Class MultiSchemeDelegationTokenAuthenticationHandler

java.lang.Object
  org.apache.hadoop.security.token.delegation.web.DelegationTokenAuthenticationHandler
    org.apache.hadoop.security.token.delegation.web.MultiSchemeDelegationTokenAuthenticationHandler

All Implemented Interfaces:
- org.apache.hadoop.security.authentication.server.AuthenticationHandler
- org.apache.hadoop.security.authentication.server.CompositeAuthenticationHandler

@Private
@Evolving
public class MultiSchemeDelegationTokenAuthenticationHandler
extends DelegationTokenAuthenticationHandler
implements org.apache.hadoop.security.authentication.server.CompositeAuthenticationHandler
A CompositeAuthenticationHandler that supports multiple HTTP authentication schemes along with delegation token functionality. For example, a server can support multiple authentication mechanisms such as Kerberos (SPNEGO) and LDAP. During the authentication phase the server advertises all possible authentication schemes and lets the client choose the appropriate one. Please refer to RFC-2616 and HADOOP-12082 for more details. Internally it uses the MultiSchemeAuthenticationHandler implementation.

This handler also provides an option to enable delegation token management functionality for only a specified subset of the authentication schemes. This is required to ensure that only the schemes with the strongest level of security are used for delegation token management.
In addition to the wrapped AuthenticationHandler configuration properties, this handler supports the following properties, prefixed with the type of the wrapped AuthenticationHandler:

- delegation-token.token-kind: the token kind for generated tokens (no default, required property).
- delegation-token.update-interval.sec: secret manager master key update interval in seconds (default 1 day).
- delegation-token.max-lifetime.sec: maximum life of a delegation token in seconds (default 7 days).
- delegation-token.renewal-interval.sec: renewal interval for delegation tokens in seconds (default 1 day).
- delegation-token.removal-scan-interval.sec: delegation token removal scan interval in seconds (default 1 hour).
- delegation.http.schemes: a comma separated list of HTTP authentication mechanisms (e.g. Negotiate, Basic) to be allowed for delegation token management operations.
Field Summary

Fields inherited from class org.apache.hadoop.security.token.delegation.web.DelegationTokenAuthenticationHandler:
- DELEGATION_TOKEN_UGI_ATTRIBUTE, JSON_MAPPER_PREFIX, PREFIX, TOKEN_KIND, TYPE_POSTFIX

Fields inherited from interface org.apache.hadoop.security.authentication.server.AuthenticationHandler:
- WWW_AUTHENTICATE

Constructor Summary

- MultiSchemeDelegationTokenAuthenticationHandler()

Method Summary

- org.apache.hadoop.security.authentication.server.AuthenticationToken authenticate(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)
  This method is overridden to restrict HTTP authentication schemes available for delegation token management functionality.
- void init(Properties config)

Methods inherited from class org.apache.hadoop.security.token.delegation.web.DelegationTokenAuthenticationHandler:
- destroy, getType, initJsonFactory, initTokenManager, isManagementOperation, managementOperation, setExternalDelegationTokenSecretManager

Methods inherited from class java.lang.Object:
- clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface org.apache.hadoop.security.authentication.server.AuthenticationHandler:
- destroy, getType, managementOperation
Field Details

DELEGATION_TOKEN_SCHEMES_PROPERTY
Name of the configuration property (delegation.http.schemes, listed above) that selects the HTTP authentication schemes allowed for delegation token management operations.

Constructor Details

MultiSchemeDelegationTokenAuthenticationHandler
public MultiSchemeDelegationTokenAuthenticationHandler()

Method Details

getTokenTypes
- Specified by: getTokenTypes in interface org.apache.hadoop.security.authentication.server.CompositeAuthenticationHandler

init
public void init(Properties config) throws javax.servlet.ServletException
- Specified by: init in interface org.apache.hadoop.security.authentication.server.AuthenticationHandler
- Overrides: init in class DelegationTokenAuthenticationHandler
- Throws: javax.servlet.ServletException

authenticate
public org.apache.hadoop.security.authentication.server.AuthenticationToken authenticate(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response) throws IOException, org.apache.hadoop.security.authentication.client.AuthenticationException

This method is overridden to restrict the HTTP authentication schemes available for delegation token management functionality. The authentication schemes to be used for delegation token management are configured using DELEGATION_TOKEN_SCHEMES_PROPERTY.

The basic logic is to check whether the current request is a delegation token management operation. If it is, check whether the request contains an "Authorization" header. If the header is missing, return an HTTP 401 response with a WWW-Authenticate header for each scheme configured for delegation token management. A client may also preemptively send an Authorization header for a scheme that is not configured for delegation token management; this case is detected and answered with the same HTTP 401 response carrying a WWW-Authenticate header for each configured scheme. If the client has sent an "Authorization" header for a scheme that is configured for delegation token management, the request is forwarded to the underlying MultiSchemeAuthenticationHandler for actual authentication. Finally, all other requests (those that are not delegation token management operations) are forwarded to the underlying MultiSchemeAuthenticationHandler for actual authentication.

- Specified by: authenticate in interface org.apache.hadoop.security.authentication.server.AuthenticationHandler
- Overrides: authenticate in class DelegationTokenAuthenticationHandler
- Parameters:
  request - the HTTP client request.
  response - the HTTP client response.
- Returns: the authentication token for the authenticated request.
- Throws:
  IOException - thrown if an IO error occurred.
  org.apache.hadoop.security.authentication.client.AuthenticationException - thrown if the authentication failed.
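The following is an added, stand-alone model of the decision flow described for authenticate() above, together with the parsing of the delegation.http.schemes list from the configuration section. It is not Hadoop code: the Request and Response classes, the underlying-handler callback standing in for MultiSchemeAuthenticationHandler, and the check that treats an "op" query parameter naming a token operation as a management request are simplified assumptions made for the model. It shows the security-relevant behaviour of the wrapper: a token management request that arrives with no Authorization header, or with a preemptive header for a scheme outside the configured list (for example Basic when only Negotiate is allowed), is answered with a 401 and one WWW-Authenticate challenge per allowed scheme instead of being passed to the weaker scheme.

```python
# Added example: a stand-alone model of the documented authenticate() flow.
# Not Hadoop code; Request/Response, the underlying-handler callback and the
# "op" query parameter check are simplified stand-ins (assumptions).
from dataclasses import dataclass, field

# Property name from the configuration list on this page.
DELEGATION_TOKEN_SCHEMES_PROPERTY = "delegation.http.schemes"
WWW_AUTHENTICATE = "WWW-Authenticate"
# Assumption: a request is a delegation token management operation when its
# "op" query parameter names one of these operations.
MANAGEMENT_OPS = {"GETDELEGATIONTOKEN", "RENEWDELEGATIONTOKEN", "CANCELDELEGATIONTOKEN"}


@dataclass
class Request:
    query: dict
    headers: dict = field(default_factory=dict)


@dataclass
class Response:
    status: int = 200
    # (name, value) pairs; WWW-Authenticate is emitted once per allowed scheme
    headers: list = field(default_factory=list)


def parse_schemes(config):
    """Parse the comma separated delegation.http.schemes value into a list,
    keeping configuration order and dropping case-insensitive duplicates."""
    raw = config.get(DELEGATION_TOKEN_SCHEMES_PROPERTY, "")
    schemes = []
    for item in raw.split(","):
        item = item.strip()
        if item and item.lower() not in [s.lower() for s in schemes]:
            schemes.append(item)
    return schemes


def is_management_operation(request):
    return request.query.get("op", "").upper() in MANAGEMENT_OPS


def authorization_scheme(request):
    """Scheme token of the Authorization header, or None if the header is absent."""
    value = request.headers.get("Authorization", "").strip()
    return value.split(None, 1)[0] if value else None


def challenge(response, schemes):
    """HTTP 401 carrying one WWW-Authenticate header per configured scheme."""
    response.status = 401
    for scheme in schemes:
        response.headers.append((WWW_AUTHENTICATE, scheme))
    return None


def authenticate(config, request, response, underlying):
    """Mirror of the documented flow: restrict management operations to the
    configured schemes and forward everything else to the underlying handler."""
    schemes = parse_schemes(config)
    if is_management_operation(request):
        scheme = authorization_scheme(request)
        allowed = [s.lower() for s in schemes]  # scheme names compared case-insensitively (modeling choice)
        # Missing header, or a preemptive header for a scheme that is not
        # allowed for token management: challenge with the allowed schemes.
        if scheme is None or scheme.lower() not in allowed:
            return challenge(response, schemes)
    # Permitted scheme on a management op, or a non-management request.
    return underlying(request, response)


def fake_multi_scheme_handler(request, response):
    """Stand-in for MultiSchemeAuthenticationHandler: accepts any scheme and
    returns a minimal token describing how the client authenticated."""
    return {"scheme": authorization_scheme(request), "user": "constructed-user"}


def run_scenarios():
    """Four constructed requests against a handler that allows only Negotiate
    for token management; returns a list of (status, headers, token)."""
    config = {DELEGATION_TOKEN_SCHEMES_PROPERTY: "Negotiate"}
    mgmt = {"op": "GETDELEGATIONTOKEN", "renewer": "alice"}
    cases = [
        Request(mgmt),  # no Authorization header at all
        Request(mgmt, {"Authorization": "Basic YWxpY2U6c2VjcmV0"}),  # preemptive Basic
        Request(mgmt, {"Authorization": "Negotiate YIIBconstructed"}),  # allowed scheme
        Request({"op": "LISTSTATUS"}, {"Authorization": "Basic YWxpY2U6c2VjcmV0"}),  # not a management op
    ]
    results = []
    for req in cases:
        resp = Response()
        token = authenticate(config, req, resp, fake_multi_scheme_handler)
        results.append((resp.status, resp.headers, token))
    return results


if __name__ == "__main__":
    for result in run_scenarios():
        print(result)
```

The first two scenarios never reach the wrapped handler, which is the point of the override: a scheme such as Basic can remain enabled for ordinary requests while being excluded from the issuance, renewal and cancellation of delegation tokens.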