kyuubi/docs/deployment
Fei Wang 1e23e7a93c [KYUUBI #1978] Support NEGOTIATE/BASIC authorization for restful frontend service
### _Why are the changes needed?_

to close #1978

Support both NEGOTIATE and BASIC authentication for restful frontend service.

At first, I involve two auth schemes, FYI [hadoop/HttpConstants.java](https://github.com/apache/hadoop/blob/trunk/hadoop-common-project%2Fhadoop-auth%2Fsrc%2Fmain%2Fjava%2Forg%2Fapache%2Fhadoop%2Fsecurity%2Fauthentication%2Fserver%2FHttpConstants.java)
- BASIC: mapping to NOSASL, NONE, LDAP, CUSTOM authentication
- NEGOTIATE: mapping to KERBEROS authentication

BTW, hadoop also supports `Digest` auth scheme.

Two authentication handlers:
- BasicAuthenticationHandler (reuse existing passwdAuthenticationProvider (LDAP/CUSTOM))
- KerberosAuthenticationHandler (refer to [hadoop/KerberosAuthenticationHandler.java](https://github.com/apache/hadoop/blob/trunk/hadoop-common-project%2Fhadoop-auth%2Fsrc%2Fmain%2Fjava%2Forg%2Fapache%2Fhadoop%2Fsecurity%2Fauthentication%2Fserver%2FKerberosAuthenticationHandler.java) and [hadoop/KerberosUtil.java](https://github.com/apache/hadoop/blob/trunk/hadoop-common-project%2Fhadoop-auth%2Fsrc%2Fmain%2Fjava%2Forg%2Fapache%2Fhadoop%2Fsecurity%2Fauthentication%2Futil%2FKerberosUtil.java))

#### AuthenticationFilter
- redirect the http request according to the authentication scheme specified in `Authorization` header.

For basic authentication:
The value of the Authorization header is `BASIC ${encodeBase64(user + ":" + password)}`.
Then the passwdAuthenticationProvider is used to authenticate `user` and `password`.

For SPNEGO (Kerberos) authentication:
The value of the Authorization header is `NEGOTIATE ${encodeBase64(clientToken)}`.
Then the clientToken is checked for validity.

And currently, the AuthenticationFilter takes effect for all the requests with pathSpec `/api/*`.

### _How was this patch tested?_
- [x] Add some test cases that check the changes thoroughly including negative and positive cases if possible

- [ ] Add screenshots for manual tests if appropriate

- [ ] [Run test](https://kyuubi.apache.org/docs/latest/develop_tools/testing.html#running-tests) locally before making a pull request

Closes #2049 from turboFei/kyuubi_1978_kerberos.

Closes #1978

c8b6362b [Fei Wang] refactor
cedec70f [Fei Wang] add spnego unit test
c1d45cde [Fei Wang] rename package to http.authentication
3d0b220b [Fei Wang] address comments
296f181e [Fei Wang] fix ut
f9371e14 [Fei Wang] spnego and basic auth

Authored-by: Fei Wang <fwang12@ebay.com>
Signed-off-by: Fei Wang <fwang12@ebay.com>
2022-03-10 21:04:20 +08:00
spark [KYUUBI #1215][DOC] Document incremental collection 2022-03-08 20:49:51 +08:00
engine_lifecycle.md [KYUUBI #1557] [DOC] The TTL Of Kyuubi Engines 2021-12-15 10:02:02 +08:00
engine_on_kubernetes.md [KYUUBI #1454] Add Doc About Deploy Kyuubi On Kubernetes 2021-11-29 14:15:19 +08:00
engine_on_yarn.md [KYUUBI #1454] Add Doc About Deploy Kyuubi On Kubernetes 2021-11-29 14:15:19 +08:00
engine_share_level.md [KYUUBI #1399] [DOCS] Add doc for engine share level 2021-11-16 19:58:25 +08:00
high_availability_guide.md [KYUUBI #1527] [DOC] Improve High Availability Guide 2021-12-09 13:58:00 +08:00
hive_metastore.md [KYUUBI #1347] [DOC] Fix miscellaneous doc typos 2021-11-08 09:27:37 +08:00
index.rst [KYUUBI #1557] [DOC] The TTL Of Kyuubi Engines 2021-12-15 10:02:02 +08:00
kyuubi_on_kubernetes.md [KYUUBI #1876] Set Spark 3.2.1 as default 2022-02-16 00:54:25 +08:00
settings.md [KYUUBI #1978] Support NEGOTIATE/BASIC authorization for restful frontend service 2022-03-10 21:04:20 +08:00