Package org.apache.hadoop.security.token.delegation.web

Class DelegationTokenAuthenticationFilter

java.lang.Object
org.apache.hadoop.security.authentication.server.AuthenticationFilter
org.apache.hadoop.security.token.delegation.web.DelegationTokenAuthenticationFilter
All Implemented Interfaces:
javax.servlet.Filter
@Private @Evolving public class DelegationTokenAuthenticationFilter extends org.apache.hadoop.security.authentication.server.AuthenticationFilter
The DelegationTokenAuthenticationFilter filter is a AuthenticationFilter with Hadoop Delegation Token support.

By default it uses it own instance of the AbstractDelegationTokenSecretManager. For situations where an external AbstractDelegationTokenSecretManager is required (i.e. one that shares the secret with AbstractDelegationTokenSecretManager instance running in other services), the external AbstractDelegationTokenSecretManager must be set as an attribute in the ServletContext of the web application using the DELEGATION_TOKEN_SECRET_MANAGER_ATTR attribute name ( 'hadoop.http.delegation-token-secret-manager').

  • Field Summary

    Fields
    Modifier and Type
    Field
    Description
    static final String
    DELEGATION_TOKEN_SECRET_MANAGER_ATTR
    Sets an external DelegationTokenSecretManager instance to manage creation and verification of Delegation Tokens.
    static final String
    PROXYUSER_PREFIX
     

    Fields inherited from class org.apache.hadoop.security.authentication.server.AuthenticationFilter

    AUTH_TOKEN_MAX_INACTIVE_INTERVAL, AUTH_TOKEN_VALIDITY, AUTH_TYPE, CONFIG_PREFIX, COOKIE_DOMAIN, COOKIE_PATH, COOKIE_PERSISTENT, SIGNATURE_SECRET, SIGNATURE_SECRET_FILE, SIGNER_SECRET_PROVIDER, SIGNER_SECRET_PROVIDER_ATTRIBUTE

  • Constructor Summary

    Constructors
    Constructor
    Description
    DelegationTokenAuthenticationFilter()
     

  • Method Summary

    Modifier and Type
    Method
    Description
    protected void
    doFilter(javax.servlet.FilterChain filterChain, javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)
     
    protected Properties
    getConfiguration(String configPrefix, javax.servlet.FilterConfig filterConfig)
    It delegates to AuthenticationFilter.getConfiguration(String, FilterConfig) and then overrides the AuthenticationHandler to use if authentication type is set to simple or kerberos in order to use the corresponding implementation with delegation token support.
    protected Configuration
    getProxyuserConfiguration(javax.servlet.FilterConfig filterConfig)
    Returns the proxyuser configuration.
    void
    init(javax.servlet.FilterConfig filterConfig)
     
    protected void
    initializeAuthHandler(String authHandlerClassName, javax.servlet.FilterConfig filterConfig)
     
    protected void
    setAuthHandlerClass(Properties props)
    Set AUTH_TYPE property to the name of the corresponding authentication handler class based on the input properties.
    protected void
    setHandlerAuthMethod(SaslRpcServer.AuthMethod authMethod)
     

    Methods inherited from class org.apache.hadoop.security.authentication.server.AuthenticationFilter

    constructSecretProvider, createAuthCookie, destroy, doFilter, getAuthenticationHandler, getConfiguration, getCookieDomain, getCookiePath, getMaxInactiveInterval, getRequestURL, getToken, getValidity, initializeSecretProvider, isCookiePersistent, isCustomSignerSecretProvider, isRandomSecret, verifyTokenType

    Methods inherited from class java.lang.Object

    clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

  • Field Details

    • DELEGATION_TOKEN_SECRET_MANAGER_ATTR

      public static final String DELEGATION_TOKEN_SECRET_MANAGER_ATTR
      Sets an external DelegationTokenSecretManager instance to manage creation and verification of Delegation Tokens.

      This is useful for use cases where secrets must be shared across multiple services.

      See Also:

    • PROXYUSER_PREFIX

      public static final String PROXYUSER_PREFIX
      See Also:

  • Constructor Details

    • DelegationTokenAuthenticationFilter

      public DelegationTokenAuthenticationFilter()

  • Method Details

    • getConfiguration

      protected Properties getConfiguration(String configPrefix, javax.servlet.FilterConfig filterConfig) throws javax.servlet.ServletException
      It delegates to AuthenticationFilter.getConfiguration(String, FilterConfig) and then overrides the AuthenticationHandler to use if authentication type is set to simple or kerberos in order to use the corresponding implementation with delegation token support.
      Overrides:
      getConfiguration in class org.apache.hadoop.security.authentication.server.AuthenticationFilter
      Parameters:
      configPrefix - parameter not used.
      filterConfig - parameter not used.
      Returns:
      hadoop-auth de-prefixed configuration for the filter and handler.
      Throws:
      javax.servlet.ServletException

    • setAuthHandlerClass

      protected void setAuthHandlerClass(Properties props) throws javax.servlet.ServletException
      Set AUTH_TYPE property to the name of the corresponding authentication handler class based on the input properties.
      Parameters:
      props - input properties.
      Throws:
      javax.servlet.ServletException - servlet exception.

    • getProxyuserConfiguration

      protected Configuration getProxyuserConfiguration(javax.servlet.FilterConfig filterConfig) throws javax.servlet.ServletException
      Returns the proxyuser configuration. All returned properties must start with proxyuser.'

      Subclasses may override this method if the proxyuser configuration is read from other place than the filter init parameters.

      Parameters:
      filterConfig - filter configuration object
      Returns:
      the proxyuser configuration properties.
      Throws:
      javax.servlet.ServletException - thrown if the configuration could not be created.

    • init

      public void init(javax.servlet.FilterConfig filterConfig) throws javax.servlet.ServletException
      Specified by:
      init in interface javax.servlet.Filter
      Overrides:
      init in class org.apache.hadoop.security.authentication.server.AuthenticationFilter
      Throws:
      javax.servlet.ServletException

    • initializeAuthHandler

      protected void initializeAuthHandler(String authHandlerClassName, javax.servlet.FilterConfig filterConfig) throws javax.servlet.ServletException
      Overrides:
      initializeAuthHandler in class org.apache.hadoop.security.authentication.server.AuthenticationFilter
      Throws:
      javax.servlet.ServletException

    • setHandlerAuthMethod

      protected void setHandlerAuthMethod(SaslRpcServer.AuthMethod authMethod)

    • doFilter

      protected void doFilter(javax.servlet.FilterChain filterChain, javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response) throws IOException, javax.servlet.ServletException
      Overrides:
      doFilter in class org.apache.hadoop.security.authentication.server.AuthenticationFilter
      Throws:
      IOException
      javax.servlet.ServletException