001/** 002 * Licensed to the Apache Software Foundation (ASF) under one 003 * or more contributor license agreements. See the NOTICE file 004 * distributed with this work for additional information 005 * regarding copyright ownership. The ASF licenses this file 006 * to you under the Apache License, Version 2.0 (the 007 * "License"); you may not use this file except in compliance 008 * with the License. You may obtain a copy of the License at 009 * 010 * http://www.apache.org/licenses/LICENSE-2.0 011 * 012 * Unless required by applicable law or agreed to in writing, software 013 * distributed under the License is distributed on an "AS IS" BASIS, 014 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 015 * See the License for the specific language governing permissions and 016 * limitations under the License. 017 */ 018package org.apache.hadoop.security; 019 020import org.apache.hadoop.http.HttpServer2; 021import org.apache.hadoop.security.authentication.server.AuthenticationFilter; 022import org.apache.hadoop.conf.Configuration; 023import org.apache.hadoop.http.FilterContainer; 024import org.apache.hadoop.http.FilterInitializer; 025import org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler; 026 027import java.io.IOException; 028import java.util.HashMap; 029import java.util.Map; 030 031/** 032 * Initializes hadoop-auth AuthenticationFilter which provides support for 033 * Kerberos HTTP SPNEGO authentication. 034 * <p/> 035 * It enables anonymous access, simple/speudo and Kerberos HTTP SPNEGO 036 * authentication for Hadoop JobTracker, NameNode, DataNodes and 037 * TaskTrackers. 038 * <p/> 039 * Refer to the <code>core-default.xml</code> file, after the comment 040 * 'HTTP Authentication' for details on the configuration options. 041 * All related configuration properties have 'hadoop.http.authentication.' 042 * as prefix. 043 */ 044public class AuthenticationFilterInitializer extends FilterInitializer { 045 046 static final String PREFIX = "hadoop.http.authentication."; 047 048 /** 049 * Initializes hadoop-auth AuthenticationFilter. 050 * <p/> 051 * Propagates to hadoop-auth AuthenticationFilter configuration all Hadoop 052 * configuration properties prefixed with "hadoop.http.authentication." 053 * 054 * @param container The filter container 055 * @param conf Configuration for run-time parameters 056 */ 057 @Override 058 public void initFilter(FilterContainer container, Configuration conf) { 059 Map<String, String> filterConfig = getFilterConfigMap(conf, PREFIX); 060 061 container.addFilter("authentication", 062 AuthenticationFilter.class.getName(), 063 filterConfig); 064 } 065 066 public static Map<String, String> getFilterConfigMap(Configuration conf, 067 String prefix) { 068 Map<String, String> filterConfig = new HashMap<String, String>(); 069 070 //setting the cookie path to root '/' so it is used for all resources. 071 filterConfig.put(AuthenticationFilter.COOKIE_PATH, "/"); 072 073 for (Map.Entry<String, String> entry : conf) { 074 String name = entry.getKey(); 075 if (name.startsWith(prefix)) { 076 String value = conf.get(name); 077 name = name.substring(prefix.length()); 078 filterConfig.put(name, value); 079 } 080 } 081 082 //Resolve _HOST into bind address 083 String bindAddress = conf.get(HttpServer2.BIND_ADDRESS); 084 String principal = filterConfig.get(KerberosAuthenticationHandler.PRINCIPAL); 085 if (principal != null) { 086 try { 087 principal = SecurityUtil.getServerPrincipal(principal, bindAddress); 088 } 089 catch (IOException ex) { 090 throw new RuntimeException("Could not resolve Kerberos principal name: " + ex.toString(), ex); 091 } 092 filterConfig.put(KerberosAuthenticationHandler.PRINCIPAL, principal); 093 } 094 return filterConfig; 095 } 096 097}