Mihaly Szjatinya has uploaded a new patch set (#11). ( http://gerrit.cloudera.org:8080/23237 )

Change subject: IMPALA-14285: Add SAML2 authentication support for Impala Web UI
......................................................................

IMPALA-14285: Add SAML2 authentication support for Impala Web UI

This change introduces SAML2 Browser Profile authentication for the
Impala Web UI, largely reusing and adapting the approach from
IMPALA-10437 (HS2-HTTP server). The implementation is simplified for the
webserver context, where the browser acts as the SAML client. The flow
consists of:
1. Redirecting the user to the SSO provider for authentication
2. Validating the SAML authNResponse and redirecting back to the
original resource with a Set-Cookie header

The initial resource URI is preserved as RelayState and restored after
successful authentication.

Key changes:
- Refactored C++ webserver and authentication utilities to support SAML2
flow
- Added new Java classes for SAML relay state and client logic
- Added and refactored end-to-end tests for SAML2 SSO in the webserver

Notes:
- Supposedly SAML authentication may be used alongside other methods,
but the logic is not fully clear yet; also this would require additional
testing

Change-Id: I12540300529f9c240abf7196141ecb0ae6e37995
---
M be/src/kudu/util/web_callback_registry.h
M be/src/rpc/authentication-util.cc
M be/src/rpc/authentication-util.h
M be/src/rpc/authentication.cc
M be/src/transport/THttpServer.cpp
M be/src/transport/THttpServer.h
M be/src/util/backend-gflag-util.cc
M be/src/util/webserver.cc
M be/src/util/webserver.h
M common/thrift/BackendGflags.thrift
M common/thrift/metrics.json
M fe/src/main/java/org/apache/impala/authentication/saml/HiveSamlAuthTokenGenerator.java
D fe/src/main/java/org/apache/impala/authentication/saml/HiveSamlHttpServlet.java
M fe/src/main/java/org/apache/impala/authentication/saml/HiveSamlRelayStateInfo.java
A fe/src/main/java/org/apache/impala/authentication/saml/HiveSamlRelayStateInfoHS2.java
A fe/src/main/java/org/apache/impala/authentication/saml/HiveSamlRelayStateInfoWS.java
D fe/src/main/java/org/apache/impala/authentication/saml/HiveSamlRelayStateStore.java
A fe/src/main/java/org/apache/impala/authentication/saml/HiveSamlRelayStateStoreBase.java
A fe/src/main/java/org/apache/impala/authentication/saml/HiveSamlRelayStateStoreHS2.java
A fe/src/main/java/org/apache/impala/authentication/saml/HiveSamlRelayStateStoreWS.java
D fe/src/main/java/org/apache/impala/authentication/saml/ImpalaSamlClient.java
A fe/src/main/java/org/apache/impala/authentication/saml/ImpalaSamlClientBase.java
A fe/src/main/java/org/apache/impala/authentication/saml/ImpalaSamlClientHS2.java
A fe/src/main/java/org/apache/impala/authentication/saml/ImpalaSamlClientWS.java
M fe/src/main/java/org/apache/impala/service/BackendConfig.java
M fe/src/main/java/org/apache/impala/service/Frontend.java
M fe/src/main/java/org/apache/impala/service/JniFrontend.java
M tests/common/impala_cluster.py
M tests/common/impala_service.py
M tests/common/impala_test_suite.py
M tests/custom_cluster/test_saml2_sso.py
31 files changed, 1,598 insertions(+), 789 deletions(-)


  git pull ssh://gerrit.cloudera.org:29418/Impala-ASF refs/changes/37/23237/11
--
To view, visit http://gerrit.cloudera.org:8080/23237
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: newpatchset
Gerrit-Change-Id: I12540300529f9c240abf7196141ecb0ae6e37995
Gerrit-Change-Number: 23237
Gerrit-PatchSet: 11
Gerrit-Owner: Mihaly Szjatinya <[email protected]>
Gerrit-Reviewer: Abhishek Rawat <[email protected]>
Gerrit-Reviewer: Csaba Ringhofer <[email protected]>
Gerrit-Reviewer: Impala Public Jenkins <[email protected]>
Gerrit-Reviewer: Mihaly Szjatinya <[email protected]>
Gerrit-Reviewer: Riza Suminto <[email protected]>
