Author: tucu
Date: Tue Nov 29 23:45:14 2011
New Revision: 1208146
URL: http://svn.apache.org/viewvc?rev=1208146&view=rev
Log:
OOZIE-77. Oozie should support Kerberos authentication on its HTTP REST API.
(tucu)
Added:
incubator/oozie/trunk/client/src/main/java/org/apache/oozie/client/AuthOozieClient.java
incubator/oozie/trunk/core/src/main/java/org/apache/oozie/servlet/AuthFilter.java
incubator/oozie/trunk/core/src/test/java/org/apache/oozie/servlet/TestAuthFilterAuthOozieClient.java
Modified:
incubator/oozie/trunk/client/pom.xml
incubator/oozie/trunk/client/src/main/bin/oozie
incubator/oozie/trunk/client/src/main/java/org/apache/oozie/cli/OozieCLI.java
incubator/oozie/trunk/core/pom.xml
incubator/oozie/trunk/core/src/main/conf/oozie-log4j.properties
incubator/oozie/trunk/core/src/main/conf/oozie-site.xml
incubator/oozie/trunk/core/src/main/resources/oozie-default.xml
incubator/oozie/trunk/core/src/test/java/org/apache/oozie/servlet/DagServletTestCase.java
incubator/oozie/trunk/docs/src/site/twiki/AG_Install.twiki
incubator/oozie/trunk/docs/src/site/twiki/DG_CommandLineTool.twiki
incubator/oozie/trunk/pom.xml
incubator/oozie/trunk/release-log.txt
incubator/oozie/trunk/webapp/pom.xml
incubator/oozie/trunk/webapp/src/main/webapp/WEB-INF/web.xml
Modified: incubator/oozie/trunk/client/pom.xml
URL:
http://svn.apache.org/viewvc/incubator/oozie/trunk/client/pom.xml?rev=1208146&r1=1208145&r2=1208146&view=diff
==============================================================================
--- incubator/oozie/trunk/client/pom.xml (original)
+++ incubator/oozie/trunk/client/pom.xml Tue Nov 29 23:45:14 2011
@@ -7,9 +7,9 @@
to you under the Apache License, Version 2.0 (the
"License"); you may not use this file except in compliance
with the License. You may obtain a copy of the License at
-
+
http://www.apache.org/licenses/LICENSE-2.0
-
+
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
@@ -56,6 +56,18 @@
<artifactId>junit</artifactId>
<scope>test</scope>
</dependency>
+
+ <dependency>
+ <groupId>org.apache.hadoop</groupId>
+ <artifactId>hadoop-auth</artifactId>
+ <scope>compile</scope>
+ <exclusions>
+ <exclusion>
+ <groupId>org.slf4j</groupId>
+ <artifactId>slf4j-api</artifactId>
+ </exclusion>
+ </exclusions>
+ </dependency>
</dependencies>
<build>
@@ -120,6 +132,6 @@
</build>
</profile>
</profiles>
-
+
</project>
Modified: incubator/oozie/trunk/client/src/main/bin/oozie
URL:
http://svn.apache.org/viewvc/incubator/oozie/trunk/client/src/main/bin/oozie?rev=1208146&r1=1208145&r2=1208146&view=diff
==============================================================================
--- incubator/oozie/trunk/client/src/main/bin/oozie (original)
+++ incubator/oozie/trunk/client/src/main/bin/oozie Tue Nov 29 23:45:14 2011
@@ -7,9 +7,9 @@
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License. You may obtain a copy of the License at
-#
+#
# http://www.apache.org/licenses/LICENSE-2.0
-#
+#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
@@ -46,7 +46,6 @@ else
JAVA_BIN=${JAVA_HOME}/bin/java
fi
-JAVA_PROPERTIES=""
while [[ ${1} =~ ^\-D ]]; do
JAVA_PROPERTIES="${JAVA_PROPERTIES} ${1}"
shift
Modified:
incubator/oozie/trunk/client/src/main/java/org/apache/oozie/cli/OozieCLI.java
URL:
http://svn.apache.org/viewvc/incubator/oozie/trunk/client/src/main/java/org/apache/oozie/cli/OozieCLI.java?rev=1208146&r1=1208145&r2=1208146&view=diff
==============================================================================
---
incubator/oozie/trunk/client/src/main/java/org/apache/oozie/cli/OozieCLI.java
(original)
+++
incubator/oozie/trunk/client/src/main/java/org/apache/oozie/cli/OozieCLI.java
Tue Nov 29 23:45:14 2011
@@ -6,9 +6,9 @@
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
- *
+ *
* http://www.apache.org/licenses/LICENSE-2.0
- *
+ *
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
@@ -48,6 +48,7 @@ import org.apache.commons.cli.OptionGrou
import org.apache.commons.cli.Options;
import org.apache.commons.cli.ParseException;
import org.apache.oozie.BuildInfo;
+import org.apache.oozie.client.AuthOozieClient;
import org.apache.oozie.client.BundleJob;
import org.apache.oozie.client.CoordinatorAction;
import org.apache.oozie.client.CoordinatorJob;
@@ -145,6 +146,9 @@ public class OozieCLI {
* @param args options and arguments for the Oozie CLI.
*/
public static void main(String[] args) {
+ if
(!System.getProperties().contains(AuthOozieClient.USE_AUTH_TOKEN_CACHE_SYS_PROP))
{
+ System.setProperty(AuthOozieClient.USE_AUTH_TOKEN_CACHE_SYS_PROP,
"true");
+ }
System.exit(new OozieCLI().run(args));
}
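Review bot: The guard added to `main` calls `System.getProperties().contains(...)`, which is `Hashtable.contains` and searches property values, not keys. The condition is therefore true unless some property happens to have the value `oozie.auth.token.cache`, and the property is forced to `true` even when the user passed `-Doozie.auth.token.cache=false` (the launcher script forwards `-D` arguments through `JAVA_PROPERTIES`). The practical effect is that the CLI cannot be told to keep the authentication token off disk. Test the key instead: `if (System.getProperty(AuthOozieClient.USE_AUTH_TOKEN_CACHE_SYS_PROP) == null) {`.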
@@ -493,7 +497,7 @@ public class OozieCLI {
return changeValue;
}
- private void addHeader(OozieClient wc) {
+ protected void addHeader(OozieClient wc) {
for (Map.Entry entry : System.getProperties().entrySet()) {
String key = (String) entry.getKey();
if (key.startsWith(WS_HEADER_PREFIX)) {
@@ -513,10 +517,7 @@ public class OozieCLI {
* @throws OozieCLIException thrown if the OozieClient could not be
configured.
*/
protected OozieClient createOozieClient(CommandLine commandLine) throws
OozieCLIException {
- OozieClient wc = new OozieClient(getOozieUrl(commandLine));
- addHeader(wc);
- setDebugMode(wc);
- return wc;
+ return createXOozieClient(commandLine);
}
/**
@@ -529,7 +530,7 @@ public class OozieCLI {
* @throws OozieCLIException thrown if the XOozieClient could not be
configured.
*/
protected XOozieClient createXOozieClient(CommandLine commandLine) throws
OozieCLIException {
- XOozieClient wc = new XOozieClient(getOozieUrl(commandLine));
+ XOozieClient wc = new AuthOozieClient(getOozieUrl(commandLine));
addHeader(wc);
setDebugMode(wc);
return wc;
Added:
incubator/oozie/trunk/client/src/main/java/org/apache/oozie/client/AuthOozieClient.java
URL:
http://svn.apache.org/viewvc/incubator/oozie/trunk/client/src/main/java/org/apache/oozie/client/AuthOozieClient.java?rev=1208146&view=auto
==============================================================================
---
incubator/oozie/trunk/client/src/main/java/org/apache/oozie/client/AuthOozieClient.java
(added)
+++
incubator/oozie/trunk/client/src/main/java/org/apache/oozie/client/AuthOozieClient.java
Tue Nov 29 23:45:14 2011
@@ -0,0 +1,208 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.oozie.client;
+
+import org.apache.hadoop.security.authentication.client.AuthenticatedURL;
+import
org.apache.hadoop.security.authentication.client.AuthenticationException;
+import org.apache.hadoop.security.authentication.client.Authenticator;
+import org.apache.hadoop.security.authentication.client.KerberosAuthenticator;
+
+import java.io.BufferedReader;
+import java.io.File;
+import java.io.FileReader;
+import java.io.FileWriter;
+import java.io.IOException;
+import java.io.Writer;
+import java.net.HttpURLConnection;
+import java.net.URL;
+
+/**
+ * This subclass of {@link XOozieClient} supports Kerberos HTTP SPNEGO and
simple authentication.
+ */
+public class AuthOozieClient extends XOozieClient {
+
+ /**
+ * Java system property to specify a custom Authenticator implementation.
+ */
+ public static final String AUTHENTICATOR_CLASS_SYS_PROP =
"authenticator.class";
+
+ /**
+ * Java system property that, if set the authentication token will be
cached in the user home directory in a hidden
+ * file <code>.oozie-auth-token</code> with user read/write permissions
only.
+ */
+ public static final String USE_AUTH_TOKEN_CACHE_SYS_PROP =
"oozie.auth.token.cache";
+
+ /**
+ * File constant that defines the location of the authentication token
cache file.
+ * <p/>
+ * It resolves to <code>${user.home}/.oozie-auth-token</code>.
+ */
+ public static final File AUTH_TOKEN_CACHE_FILE = new
File(System.getProperty("user.home"), ".oozie-auth-token");
+
+ /**
+ * Create an instance of the AuthOozieClient.
+ *
+ * @param oozieUrl the Oozie URL
+ */
+ public AuthOozieClient(String oozieUrl) {
+ super(oozieUrl);
+ }
+
+ /**
+ * Create an authenticated connection to the Oozie server.
+ * <p/>
+ * It uses Hadoop-auth client authentication which by default supports
+ * Kerberos HTTP SPNEGO, Pseudo/Simple and anonymous.
+ * <p/>
+ * if the Java system property {@link #USE_AUTH_TOKEN_CACHE_SYS_PROP} is
set to true Hadoop-auth
+ * authentication token will be cached/used in/from the
'.oozie-auth-token' file in the user
+ * home directory.
+ *
+ * @param url the URL to open a HTTP connection to.
+ * @param method the HTTP method for the HTTP connection.
+ * @return an authenticated connection to the Oozie server.
+ * @throws IOException if an IO error occurred.
+ * @throws OozieClientException if an oozie client error occurred.
+ */
+ @Override
+ protected HttpURLConnection createConnection(URL url, String method)
throws IOException, OozieClientException {
+ boolean useAuthFile =
System.getProperty(USE_AUTH_TOKEN_CACHE_SYS_PROP,
"false").equalsIgnoreCase("true");
+ AuthenticatedURL.Token readToken = new AuthenticatedURL.Token();
+ AuthenticatedURL.Token currentToken = new AuthenticatedURL.Token();
+
+ if (useAuthFile) {
+ readToken = readAuthToken();
+ if (readToken != null) {
+ currentToken = new
AuthenticatedURL.Token(readToken.toString());
+ }
+ }
+
+ if (currentToken.isSet()) {
+ HttpURLConnection conn = (HttpURLConnection) url.openConnection();
+ conn.setRequestMethod("OPTIONS");
+ AuthenticatedURL.injectToken(conn, currentToken);
+ if (conn.getResponseCode() == HttpURLConnection.HTTP_UNAUTHORIZED)
{
+ AUTH_TOKEN_CACHE_FILE.delete();
+ currentToken = new AuthenticatedURL.Token();
+ }
+ }
+
+ if (!currentToken.isSet()) {
+ Authenticator authenticator = getAuthenticator();
+ try {
+ new AuthenticatedURL(authenticator).openConnection(url,
currentToken);
+ }
+ catch (AuthenticationException ex) {
+ AUTH_TOKEN_CACHE_FILE.delete();
+ throw new
OozieClientException(OozieClientException.AUTHENTICATION,
+ "Could not authenticate, " +
ex.getMessage(), ex);
+ }
+ }
+ if (useAuthFile && !currentToken.equals(readToken)) {
+ writeAuthToken(currentToken);
+ }
+ HttpURLConnection conn = super.createConnection(url, method);
+
+ AuthenticatedURL.injectToken(conn, currentToken);
+ return conn;
+ }
+
+
+ /**
+ * Read a authentication token cached in the user home directory.
+ * <p/>
+ *
+ * @return the authentication token cached in the user home directory,
NULL if none.
+ */
+ protected AuthenticatedURL.Token readAuthToken() {
+ AuthenticatedURL.Token authToken = null;
+ if (AUTH_TOKEN_CACHE_FILE.exists()) {
+ try {
+ BufferedReader reader = new BufferedReader(new
FileReader(AUTH_TOKEN_CACHE_FILE));
+ String line = reader.readLine();
+ reader.close();
+ if (line != null) {
+ authToken = new AuthenticatedURL.Token(line);
+ }
+ }
+ catch (IOException ex) {
+ //NOP
+ }
+ }
+ return authToken;
+ }
+
+ /**
+ * Write the current authenthication token to the user home directory.
+ * <p/>
+ * The file is written with user only read/write permissions.
+ * <p/>
+ * If the file cannot be updated or the user only ready/write permissions
cannot be set the file is deleted.
+ *
+ * @param authToken the authentication token to cache.
+ */
+ protected void writeAuthToken(AuthenticatedURL.Token authToken) {
+ try {
+ Writer writer = new FileWriter(AUTH_TOKEN_CACHE_FILE);
+ writer.write(authToken.toString());
+ writer.close();
+ // sets read-write permissions to owner only
+ AUTH_TOKEN_CACHE_FILE.setReadable(false, false);
+ AUTH_TOKEN_CACHE_FILE.setReadable(true, true);
+ AUTH_TOKEN_CACHE_FILE.setWritable(true, true);
+ }
+ catch (Exception ex) {
+ // if case of any error we just delete the cache, if user-only
+ // write permissions are not properly set a security exception
+ // is thrown and the file will be deleted.
+ AUTH_TOKEN_CACHE_FILE.delete();
+ }
+ }
+
+ /**
+ * Return the Hadoop-auth Authenticator to use.
+ * <p/>
+ * It looks for value of the {@link #AUTHENTICATOR_CLASS_SYS_PROP} Java
system property, if not set it uses
+ * Hadoop-auth <code>KerberosAuthenticator</code> which supports both
Kerberos HTTP SPNEGO and Pseudo/simple
+ * authentication.
+ *
+ * @return the Authenticator to use, <code>NULL</code> if none.
+ *
+ * @throws OozieClientException thrown if the authenticator could not be
instatiated.
+ */
+ protected Authenticator getAuthenticator() throws OozieClientException {
+ String className = System.getProperty(AUTHENTICATOR_CLASS_SYS_PROP,
KerberosAuthenticator.class.getName());
+ if (className != null) {
+ try {
+ ClassLoader cl =
Thread.currentThread().getContextClassLoader();
+ Class klass = (cl != null) ? cl.loadClass(className) :
getClass().getClassLoader().loadClass(className);
+ return (Authenticator) klass.newInstance();
+ }
+ catch (Exception ex) {
+ throw new
OozieClientException(OozieClientException.AUTHENTICATION,
+ "Could not instantiate
Authenticator [" + className + "], " +
+ ex.getMessage(), ex);
+ }
+ }
+ else {
+ throw new OozieClientException(OozieClientException.AUTHENTICATION,
+ "Authenticator class not found [" +
className + "]");
+ }
+ }
+
+}
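Review bot: `writeAuthToken` writes the token to `~/.oozie-auth-token` before it restricts the file's permissions, and it ignores the boolean results of `setReadable`/`setWritable`. Until the three permission calls run, the file carries whatever permissions the process default gives it, group/other write is never cleared, and a call that fails by returning false leaves the token in place, so the catch block's comment about the file being deleted only covers the thrown-exception case. Create the file empty, restrict it, check every result, and only then write the token; closing the writer in `finally` also avoids a leaked handle when `write` fails. On a platform where the permission calls return false this turns the cache off rather than leaving a readable token, which seems the safer default but should be stated in the Javadoc. `readAuthToken` has the same unclosed-reader path when `readLine` throws.

```java
    protected void writeAuthToken(AuthenticatedURL.Token authToken) {
        try {
            // start from a fresh, empty file so permissions are in place before any token bytes exist
            AUTH_TOKEN_CACHE_FILE.delete();
            if (!AUTH_TOKEN_CACHE_FILE.createNewFile()
                || !AUTH_TOKEN_CACHE_FILE.setReadable(false, false)
                || !AUTH_TOKEN_CACHE_FILE.setWritable(false, false)
                || !AUTH_TOKEN_CACHE_FILE.setReadable(true, true)
                || !AUTH_TOKEN_CACHE_FILE.setWritable(true, true)) {
                throw new IOException("Could not restrict permissions on " + AUTH_TOKEN_CACHE_FILE);
            }
            Writer writer = new FileWriter(AUTH_TOKEN_CACHE_FILE);
            try {
                writer.write(authToken.toString());
            }
            finally {
                writer.close();
            }
        }
        catch (Exception ex) {
            // any failure, including permissions that could not be restricted, drops the cache file
            AUTH_TOKEN_CACHE_FILE.delete();
        }
    }
```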
Modified: incubator/oozie/trunk/core/pom.xml
URL:
http://svn.apache.org/viewvc/incubator/oozie/trunk/core/pom.xml?rev=1208146&r1=1208145&r2=1208146&view=diff
==============================================================================
--- incubator/oozie/trunk/core/pom.xml (original)
+++ incubator/oozie/trunk/core/pom.xml Tue Nov 29 23:45:14 2011
@@ -84,12 +84,6 @@
</dependency>
<dependency>
- <groupId>org.slf4j</groupId>
- <artifactId>slf4j-log4j12</artifactId>
- <scope>test</scope>
- </dependency>
-
- <dependency>
<groupId>com.googlecode.json-simple</groupId>
<artifactId>json-simple</artifactId>
<scope>compile</scope>
@@ -161,6 +155,11 @@
<dependency>
<groupId>javax.mail</groupId>
<artifactId>mail</artifactId>
+ </dependency>
+
+ <dependency>
+ <groupId>org.apache.hadoop</groupId>
+ <artifactId>hadoop-auth</artifactId>
<scope>compile</scope>
</dependency>
@@ -177,6 +176,12 @@
</dependency>
<dependency>
+ <groupId>org.slf4j</groupId>
+ <artifactId>slf4j-log4j12</artifactId>
+ <scope>compile</scope>
+ </dependency>
+
+ <dependency>
<groupId>org.apache.oozie</groupId>
<artifactId>oozie-sharelib-pig</artifactId>
<scope>provided</scope>
Modified: incubator/oozie/trunk/core/src/main/conf/oozie-log4j.properties
URL:
http://svn.apache.org/viewvc/incubator/oozie/trunk/core/src/main/conf/oozie-log4j.properties?rev=1208146&r1=1208145&r2=1208146&view=diff
==============================================================================
--- incubator/oozie/trunk/core/src/main/conf/oozie-log4j.properties (original)
+++ incubator/oozie/trunk/core/src/main/conf/oozie-log4j.properties Tue Nov 29
23:45:14 2011
@@ -6,9 +6,9 @@
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License. You may obtain a copy of the License at
-#
+#
# http://www.apache.org/licenses/LICENSE-2.0
-#
+#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
@@ -71,3 +71,4 @@ log4j.logger.org.apache.oozie=DEBUG, ooz
log4j.logger.org.apache.hadoop=WARN, oozie
log4j.logger.org.mortbay=WARN, oozie
log4j.logger.org.hsqldb=WARN, oozie
+log4j.logger.org.apache.hadoop.security.authentication.server=DEBUG, oozie
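Review bot: The added logger puts `org.apache.hadoop.security.authentication.server` at DEBUG in the shipped default configuration, while its parent `org.apache.hadoop` in the same block is at WARN. What that package logs at DEBUG is not visible in this commit; if it includes token or principal details, they would end up in the oozie log on every installation that keeps the default. Naming the `oozie` appender again on a child logger also likely writes each line twice under log4j's default additivity, unless additivity is switched off elsewhere in the file. Consider `log4j.logger.org.apache.hadoop.security.authentication.server=WARN` as the default, with a comment explaining how to raise it when troubleshooting authentication.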
Modified: incubator/oozie/trunk/core/src/main/conf/oozie-site.xml
URL:
http://svn.apache.org/viewvc/incubator/oozie/trunk/core/src/main/conf/oozie-site.xml?rev=1208146&r1=1208145&r2=1208146&view=diff
==============================================================================
--- incubator/oozie/trunk/core/src/main/conf/oozie-site.xml (original)
+++ incubator/oozie/trunk/core/src/main/conf/oozie-site.xml Tue Nov 29 23:45:14
2011
@@ -247,5 +247,71 @@
</description>
</property>
+ <property>
+ <name>oozie.authentication.type</name>
+ <value>simple</value>
+ <description>
+ Defines authentication used for Oozie HTTP endpoint.
+ Supported values are: simple | kerberos |
#AUTHENTICATION_HANDLER_CLASSNAME#
+ </description>
+ </property>
+
+ <property>
+ <name>oozie.authentication.token.validity</name>
+ <value>36000</value>
+ <description>
+ Indicates how long (in seconds) an authentication token is valid
before it has
+ to be renewed.
+ </description>
+ </property>
+
+ <property>
+ <name>oozie.authentication.signature.secret</name>
+ <value>oozie</value>
+ <description>
+ The signature secret for signing the authentication tokens.
+ If not set a random secret is generated at startup time.
+ In order to authentiation to work correctly across multiple hosts
+ the secret must be the same across al the hosts.
+ </description>
+ </property>
+
+ <property>
+ <name>oozie.authentication.cookie.domain</name>
+ <value></value>
+ <description>
+ The domain to use for the HTTP cookie that stores the authentication
token.
+ In order to authentiation to work correctly across multiple hosts
+ the domain must be correctly set.
+ </description>
+ </property>
+
+ <property>
+ <name>oozie.authentication.simple.anonymous.allowed</name>
+ <value>true</value>
+ <description>
+ Indicates if anonymous requests are allowed.
+ This setting is meaningful only when using 'simple' authentication.
+ </description>
+ </property>
+
+ <property>
+ <name>oozie.authentication.kerberos.principal</name>
+ <value>HTTP/localhost@${local.realm}</value>
+ <description>
+ Indicates the Kerberos principal to be used for HTTP endpoint.
+ The principal MUST start with 'HTTP/' as per Kerberos HTTP SPNEGO
specification.
+ </description>
+ </property>
+
+ <property>
+ <name>oozie.authentication.kerberos.keytab</name>
+ <value>${oozie.service.HadoopAccessorService.keytab.file}</value>
+ <description>
+ Location of the keytab file with the credentials for the principal.
+ Referring to the same keytab file Oozie uses for its Kerberos
credentials for Hadoop.
+ </description>
+ </property>
+
</configuration>
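Review bot: `oozie.authentication.signature.secret` ships with the fixed value `oozie`, so every installation that keeps this file signs its authentication tokens with the same publicly known secret, and the random-secret fallback the description mentions never applies. The same value is set in the oozie-default.xml hunk later in this commit. Omitting the property from the shipped files would avoid this, assuming the filter then falls back to the random secret as described; otherwise the description should say so explicitly, for example `Set this to a private, site-specific value; do not keep the shipped default.` Separately, the defaults `oozie.authentication.type=simple` and `oozie.authentication.simple.anonymous.allowed=true` mean the REST API accepts requests with no identity out of the box, which the descriptions should state.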
Added:
incubator/oozie/trunk/core/src/main/java/org/apache/oozie/servlet/AuthFilter.java
URL:
http://svn.apache.org/viewvc/incubator/oozie/trunk/core/src/main/java/org/apache/oozie/servlet/AuthFilter.java?rev=1208146&view=auto
==============================================================================
---
incubator/oozie/trunk/core/src/main/java/org/apache/oozie/servlet/AuthFilter.java
(added)
+++
incubator/oozie/trunk/core/src/main/java/org/apache/oozie/servlet/AuthFilter.java
Tue Nov 29 23:45:14 2011
@@ -0,0 +1,134 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.oozie.servlet;
+
+import org.apache.hadoop.security.authentication.server.AuthenticationFilter;
+import org.apache.hadoop.conf.Configuration;
+import org.apache.oozie.service.Services;
+
+import javax.servlet.FilterChain;
+import javax.servlet.FilterConfig;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.http.HttpServlet;
+import javax.servlet.http.HttpServletRequest;
+import java.io.IOException;
+import java.util.Map;
+import java.util.Properties;
+
+/**
+ * Authentication filter that extends Hadoop-auth AuthenticationFilter to
override
+ * the configuration loading.
+ */
+public class AuthFilter extends AuthenticationFilter {
+ private static final String OOZIE_PREFIX = "oozie.authentication.";
+
+ private HttpServlet optionsServlet;
+
+ /**
+ * Initialize the filter.
+ *
+ * @param filterConfig filter configuration.
+ * @throws ServletException thrown if the filter could not be initialized.
+ */
+ @Override
+ public void init(FilterConfig filterConfig) throws ServletException {
+ super.init(filterConfig);
+ optionsServlet = new HttpServlet() {};
+ optionsServlet.init();
+ }
+
+ /**
+ * Destroy the filter.
+ */
+ @Override
+ public void destroy() {
+ optionsServlet.destroy();
+ super.destroy();
+ }
+
+ /**
+ * Returns the configuration from Oozie configuration to be used by the
authentication filter.
+ * <p/>
+ * All properties from Oozie configuration which name starts with {@link
#OOZIE_PREFIX} will
+ * be returned. The keys of the returned properties are trimmed from the
{@link #OOZIE_PREFIX}
+ * prefix, for example the Oozie configuration property name
'oozie.authentication.type' will
+ * be just 'type'.
+ *
+ * @param configPrefix configuration prefix, this parameter is ignored by
this implementation.
+ * @param filterConfig filter configuration, this parameter is ignored by
this implementation.
+ * @return all Oozie configuration properties prefixed with {@link
#OOZIE_PREFIX}, without the
+ * prefix.
+ */
+ @Override
+ protected Properties getConfiguration(String configPrefix, FilterConfig
filterConfig) {
+ Properties props = new Properties();
+ Configuration conf = Services.get().getConf();
+
+ //setting the cookie path to root '/' so it is used for all resources.
+ props.setProperty(AuthenticationFilter.COOKIE_PATH, "/");
+
+ for (Map.Entry<String, String> entry : conf) {
+ String name = entry.getKey();
+ if (name.startsWith(OOZIE_PREFIX)) {
+ String value = conf.get(name);
+ name = name.substring(OOZIE_PREFIX.length());
+ props.setProperty(name, value);
+ }
+ }
+
+ return props;
+ }
+
+ /**
+ * Enforces authentication using Hadoop-auth AuthenticationFilter.
+ * <p/>
+ * This method is overriden to respond to HTTP OPTIONS requests for
authenticated calls, regardless
+ * of the target servlet supporting OPTIONS or not and to inject the
authenticated user name as
+ * request attribute for Oozie to retrieve the user id.
+ *
+ * @param request http request.
+ * @param response http response.
+ * @param filterChain filter chain.
+ * @throws IOException thrown if an IO error occurs.
+ * @throws ServletException thrown if a servlet error occurs.
+ */
+ @Override
+ public void doFilter(final ServletRequest request, final ServletResponse
response, final FilterChain filterChain)
+ throws IOException, ServletException {
+
+ FilterChain filterChainWrapper = new FilterChain() {
+ @Override
+ public void doFilter(ServletRequest servletRequest,
ServletResponse servletResponse)
+ throws IOException, ServletException {
+ HttpServletRequest httpRequest = (HttpServletRequest)
servletRequest;
+ if (httpRequest.getMethod().equals("OPTIONS")) {
+ optionsServlet.service(request, response);
+ }
+ else {
+ httpRequest.setAttribute(JsonRestServlet.USER_NAME,
httpRequest.getRemoteUser());
+ filterChain.doFilter(servletRequest, servletResponse);
+ }
+ }
+ };
+
+ super.doFilter(request, response, filterChainWrapper);
+ }
+
+}
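Review bot: In `doFilter`, the wrapper copies `httpRequest.getRemoteUser()` into `JsonRestServlet.USER_NAME` without checking for null. With the anonymous-allowed default added in this commit the remote user is presumably null for anonymous requests, and `setAttribute` with a null value removes the attribute. How the servlets behind the filter treat a missing user name is not visible here, so either reject a null user at this point or document that downstream code must handle it. The OPTIONS branch also uses the captured outer `request`/`response` instead of the objects the parent filter passed to the wrapper; `optionsServlet.service(servletRequest, servletResponse);` keeps both branches on the same request object.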
Modified: incubator/oozie/trunk/core/src/main/resources/oozie-default.xml
URL:
http://svn.apache.org/viewvc/incubator/oozie/trunk/core/src/main/resources/oozie-default.xml?rev=1208146&r1=1208145&r2=1208146&view=diff
==============================================================================
--- incubator/oozie/trunk/core/src/main/resources/oozie-default.xml (original)
+++ incubator/oozie/trunk/core/src/main/resources/oozie-default.xml Tue Nov 29
23:45:14 2011
@@ -1400,4 +1400,71 @@
</description>
</property>
+ <!-- Oozie Authentication -->
+
+ <property>
+ <name>oozie.authentication.type</name>
+ <value>simple</value>
+ <description>
+ Defines authentication used for Oozie HTTP endpoint.
+ Supported values are: simple | kerberos |
#AUTHENTICATION_HANDLER_CLASSNAME#
+ </description>
+ </property>
+
+ <property>
+ <name>oozie.authentication.token.validity</name>
+ <value>36000</value>
+ <description>
+ Indicates how long (in seconds) an authentication token is valid
before it has
+ to be renewed.
+ </description>
+ </property>
+
+ <property>
+ <name>oozie.authentication.signature.secret</name>
+ <value>oozie</value>
+ <description>
+ The signature secret for signing the authentication tokens.
+ If not set a random secret is generated at startup time.
+ In order to authentiation to work correctly across multiple hosts
+ the secret must be the same across al the hosts.
+ </description>
+ </property>
+
+ <property>
+ <name>oozie.authentication.cookie.domain</name>
+ <value></value>
+ <description>
+ The domain to use for the HTTP cookie that stores the authentication
token.
+ In order to authentiation to work correctly across multiple hosts
+ the domain must be correctly set.
+ </description>
+ </property>
+
+ <property>
+ <name>oozie.authentication.simple.anonymous.allowed</name>
+ <value>true</value>
+ <description>
+ Indicates if anonymous requests are allowed when using 'simple'
authentication.
+ </description>
+ </property>
+
+ <property>
+ <name>oozie.authentication.kerberos.principal</name>
+ <value>HTTP/localhost@${local.realm}</value>
+ <description>
+ Indicates the Kerberos principal to be used for HTTP endpoint.
+ The principal MUST start with 'HTTP/' as per Kerberos HTTP SPNEGO
specification.
+ </description>
+ </property>
+
+ <property>
+ <name>oozie.authentication.kerberos.keytab</name>
+ <value>${oozie.service.HadoopAccessorService.keytab.file}</value>
+ <description>
+ Location of the keytab file with the credentials for the principal.
+ Referring to the same keytab file Oozie uses for its Kerberos
credentials for Hadoop.
+ </description>
+ </property>
+
</configuration>
Modified:
incubator/oozie/trunk/core/src/test/java/org/apache/oozie/servlet/DagServletTestCase.java
URL:
http://svn.apache.org/viewvc/incubator/oozie/trunk/core/src/test/java/org/apache/oozie/servlet/DagServletTestCase.java?rev=1208146&r1=1208145&r2=1208146&view=diff
==============================================================================
---
incubator/oozie/trunk/core/src/test/java/org/apache/oozie/servlet/DagServletTestCase.java
(original)
+++
incubator/oozie/trunk/core/src/test/java/org/apache/oozie/servlet/DagServletTestCase.java
Tue Nov 29 23:45:14 2011
@@ -6,9 +6,9 @@
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
- *
+ *
* http://www.apache.org/licenses/LICENSE-2.0
- *
+ *
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
@@ -80,6 +80,8 @@ public abstract class DagServletTestCase
for (int i = 0; i < servletPath.length; i++) {
container.addServletEndpoint(servletPath[i], servletClass[i]);
}
+ container.addFilter("*", AuthFilter.class);
+ setSystemProperty("user.name", getTestUser());
container.start();
assertions.call();
}
Added:
incubator/oozie/trunk/core/src/test/java/org/apache/oozie/servlet/TestAuthFilterAuthOozieClient.java
URL:
http://svn.apache.org/viewvc/incubator/oozie/trunk/core/src/test/java/org/apache/oozie/servlet/TestAuthFilterAuthOozieClient.java?rev=1208146&view=auto
==============================================================================
---
incubator/oozie/trunk/core/src/test/java/org/apache/oozie/servlet/TestAuthFilterAuthOozieClient.java
(added)
+++
incubator/oozie/trunk/core/src/test/java/org/apache/oozie/servlet/TestAuthFilterAuthOozieClient.java
Tue Nov 29 23:45:14 2011
@@ -0,0 +1,195 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.oozie.servlet;
+
+import org.apache.hadoop.security.authentication.client.AuthenticatedURL;
+import
org.apache.hadoop.security.authentication.client.AuthenticationException;
+import org.apache.hadoop.security.authentication.client.PseudoAuthenticator;
+import org.apache.oozie.cli.OozieCLI;
+import org.apache.oozie.client.AuthOozieClient;
+import org.apache.oozie.client.HeaderTestingVersionServlet;
+import org.apache.oozie.client.XOozieClient;
+import org.apache.oozie.service.ForTestAuthorizationService;
+import org.apache.oozie.service.ForTestWorkflowStoreService;
+import org.apache.oozie.service.Services;
+import org.apache.oozie.test.EmbeddedServletContainer;
+import org.apache.oozie.test.XTestCase;
+import org.apache.oozie.util.IOUtils;
+
+import java.io.FileReader;
+import java.io.IOException;
+import java.net.HttpURLConnection;
+import java.net.URL;
+import java.net.URLEncoder;
+import java.util.HashMap;
+import java.util.Map;
+import java.util.concurrent.Callable;
+
+/**
+ *
+ */
+public class TestAuthFilterAuthOozieClient extends XTestCase {
+ private EmbeddedServletContainer container;
+
+ protected String getContextURL() {
+ return container.getContextURL();
+ }
+
+ protected URL createURL(String servletPath, String resource, Map<String,
String> parameters) throws Exception {
+ StringBuilder sb = new StringBuilder();
+ sb.append(container.getServletURL(servletPath));
+ if (resource != null && resource.length() > 0) {
+ sb.append("/").append(resource);
+ }
+ if (parameters.size() > 0) {
+ String separator = "?";
+ for (Map.Entry<String, String> param : parameters.entrySet()) {
+ sb.append(separator).append(URLEncoder.encode(param.getKey(),
"UTF-8")).append("=")
+ .append(URLEncoder.encode(param.getValue(), "UTF-8"));
+ separator = "&";
+ }
+ }
+ return new URL(sb.toString());
+ }
+
+ protected void runTest(Callable<Void> assertions) throws Exception {
+ Services services = new Services();
+ try {
+ services.init();
+ Services.get().setService(ForTestAuthorizationService.class);
+ Services.get().setService(ForTestWorkflowStoreService.class);
+ Services.get().setService(MockDagEngineService.class);
+ Services.get().setService(MockCoordinatorEngineService.class);
+ container = new EmbeddedServletContainer("oozie");
+ container.addServletEndpoint("/versions",
HeaderTestingVersionServlet.class);
+ String version = "/v" + XOozieClient.WS_PROTOCOL_VERSION;
+ container.addServletEndpoint(version + "/admin/*",
V1AdminServlet.class);
+ container.addFilter("/*", AuthFilter.class);
+ container.start();
+ assertions.call();
+ }
+ finally {
+ if (container != null) {
+ container.stop();
+ }
+ services.destroy();
+ container = null;
+ }
+ }
+
+ public static class Authenticator4Test extends PseudoAuthenticator {
+
+ private static boolean USED = false;
+
+ @Override
+ public void authenticate(URL url, AuthenticatedURL.Token token) throws
IOException, AuthenticationException {
+ USED = true;
+ super.authenticate(url, token);
+ }
+ }
+
+ public void testClientWithAnonymous() throws Exception {
+ setSystemProperty("oozie.authentication.simple.anonymous.allowed",
"true");
+ runTest(new Callable<Void>() {
+ public Void call() throws Exception {
+ String oozieUrl = getContextURL();
+ String[] args = new String[]{"admin", "-status", "-oozie",
oozieUrl};
+ assertEquals(0, new OozieCLI().run(args));
+ return null;
+ }
+ });
+ }
+
+ public void testClientWithoutAnonymous() throws Exception {
+ setSystemProperty("oozie.authentication.simple.anonymous.allowed",
"false");
+ runTest(new Callable<Void>() {
+ public Void call() throws Exception {
+ String oozieUrl = getContextURL();
+ String[] args = new String[]{"admin", "-status", "-oozie",
oozieUrl};
+ assertEquals(0, new OozieCLI().run(args));
+ return null;
+ }
+ });
+ }
+
+ public void testClientWithCustomAuthenticator() throws Exception {
+ setSystemProperty("authenticator.class",
Authenticator4Test.class.getName());
+ setSystemProperty("oozie.authentication.simple.anonymous.allowed",
"false");
+ Authenticator4Test.USED = false;
+ runTest(new Callable<Void>() {
+ public Void call() throws Exception {
+ String oozieUrl = getContextURL();
+ String[] args = new String[]{"admin", "-status", "-oozie",
oozieUrl};
+ assertEquals(0, new OozieCLI().run(args));
+ return null;
+ }
+ });
+ assertTrue(Authenticator4Test.USED);
+ }
+
+
+ public void testClientAuthTokenCache() throws Exception {
+ //not using cache
+ setSystemProperty("oozie.authentication.simple.anonymous.allowed",
"false");
+ AuthOozieClient.AUTH_TOKEN_CACHE_FILE.delete();
+ assertFalse(AuthOozieClient.AUTH_TOKEN_CACHE_FILE.exists());
+ runTest(new Callable<Void>() {
+ public Void call() throws Exception {
+ String oozieUrl = getContextURL();
+ String[] args = new String[]{"admin", "-status", "-oozie",
oozieUrl};
+ assertEquals(0, new OozieCLI().run(args));
+ return null;
+ }
+ });
+ assertFalse(AuthOozieClient.AUTH_TOKEN_CACHE_FILE.exists());
+
+ //using cache
+ setSystemProperty("oozie.auth.token.cache", "true");
+ setSystemProperty("oozie.authentication.simple.anonymous.allowed",
"false");
+ setSystemProperty("oozie.authentication.signature.secret", "secret");
+ AuthOozieClient.AUTH_TOKEN_CACHE_FILE.delete();
+ assertFalse(AuthOozieClient.AUTH_TOKEN_CACHE_FILE.exists());
+ runTest(new Callable<Void>() {
+ public Void call() throws Exception {
+ String oozieUrl = getContextURL();
+ String[] args = new String[]{"admin", "-status", "-oozie",
oozieUrl};
+ assertEquals(0, new OozieCLI().run(args));
+ return null;
+ }
+ });
+ assertTrue(AuthOozieClient.AUTH_TOKEN_CACHE_FILE.exists());
+ String currentCache = IOUtils.getReaderAsString(new
FileReader(AuthOozieClient.AUTH_TOKEN_CACHE_FILE), -1);
+
+ //re-using cache
+ setSystemProperty("oozie.auth.token.cache", "true");
+ setSystemProperty("oozie.authentication.simple.anonymous.allowed",
"false");
+ setSystemProperty("oozie.authentication.signature.secret", "secret");
+ runTest(new Callable<Void>() {
+ public Void call() throws Exception {
+ String oozieUrl = getContextURL();
+ String[] args = new String[]{"admin", "-status", "-oozie",
oozieUrl};
+ assertEquals(0, new OozieCLI().run(args));
+ return null;
+ }
+ });
+ assertTrue(AuthOozieClient.AUTH_TOKEN_CACHE_FILE.exists());
+ String newCache = IOUtils.getReaderAsString(new
FileReader(AuthOozieClient.AUTH_TOKEN_CACHE_FILE), -1);
+ assertEquals(currentCache, newCache);
+ }
+
+}
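Review bot: Every test in this class asserts that the CLI exits with 0, so nothing checks that AuthFilter refuses a request carrying no credentials when `oozie.authentication.simple.anonymous.allowed` is `false`; a filter that let every request through would still pass testClientWithoutAnonymous. The `createURL` helper and the `HttpURLConnection` and `HashMap` imports are unused, which suggests such a negative test was intended. A test along the lines below would cover the rejection path; the expected status is presumably 401 and should be confirmed against the hadoop-auth handler in use. Separately, the two `FileReader` instances in testClientAuthTokenCache are never closed, and the test deletes `AuthOozieClient.AUTH_TOKEN_CACHE_FILE`, which according to the documentation in this commit lives in the user's home directory, so running it can remove a developer's real cached token.

```java
public void testRequestWithoutCredentialsIsRejected() throws Exception {
    setSystemProperty("oozie.authentication.simple.anonymous.allowed", "false");
    runTest(new Callable<Void>() {
        public Void call() throws Exception {
            // Plain connection: no user.name parameter and no authentication cookie.
            URL url = createURL("/versions", null, new HashMap<String, String>());
            HttpURLConnection conn = (HttpURLConnection) url.openConnection();
            // presumably 401; confirm against the hadoop-auth handler
            assertEquals(HttpURLConnection.HTTP_UNAUTHORIZED, conn.getResponseCode());
            return null;
        }
    });
}
```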
Modified: incubator/oozie/trunk/docs/src/site/twiki/AG_Install.twiki
URL:
http://svn.apache.org/viewvc/incubator/oozie/trunk/docs/src/site/twiki/AG_Install.twiki?rev=1208146&r1=1208145&r2=1208146&view=diff
==============================================================================
--- incubator/oozie/trunk/docs/src/site/twiki/AG_Install.twiki (original)
+++ incubator/oozie/trunk/docs/src/site/twiki/AG_Install.twiki Tue Nov 29
23:45:14 2011
@@ -184,11 +184,65 @@ Oozie logs in 4 different files:
The embedded Tomcat and embedded Derby log files are also written to Oozie's
=logs/= directory.
----+++ Oozie Authentication Configuration
+---+++ Oozie User Authentication Configuration
+
+Oozie supports Kerberos HTTP SPNEGO authentication, pseudo/simple
authentication and anonymous access
+for client connections.
+
+Anonymous access (*default*) does not require the user to authenticate and the
user ID is obtained from
+the job properties on job submission operations, other operations are
anonymous.
+
+Pseudo/simple authentication requires the user to specify the user name on the
request, this is done by
+the PseudoAuthenticator class by injecting the =user.name= parameter in the
query string of all requests.
+The =user.name= parameter value is taken from the client process Java System
property =user.name=.
+
+Kerberos HTTP SPNEGO authentication requires the user to perform a Kerberos
HTTP SPNEGO authentication sequence.
+
+If Pseudo/simple or Kerberos HTTP SPNEGO authentication mechanisms are used,
Oozie will return the user an
+authentication token HTTP Cookie that can be used in later requests as identy
proof.
+
+Oozie uses Apache Hadoop-Auth (Java HTTP SPENGO) library for authentication.
+This library can be extended to support other authentication mechanisms.
+
+Oozie user authentication is configured using the following configuration
properties (default values shown):
+
+<verbatim>
+ oozie.authentication.type=simple
+ oozie.authentication.token.validity=36000
+ oozie.authentication.signature.secret=
+ oozie.authentication.cookie.domain=
+ oozie.authentication.simple.anonymous.allowed=true
+ oozie.authentication.kerberos.principal=HTTP/localhost@${local.realm}
+
oozie.authentication.kerberos.keytab=${oozie.service.HadoopAccessorService.keytab.file}
+</verbatim>
+
+The =type= defines authentication used for Oozie HTTP endpoint, the supported
values are:
+simple | kerberos | #AUTHENTICATION_HANDLER_CLASSNAME#.
+
+The =token.validity= indicates how long (in seconds) an authentication token
is valid before it has
+to be renewed.
+
+The =signature.secret= is the signature secret for signing the authentication
tokens. If not set a random
+secret is generated at startup time.
+
+The =oozie.authentication.cookie.domain= The domain to use for the HTTP cookie
that stores the
+authentication token. In order to authentiation to work correctly across all
Hadoop nodes web-consoles
+the domain must be correctly set.
+
+The =simple.anonymous.allowed= indicates if anonymous requests are allowed.
This setting is meaningful
+only when using 'simple' authentication.
+
+The =kerberos.principal= indicates the Kerberos principal to be used for HTTP
endpoint.
+The principal MUST start with 'HTTP/' as per Kerberos HTTP SPNEGO
specification.
+
+The =kerberos.keytab= indicates the location of the keytab file with the
credentials for the principal.
+It should be the same keytab file Oozie uses for its Kerberos credentials for
Hadoop.
+
+---+++ Oozie Hadoop Authentication Configuration
Oozie can work with Hadoop 20 with Security distribution which supports
Kerberos authentication.
-Oozie authentication is configured using the following configuration
properties (default values shown):
+Oozie Hadoop authentication is configured using the following configuration
properties (default values shown):
<verbatim>
oozie.service.HadoopAccessorService.kerberos.enabled=false
Modified: incubator/oozie/trunk/docs/src/site/twiki/DG_CommandLineTool.twiki
URL:
http://svn.apache.org/viewvc/incubator/oozie/trunk/docs/src/site/twiki/DG_CommandLineTool.twiki?rev=1208146&r1=1208145&r2=1208146&view=diff
==============================================================================
--- incubator/oozie/trunk/docs/src/site/twiki/DG_CommandLineTool.twiki
(original)
+++ incubator/oozie/trunk/docs/src/site/twiki/DG_CommandLineTool.twiki Tue Nov
29 23:45:14 2011
@@ -21,9 +21,9 @@ usage:
custom headers for Oozie web services can be specified using
'-Dheader:NAME=VALUE'
oozie help : display usage
-
+.
oozie version : show client version
-
+.
oozie job <OPTIONS> : job operations
-action <arg> coordinator rerun on action ids
(requires -rerun); coordinator log retrieval on action ids (requires -log)
-change <arg> change a coordinator/bundle job
@@ -52,7 +52,7 @@ usage:
-value <arg> new endtime/concurrency/pausetime value
for changing a
coordinator job; new pausetime value for
changing a bundle job
-verbose verbose mode
-
+.
oozie jobs <OPTIONS> : jobs status
-filter <arg> user=<U>;name=<N>;group=<G>;status=<S>;...
-jobtype <arg> job type ('Supported in Oozie-2.0 or later
versions ONLY -
@@ -62,7 +62,7 @@ usage:
-offset <arg> jobs offset (default '1')
-oozie <arg> Oozie URL
-verbose verbose mode
-
+.
oozie admin <OPTIONS> : admin operations
-oozie <arg> Oozie URL
-queuedump show Oozie server queue elements
@@ -70,14 +70,14 @@ usage:
-systemmode <arg> Supported in Oozie-2.0 or later versions
ONLY. Change oozie
system mode
[NORMAL|NOWEBSERVICE|SAFEMODE]
-version show Oozie server build version
-
+.
oozie validate <ARGS> : validate a workflow XML file
-
+.
oozie sla <OPTIONS> : sla operations (Supported in Oozie-2.0 or later)
-len <arg> number of results (default '100')
-offset <arg> start offset (default '0')
-oozie <arg> Oozie URL
-
+.
oozie pig <OPTIONS> -X <ARGS> : submit a pig job, everything after '-X'
are pass-through parameters to pig
-config <arg> job configuration file '.properties'
-D <property=value> set/override value for given property
@@ -87,6 +87,28 @@ usage:
---++ Common CLI Options
+---+++ Authentication
+
+The =oozie= CLI automatically perform authentication if the Oozie server
requests it. By default it supports both
+pseudo/simple authentication and Kerberos HTTP SPNEGO authentication.
+
+For pseudo/simple authentication the =oozie= CLI uses the user name of the
current OS user.
+
+For Kerberos HTTP SPNEGO authentication the =oozie= CLI uses the default
principal for the OS Kerberos cache
+(normally the principal that did =kinit=).
+
+Oozie uses Apache Hadoop-Auth (Java HTTP SPENGO) library for authentication.
+This library can be extended to support other authentication mechanisms.
+
+Once authentication is performed successfully the received authentication
token is cached in the user home directory
+in the =.oozie-auth-token= file with owner-only permissions. Subsequent
requests reuse the cached token while valid.
+
+The use of the cache file can be disabled by invoking the =oozie= CLI with the
=-Doozie.auth.token.cache=false=
+option.
+
+To use an custom authentication mechanism, a Hadoop-Auth =Authenticator=
implementation must be specified with the
+ =-Dauthenticator.class= = =CLASS= option.
+
---+++ Oozie URL
All =oozie= CLI sub-commands expect the <code>-oozie OOZIE_URL</code> option
indicating the URL of the Oozie system
@@ -244,7 +266,7 @@ Valid value names are:
Repeated value names are not allowed. An empty string "" can be used to reset
pause time to none.
-After the command is executed the job's pause time should be changed.
+After the command is executed the job's pause time should be changed.
---+++ Rerunning a Workflow Job
@@ -496,7 +518,7 @@ Job ID
------------------------------------------------------------------------------------------------------------------------------------
0000001-110322105610515-oozie-chao-B BUNDLE-TEST RUNNING 2012-01-15
00:24 2011-03-22 18:06 joe users
------------------------------------------------------------------------------------------------------------------------------------
-0000000-110322105610515-oozie-chao-B BUNDLE-TEST
DONEWITHERROR2012-01-15 00:24 2011-03-22 17:58 joe users
+0000000-110322105610515-oozie-chao-B BUNDLE-TEST
DONEWITHERROR2012-01-15 00:24 2011-03-22 17:58 joe users
------------------------------------------------------------------------------------------------------------------------------------
</verbatim>
Modified: incubator/oozie/trunk/pom.xml
URL:
http://svn.apache.org/viewvc/incubator/oozie/trunk/pom.xml?rev=1208146&r1=1208145&r2=1208146&view=diff
==============================================================================
--- incubator/oozie/trunk/pom.xml (original)
+++ incubator/oozie/trunk/pom.xml Tue Nov 29 23:45:14 2011
@@ -275,7 +275,7 @@
<dependency>
<groupId>commons-codec</groupId>
<artifactId>commons-codec</artifactId>
- <version>1.3</version>
+ <version>1.4</version>
</dependency>
<dependency>
@@ -540,6 +540,12 @@
<version>r09</version>
</dependency>
+ <dependency>
+ <groupId>org.apache.hadoop</groupId>
+ <artifactId>hadoop-auth</artifactId>
+ <version>0.23.0-SNAPSHOT</version>
+ </dependency>
+
</dependencies>
</dependencyManagement>
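Review bot: The added `hadoop-auth` entry manages the library that performs Oozie's HTTP authentication at `0.23.0-SNAPSHOT`, so the code behind AuthFilter can change from one build to the next without any commit in this repository, and a release built from this pom cannot be reproduced. I would manage it at a released version as soon as one is available, for example `<version>HADOOP_AUTH_RELEASE_VERSION</version>` (placeholder, not a real version). Until then, an XML comment next to the entry should state why a snapshot is required and which snapshot repository it is expected to resolve from.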
Modified: incubator/oozie/trunk/release-log.txt
URL:
http://svn.apache.org/viewvc/incubator/oozie/trunk/release-log.txt?rev=1208146&r1=1208145&r2=1208146&view=diff
==============================================================================
--- incubator/oozie/trunk/release-log.txt (original)
+++ incubator/oozie/trunk/release-log.txt Tue Nov 29 23:45:14 2011
@@ -1,5 +1,6 @@
-- Oozie 3.2.0 release
+OOZIE-77. Oozie should support Kerberos authentication on its HTTP REST API.
(tucu)
OOZIE-622. Remove system sharelib tests from TestLiteWorkflowAppService. (tucu)
OOZIE-68 Add Hive action. (tucu)
OOZIE-608 Fix test failure for testCoordChangeXCommand, testCoordChangeEndTime
Unit
Modified: incubator/oozie/trunk/webapp/pom.xml
URL:
http://svn.apache.org/viewvc/incubator/oozie/trunk/webapp/pom.xml?rev=1208146&r1=1208145&r2=1208146&view=diff
==============================================================================
--- incubator/oozie/trunk/webapp/pom.xml (original)
+++ incubator/oozie/trunk/webapp/pom.xml Tue Nov 29 23:45:14 2011
@@ -47,6 +47,61 @@
<dependencies>
<dependency>
<groupId>org.apache.oozie</groupId>
+ <artifactId>oozie-core</artifactId>
+ <scope>compile</scope>
+ <exclusions>
+ <exclusion>
+ <groupId>commons-cli</groupId>
+ <artifactId>commons-cli</artifactId>
+ </exclusion>
+ <exclusion>
+ <groupId>commons-httpclient</groupId>
+ <artifactId>commons-httpclient</artifactId>
+ </exclusion>
+ <exclusion>
+ <groupId>tomcat</groupId>
+ <artifactId>jasper-compiler</artifactId>
+ </exclusion>
+ <exclusion>
+ <groupId>tomcat</groupId>
+ <artifactId>jasper-runtime</artifactId>
+ </exclusion>
+ <exclusion>
+ <groupId>javax.servlet</groupId>
+ <artifactId>servlet-api</artifactId>
+ </exclusion>
+ <exclusion>
+ <groupId>javax.servlet</groupId>
+ <artifactId>jsp-api</artifactId>
+ </exclusion>
+ <exclusion>
+ <groupId>commons-logging</groupId>
+ <artifactId>commons-logging-api</artifactId>
+ </exclusion>
+ <exclusion>
+ <groupId>jetty</groupId>
+ <artifactId>org.mortbay.jetty</artifactId>
+ </exclusion>
+ <exclusion>
+ <groupId>org.mortbay.jetty</groupId>
+ <artifactId>jetty</artifactId>
+ </exclusion>
+ <exclusion>
+ <groupId>org.mortbay.jetty</groupId>
+ <artifactId>jetty-util</artifactId>
+ </exclusion>
+ <exclusion>
+ <groupId>org.mortbay.jetty</groupId>
+ <artifactId>jsp-api-2.1</artifactId>
+ </exclusion>
+ <exclusion>
+ <groupId>org.mortbay.jetty</groupId>
+ <artifactId>servlet-api-2.5</artifactId>
+ </exclusion>
+ </exclusions>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.oozie</groupId>
<artifactId>oozie-docs</artifactId>
<type>war</type>
<scope>compile</scope>
Modified: incubator/oozie/trunk/webapp/src/main/webapp/WEB-INF/web.xml
URL:
http://svn.apache.org/viewvc/incubator/oozie/trunk/webapp/src/main/webapp/WEB-INF/web.xml?rev=1208146&r1=1208145&r2=1208146&view=diff
==============================================================================
--- incubator/oozie/trunk/webapp/src/main/webapp/WEB-INF/web.xml (original)
+++ incubator/oozie/trunk/webapp/src/main/webapp/WEB-INF/web.xml Tue Nov 29
23:45:14 2011
@@ -146,4 +146,64 @@
<welcome-file>index.html</welcome-file>
</welcome-file-list>
+ <filter>
+ <filter-name>authenticationfilter</filter-name>
+ <filter-class>org.apache.oozie.servlet.AuthFilter</filter-class>
+ </filter>
+
+ <filter-mapping>
+ <filter-name>authenticationfilter</filter-name>
+ <url-pattern>/versions/*</url-pattern>
+ </filter-mapping>
+
+ <filter-mapping>
+ <filter-name>authenticationfilter</filter-name>
+ <url-pattern>/v0/admin/*</url-pattern>
+ </filter-mapping>
+
+ <filter-mapping>
+ <filter-name>authenticationfilter</filter-name>
+ <url-pattern>/v1/admin/*</url-pattern>
+ </filter-mapping>
+
+ <filter-mapping>
+ <filter-name>authenticationfilter</filter-name>
+ <url-pattern>/v0/jobs</url-pattern>
+ </filter-mapping>
+
+ <filter-mapping>
+ <filter-name>authenticationfilter</filter-name>
+ <url-pattern>/v1/jobs</url-pattern>
+ </filter-mapping>
+
+ <filter-mapping>
+ <filter-name>authenticationfilter</filter-name>
+ <url-pattern>/v0/job/*</url-pattern>
+ </filter-mapping>
+
+ <filter-mapping>
+ <filter-name>authenticationfilter</filter-name>
+ <url-pattern>/v1/job/*</url-pattern>
+ </filter-mapping>
+
+ <filter-mapping>
+ <filter-name>authenticationfilter</filter-name>
+ <url-pattern>/index.html</url-pattern>
+ </filter-mapping>
+
+ <filter-mapping>
+ <filter-name>authenticationfilter</filter-name>
+ <url-pattern>*.js</url-pattern>
+ </filter-mapping>
+
+ <filter-mapping>
+ <filter-name>authenticationfilter</filter-name>
+ <url-pattern>/ext-2.2/*</url-pattern>
+ </filter-mapping>
+
+ <filter-mapping>
+ <filter-name>authenticationfilter</filter-name>
+ <url-pattern>/docs/*</url-pattern>
+ </filter-mapping>
+
</web-app>
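Review bot: The filter is attached path by path, so any servlet or static resource that is mapped elsewhere in web.xml and not listed in these `<filter-mapping>` entries is served without authentication, and every endpoint added later stays unauthenticated until someone adds a mapping for it. The servlet mappings are outside the hunk, so this needs checking against them. For instance, the CLI documentation in this commit describes `sla` operations and no sla pattern appears here, and `/v0/jobs` and `/v1/jobs` are exact-match patterns only. If some endpoints must stay open, I would still map the filter once with `<url-pattern>/*</url-pattern>` and handle the exceptions explicitly, or at least add an XML comment above the mappings naming the endpoints that are intentionally left unfiltered.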