Google Git
Sign in
apache / knox / f7acac99b10064f6f992f3352d2446d6661fe373^! / .
commitf7acac99b10064f6f992f3352d2446d6661fe373[log] [tgz]
authorThomas Tauber-Marshall <tmarshall@cloudera.com>Wed Oct 09 08:58:32 2019 -0700
committerKevin Risden <risdenk@users.noreply.github.com>Wed Oct 09 11:58:32 2019 -0400
treeaf1790108bf5fad8d0c67e76e467bfab396ccacf
parentb5c6486db72030d269f75974bd282b3eec55549d [diff]
KNOX-2026 - Accept Impala's authentication cookies (#161)

This patch modifies HadoopAuthCookieStore to accept cookies with
Impala's cookie name, "impala.auth".

It also updates a check that is used to ensure the cookie belongs to
Knox - previously, this check parsed the cookie according to the
specific format that Hadoop uses for its cookies and ensures that the
Knox principal appears in the expected location.

Impala uses a similar cookie format, but with a few changes such as
fields being in a different order. The check is made more permissive
such that it will accept any cookie that contains the Knox principal
anywhere in it.

Testing:
- Deployed in a cluster and verified that Knox accepts and returns
  Impala's cookies as expected.
diff --git a/gateway-spi/src/main/java/org/apache/knox/gateway/dispatch/HadoopAuthCookieStore.java b/gateway-spi/src/main/java/org/apache/knox/gateway/dispatch/HadoopAuthCookieStore.java
index bd85617..522019b 100644
--- a/gateway-spi/src/main/java/org/apache/knox/gateway/dispatch/HadoopAuthCookieStore.java
+++ b/gateway-spi/src/main/java/org/apache/knox/gateway/dispatch/HadoopAuthCookieStore.java

@@ -38,6 +38,7 @@
 
   private static final String HADOOP_AUTH_COOKIE_NAME = "hadoop.auth";
   private static final String HIVE_SERVER2_AUTH_COOKIE_NAME = "hive.server2.auth";
+  private static final String IMPALA_AUTH_COOKIE_NAME = "impala.auth";
 
   private static String knoxPrincipal;
 
@@ -73,28 +74,21 @@
 
   private boolean isAuthCookie(Cookie cookie) {
     return HADOOP_AUTH_COOKIE_NAME.equals(cookie.getName()) ||
-               HIVE_SERVER2_AUTH_COOKIE_NAME.equals(cookie.getName());
+        HIVE_SERVER2_AUTH_COOKIE_NAME.equals(cookie.getName()) ||
+        IMPALA_AUTH_COOKIE_NAME.equals(cookie.getName());
   }
 
   private boolean isKnoxCookie(Cookie cookie) {
     boolean result = false;
 
+    // We expect cookies to be some delimited list of parameters, eg. username, principal,
+    // timestamp, random number, etc. along with an HMAC signature. To ensure we only
+    // store cookies that are relevant to Knox, we check that the Knox principal appears
+    // somewhere in the cookie value.
     if (cookie != null) {
       String value = cookie.getValue();
-      if (value != null && !value.isEmpty()) {
-        String principal = null;
-
-        String[] cookieParts = value.split("&");
-        if (cookieParts.length > 1) {
-          String[] elementParts = cookieParts[1].split("=");
-          if (elementParts.length == 2) {
-            principal = elementParts[1];
-          }
-
-          if (principal != null) {
-            result = principal.equals(knoxPrincipal);
-          }
-        }
+      if (value != null && value.contains(knoxPrincipal)) {
+        result = true;
       }
     }