The AuthenticationFilter filter is Hadoop Auth's server side component.
This filter must be configured in front of all the web application resources that require authenticated requests. For example:
The Hadoop Auth and dependent JAR files must be in the web application classpath (commonly the WEB-INF/lib directory).
Hadoop Auth uses SLF4J-API for logging. The Hadoop Auth Maven POM declares the SLF4J API dependency but does not declare a dependency on a concrete logging implementation; this must be added explicitly to the web application. For example, if the web application uses Log4j, the SLF4J-LOG4J12 and LOG4J JAR files must be part of the web application classpath, as well as the Log4j configuration file.
IMPORTANT: A KDC must be configured and running.
To use Kerberos SPNEGO as the authentication mechanism, the authentication filter must be configured with the following init parameters:
Example:
```xml
<web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee">
    ...
    <filter>
        <filter-name>kerberosFilter</filter-name>
        <filter-class>org.apache.hadoop.security.authentication.server.AuthenticationFilter</filter-class>
        <init-param>
            <param-name>type</param-name>
            <param-value>kerberos</param-value>
        </init-param>
        <init-param>
            <param-name>token.validity</param-name>
            <param-value>30</param-value>
        </init-param>
        <init-param>
            <param-name>cookie.domain</param-name>
            <param-value>.foo.com</param-value>
        </init-param>
        <init-param>
            <param-name>cookie.path</param-name>
            <param-value>/</param-value>
        </init-param>
        <init-param>
            <param-name>kerberos.principal</param-name>
            <param-value>HTTP/localhost@LOCALHOST</param-value>
        </init-param>
        <init-param>
            <param-name>kerberos.keytab</param-name>
            <param-value>/tmp/auth.keytab</param-value>
        </init-param>
    </filter>
    <filter-mapping>
        <filter-name>kerberosFilter</filter-name>
        <url-pattern>/kerberos/*</url-pattern>
    </filter-mapping>
    ...
</web-app>
```
To use Pseudo/Simple as the authentication mechanism (trusting the value of the query string parameter 'user.name'), the authentication filter must be configured with the following init parameters:
Example:
```xml
<web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee">
    ...
    <filter>
        <filter-name>simpleFilter</filter-name>
        <filter-class>org.apache.hadoop.security.authentication.server.AuthenticationFilter</filter-class>
        <init-param>
            <param-name>type</param-name>
            <param-value>simple</param-value>
        </init-param>
        <init-param>
            <param-name>token.validity</param-name>
            <param-value>30</param-value>
        </init-param>
        <init-param>
            <param-name>cookie.domain</param-name>
            <param-value>.foo.com</param-value>
        </init-param>
        <init-param>
            <param-name>cookie.path</param-name>
            <param-value>/</param-value>
        </init-param>
        <init-param>
            <param-name>simple.anonymous.allowed</param-name>
            <param-value>false</param-value>
        </init-param>
    </filter>
    <filter-mapping>
        <filter-name>simpleFilter</filter-name>
        <url-pattern>/simple/*</url-pattern>
    </filter-mapping>
    ...
</web-app>
```
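Whatever mechanism the filter is configured with, the resources mapped behind it only see the outcome through the standard servlet request API: the filter wraps the request so that getRemoteUser(), getUserPrincipal() and getAuthType() reflect the validated AuthenticationToken. The following servlet is an added example, not part of Hadoop Auth or its documentation; the package `org.my.app` and the class name are hypothetical. It fails closed when no principal is present, which covers both a filter-mapping gap (the servlet is reachable on a URL pattern the filter does not cover) and a request the Pseudo/Simple handler accepted as anonymous when `simple.anonymous.allowed` is `true`, for which the filter reports a null principal.

```java
package org.my.app; // hypothetical package, not part of Hadoop Auth

import java.io.IOException;
import java.security.Principal;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Added example: a resource deployed behind the AuthenticationFilter that
 * refuses to serve anything unless the filter established a principal.
 */
public class WhoAmIServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // Null when the filter did not run for this URL, or when the request was
        // let through as anonymous (simple.anonymous.allowed=true). Either way,
        // treat the request as unauthenticated rather than trusting other headers.
        Principal principal = request.getUserPrincipal();
        if (principal == null) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "authentication required");
            return;
        }
        // getAuthType() is the handler type ("kerberos", "simple", ...), which lets
        // the resource distinguish SPNEGO-authenticated callers from user.name callers
        // if it needs to apply different authorization rules.
        response.setContentType("text/plain");
        response.getWriter().println(describe(request.getAuthType(), principal.getName()));
    }

    // Kept as a separate method so it can be unit tested without a container.
    static String describe(String authType, String userName) {
        return "user=" + userName + " authType=" + authType;
    }
}
```

Map the servlet to a URL pattern that is covered by the filter-mapping (for the example above, something under `/simple/*`); the null-principal check is the safety net for the case where the two mappings drift apart.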
IMPORTANT: A KDC must be configured and running.
The AltKerberos authentication mechanism is a partially implemented derivative of the Kerberos SPNEGO authentication mechanism which allows a "mixed" form of authentication where Kerberos SPNEGO is used by non-browsers while an alternate form of authentication (to be implemented by the user) is used for browsers. To use AltKerberos as the authentication mechanism (besides providing an implementation), the authentication filter must be configured with the following init parameters, in addition to the previously mentioned Kerberos SPNEGO ones:
Example:
```xml
<web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee">
    ...
    <filter>
        <filter-name>kerberosFilter</filter-name>
        <filter-class>org.apache.hadoop.security.authentication.server.AuthenticationFilter</filter-class>
        <init-param>
            <param-name>type</param-name>
            <param-value>org.my.subclass.of.AltKerberosAuthenticationHandler</param-value>
        </init-param>
        <init-param>
            <param-name>alt-kerberos.non-browser.user-agents</param-name>
            <param-value>java,curl,wget,perl</param-value>
        </init-param>
        <init-param>
            <param-name>token.validity</param-name>
            <param-value>30</param-value>
        </init-param>
        <init-param>
            <param-name>cookie.domain</param-name>
            <param-value>.foo.com</param-value>
        </init-param>
        <init-param>
            <param-name>cookie.path</param-name>
            <param-value>/</param-value>
        </init-param>
        <init-param>
            <param-name>kerberos.principal</param-name>
            <param-value>HTTP/localhost@LOCALHOST</param-value>
        </init-param>
        <init-param>
            <param-name>kerberos.keytab</param-name>
            <param-value>/tmp/auth.keytab</param-value>
        </init-param>
    </filter>
    <filter-mapping>
        <filter-name>kerberosFilter</filter-name>
        <url-pattern>/kerberos/*</url-pattern>
    </filter-mapping>
    ...
</web-app>
```
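The "alternate form of authentication (to be implemented by the user)" is the `alternateAuthenticate` method of the `AltKerberosAuthenticationHandler` subclass named in the `type` init-param. The class below is an added example, not Hadoop Auth code: it authenticates browsers against the web application's own login session and leaves everything else to the inherited Kerberos SPNEGO handling. It assumes that the application's login stores the user name in the HTTP session under an attribute whose name is configurable; the package `org.my.subclass.of`, the class name `SessionAltKerberosAuthenticationHandler` and the two extra init-param names are hypothetical and would be declared alongside the parameters shown above. The caveat that matters when writing such a class: the choice between the two paths is driven by the client-supplied User-Agent header (`alt-kerberos.non-browser.user-agents`), so the alternate path must be as trustworthy as SPNEGO itself, and it must never create a token from data the client can set directly.

```java
package org.my.subclass.of; // hypothetical package matching the web.xml placeholder

import java.io.IOException;
import java.util.Properties;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.apache.hadoop.security.authentication.client.AuthenticationException;
import org.apache.hadoop.security.authentication.server.AltKerberosAuthenticationHandler;
import org.apache.hadoop.security.authentication.server.AuthenticationToken;

/**
 * Added example (not Hadoop Auth code): browsers are authenticated from the
 * application's existing login session; non-browser User-Agents still go
 * through Kerberos SPNEGO in the superclass.
 */
public class SessionAltKerberosAuthenticationHandler
        extends AltKerberosAuthenticationHandler {

    // Hypothetical init-param names; Hadoop Auth does not define them.
    static final String LOGIN_URL_PROP = "alt-kerberos.session.login.url";
    static final String SESSION_USER_ATTR_PROP = "alt-kerberos.session.user.attribute";

    private String loginUrl;
    private String sessionUserAttribute;

    @Override
    public void init(Properties config) throws ServletException {
        // Superclass reads kerberos.principal, kerberos.keytab and
        // alt-kerberos.non-browser.user-agents from the same init-params.
        super.init(config);
        loginUrl = config.getProperty(LOGIN_URL_PROP, "/login");
        sessionUserAttribute = config.getProperty(SESSION_USER_ATTR_PROP, "app.user");
    }

    /**
     * Invoked by the superclass only for browser User-Agents. A non-null token
     * makes the filter issue the signed auth cookie (expiry from token.validity);
     * null after committing a redirect leaves the request unauthenticated.
     */
    @Override
    public AuthenticationToken alternateAuthenticate(HttpServletRequest request,
            HttpServletResponse response) throws IOException, AuthenticationException {
        // Never create a session here: an unauthenticated request must not get one.
        HttpSession session = request.getSession(false);
        Object user = (session == null) ? null : session.getAttribute(sessionUserAttribute);
        if (user instanceof String && !((String) user).isEmpty()) {
            String userName = (String) user;
            // The user name comes from server-side session state set by the
            // application's login, not from anything in this request.
            return new AuthenticationToken(userName, userName, getType());
        }
        // No application login: send the browser to the login page. The filter
        // sees a committed response together with a null token and stops.
        response.sendRedirect(response.encodeRedirectURL(loginUrl));
        return null;
    }
}
```

With this class on the classpath, the `type` init-param in the example above would read `org.my.subclass.of.SessionAltKerberosAuthenticationHandler`. Requests whose User-Agent matches an entry in `alt-kerberos.non-browser.user-agents` never reach `alternateAuthenticate`; they are handled by the inherited SPNEGO negotiation using the configured principal and keytab.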
The SignerSecretProvider is used to provide more advanced behaviors for the secret used for signing the HTTP Cookies.
These are the relevant configuration properties:
The following configuration properties are specific to the zookeeper implementation:
Example:
```xml
<web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee">
    ...
    <filter>
        <!-- AuthenticationHandler configs not shown -->
        <init-param>
            <param-name>signer.secret.provider</param-name>
            <param-value>string</param-value>
        </init-param>
        <init-param>
            <param-name>signature.secret</param-name>
            <param-value>my_secret</param-value>
        </init-param>
    </filter>
    ...
</web-app>
```
Example:
```xml
<web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee">
    ...
    <filter>
        <!-- AuthenticationHandler configs not shown -->
        <init-param>
            <param-name>signer.secret.provider</param-name>
            <param-value>random</param-value>
        </init-param>
        <init-param>
            <param-name>token.validity</param-name>
            <param-value>30</param-value>
        </init-param>
    </filter>
    ...
</web-app>
```
Example:
```xml
<web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee">
    ...
    <filter>
        <!-- AuthenticationHandler configs not shown -->
        <init-param>
            <param-name>signer.secret.provider</param-name>
            <param-value>zookeeper</param-value>
        </init-param>
        <init-param>
            <param-name>token.validity</param-name>
            <param-value>30</param-value>
        </init-param>
        <init-param>
            <param-name>signer.secret.provider.zookeeper.connection.string</param-name>
            <param-value>zoo1:2181,zoo2:2181,zoo3:2181</param-value>
        </init-param>
        <init-param>
            <param-name>signer.secret.provider.zookeeper.path</param-name>
            <param-value>/myapp/secrets</param-value>
        </init-param>
        <init-param>
            <param-name>signer.secret.provider.zookeeper.use.kerberos.acls</param-name>
            <param-value>true</param-value>
        </init-param>
        <init-param>
            <param-name>signer.secret.provider.zookeeper.kerberos.keytab</param-name>
            <param-value>/tmp/auth.keytab</param-value>
        </init-param>
        <init-param>
            <param-name>signer.secret.provider.zookeeper.kerberos.principal</param-name>
            <param-value>HTTP/localhost@LOCALHOST</param-value>
        </init-param>
    </filter>
    ...
</web-app>
```