This is an automated email from the ASF dual-hosted git repository. elserj pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/phoenix-queryserver.git
The following commit(s) were added to refs/heads/master by this push: new fc9ed81 PHOENIX-5393 Add _HOST expansion to SPNEGO login fc9ed81 is described below commit fc9ed816ab26cbf8b92af2df559b56a552016887 Author: Josh Elser <els...@apache.org> AuthorDate: Wed Jul 17 13:35:50 2019 -0400 PHOENIX-5393 Add _HOST expansion to SPNEGO login Closes #6 --- .../phoenix/queryserver/server/QueryServer.java | 30 ++++++--- .../queryserver/server/QueryServerTest.java | 75 ++++++++++++++++++++++ 2 files changed, 97 insertions(+), 8 deletions(-) diff --git a/queryserver/src/main/java/org/apache/phoenix/queryserver/server/QueryServer.java b/queryserver/src/main/java/org/apache/phoenix/queryserver/server/QueryServer.java index 4766394..5f39362 100644 --- a/queryserver/src/main/java/org/apache/phoenix/queryserver/server/QueryServer.java +++ b/queryserver/src/main/java/org/apache/phoenix/queryserver/server/QueryServer.java @@ -286,18 +286,12 @@ public final class QueryServer extends Configured implements Tool, Runnable { } @VisibleForTesting - void configureSpnegoAuthentication(HttpServer.Builder builder, UserGroupInformation ugi) { + void configureSpnegoAuthentication(HttpServer.Builder builder, UserGroupInformation ugi) throws IOException { String keytabPath = getConf().get(QueryServices.QUERY_SERVER_KEYTAB_FILENAME_ATTRIB); File keytab = new File(keytabPath); String httpKeytabPath = getConf().get(QueryServices.QUERY_SERVER_HTTP_KEYTAB_FILENAME_ATTRIB, null); - String httpPrincipal = - getConf().get(QueryServices.QUERY_SERVER_KERBEROS_HTTP_PRINCIPAL_ATTRIB, null); - // Backwards compat for a configuration key change - if (httpPrincipal == null) { - httpPrincipal = - getConf().get(QueryServices.QUERY_SERVER_KERBEROS_HTTP_PRINCIPAL_ATTRIB_LEGACY, null); - } + String httpPrincipal = getSpnegoPrincipal(getConf()); File httpKeytab = null; if (null != httpKeytabPath) { httpKeytab = new File(httpKeytabPath); 
@@ -316,6 +310,26 @@ public final class QueryServer extends Configured implements Tool, Runnable { } } + /** + * Returns the Kerberos principal to use for SPNEGO, substituting {@code _HOST} + * if it is present as the "instance" component of the Kerberos principal. It returns + * the configured principal as-is if {@code _HOST} is not the "instance". + */ + String getSpnegoPrincipal(Configuration conf) throws IOException { + String httpPrincipal = conf.get( + QueryServices.QUERY_SERVER_KERBEROS_HTTP_PRINCIPAL_ATTRIB, null); + // Backwards compat for a configuration key change + if (httpPrincipal == null) { + httpPrincipal = conf.get( + QueryServices.QUERY_SERVER_KERBEROS_HTTP_PRINCIPAL_ATTRIB_LEGACY, null); + } + + String hostname = Strings.domainNamePointerToHostName(DNS.getDefaultHost( + conf.get(QueryServices.QUERY_SERVER_DNS_INTERFACE_ATTRIB, "default"), + conf.get(QueryServices.QUERY_SERVER_DNS_NAMESERVER_ATTRIB, "default"))); + return SecurityUtil.getServerPrincipal(httpPrincipal, hostname); + } + @VisibleForTesting UserGroupInformation getUserGroupInformation() throws IOException { UserGroupInformation ugi = UserGroupInformation.getCurrentUser(); diff --git a/queryserver/src/test/java/org/apache/phoenix/queryserver/server/QueryServerTest.java b/queryserver/src/test/java/org/apache/phoenix/queryserver/server/QueryServerTest.java new file mode 100644 index 0000000..243e713 --- /dev/null +++ b/queryserver/src/test/java/org/apache/phoenix/queryserver/server/QueryServerTest.java 
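Review bot: `getSpnegoPrincipal` calls `DNS.getDefaultHost(...)` on every invocation, including when the configured principal has no `_HOST` instance or when neither key is set, so a bad `QUERY_SERVER_DNS_INTERFACE_ATTRIB` or `QUERY_SERVER_DNS_NAMESERVER_ATTRIB` value can presumably fail SPNEGO setup with an IOException even though nothing needs expanding. Assuming `SecurityUtil.getServerPrincipal` returns its input unchanged in those cases, as the Javadoc here says for the non-`_HOST` case, an early return before the lookup avoids that: `if (httpPrincipal == null || !httpPrincipal.contains("_HOST")) { return httpPrincipal; }`. Because the instance component now comes from name resolution rather than from the configuration file, it is also worth logging the expanded principal once at startup, so that a mismatch with the entries in the HTTP keytab is visible to operators. The method is package-private for the test but, unlike its neighbours in this hunk, carries no `@VisibleForTesting`.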
@@ -0,0 +1,75 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.phoenix.queryserver.server;
+
+import static org.junit.Assert.assertEquals;
+
+import java.io.IOException;
+import java.net.InetAddress;
+
+import org.apache.hadoop.conf.Configuration;
+import org.apache.phoenix.query.QueryServices;
+import org.junit.Before;
+import org.junit.BeforeClass;
+import org.junit.Test;
+
+public class QueryServerTest {
+
+ private static String getSpnegoPrincipal(String instance) {
+ return "HTTP/" + instance + "@EXAMPLE.COM";
+ }
+
+ private static String EXPECTED_HOSTNAME;
+ private QueryServer qs;
+ private Configuration conf;
+
+ @BeforeClass
+ public static void setupOnce() throws IOException {
+ EXPECTED_HOSTNAME = InetAddress.getLocalHost().getCanonicalHostName();
+ }
+
+ @Before
+ public void setup() {
+ this.conf = new Configuration(false);
+ this.qs = new QueryServer();
+ }
+
+ @Test
+ public void testHostExpansion() throws IOException {
+ conf.set(QueryServices.QUERY_SERVER_KERBEROS_HTTP_PRINCIPAL_ATTRIB, getSpnegoPrincipal("_HOST"));
+
+ assertEquals(getSpnegoPrincipal(EXPECTED_HOSTNAME), qs.getSpnegoPrincipal(conf));
+ }
+
+ @Test
+ public void testHostExpansionWithOldName() throws IOException {
+ conf.set(QueryServices.QUERY_SERVER_KERBEROS_HTTP_PRINCIPAL_ATTRIB_LEGACY, getSpnegoPrincipal("_HOST"));
+
+ assertEquals(getSpnegoPrincipal(EXPECTED_HOSTNAME), qs.getSpnegoPrincipal(conf));
+ }
+
+ @Test
+ public void testHostExpansionWithOldAndNewNames() throws IOException {
+ conf.set(QueryServices.QUERY_SERVER_KERBEROS_HTTP_PRINCIPAL_ATTRIB, getSpnegoPrincipal("_HOST"));
+ // When we provide both names, the new property should take priority
+ conf.set(QueryServices.QUERY_SERVER_KERBEROS_HTTP_PRINCIPAL_ATTRIB_LEGACY, "fake_" + getSpnegoPrincipal("_HOST"));
+
+ assertEquals(getSpnegoPrincipal(EXPECTED_HOSTNAME), qs.getSpnegoPrincipal(conf));
+ }
+
+}
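Review bot: All three tests configure a `_HOST` principal, so the other behaviour the new Javadoc promises, that a principal whose instance is not `_HOST` is returned as-is, has no regression test. A fourth test would pin it, for example `conf.set(QueryServices.QUERY_SERVER_KERBEROS_HTTP_PRINCIPAL_ATTRIB, getSpnegoPrincipal("qs.example.com"));` followed by `assertEquals(getSpnegoPrincipal("qs.example.com"), qs.getSpnegoPrincipal(conf));` (host name constructed for the example). `EXPECTED_HOSTNAME` is taken from `InetAddress.getLocalHost().getCanonicalHostName()` while the code under test resolves through `DNS.getDefaultHost` and `SecurityUtil.getServerPrincipal`; on some build hosts these may disagree in letter case or in short versus fully-qualified form, which would make the assertions environment-dependent. The static helper `getSpnegoPrincipal(String)` also shares its name with the method under test, so a name such as `principalFor` would make the assertions easier to read.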