Druid Extension to enable Authentication using Kerberos. #3853

Merged
merged 13 commits into from Feb 2, 2017

Member

nishantmonu51 commented Jan 17, 2017

Druid Extension to enable Authentication for Druid Nodes using Kerberos.
It uses the simple and protected GSSAPI negotiation mechanism, SPNEGO (https://en.wikipedia.org/wiki/SPNEGO), for authentication via HTTP.
For internal node communication it also adds a wrapper around existing HTTP client to add GSSAPI authentication headers.

@nishantmonu51 nishantmonu51 added this to the 0.10.0 milestone Jan 17, 2017

nishantmonu51 added some commits Jan 16, 2017

Add extension for supporting kerberos security
- This PR adds an extension for supporting druid authentication via
Kerberos.
- Working on the docs.
Member

nishantmonu51 commented Jan 23, 2017

@b-slim Thanks for the review. Handled review comments and resolved conflicts.
@himanshug can you also take a look at it?

Contributor

himanshug commented Jan 23, 2017

Looks good to me besides existing comments.

Contributor

b-slim commented Jan 25, 2017

Member

nishantmonu51 commented Jan 25, 2017

@b-slim: Nice catch, fixed the locking.

Member

nishantmonu51 commented Jan 30, 2017

@b-slim: Have added cookie handling and added more detailed docs to include curl commands and browser configs required to access coordinator and overlord console.

3. Now you can access druid HTTP endpoints using curl command as follows -
```
curl --negotiate -u:anyUser -b ~/cookies.txt -c ~/cookies.txt -X POST -H'Content-Type: application/json' <HTTP_END_POINT>
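Review bot: the curl line sets -X POST and a JSON Content-Type but passes no request body, so as written it only suits endpoints that accept an empty POST; either show a -d placeholder for the JSON payload or drop the POST-specific flags from the generic example. It would also help to state that ~/cookies.txt is both read (-b) and written (-c) on every call, so it holds whatever cookie the server issues after authentication and should be readable only by the invoking user.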

@b-slim

b-slim Feb 1, 2017

Contributor

Can we mention that negotiate is needed only once?

@nishantmonu51

nishantmonu51 Feb 1, 2017

Member

IMO, user should always specify negotiate. FWIW, adding this will not mean that the authentication handshake will always be done.
The above curl command works like this -

  1. Sends the request to the server with the cookies for that domain, if any.
  2. If the server accepts the cookie, it will return a 200 OK.
  3. If the cookie is found to be invalid (multiple reasons - someone restarted the server before the cookie expired, the cookie expired), it will otherwise send a 401 Unauthorized response.
  4. The client, on receiving the 401, will now perform the SPNEGO negotiate mechanism.

Will add a comment about the use of cookies.
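The cookie-first flow described in the reply above, sketched from the server's side as an added example (not code from this PR or from Druid). The cookie format is a simplified, constructed one, the GSSAPI token check is stood in for by the `negotiate_principal` argument, and all function names are hypothetical.

```python
import hashlib
import hmac

NEGOTIATE_CHALLENGE = {"WWW-Authenticate": "Negotiate"}


def sign_cookie(secret: bytes, principal: str, expires: int) -> str:
    """Issue an auth cookie: payload plus an HMAC-SHA256 signature over it."""
    payload = f"u={principal}&e={expires}"
    sig = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}&s={sig}"


def verify_cookie(secret: bytes, cookie: str, now: int):
    """Return the principal if the signature matches and the cookie is unexpired."""
    payload, sep, sig = cookie.rpartition("&s=")
    if not sep:
        return None  # no signature field at all
    expected = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected.encode(), sig.encode()):
        return None  # tampered, or signed under a different secret (restart case)
    fields = dict(f.split("=", 1) for f in payload.split("&"))
    if int(fields["e"]) <= now:
        return None  # expired
    return fields["u"]


def handle_request(secret, cookie, negotiate_principal, now, ttl=3600):
    """Decide one request; returns (status, response_headers, cookie_to_set).

    negotiate_principal is the already-validated identity from an
    'Authorization: Negotiate <token>' header, or None if no token was sent.
    """
    # Steps 1-2: a valid cookie is accepted without any Kerberos handshake.
    if cookie and verify_cookie(secret, cookie, now):
        return 200, {}, None
    # Step 4: the client retried with a token; accept and issue a fresh cookie.
    if negotiate_principal:
        return 200, {}, sign_cookie(secret, negotiate_principal, now + ttl)
    # Step 3: missing or invalid cookie and no token, so challenge the client.
    return 401, dict(NEGOTIATE_CHALLENGE), None
```
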

params.put(AuthenticationFilter.AUTH_TYPE, "kerberos");
params.put("kerberos.name.rules", config.getAuthToLocal());
if (config.getCookieSignatureSecret() != null) {
params.put("signature.secret", config.getCookieSignatureSecret());
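Review bot: the `if (config.getCookieSignatureSecret() != null)` guard leaves `signature.secret` unset when no secret is configured, and nothing visible here says what the filter signs cookies with in that case. Please document the fallback next to this branch (and in the extension docs), including whether cookies issued under it survive a server restart, since the curl instructions rely on cookie reuse.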

@b-slim

b-slim Feb 1, 2017

Contributor

@nishantmonu51 not sure where the random string will be generated?

Contributor

b-slim commented Feb 1, 2017

👍

@b-slim b-slim closed this Feb 1, 2017

@b-slim b-slim reopened this Feb 1, 2017

Member

nishantmonu51 commented Feb 1, 2017

@himanshug: Handled review comments from slim, please check again.

@himanshug himanshug merged commit a457cde into apache:master Feb 2, 2017

1 check passed

continuous-integration/travis-ci/pr The Travis CI build passed

@gianm gianm added the Release Notes label Feb 23, 2017

@gianm gianm referenced this pull request Feb 28, 2017

Closed

Druid 0.10.0 release notes #3944
