PHOENIX-5393 Add _HOST expansion to SPNEGO login
Closes #6
diff --git a/queryserver/src/main/java/org/apache/phoenix/queryserver/server/QueryServer.java b/queryserver/src/main/java/org/apache/phoenix/queryserver/server/QueryServer.java
index 4766394..5f39362 100644
--- a/queryserver/src/main/java/org/apache/phoenix/queryserver/server/QueryServer.java
+++ b/queryserver/src/main/java/org/apache/phoenix/queryserver/server/QueryServer.java
@@ -286,18 +286,12 @@
}
@VisibleForTesting
- void configureSpnegoAuthentication(HttpServer.Builder builder, UserGroupInformation ugi) {
+ void configureSpnegoAuthentication(HttpServer.Builder builder, UserGroupInformation ugi) throws IOException {
String keytabPath = getConf().get(QueryServices.QUERY_SERVER_KEYTAB_FILENAME_ATTRIB);
File keytab = new File(keytabPath);
String httpKeytabPath =
getConf().get(QueryServices.QUERY_SERVER_HTTP_KEYTAB_FILENAME_ATTRIB, null);
- String httpPrincipal =
- getConf().get(QueryServices.QUERY_SERVER_KERBEROS_HTTP_PRINCIPAL_ATTRIB, null);
- // Backwards compat for a configuration key change
- if (httpPrincipal == null) {
- httpPrincipal =
- getConf().get(QueryServices.QUERY_SERVER_KERBEROS_HTTP_PRINCIPAL_ATTRIB_LEGACY, null);
- }
+ String httpPrincipal = getSpnegoPrincipal(getConf());
File httpKeytab = null;
if (null != httpKeytabPath) {
httpKeytab = new File(httpKeytabPath);
@@ -316,6 +310,26 @@
}
}
+ /**
+ * Returns the Kerberos principal to use for SPNEGO, substituting {@code _HOST}
+ * if it is present as the "instance" component of the Kerberos principal. It returns
+ * the configured principal as-is if {@code _HOST} is not the "instance".
+ */
+ String getSpnegoPrincipal(Configuration conf) throws IOException {
+ String httpPrincipal = conf.get(
+ QueryServices.QUERY_SERVER_KERBEROS_HTTP_PRINCIPAL_ATTRIB, null);
+ // Backwards compat for a configuration key change
+ if (httpPrincipal == null) {
+ httpPrincipal = conf.get(
+ QueryServices.QUERY_SERVER_KERBEROS_HTTP_PRINCIPAL_ATTRIB_LEGACY, null);
+ }
+
+ String hostname = Strings.domainNamePointerToHostName(DNS.getDefaultHost(
+ conf.get(QueryServices.QUERY_SERVER_DNS_INTERFACE_ATTRIB, "default"),
+ conf.get(QueryServices.QUERY_SERVER_DNS_NAMESERVER_ATTRIB, "default")));
+ return SecurityUtil.getServerPrincipal(httpPrincipal, hostname);
+ }
+
@VisibleForTesting
UserGroupInformation getUserGroupInformation() throws IOException {
UserGroupInformation ugi = UserGroupInformation.getCurrentUser();
diff --git a/queryserver/src/test/java/org/apache/phoenix/queryserver/server/QueryServerTest.java b/queryserver/src/test/java/org/apache/phoenix/queryserver/server/QueryServerTest.java
new file mode 100644
index 0000000..243e713
--- /dev/null
+++ b/queryserver/src/test/java/org/apache/phoenix/queryserver/server/QueryServerTest.java
@@ -0,0 +1,75 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.phoenix.queryserver.server;
+
+import static org.junit.Assert.assertEquals;
+
+import java.io.IOException;
+import java.net.InetAddress;
+
+import org.apache.hadoop.conf.Configuration;
+import org.apache.phoenix.query.QueryServices;
+import org.junit.Before;
+import org.junit.BeforeClass;
+import org.junit.Test;
+
+public class QueryServerTest {
+
+ private static String getSpnegoPrincipal(String instance) {
+ return "HTTP/" + instance + "@EXAMPLE.COM";
+ }
+
+ private static String EXPECTED_HOSTNAME;
+ private QueryServer qs;
+ private Configuration conf;
+
+ @BeforeClass
+ public static void setupOnce() throws IOException {
+ EXPECTED_HOSTNAME = InetAddress.getLocalHost().getCanonicalHostName();
+ }
+
+ @Before
+ public void setup() {
+ this.conf = new Configuration(false);
+ this.qs = new QueryServer();
+ }
+
+ @Test
+ public void testHostExpansion() throws IOException {
+ conf.set(QueryServices.QUERY_SERVER_KERBEROS_HTTP_PRINCIPAL_ATTRIB, getSpnegoPrincipal("_HOST"));
+
+ assertEquals(getSpnegoPrincipal(EXPECTED_HOSTNAME), qs.getSpnegoPrincipal(conf));
+ }
+
+ @Test
+ public void testHostExpansionWithOldName() throws IOException {
+ conf.set(QueryServices.QUERY_SERVER_KERBEROS_HTTP_PRINCIPAL_ATTRIB_LEGACY, getSpnegoPrincipal("_HOST"));
+
+ assertEquals(getSpnegoPrincipal(EXPECTED_HOSTNAME), qs.getSpnegoPrincipal(conf));
+ }
+
+ @Test
+ public void testHostExpansionWithOldAndNewNames() throws IOException {
+ conf.set(QueryServices.QUERY_SERVER_KERBEROS_HTTP_PRINCIPAL_ATTRIB, getSpnegoPrincipal("_HOST"));
+ // When we provide both names, the new property should take priority
+ conf.set(QueryServices.QUERY_SERVER_KERBEROS_HTTP_PRINCIPAL_ATTRIB_LEGACY, "fake_" + getSpnegoPrincipal("_HOST"));
+
+ assertEquals(getSpnegoPrincipal(EXPECTED_HOSTNAME), qs.getSpnegoPrincipal(conf));
+ }
+
+}
