Impala Public Jenkins has submitted this change and it was merged. ( http://gerrit.cloudera.org:8080/13672 )
Change subject: IMPALA-8584: Add cookie support to the HTTP HS2 server
......................................................................

IMPALA-8584: Add cookie support to the HTTP HS2 server

This patch modifies the HTTP HS2 server to accept cookies for authentication in order to avoid having to authenticate every request through LDAP or Kerberos.

It adds a flag, --max_cookie_lifetime_s, that determines how long generated cookies are valid for. Setting the flag to 0 disables cookie support.

The cookies include a SHA256 HMAC signature that is used to verify them. They also have a timestamp that is used to determine if they have expired. If a cookie is successfully verified and hasn't expired, the username contained in the cookie is set on the connection.

Each impalad uses its own key to generate the signature, so clients that reconnect to a different impalad will have to reauthenticate. On a single impalad cookies are valid across sessions and connections.

A new cookie is generated and sent back with the Set-Cookie header on each request that was authenticated without using a cookie.

Cookies are of the form:
  impala.hs2.auth=<cookie>;HttpOnly;MaxAge=<max_cookie_lifetime_s> <optional ';Secure' flag>
where:
  cookie = <signature>&<username>&<create timestamp>&<random number>
and 'signature' is the SHA256 HMAC of the rest of the cookie.

The 'Secure' flag, which indicates to clients that the cookie should only be sent over secure connections, is omitted if '--ldap_passwords_in_clear_ok' is true. This is intended only for testing.

It also adds the metrics:
  impala.thrift-server.hiveserver2-http-frontend.total-cookie-auth-success
  impala.thrift-server.hiveserver2-http-frontend.total-cookie-auth-failure

Testing:
- Added tests to the FE LDAP tests that use the metrics to verify successful and failed cookie attempts.

Change-Id: I647c06f94ef91aa3b6413e91576c4ec506ed57f4
Reviewed-on: http://gerrit.cloudera.org:8080/13672
Reviewed-by: Thomas Tauber-Marshall <[email protected]>
Tested-by: Impala Public Jenkins <[email protected]>
---
M be/src/rpc/CMakeLists.txt
M be/src/rpc/auth-provider.h
M be/src/rpc/authentication.cc
A be/src/rpc/cookie-util.cc
A be/src/rpc/cookie-util.h
M be/src/transport/THttpServer.cpp
M be/src/transport/THttpServer.h
M be/src/util/openssl-util.cc
M be/src/util/openssl-util.h
M common/thrift/metrics.json
M fe/src/test/java/org/apache/impala/customcluster/LdapHS2Test.java
M fe/src/test/java/org/apache/impala/customcluster/LdapJdbcTest.java
M fe/src/test/java/org/apache/impala/service/JdbcTestBase.java
13 files changed, 541 insertions(+), 106 deletions(-)

Approvals:
  Thomas Tauber-Marshall: Looks good to me, approved
  Impala Public Jenkins: Verified

--
To view, visit http://gerrit.cloudera.org:8080/13672
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: merged
Gerrit-Change-Id: I647c06f94ef91aa3b6413e91576c4ec506ed57f4
Gerrit-Change-Number: 13672
Gerrit-PatchSet: 9
Gerrit-Owner: Thomas Tauber-Marshall <[email protected]>
Gerrit-Reviewer: Andrew Sherman <[email protected]>
Gerrit-Reviewer: Impala Public Jenkins <[email protected]>
Gerrit-Reviewer: Thomas Tauber-Marshall <[email protected]>
Gerrit-Reviewer: Tim Armstrong <[email protected]>
Gerrit-Reviewer: Todd Lipcon <[email protected]>
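
The cookie value described in the commit message above (`<signature>&<username>&<create timestamp>&<random number>`, signed with a per-server key and checked against a maximum lifetime), as an added Python example that is not code from the Impala patch. The function names, the hex encoding of the signature, the timestamp being in seconds and the 64-bit random number are assumptions; the message does not specify them.

```python
import hashlib
import hmac
import secrets
import time


def _sign(key: bytes, payload: str) -> str:
    # Hex encoding of the HMAC is an assumption; the page does not say.
    return hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()


def make_cookie(key: bytes, username: str, now=None) -> str:
    """Build <signature>&<username>&<create timestamp>&<random number>."""
    ts = int(time.time() if now is None else now)  # seconds: an assumption
    payload = f"{username}&{ts}&{secrets.randbits(64)}"
    return f"{_sign(key, payload)}&{payload}"


def verify_cookie(key: bytes, cookie: str, max_lifetime_s: int, now=None):
    """Return the username if the cookie is authentic and fresh, else None."""
    if max_lifetime_s <= 0:  # a lifetime of 0 disables cookie support
        return None
    sig, sep, payload = cookie.partition("&")
    if not sep:
        return None
    # Check the signature before parsing any field; constant-time compare.
    if not hmac.compare_digest(sig.encode(), _sign(key, payload).encode()):
        return None
    # Split from the right so a username containing '&' stays intact.
    parts = payload.rsplit("&", 2)
    if len(parts) != 3:
        return None
    username, ts, _nonce = parts
    try:
        age = int(time.time() if now is None else now) - int(ts)
    except ValueError:
        return None
    return username if 0 <= age <= max_lifetime_s else None


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # constructed per-server key
    cookie = make_cookie(key, "alice")
    print(verify_cookie(key, cookie, max_lifetime_s=3600))       # same server
    print(verify_cookie(secrets.token_bytes(32), cookie, 3600))  # other key
```

Verifying the signature before splitting the payload means no field of an unauthenticated cookie is ever interpreted, and a cookie presented to a server holding a different key fails the same way a forged one does.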
