[#1185] feat(server-common): Server supports Kerberos authentication #1614
Conversation
|
|
Added. |
|
@mchades @jerryshao @yuqi1129 @diqiu50 @FANNG1 @Clearvive Could you help me review this pr? |
| String challenge = AuthConstants.AUTHORIZATION_NEGOTIATE_HEADER + authenticateToken; | ||
| throw new UnauthorizedException("GssContext isn't established", challenge); | ||
| } | ||
| // Usually principal names are in the form 'user/instance@REALM' or 'user@REALM'. |
There was a problem hiding this comment.
I simplify the logic of convertion from principal to user.
| @Override | ||
| public void initialize(Config config) throws RuntimeException { | ||
| try { | ||
| String principal = config.get(KerberosConfig.PRINCIPAL); |
There was a problem hiding this comment.
We don't support * principal.
There was a problem hiding this comment.
Please add this to the comment.
| if (!keytabFile.exists()) { | ||
| throw new IllegalArgumentException("Keytab doesn't exist: " + keytab); | ||
| } | ||
|
|
There was a problem hiding this comment.
We remove the validation of rule names.
docs/security.md
Outdated
| | `gravitino.authenticator.oauth.tokenPath` | The path for token of the default OAuth server. | (none) | Yes if use `oauth` as the authenticator | 0.3.0 | | ||
| | Configuration item | Description | Default value | Required | Since version | | ||
| |---------------------------------------------------|-----------------------------------------------------------------------------|-------------------|--------------------------------------------|---------------| | ||
| | `gravitino.authenticator` | The authenticator which Gravitino uses, setting as `simple` or `oauth`. | `simple` | No | 0.3.0 | |
There was a problem hiding this comment.
Do you need to update this?
| for (String challenge : ue.getChallenges()) { | ||
| resp.setHeader(AuthConstants.HTTP_CHALLENGE_HEADER, challenge); | ||
| } | ||
| } |
There was a problem hiding this comment.
Please add more comment here about the reason of this change.
| @Override | ||
| public void initialize(Config config) throws RuntimeException { | ||
| try { | ||
| String principal = config.get(KerberosConfig.PRINCIPAL); |
There was a problem hiding this comment.
Please add this to the comment.
| @@ -78,7 +78,8 @@ project.extra["extraJvmArgs"] = if (extra["jdkVersion"] in listOf("8", "11")) { | |||
| "--add-opens", "java.base/sun.nio.ch=ALL-UNNAMED", | |||
| "--add-opens", "java.base/sun.nio.cs=ALL-UNNAMED", | |||
| "--add-opens", "java.base/sun.security.action=ALL-UNNAMED", | |||
| "--add-opens", "java.base/sun.util.calendar=ALL-UNNAMED" | |||
| "--add-opens", "java.base/sun.util.calendar=ALL-UNNAMED", | |||
| "--add-opens", "java.security.jgss/sun.security.krb5=ALL-UNNAMED" | |||
There was a problem hiding this comment.
I think you should also update the start script under "bin".
| // Referred from Apache Hadoop KerberosTestUtils.java | ||
| // hadoop-common-project/hadoop-auth/src/test/java/org/apache/hadoop/security/\ | ||
| // authentication/KerberosTestUtils.java | ||
| public class KerberosUtils { |
There was a problem hiding this comment.
Still the same thing here, please point out which part did you modify for what purpose.
| Subject subject = new Subject(false, principals, new HashSet<>(), new HashSet<>()); | ||
| loginContext = | ||
| new LoginContext("", subject, null, new KerberosConfiguration(principal, keyTabFile)); | ||
| loginContext.login(); |
There was a problem hiding this comment.
Do we have to login everytime, is it a typical implementation?
There was a problem hiding this comment.
Split this into two methods.
| String principal = config.get(KerberosConfig.PRINCIPAL); | ||
| String keytab = config.get(KerberosConfig.KEYTAB); | ||
| File keytabFile = new File(keytab); | ||
| if (!keytabFile.exists()) { |
There was a problem hiding this comment.
You should also check the permission file.
| new PrivilegedExceptionAction<Principal>() { | ||
| @Override | ||
| public Principal run() throws Exception { | ||
| return validClientToken(serverPrincipal, clientToken); |
|
|
||
| // Referred from Apache Hadoop KerberosUtil.java | ||
| // hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/\ | ||
| // security/authentication/util/KerberosUtil.java |
There was a problem hiding this comment.
Also here, please point out which part did you modify for what purpose?
| getNumericOidInstance("1.2.840.113554.1.2.2.1"); | ||
|
|
||
| // numeric oids will never generate a GSSException for a malformed oid. | ||
| // use to initialize statics. |
There was a problem hiding this comment.
Capitalize the first letter.
| } | ||
| } | ||
|
|
||
| public static LoginContext login(String principal, String keyTabFile) throws LoginException { |
There was a problem hiding this comment.
Do you need a logout method?
There was a problem hiding this comment.
I will call LoginContext.logout
| } | ||
| } | ||
|
|
||
| private Principal validateClientToken(String serverPrincipal, byte[] clientToken) |
There was a problem hiding this comment.
This method doesn't only validate the token, but also return the user principal if the check is passed. I would suggest use a better method name.
There was a problem hiding this comment.
How about retrievePrincipalFromToken?
What changes were proposed in this pull request?
Server supports Kerberos authentication. I referred to the implementation of Hadoop.
I will submit another pr about the client.
Why are the changes needed?
Fix: #1185.
Does this PR introduce any user-facing change?
Added the document.
How was this patch tested?
Add a new UT.