/**
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.apache.falcon.security;
import org.apache.falcon.regression.core.util.KerberosHelper;
import org.apache.falcon.request.BaseRequest;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.authentication.client.AuthenticatedURL;
import org.apache.hadoop.security.authentication.client.AuthenticationException;
import org.apache.hadoop.security.authentication.client.KerberosAuthenticator;
import org.apache.hadoop.security.authentication.client.PseudoAuthenticator;
import org.apache.log4j.Logger;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLSession;
import java.io.IOException;
import java.net.URL;
import java.security.PrivilegedExceptionAction;
import java.util.concurrent.ConcurrentHashMap;
/** Class for obtaining authorization token. */
public final class FalconAuthorizationToken {
private static final String AUTH_URL = "api/options";
private static final KerberosAuthenticator AUTHENTICATOR = new KerberosAuthenticator();
private static final FalconAuthorizationToken INSTANCE = new FalconAuthorizationToken();
private static final Logger LOGGER = Logger.getLogger(FalconAuthorizationToken.class);
// Use a hashmap so that we can cache the tokens.
private final ConcurrentHashMap<String, AuthenticatedURL.Token> tokens =
new ConcurrentHashMap<>();
private FalconAuthorizationToken() {
}
public static final HostnameVerifier ALL_TRUSTING_HOSTNAME_VERIFIER = new HostnameVerifier() {
@Override
public boolean verify(String hostname, SSLSession sslSession) {
return true;
}
};
private static void authenticate(String user, String protocol, String host, int port)
throws IOException, AuthenticationException, InterruptedException {
final URL url = new URL(String.format("%s://%s:%d/%s", protocol, host, port,
AUTH_URL + "?" + PseudoAuthenticator.USER_NAME + "=" + user));
LOGGER.info("Authorize using url: " + url.toString());
final AuthenticatedURL.Token currentToken = new AuthenticatedURL.Token();
/*using KerberosAuthenticator which falls back to PsuedoAuthenticator
instead of passing authentication type from the command line - bad factory*/
try {
HttpsURLConnection.setDefaultSSLSocketFactory(BaseRequest.getSslContext()
.getSocketFactory());
} catch (Exception e) {
throw new RuntimeException(e);
}
HttpsURLConnection.setDefaultHostnameVerifier(ALL_TRUSTING_HOSTNAME_VERIFIER);
UserGroupInformation callerUGI = KerberosHelper.getUGI(user);
callerUGI.doAs(new PrivilegedExceptionAction<Void>() {
@Override
public Void run() throws Exception {
new AuthenticatedURL(AUTHENTICATOR).openConnection(url, currentToken);
return null;
}
});
String key = getKey(user, protocol, host, port);
// initialize a hash map if its null.
LOGGER.info("Authorization Token: " + currentToken.toString());
INSTANCE.tokens.put(key, currentToken);
}
public static AuthenticatedURL.Token getToken(String user, String protocol, String host,
int port, boolean overWrite)
throws IOException, AuthenticationException, InterruptedException {
String key = getKey(user, protocol, host, port);
/*if the tokens are null or if token is not found then we will go ahead and authenticate
or if we are asked to overwrite*/
if (!INSTANCE.tokens.containsKey(key) || overWrite) {
authenticate(user, protocol, host, port);
}
return INSTANCE.tokens.get(key);
}
public static AuthenticatedURL.Token getToken(String user, String protocol, String host,
int port)
throws IOException, AuthenticationException, InterruptedException {
return getToken(user, protocol, host, port, false);
}
/*spnego token will be unique to the user and uri its being requested for.
Hence the key of the hash map is the combination of user, protocol, host and port.*/
private static String getKey(String user, String protocol, String host, int port) {
return String.format("%s-%s-%s-%d", user, protocol, host, port);
}
}