> On Sept. 20, 2016, 1:26 p.m., Nate Cole wrote:
> > ambari-server/pom.xml, lines 1403-1411
> > <https://reviews.apache.org/r/52068/diff/1/?file=1504184#file1504184line1403>
> >
> >     How will this affect the size of Ambari?  The KerberosName class is 
> > pretty lightweight, so hopefully we don't need all of Hadoop Client for 
> > this.  Also, what's the reliance on ZK?

Good question.  We are importing this to get the Auth-to-local parser 
functionality provided by the hadoop classes. I originally wrote my own (that 
worked well) but was persuaded to use the one from the Hadoop libs for 
"consistency". 

In any case, the dependency seems like a single JAR:

```
+- org.apache.hadoop:hadoop-auth:jar:2.7.2:compile
|  \- org.apache.zookeeper:zookeeper:jar:3.4.6:compile
|     +- jline:jline:jar:2.11:compile (version managed from 0.9.94)
|     \- io.netty:netty:jar:3.7.0.Final:compile
```

I am not sure what the deal is with ZooKeeper, so I excluded it...


- Robert


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/52068/#review149684
-----------------------------------------------------------


On Sept. 20, 2016, 10:41 a.m., Robert Levas wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/52068/
> -----------------------------------------------------------
> 
> (Updated Sept. 20, 2016, 10:41 a.m.)
> 
> 
> Review request for Ambari, Jonathan Hurley, Myroslav Papirkovskyy, and Nate 
> Cole.
> 
> 
> Bugs: AMBARI-18406
>     https://issues.apache.org/jira/browse/AMBARI-18406
> 
> 
> Repository: ambari
> 
> 
> Description
> -------
> 
> Users should be able to authenticate to use Ambari by providing a Kerberos 
> token using SPNEGO - Simple and Protected GSSAPI Negotiation Mechanism.  This 
> includes access to the Ambari REST API as well as the Ambari web-based UI. 
> 
> The implementation should support the ability to perform the full SPNEGO 
> handshake as well as access requests directly providing the appropriate HTTP 
> header containing the Kerberos token. For example:
> 
> ```
> Authorization: Negotiate YIICcgY...r/vJcLO
> ```
> 
> In the full handshake model:
> - The client requests access to a web resource
> - The server responds with an HTTP 401 status (`Unauthorized`), including the 
> header `WWW-Authenticate: Negotiate`
> - The client generates the Kerberos data and creates a new request containing 
> the authentication header - `Authorization: Negotiate YIICcgY...r/vJcLO`
> 
> Since Ambari needs to generally return an HTTP status of 403 (`Forbidden`) 
> when authentication is needed, a _hint_ must be sent along with the request 
> to indicate to Ambari that Kerberos authentication is desired.  If this _hint_ 
> is received, then Ambari will respond with the appropriate status and header 
> to initiate SPNEGO with the client. This _hint_ is an Ambari-specific header 
> named "X-Negotiate-Authentication" with the value of "true":
> 
> ```
> X-Negotiate-Authentication: true
> ```
> 
> No matter what the handshake mechanism is (or lack of), once the Kerberos 
> token is received by Ambari, Ambari is to parse and validate the token.  If a 
> failure occurs, Ambari is to respond with the appropriate HTTP status and 
> related header(s).  Upon success, the user's principal name is retrieved and 
> converted into a _local_ user name.  The use of an auth-to-local rule set 
> processor may be needed to perform this translation.  Using this _local_ 
> username, an appropriate Ambari user account is located and used as the 
> authenticated user's identity - details, privileges, etc. Failure to find 
> an appropriate Ambari user account is to result in an authentication failure 
> response.
> 
> 
> Diffs
> -----
> 
>   ambari-project/pom.xml 2615b46 
>   ambari-server/pom.xml 323ce22 
>   ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java b2fa4c0 
>   ambari-server/src/main/java/org/apache/ambari/server/controller/KerberosHelper.java c4d21fc 
>   ambari-server/src/main/java/org/apache/ambari/server/controller/KerberosHelperImpl.java 5bc5cd8 
>   ambari-server/src/main/java/org/apache/ambari/server/security/AmbariEntryPoint.java 2028f46 
>   ambari-server/src/main/java/org/apache/ambari/server/security/authentication/kerberos/AmbariAuthToLocalUserDetailsService.java PRE-CREATION 
>   ambari-server/src/main/java/org/apache/ambari/server/security/authentication/kerberos/AmbariKerberosAuthenticationFilter.java PRE-CREATION 
>   ambari-server/src/main/java/org/apache/ambari/server/security/authentication/kerberos/AmbariKerberosTicketValidator.java PRE-CREATION 
>   ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/AbstractPrepareKerberosServerAction.java b6b0713 
>   ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/ConfigureAmbariIdentitiesServerAction.java PRE-CREATION 
>   ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/ConfigureAmbariIndetityServerAction.java 96540ef 
>   ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/CreatePrincipalsServerAction.java e31e6ff 
>   ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/KerberosServerAction.java db210e0 
>   ambari-server/src/main/resources/webapp/WEB-INF/spring-security.xml a86973c 
>   ambari-server/src/test/java/org/apache/ambari/server/controller/KerberosHelperTest.java 3c97ce9 
>   ambari-server/src/test/java/org/apache/ambari/server/security/authentication/kerberos/AmbariAuthToLocalUserDetailsServiceTest.java PRE-CREATION 
>   ambari-server/src/test/java/org/apache/ambari/server/security/authentication/kerberos/AmbariKerberosAuthenticationFilterTest.java PRE-CREATION 
>   ambari-server/src/test/java/org/apache/ambari/server/security/authentication/kerberos/AmbariKerberosTicketValidatorTest.java PRE-CREATION 
> 
> Diff: https://reviews.apache.org/r/52068/diff/
> 
> 
> Testing
> -------
> 
> Manual testing
> 
> # Local test results: 
> 
> [INFO] ------------------------------------------------------------------------
> [INFO] BUILD SUCCESS
> [INFO] ------------------------------------------------------------------------
> [INFO] Total time: 1:10:14.923s
> [INFO] Finished at: Mon Sep 19 19:27:33 EDT 2016
> [INFO] Final Memory: 72M/692M
> [INFO] ------------------------------------------------------------------------
> 
> # Jenkins test results: PENDING
> 
> 
> Thanks,
> 
> Robert Levas
> 
>
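
The header handling laid out in the review request's description, as an added Java example that is not part of the patch or of Ambari. The class, enum and method names are hypothetical, the 401 reply to a malformed token is an assumption, and `toLocalName` is a simplified stand-in for an auth-to-local rule set rather than the Hadoop parser; Kerberos ticket validation itself is not shown.

```java
import java.util.Base64;
import java.util.Map;
import java.util.TreeMap;

// Added illustration, not Ambari code: class, enum and method names are hypothetical.
public class SpnegoDecisionExample {
    enum Outcome { FORBIDDEN_403, CHALLENGE_401_NEGOTIATE, VALIDATE_TOKEN }

    static final String SCHEME = "Negotiate ";

    // Decide the response from the request headers alone; ticket validation is out of scope.
    static Outcome decide(Map<String, String> requestHeaders) {
        // HTTP header names are case-insensitive, so look them up that way.
        Map<String, String> h = new TreeMap<>(String.CASE_INSENSITIVE_ORDER);
        h.putAll(requestHeaders);
        String auth = h.get("Authorization");
        if (auth != null && auth.regionMatches(true, 0, SCHEME, 0, SCHEME.length())) {
            try {
                byte[] token = Base64.getDecoder().decode(auth.substring(SCHEME.length()).trim());
                if (token.length > 0) return Outcome.VALIDATE_TOKEN; // bytes go to the ticket validator
            } catch (IllegalArgumentException notBase64) {
                // fall through: handled as a failed attempt
            }
            return Outcome.CHALLENGE_401_NEGOTIATE; // assumption: a bad token restarts the handshake
        }
        // No token: only the Ambari-specific hint turns the usual 403 into a SPNEGO challenge.
        if ("true".equalsIgnoreCase(h.get("X-Negotiate-Authentication"))) return Outcome.CHALLENGE_401_NEGOTIATE;
        return Outcome.FORBIDDEN_403;
    }

    // Simplified stand-in for an auth-to-local rule: first component, default realm only.
    static String toLocalName(String principal, String defaultRealm) {
        int at = principal.lastIndexOf('@');
        if (at <= 0 || !principal.substring(at + 1).equals(defaultRealm)) return null; // no mapping
        String name = principal.substring(0, at);
        int slash = name.indexOf('/');
        String first = slash < 0 ? name : name.substring(0, slash);
        return first.isEmpty() ? null : first; // null means authentication failure
    }

    public static void main(String[] args) {
        // Constructed requests; the token is base64 of a dummy string, not a Kerberos ticket.
        String dummy = Base64.getEncoder().encodeToString("not-a-real-ticket".getBytes());
        System.out.println(decide(Map.of()));
        System.out.println(decide(Map.of("x-negotiate-authentication", "true")));
        System.out.println(decide(Map.of("Authorization", "Negotiate " + dummy)));
        System.out.println(decide(Map.of("Authorization", "Negotiate %%%")));
        System.out.println(toLocalName("alice@EXAMPLE.COM", "EXAMPLE.COM"));
        System.out.println(toLocalName("alice@OTHER.COM", "EXAMPLE.COM"));
    }
}
```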
