
Example 1 with AuthenticationFilterInitializer

use of org.apache.hadoop.security.AuthenticationFilterInitializer in project hadoop by apache.

the class ResourceManager method startWepApp.

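/**
 * Configures and starts the ResourceManager web application.
 *
 * <p>The method rewrites the {@code hadoop.http.filter.initializers} setting so that the
 * RM authentication filter initializer is used where appropriate, optionally registers the
 * web proxy servlet, optionally prepares the UI2 war context, and finally starts the web app
 * through the {@code WebApps} builder.
 *
 * <p>The RM authentication filter initializer replaces the standard Hadoop one only when all
 * of the following hold:
 * <ol>
 *   <li>security is enabled,</li>
 *   <li>the HTTP authentication type is kerberos,</li>
 *   <li>the "yarn.resourcemanager.webapp.use-yarn-filter" override is true,</li>
 *   <li>hadoop.http.filter.initializers contains AuthenticationFilterInitializer.</li>
 * </ol>
 */
protected void startWepApp() {
    Configuration conf = getConfig();
    boolean enableCorsFilter = conf.getBoolean(YarnConfiguration.RM_WEBAPP_ENABLE_CORS_FILTER, YarnConfiguration.DEFAULT_RM_WEBAPP_ENABLE_CORS_FILTER);
    boolean useYarnAuthenticationFilter = conf.getBoolean(YarnConfiguration.RM_WEBAPP_DELEGATION_TOKEN_AUTH_FILTER, YarnConfiguration.DEFAULT_RM_WEBAPP_DELEGATION_TOKEN_AUTH_FILTER);
    String authPrefix = "hadoop.http.authentication.";
    String authTypeKey = authPrefix + "type";
    String filterInitializerConfKey = "hadoop.http.filter.initializers";
    String hadoopAuthInitializer = AuthenticationFilterInitializer.class.getName();
    String rmAuthInitializer = RMAuthenticationFilterInitializer.class.getName();
    Class<?>[] initializersClasses = conf.getClasses(filterInitializerConfKey);

    // Only the enabled flag is set here; which origins are allowed is not decided in this
    // method. NOTE(review): confirm the allowed-origins setting is restricted wherever the
    // CORS filter is switched on.
    if (enableCorsFilter) {
        conf.setBoolean(HttpCrossOriginFilterInitializer.PREFIX + HttpCrossOriginFilterInitializer.ENABLED_SUFFIX, true);
    }

    boolean hasHadoopAuthFilterInitializer = false;
    boolean hasRMAuthFilterInitializer = false;
    if (initializersClasses != null) {
        for (Class<?> initializer : initializersClasses) {
            String initializerName = initializer.getName();
            if (initializerName.equals(hadoopAuthInitializer)) {
                hasHadoopAuthFilterInitializer = true;
            }
            if (initializerName.equals(rmAuthInitializer)) {
                hasRMAuthFilterInitializer = true;
            }
        }
        boolean kerberosConfigured = conf.get(authTypeKey, "").equals(KerberosAuthenticationHandler.TYPE);
        if (UserGroupInformation.isSecurityEnabled() && useYarnAuthenticationFilter && hasHadoopAuthFilterInitializer && kerberosConfigured) {
            // Rebuild the initializer list in its original order, swapping the standard
            // Hadoop initializer for the RM one (or dropping it when the RM one is already
            // listed) so that delegation tokens are accepted alongside kerberos.
            ArrayList<String> target = new ArrayList<>();
            for (Class<?> filterInitializer : initializersClasses) {
                String filterInitializerName = filterInitializer.getName();
                if (filterInitializerName.equals(hadoopAuthInitializer)) {
                    if (!hasRMAuthFilterInitializer) {
                        target.add(rmAuthInitializer);
                    }
                    continue;
                }
                target.add(filterInitializerName);
            }
            String actualInitializers = StringUtils.join(",", target);
            LOG.info("Using RM authentication filter(kerberos/delegation-token)" + " for RM webapp authentication");
            // The filter validates delegation tokens with the RM's own secret manager.
            RMAuthenticationFilter.setDelegationTokenSecretManager(getClientRMService().rmDTSecretManager);
            conf.set(filterInitializerConfKey, actualInitializers);
        }
    }

    // If security is not enabled and no filter initializer (or only the static-user one) is
    // configured, install the RMAuthenticationFilterInitializer, which in turn sets up the
    // simple auth filter.
    // NOTE(review): "simple" authentication does not verify the caller's identity, so in
    // this mode access to the RM web endpoints has to be restricted at the network level.
    String initializers = conf.get(filterInitializerConfKey);
    if (!UserGroupInformation.isSecurityEnabled()) {
        if (initializersClasses == null || initializersClasses.length == 0) {
            conf.set(filterInitializerConfKey, rmAuthInitializer);
            conf.set(authTypeKey, "simple");
        } else if (StaticUserWebFilter.class.getName().equals(initializers)) {
            // Constant-first comparison: a missing raw value can no longer raise an NPE.
            conf.set(filterInitializerConfKey, rmAuthInitializer + "," + initializers);
            conf.set(authTypeKey, "simple");
        }
    }

    Builder<ApplicationMasterService> builder = WebApps.$for("cluster", ApplicationMasterService.class, masterService, "ws")
        .with(conf)
        .withHttpSpnegoPrincipalKey(YarnConfiguration.RM_WEBAPP_SPNEGO_USER_NAME_KEY)
        .withHttpSpnegoKeytabKey(YarnConfiguration.RM_WEBAPP_SPNEGO_KEYTAB_FILE_KEY)
        .withCSRFProtection(YarnConfiguration.RM_CSRF_PREFIX)
        .withXFSProtection(YarnConfiguration.RM_XFS_PREFIX)
        .at(webAppAddress);

    // Host the web proxy servlet inside the RM web app only when the configured proxy
    // address is the RM web app address itself.
    String proxyHostAndPort = WebAppUtils.getProxyHostAndPort(conf);
    if (WebAppUtils.getResolvedRMWebAppURLWithoutScheme(conf).equals(proxyHostAndPort)) {
        if (HAUtil.isHAEnabled(conf)) {
            fetcher = new AppReportFetcher(conf);
        } else {
            fetcher = new AppReportFetcher(conf, getClientRMService());
        }
        builder.withServlet(ProxyUriUtils.PROXY_SERVLET_NAME, ProxyUriUtils.PROXY_PATH_SPEC, WebAppProxyServlet.class);
        builder.withAttribute(WebAppProxy.FETCHER_ATTRIBUTE, fetcher);
        String[] proxyParts = proxyHostAndPort.split(":");
        builder.withAttribute(WebAppProxy.PROXY_HOST_ATTRIBUTE, proxyParts[0]);
    }

    WebAppContext uiWebAppContext = null;
    if (getConfig().getBoolean(YarnConfiguration.YARN_WEBAPP_UI2_ENABLE, YarnConfiguration.DEFAULT_YARN_WEBAPP_UI2_ENABLE)) {
        String webPath = UI2_WEBAPP_NAME;
        String onDiskPath = getConfig().get(YarnConfiguration.YARN_WEBAPP_UI2_WARFILE_PATH);
        if (null == onDiskPath) {
            String war = "hadoop-yarn-ui-" + VersionInfo.getVersion() + ".war";
            // The system class loader is a URLClassLoader only on Java 8 and earlier; the
            // former cast to URLClassLoader throws ClassCastException on newer runtimes and
            // would abort startup. ClassLoader#getResource needs no cast.
            URL url = ClassLoader.getSystemClassLoader().getResource(war);
            onDiskPath = (null == url) ? "" : url.getFile();
            LOG.info("New web UI war file name:" + war + ", and path:" + onDiskPath);
        }
        // The war location is taken from configuration or the classpath as-is.
        // NOTE(review): the war is served by the RM, so the configured path should only be
        // writable by the account that administers the ResourceManager.
        uiWebAppContext = new WebAppContext();
        uiWebAppContext.setContextPath(webPath);
        uiWebAppContext.setWar(onDiskPath);
    }
    webApp = builder.start(new RMWebApp(this), uiWebAppContext);
}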
Also used : Configuration(org.apache.hadoop.conf.Configuration) YarnConfiguration(org.apache.hadoop.yarn.conf.YarnConfiguration) ArrayList(java.util.ArrayList) RMAuthenticationFilterInitializer(org.apache.hadoop.yarn.server.security.http.RMAuthenticationFilterInitializer) RMAuthenticationFilterInitializer(org.apache.hadoop.yarn.server.security.http.RMAuthenticationFilterInitializer) AuthenticationFilterInitializer(org.apache.hadoop.security.AuthenticationFilterInitializer) URL(java.net.URL) WebAppContext(org.eclipse.jetty.webapp.WebAppContext) AppReportFetcher(org.apache.hadoop.yarn.server.webproxy.AppReportFetcher) URLClassLoader(java.net.URLClassLoader) RMWebApp(org.apache.hadoop.yarn.server.resourcemanager.webapp.RMWebApp)
