Hello Andrew Sherman, Todd Lipcon, Impala Public Jenkins,

I'd like you to reexamine a change. Please visit

    http://gerrit.cloudera.org:8080/13672

to look at the new patch set (#5).

Change subject: IMPALA-8584: Add cookie support to the HTTP HS2 server
......................................................................

IMPALA-8584: Add cookie support to the HTTP HS2 server

This patch modifies the HTTP HS2 server to accept cookies for
authentication in order to avoid having to authenticate every request
through LDAP or Kerberos.

It adds a flag, --max_cookie_lifetime_s, that determines how long
generated cookies are valid for. Setting the flag to 0 disables cookie
support.

The cookies include a SHA256 HMAC signature that is used to verify
them. They also have a timestamp that is used to determine if they
have expired. If a cookie is successfully verified and hasn't expired,
the username contained in the cookie is set on the connection.

Each impalad uses its own key to generate the signature, so clients
that reconnect to a different impalad will have to reauthenticate.
On a single impalad cookies are valid across sessions and connections.

A new cookie is generated and sent back with the Set-Cookie header on
each request that was authenticated without using a cookie.

Cookies are of the form:
  impala.hs2.auth=<cookie>;HttpOnly;MaxAge=<max_cookie_lifetime_s>
    <optional ';Secure' flag>
where:
  cookie = <signature>&<username>&<create timestamp>&<random number>
and 'signature' is the SHA256 HMAC of the rest of the cookie

The 'Secure' flag, which indicates to clients that the cookie should
only be sent over secure connections, is omitted if
'--ldap_passwords_in_clear_ok' is true. This is intended only for
testing.

It also adds the metrics:
  impala.thrift-server.hiveserver2-http-frontend.total-cookie-auth-success
  impala.thrift-server.hiveserver2-http-frontend.total-cookie-auth-failure

Testing:
- Added tests to the FE LDAP tests that use the metrics to verify
  successful and failed cookie attempts.

Change-Id: I647c06f94ef91aa3b6413e91576c4ec506ed57f4
---
M be/src/rpc/CMakeLists.txt
M be/src/rpc/auth-provider.h
M be/src/rpc/authentication.cc
A be/src/rpc/cookie-util.cc
A be/src/rpc/cookie-util.h
M be/src/transport/THttpServer.cpp
M be/src/transport/THttpServer.h
M be/src/util/openssl-util.cc
M be/src/util/openssl-util.h
M common/thrift/metrics.json
M fe/src/test/java/org/apache/impala/customcluster/LdapHS2Test.java
M fe/src/test/java/org/apache/impala/customcluster/LdapJdbcTest.java
M fe/src/test/java/org/apache/impala/service/JdbcTestBase.java
13 files changed, 502 insertions(+), 103 deletions(-)

  git pull ssh://gerrit.cloudera.org:29418/Impala-ASF refs/changes/72/13672/5
--
To view, visit http://gerrit.cloudera.org:8080/13672

Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: newpatchset
Gerrit-Change-Id: I647c06f94ef91aa3b6413e91576c4ec506ed57f4
Gerrit-Change-Number: 13672
Gerrit-PatchSet: 5
Gerrit-Owner: Thomas Tauber-Marshall <tmarsh...@cloudera.com>
Gerrit-Reviewer: Andrew Sherman <asher...@cloudera.com>
Gerrit-Reviewer: Impala Public Jenkins <impala-public-jenk...@cloudera.com>
Gerrit-Reviewer: Todd Lipcon <t...@apache.org>