From 8ae644a7e562168c45a511061296158878cf03f7 Mon Sep 17 00:00:00 2001 From: Jonathan Wei Date: Fri, 2 Feb 2018 10:43:02 -0800 Subject: [PATCH] Remove Escalator jetty http client escalation method (#5322) --- .../authentication/BasicHTTPEscalator.java | 52 -------------- .../security/kerberos/KerberosEscalator.java | 72 ------------------- .../server/AsyncQueryForwardingServlet.java | 17 +++-- .../AuthorizerMapperModule.java | 11 ++- .../io/druid/server/security/Escalator.java | 12 ---- .../druid/server/security/NoopEscalator.java | 6 -- .../AsyncQueryForwardingServletTest.java | 4 +- 7 files changed, 19 insertions(+), 155 deletions(-) diff --git a/extensions-core/druid-basic-security/src/main/java/io/druid/security/basic/authentication/BasicHTTPEscalator.java b/extensions-core/druid-basic-security/src/main/java/io/druid/security/basic/authentication/BasicHTTPEscalator.java index 2eb73a23bf20..4029537f5499 100644 --- a/extensions-core/druid-basic-security/src/main/java/io/druid/security/basic/authentication/BasicHTTPEscalator.java +++ b/extensions-core/druid-basic-security/src/main/java/io/druid/security/basic/authentication/BasicHTTPEscalator.java @@ -22,21 +22,11 @@ import com.fasterxml.jackson.annotation.JsonCreator; import com.fasterxml.jackson.annotation.JsonProperty; import com.fasterxml.jackson.annotation.JsonTypeName; -import com.google.common.base.Throwables; import com.metamx.http.client.CredentialedHttpClient; import com.metamx.http.client.HttpClient; import com.metamx.http.client.auth.BasicCredentials; -import io.druid.java.util.common.StringUtils; -import io.druid.security.basic.BasicAuthUtils; import io.druid.server.security.AuthenticationResult; import io.druid.server.security.Escalator; -import org.eclipse.jetty.client.api.Authentication; -import org.eclipse.jetty.client.api.ContentResponse; -import org.eclipse.jetty.client.api.Request; -import org.eclipse.jetty.util.Attributes; -import org.jboss.netty.handler.codec.http.HttpHeaders; - -import java.net.URI; @JsonTypeName("basic") public class BasicHTTPEscalator implements Escalator @@ -66,48 +56,6 @@ public HttpClient createEscalatedClient(HttpClient baseClient) ); } - @Override - public org.eclipse.jetty.client.HttpClient createEscalatedJettyClient(org.eclipse.jetty.client.HttpClient baseClient) - { - baseClient.getAuthenticationStore().addAuthentication(new Authentication() - { - @Override - public boolean matches(String type, URI uri, String realm) - { - return true; - } - - @Override - public Result authenticate( - final Request request, ContentResponse response, Authentication.HeaderInfo headerInfo, Attributes context - ) - { - return new Result() - { - @Override - public URI getURI() - { - return request.getURI(); - } - - @Override - public void apply(Request request) - { - try { - final String unencodedCreds = StringUtils.format("%s:%s", internalClientUsername, internalClientPassword); - final String base64Creds = BasicAuthUtils.getEncodedCredentials(unencodedCreds); - request.getHeaders().add(HttpHeaders.Names.AUTHORIZATION, "Basic " + base64Creds); - } - catch (Throwable e) { - Throwables.propagate(e); - } - } - }; - } - }); - return baseClient; - } - @Override public AuthenticationResult createEscalatedAuthenticationResult() { diff --git a/extensions-core/druid-kerberos/src/main/java/io/druid/security/kerberos/KerberosEscalator.java b/extensions-core/druid-kerberos/src/main/java/io/druid/security/kerberos/KerberosEscalator.java index e995233a23c2..887b5296d04e 100644 --- a/extensions-core/druid-kerberos/src/main/java/io/druid/security/kerberos/KerberosEscalator.java +++ b/extensions-core/druid-kerberos/src/main/java/io/druid/security/kerberos/KerberosEscalator.java @@ -22,20 +22,10 @@ import com.fasterxml.jackson.annotation.JsonCreator; import com.fasterxml.jackson.annotation.JsonProperty; import com.fasterxml.jackson.annotation.JsonTypeName; -import com.google.common.base.Throwables; import com.metamx.http.client.HttpClient; import io.druid.java.util.common.logger.Logger; import io.druid.server.security.AuthenticationResult; import io.druid.server.security.Escalator; -import org.apache.hadoop.security.UserGroupInformation; -import org.eclipse.jetty.client.api.Authentication; -import org.eclipse.jetty.client.api.ContentResponse; -import org.eclipse.jetty.client.api.Request; -import org.eclipse.jetty.util.Attributes; -import org.jboss.netty.handler.codec.http.HttpHeaders; - -import java.net.URI; -import java.security.PrivilegedExceptionAction; @JsonTypeName("kerberos") public class KerberosEscalator implements Escalator @@ -64,68 +54,6 @@ public HttpClient createEscalatedClient(HttpClient baseClient) return new KerberosHttpClient(baseClient, internalClientPrincipal, internalClientKeytab); } - @Override - public org.eclipse.jetty.client.HttpClient createEscalatedJettyClient(org.eclipse.jetty.client.HttpClient baseClient) - { - baseClient.getAuthenticationStore().addAuthentication(new Authentication() - { - @Override - public boolean matches(String type, URI uri, String realm) - { - return true; - } - - @Override - public Result authenticate( - final Request request, ContentResponse response, Authentication.HeaderInfo headerInfo, Attributes context - ) - { - return new Result() - { - @Override - public URI getURI() - { - return request.getURI(); - } - - @Override - public void apply(Request request) - { - try { - // No need to set cookies as they are handled by Jetty Http Client itself. - URI uri = request.getURI(); - if (DruidKerberosUtil.needToSendCredentials(baseClient.getCookieStore(), uri)) { - log.debug( - "No Auth Cookie found for URI[%s]. Existing Cookies[%s] Authenticating... ", - uri, - baseClient.getCookieStore().getCookies() - ); - final String host = request.getHost(); - DruidKerberosUtil.authenticateIfRequired(internalClientPrincipal, internalClientKeytab); - UserGroupInformation currentUser = UserGroupInformation.getCurrentUser(); - String challenge = currentUser.doAs(new PrivilegedExceptionAction() - { - @Override - public String run() throws Exception - { - return DruidKerberosUtil.kerberosChallenge(host); - } - }); - request.getHeaders().add(HttpHeaders.Names.AUTHORIZATION, "Negotiate " + challenge); - } else { - log.debug("Found Auth Cookie found for URI[%s].", uri); - } - } - catch (Throwable e) { - Throwables.propagate(e); - } - } - }; - } - }); - return baseClient; - } - @Override public AuthenticationResult createEscalatedAuthenticationResult() { diff --git a/server/src/main/java/io/druid/server/AsyncQueryForwardingServlet.java b/server/src/main/java/io/druid/server/AsyncQueryForwardingServlet.java index f864a062740b..ebe1b13c67f3 100644 --- a/server/src/main/java/io/druid/server/AsyncQueryForwardingServlet.java +++ b/server/src/main/java/io/druid/server/AsyncQueryForwardingServlet.java @@ -44,7 +44,6 @@ import io.druid.server.router.QueryHostFinder; import io.druid.server.router.Router; import io.druid.server.security.AuthConfig; -import io.druid.server.security.Escalator; import org.apache.http.client.utils.URIBuilder; import org.eclipse.jetty.client.HttpClient; import org.eclipse.jetty.client.api.Request; @@ -112,7 +111,6 @@ private static void handleException(HttpServletResponse response, ObjectMapper o private final ServiceEmitter emitter; private final RequestLogger requestLogger; private final GenericQueryMetricsFactory queryMetricsFactory; - private final Escalator escalator; private HttpClient broadcastClient; @@ -126,8 +124,7 @@ public AsyncQueryForwardingServlet( @Router DruidHttpClientConfig httpClientConfig, ServiceEmitter emitter, RequestLogger requestLogger, - GenericQueryMetricsFactory queryMetricsFactory, - Escalator escalator + GenericQueryMetricsFactory queryMetricsFactory ) { this.warehouse = warehouse; @@ -139,7 +136,6 @@ public AsyncQueryForwardingServlet( this.emitter = emitter; this.requestLogger = requestLogger; this.queryMetricsFactory = queryMetricsFactory; - this.escalator = escalator; } @Override @@ -213,11 +209,14 @@ protected void service(HttpServletRequest request, HttpServletResponse response) ); } }; - broadcastClient + + Request broadcastReq = broadcastClient .newRequest(rewriteURI(request, server.getScheme(), server.getHost())) .method(HttpMethod.DELETE) - .timeout(CANCELLATION_TIMEOUT_MILLIS, TimeUnit.MILLISECONDS) - .send(completeListener); + .timeout(CANCELLATION_TIMEOUT_MILLIS, TimeUnit.MILLISECONDS); + + copyRequestHeaders(request, broadcastReq); + broadcastReq.send(completeListener); } interruptedQueryCount.incrementAndGet(); } @@ -347,7 +346,7 @@ protected static URI makeURI(String scheme, String host, String requestURI, Stri @Override protected HttpClient newHttpClient() { - return escalator.createEscalatedJettyClient(httpClientProvider.get()); + return httpClientProvider.get(); } @Override diff --git a/server/src/main/java/io/druid/server/initialization/AuthorizerMapperModule.java b/server/src/main/java/io/druid/server/initialization/AuthorizerMapperModule.java index 4ba019550833..7a5b17a484b2 100644 --- a/server/src/main/java/io/druid/server/initialization/AuthorizerMapperModule.java +++ b/server/src/main/java/io/druid/server/initialization/AuthorizerMapperModule.java @@ -95,11 +95,20 @@ public AuthorizerMapper get() // Default is allow all if (authorizers == null) { + AllowAllAuthorizer allowAllAuthorizer = new AllowAllAuthorizer(); + authorizerMap.put(AuthConfig.ALLOW_ALL_NAME, allowAllAuthorizer); + return new AuthorizerMapper(null) { @Override public Authorizer getAuthorizer(String name) { - return new AllowAllAuthorizer(); + return allowAllAuthorizer; + } + + @Override + public Map getAuthorizerMap() + { + return authorizerMap; } }; } diff --git a/server/src/main/java/io/druid/server/security/Escalator.java b/server/src/main/java/io/druid/server/security/Escalator.java index c3a9c19aa7d5..67b64363cf38 100644 --- a/server/src/main/java/io/druid/server/security/Escalator.java +++ b/server/src/main/java/io/druid/server/security/Escalator.java @@ -46,18 +46,6 @@ public interface Escalator */ HttpClient createEscalatedClient(HttpClient baseClient); - /** - * Return a client that sends requests with the format/information necessary to authenticate successfully - * against this Authenticator's authentication scheme using the identity of the internal system user. - *

- * This HTTP client is used by the Druid Router node. - * - * @param baseClient Base Jetty HttpClient - * - * @return Jetty HttpClient that sends requests with the credentials of the internal system user - */ - org.eclipse.jetty.client.HttpClient createEscalatedJettyClient(org.eclipse.jetty.client.HttpClient baseClient); - /** * @return an AuthenticationResult representing the identity of the internal system user. */ diff --git a/server/src/main/java/io/druid/server/security/NoopEscalator.java b/server/src/main/java/io/druid/server/security/NoopEscalator.java index 583d12dc249a..970c8eb07d70 100644 --- a/server/src/main/java/io/druid/server/security/NoopEscalator.java +++ b/server/src/main/java/io/druid/server/security/NoopEscalator.java @@ -29,12 +29,6 @@ public HttpClient createEscalatedClient(HttpClient baseClient) return baseClient; } - @Override - public org.eclipse.jetty.client.HttpClient createEscalatedJettyClient(org.eclipse.jetty.client.HttpClient baseClient) - { - return baseClient; - } - @Override public AuthenticationResult createEscalatedAuthenticationResult() { diff --git a/server/src/test/java/io/druid/server/AsyncQueryForwardingServletTest.java b/server/src/test/java/io/druid/server/AsyncQueryForwardingServletTest.java index 9fcf4736fed1..4118e7ae4f98 100644 --- a/server/src/test/java/io/druid/server/AsyncQueryForwardingServletTest.java +++ b/server/src/test/java/io/druid/server/AsyncQueryForwardingServletTest.java @@ -54,7 +54,6 @@ import io.druid.server.security.AllowAllAuthorizer; import io.druid.server.security.Authorizer; import io.druid.server.security.AuthorizerMapper; -import io.druid.server.security.NoopEscalator; import org.eclipse.jetty.client.HttpClient; import org.eclipse.jetty.server.Handler; import org.eclipse.jetty.server.Server; @@ -252,8 +251,7 @@ public void log(RequestLogLine requestLogLine) throws IOException // noop } }, - new DefaultGenericQueryMetricsFactory(jsonMapper), - new NoopEscalator() + new DefaultGenericQueryMetricsFactory(jsonMapper) ) { @Override