001/**
002 * Licensed to the Apache Software Foundation (ASF) under one
003 * or more contributor license agreements.  See the NOTICE file
004 * distributed with this work for additional information
005 * regarding copyright ownership.  The ASF licenses this file
006 * to you under the Apache License, Version 2.0 (the
007 * "License"); you may not use this file except in compliance
008 * with the License.  You may obtain a copy of the License at
009 *
010 *     http://www.apache.org/licenses/LICENSE-2.0
011 *
012 * Unless required by applicable law or agreed to in writing, software
013 * distributed under the License is distributed on an "AS IS" BASIS,
014 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
015 * See the License for the specific language governing permissions and
016 * limitations under the License.
017 */
018package org.apache.hadoop.security;
019
020import org.apache.hadoop.http.HttpServer2;
021import org.apache.hadoop.security.authentication.server.AuthenticationFilter;
022import org.apache.hadoop.conf.Configuration;
023import org.apache.hadoop.http.FilterContainer;
024import org.apache.hadoop.http.FilterInitializer;
025import org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler;
026
027import java.io.IOException;
028import java.util.HashMap;
029import java.util.Map;
030
/**
 * Installs {@link AuthenticationWithProxyUserFilter}, which provides
 * support for Kerberos HTTP SPNEGO authentication and proxy user
 * authentication.
 * <p>
 * It enables anonymous access, simple/pseudo and Kerberos HTTP SPNEGO
 * authentication for Hadoop JobTracker, NameNode, DataNodes and
 * TaskTrackers.
 * <p>
 * Of these modes only Kerberos SPNEGO verifies the caller's identity:
 * simple/pseudo authentication accepts the user name the client presents,
 * and anonymous access admits requests that carry none. Web endpoints that
 * must be authenticated therefore need the Kerberos type configured.
 * <p>
 * Refer to the <code>core-default.xml</code> file, after the comment
 * 'HTTP Authentication' for details on the configuration options.
 * All related configuration properties have 'hadoop.http.authentication.'
 * as prefix.
 */
public class AuthenticationFilterInitializer extends FilterInitializer {

  /** Prefix shared by every HTTP authentication configuration property. */
  static final String PREFIX = "hadoop.http.authentication.";

  /**
   * Initializes hadoop-auth AuthenticationFilter.
   * <p>
   * Propagates to hadoop-auth AuthenticationFilter configuration all Hadoop
   * configuration properties prefixed with "hadoop.http.authentication."
   *
   * @param container The filter container
   * @param conf Configuration for run-time parameters
   */
  @Override
  public void initFilter(FilterContainer container, Configuration conf) {
    final Map<String, String> initParams = getFilterConfigMap(conf, PREFIX);

    // AuthenticationWithProxyUserFilter is registered (rather than the plain
    // AuthenticationFilter) so that proxy user operation is supported.
    final String filterClassName =
        AuthenticationWithProxyUserFilter.class.getName();
    container.addFilter("authentication", filterClassName, initParams);
  }

  /**
   * Builds the parameter map handed to the authentication filter.
   * <p>
   * Every configuration property whose name starts with {@code prefix} is
   * copied into the map with the prefix stripped from its name. The copy is
   * unfiltered, so whatever is configured under the prefix reaches the
   * filter; depending on the deployment that can include sensitive settings
   * (for instance a keytab location or cookie-signing secret settings), and
   * the returned map should be kept out of logs for that reason.
   * <p>
   * The cookie path defaults to "/"; a configured property that maps to the
   * same key replaces that default because it is stored afterwards.
   * <p>
   * If a Kerberos principal is configured it is passed through
   * {@link SecurityUtil#getServerPrincipal(String, String)} together with the
   * HTTP bind address, and the result replaces the configured value.
   *
   * @param conf Configuration to read the properties from
   * @param prefix prefix selecting the properties to copy
   * @return a new mutable map of filter parameters
   * @throws RuntimeException if the Kerberos principal cannot be resolved;
   *         the underlying {@link IOException} is kept as the cause
   */
  public static Map<String, String> getFilterConfigMap(Configuration conf,
      String prefix) {
    final Map<String, String> params = new HashMap<>();

    // Cookie path root '/' makes the cookie apply to all resources. It goes
    // in first so that an explicitly configured value can override it below.
    params.put(AuthenticationFilter.COOKIE_PATH, "/");

    for (Map.Entry<String, String> property : conf) {
      final String fullName = property.getKey();
      if (!fullName.startsWith(prefix)) {
        continue;
      }
      // The value is looked up through conf.get() instead of being taken
      // from the iterated entry -- presumably to obtain it the way
      // Configuration resolves it (e.g. variable expansion); TODO confirm.
      final String resolvedValue = conf.get(fullName);
      params.put(fullName.substring(prefix.length()), resolvedValue);
    }

    // Resolve _HOST into bind address
    final String bindAddress = conf.get(HttpServer2.BIND_ADDRESS);
    final String configuredPrincipal =
        params.get(KerberosAuthenticationHandler.PRINCIPAL);
    if (configuredPrincipal == null) {
      // No Kerberos principal configured: nothing to resolve.
      return params;
    }

    final String serverPrincipal;
    try {
      serverPrincipal =
          SecurityUtil.getServerPrincipal(configuredPrincipal, bindAddress);
    } catch (IOException ex) {
      throw new RuntimeException(
          "Could not resolve Kerberos principal name: " + ex.toString(), ex);
    }
    params.put(KerberosAuthenticationHandler.PRINCIPAL, serverPrincipal);
    return params;
  }

}