Package org.apache.hadoop.security.token.delegation.web

Class MultiSchemeDelegationTokenAuthenticationHandler

java.lang.Object

org.apache.hadoop.security.token.delegation.web.DelegationTokenAuthenticationHandler

org.apache.hadoop.security.token.delegation.web.MultiSchemeDelegationTokenAuthenticationHandler

All Implemented Interfaces:

org.apache.hadoop.security.authentication.server.AuthenticationHandler, org.apache.hadoop.security.authentication.server.CompositeAuthenticationHandler

@Private
@Evolving
public class MultiSchemeDelegationTokenAuthenticationHandler
extends DelegationTokenAuthenticationHandler
implements org.apache.hadoop.security.authentication.server.CompositeAuthenticationHandler

A CompositeAuthenticationHandler that supports multiple HTTP authentication schemes along with Delegation Token functionality. e.g. server can support multiple authentication mechanisms such as Kerberos (SPENGO) and LDAP. During the authentication phase, server will specify all possible authentication schemes and let client choose the appropriate scheme. Please refer to RFC-2616 and HADOOP-12082 for more details. Internally it uses MultiSchemeAuthenticationHandler implementation. This handler also provides an option to enable delegation token management functionality for only a specified subset of authentication schemes. This is required to ensure that only schemes with strongest level of security should be used for delegation token management.

In addition to the wrapped AuthenticationHandler configuration properties, this handler supports the following properties prefixed with the type of the wrapped AuthenticationHandler:

• delegation-token.token-kind: the token kind for generated tokens (no default, required property).
• delegation-token.update-interval.sec: secret manager master key update interval in seconds (default 1 day).
• delegation-token.max-lifetime.sec: maximum life of a delegation token in seconds (default 7 days).
• delegation-token.renewal-interval.sec: renewal interval for delegation tokens in seconds (default 1 day).
• delegation-token.removal-scan-interval.sec: delegation tokens removal scan interval in seconds (default 1 hour).
• delegation.http.schemes: A comma separated list of HTTP authentication mechanisms (e.g. Negotiate, Basic) etc. to be allowed for delegation token management operations.

Field Summary

Fields

Modifier and Type	Field	Description
static java.lang.String	DELEGATION_TOKEN_SCHEMES_PROPERTY

Fields inherited from class org.apache.hadoop.security.token.delegation.web.DelegationTokenAuthenticationHandler

DELEGATION_TOKEN_UGI_ATTRIBUTE, JSON_MAPPER_PREFIX, PREFIX, TOKEN_KIND, TYPE_POSTFIX

Fields inherited from interface org.apache.hadoop.security.authentication.server.AuthenticationHandler

WWW_AUTHENTICATE

Constructor Summary

Constructors

Constructor	Description
MultiSchemeDelegationTokenAuthenticationHandler()

Method Summary

Modifier and Type	Method	Description
org.apache.hadoop.security.authentication.server.AuthenticationToken	authenticate(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)	This method is overridden to restrict HTTP authentication schemes available for delegation token management functionality.
java.util.Collection<java.lang.String>	getTokenTypes()
void	init(java.util.Properties config)

Methods inherited from class org.apache.hadoop.security.token.delegation.web.DelegationTokenAuthenticationHandler

destroy, getType, initJsonFactory, initTokenManager, isManagementOperation, managementOperation, setExternalDelegationTokenSecretManager

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface org.apache.hadoop.security.authentication.server.AuthenticationHandler

destroy, getType, managementOperation

Field Detail

DELEGATION_TOKEN_SCHEMES_PROPERTY

public static final java.lang.String DELEGATION_TOKEN_SCHEMES_PROPERTY

See Also:

Constant Field Values

Constructor Detail

MultiSchemeDelegationTokenAuthenticationHandler

public MultiSchemeDelegationTokenAuthenticationHandler()

Method Detail

getTokenTypes

public java.util.Collection<java.lang.String> getTokenTypes()

Specified by:

getTokenTypes in interface org.apache.hadoop.security.authentication.server.CompositeAuthenticationHandler

init

public void init(java.util.Properties config)
          throws javax.servlet.ServletException

Specified by:

init in interface org.apache.hadoop.security.authentication.server.AuthenticationHandler

Overrides:

init in class DelegationTokenAuthenticationHandler

Throws:

javax.servlet.ServletException

authenticate

public org.apache.hadoop.security.authentication.server.AuthenticationToken authenticate(javax.servlet.http.HttpServletRequest request,
                                                                                         javax.servlet.http.HttpServletResponse response)
                                                                                  throws java.io.IOException,
                                                                                         org.apache.hadoop.security.authentication.client.AuthenticationException

This method is overridden to restrict HTTP authentication schemes available for delegation token management functionality. The authentication schemes to be used for delegation token management are configured using DELEGATION_TOKEN_SCHEMES_PROPERTY The basic logic here is to check if the current request is for delegation token management. If yes then check if the request contains an "Authorization" header. If it is missing, then return the HTTP 401 response with WWW-Authenticate header for each scheme configured for delegation token management. It is also possible for a client to preemptively send Authorization header for a scheme not configured for delegation token management. We detect this case and return the HTTP 401 response with WWW-Authenticate header for each scheme configured for delegation token management. If a client has sent a request with "Authorization" header for a scheme configured for delegation token management, then it is forwarded to underlying MultiSchemeAuthenticationHandler for actual authentication. Finally all other requests (excluding delegation token management) are forwarded to underlying MultiSchemeAuthenticationHandler for actual authentication.

Specified by:

authenticate in interface org.apache.hadoop.security.authentication.server.AuthenticationHandler

Overrides:

authenticate in class DelegationTokenAuthenticationHandler

Parameters:

request - the HTTP client request.

response - the HTTP client response.

Returns:

the authentication token for the authenticated request.

Throws:

java.io.IOException - thrown if an IO error occurred.

org.apache.hadoop.security.authentication.client.AuthenticationException - thrown if the authentication failed.