Class MultiSchemeDelegationTokenAuthenticationHandler

java.lang.Object
org.apache.hadoop.security.token.delegation.web.DelegationTokenAuthenticationHandler
org.apache.hadoop.security.token.delegation.web.MultiSchemeDelegationTokenAuthenticationHandler
All Implemented Interfaces:
org.apache.hadoop.security.authentication.server.AuthenticationHandler, org.apache.hadoop.security.authentication.server.CompositeAuthenticationHandler

@Private @Evolving public class MultiSchemeDelegationTokenAuthenticationHandler extends DelegationTokenAuthenticationHandler implements org.apache.hadoop.security.authentication.server.CompositeAuthenticationHandler
A CompositeAuthenticationHandler that supports multiple HTTP authentication schemes along with Delegation Token functionality. For example, a server can support multiple authentication mechanisms such as Kerberos (SPNEGO) and LDAP. During the authentication phase, the server specifies all possible authentication schemes and lets the client choose the appropriate one. Please refer to RFC-2616 and HADOOP-12082 for more details. Internally it uses the MultiSchemeAuthenticationHandler implementation. This handler also provides an option to enable delegation token management functionality for only a specified subset of authentication schemes. This is required to ensure that only the schemes with the strongest level of security are used for delegation token management.

In addition to the wrapped AuthenticationHandler configuration properties, this handler supports the following properties prefixed with the type of the wrapped AuthenticationHandler:

  • delegation-token.token-kind: the token kind for generated tokens (no default, required property).
  • delegation-token.update-interval.sec: secret manager master key update interval in seconds (default 1 day).
  • delegation-token.max-lifetime.sec: maximum life of a delegation token in seconds (default 7 days).
  • delegation-token.renewal-interval.sec: renewal interval for delegation tokens in seconds (default 1 day).
  • delegation-token.removal-scan-interval.sec: delegation tokens removal scan interval in seconds (default 1 hour).
  • delegation.http.schemes: a comma-separated list of HTTP authentication schemes (e.g. Negotiate, Basic) allowed for delegation token management operations.
  • Constructor Details

    • MultiSchemeDelegationTokenAuthenticationHandler

      public MultiSchemeDelegationTokenAuthenticationHandler()
  • Method Details

    • getTokenTypes

      public Collection<String> getTokenTypes()
      Specified by:
      getTokenTypes in interface org.apache.hadoop.security.authentication.server.CompositeAuthenticationHandler
    • init

      public void init(Properties config) throws javax.servlet.ServletException
      Specified by:
      init in interface org.apache.hadoop.security.authentication.server.AuthenticationHandler
      Overrides:
      init in class DelegationTokenAuthenticationHandler
      Throws:
      javax.servlet.ServletException
    • authenticate

      public org.apache.hadoop.security.authentication.server.AuthenticationToken authenticate(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response) throws IOException, org.apache.hadoop.security.authentication.client.AuthenticationException
      This method is overridden to restrict the HTTP authentication schemes available for delegation token management functionality. The authentication schemes to be used for delegation token management are configured using DELEGATION_TOKEN_SCHEMES_PROPERTY. The basic logic is as follows:
      • Check whether the current request is for delegation token management.
      • If yes, check whether the request contains an "Authorization" header. If it is missing, return an HTTP 401 response with a WWW-Authenticate header for each scheme configured for delegation token management.
      • A client may also preemptively send an Authorization header for a scheme that is not configured for delegation token management. This case is detected and answered with the same HTTP 401 response, carrying a WWW-Authenticate header for each scheme configured for delegation token management.
      • If the client has sent an "Authorization" header for a scheme that is configured for delegation token management, the request is forwarded to the underlying MultiSchemeAuthenticationHandler for actual authentication.
      • All other requests (i.e. those not related to delegation token management) are forwarded to the underlying MultiSchemeAuthenticationHandler for actual authentication.
      Specified by:
      authenticate in interface org.apache.hadoop.security.authentication.server.AuthenticationHandler
      Overrides:
      authenticate in class DelegationTokenAuthenticationHandler
      Parameters:
      request - the HTTP client request.
      response - the HTTP client response.
      Returns:
      the authentication token for the authenticated request.
      Throws:
      IOException - thrown if an IO error occurred.
      org.apache.hadoop.security.authentication.client.AuthenticationException - thrown if the authentication failed.
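The gatekeeping described for authenticate(), together with the delegation.http.schemes list from the configuration section, modelled as a small added Python example; this is not Hadoop's code. It assumes that a token management request is identified by an "op" query parameter naming a delegation token operation (as in Hadoop's HTTP delegation token API) and that the wrapped MultiSchemeAuthenticationHandler is represented only by a "forwarded" flag; the sample requests are constructed.

```python
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import parse_qs, urlparse

# Assumption: token management requests carry one of these values in the
# "op" query parameter, mirroring Hadoop's HTTP delegation token API.
DT_OPERATIONS = {"GETDELEGATIONTOKEN", "RENEWDELEGATIONTOKEN", "CANCELDELEGATIONTOKEN"}


@dataclass
class Request:
    url: str
    headers: dict = field(default_factory=dict)


@dataclass
class Decision:
    status: int        # 401 when the handler challenges, 0 when it forwards
    challenges: list   # one WWW-Authenticate value per configured scheme
    forwarded: bool    # True when handed to the wrapped multi-scheme handler


def is_token_management(req: Request) -> bool:
    op = parse_qs(urlparse(req.url).query).get("op", [""])[0]
    return op.upper() in DT_OPERATIONS


def request_scheme(req: Request) -> Optional[str]:
    """Auth-scheme token from the Authorization header, or None if absent."""
    value = req.headers.get("Authorization")
    return value.split(None, 1)[0] if value else None


def authenticate(req: Request, dt_schemes: list) -> Decision:
    """Model of the decision flow documented for authenticate()."""
    if not is_token_management(req):
        # Not a token management request: forward unconditionally.
        return Decision(0, [], True)
    scheme = request_scheme(req)
    # Auth-scheme names are case-insensitive tokens (RFC 2616).
    allowed = {s.lower() for s in dt_schemes}
    if scheme is None or scheme.lower() not in allowed:
        # Missing header, or a preemptive header for a scheme that is not
        # allowed for token management: challenge with every allowed scheme.
        return Decision(401, list(dt_schemes), False)
    return Decision(0, [], True)


if __name__ == "__main__":
    # Constructed sample: Basic is accepted for data access but not for tokens.
    schemes = ["Negotiate"]
    for url, hdrs in [("/webhdfs/v1/?op=GETDELEGATIONTOKEN", {}),
                      ("/webhdfs/v1/?op=GETDELEGATIONTOKEN", {"Authorization": "Basic dXNlcjpwdw=="}),
                      ("/webhdfs/v1/?op=LISTSTATUS", {"Authorization": "Basic dXNlcjpwdw=="})]:
        print(url, hdrs, "->", authenticate(Request(url, hdrs), schemes))
```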