use of org.apache.http.auth.AuthSchemeProvider in project zeppelin by apache.
the class BaseLivyInterpreter method createRestTemplate.
private RestTemplate createRestTemplate() {
String keytabLocation = getProperty("zeppelin.livy.keytab");
String principal = getProperty("zeppelin.livy.principal");
boolean isSpnegoEnabled = StringUtils.isNotEmpty(keytabLocation) && StringUtils.isNotEmpty(principal);
HttpClient httpClient = null;
if (livyURL.startsWith("https:")) {
try {
SSLContext sslContext = getSslContext();
SSLConnectionSocketFactory csf = new SSLConnectionSocketFactory(sslContext);
HttpClientBuilder httpClientBuilder = HttpClients.custom().setSSLSocketFactory(csf);
if (isSpnegoEnabled) {
RequestConfig reqConfig = new RequestConfig() {
@Override
public boolean isAuthenticationEnabled() {
return true;
}
};
httpClientBuilder.setDefaultRequestConfig(reqConfig);
Credentials credentials = new Credentials() {
@Override
public String getPassword() {
return null;
}
@Override
public Principal getUserPrincipal() {
return null;
}
};
CredentialsProvider credsProvider = new BasicCredentialsProvider();
credsProvider.setCredentials(AuthScope.ANY, credentials);
httpClientBuilder.setDefaultCredentialsProvider(credsProvider);
Registry<AuthSchemeProvider> authSchemeProviderRegistry = RegistryBuilder.<AuthSchemeProvider>create().register(AuthSchemes.SPNEGO, new SPNegoSchemeFactory()).build();
httpClientBuilder.setDefaultAuthSchemeRegistry(authSchemeProviderRegistry);
}
httpClient = httpClientBuilder.build();
} catch (Exception e) {
throw new RuntimeException("Failed to create SSL HttpClient", e);
}
}
RestTemplate restTemplate;
if (isSpnegoEnabled) {
if (httpClient == null) {
restTemplate = new KerberosRestTemplate(keytabLocation, principal);
} else {
restTemplate = new KerberosRestTemplate(keytabLocation, principal, httpClient);
}
} else {
if (httpClient == null) {
restTemplate = new RestTemplate();
} else {
restTemplate = new RestTemplate(new HttpComponentsClientHttpRequestFactory(httpClient));
}
}
restTemplate.getMessageConverters().add(0, new StringHttpMessageConverter(StandardCharsets.UTF_8));
return restTemplate;
}
use of org.apache.http.auth.AuthSchemeProvider in project knox by apache.
the class KnoxSession method createClient.
@SuppressForbidden
protected CloseableHttpClient createClient(ClientContext clientContext) throws GeneralSecurityException {
// SSL
HostnameVerifier hostnameVerifier = NoopHostnameVerifier.INSTANCE;
TrustStrategy trustStrategy = null;
if (clientContext.connection().secure()) {
hostnameVerifier = SSLConnectionSocketFactory.getDefaultHostnameVerifier();
} else {
trustStrategy = TrustSelfSignedStrategy.INSTANCE;
System.out.println("**************** WARNING ******************\n" + "This is an insecure client instance and may\n" + "leave the interactions subject to a man in\n" + "the middle attack. Please use the login()\n" + "method instead of loginInsecure() for any\n" + "sensitive or production usecases.\n" + "*******************************************");
}
KeyStore trustStore = getTrustStore(clientContext);
SSLContext sslContext = SSLContexts.custom().loadTrustMaterial(trustStore, trustStrategy).build();
Registry<ConnectionSocketFactory> registry = RegistryBuilder.<ConnectionSocketFactory>create().register("http", PlainConnectionSocketFactory.getSocketFactory()).register("https", new SSLConnectionSocketFactory(sslContext, hostnameVerifier)).build();
// Pool
PoolingHttpClientConnectionManager connectionManager = new PoolingHttpClientConnectionManager(registry);
connectionManager.setMaxTotal(clientContext.pool().maxTotal());
connectionManager.setDefaultMaxPerRoute(clientContext.pool().defaultMaxPerRoute());
ConnectionConfig connectionConfig = ConnectionConfig.custom().setBufferSize(clientContext.connection().bufferSize()).build();
connectionManager.setDefaultConnectionConfig(connectionConfig);
SocketConfig socketConfig = SocketConfig.custom().setSoKeepAlive(clientContext.socket().keepalive()).setSoLinger(clientContext.socket().linger()).setSoReuseAddress(clientContext.socket().reuseAddress()).setSoTimeout(clientContext.socket().timeout()).setTcpNoDelay(clientContext.socket().tcpNoDelay()).build();
connectionManager.setDefaultSocketConfig(socketConfig);
// Auth
URI uri = URI.create(clientContext.url());
host = new HttpHost(uri.getHost(), uri.getPort(), uri.getScheme());
/* kerberos auth */
if (clientContext.kerberos().enable()) {
isKerberos = true;
/* set up system properties */
if (!StringUtils.isBlank(clientContext.kerberos().krb5Conf())) {
System.setProperty("java.security.krb5.conf", clientContext.kerberos().krb5Conf());
}
if (!StringUtils.isBlank(clientContext.kerberos().jaasConf())) {
File f = new File(clientContext.kerberos().jaasConf());
if (f.exists()) {
try {
jaasConfigURL = f.getCanonicalFile().toURI().toURL();
LOG.jaasConfigurationLocation(jaasConfigURL.toExternalForm());
} catch (IOException e) {
LOG.failedToLocateJAASConfiguration(e.getMessage());
}
} else {
LOG.jaasConfigurationDoesNotExist(f.getAbsolutePath());
}
}
// Fall back to the default JAAS config
if (jaasConfigURL == null) {
LOG.usingDefaultJAASConfiguration();
jaasConfigURL = getClass().getResource(DEFAULT_JAAS_FILE);
LOG.jaasConfigurationLocation(jaasConfigURL.toExternalForm());
}
if (clientContext.kerberos().debug()) {
System.setProperty("sun.security.krb5.debug", "true");
System.setProperty("sun.security.jgss.debug", "true");
}
// (KNOX-2001) Log a warning if the useSubjectCredsOnly restriction is "relaxed"
String useSubjectCredsOnly = System.getProperty("javax.security.auth.useSubjectCredsOnly");
if (useSubjectCredsOnly != null && !Boolean.parseBoolean(useSubjectCredsOnly)) {
LOG.useSubjectCredsOnlyIsFalse();
}
final Registry<AuthSchemeProvider> authSchemeRegistry = RegistryBuilder.<AuthSchemeProvider>create().register(AuthSchemes.SPNEGO, new SPNegoSchemeFactory(true)).build();
return HttpClients.custom().setConnectionManager(connectionManager).setDefaultAuthSchemeRegistry(authSchemeRegistry).setDefaultCredentialsProvider(EMPTY_CREDENTIALS_PROVIDER).build();
} else {
AuthCache authCache = new BasicAuthCache();
BasicScheme authScheme = new BasicScheme();
authCache.put(host, authScheme);
context = new BasicHttpContext();
context.setAttribute(org.apache.http.client.protocol.HttpClientContext.AUTH_CACHE, authCache);
CredentialsProvider credentialsProvider = null;
if (clientContext.username() != null && clientContext.password() != null) {
credentialsProvider = new BasicCredentialsProvider();
credentialsProvider.setCredentials(new AuthScope(host.getHostName(), host.getPort()), new UsernamePasswordCredentials(clientContext.username(), clientContext.password()));
}
return HttpClients.custom().setConnectionManager(connectionManager).setDefaultCredentialsProvider(credentialsProvider).build();
}
}
use of org.apache.http.auth.AuthSchemeProvider in project knox by apache.
the class DefaultHttpClientFactory method createHttpClient.
@Override
public HttpClient createHttpClient(FilterConfig filterConfig) {
final String serviceRole = filterConfig.getInitParameter(PARAMETER_SERVICE_ROLE);
HttpClientBuilder builder;
GatewayConfig gatewayConfig = (GatewayConfig) filterConfig.getServletContext().getAttribute(GatewayConfig.GATEWAY_CONFIG_ATTRIBUTE);
GatewayServices services = (GatewayServices) filterConfig.getServletContext().getAttribute(GatewayServices.GATEWAY_SERVICES_ATTRIBUTE);
if (gatewayConfig != null && gatewayConfig.isMetricsEnabled()) {
MetricsService metricsService = services.getService(ServiceType.METRICS_SERVICE);
builder = metricsService.getInstrumented(HttpClientBuilder.class);
} else {
builder = HttpClients.custom();
}
// Conditionally set a custom SSLContext
SSLContext sslContext = createSSLContext(services, filterConfig, serviceRole);
if (sslContext != null) {
builder.setSSLSocketFactory(new SSLConnectionSocketFactory(sslContext));
}
if (Boolean.parseBoolean(System.getProperty(GatewayConfig.HADOOP_KERBEROS_SECURED))) {
CredentialsProvider credentialsProvider = new BasicCredentialsProvider();
credentialsProvider.setCredentials(AuthScope.ANY, new UseJaasCredentials());
Registry<AuthSchemeProvider> authSchemeRegistry = RegistryBuilder.<AuthSchemeProvider>create().register(AuthSchemes.SPNEGO, new KnoxSpnegoAuthSchemeFactory(true)).build();
builder.setDefaultAuthSchemeRegistry(authSchemeRegistry).setDefaultCookieStore(new HadoopAuthCookieStore(gatewayConfig)).setDefaultCredentialsProvider(credentialsProvider);
} else {
builder.setDefaultCookieStore(new NoCookieStore());
}
builder.setKeepAliveStrategy(DefaultConnectionKeepAliveStrategy.INSTANCE);
builder.setConnectionReuseStrategy(DefaultConnectionReuseStrategy.INSTANCE);
builder.setRedirectStrategy(new NeverRedirectStrategy());
builder.setRetryHandler(new NeverRetryHandler());
int maxConnections = getMaxConnections(filterConfig);
builder.setMaxConnTotal(maxConnections);
builder.setMaxConnPerRoute(maxConnections);
builder.setDefaultRequestConfig(getRequestConfig(filterConfig, serviceRole));
// See KNOX-1530 for details
builder.disableContentCompression();
if (doesRetryParamExist(filterConfig)) {
int retryCount = Integer.parseInt(filterConfig.getInitParameter(PARAMETER_RETRY_COUNT));
/* do we want to retry non-idempotent requests? default no */
boolean retryNonIdempotent = DEFAULT_PARAMETER_RETRY_NON_SAFE_REQUEST;
if (filterConfig.getInitParameter(PARAMETER_RETRY_NON_SAFE_REQUEST) != null) {
retryNonIdempotent = Boolean.parseBoolean(filterConfig.getInitParameter(PARAMETER_RETRY_NON_SAFE_REQUEST));
}
builder.setRetryHandler(new DefaultHttpRequestRetryHandler(retryCount, retryNonIdempotent));
}
return builder.build();
}
Aggregations