SQOOP-2002: Sqoop2: Refactor existing security component

(Richard Zhou via Abraham Elmahrek)

core/src/main/java/org/apache/sqoop/security/AuthenticationManager.java

@@ -31,7 +31,7 @@ public class AuthenticationManager implements Reconfigurable {
   /**
    * Default authentication handler
    */
-  public static final String DEFAULT_AUTHENTICATION_HANDLER = "org.apache.sqoop.security.SimpleAuthenticationHandler";
+  public static final String DEFAULT_AUTHENTICATION_HANDLER = "org.apache.sqoop.security.Authentication.SimpleAuthenticationHandler";
 
 
   /**
@@ -92,9 +92,9 @@ public synchronized void initialize() throws ClassNotFoundException, IllegalAcce
     }
 
     String handler = SqoopConfiguration.getInstance().getContext().getString(
-        AuthenticationConstants.AUTHENTICATION_HANDLER,
+        SecurityConstants.AUTHENTICATION_HANDLER,
         DEFAULT_AUTHENTICATION_HANDLER).trim();
-    authenticationHandler = AuthenticationHandlerFactory.getAuthenticationHandler(handler);
+    authenticationHandler = SecurityFactory.getAuthenticationHandler(handler);
     authenticationHandler.doInitialize();
     authenticationHandler.secureLogin();
 

core/src/main/java/org/apache/sqoop/security/SecurityConstants.java

@@ -22,19 +22,24 @@
 /**
  * Constants that are used in authentication module.
  */
-public final class AuthenticationConstants {
-
+public final class SecurityConstants {
+  /**
+   * All security related configuration is prefixed with this:
+   * <tt>org.apache.sqoop.security.</tt>
+   */
+  public static final String PREFIX_SECURITY_CONFIG =
+          ConfigurationConstants.PREFIX_GLOBAL_CONFIG + "security.";
   /**
    * All authentication related configuration is prefixed with this:
-   * <tt>org.apache.sqoop.authentication.</tt>
+   * <tt>org.apache.sqoop.security.authentication.</tt>
    */
   public static final String PREFIX_AUTHENTICATION_CONFIG =
-    ConfigurationConstants.PREFIX_GLOBAL_CONFIG + "authentication.";
+    PREFIX_SECURITY_CONFIG + "authentication.";
 
   /**
    * The config specifies the sqoop authentication type (SIMPLE, KERBEROS).
    * The default type is SIMPLE
-   * <tt>org.apache.sqoop.authentication.type</tt>.
+   * <tt>org.apache.sqoop.security.authentication.type</tt>.
    */
   public static final String AUTHENTICATION_TYPE =
     PREFIX_AUTHENTICATION_CONFIG + "type";
@@ -42,56 +47,56 @@ public final class AuthenticationConstants {
   /**
    * The config specifies the sqoop authentication handler class.
    * The default type is org.apache.sqoop.security.SimpleAuthenticationHandler
-   * <tt>org.apache.sqoop.authentication.handler</tt>.
+   * <tt>org.apache.sqoop.security.authentication.handler</tt>.
    */
   public static final String AUTHENTICATION_HANDLER =
           PREFIX_AUTHENTICATION_CONFIG + "handler";
 
   /**
    * The config enables or disables anonymous authentication.
-   * <tt>org.apache.sqoop.authentication.anonymous</tt>.
+   * <tt>org.apache.sqoop.security.authentication.anonymous</tt>.
    */
   public static final String AUTHENTICATION_ANONYMOUS =
       PREFIX_AUTHENTICATION_CONFIG + "anonymous";
 
   /**
    * All kerberos authentication related configuration is prefixed with this:
-   * <tt>org.apache.sqoop.authentication.kerberos.</tt>
+   * <tt>org.apache.security.sqoop.authentication.kerberos.</tt>
    */
   public static final String PREFIX_AUTHENTICATION_KERBEROS_CONFIG =
           PREFIX_AUTHENTICATION_CONFIG + "kerberos.";
 
   /**
    * The config specifies the kerberos principal.
-   * <tt>org.apache.sqoop.authentication.kerberos.principal</tt>.
+   * <tt>org.apache.sqoop.security.authentication.kerberos.principal</tt>.
    */
   public static final String AUTHENTICATION_KERBEROS_PRINCIPAL =
     PREFIX_AUTHENTICATION_KERBEROS_CONFIG + "principal";
 
   /**
    * The config specifies the kerberos keytab.
-   * <tt>org.apache.sqoop.authentication.kerberos.principal</tt>.
+   * <tt>org.apache.sqoop.security.authentication.kerberos.principal</tt>.
    */
   public static final String AUTHENTICATION_KERBEROS_KEYTAB =
     PREFIX_AUTHENTICATION_KERBEROS_CONFIG + "keytab";
 
   /**
    * All kerberos authentication for http related configuration is prefixed with this:
-   * <tt>org.apache.sqoop.authentication.kerberos.http.</tt>
+   * <tt>org.apache.sqoop.security.authentication.kerberos.http.</tt>
    */
   public static final String PREFIX_AUTHENTICATION_KERBEROS_HTTP_CONFIG =
           PREFIX_AUTHENTICATION_KERBEROS_CONFIG + "http.";
 
   /**
    * The config specifies the kerberos principal for http.
-   * <tt>org.apache.sqoop.authentication.kerberos.http.principal</tt>.
+   * <tt>org.apache.sqoop.security.authentication.kerberos.http.principal</tt>.
    */
   public static final String AUTHENTICATION_KERBEROS_HTTP_PRINCIPAL =
           PREFIX_AUTHENTICATION_KERBEROS_HTTP_CONFIG + "principal";
 
   /**
    * The config specifies the kerberos keytab for http.
-   * <tt>org.apache.sqoop.authentication.kerberos.http.principal</tt>.
+   * <tt>org.apache.sqoop.security.authentication.kerberos.http.principal</tt>.
    */
   public static final String AUTHENTICATION_KERBEROS_HTTP_KEYTAB =
           PREFIX_AUTHENTICATION_KERBEROS_HTTP_CONFIG + "keytab";
@@ -103,7 +108,7 @@ public final class AuthenticationConstants {
 
   public static enum TYPE {SIMPLE, KERBEROS}
 
-  private AuthenticationConstants() {
+  private SecurityConstants() {
     // Instantiation of this class is prohibited
   }
 }

core/src/main/java/org/apache/sqoop/security/SecurityError.java

@@ -19,7 +19,7 @@
 
 import org.apache.sqoop.common.ErrorCode;
 
-public enum AuthenticationError implements ErrorCode {
+public enum SecurityError implements ErrorCode {
 
   /** An unknown error has occurred. */
   AUTH_0000("An unknown error has occurred"),
@@ -44,7 +44,7 @@ public enum AuthenticationError implements ErrorCode {
 
   private final String message;
 
-  private AuthenticationError(String message) {
+  private SecurityError(String message) {
     this.message = message;
   }
 

core/src/main/java/org/apache/sqoop/security/SecurityFactory.java

@@ -23,14 +23,14 @@
 /**
  * Create authentication manager.
  */
-public class AuthenticationHandlerFactory {
+public class SecurityFactory {
 
   public static AuthenticationHandler getAuthenticationHandler(String handler) throws ClassNotFoundException, IllegalAccessException, InstantiationException {
 
     Class<?> handlerClass = ClassUtils.loadClass(handler);
 
     if (handlerClass == null) {
-      throw new SqoopException(AuthenticationError.AUTH_0004,
+      throw new SqoopException(SecurityError.AUTH_0004,
               "Authentication Handler Class: " + handler);
     }
 
@@ -38,7 +38,7 @@ public static AuthenticationHandler getAuthenticationHandler(String handler) thr
     try {
       newHandler = (AuthenticationHandler) handlerClass.newInstance();
     } catch (Exception ex) {
-      throw new SqoopException(AuthenticationError.AUTH_0004,
+      throw new SqoopException(SecurityError.AUTH_0004,
               "Authentication Handler Class: " + handler, ex);
     }
     return newHandler;

dist/src/main/server/conf/sqoop.properties

@@ -144,16 +144,16 @@ org.apache.sqoop.execution.engine=org.apache.sqoop.execution.mapreduce.Mapreduce
 #
 # Authentication configuration
 #
-#org.apache.sqoop.authentication.type=SIMPLE
-#org.apache.sqoop.authentication.handler=org.apache.sqoop.security.SimpleAuthenticationHandler
-#org.apache.sqoop.authentication.anonymous=true
-#org.apache.sqoop.authentication.type=KERBEROS
-#org.apache.sqoop.authentication.handler=org.apache.sqoop.security.KerberosAuthenticationHandler
-#org.apache.sqoop.authentication.kerberos.principal=sqoop/_HOST@NOVALOCAL
-#org.apache.sqoop.authentication.kerberos.keytab=/home/kerberos/sqoop.keytab
-#org.apache.sqoop.authentication.kerberos.http.principal=HTTP/_HOST@NOVALOCAL
-#org.apache.sqoop.authentication.kerberos.http.keytab=/home/kerberos/sqoop.keytab
-#org.apache.sqoop.authentication.enable.doAs=true
-#org.apache.sqoop.authentication.proxyuser.#USER#.users=*
-#org.apache.sqoop.authentication.proxyuser.#USER#.groups=*
-#org.apache.sqoop.authentication.proxyuser.#USER#.hosts=*
+#org.apache.sqoop.security.authentication.type=SIMPLE
+#org.apache.sqoop.security.authentication.handler=org.apache.sqoop.security.Authentication.SimpleAuthenticationHandler
+#org.apache.sqoop.security.authentication.anonymous=true
+#org.apache.sqoop.security.authentication.type=KERBEROS
+#org.apache.sqoop.security.authentication.handler=org.apache.sqoop.security.Authentication.KerberosAuthenticationHandler
+#org.apache.sqoop.security.authentication.kerberos.principal=sqoop/_HOST@NOVALOCAL
+#org.apache.sqoop.security.authentication.kerberos.keytab=/home/kerberos/sqoop.keytab
+#org.apache.sqoop.security.authentication.kerberos.http.principal=HTTP/_HOST@NOVALOCAL
+#org.apache.sqoop.security.authentication.kerberos.http.keytab=/home/kerberos/sqoop.keytab
+#org.apache.sqoop.security.authentication.enable.doAs=true
+#org.apache.sqoop.security.authentication.proxyuser.#USER#.users=*
+#org.apache.sqoop.security.authentication.proxyuser.#USER#.groups=*
+#org.apache.sqoop.security.authentication.proxyuser.#USER#.hosts=*

docs/src/site/sphinx/SecurityGuideOnSqoop2.rst

@@ -30,7 +30,7 @@ Modify Sqoop configuration file, normally in <Sqoop Folder>/server/config/sqoop.
 ::
 
   org.apache.sqoop.authentication.type=SIMPLE
-  org.apache.sqoop.authentication.handler=org.apache.sqoop.security.SimpleAuthenticationHandler
+  org.apache.sqoop.authentication.handler=org.apache.sqoop.security.Authentication.SimpleAuthenticationHandler
   org.apache.sqoop.anonymous=true
 
 -	Simple authentication is used by default. Commenting out authentication configuration will yield the use of simple authentication.
@@ -88,7 +88,7 @@ Modify Sqoop configuration file, normally in <Sqoop Folder>/server/config/sqoop.
 ::
 
   org.apache.sqoop.authentication.type=KERBEROS
-  org.apache.sqoop.authentication.handler=org.apache.sqoop.security.KerberosAuthenticationHandler
+  org.apache.sqoop.authentication.handler=org.apache.sqoop.security.Authentication.KerberosAuthenticationHandler
   org.apache.sqoop.authentication.kerberos.principal=sqoop/_HOST@<REALM>
   org.apache.sqoop.authentication.kerberos.keytab=/home/kerberos/sqoop.keytab
   org.apache.sqoop.authentication.kerberos.http.principal=HTTP/_HOST@<REALM>
@@ -132,7 +132,7 @@ If the Sqoop server has started successfully with Kerberos authentication, the f
 
 ::
 
-  2014-12-04 15:02:58,038 INFO  security.KerberosAuthenticationHandler [org.apache.sqoop.security.KerberosAuthenticationHandler.secureLogin(KerberosAuthenticationHandler.java:84)] Using Kerberos authentication, principal [sqoop/_HOST@HADOOP.COM] keytab [/home/kerberos/sqoop.keytab]
+  2014-12-04 15:02:58,038 INFO  security.KerberosAuthenticationHandler [org.apache.sqoop.security.Authentication.KerberosAuthenticationHandler.secureLogin(KerberosAuthenticationHandler.java:84)] Using Kerberos authentication, principal [sqoop/_HOST@HADOOP.COM] keytab [/home/kerberos/sqoop.keytab]
 
 If the Sqoop client was able to communicate with the Sqoop server, the following will be in <Sqoop Folder>/server/log/catalina.out:
 

security/src/main/java/org/apache/sqoop/security/Authentication/KerberosAuthenticationHandler.java

@@ -15,7 +15,7 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
-package org.apache.sqoop.security;
+package org.apache.sqoop.security.Authentication;
 
 import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.security.SecurityUtil;
@@ -24,6 +24,9 @@
 import org.apache.sqoop.common.MapContext;
 import org.apache.sqoop.common.SqoopException;
 import org.apache.sqoop.core.SqoopConfiguration;
+import org.apache.sqoop.security.AuthenticationHandler;
+import org.apache.sqoop.security.SecurityConstants;
+import org.apache.sqoop.security.SecurityError;
 
 import java.io.IOException;
 
@@ -56,30 +59,30 @@ public void doInitialize() {
   public void secureLogin() {
     MapContext mapContext = SqoopConfiguration.getInstance().getContext();
     String keytab = mapContext.getString(
-            AuthenticationConstants.AUTHENTICATION_KERBEROS_KEYTAB).trim();
+            SecurityConstants.AUTHENTICATION_KERBEROS_KEYTAB).trim();
     if (keytab.length() == 0) {
-      throw new SqoopException(AuthenticationError.AUTH_0001,
-              AuthenticationConstants.AUTHENTICATION_KERBEROS_KEYTAB);
+      throw new SqoopException(SecurityError.AUTH_0001,
+              SecurityConstants.AUTHENTICATION_KERBEROS_KEYTAB);
     }
     keytabFile = keytab;
 
     String principal = mapContext.getString(
-            AuthenticationConstants.AUTHENTICATION_KERBEROS_PRINCIPAL).trim();
+            SecurityConstants.AUTHENTICATION_KERBEROS_PRINCIPAL).trim();
     if (principal.length() == 0) {
-      throw new SqoopException(AuthenticationError.AUTH_0002,
-              AuthenticationConstants.AUTHENTICATION_KERBEROS_PRINCIPAL);
+      throw new SqoopException(SecurityError.AUTH_0002,
+              SecurityConstants.AUTHENTICATION_KERBEROS_PRINCIPAL);
     }
     keytabPrincipal = principal;
 
     Configuration conf = new Configuration();
     conf.set(get_hadoop_security_authentication(),
-            AuthenticationConstants.TYPE.KERBEROS.name());
+            SecurityConstants.TYPE.KERBEROS.name());
     UserGroupInformation.setConfiguration(conf);
     try {
       String hostPrincipal = SecurityUtil.getServerPrincipal(principal, "0.0.0.0");
       UserGroupInformation.loginUserFromKeytab(hostPrincipal, keytab);
     } catch (IOException ex) {
-      throw new SqoopException(AuthenticationError.AUTH_0003, ex);
+      throw new SqoopException(SecurityError.AUTH_0003, ex);
     }
     LOG.info("Using Kerberos authentication, principal ["
             + principal + "] keytab [" + keytab + "]");

security/src/main/java/org/apache/sqoop/security/Authentication/SimpleAuthenticationHandler.java

@@ -15,11 +15,13 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
-package org.apache.sqoop.security;
+package org.apache.sqoop.security.Authentication;
 
 import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.security.UserGroupInformation;
 import org.apache.log4j.Logger;
+import org.apache.sqoop.security.AuthenticationHandler;
+import org.apache.sqoop.security.SecurityConstants;
 
 public class SimpleAuthenticationHandler extends AuthenticationHandler {
 
@@ -33,7 +35,7 @@ public void secureLogin() {
     //no secureLogin, just set configurations
     Configuration conf = new Configuration();
     conf.set(get_hadoop_security_authentication(),
-            AuthenticationConstants.TYPE.SIMPLE.name());
+            SecurityConstants.TYPE.SIMPLE.name());
     UserGroupInformation.setConfiguration(conf);
     LOG.info("Using simple/pseudo authentication, principal ["
             + System.getProperty("user.name") + "]");

server/src/main/java/org/apache/sqoop/filter/SqoopAuthenticationFilter.java

@@ -19,7 +19,6 @@
 
 import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.security.SecurityUtil;
-import org.apache.hadoop.security.authentication.server.AuthenticationFilter;
 import org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler;
 import org.apache.hadoop.security.authentication.server.PseudoAuthenticationHandler;
 import org.apache.hadoop.security.token.delegation.web.DelegationTokenAuthenticationFilter;
@@ -29,8 +28,8 @@
 import org.apache.sqoop.common.MapContext;
 import org.apache.sqoop.common.SqoopException;
 import org.apache.sqoop.core.SqoopConfiguration;
-import org.apache.sqoop.security.AuthenticationConstants;
-import org.apache.sqoop.security.AuthenticationError;
+import org.apache.sqoop.security.SecurityConstants;
+import org.apache.sqoop.security.SecurityError;
 
 import javax.servlet.FilterConfig;
 import javax.servlet.ServletException;
@@ -46,46 +45,46 @@ protected Properties getConfiguration(String configPrefix,
     Properties properties = new Properties();
     MapContext mapContext = SqoopConfiguration.getInstance().getContext();
     String type = mapContext.getString(
-        AuthenticationConstants.AUTHENTICATION_TYPE,
-        AuthenticationConstants.TYPE.SIMPLE.name()).trim();
+        SecurityConstants.AUTHENTICATION_TYPE,
+        SecurityConstants.TYPE.SIMPLE.name()).trim();
 
-    if (type.equalsIgnoreCase(AuthenticationConstants.TYPE.KERBEROS.name())) {
+    if (type.equalsIgnoreCase(SecurityConstants.TYPE.KERBEROS.name())) {
       properties.setProperty(AUTH_TYPE, KerberosDelegationTokenAuthenticationHandler.class.getName());
 
       String keytab = mapContext.getString(
-              AuthenticationConstants.AUTHENTICATION_KERBEROS_HTTP_KEYTAB).trim();
+              SecurityConstants.AUTHENTICATION_KERBEROS_HTTP_KEYTAB).trim();
       if (keytab.length() == 0) {
-        throw new SqoopException(AuthenticationError.AUTH_0005,
-                AuthenticationConstants.AUTHENTICATION_KERBEROS_HTTP_KEYTAB);
+        throw new SqoopException(SecurityError.AUTH_0005,
+                SecurityConstants.AUTHENTICATION_KERBEROS_HTTP_KEYTAB);
       }
 
       String principal = mapContext.getString(
-              AuthenticationConstants.AUTHENTICATION_KERBEROS_HTTP_PRINCIPAL).trim();
+              SecurityConstants.AUTHENTICATION_KERBEROS_HTTP_PRINCIPAL).trim();
       if (principal.length() == 0) {
-        throw new SqoopException(AuthenticationError.AUTH_0006,
-                AuthenticationConstants.AUTHENTICATION_KERBEROS_HTTP_PRINCIPAL);
+        throw new SqoopException(SecurityError.AUTH_0006,
+                SecurityConstants.AUTHENTICATION_KERBEROS_HTTP_PRINCIPAL);
       }
 
       String hostPrincipal = "";
       try {
         hostPrincipal = SecurityUtil.getServerPrincipal(principal, "0.0.0.0");
       } catch (IOException e) {
-        throw new SqoopException(AuthenticationError.AUTH_0006,
-                AuthenticationConstants.AUTHENTICATION_KERBEROS_HTTP_PRINCIPAL);
+        throw new SqoopException(SecurityError.AUTH_0006,
+                SecurityConstants.AUTHENTICATION_KERBEROS_HTTP_PRINCIPAL);
       }
 
       properties.setProperty(KerberosAuthenticationHandler.PRINCIPAL, hostPrincipal);
       properties.setProperty(KerberosAuthenticationHandler.KEYTAB, keytab);
-    } else if (type.equalsIgnoreCase(AuthenticationConstants.TYPE.SIMPLE.name())) {
+    } else if (type.equalsIgnoreCase(SecurityConstants.TYPE.SIMPLE.name())) {
       properties.setProperty(AUTH_TYPE, PseudoDelegationTokenAuthenticationHandler.class.getName());
       properties.setProperty(PseudoAuthenticationHandler.ANONYMOUS_ALLOWED,
-          mapContext.getString(AuthenticationConstants.AUTHENTICATION_ANONYMOUS, "true").trim());
+          mapContext.getString(SecurityConstants.AUTHENTICATION_ANONYMOUS, "true").trim());
     } else {
-      throw new SqoopException(AuthenticationError.AUTH_0004, type);
+      throw new SqoopException(SecurityError.AUTH_0004, type);
     }
 
     properties.setProperty(DelegationTokenAuthenticationHandler.TOKEN_KIND,
-            AuthenticationConstants.TOKEN_KIND);
+            SecurityConstants.TOKEN_KIND);
 
     return properties;
   }