KNOX-2026 - Accept Impala's authentication cookies (#161)
This patch modifies HadoopAuthCookieStore to accept cookies with
Impala's cookie name, "impala.auth".
It also updates a check that is used to ensure the cookie belongs to
Knox - previously, this check parsed the cookie according to the
specific format that Hadoop uses for its cookies and ensures that the
Knox principal appears in the expected location.
Impala uses a similar cookie format, but with a few changes such as
fields being in a different order. The check is made more permissive
such that it will accept any cookie that contains the Knox principal
anywhere in it.
Testing:
- Deployed in a cluster and verified that Knox accepts and returns
Impala's cookies as expected.
diff --git a/gateway-spi/src/main/java/org/apache/knox/gateway/dispatch/HadoopAuthCookieStore.java b/gateway-spi/src/main/java/org/apache/knox/gateway/dispatch/HadoopAuthCookieStore.java
index bd85617..522019b 100644
--- a/gateway-spi/src/main/java/org/apache/knox/gateway/dispatch/HadoopAuthCookieStore.java
+++ b/gateway-spi/src/main/java/org/apache/knox/gateway/dispatch/HadoopAuthCookieStore.java
@@ -38,6 +38,7 @@
private static final String HADOOP_AUTH_COOKIE_NAME = "hadoop.auth";
private static final String HIVE_SERVER2_AUTH_COOKIE_NAME = "hive.server2.auth";
+ private static final String IMPALA_AUTH_COOKIE_NAME = "impala.auth";
private static String knoxPrincipal;
@@ -73,28 +74,21 @@
private boolean isAuthCookie(Cookie cookie) {
return HADOOP_AUTH_COOKIE_NAME.equals(cookie.getName()) ||
- HIVE_SERVER2_AUTH_COOKIE_NAME.equals(cookie.getName());
+ HIVE_SERVER2_AUTH_COOKIE_NAME.equals(cookie.getName()) ||
+ IMPALA_AUTH_COOKIE_NAME.equals(cookie.getName());
}
private boolean isKnoxCookie(Cookie cookie) {
boolean result = false;
+ // We expect cookies to be some delimited list of parameters, eg. username, principal,
+ // timestamp, random number, etc. along with an HMAC signature. To ensure we only
+ // store cookies that are relevant to Knox, we check that the Knox principal appears
+ // somewhere in the cookie value.
if (cookie != null) {
String value = cookie.getValue();
- if (value != null && !value.isEmpty()) {
- String principal = null;
-
- String[] cookieParts = value.split("&");
- if (cookieParts.length > 1) {
- String[] elementParts = cookieParts[1].split("=");
- if (elementParts.length == 2) {
- principal = elementParts[1];
- }
-
- if (principal != null) {
- result = principal.equals(knoxPrincipal);
- }
- }
+ if (value != null && value.contains(knoxPrincipal)) {
+ result = true;
}
}