apache/kyuubi
1
0
Fork 0
Code Issues Pull Requests Actions 5 Packages Projects Releases Wiki Activity
1e23e7a93c
kyuubi/docs
History
Fei Wang 1e23e7a93c [KYUUBI #1978] Support NEGOTIATE/BASIC authorization for restful frontend service 
### _Why are the changes needed?_

to close #1978

Support both NEGOTIATE and BASIC authentication for restful frontend service.

At first, I involve two auth schemes, FYI [hadoop/HttpConstants.java](https://github.com/apache/hadoop/blob/trunk/hadoop-common-project%2Fhadoop-auth%2Fsrc%2Fmain%2Fjava%2Forg%2Fapache%2Fhadoop%2Fsecurity%2Fauthentication%2Fserver%2FHttpConstants.java)
- BASIC: mapping to NOSASL, NONE, LDAP, CUSTOM authentication
- NEGOTIATE: mapping to KERBEROS authentication

BTW, hadoop also supports `Digest` auth scheme.

Two authentication handlers:
- BasicAuthenticationHandler(reuse existing passwdAuthenticationProvider(LDAP/CUSTOM))
- KerberosAuthenticationHandler(refer [hadoop/KerberosAuthenticationHandler.java](https://github.com/apache/hadoop/blob/trunk/hadoop-common-project%2Fhadoop-auth%2Fsrc%2Fmain%2Fjava%2Forg%2Fapache%2Fhadoop%2Fsecurity%2Fauthentication%2Fserver%2FKerberosAuthenticationHandler.java) and [hadoop/KerberosUtil.java](https://github.com/apache/hadoop/blob/trunk/hadoop-common-project%2Fhadoop-auth%2Fsrc%2Fmain%2Fjava%2Forg%2Fapache%2Fhadoop%2Fsecurity%2Fauthentication%2Futil%2FKerberosUtil.java))

#### AuthenticationFilter
- redirect the http request according to the authentication scheme specified in `Authorization` header.

For basic authentication
The value of Authorization header is `BASIC ${encodeBase64(user + ":" + password)}`.
Then using the passwdAuthenticationProvider to authenticate `user` and `password`.

For SPNEGO(kerberos) authentication.
The value of Authorization header is `NEGOTIATE ${encodeBase64(clientToken)}`.
Then checking whether the clientToken is valid.

And currently, the AuthenticationFilter take affect for all the requests with pathSpec `/api/*`.

### _How was this patch tested?_
- [x] Add some test cases that check the changes thoroughly including negative and positive cases if possible

- [ ] Add screenshots for manual tests if appropriate

- [ ] [Run test](https://kyuubi.apache.org/docs/latest/develop_tools/testing.html#running-tests) locally before make a pull request

Closes #2049 from turboFei/kyuubi_1978_kerberos.

Closes #1978

c8b6362b [Fei Wang] refactor
cedec70f [Fei Wang] add spnego unit test
c1d45cde [Fei Wang] rename package to http.authentication
3d0b220b [Fei Wang] address comments
296f181e [Fei Wang] fix ut
f9371e14 [Fei Wang] spnego and basic auth

Authored-by: Fei Wang <fwang12@ebay.com>
Signed-off-by: Fei Wang <fwang12@ebay.com>
2022-03-10 21:04:20 +08:00
..
_static/css [KYUUBI #2004] Sync contents for CONTRIBUTING & COMMUNITY between web and main repo 2022-03-03 20:40:33 +08:00
appendix [KYUUBI #1347] [DOC] Fix miscellaneous doc typos 2021-11-08 09:27:37 +08:00
client [KYUUBI #1831] [DOCS] Fix the jdbc connection url format doc 2022-01-25 10:03:45 +08:00
community [KYUUBI #2004] Sync contents for CONTRIBUTING & COMMUNITY between web and main repo 2022-03-03 20:40:33 +08:00
deployment [KYUUBI #1978] Support NEGOTIATE/BASIC authorization for restful frontend service 2022-03-10 21:04:20 +08:00
develop_tools [KYUUBI #1970] Replace mirror-cn profile with Apache officially suggested dlcdn 2022-02-24 12:07:46 +08:00
imgs [KYUUBI #2079] Update kyuubi layer source file to add flink and trino… 2022-03-10 09:39:15 +08:00
integrations [KYUUBI #2081] YARN_CONF_DIR shall be added to kyuubi server classpath as HADOOP_CONF_DIR 2022-03-10 15:03:11 +08:00
monitor [KYUUBI #2081] YARN_CONF_DIR shall be added to kyuubi server classpath as HADOOP_CONF_DIR 2022-03-10 15:03:11 +08:00
overview [KYUUBI #1527] [DOC] Improve High Availability Guide 2021-12-09 13:58:00 +08:00
quick_start [KYUUBI #2081] YARN_CONF_DIR shall be added to kyuubi server classpath as HADOOP_CONF_DIR 2022-03-10 15:03:11 +08:00
security [KYUUBI #1550] Provide a specific user guide about connecting to kerberized kyuubi 2021-12-16 17:21:31 +08:00
sql [KYUUBI #1577] Add DropIgnoreNonexistent Rule. 2021-12-20 11:46:25 +08:00
tools [KYUUBI #1335] Spell issue branch 2021-11-05 09:33:32 +08:00
conf.py [KYUUBI #1889] Improve the user experience of the configuration parameters of the document 2022-02-11 09:29:50 +08:00
index.rst [KYUUBI #1526] [DOC] Update kyuubi_layers.drawio to add driver layer 2021-12-08 17:07:11 +08:00
make.bat [KYUUBI #874] [ASF] ASF Publish 2021-08-16 11:48:21 +08:00
Makefile [KYUUBI #874] [ASF] ASF Publish 2021-08-16 11:48:21 +08:00
requirements.txt [KYUUBI #1557] [DOC] The TTL Of Kyuubi Engines 2021-12-15 10:02:02 +08:00