Druid Extension to enable Authentication using Kerberos. #3853
Conversation
distribution/pom.xml
Outdated
| @@ -105,6 +105,8 @@ | |||
| <argument>-c</argument> | |||
| <argument>io.druid.extensions:postgresql-metadata-storage</argument> | |||
| <argument>${druid.distribution.pulldeps.opts}</argument> | |||
| <argument>-c</argument> | |||
| |`druid.hadoop.security.spnego.authToLocal`||It allows you to set a general rule for mapping principal names to local user names. It will be used if there is not an explicit mapping for the principal name that is being translated.|DEFAULT| | ||
| |`druid.hadoop.security.spnego.excludedPaths`|`['/status','/health']`| Array of HTTP paths which which does NOT need to be authenticated.|\["/status"]| | ||
|
|
||
| As a note, it is required that the SPNego principal in use by the druid nodes must have a primary of HTTP (where Kerberos principals are of the form primary\[/instance]@REALM). |
There was a problem hiding this comment.
not sure i am getting what does this mean ?
| <scope>test</scope> | ||
| </dependency> | ||
| <dependency> | ||
| <groupId>org.eclipse.jetty</groupId> |
- This PR adds an extension for supporting druid authentication via Kerberos. - Working on the docs.
nishantmonu51
force-pushed
the
kerberos-security
branch
from
d14997a to
c33e9c2
Compare
|
@b-slim Thanks for the review. handled review comments and resolved conflicts. |
| # Druid-Kerberos | ||
|
|
||
| Druid Extension to enable Authentication for Druid Nodes using Kerberos. | ||
| This extension adds AuthenticationFilter which is used to proect HTTP Endpoints using the simple and protected GSSAPI negotiation mechanism [SPNEGO](https://en.wikipedia.org/wiki/SPNEGO). |
|
|
||
| |Property|Possible Values|Description|Default| | ||
| |--------|---------------|-----------|-------| | ||
| |`druid.authentication.type`|kerberos||Must be set to 'kerberos' to enable kerberos authetication.|empty| |
There was a problem hiding this comment.
do we expect to have another type withing the same module ? not sure if this is needed i propose to turn it into a switch to turn it on/off druid.authentication.kerberos=true by default.
| |Property|Possible Values|Description|Default| | ||
| |--------|---------------|-----------|-------| | ||
| |`druid.authentication.type`|kerberos||Must be set to 'kerberos' to enable kerberos authetication.|empty| | ||
| |`druid.hadoop.security.kerberos.principal`|`[email protected]`| Principal user name, used for internal node communication|empty| |
There was a problem hiding this comment.
can we add a column to clear out what is required and not ?
| |`druid.hadoop.security.kerberos.keytab`|`/etc/security/keytabs/druid.headlessUser.keytab`|Path to keytab file used for internal node communication|empty| | ||
| |`druid.hadoop.security.spnego.principal`|`HTTP/[email protected]`| SPNego service principal used by druid nodes|empty| | ||
| |`druid.hadoop.security.spnego.keytab`|`/etc/security/keytabs/spnego.service.keytab`|SPNego service keytab|empty| | ||
| |`druid.hadoop.security.spnego.authToLocal`||It allows you to set a general rule for mapping principal names to local user names. It will be used if there is not an explicit mapping for the principal name that is being translated.|DEFAULT| |
There was a problem hiding this comment.
does this take a map of object ? can you give example please ?
| |`druid.hadoop.security.spnego.principal`|`HTTP/[email protected]`| SPNego service principal used by druid nodes|empty| | ||
| |`druid.hadoop.security.spnego.keytab`|`/etc/security/keytabs/spnego.service.keytab`|SPNego service keytab|empty| | ||
| |`druid.hadoop.security.spnego.authToLocal`||It allows you to set a general rule for mapping principal names to local user names. It will be used if there is not an explicit mapping for the principal name that is being translated.|DEFAULT| | ||
| |`druid.hadoop.security.spnego.excludedPaths`|`['/status','/health']`| Array of HTTP paths which which does NOT need to be authenticated.|\["/status"]| |
There was a problem hiding this comment.
not sure about this, usually the security guys like to block every thing by default. but it is ok if you like to have it open
There was a problem hiding this comment.
removed, by default all paths are authenticated now.
| private static final String PROPERTY_AUTH_TYPE = "druid.authentication.type"; | ||
| private static final String KERBEROS = "kerberos"; | ||
|
|
||
| @Inject |
There was a problem hiding this comment.
can we avoid injecting the properties ?
There was a problem hiding this comment.
I could not find a trivial way to avoid it, FWIW, I referenced this from SqlModule, there also we inject props, so maybe its ok ?
If not can you suggest an alternative ?
| binder.bind(HttpClient.class) | ||
| .annotatedWith(Client.class) | ||
| .toProvider(new KerberosHttpClientProvider(new HttpClientModule.HttpClientProvider(Client.class))) | ||
| .in(LazySingleton.class); |
There was a problem hiding this comment.
did you tested on Router i guess it is missing annotation @Router https://github.com/druid-io/druid/blob/35160e55953a476ca17b8676bf984a68a2a8f192/server/src/main/java/io/druid/server/AsyncQueryForwardingServlet.java#L115-L115
There was a problem hiding this comment.
made changes for Router, since it uses Jetty Http client instead of MMX, had to write another class for that,
| private boolean isKerberosSecurityEnabled() | ||
| { | ||
| Preconditions.checkNotNull(props, "props"); | ||
| return props.getProperty(PROPERTY_AUTH_TYPE, "").equalsIgnoreCase(KERBEROS); |
There was a problem hiding this comment.
as i said above this is more like true/false IMO.
There was a problem hiding this comment.
changed to boolean flag
| * under the License. | ||
| */ | ||
|
|
||
| package io.druid.kerberos; |
There was a problem hiding this comment.
nit i would call it io.druid.security.kerberos
| @Override | ||
| public String run() throws Exception | ||
| { | ||
| return kerberosChallenge(host); |
There was a problem hiding this comment.
not sure how this actually works but the question is it blocking ? can we cache the challenge key to avoid RPC comms for every call ?
There was a problem hiding this comment.
if you have multiple calls will this generate multiple tokens ? shouldn't make sure that we have unique token in case of concurrent requests ?
There was a problem hiding this comment.
@nishantmonu51 please this is an important one.
There was a problem hiding this comment.
this should not be blocking as user is already logged in using this realm.
Also checked how other projects implement this e.g -
https://github.com/prongs/apache-hive/blob/master/jdbc/src/java/org/apache/hive/jdbc/HttpKerberosRequestInterceptor.java
which has similar logic underneath.
as far as multi threading goes, Since the credentials are read from the Subject which is initiating the context. it should be safe to call this concurrently from multiple threads.
| @Override | ||
| public Map<String, String> getInitParameters() | ||
| { | ||
| System.out.println(config); |
| public static String kerberosChallenge(String server) throws GSSException | ||
| { | ||
| // This Oid for Kerberos GSS-API mechanism. | ||
| Oid mechOid = new Oid("1.2.840.113554.1.2.2"); |
There was a problem hiding this comment.
looking at Hadoop project looks like this is JVM dependent https://github.com/apache/hadoop/blob/916140604ffef59466ba30832478311d3e6249bd/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/util/KerberosUtil.java#L54-L54
There was a problem hiding this comment.
@nishantmonu51 this still the same.
| return kerberosChallenge(host); | ||
| } | ||
| }); | ||
| request.setHeader(HttpHeaders.Names.AUTHORIZATION, "Negotiate " + challenge); |
There was a problem hiding this comment.
looks like there is no Negotiation which means that there is no spenago in the picture at all ? i am i missing something ?
| Multibinder.newSetBinder(binder, ServletFilterHolder.class) | ||
| .addBinding() | ||
| .to(SpnegoFilterHolder.class); | ||
| JsonConfigProvider.bind(binder, "druid.global.http", DruidHttpClientConfig.class, Global.class); |
There was a problem hiding this comment.
not needed, removed.
| .toProvider(new KerberosHttpClientProvider(new HttpClientModule.HttpClientProvider(Global.class))) | ||
| .in(LazySingleton.class); | ||
|
|
||
| JsonConfigProvider.bind(binder, "druid.broker.http", DruidHttpClientConfig.class, Client.class); |
|
looks good to me besides existing comments. |
| { | ||
| ClassLoader prevLoader = Thread.currentThread().getContextClassLoader(); | ||
| try { | ||
| Thread.currentThread().setContextClassLoader(AuthenticationFilter.class.getClassLoader()); |
There was a problem hiding this comment.
do we need this ? can we add a comments why we need to switch the classloader ?
| Configuration conf = new Configuration(); | ||
| conf.set(CommonConfigurationKeysPublic.HADOOP_SECURITY_AUTHENTICATION, "kerberos"); | ||
| UserGroupInformation.setConfiguration(conf); | ||
| if (UserGroupInformation.isSecurityEnabled()) { |
There was a problem hiding this comment.
this seems to me it is using hadoop conf files to check of kerberos is enabled. would this still work in case we are not using hadoop config with druid ?
There was a problem hiding this comment.
So after digging into the hadoop code seems like you are setting conf.set(CommonConfigurationKeysPublic.HADOOP_SECURITY_AUTHENTICATION, "kerberos"); and then testing UserGroupInformation.isSecurityEnabled()) seems like this test will always return true. ??
There was a problem hiding this comment.
removed the check.
There was a problem hiding this comment.
@nishantmonu51t this seems to me it is using hadoop conf files to check of kerberos is enabled. would this still work in case we are not using hadoop config with druid ?
| private static final String KERBEROS_ENABLED = "druid.authentication.kerberos.enabled"; | ||
|
|
||
| @Inject | ||
| private Properties props; |
There was a problem hiding this comment.
If i am not wrong the only reason this is needed is to read the value of druid.authentication.kerberos.enabled.
IMO this is not need since if the user chose to add this extension to the list of loaded module it means they want it activated and if they don't all they have to do is to remove it from the list. So i guess it is fair to assume that there is no need for this flag and turn it on by adding it to the list.
There was a problem hiding this comment.
The extensions can also be loaded from classpath, so if someone adds the jar in classpath without wanting to enable authentication, It will be useful for such cases.
| |`druid.hadoop.security.spnego.principal`|`HTTP/[email protected]`| SPNego service principal used by druid nodes|empty|Yes| | ||
| |`druid.hadoop.security.spnego.keytab`|`/etc/security/keytabs/spnego.service.keytab`|SPNego service keytab|empty|Yes| | ||
| |`druid.hadoop.security.spnego.authToLocal`||It allows you to set a general rule for mapping principal names to local user names. It will be used if there is not an explicit mapping for the principal name that is being translated.|DEFAULT|No| | ||
| |`druid.hadoop.security.spnego.excludedPaths`|`['/status','/health']`| Array of HTTP paths which which does NOT need to be authenticated.|\["/status"]|No| |
There was a problem hiding this comment.
thought you said everything is blocked ?
|
Have you seen the lock used ?
https://github.com/prongs/apache-hive/blob/master/jdbc/src/java/org/apache/hive/jdbc/HttpKerberosRequestInterceptor.java#L61
--
B-Slim
_______/\/\/\_______/\/\/\_______/\/\/\_______/\/\/\_______/\/\/\_______
… On Jan 25, 2017, at 2:21 AM, Nishant Bangarwa ***@***.***> wrote:
@nishantmonu51 commented on this pull request.
In extensions-core/druid-kerberos/src/main/java/io/druid/kerberos/KerberosHttpClient.java <#3853>:
> +
+ @OverRide
+ public <Intermediate, Final> ListenableFuture<Final> go(
+ Request request, HttpResponseHandler<Intermediate, Final> httpResponseHandler, Duration duration
+ )
+ {
+ try {
+ final String host = request.getUrl().getHost();
+ authenticateIfRequired();
+ UserGroupInformation currentUser = UserGroupInformation.getCurrentUser();
+ String challenge = currentUser.doAs(new PrivilegedExceptionAction<String>()
+ {
+ @OverRide
+ public String run() throws Exception
+ {
+ return kerberosChallenge(host);
this should not be blocking as user is already logged in using this realm.
Also checked how other projects implement this e.g -
https://github.com/prongs/apache-hive/blob/master/jdbc/src/java/org/apache/hive/jdbc/HttpKerberosRequestInterceptor.java <https://github.com/prongs/apache-hive/blob/master/jdbc/src/java/org/apache/hive/jdbc/HttpKerberosRequestInterceptor.java>
which has similar logic underneath.
as far as multi threading goes, Since the credentials are read from the Subject which is initiating the context. it should be safe to call this concurrently from multiple threads.
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub <#3853>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AHCODK5Jh5w1whPHnn-GRxbgbAAUBLz8ks5rVyITgaJpZM4Lllrf>.
|
|
@b-slim: Nice catch, fixed the locking. |
|
@b-slim: Have added cookie handling and added more detailed docs to include curl commands and browser configs required to access coordinator and overlord console. |
| 3. Now you can access druid HTTP endpoints using curl command as follows - | ||
|
|
||
| ``` | ||
| curl --negotiate -u:anyUser -b ~/cookies.txt -c ~/cookies.txt -X POST -H'Content-Type: application/json' <HTTP_END_POINT> |
There was a problem hiding this comment.
can we mention that negotiate is needed only once ?
There was a problem hiding this comment.
IMO, user should always specify negotiate. Fwiw, adding this will not mean that authentication handshake will be always done.
Above curl command works like this -
- sends request to that to the server with the cookies for that domain if any.
- If the server accepts the cookie it will return a 200 OK
- If the cookie is found to be invalid (multiple reasons - someone restarted the server before the cookie expired, the cookie expired) It will send a response otherwise 401 Unauthorized.
- The client on receiving 401 now will perform the SPNego negotiate mechanism.
Will add comment about the use of cookies.
| @Override | ||
| public void configure(Binder binder) | ||
| { | ||
| JsonConfigProvider.bind(binder, "druid.hadoop.security.kerberos", DruidKerberosConfig.class); |
There was a problem hiding this comment.
nit: so fare we have HdfsKerberosConfig and HadoopKerberosConfig can we call this one AuthKerberosConfig or any other name that reflects the scope ?
| |`druid.hadoop.security.spnego.keytab`|`/etc/security/keytabs/spnego.service.keytab`|SPNego service keytab used by druid nodes|empty|Yes| | ||
| |`druid.hadoop.security.spnego.authToLocal`|`RULE:[1:$1@$0]([email protected])s/.*/druid DEFAULT`|It allows you to set a general rule for mapping principal names to local user names. It will be used if there is not an explicit mapping for the principal name that is being translated.|DEFAULT|No| | ||
| |`druid.hadoop.security.spnego.excludedPaths`|`['/status','/health']`| Array of HTTP paths which which does NOT need to be authenticated.|None|No| | ||
| |`druid.hadoop.security.spnego.cookieSignatureSecret`|`secretString`| Secret used to sign authentication cookies|<Random value>|No| |
There was a problem hiding this comment.
wondering : if we can get away with a random String why we need this config ?
There was a problem hiding this comment.
main reason is that the cookie specs does not guarantee isolation against port numbers.
e.g This is a sample cookie content from my host which does not have any port info-
druid-spnego-1.openstacklocal FALSE /druid/v2/ FALSE 0 hadoop.auth u=druid&[email protected]&t=kerberos&e=1486006717274&s=/pK2gDY6htUnS73Bo2DrwDSTh2Y=
so if you have multiple druid nodes running on same host using same paths and different signature (generated randomly instead of being explictly set ), user will keep doing token negotiation as cookie generated by one node will not be accepted by other node. setting the cookie signature ensures that this does not occur.
Have added more clarification in docs.
There was a problem hiding this comment.
@nishantmonu51 This is a very important information to add to the docs thought looks like it is mandetory to have it random if you have multiple process in the same machine.
| params.put(AuthenticationFilter.AUTH_TYPE, "kerberos"); | ||
| params.put("kerberos.name.rules", config.getAuthToLocal()); | ||
| if (config.getCookieSignatureSecret() != null) { | ||
| params.put("signature.secret", config.getCookieSignatureSecret()); |
There was a problem hiding this comment.
@nishantmonu51 not sure where the random string will be generated ?
There was a problem hiding this comment.
|
👍 |
|
@himanshug: Handled review comments from slim, Please check again. |
Druid Extension to enable Authentication for Druid Nodes using Kerberos.
It uses the simple and protected GSSAPI negotiation mechanism, SPNEGO(https://en.wikipedia.org/wiki/SPNEGO) for authentication via HTTP.
For internal node communication it also adds a wrapper around existing HTTP client to add GSSAPI authentication headers.