
Example 26 with AuthSchemeProvider

use of org.apache.http.auth.AuthSchemeProvider in project zeppelin by apache.

Class BaseLivyInterpreter, method createRestTemplate:

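/**
 * Builds the {@link RestTemplate} used to talk to the Livy server.
 *
 * <p>SPNEGO (Kerberos) is enabled when both {@code zeppelin.livy.keytab} and
 * {@code zeppelin.livy.principal} are set. A custom Apache HttpClient is built only for
 * an {@code https:} Livy URL, using the context returned by {@link #getSslContext()}; for
 * a plain {@code http:} URL the template (Kerberos or not) is created with its default
 * client, so the SPNEGO scheme registry below only applies to the TLS path.
 *
 * @return a template whose first message converter is a UTF-8
 *     {@link StringHttpMessageConverter}
 * @throws RuntimeException if the TLS-enabled client cannot be created; the original
 *     exception is kept as the cause
 */
private RestTemplate createRestTemplate() {
    String keytabLocation = getProperty("zeppelin.livy.keytab");
    String principal = getProperty("zeppelin.livy.principal");
    boolean isSpnegoEnabled = StringUtils.isNotEmpty(keytabLocation) && StringUtils.isNotEmpty(principal);
    HttpClient httpClient = null;
    if (livyURL.startsWith("https:")) {
        try {
            SSLContext sslContext = getSslContext();
            SSLConnectionSocketFactory csf = new SSLConnectionSocketFactory(sslContext);
            HttpClientBuilder httpClientBuilder = HttpClients.custom().setSSLSocketFactory(csf);
            if (isSpnegoEnabled) {
                // Use the RequestConfig builder rather than an anonymous subclass that
                // overrides isAuthenticationEnabled(); the resulting config is the same
                // (all other settings stay at their defaults) and the intent is explicit.
                RequestConfig reqConfig = RequestConfig.custom().setAuthenticationEnabled(true).build();
                httpClientBuilder.setDefaultRequestConfig(reqConfig);
                // SPNEGO takes the identity from the Kerberos login (keytab/principal), not
                // from these credentials. HttpClient only attempts a scheme for which some
                // Credentials object is registered, so an empty placeholder is installed.
                Credentials credentials = new Credentials() {

                    @Override
                    public String getPassword() {
                        return null;
                    }

                    @Override
                    public Principal getUserPrincipal() {
                        return null;
                    }
                };
                CredentialsProvider credsProvider = new BasicCredentialsProvider();
                credsProvider.setCredentials(AuthScope.ANY, credentials);
                httpClientBuilder.setDefaultCredentialsProvider(credsProvider);
                // Only the SPNEGO scheme is registered, so the client will not fall back to
                // Basic/Digest if the server offers them.
                Registry<AuthSchemeProvider> authSchemeProviderRegistry = RegistryBuilder.<AuthSchemeProvider>create()
                        .register(AuthSchemes.SPNEGO, new SPNegoSchemeFactory())
                        .build();
                httpClientBuilder.setDefaultAuthSchemeRegistry(authSchemeProviderRegistry);
            }
            httpClient = httpClientBuilder.build();
        } catch (Exception e) {
            // getSslContext() is project code whose checked exceptions are not visible here,
            // so the broad catch is kept; the cause is preserved for diagnosis.
            throw new RuntimeException("Failed to create SSL HttpClient", e);
        }
    }
    RestTemplate restTemplate;
    if (isSpnegoEnabled) {
        if (httpClient == null) {
            // http: URL — KerberosRestTemplate builds its own client.
            restTemplate = new KerberosRestTemplate(keytabLocation, principal);
        } else {
            restTemplate = new KerberosRestTemplate(keytabLocation, principal, httpClient);
        }
    } else {
        if (httpClient == null) {
            restTemplate = new RestTemplate();
        } else {
            restTemplate = new RestTemplate(new HttpComponentsClientHttpRequestFactory(httpClient));
        }
    }
    // Put the UTF-8 String converter first so plain-text bodies are not decoded with the
    // platform default charset.
    restTemplate.getMessageConverters().add(0, new StringHttpMessageConverter(StandardCharsets.UTF_8));
    return restTemplate;
}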

Example 27 with AuthSchemeProvider

use of org.apache.http.auth.AuthSchemeProvider in project knox by apache.

Class KnoxSession, method createClient:

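/**
 * Creates the HTTP client for this session from the supplied {@code clientContext}.
 *
 * <p>TLS: when {@code clientContext.connection().secure()} is true the default hostname
 * verifier and normal certificate-chain validation (against the trust store from
 * {@link #getTrustStore}) are used. Otherwise hostname verification is disabled and
 * self-signed certificates are trusted, which leaves the connection open to interception;
 * a warning is printed to stdout in that case.
 *
 * <p>Auth: with Kerberos enabled the client negotiates SPNEGO only and an empty
 * credentials provider is used; the JAAS/krb5 settings are applied as JVM-wide system
 * properties. Otherwise Basic auth is pre-emptively cached for the target host, using the
 * context's username/password if both are present.
 *
 * <p>Side effects: this method writes the {@code host}, {@code isKerberos},
 * {@code jaasConfigURL} and {@code context} fields of this session.
 *
 * @param clientContext the connection, pool, socket, URL and auth settings to apply
 * @return a configured, pooled client; the caller owns it and must close it
 * @throws GeneralSecurityException if the SSL context cannot be built from the trust store
 * @throws IllegalStateException if the bundled default JAAS configuration cannot be found
 */
@SuppressForbidden
protected CloseableHttpClient createClient(ClientContext clientContext) throws GeneralSecurityException {
    // SSL
    HostnameVerifier hostnameVerifier = NoopHostnameVerifier.INSTANCE;
    // null trust strategy == standard chain validation against the trust store
    TrustStrategy trustStrategy = null;
    if (clientContext.connection().secure()) {
        hostnameVerifier = SSLConnectionSocketFactory.getDefaultHostnameVerifier();
    } else {
        trustStrategy = TrustSelfSignedStrategy.INSTANCE;
        System.out.println("**************** WARNING ******************\n"
                + "This is an insecure client instance and may\n"
                + "leave the interactions subject to a man in\n"
                + "the middle attack. Please use the login()\n"
                + "method instead of loginInsecure() for any\n"
                + "sensitive or production usecases.\n"
                + "*******************************************");
    }
    KeyStore trustStore = getTrustStore(clientContext);
    SSLContext sslContext = SSLContexts.custom().loadTrustMaterial(trustStore, trustStrategy).build();
    Registry<ConnectionSocketFactory> registry = RegistryBuilder.<ConnectionSocketFactory>create()
            .register("http", PlainConnectionSocketFactory.getSocketFactory())
            .register("https", new SSLConnectionSocketFactory(sslContext, hostnameVerifier))
            .build();
    // Pool
    PoolingHttpClientConnectionManager connectionManager = new PoolingHttpClientConnectionManager(registry);
    connectionManager.setMaxTotal(clientContext.pool().maxTotal());
    connectionManager.setDefaultMaxPerRoute(clientContext.pool().defaultMaxPerRoute());
    ConnectionConfig connectionConfig = ConnectionConfig.custom()
            .setBufferSize(clientContext.connection().bufferSize())
            .build();
    connectionManager.setDefaultConnectionConfig(connectionConfig);
    SocketConfig socketConfig = SocketConfig.custom()
            .setSoKeepAlive(clientContext.socket().keepalive())
            .setSoLinger(clientContext.socket().linger())
            .setSoReuseAddress(clientContext.socket().reuseAddress())
            .setSoTimeout(clientContext.socket().timeout())
            .setTcpNoDelay(clientContext.socket().tcpNoDelay())
            .build();
    connectionManager.setDefaultSocketConfig(socketConfig);
    // Auth
    URI uri = URI.create(clientContext.url());
    host = new HttpHost(uri.getHost(), uri.getPort(), uri.getScheme());
    /* kerberos auth */
    if (clientContext.kerberos().enable()) {
        isKerberos = true;
        /* set up system properties — these are process-wide and affect every Kerberos
           login in this JVM, not just this session */
        if (!StringUtils.isBlank(clientContext.kerberos().krb5Conf())) {
            System.setProperty("java.security.krb5.conf", clientContext.kerberos().krb5Conf());
        }
        if (!StringUtils.isBlank(clientContext.kerberos().jaasConf())) {
            File f = new File(clientContext.kerberos().jaasConf());
            if (f.exists()) {
                try {
                    jaasConfigURL = f.getCanonicalFile().toURI().toURL();
                    LOG.jaasConfigurationLocation(jaasConfigURL.toExternalForm());
                } catch (IOException e) {
                    // Best effort: a missing/unreadable user file falls through to the default below.
                    LOG.failedToLocateJAASConfiguration(e.getMessage());
                }
            } else {
                LOG.jaasConfigurationDoesNotExist(f.getAbsolutePath());
            }
        }
        // Fall back to the default JAAS config
        if (jaasConfigURL == null) {
            LOG.usingDefaultJAASConfiguration();
            jaasConfigURL = getClass().getResource(DEFAULT_JAAS_FILE);
            if (jaasConfigURL == null) {
                // Class.getResource returns null when the resource is absent; fail with a
                // clear message instead of the NPE toExternalForm() would throw.
                throw new IllegalStateException("Default JAAS configuration " + DEFAULT_JAAS_FILE
                        + " was not found on the classpath");
            }
            LOG.jaasConfigurationLocation(jaasConfigURL.toExternalForm());
        }
        if (clientContext.kerberos().debug()) {
            // Kerberos/GSS debug output goes to stdout and can include ticket details;
            // intended for troubleshooting only.
            System.setProperty("sun.security.krb5.debug", "true");
            System.setProperty("sun.security.jgss.debug", "true");
        }
        // (KNOX-2001) Log a warning if the useSubjectCredsOnly restriction is "relaxed"
        String useSubjectCredsOnly = System.getProperty("javax.security.auth.useSubjectCredsOnly");
        if (useSubjectCredsOnly != null && !Boolean.parseBoolean(useSubjectCredsOnly)) {
            LOG.useSubjectCredsOnlyIsFalse();
        }
        // SPNEGO is the only registered scheme, so no fallback to Basic/Digest is possible.
        final Registry<AuthSchemeProvider> authSchemeRegistry = RegistryBuilder.<AuthSchemeProvider>create()
                .register(AuthSchemes.SPNEGO, new SPNegoSchemeFactory(true))
                .build();
        return HttpClients.custom()
                .setConnectionManager(connectionManager)
                .setDefaultAuthSchemeRegistry(authSchemeRegistry)
                .setDefaultCredentialsProvider(EMPTY_CREDENTIALS_PROVIDER)
                .build();
    } else {
        // Pre-emptive Basic auth: cache the scheme for the target host so credentials are
        // sent on the first request rather than after a 401 challenge.
        AuthCache authCache = new BasicAuthCache();
        BasicScheme authScheme = new BasicScheme();
        authCache.put(host, authScheme);
        context = new BasicHttpContext();
        context.setAttribute(org.apache.http.client.protocol.HttpClientContext.AUTH_CACHE, authCache);
        CredentialsProvider credentialsProvider = null;
        if (clientContext.username() != null && clientContext.password() != null) {
            credentialsProvider = new BasicCredentialsProvider();
            // Scope the credentials to the target host/port only.
            credentialsProvider.setCredentials(new AuthScope(host.getHostName(), host.getPort()),
                    new UsernamePasswordCredentials(clientContext.username(), clientContext.password()));
        }
        // A null provider leaves HttpClient's default (system) credentials provider in place.
        return HttpClients.custom()
                .setConnectionManager(connectionManager)
                .setDefaultCredentialsProvider(credentialsProvider)
                .build();
    }
}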

Example 28 with AuthSchemeProvider

use of org.apache.http.auth.AuthSchemeProvider in project knox by apache.

Class DefaultHttpClientFactory, method createHttpClient:

/**
 * Creates the HttpClient used by the dispatch filter described by {@code filterConfig}.
 *
 * <p>The builder is metrics-instrumented when the gateway config enables metrics, an
 * optional custom SSL context is attached, and — when the
 * {@code GatewayConfig.HADOOP_KERBEROS_SECURED} system property is true — SPNEGO is the
 * only registered auth scheme, backed by JAAS credentials and a Hadoop auth cookie store;
 * otherwise cookies are discarded. Redirects are never followed and retries are off unless
 * the retry init parameters are present. Content compression is disabled (KNOX-1530).
 *
 * @param filterConfig the filter's init parameters and servlet context
 * @return a newly built client
 * @throws NumberFormatException if the retry-count init parameter is present but not an int
 */
@Override
public HttpClient createHttpClient(FilterConfig filterConfig) {
    final String serviceRole = filterConfig.getInitParameter(PARAMETER_SERVICE_ROLE);
    GatewayConfig config = (GatewayConfig) filterConfig.getServletContext()
            .getAttribute(GatewayConfig.GATEWAY_CONFIG_ATTRIBUTE);
    GatewayServices gatewayServices = (GatewayServices) filterConfig.getServletContext()
            .getAttribute(GatewayServices.GATEWAY_SERVICES_ATTRIBUTE);

    HttpClientBuilder builder;
    if (config != null && config.isMetricsEnabled()) {
        // NOTE(review): gatewayServices is not null-checked here — assumes it is always
        // registered whenever the gateway config is; confirm against the servlet setup.
        MetricsService metrics = gatewayServices.getService(ServiceType.METRICS_SERVICE);
        builder = metrics.getInstrumented(HttpClientBuilder.class);
    } else {
        builder = HttpClients.custom();
    }

    // Conditionally set a custom SSLContext
    SSLContext customSslContext = createSSLContext(gatewayServices, filterConfig, serviceRole);
    if (customSslContext != null) {
        builder.setSSLSocketFactory(new SSLConnectionSocketFactory(customSslContext));
    }

    boolean kerberosSecured = Boolean.parseBoolean(System.getProperty(GatewayConfig.HADOOP_KERBEROS_SECURED));
    if (kerberosSecured) {
        // Identity comes from the JAAS login; the credentials object is the hook HttpClient
        // needs to attempt SPNEGO at all.
        CredentialsProvider jaasCredentials = new BasicCredentialsProvider();
        jaasCredentials.setCredentials(AuthScope.ANY, new UseJaasCredentials());
        Registry<AuthSchemeProvider> spnegoRegistry = RegistryBuilder.<AuthSchemeProvider>create()
                .register(AuthSchemes.SPNEGO, new KnoxSpnegoAuthSchemeFactory(true))
                .build();
        builder.setDefaultAuthSchemeRegistry(spnegoRegistry)
                .setDefaultCookieStore(new HadoopAuthCookieStore(config))
                .setDefaultCredentialsProvider(jaasCredentials);
    } else {
        builder.setDefaultCookieStore(new NoCookieStore());
    }

    int maxConnections = getMaxConnections(filterConfig);
    builder.setKeepAliveStrategy(DefaultConnectionKeepAliveStrategy.INSTANCE)
            .setConnectionReuseStrategy(DefaultConnectionReuseStrategy.INSTANCE)
            .setRedirectStrategy(new NeverRedirectStrategy())
            .setRetryHandler(new NeverRetryHandler())
            .setMaxConnTotal(maxConnections)
            .setMaxConnPerRoute(maxConnections)
            .setDefaultRequestConfig(getRequestConfig(filterConfig, serviceRole))
            // See KNOX-1530 for details
            .disableContentCompression();

    if (doesRetryParamExist(filterConfig)) {
        int retryCount = Integer.parseInt(filterConfig.getInitParameter(PARAMETER_RETRY_COUNT));
        /* do we want to retry non-idempotent requests? default no */
        String retryNonSafeParam = filterConfig.getInitParameter(PARAMETER_RETRY_NON_SAFE_REQUEST);
        boolean retryNonIdempotent = retryNonSafeParam == null
                ? DEFAULT_PARAMETER_RETRY_NON_SAFE_REQUEST
                : Boolean.parseBoolean(retryNonSafeParam);
        // Replaces the NeverRetryHandler installed above.
        builder.setRetryHandler(new DefaultHttpRequestRetryHandler(retryCount, retryNonIdempotent));
    }
    return builder.build();
}
