::Go back to Oozie Documentation Index::
Creating Custom Authentication
Hadoop-Auth Authentication Interfaces and classes
1. org.apache.hadoop.security.authentication.client.Authenticator: Interface for client authentication mechanisms.
The following authenticators are provided in hadoop-auth:
- KerberosAuthenticator : the authenticator implements the Kerberos SPNEGO authentication sequence.
- PseudoAuthenticator : the authenticator implementation provides an authentication equivalent to Hadoop's Simple
2. org.apache.hadoop.security.authentication.server.AuthenticationHandler: Interface for server authentication mechanisms.
- KerberosAuthenticationHandler : the authenticator handler implements the Kerberos SPNEGO authentication mechanism for HTTP.
- PseudoAuthenticationHandler : the authenticator handler provides a pseudo authentication mechanism that accepts the user
3. org.apache.hadoop.security.authentication.server.AuthenticationFilter: A servlet filter enables protecting web application resources with different authentication mechanisms provided by AuthenticationHandler. To enable the filter, web application resources file (ex. web.xml) needs to include a filter class derived from AuthenticationFilter .
For more information have a look at the appropriate Hadoop documentation .
Provide Custom Authentication to Oozie Client
Apache Oozie contains a default class org.apache.oozie.client.AuthOozieClient to support Kerberos HTTP SPNEGO authentication, pseudo/simple authentication and anonymous access for client connections.
To provide other authentication mechanisms, an Oozie client should extend from AuthOozieClient and provide the following methods should be overridden by derived classes to provide custom authentication:
- getAuthenticator() : return corresponding Authenticator based on value specified by user at auth command option.
- createConnection() : create a singleton class at Authenticator to allow client set and get key-value configuration for
Provide Custom Authentication to Oozie Server
To accept custom authentication in Oozie server, a filter extends from AuthenticationFilter must be provided. This filter delegates to the configured authentication handler for authentication and once it obtains an AuthenticationToken from it, sets a signed HTTP cookie with the token. If HTTP cookie is provided with different key name, its cookie value can be retrieved by overriding getToken() method. Please note, only when getToken() return NULL, a custom authentication can be invoked and processed in AuthenticationFilter.doFilter() .
The following method explains how to read it and return NULL token.
protected AuthenticationToken getToken(HttpServletRequest request) throws IOException, AuthenticationException {
String tokenStr = null;
Cookie[] cookies = request.getCookies(); if (cookies != null) {
for (Cookie cookie : cookies) {
if (cookie.getName().equals(AuthenticatedURL.AUTH_COOKIE)) {
tokenStr = cookie.getValue();
LOG.info("Got 'hadoop.auth' cookie from request = " + tokenStr);
if (tokenStr != null && !tokenStr.trim().isEmpty()) {
AuthenticationToken retToken = super.getToken(request);
return retToken;
}
} else if (cookie.getName().equals("NEWAUTH")) {
tokenStr = cookie.getValue();
// DO NOT return the token string so request can authenticated.
}
}
}
return null;
}