLE + * <tt>org.apache.sqoop.security.authentication.type</tt>. + */ + public static final String AUTHENTICATION_TYPE = + PREFIX_AUTHENTICATION_CONFIG + "type"; + + /** + * The config specifies the sqoop authentication handler class. + * The default type is org.apache.sqoop.security.SimpleAuthenticationHandler + * <tt>org.apache.sqoop.security.authentication.handler</tt>. 
+ */ + public static final String AUTHENTICATION_HANDLER = + PREFIX_AUTHENTICATION_CONFIG + "handler"; + + /** + * The config enables or disables anonymous authentication. + * <tt>org.apache.sqoop.security.authentication.anonymous</tt>. + */ + public static final String AUTHENTICATION_ANONYMOUS = + PREFIX_AUTHENTICATION_CONFIG + "anonymous"; + + /** + * All kerberos authentication related configuration is prefixed with this: + * <tt>org.apache.security.sqoop.authentication.kerberos.</tt> + */ + public static final String PREFIX_AUTHENTICATION_KERBEROS_CONFIG = + PREFIX_AUTHENTICATION_CONFIG + "kerberos."; + + /** + * The config specifies the kerberos principal. + * <tt>org.apache.sqoop.security.authentication.kerberos.principal</tt>. + */ + public static final String AUTHENTICATION_KERBEROS_PRINCIPAL = + PREFIX_AUTHENTICATION_KERBEROS_CONFIG + "principal"; + + /** + * The config specifies the kerberos keytab. + * <tt>org.apache.sqoop.security.authentication.kerberos.principal</tt>. + */ + public static final String AUTHENTICATION_KERBEROS_KEYTAB = + PREFIX_AUTHENTICATION_KERBEROS_CONFIG + "keytab"; + + /** + * All kerberos authentication for http related configuration is prefixed with this: + * <tt>org.apache.sqoop.security.authentication.kerberos.http.</tt> + */ + public static final String PREFIX_AUTHENTICATION_KERBEROS_HTTP_CONFIG = + PREFIX_AUTHENTICATION_KERBEROS_CONFIG + "http."; + + /** + * The config specifies the kerberos principal for http. + * <tt>org.apache.sqoop.security.authentication.kerberos.http.principal</tt>. + */ + public static final String AUTHENTICATION_KERBEROS_HTTP_PRINCIPAL = + PREFIX_AUTHENTICATION_KERBEROS_HTTP_CONFIG + "principal"; + + /** + * The config specifies the kerberos keytab for http. + * <tt>org.apache.sqoop.security.authentication.kerberos.http.principal</tt>. 
+ */ + public static final String AUTHENTICATION_KERBEROS_HTTP_KEYTAB = + PREFIX_AUTHENTICATION_KERBEROS_HTTP_CONFIG + "keytab"; + + /** + * The config specifies the token kind in delegation token. + */ + public static final String TOKEN_KIND = "sqoop_token_kind"; + + public static enum TYPE {SIMPLE, KERBEROS} + + private SecurityConstants() { + // Instantiation of this class is prohibited + } +} http://git-wip-us.apache.org/repos/asf/sqoop/blob/bca7671f/core/src/main/java/org/apache/sqoop/security/SecurityError.java ---------------------------------------------------------------------- diff --git a/core/src/main/java/org/apache/sqoop/security/SecurityError.java b/core/src/main/java/org/apache/sqoop/security/SecurityError.java new file mode 100644 index 0000000..e4ba221 --- /dev/null +++ b/core/src/main/java/org/apache/sqoop/security/SecurityError.java 
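Review bot: Several Javadoc key names in the new SecurityConstants do not match the constants they document, which matters because operators copy these strings into sqoop.properties. `AUTHENTICATION_KERBEROS_KEYTAB` and `AUTHENTICATION_KERBEROS_HTTP_KEYTAB` are documented as `...kerberos.principal` and `...kerberos.http.principal` but resolve to `...kerberos.keytab` and `...kerberos.http.keytab`. The Kerberos prefix comment reads `org.apache.security.sqoop.authentication.kerberos.` instead of `org.apache.sqoop.security.authentication.kerberos.`. The handler comment still names `org.apache.sqoop.security.SimpleAuthenticationHandler` as the default, although AuthenticationManager now defaults to `org.apache.sqoop.security.Authentication.SimpleAuthenticationHandler`. The class comment could read `Constants that are used in the security module.` to match the new name.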
@@ -0,0 +1,58 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.sqoop.security; + +import org.apache.sqoop.common.ErrorCode; + +public enum SecurityError implements ErrorCode { + + /** An unknown error has occurred. */ + AUTH_0000("An unknown error has occurred"), + + /** The system was not able to find Kerberos keytab in sqoop configuration. */ + AUTH_0001("Unable to find Kerberos keytab"), + + /** The system was not able to find Kerberos principal in sqoop configuration. */ + AUTH_0002("Unable to find Kerberos principal"), + + /** The system was not able to login using Kerberos keytab and principal in sqoop configuration. */ + AUTH_0003("Unable to login using Kerberos keytab and principal"), + + /** Invalid authentication type {simple, Kerberos}. */ + AUTH_0004("Invalid authentication type"), + + /** The system was not able to find Kerberos keytab for http in sqoop configuration. */ + AUTH_0005("Unable to find Kerberos keytab for http"), + + /** The system was not able to find Kerberos principal for http in sqoop configuration. 
*/ + AUTH_0006("Unable to find Kerberos principal for http"); + + private final String message; + + private SecurityError(String message) { + this.message = message; + } + + public String getCode() { + return name(); + } + + public String getMessage() { + return message; + } +} http://git-wip-us.apache.org/repos/asf/sqoop/blob/bca7671f/core/src/main/java/org/apache/sqoop/security/SecurityFactory.java ---------------------------------------------------------------------- diff --git a/core/src/main/java/org/apache/sqoop/security/SecurityFactory.java b/core/src/main/java/org/apache/sqoop/security/SecurityFactory.java new file mode 100644 index 0000000..3e6df67 --- /dev/null +++ b/core/src/main/java/org/apache/sqoop/security/SecurityFactory.java 
@@ -0,0 +1,46 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.sqoop.security; + +import org.apache.sqoop.common.SqoopException; +import org.apache.sqoop.utils.ClassUtils; + +/** + * Create authentication manager. + */ +public class SecurityFactory { + + public static AuthenticationHandler getAuthenticationHandler(String handler) throws ClassNotFoundException, IllegalAccessException, InstantiationException { + + Class<?> handlerClass = ClassUtils.loadClass(handler); + + if (handlerClass == null) { + throw new SqoopException(SecurityError.AUTH_0004, + "Authentication Handler Class: " + handler); + } + + AuthenticationHandler newHandler; + try { + newHandler = (AuthenticationHandler) handlerClass.newInstance(); + } catch (Exception ex) { + throw new SqoopException(SecurityError.AUTH_0004, + "Authentication Handler Class: " + handler, ex); + } + return newHandler; + } +} \ No newline at end of file http://git-wip-us.apache.org/repos/asf/sqoop/blob/bca7671f/dist/src/main/server/conf/sqoop.properties ---------------------------------------------------------------------- 
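Review bot: In getAuthenticationHandler, `handlerClass.newInstance()` runs the constructor of whatever class the configuration names before the cast to AuthenticationHandler is evaluated, so an unexpected class is instantiated first and rejected only afterwards. Checking the type before instantiating avoids that: `if (!AuthenticationHandler.class.isAssignableFrom(handlerClass)) { throw new SqoopException(SecurityError.AUTH_0004, "Authentication Handler Class: " + handler); }`. The class comment `Create authentication manager.` should say that it creates the authentication handler. The `throws` clause also looks unreachable given the `catch (Exception ex)`, unless ClassUtils.loadClass declares those exceptions.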
diff --git a/dist/src/main/server/conf/sqoop.properties b/dist/src/main/server/conf/sqoop.properties index 2ae1aba..e22e8b0 100755 --- a/dist/src/main/server/conf/sqoop.properties +++ b/dist/src/main/server/conf/sqoop.properties 
@@ -144,16 +144,16 @@ org.apache.sqoop.execution.engine=org.apache.sqoop.execution.mapreduce.Mapreduce # # Authentication configuration # -#org.apache.sqoop.authentication.type=SIMPLE -#org.apache.sqoop.authentication.handler=org.apache.sqoop.security.SimpleAuthenticationHandler -#org.apache.sqoop.authentication.anonymous=true -#org.apache.sqoop.authentication.type=KERBEROS -#org.apache.sqoop.authentication.handler=org.apache.sqoop.security.KerberosAuthenticationHandler -#org.apache.sqoop.authentication.kerberos.principal=sqoop/_HOST@NOVALOCAL -#org.apache.sqoop.authentication.kerberos.keytab=/home/kerberos/sqoop.keytab -#org.apache.sqoop.authentication.kerberos.http.principal=HTTP/_HOST@NOVALOCAL -#org.apache.sqoop.authentication.kerberos.http.keytab=/home/kerberos/sqoop.keytab -#org.apache.sqoop.authentication.enable.doAs=true -#org.apache.sqoop.authentication.proxyuser.#USER#.users=* -#org.apache.sqoop.authentication.proxyuser.#USER#.groups=* -#org.apache.sqoop.authentication.proxyuser.#USER#.hosts=* \ No newline at end of file +#org.apache.sqoop.security.authentication.type=SIMPLE +#org.apache.sqoop.security.authentication.handler=org.apache.sqoop.security.Authentication.SimpleAuthenticationHandler +#org.apache.sqoop.security.authentication.anonymous=true +#org.apache.sqoop.security.authentication.type=KERBEROS +#org.apache.sqoop.security.authentication.handler=org.apache.sqoop.security.Authentication.KerberosAuthenticationHandler +#org.apache.sqoop.security.authentication.kerberos.principal=sqoop/_HOST@NOVALOCAL +#org.apache.sqoop.security.authentication.kerberos.keytab=/home/kerberos/sqoop.keytab +#org.apache.sqoop.security.authentication.kerberos.http.principal=HTTP/_HOST@NOVALOCAL +#org.apache.sqoop.security.authentication.kerberos.http.keytab=/home/kerberos/sqoop.keytab +#org.apache.sqoop.security.authentication.enable.doAs=true +#org.apache.sqoop.security.authentication.proxyuser.#USER#.users=* 
+#org.apache.sqoop.security.authentication.proxyuser.#USER#.groups=* +#org.apache.sqoop.security.authentication.proxyuser.#USER#.hosts=* \ No newline at end of file http://git-wip-us.apache.org/repos/asf/sqoop/blob/bca7671f/docs/src/site/sphinx/SecurityGuideOnSqoop2.rst ---------------------------------------------------------------------- diff --git a/docs/src/site/sphinx/SecurityGuideOnSqoop2.rst b/docs/src/site/sphinx/SecurityGuideOnSqoop2.rst index 8f9520e..c38e276 100644 --- a/docs/src/site/sphinx/SecurityGuideOnSqoop2.rst +++ b/docs/src/site/sphinx/SecurityGuideOnSqoop2.rst @@ -30,7 +30,7 @@ Modify Sqoop configuration file, normally in <Sqoop Folder>/server/config/sqoop. :: org.apache.sqoop.authentication.type=SIMPLE - org.apache.sqoop.authentication.handler=org.apache.sqoop.security.SimpleAuthenticationHandler + org.apache.sqoop.authentication.handler=org.apache.sqoop.security.Authentication.SimpleAuthenticationHandler org.apache.sqoop.anonymous=true - Simple authentication is used by default. Commenting out authentication configuration will yield the use of simple authentication. @@ -88,7 +88,7 @@ Modify Sqoop configuration file, normally in <Sqoop Folder>/server/config/sqoop. :: org.apache.sqoop.authentication.type=KERBEROS - org.apache.sqoop.authentication.handler=org.apache.sqoop.security.KerberosAuthenticationHandler + org.apache.sqoop.authentication.handler=org.apache.sqoop.security.Authentication.KerberosAuthenticationHandler org.apache.sqoop.authentication.kerberos.principal=sqoop/_HOST@<REALM> org.apache.sqoop.authentication.kerberos.keytab=/home/kerberos/sqoop.keytab org.apache.sqoop.authentication.kerberos.http.principal=HTTP/_HOST@<REALM> 
@@ -132,7 +132,7 @@ If the Sqoop server has started successfully with Kerberos authentication, the f :: - 2014-12-04 15:02:58,038 INFO security.KerberosAuthenticationHandler [org.apache.sqoop.security.KerberosAuthenticationHandler.secureLogin(KerberosAuthenticationHandler.java:84)] Using Kerberos authentication, principal [sqoop/[email protected]] keytab [/home/kerberos/sqoop.keytab] + 2014-12-04 15:02:58,038 INFO security.KerberosAuthenticationHandler [org.apache.sqoop.security.Authentication.KerberosAuthenticationHandler.secureLogin(KerberosAuthenticationHandler.java:84)] Using Kerberos authentication, principal [sqoop/[email protected]] keytab [/home/kerberos/sqoop.keytab] If the Sqoop client was able to communicate with the Sqoop server, the following will be in <Sqoop Folder>/server/log/catalina.out: http://git-wip-us.apache.org/repos/asf/sqoop/blob/bca7671f/security/src/main/java/org/apache/sqoop/security/Authentication/KerberosAuthenticationHandler.java ---------------------------------------------------------------------- diff --git a/security/src/main/java/org/apache/sqoop/security/Authentication/KerberosAuthenticationHandler.java b/security/src/main/java/org/apache/sqoop/security/Authentication/KerberosAuthenticationHandler.java new file mode 100644 index 0000000..db89a2d --- /dev/null +++ b/security/src/main/java/org/apache/sqoop/security/Authentication/KerberosAuthenticationHandler.java 
@@ -0,0 +1,90 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.sqoop.security.Authentication; + +import org.apache.hadoop.conf.Configuration; +import org.apache.hadoop.security.SecurityUtil; +import org.apache.hadoop.security.UserGroupInformation; +import org.apache.log4j.Logger; +import org.apache.sqoop.common.MapContext; +import org.apache.sqoop.common.SqoopException; +import org.apache.sqoop.core.SqoopConfiguration; +import org.apache.sqoop.security.AuthenticationHandler; +import org.apache.sqoop.security.SecurityConstants; +import org.apache.sqoop.security.SecurityError; + +import java.io.IOException; + +public class KerberosAuthenticationHandler extends AuthenticationHandler { + + private static final Logger LOG = Logger.getLogger(KerberosAuthenticationHandler.class); + + /** + * Principal for Kerberos option value + */ + private String keytabPrincipal; + + public String getKeytabPrincipal() { + return keytabPrincipal; + } + + /** + * Keytab for Kerberos option value + */ + private String keytabFile; + + public String getKeytabFile() { + return keytabFile; + } + + public void doInitialize() { + securityEnabled = true; + } + + public void secureLogin() { + MapContext mapContext = 
SqoopConfiguration.getInstance().getContext(); + String keytab = mapContext.getString( + SecurityConstants.AUTHENTICATION_KERBEROS_KEYTAB).trim(); + if (keytab.length() == 0) { + throw new SqoopException(SecurityError.AUTH_0001, + SecurityConstants.AUTHENTICATION_KERBEROS_KEYTAB); + } + keytabFile = keytab; + + String principal = mapContext.getString( + SecurityConstants.AUTHENTICATION_KERBEROS_PRINCIPAL).trim(); + if (principal.length() == 0) { + throw new SqoopException(SecurityError.AUTH_0002, + SecurityConstants.AUTHENTICATION_KERBEROS_PRINCIPAL); + } + keytabPrincipal = principal; + + Configuration conf = new Configuration(); + conf.set(get_hadoop_security_authentication(), + SecurityConstants.TYPE.KERBEROS.name()); + UserGroupInformation.setConfiguration(conf); + try { + String hostPrincipal = SecurityUtil.getServerPrincipal(principal, "0.0.0.0"); + UserGroupInformation.loginUserFromKeytab(hostPrincipal, keytab); + } catch (IOException ex) { + throw new SqoopException(SecurityError.AUTH_0003, ex); + } + LOG.info("Using Kerberos authentication, principal [" + + principal + "] keytab [" + keytab + "]"); + } +} \ No newline at end of file http://git-wip-us.apache.org/repos/asf/sqoop/blob/bca7671f/security/src/main/java/org/apache/sqoop/security/Authentication/SimpleAuthenticationHandler.java ---------------------------------------------------------------------- diff --git a/security/src/main/java/org/apache/sqoop/security/Authentication/SimpleAuthenticationHandler.java b/security/src/main/java/org/apache/sqoop/security/Authentication/SimpleAuthenticationHandler.java new file mode 100644 index 0000000..94f0feb --- /dev/null +++ b/security/src/main/java/org/apache/sqoop/security/Authentication/SimpleAuthenticationHandler.java 
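Review bot: In secureLogin, `mapContext.getString(SecurityConstants.AUTHENTICATION_KERBEROS_KEYTAB).trim()` is called before the emptiness check, so if getString returns null for an absent key (likely, since no default is passed), a missing keytab or principal surfaces as a NullPointerException rather than AUTH_0001 / AUTH_0002. With the keys renamed in this commit, that is exactly the case an upgraded server with old configuration would hit. Read the value first and test `if (keytab == null || keytab.trim().length() == 0)` before assigning, and do the same for the principal. Separately, the package `org.apache.sqoop.security.Authentication` is capitalised, against Java package naming convention; `authentication` would avoid case-sensitivity surprises in the configured handler class names.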
@@ -0,0 +1,43 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sqoop.security.Authentication;
+
+import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.security.UserGroupInformation;
+import org.apache.log4j.Logger;
+import org.apache.sqoop.security.AuthenticationHandler;
+import org.apache.sqoop.security.SecurityConstants;
+
+public class SimpleAuthenticationHandler extends AuthenticationHandler {
+
+ private static final Logger LOG = Logger.getLogger(SimpleAuthenticationHandler.class);
+
+ public void doInitialize() {
+ securityEnabled = false;
+ }
+
+ public void secureLogin() {
+ //no secureLogin, just set configurations
+ Configuration conf = new Configuration();
+ conf.set(get_hadoop_security_authentication(),
+ SecurityConstants.TYPE.SIMPLE.name());
+ UserGroupInformation.setConfiguration(conf);
+ LOG.info("Using simple/pseudo authentication, principal ["
+ + System.getProperty("user.name") + "]");
+ }
+}
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/sqoop/blob/bca7671f/security/src/main/java/org/apache/sqoop/security/KerberosAuthenticationHandler.java ----------------------------------------------------------------------
diff --git a/security/src/main/java/org/apache/sqoop/security/KerberosAuthenticationHandler.java b/security/src/main/java/org/apache/sqoop/security/KerberosAuthenticationHandler.java
deleted file mode 100644
index 57531b8..0000000
--- a/security/src/main/java/org/apache/sqoop/security/KerberosAuthenticationHandler.java
+++ /dev/null
@@ -1,87 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sqoop.security;
-
-import org.apache.hadoop.conf.Configuration;
-import org.apache.hadoop.security.SecurityUtil;
-import org.apache.hadoop.security.UserGroupInformation;
-import org.apache.log4j.Logger;
-import org.apache.sqoop.common.MapContext;
-import org.apache.sqoop.common.SqoopException;
-import org.apache.sqoop.core.SqoopConfiguration;
-
-import java.io.IOException;
-
-public class KerberosAuthenticationHandler extends AuthenticationHandler {
-
- private static final Logger LOG = Logger.getLogger(KerberosAuthenticationHandler.class);
-
- /**
- * Principal for Kerberos option value
- */
- private String keytabPrincipal;
-
- public String getKeytabPrincipal() {
- return keytabPrincipal;
- }
-
- /**
- * Keytab for Kerberos option value
- */
- private String keytabFile;
-
- public String getKeytabFile() {
- return keytabFile;
- }
-
- public void doInitialize() {
- securityEnabled = true;
- }
-
- public void secureLogin() {
- MapContext mapContext = SqoopConfiguration.getInstance().getContext();
- String keytab = mapContext.getString(
- AuthenticationConstants.AUTHENTICATION_KERBEROS_KEYTAB).trim();
- if (keytab.length() == 0) {
- throw new SqoopException(AuthenticationError.AUTH_0001,
- AuthenticationConstants.AUTHENTICATION_KERBEROS_KEYTAB);
- }
- keytabFile = keytab;
-
- String principal = mapContext.getString(
- AuthenticationConstants.AUTHENTICATION_KERBEROS_PRINCIPAL).trim();
- if (principal.length() == 0) {
- throw new SqoopException(AuthenticationError.AUTH_0002,
- AuthenticationConstants.AUTHENTICATION_KERBEROS_PRINCIPAL);
- }
- keytabPrincipal = principal;
-
- Configuration conf = new Configuration();
- conf.set(get_hadoop_security_authentication(),
- AuthenticationConstants.TYPE.KERBEROS.name());
- UserGroupInformation.setConfiguration(conf);
- try {
- String hostPrincipal = SecurityUtil.getServerPrincipal(principal, "0.0.0.0");
- UserGroupInformation.loginUserFromKeytab(hostPrincipal, keytab);
- } catch (IOException ex) {
- throw new SqoopException(AuthenticationError.AUTH_0003, ex);
- }
- LOG.info("Using Kerberos authentication, principal ["
- + principal + "] keytab [" + keytab + "]");
- }
-}
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/sqoop/blob/bca7671f/security/src/main/java/org/apache/sqoop/security/SimpleAuthenticationHandler.java ----------------------------------------------------------------------
diff --git a/security/src/main/java/org/apache/sqoop/security/SimpleAuthenticationHandler.java b/security/src/main/java/org/apache/sqoop/security/SimpleAuthenticationHandler.java
deleted file mode 100644
index c93ff89..0000000
--- a/security/src/main/java/org/apache/sqoop/security/SimpleAuthenticationHandler.java
+++ /dev/null
@@ -1,41 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sqoop.security;
-
-import org.apache.hadoop.conf.Configuration;
-import org.apache.hadoop.security.UserGroupInformation;
-import org.apache.log4j.Logger;
-
-public class SimpleAuthenticationHandler extends AuthenticationHandler {
-
- private static final Logger LOG = Logger.getLogger(SimpleAuthenticationHandler.class);
-
- public void doInitialize() {
- securityEnabled = false;
- }
-
- public void secureLogin() {
- //no secureLogin, just set configurations
- Configuration conf = new Configuration();
- conf.set(get_hadoop_security_authentication(),
- AuthenticationConstants.TYPE.SIMPLE.name());
- UserGroupInformation.setConfiguration(conf);
- LOG.info("Using simple/pseudo authentication, principal ["
- + System.getProperty("user.name") + "]");
- }
-}
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/sqoop/blob/bca7671f/server/src/main/java/org/apache/sqoop/filter/SqoopAuthenticationFilter.java ----------------------------------------------------------------------
diff --git a/server/src/main/java/org/apache/sqoop/filter/SqoopAuthenticationFilter.java b/server/src/main/java/org/apache/sqoop/filter/SqoopAuthenticationFilter.java index 2b6ef34..ddca9d4 100644 --- a/server/src/main/java/org/apache/sqoop/filter/SqoopAuthenticationFilter.java +++ b/server/src/main/java/org/apache/sqoop/filter/SqoopAuthenticationFilter.java @@ -19,7 +19,6 @@ package org.apache.sqoop.filter; import org.apache.hadoop.conf.Configuration; import org.apache.hadoop.security.SecurityUtil; -import org.apache.hadoop.security.authentication.server.AuthenticationFilter; import org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler; import org.apache.hadoop.security.authentication.server.PseudoAuthenticationHandler; import org.apache.hadoop.security.token.delegation.web.DelegationTokenAuthenticationFilter; @@ -29,8 +28,8 @@ import org.apache.hadoop.security.token.delegation.web.PseudoDelegationTokenAuth import org.apache.sqoop.common.MapContext; import org.apache.sqoop.common.SqoopException; import org.apache.sqoop.core.SqoopConfiguration; -import org.apache.sqoop.security.AuthenticationConstants; -import org.apache.sqoop.security.AuthenticationError; +import org.apache.sqoop.security.SecurityConstants; +import org.apache.sqoop.security.SecurityError; import javax.servlet.FilterConfig; import javax.servlet.ServletException; 
@@ -46,46 +45,46 @@ public class SqoopAuthenticationFilter extends DelegationTokenAuthenticationFilt Properties properties = new Properties(); MapContext mapContext = SqoopConfiguration.getInstance().getContext(); String type = mapContext.getString( - AuthenticationConstants.AUTHENTICATION_TYPE, - AuthenticationConstants.TYPE.SIMPLE.name()).trim(); + SecurityConstants.AUTHENTICATION_TYPE, + SecurityConstants.TYPE.SIMPLE.name()).trim(); - if (type.equalsIgnoreCase(AuthenticationConstants.TYPE.KERBEROS.name())) { + if (type.equalsIgnoreCase(SecurityConstants.TYPE.KERBEROS.name())) { properties.setProperty(AUTH_TYPE, KerberosDelegationTokenAuthenticationHandler.class.getName()); String keytab = mapContext.getString( - AuthenticationConstants.AUTHENTICATION_KERBEROS_HTTP_KEYTAB).trim(); + SecurityConstants.AUTHENTICATION_KERBEROS_HTTP_KEYTAB).trim(); if (keytab.length() == 0) { - throw new SqoopException(AuthenticationError.AUTH_0005, - AuthenticationConstants.AUTHENTICATION_KERBEROS_HTTP_KEYTAB); + throw new SqoopException(SecurityError.AUTH_0005, + SecurityConstants.AUTHENTICATION_KERBEROS_HTTP_KEYTAB); } String principal = mapContext.getString( - AuthenticationConstants.AUTHENTICATION_KERBEROS_HTTP_PRINCIPAL).trim(); + SecurityConstants.AUTHENTICATION_KERBEROS_HTTP_PRINCIPAL).trim(); if (principal.length() == 0) { - throw new SqoopException(AuthenticationError.AUTH_0006, - AuthenticationConstants.AUTHENTICATION_KERBEROS_HTTP_PRINCIPAL); + throw new SqoopException(SecurityError.AUTH_0006, + SecurityConstants.AUTHENTICATION_KERBEROS_HTTP_PRINCIPAL); } String hostPrincipal = ""; try { hostPrincipal = SecurityUtil.getServerPrincipal(principal, "0.0.0.0"); } catch (IOException e) { - throw new SqoopException(AuthenticationError.AUTH_0006, - AuthenticationConstants.AUTHENTICATION_KERBEROS_HTTP_PRINCIPAL); + throw new SqoopException(SecurityError.AUTH_0006, + SecurityConstants.AUTHENTICATION_KERBEROS_HTTP_PRINCIPAL); } 
properties.setProperty(KerberosAuthenticationHandler.PRINCIPAL, hostPrincipal); properties.setProperty(KerberosAuthenticationHandler.KEYTAB, keytab); - } else if (type.equalsIgnoreCase(AuthenticationConstants.TYPE.SIMPLE.name())) { + } else if (type.equalsIgnoreCase(SecurityConstants.TYPE.SIMPLE.name())) { properties.setProperty(AUTH_TYPE, PseudoDelegationTokenAuthenticationHandler.class.getName()); properties.setProperty(PseudoAuthenticationHandler.ANONYMOUS_ALLOWED, - mapContext.getString(AuthenticationConstants.AUTHENTICATION_ANONYMOUS, "true").trim()); + mapContext.getString(SecurityConstants.AUTHENTICATION_ANONYMOUS, "true").trim()); } else { - throw new SqoopException(AuthenticationError.AUTH_0004, type); + throw new SqoopException(SecurityError.AUTH_0004, type); } properties.setProperty(DelegationTokenAuthenticationHandler.TOKEN_KIND, - AuthenticationConstants.TOKEN_KIND); + SecurityConstants.TOKEN_KIND); return properties; }
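Review bot: Both configuration fallbacks in this hunk fail open: a missing `SecurityConstants.AUTHENTICATION_TYPE` selects SIMPLE, and within the SIMPLE branch a missing `SecurityConstants.AUTHENTICATION_ANONYMOUS` is read as `"true"`, so a server whose security properties were not loaded ends up accepting anonymous requests with nothing in this method recording that choice. I would at least state it above the SIMPLE branch, `// SIMPLE performs no credential check; anonymous requests are accepted unless AUTHENTICATION_ANONYMOUS is set to false`, and consider `"false"` as the default if existing deployments permit. Separately, the `catch (IOException e)` around `SecurityUtil.getServerPrincipal(principal, "0.0.0.0")` rethrows `SecurityError.AUTH_0006` without `e`, which hides why principal resolution failed; KerberosAuthenticationHandler in this commit keeps the cause (`new SqoopException(SecurityError.AUTH_0003, ex)`), and this site should do the same if SqoopException has a constructor taking both the detail string and a cause. The method's signature lies above the hunk, so whether callers validate these properties earlier cannot be checked from here.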
