Browse Source
* fix bug #3165 get resource.storage.type value toUpperCase * fix bug #3176 optimize Gets the value of this property “resource.storage.type” * fix When you request the URL through applicationID to get the application status, you cannot get it if Kerberos authentication is enabled * fix When you request the URL through applicationID to get the application status, you cannot get it if Kerberos authentication is enabled * fix When you request the URL through applicationID to get the application status, you cannot get it if Kerberos authentication is enabled * fix miss * add KerberosHttpClient fix kerberos bug * fix map init * add juint test * Extraction of public methods * Extraction of public methods * Fix code quality * Fix code quality * Fix code quality * Fix code quality * Fix code quality * Fix code quality * Fix code quality * rebuild test * rebuild test * check style * check style * check style * revert UT POM * Kerberos judgment goes up to hadoopUtils * fix merge * Remove connection pool shutdown Co-authored-by: dailidong <dailidong66@gmail.com>pull/3/MERGE
6 changed files with 296 additions and 45 deletions
@ -0,0 +1,156 @@ |
|||||||
|
/* |
||||||
|
* Licensed to the Apache Software Foundation (ASF) under one or more |
||||||
|
* contributor license agreements. See the NOTICE file distributed with |
||||||
|
* this work for additional information regarding copyright ownership. |
||||||
|
* The ASF licenses this file to You under the Apache License, Version 2.0 |
||||||
|
* (the "License"); you may not use this file except in compliance with |
||||||
|
* the License. You may obtain a copy of the License at |
||||||
|
* |
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
* |
||||||
|
* Unless required by applicable law or agreed to in writing, software |
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS, |
||||||
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
||||||
|
* See the License for the specific language governing permissions and |
||||||
|
* limitations under the License. |
||||||
|
*/ |
||||||
|
package org.apache.dolphinscheduler.common.utils; |
||||||
|
|
||||||
|
import org.apache.dolphinscheduler.common.Constants; |
||||||
|
import org.apache.http.auth.AuthSchemeProvider; |
||||||
|
import org.apache.http.auth.AuthScope; |
||||||
|
import org.apache.http.auth.Credentials; |
||||||
|
import org.apache.http.client.config.AuthSchemes; |
||||||
|
import org.apache.http.client.methods.HttpGet; |
||||||
|
import org.apache.http.config.Lookup; |
||||||
|
import org.apache.http.config.RegistryBuilder; |
||||||
|
import org.apache.http.impl.auth.SPNegoSchemeFactory; |
||||||
|
import org.apache.http.impl.client.BasicCredentialsProvider; |
||||||
|
import org.apache.http.impl.client.CloseableHttpClient; |
||||||
|
import org.apache.http.impl.client.HttpClientBuilder; |
||||||
|
import org.slf4j.Logger; |
||||||
|
import org.slf4j.LoggerFactory; |
||||||
|
|
||||||
|
import javax.security.auth.Subject; |
||||||
|
import javax.security.auth.kerberos.KerberosPrincipal; |
||||||
|
import javax.security.auth.login.AppConfigurationEntry; |
||||||
|
import javax.security.auth.login.Configuration; |
||||||
|
import javax.security.auth.login.LoginContext; |
||||||
|
import javax.security.auth.login.LoginException; |
||||||
|
import java.security.Principal; |
||||||
|
import java.security.PrivilegedAction; |
||||||
|
import java.util.HashMap; |
||||||
|
import java.util.HashSet; |
||||||
|
import java.util.Map; |
||||||
|
import java.util.Set; |
||||||
|
|
||||||
|
/** |
||||||
|
* kerberos http client |
||||||
|
*/ |
||||||
|
public class KerberosHttpClient { |
||||||
|
|
||||||
|
public static final Logger logger = LoggerFactory.getLogger(KerberosHttpClient.class); |
||||||
|
|
||||||
|
private String principal; |
||||||
|
private String keyTabLocation; |
||||||
|
|
||||||
|
public KerberosHttpClient(String principal, String keyTabLocation) { |
||||||
|
super(); |
||||||
|
this.principal = principal; |
||||||
|
this.keyTabLocation = keyTabLocation; |
||||||
|
} |
||||||
|
|
||||||
|
public KerberosHttpClient(String principal, String keyTabLocation, boolean isDebug) { |
||||||
|
this(principal, keyTabLocation); |
||||||
|
if (isDebug) { |
||||||
|
System.setProperty("sun.security.spnego.debug", "true"); |
||||||
|
System.setProperty("sun.security.krb5.debug", "true"); |
||||||
|
} |
||||||
|
} |
||||||
|
|
||||||
|
public KerberosHttpClient(String principal, String keyTabLocation, String krb5Location, boolean isDebug) { |
||||||
|
this(principal, keyTabLocation, isDebug); |
||||||
|
System.setProperty("java.security.krb5.conf", krb5Location); |
||||||
|
} |
||||||
|
|
||||||
|
private static CloseableHttpClient buildSpengoHttpClient() { |
||||||
|
HttpClientBuilder builder = HttpClientBuilder.create(); |
||||||
|
Lookup<AuthSchemeProvider> authSchemeRegistry = RegistryBuilder.<AuthSchemeProvider>create() |
||||||
|
.register(AuthSchemes.SPNEGO, new SPNegoSchemeFactory(true)).build(); |
||||||
|
builder.setDefaultAuthSchemeRegistry(authSchemeRegistry); |
||||||
|
BasicCredentialsProvider credentialsProvider = new BasicCredentialsProvider(); |
||||||
|
credentialsProvider.setCredentials(new AuthScope(null, -1, null), new Credentials() { |
||||||
|
@Override |
||||||
|
public Principal getUserPrincipal() { |
||||||
|
return null; |
||||||
|
} |
||||||
|
|
||||||
|
@Override |
||||||
|
public String getPassword() { |
||||||
|
return null; |
||||||
|
} |
||||||
|
}); |
||||||
|
builder.setDefaultCredentialsProvider(credentialsProvider); |
||||||
|
return builder.build(); |
||||||
|
} |
||||||
|
|
||||||
|
public String get(final String url, final String userId) { |
||||||
|
logger.info("Calling KerberosHttpClient {} {} {}", this.principal, this.keyTabLocation, url); |
||||||
|
Configuration config = new Configuration() { |
||||||
|
@SuppressWarnings("serial") |
||||||
|
@Override |
||||||
|
public AppConfigurationEntry[] getAppConfigurationEntry(String name) { |
||||||
|
Map<String, Object> options = new HashMap<>(9); |
||||||
|
options.put("useTicketCache", "false"); |
||||||
|
options.put("useKeyTab", "true"); |
||||||
|
options.put("keyTab", keyTabLocation); |
||||||
|
options.put("refreshKrb5Config", "true"); |
||||||
|
options.put("principal", principal); |
||||||
|
options.put("storeKey", "true"); |
||||||
|
options.put("doNotPrompt", "true"); |
||||||
|
options.put("isInitiator", "true"); |
||||||
|
options.put("debug", "true"); |
||||||
|
return new AppConfigurationEntry[] { |
||||||
|
new AppConfigurationEntry("com.sun.security.auth.module.Krb5LoginModule", |
||||||
|
AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, options) }; |
||||||
|
} |
||||||
|
}; |
||||||
|
Set<Principal> princ = new HashSet<>(1); |
||||||
|
princ.add(new KerberosPrincipal(userId)); |
||||||
|
Subject sub = new Subject(false, princ, new HashSet<>(), new HashSet<>()); |
||||||
|
|
||||||
|
LoginContext lc; |
||||||
|
try { |
||||||
|
lc = new LoginContext("", sub, null, config); |
||||||
|
lc.login(); |
||||||
|
Subject serviceSubject = lc.getSubject(); |
||||||
|
return Subject.doAs(serviceSubject, (PrivilegedAction<String>) () -> { |
||||||
|
CloseableHttpClient httpClient = buildSpengoHttpClient(); |
||||||
|
HttpGet httpget = new HttpGet(url); |
||||||
|
return HttpUtils.getResponseContentString(httpget, httpClient); |
||||||
|
}); |
||||||
|
} catch (LoginException le) { |
||||||
|
logger.error("Kerberos authentication failed ", le); |
||||||
|
} |
||||||
|
return null; |
||||||
|
} |
||||||
|
|
||||||
|
/** |
||||||
|
* get http request content by kerberosClient |
||||||
|
* |
||||||
|
* @param url url |
||||||
|
* @return http get request response content |
||||||
|
*/ |
||||||
|
public static String get(String url) { |
||||||
|
|
||||||
|
String responseContent; |
||||||
|
KerberosHttpClient kerberosHttpClient = new KerberosHttpClient( |
||||||
|
PropertyUtils.getString(Constants.LOGIN_USER_KEY_TAB_USERNAME), |
||||||
|
PropertyUtils.getString(Constants.LOGIN_USER_KEY_TAB_PATH), |
||||||
|
PropertyUtils.getString(Constants.JAVA_SECURITY_KRB5_CONF_PATH), true); |
||||||
|
responseContent = kerberosHttpClient.get(url, PropertyUtils.getString(Constants.LOGIN_USER_KEY_TAB_USERNAME)); |
||||||
|
return responseContent; |
||||||
|
|
||||||
|
} |
||||||
|
|
||||||
|
} |
@ -0,0 +1,46 @@ |
|||||||
|
/* |
||||||
|
* Licensed to the Apache Software Foundation (ASF) under one or more |
||||||
|
* contributor license agreements. See the NOTICE file distributed with |
||||||
|
* this work for additional information regarding copyright ownership. |
||||||
|
* The ASF licenses this file to You under the Apache License, Version 2.0 |
||||||
|
* (the "License"); you may not use this file except in compliance with |
||||||
|
* the License. You may obtain a copy of the License at |
||||||
|
* |
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
* |
||||||
|
* Unless required by applicable law or agreed to in writing, software |
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS, |
||||||
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
||||||
|
* See the License for the specific language governing permissions and |
||||||
|
* limitations under the License. |
||||||
|
*/ |
||||||
|
package org.apache.dolphinscheduler.common.utils; |
||||||
|
|
||||||
|
import org.apache.dolphinscheduler.common.Constants; |
||||||
|
import org.junit.Assert; |
||||||
|
import org.junit.Test; |
||||||
|
import org.slf4j.Logger; |
||||||
|
import org.slf4j.LoggerFactory; |
||||||
|
|
||||||
|
/** |
||||||
|
* KerberosHttpClient test |
||||||
|
*/ |
||||||
|
public class KerberosHttpClientTest { |
||||||
|
public static final Logger logger = LoggerFactory.getLogger(KerberosHttpClientTest.class); |
||||||
|
private HadoopUtils hadoopUtils = HadoopUtils.getInstance(); |
||||||
|
|
||||||
|
@Test |
||||||
|
public void get() { |
||||||
|
try { |
||||||
|
String applicationUrl = hadoopUtils.getApplicationUrl("application_1542010131334_0029"); |
||||||
|
String responseContent; |
||||||
|
KerberosHttpClient kerberosHttpClient = new KerberosHttpClient(PropertyUtils.getString(Constants.LOGIN_USER_KEY_TAB_USERNAME), |
||||||
|
PropertyUtils.getString(Constants.LOGIN_USER_KEY_TAB_PATH), PropertyUtils.getString(Constants.JAVA_SECURITY_KRB5_CONF_PATH), true); |
||||||
|
responseContent = kerberosHttpClient.get(applicationUrl, |
||||||
|
PropertyUtils.getString(Constants.LOGIN_USER_KEY_TAB_USERNAME)); |
||||||
|
Assert.assertNull(responseContent); |
||||||
|
} catch (Exception e) { |
||||||
|
logger.error(e.getMessage(), e); |
||||||
|
} |
||||||
|
} |
||||||
|
} |
Loading…
Reference in new issue