From 044715deef04e531902ac278685f46dcd075f54d Mon Sep 17 00:00:00 2001 From: Xiaoyu Yao Date: Fri, 19 Jun 2020 19:43:29 -0700 Subject: [PATCH 1/3] HDDS-3821. Disable Ozone SPNEGO should not fall back to hadoop.http.authentication configuration. --- .../docs/content/security/SecureOzone.md | 20 +-- .../content/security/SecuringOzoneHTTP.md | 141 ++++++++++++++++++ .../hdds/server/http/BaseHttpServer.java | 4 +- .../hadoop/hdds/server/http/HttpServer2.java | 24 +-- 4 files changed, 169 insertions(+), 20 deletions(-) create mode 100644 hadoop-hdds/docs/content/security/SecuringOzoneHTTP.md diff --git a/hadoop-hdds/docs/content/security/SecureOzone.md b/hadoop-hdds/docs/content/security/SecureOzone.md index 7d3693e6d81..d49dfe9db7d 100644 --- a/hadoop-hdds/docs/content/security/SecureOzone.md +++ b/hadoop-hdds/docs/content/security/SecureOzone.md @@ -100,12 +100,12 @@ All these settings should be made in ozone-site.xml. The keytab file used by SCM daemon to login as its service principal. - hdds.scm.http.kerberos.principal - SCM http server service principal. + hdds.scm.http.auth.kerberos.principal + SCM http server service principal if SPNEGO is enabled for SCM http server. - hdds.scm.http.kerberos.keytab - The keytab file used by SCM http server to login as its service principal. + hdds.scm.http.auth.kerberos.keytab + The keytab file used by SCM http server to login as its service principal if SPNEGO is enabled for SCM http server 
@@ -136,12 +136,12 @@ All these settings should be made in ozone-site.xml. TThe keytab file used by SCM daemon to login as its service principal. - ozone.om.http.kerberos.principal - Ozone Manager http server service principal. + ozone.om.http.auth.kerberos.principal + Ozone Manager http server service principal if SPNEGO is enabled for om http server. - ozone.om.http.kerberos.keytab - The keytab file used by OM http server to login as its service principal. + ozone.om.http.auth.kerberos.keytab + The keytab file used by OM http server to login as its service principal if SPNEGO is enabled for om http server. @@ -165,11 +165,11 @@ All these settings should be made in ozone-site.xml. ozone.s3g.http.auth.kerberos.principal - S3 Gateway principal.
e.g. HTTP/_HOST@EXAMPLE.COM + S3 Gateway principal if SPNEGO is enabled for S3 Gateway http server.
e.g. HTTP/_HOST@EXAMPLE.COM ozone.s3g.http.auth.kerberos.keytab - The keytab file used by S3 gateway + The keytab file used by S3 gateway if SPNEGO is enabled for S3 Gateway http server. diff --git a/hadoop-hdds/docs/content/security/SecuringOzoneHTTP.md b/hadoop-hdds/docs/content/security/SecuringOzoneHTTP.md new file mode 100644 index 00000000000..c10f71d21de --- /dev/null +++ b/hadoop-hdds/docs/content/security/SecuringOzoneHTTP.md 
@@ -0,0 +1,141 @@ +--- +title: "Securing Ozone HTTP web-consoles" +date: "2020-June-17" +summary: Secure HTTP web-consoles for Ozone services +weight: 3 +icon: lock +--- + + +This document describes how to configure Ozone HTTP web-consoles to require user authentication. + +### Default authentication + +By default Ozone HTTP web-consoles (OM, SCM, S3G, Recon, Datanode) +allow access without authentication based on the following default configurations. + +Property| Value +-----------------------------------|----------------------------------------- +ozone.security.http.kerberos.enabled | false +ozone.http.filter.initializers | + +If you have an SPNEGO enabled Ozone cluster and want to disable it for all Ozone services, +just make sure the two key mentioned are configured as above. + +### Kerberos based SPNEGO authentication +However, they can be configured to require Kerberos authentication using HTTP SPNEGO protocol (supported +by browsers like Firefox and Chrome). To achieve that, the following keys must +be configured first. + +Property| Value +-----------------------------------|----------------------------------------- +hadoop.security.authentication | kerberos +ozone.security.http.kerberos.enabled | true +ozone.http.filter.initializers | org.apache.hadoop.security.AuthenticationFilterInitializer + +After that, individual component needs to configure properly to completely enable +SPNEGO or SIMPLE authentication. 
+ +### Enable SPNEGO authentication for OM HTTP +Property| Value +-----------------------------------|----------------------------------------- +ozone.om.http.auth.type | kerberos +ozone.om.http.auth.kerberos.principal | HTTP/_HOST@REALM +ozone.om.http.auth.kerberos.keytab| /path/to/HTTP.keytab + +### Enable SPNEGO authentication for S3G HTTP +Property| Value +-----------------------------------|----------------------------------------- +ozone.s3g.http.auth.type | kerberos +ozone.s3g.http.auth.kerberos.principal | HTTP/_HOST@REALM +ozone.s3g.http.auth.kerberos.keytab| /path/to/HTTP.keytab + +### Enable SPNEGO authentication for RECON HTTP +Property| Value +-----------------------------------|----------------------------------------- +ozone.recon.http.auth.type | kerberos +ozone.recon.http.auth.kerberos.principal | HTTP/_HOST@REALM +ozone.recon.http.auth.kerberos.keytab| /path/to/HTTP.keytab + +### Enable SPNEGO authentication for SCM HTTP +Property| Value +-----------------------------------|----------------------------------------- +hdds.scm.http.auth.type | kerberos +hdds.scm.http.auth.kerberos.principal | HTTP/_HOST@REALM +hdds.scm.http.auth.kerberos.keytab| /path/to/HTTP.keytab + +### Enable SPNEGO authentication for DATANODE HTTP +Property| Value +-----------------------------------|----------------------------------------- +hdds.datanode.http.auth.type | kerberos +hdds.datanode.http.auth.kerberos.principal | HTTP/_HOST@REALM +hdds.datanode.http.auth.kerberos.keytab| /path/to/HTTP.keytab + +Note: Ozone datanode does not have a default webpage, which prevents you from +accessing "/" or "/index.html". But it does provide standard +servlet like jmx/conf/jstack via HTTP. + +In addition, Ozone HTTP web-console support the equivalent of Hadoop's Pseudo/Simple authentication. +If this option is enabled, the user name must be specified in the first browser interaction using the user.name +query string parameter. e.g., http://scm:9876/?user.name=scmadmin. 
+ +### Enable SIMPLE authentication for OM HTTP +Property| Value +-----------------------------------|----------------------------------------- +ozone.om.http.auth.type | simple +ozone.om.http.auth.simple.anonymous_allowed | false + +If you don't want to specify the user.name in the query string parameter, +change ozone.om.http.auth.simple.anonymous_allowed to true. + +### Enable SIMPLE authentication for S3G HTTP +Property| Value +-----------------------------------|----------------------------------------- +ozone.s3g.http.auth.type | simple +ozone.s3g.http.auth.simple.anonymous_allowed | false + +If you don't want to specify the user.name in the query string parameter, +change ozone.s3g.http.auth.simple.anonymous_allowed to true. + +### Enable SIMPLE authentication for RECON HTTP +Property| Value +-----------------------------------|----------------------------------------- +ozone.recon.http.auth.type | simple +ozone.recon.http.auth.simple.anonymous_allowed | false + +If you don't want to specify the user.name in the query string parameter, +change ozone.recon.http.auth.simple.anonymous_allowed to true. + + +### Enable SIMPLE authentication for SCM HTTP +Property| Value +-----------------------------------|----------------------------------------- +ozone.scm.http.auth.type | simple +ozone.scm.http.auth.simple.anonymous_allowed | false + +If you don't want to specify the user.name in the query string parameter, +change ozone.scm.http.auth.simple.anonymous_allowed to true. + +### Enable SIMPLE authentication for DATANODE HTTP +Property| Value +-----------------------------------|----------------------------------------- +ozone.datanode.http.auth.type | simple +ozone.datanode.http.auth.simple.anonymous_allowed | false + +If you don't want to specify the user.name in the query string parameter, +change ozone.datanode.http.auth.simple.anonymous_allowed to true. 
diff --git a/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/server/http/BaseHttpServer.java b/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/server/http/BaseHttpServer.java
index 9cb4992d527..80cc96020e2 100644
--- a/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/server/http/BaseHttpServer.java
+++ b/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/server/http/BaseHttpServer.java
@@ -115,9 +115,11 @@ public BaseHttpServer(ConfigurationSource conf, String name)
 if (isSecurityEnabled) {
 String httpAuthType = conf.get(getHttpAuthType(), "simple");
 LOG.info("HttpAuthType: {} = {}", getHttpAuthType(), httpAuthType);
+ // Ozone config prefix must be set to avoid AuthenticationFilter
+ // fall back to default one form hadoop.http.authentication.
+ builder.authFilterConfigurationPrefix(getHttpAuthConfigPrefix());
 if (httpAuthType.equals("kerberos")) {
 builder.setSecurityEnabled(true);
- builder.authFilterConfigurationPrefix(getHttpAuthConfigPrefix());
 builder.setUsernameConfKey(getSpnegoPrincipal());
 builder.setKeytabConfKey(getKeytabFile());
 }
diff --git a/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/server/http/HttpServer2.java b/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/server/http/HttpServer2.java
index a37a08c6c90..8f8604429ff 100644
--- a/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/server/http/HttpServer2.java
+++ b/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/server/http/HttpServer2.java
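Review bot: `httpAuthType.equals("kerberos")` is a case-sensitive match on a free-form config value, so `KERBEROS`, a typo, or an unsupported type all silently take the non-Kerberos path with `setSecurityEnabled` never called — judging by the HttpServer2 hunks in this patch that leaves the console without an AuthenticationFilter, i.e. a misconfiguration fails open. Reject anything outside the supported set before the branch, e.g. `if (!"kerberos".equals(httpAuthType) && !"simple".equals(httpAuthType)) { throw new IllegalArgumentException(getHttpAuthType() + " must be kerberos or simple, got " + httpAuthType); }`, and use `equalsIgnoreCase` or normalise the value once if mixed case is meant to be accepted. Moving `authFilterConfigurationPrefix` ahead of the branch is the right call; the added comment has a typo, `form` → `from`. The enclosing `BaseHttpServer` constructor continues outside the hunk.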
@@ -572,12 +572,13 @@ private HttpServer2(final Builder b) throws IOException { this.findPort = b.findPort; this.portRanges = b.portRanges; initializeWebServer(b.name, b.hostName, b.conf, b.pathSpecs, - b.authFilterConfigurationPrefix); + b.authFilterConfigurationPrefix, b.securityEnabled); } private void initializeWebServer(String name, String hostName, ConfigurationSource conf, String[] pathSpecs, - String authFilterConfigPrefix) throws IOException { + String authFilterConfigPrefix, + boolean securityEnabled) throws IOException { Preconditions.checkNotNull(webAppContext); @@ -614,14 +615,19 @@ private void initializeWebServer(String name, String hostName, final FilterInitializer[] initializers = getFilterInitializers(conf); if (initializers != null) { conf.set(BIND_ADDRESS, hostName); + org.apache.hadoop.conf.Configuration hadoopConf = + LegacyHadoopConfigurationSource.asHadoopConfiguration(conf); for (FilterInitializer c : initializers) { - //c.initFilter(this, conf) does not work here as it does not take config - // prefix key. - Map filterConfig = getFilterConfigMap( - LegacyHadoopConfigurationSource.asHadoopConfiguration(conf), - authFilterConfigPrefix); - addFilter("authentication", AuthenticationFilter.class.getName(), - filterConfig); + if (c instanceof AuthenticationFilterInitializer) { + if (securityEnabled) { + Map < String, String > filterConfig = getFilterConfigMap( + hadoopConf, authFilterConfigPrefix); + addFilter("authentication", + AuthenticationFilter.class.getName(), filterConfig); + } + } else { + c.initFilter(this, hadoopConf); + } } } From ceacf90731f08b4cddba56d7815642856129191c Mon Sep 17 00:00:00 2001 From: Xiaoyu Yao Date: Fri, 19 Jun 2020 19:51:32 -0700 Subject: [PATCH 2/3] minor refactor --- .../apache/hadoop/hdds/server/http/HttpServer2.java | 12 +++++------- 1 file changed, 5 insertions(+), 7 deletions(-) 
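Review bot: When `c` is an `AuthenticationFilterInitializer` but `securityEnabled` is false, the new inner `if` drops the initializer with no log line, so an operator who listed it in the filter initializers expecting an authenticated console gets an unauthenticated one with nothing in the logs to show why. Add a message on that path, e.g. `LOG.info("Not adding AuthenticationFilter for {}: HTTP security is disabled", name);` (assuming the class's existing `LOG`). Note also that `securityEnabled` only becomes true on the kerberos branch in BaseHttpServer, so with the `simple` auth type documented elsewhere in this patch no filter is installed here at all — whether the `*.http.auth.simple.*` keys are honoured by some other path is not visible in this hunk and is worth confirming. `initializeWebServer` continues outside the hunk.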
diff --git a/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/server/http/HttpServer2.java b/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/server/http/HttpServer2.java
index 8f8604429ff..2d74898fb79 100644
--- a/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/server/http/HttpServer2.java
+++ b/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/server/http/HttpServer2.java
@@ -617,14 +617,12 @@ private void initializeWebServer(String name, String hostName,
 conf.set(BIND_ADDRESS, hostName);
 org.apache.hadoop.conf.Configuration hadoopConf =
 LegacyHadoopConfigurationSource.asHadoopConfiguration(conf);
+ Map filterConfig = getFilterConfigMap(hadoopConf,
+ authFilterConfigPrefix);
 for (FilterInitializer c : initializers) {
- if (c instanceof AuthenticationFilterInitializer) {
- if (securityEnabled) {
- Map < String, String > filterConfig = getFilterConfigMap(
- hadoopConf, authFilterConfigPrefix);
- addFilter("authentication",
- AuthenticationFilter.class.getName(), filterConfig);
- }
+ if ((c instanceof AuthenticationFilterInitializer) && securityEnabled) {
+ addFilter("authentication",
+ AuthenticationFilter.class.getName(), filterConfig);
 } else {
 c.initFilter(this, hadoopConf);
 }
From 21d9ba1421aa0edf03dc27f707ecfea147d76869 Mon Sep 17 00:00:00 2001 From: Xiaoyu Yao Date: Tue, 23 Jun 2020 16:05:46 -0700 Subject: [PATCH 3/3] enable ratis log for the integration test --- .../integration-test/src/test/resources/log4j.properties | 3 +++ 1 file changed, 3 insertions(+)
diff --git a/hadoop-ozone/integration-test/src/test/resources/log4j.properties b/hadoop-ozone/integration-test/src/test/resources/log4j.properties
index b8ad21d6c7f..e5381ad212f 100644
--- a/hadoop-ozone/integration-test/src/test/resources/log4j.properties
+++ b/hadoop-ozone/integration-test/src/test/resources/log4j.properties
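Review bot: The "minor refactor" is not behavior-preserving: with `(c instanceof AuthenticationFilterInitializer) && securityEnabled` as the only condition, an `AuthenticationFilterInitializer` with `securityEnabled == false` now falls into the `else` branch and is initialized through `c.initFilter(this, hadoopConf)`, whereas patch 1 skipped it entirely. That stock initializer does not take the Ozone prefix (the comment removed in patch 1 said as much) and presumably reads `hadoop.http.authentication.*`, which is exactly the fallback the commit title says disabling SPNEGO must not produce. Keep the skip by changing the else to `} else if (!(c instanceof AuthenticationFilterInitializer)) {`. Minor: `filterConfig` is now built for every server even when no filter is added. `initializeWebServer` continues outside the hunk.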
@@ -19,3 +19,6 @@ log4j.appender.stdout.layout.ConversionPattern=%d{ISO8601} [%t] %-5p %c{2} (%F:% log4j.logger.org.apache.hadoop.security.ShellBasedUnixGroupsMapping=ERROR log4j.logger.org.apache.hadoop.util.NativeCodeLoader=ERROR + +log4j.logger.org.apache.ratis.grpc.server.GrpcLogAppender=DEBUG +log4j.logger.org.apache.ratis.server.impl.RaftServerImpl=DEBUG