HDDS-3282. ozone.http.filter.initializers can't be set properly for S… (

#724)
apache · May 6, 2020 · 4a9fde5 · 4a9fde5
1 parent 8576072
commit 4a9fde5
Show file tree

Hide file tree

Showing 24 changed files with 303 additions and 352 deletions.
diff --git a/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/HddsConfigKeys.java b/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/HddsConfigKeys.java
@@ -245,16 +245,20 @@ private HddsConfigKeys() {
   public static final String HDDS_DATANODE_HTTP_BIND_HOST_DEFAULT = "0.0.0.0";
   public static final int HDDS_DATANODE_HTTP_BIND_PORT_DEFAULT = 9882;
   public static final int HDDS_DATANODE_HTTPS_BIND_PORT_DEFAULT = 9883;
+
+  public static final String OZONE_DATANODE_HTTP_AUTH_CONFIG_PREFIX =
+      "hdds.datanode.http.auth.";
+  public static final String HDDS_DATANODE_HTTP_AUTH_TYPE =
+      OZONE_DATANODE_HTTP_AUTH_CONFIG_PREFIX + "type";
   public static final String
       HDDS_DATANODE_HTTP_KERBEROS_PRINCIPAL_KEY =
-      "hdds.datanode.http.kerberos.principal";
+      OZONE_DATANODE_HTTP_AUTH_CONFIG_PREFIX +  "kerberos.principal";
   public static final String
       HDDS_DATANODE_HTTP_KERBEROS_KEYTAB_FILE_KEY =
-      "hdds.datanode.http.kerberos.keytab";
+      OZONE_DATANODE_HTTP_AUTH_CONFIG_PREFIX + "kerberos.keytab";
 
   public static final String HDDS_DATANODE_RATIS_SERVER_REQUEST_TIMEOUT =
       "hdds.datanode.ratis.server.request.timeout";
   public static final String
       HDDS_DATANODE_RATIS_SERVER_REQUEST_TIMEOUT_DEFAULT = "2m";
-
 }
diff --git a/hadoop-hdds/common/src/main/java/org/apache/hadoop/ozone/OzoneConfigKeys.java b/hadoop-hdds/common/src/main/java/org/apache/hadoop/ozone/OzoneConfigKeys.java
@@ -424,10 +424,15 @@ public final class OzoneConfigKeys {
   public static final int OZONE_FREON_HTTPS_BIND_PORT_DEFAULT = 9885;
   public static final String
       OZONE_FREON_HTTP_KERBEROS_PRINCIPAL_KEY =
-      "ozone.freon.http.kerberos.principal";
+      "ozone.freon.http.auth.kerberos.principal";
   public static final String
       OZONE_FREON_HTTP_KERBEROS_KEYTAB_FILE_KEY =
-      "ozone.freon.http.kerberos.keytab";
+      "ozone.freon.http.auth.kerberos.keytab";
+  public static final String OZONE_FREON_HTTP_AUTH_TYPE =
+      "ozone.freon.http.auth.type";
+  public static final String OZONE_FREON_HTTP_AUTH_CONFIG_PREFIX =
+      "ozone.freon.http.auth.";
+
 
   public static final String OZONE_NETWORK_TOPOLOGY_AWARE_READ_KEY =
       "ozone.network.topology.aware.read";

diff --git a/hadoop-hdds/common/src/main/resources/ozone-default.xml b/hadoop-hdds/common/src/main/resources/ozone-default.xml
@@ -1434,16 +1434,6 @@
     </description>
   </property>
 
-  <property>
-    <name>ozone.s3g.authentication.kerberos.principal</name>
-    <value/>
-    <tag>OZONE, S3GATEWAY</tag>
-    <description>The server principal used by Ozone S3Gateway server. This is
-      typically set to
-      HTTP/_HOST@REALM.TLD The SPNEGO server principal begins with the prefix
-      HTTP/ by convention.</description>
-  </property>
-
   <property>
     <name>ozone.s3g.domain.name</name>
     <value/>
@@ -1500,7 +1490,17 @@
   </property>
 
   <property>
-    <name>ozone.s3g.keytab.file</name>
+    <name>ozone.s3g.http.auth.kerberos.principal</name>
+    <value/>
+    <tag>OZONE, S3GATEWAY</tag>
+    <description>The server principal used by Ozone S3Gateway server. This is
+      typically set to
+      HTTP/_HOST@REALM.TLD The SPNEGO server principal begins with the prefix
+      HTTP/ by convention.</description>
+  </property>
+
+  <property>
+    <name>ozone.s3g.http.auth.kerberos.keytab</name>
     <value/>
     <tag>OZONE, S3GATEWAY</tag>
     <description>The keytab file used by the S3Gateway server to login as its
@@ -1785,14 +1785,14 @@
     <description>The OzoneManager service principal. Ex om/_HOST@REALM.COM</description>
   </property>
   <property>
-    <name>ozone.om.http.kerberos.principal</name>
+    <name>ozone.om.http.auth.kerberos.principal</name>
     <value>HTTP/_HOST@EXAMPLE.COM</value>
     <description>
       OzoneManager http server kerberos principal.
     </description>
   </property>
   <property>
-    <name>ozone.om.http.kerberos.keytab</name>
+    <name>ozone.om.http.auth.kerberos.keytab</name>
     <value>/etc/security/keytabs/HTTP.keytab</value>
     <description>
       OzoneManager http server kerberos keytab.
@@ -2024,15 +2024,15 @@
     </description>
   </property>
   <property>
-    <name>ozone.freon.http.kerberos.principal</name>
+    <name>ozone.freon.http.auth.kerberos.principal</name>
     <value>HTTP/_HOST@EXAMPLE.COM</value>
     <tag>SECURITY</tag>
     <description>
      Security principal used by freon.
     </description>
   </property>
   <property>
-    <name>ozone.freon.http.kerberos.keytab</name>
+    <name>ozone.freon.http.auth.kerberos.keytab</name>
     <value>/etc/security/keytabs/HTTP.keytab</value>
     <tag>SECURITY</tag>
     <description>
@@ -2086,15 +2086,15 @@
   </property>
 
   <property>
-    <name>hdds.datanode.http.kerberos.principal</name>
+    <name>hdds.datanode.http.auth.kerberos.principal</name>
     <value>HTTP/_HOST@EXAMPLE.COM</value>
     <tag>HDDS, SECURITY, MANAGEMENT</tag>
     <description>
       The kerberos principal for the datanode http server.
     </description>
   </property>
   <property>
-    <name>hdds.datanode.http.kerberos.keytab</name>
+    <name>hdds.datanode.http.auth.kerberos.keytab</name>
     <value>/etc/security/keytabs/HTTP.keytab</value>
     <tag>HDDS, SECURITY, MANAGEMENT</tag>
     <description>
@@ -2220,31 +2220,62 @@
     </description>
   </property>
   <property>
-    <name>ozone.recon.keytab.file</name>
-    <value/>
-    <tag>RECON, SECURITY</tag>
-    <description>
-      DEPRECATED. Use "ozone.recon.http.kerberos.keytab.file" instead.
-      The keytab file for HTTP Kerberos authentication in Recon.
-    </description>
-  </property>
-  <property>
-    <name>ozone.recon.http.kerberos.keytab.file</name>
+    <name>ozone.recon.http.auth.kerberos.keytab</name>
     <value/>
     <tag>RECON, SECURITY</tag>
     <description>
       The keytab file for HTTP Kerberos authentication in Recon.
     </description>
   </property>
   <property>
-    <name>ozone.recon.authentication.kerberos.principal</name>
+    <name>ozone.recon.http.auth.kerberos.principal</name>
     <value/>
     <tag>RECON</tag>
     <description>The server principal used by Ozone Recon server. This is
       typically set to HTTP/_HOST@REALM.TLD The SPNEGO server principal
       begins with the prefix HTTP/ by convention.
     </description>
   </property>
+  <property>
+    <name>hdds.datanode.http.auth.type </name>
+    <value>simple</value>
+    <tag>DATANODE, SECURITY</tag>
+    <description> simple or kerberos. If kerberos is set, Kerberos SPNEOGO
+      will be used for http authentication.
+    </description>
+  </property>
+  <property>
+    <name>ozone.freon.http.auth.type </name>
+    <value>simple</value>
+    <tag>FREON, SECURITY</tag>
+    <description> simple or kerberos. If kerberos is set, Kerberos SPNEOGO
+      will be used for http authentication.
+    </description>
+  </property>
+  <property>
+    <name>ozone.om.http.auth.type </name>
+    <value>simple</value>
+    <tag>OM, SECURITY</tag>
+    <description> simple or kerberos. If kerberos is set, Kerberos SPNEOGO
+      will be used for http authentication.
+    </description>
+  </property>
+  <property>
+    <name>ozone.recon.http.auth.type </name>
+    <value>simple</value>
+    <tag>RECON, SECURITY</tag>
+    <description> simple or kerberos. If kerberos is set, Kerberos SPNEOGO
+      will be used for http authentication.
+    </description>
+  </property>
+  <property>
+    <name>ozone.s3g.http.auth.type </name>
+    <value>simple</value>
+    <tag>S3G, SECURITY</tag>
+    <description> simple or kerberos. If kerberos is set, Kerberos SPNEOGO
+      will be used for http authentication.
+    </description>
+  </property>
   <property>
     <name>ozone.recon.container.db.cache.size.mb</name>
     <value>128</value>

diff --git a/...-hdds/container-service/src/main/java/org/apache/hadoop/ozone/HddsDatanodeHttpServer.java b/...-hdds/container-service/src/main/java/org/apache/hadoop/ozone/HddsDatanodeHttpServer.java
@@ -83,4 +83,14 @@ protected String getSpnegoPrincipal() {
   protected String getEnabledKey() {
     return HddsConfigKeys.HDDS_DATANODE_HTTP_ENABLED_KEY;
   }
+
+  @Override
+  protected String getHttpAuthType() {
+    return HddsConfigKeys.HDDS_DATANODE_HTTP_AUTH_TYPE;
+  }
+
+  @Override
+  protected String getHttpAuthConfigPrefix() {
+    return HddsConfigKeys.OZONE_DATANODE_HTTP_AUTH_CONFIG_PREFIX;
+  }
 }
diff --git a/hadoop-hdds/docs/content/security/SecureOzone.md b/hadoop-hdds/docs/content/security/SecureOzone.md
@@ -164,11 +164,11 @@ All these settings should be made in ozone-site.xml.
         </thead>
         <tbody>
           <tr>
-            <td>ozone.s3g.authentication.kerberos.principal</th>
+            <td>ozone.s3g.http.auth.kerberos.principal</th>
             <td>S3 Gateway principal. <br/> e.g. HTTP/_HOST@EXAMPLE.COM</td>
           </tr>
           <tr>
-            <td>ozone.s3g.keytab.file</th>
+            <td>ozone.s3g.http.auth.kerberos.keytab</th>
             <td>The keytab file used by S3 gateway</td>
           </tr>
         </tbody>

diff --git a/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/server/http/BaseHttpServer.java b/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/server/http/BaseHttpServer.java
@@ -36,7 +36,6 @@
 import org.apache.hadoop.net.NetUtils;
 import org.apache.hadoop.ozone.OzoneConfigKeys;
 import org.apache.hadoop.ozone.OzoneSecurityUtil;
-import org.apache.hadoop.security.SecurityUtil;
 import org.apache.hadoop.security.UserGroupInformation;
 import org.apache.hadoop.security.authorize.AccessControlList;
 
@@ -47,9 +46,14 @@
 import static org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_ADMINISTRATORS;
 import static org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_CLIENT_HTTPS_NEED_AUTH_DEFAULT;
 import static org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_CLIENT_HTTPS_NEED_AUTH_KEY;
+import static org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_HTTP_SECURITY_ENABLED_DEFAULT;
+import static org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_HTTP_SECURITY_ENABLED_KEY;
+import static org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_SECURITY_ENABLED_DEFAULT;
+import static org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_SECURITY_ENABLED_KEY;
 import static org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_SERVER_HTTPS_KEYPASSWORD_KEY;
 import static org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_SERVER_HTTPS_KEYSTORE_PASSWORD_KEY;
 import static org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_SERVER_HTTPS_TRUSTSTORE_PASSWORD_KEY;
+
 import org.eclipse.jetty.webapp.WebAppContext;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -95,8 +99,29 @@ public BaseHttpServer(ConfigurationSource conf, String name)
       conf.set("hadoop.prometheus.endpoint.enabled", "false");
 
       HttpServer2.Builder builder = newHttpServer2BuilderForOzone(
-          conf, httpAddress, httpsAddress,
-          name, getSpnegoPrincipal(), getKeytabFile());
+          conf, httpAddress, httpsAddress, name);
+
+      boolean isSecurityEnabled = UserGroupInformation.isSecurityEnabled() &&
+          OzoneSecurityUtil.isHttpSecurityEnabled(conf);
+      LOG.info("Hadoop Security Enabled: {} " +
+              "Ozone Security Enabled: {} " +
+              "Ozone HTTP Security Enabled: {} ",
+          UserGroupInformation.isSecurityEnabled(),
+          conf.getBoolean(OZONE_SECURITY_ENABLED_KEY,
+              OZONE_SECURITY_ENABLED_DEFAULT),
+          conf.getBoolean(OZONE_HTTP_SECURITY_ENABLED_KEY,
+              OZONE_HTTP_SECURITY_ENABLED_DEFAULT));
+
+      if (isSecurityEnabled) {
+        String httpAuthType = conf.get(getHttpAuthType(), "simple");
+        LOG.info("HttpAuthType: {} = {}", getHttpAuthType(), httpAuthType);
+        if (httpAuthType.equals("kerberos")) {
+          builder.setSecurityEnabled(true);
+          builder.authFilterConfigurationPrefix(getHttpAuthConfigPrefix());
+          builder.setUsernameConfKey(getSpnegoPrincipal());
+          builder.setKeytabConfKey(getKeytabFile());
+        }
+      }
 
       final boolean xFrameEnabled = conf.getBoolean(
           DFSConfigKeysLegacy.DFS_XFRAME_OPTION_ENABLED,
@@ -162,26 +187,14 @@ public BaseHttpServer(ConfigurationSource conf, String name)
    */
   public static HttpServer2.Builder newHttpServer2BuilderForOzone(
       ConfigurationSource conf, final InetSocketAddress httpAddr,
-      final InetSocketAddress httpsAddr, String name, String spnegoUserNameKey,
-      String spnegoKeytabFileKey) throws IOException {
+      final InetSocketAddress httpsAddr, String name) throws IOException {
     HttpConfig.Policy policy = getHttpPolicy(conf);
-    boolean isSecurityEnabled = UserGroupInformation.isSecurityEnabled() &&
-        OzoneSecurityUtil.isHttpSecurityEnabled(conf);
 
     HttpServer2.Builder builder = new HttpServer2.Builder().setName(name)
         .setConf(conf).setACL(new AccessControlList(conf.get(
-            OZONE_ADMINISTRATORS, " ")))
-        .setSecurityEnabled(isSecurityEnabled)
-        .setUsernameConfKey(spnegoUserNameKey)
-        .setKeytabConfKey(spnegoKeytabFileKey);
+            OZONE_ADMINISTRATORS, " ")));
 
     // initialize the webserver for uploading/downloading files.
-    if (isSecurityEnabled) {
-      LOG.info("Starting web server as: "
-          + SecurityUtil.getServerPrincipal(conf.get(spnegoUserNameKey),
-          httpAddr.getHostName()));
-    }
-
     if (policy.isHttpEnabled()) {
       if (httpAddr.getPort() == 0) {
         builder.setFindPort(true);
@@ -220,6 +233,12 @@ protected void addServlet(String servletName, String pathSpec,
     httpServer.addServlet(servletName, pathSpec, clazz);
   }
 
+  protected void addInternalServlet(String servletName, String pathSpec,
+      Class<? extends HttpServlet> clazz) {
+    httpServer.addInternalServlet(servletName, pathSpec, clazz);
+  }
+
+
   /**
    * Returns the WebAppContext associated with this HttpServer.
    *
@@ -332,25 +351,6 @@ public static HttpServer2.Builder loadSslConfToHttpServerBuilder(
             sslConf.get("ssl.server.exclude.cipher.list"));
   }
 
-
-  /**
-   * Get SPNEGO keytab Key from configuration.
-   *
-   * @param conf       Configuration
-   * @param defaultKey default key to be used for config lookup
-   * @return DFS_WEB_AUTHENTICATION_KERBEROS_KEYTAB_KEY if the key is not empty
-   * else return defaultKey
-   */
-  public static String getSpnegoKeytabKey(ConfigurationSource conf,
-      String defaultKey) {
-    String value =
-        conf.get(
-            DFSConfigKeysLegacy.DFS_WEB_AUTHENTICATION_KERBEROS_KEYTAB_KEY);
-    return (value == null || value.isEmpty()) ?
-        defaultKey :
-        DFSConfigKeysLegacy.DFS_WEB_AUTHENTICATION_KERBEROS_KEYTAB_KEY;
-  }
-
   /**
    * Leverages the Configuration.getPassword method to attempt to get
    * passwords from the CredentialProvider API before falling back to
@@ -437,4 +437,8 @@ public InetSocketAddress getHttpsAddress() {
 
   protected abstract String getEnabledKey();
 
+  protected abstract String getHttpAuthType();
+
+  protected abstract String getHttpAuthConfigPrefix();
+
 }