YARN-8217. RmAuthenticationFilterInitializer and TimelineAuthenticationFilterInitializer should use Configuration.getPropsWithPrefix instead of iterator. Contributed by Suma Shivaprasad.

(cherry picked from commit ee2ce923a922bfc3e89ad6f0f6a25e776fe91ffb)

hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-common/src/main/java/org/apache/hadoop/yarn/server/security/http/RMAuthenticationFilterInitializer.java

@@ -18,23 +18,13 @@
 
 package org.apache.hadoop.yarn.server.security.http;
 
-import java.io.FileInputStream;
-import java.io.IOException;
-import java.io.InputStreamReader;
-import java.io.Reader;
-import java.util.HashMap;
 import java.util.Map;
 
-import org.apache.commons.io.IOUtils;
 import org.apache.hadoop.classification.InterfaceStability.Unstable;
 import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.http.FilterContainer;
 import org.apache.hadoop.http.FilterInitializer;
-import org.apache.hadoop.http.HttpServer2;
-import org.apache.hadoop.security.SecurityUtil;
-import org.apache.hadoop.security.UserGroupInformation;
-import org.apache.hadoop.security.authentication.server.AuthenticationFilter;
-import org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler;
+import org.apache.hadoop.security.AuthenticationFilterInitializer;
 import org.apache.hadoop.security.authorize.ProxyUsers;
 import org.apache.hadoop.security.token.delegation.web.DelegationTokenAuthenticationHandler;
 import org.apache.hadoop.yarn.security.client.RMDelegationTokenIdentifier;
@@ -43,48 +33,23 @@ import org.apache.hadoop.yarn.security.client.RMDelegationTokenIdentifier;
 public class RMAuthenticationFilterInitializer extends FilterInitializer {
 
   String configPrefix;
-  String kerberosPrincipalProperty;
-  String cookiePath;
 
   public RMAuthenticationFilterInitializer() {
     this.configPrefix = "hadoop.http.authentication.";
-    this.kerberosPrincipalProperty = KerberosAuthenticationHandler.PRINCIPAL;
-    this.cookiePath = "/";
   }
 
   protected Map<String, String> createFilterConfig(Configuration conf) {
-    Map<String, String> filterConfig = new HashMap<String, String>();
-
-    // setting the cookie path to root '/' so it is used for all resources.
-    filterConfig.put(AuthenticationFilter.COOKIE_PATH, cookiePath);
+    Map<String, String> filterConfig = AuthenticationFilterInitializer
+        .getFilterConfigMap(conf, configPrefix);
 
     // Before conf object is passed in, RM has already processed it and used RM
     // specific configs to overwrite hadoop common ones. Hence we just need to
     // source hadoop.proxyuser configs here.
-    for (Map.Entry<String, String> entry : conf) {
-      String propName = entry.getKey();
-      if (propName.startsWith(configPrefix)) {
-        String value = conf.get(propName);
-        String name = propName.substring(configPrefix.length());
-        filterConfig.put(name, value);
-      } else if (propName.startsWith(ProxyUsers.CONF_HADOOP_PROXYUSER)) {
-        String value = conf.get(propName);
-        String name = propName.substring("hadoop.".length());
-        filterConfig.put(name, value);
-      }
-    }
 
-    // Resolve _HOST into bind address
-    String bindAddress = conf.get(HttpServer2.BIND_ADDRESS);
-    String principal = filterConfig.get(kerberosPrincipalProperty);
-    if (principal != null) {
-      try {
-        principal = SecurityUtil.getServerPrincipal(principal, bindAddress);
-      } catch (IOException ex) {
-        throw new RuntimeException(
-          "Could not resolve Kerberos principal name: " + ex.toString(), ex);
-      }
-      filterConfig.put(KerberosAuthenticationHandler.PRINCIPAL, principal);
+    //Add proxy user configs
+    for (Map.Entry<String, String> entry : conf.
+        getPropsWithPrefix(ProxyUsers.CONF_HADOOP_PROXYUSER).entrySet()) {
+      filterConfig.put("proxyuser" + entry.getKey(), entry.getValue());
     }
 
     filterConfig.put(DelegationTokenAuthenticationHandler.TOKEN_KIND,
@@ -95,10 +60,8 @@ public class RMAuthenticationFilterInitializer extends FilterInitializer {
 
   @Override
   public void initFilter(FilterContainer container, Configuration conf) {
-
     Map<String, String> filterConfig = createFilterConfig(conf);
     container.addFilter("RMAuthenticationFilter",
       RMAuthenticationFilter.class.getName(), filterConfig);
   }
-
 }

hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-common/src/main/java/org/apache/hadoop/yarn/server/timeline/security/TimelineAuthenticationFilterInitializer.java

@@ -22,8 +22,7 @@ import com.google.common.annotations.VisibleForTesting;
 import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.http.FilterContainer;
 import org.apache.hadoop.http.FilterInitializer;
-import org.apache.hadoop.http.HttpServer2;
-import org.apache.hadoop.security.SecurityUtil;
+import org.apache.hadoop.security.AuthenticationFilterInitializer;
 import org.apache.hadoop.security.authentication.server.AuthenticationFilter;
 import org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler;
 import org.apache.hadoop.security.authentication.server.PseudoAuthenticationHandler;
@@ -33,7 +32,6 @@ import org.apache.hadoop.security.token.delegation.web.KerberosDelegationTokenAu
 import org.apache.hadoop.security.token.delegation.web.PseudoDelegationTokenAuthenticationHandler;
 import org.apache.hadoop.yarn.security.client.TimelineDelegationTokenIdentifier;
 
-import java.io.IOException;
 import java.util.HashMap;
 import java.util.Map;
 
@@ -62,42 +60,17 @@ public class TimelineAuthenticationFilterInitializer extends FilterInitializer {
   protected void setAuthFilterConfig(Configuration conf) {
     filterConfig = new HashMap<String, String>();
 
-    // setting the cookie path to root '/' so it is used for all resources.
-    filterConfig.put(AuthenticationFilter.COOKIE_PATH, "/");
-
-    for (Map.Entry<String, String> entry : conf) {
-      String name = entry.getKey();
-      if (name.startsWith(ProxyUsers.CONF_HADOOP_PROXYUSER)) {
-        String value = conf.get(name);
-        name = name.substring("hadoop.".length());
-        filterConfig.put(name, value);
-      }
-    }
-    for (Map.Entry<String, String> entry : conf) {
-      String name = entry.getKey();
-      if (name.startsWith(PREFIX)) {
-        // yarn.timeline-service.http-authentication.proxyuser will override
-        // hadoop.proxyuser
-        String value = conf.get(name);
-        name = name.substring(PREFIX.length());
-        filterConfig.put(name, value);
-      }
+    for (Map.Entry<String, String> entry : conf
+        .getPropsWithPrefix(ProxyUsers.CONF_HADOOP_PROXYUSER).entrySet()) {
+      filterConfig.put("proxyuser" + entry.getKey(), entry.getValue());
     }
 
-    // Resolve _HOST into bind address
-    String bindAddress = conf.get(HttpServer2.BIND_ADDRESS);
-    String principal =
-        filterConfig.get(KerberosAuthenticationHandler.PRINCIPAL);
-    if (principal != null) {
-      try {
-        principal = SecurityUtil.getServerPrincipal(principal, bindAddress);
-      } catch (IOException ex) {
-        throw new RuntimeException("Could not resolve Kerberos principal " +
-            "name: " + ex.toString(), ex);
-      }
-      filterConfig.put(KerberosAuthenticationHandler.PRINCIPAL,
-          principal);
-    }
+    // yarn.timeline-service.http-authentication.proxyuser will override
+    // hadoop.proxyuser
+    Map<String, String> timelineAuthProps =
+        AuthenticationFilterInitializer.getFilterConfigMap(conf, PREFIX);
+
+    filterConfig.putAll(timelineAuthProps);
   }
 
   protected Map<String, String> getFilterConfig() {

hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/security/TestRMAuthenticationFilter.java

@@ -0,0 +1,81 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ * <p>
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * <p>
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.yarn.server.resourcemanager.security;
+
+import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.http.FilterContainer;
+import org.apache.hadoop.http.HttpServer2;
+import org.apache.hadoop.yarn.server.security.http.RMAuthenticationFilter;
+import org.apache.hadoop.yarn.server.security.http
+    .RMAuthenticationFilterInitializer;
+import org.junit.Test;
+import org.mockito.Mockito;
+import org.mockito.invocation.InvocationOnMock;
+import org.mockito.stubbing.Answer;
+
+import java.util.Map;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertNull;
+
+/**
+ * Test RM Auth filter.
+ */
+public class TestRMAuthenticationFilter {
+
+  @SuppressWarnings("unchecked")
+  @Test
+  public void testConfiguration() throws Exception {
+    Configuration conf = new Configuration();
+    conf.set("hadoop.http.authentication.foo", "bar");
+    conf.set("hadoop.proxyuser.user.foo", "bar1");
+
+    conf.set(HttpServer2.BIND_ADDRESS, "barhost");
+
+    FilterContainer container = Mockito.mock(FilterContainer.class);
+    Mockito.doAnswer(new Answer() {
+      @Override
+      public Object answer(InvocationOnMock invocationOnMock) throws Throwable {
+        Object[] args = invocationOnMock.getArguments();
+
+        assertEquals("RMAuthenticationFilter", args[0]);
+
+        assertEquals(RMAuthenticationFilter.class.getName(), args[1]);
+
+        Map<String, String> conf = (Map<String, String>) args[2];
+        assertEquals("/", conf.get("cookie.path"));
+
+        assertEquals("simple", conf.get("type"));
+        assertEquals("36000", conf.get("token.validity"));
+        assertNull(conf.get("cookie.domain"));
+        assertEquals("true", conf.get("simple.anonymous.allowed"));
+        assertEquals("HTTP/barhost@LOCALHOST", conf.get("kerberos.principal"));
+        assertEquals(System.getProperty("user.home") + "/hadoop.keytab",
+            conf.get("kerberos.keytab"));
+        assertEquals("bar", conf.get("foo"));
+        assertEquals("bar1", conf.get("proxyuser.user.foo"));
+
+        return null;
+      }
+    }).when(container).addFilter(Mockito.<String>anyObject(),
+        Mockito.<String>anyObject(), Mockito.<Map<String, String>>anyObject());
+
+    new RMAuthenticationFilterInitializer().initFilter(container, conf);
+  }
+}
+