ATLAS-3488 :- Update Simple Authentication(file-based) password with ShaPasswordEncoder with Salt.

25044cee · nixonrodrigues · 7aca24fb · 25044cee · 25044cee · 25044cee
Commit 25044cee authored Oct 23, 2019 by nixonrodrigues
14 changed files
--- a/addons/falcon-bridge/src/test/resources/users-credentials.properties
+++ b/addons/falcon-bridge/src/test/resources/users-credentials.properties
-#username=group::sha256-password
+#username=group::sha256+salt-password
-admin=ADMIN::8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918
+admin=ADMIN::a4a88c0872bf652bb9ed803ece5fd6e82354838a9bf59ab4babb1dab322154e1
-rangertagsync=RANGER_TAG_SYNC::e3f67240f5117d1753c940dae9eea772d36ed5fe9bd9c94a300e40413f1afb9d
+rangertagsync=RANGER_TAG_SYNC::0afe7a1968b07d4c3ff4ed8c2d809a32ffea706c66cd795ead9048e81cfaf034
--- a/addons/hbase-bridge/src/test/resources/users-credentials.properties
+++ b/addons/hbase-bridge/src/test/resources/users-credentials.properties
 #username=group::sha256-password
-admin=ADMIN::8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918
+admin=ADMIN::a4a88c0872bf652bb9ed803ece5fd6e82354838a9bf59ab4babb1dab322154e1
-rangertagsync=RANGER_TAG_SYNC::e3f67240f5117d1753c940dae9eea772d36ed5fe9bd9c94a300e40413f1afb9d
+rangertagsync=RANGER_TAG_SYNC::0afe7a1968b07d4c3ff4ed8c2d809a32ffea706c66cd795ead9048e81cfaf034
--- a/addons/hive-bridge/src/test/resources/users-credentials.properties
+++ b/addons/hive-bridge/src/test/resources/users-credentials.properties
 #username=group::sha256-password
-admin=ADMIN::8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918
+admin=ADMIN::a4a88c0872bf652bb9ed803ece5fd6e82354838a9bf59ab4babb1dab322154e1
-rangertagsync=RANGER_TAG_SYNC::e3f67240f5117d1753c940dae9eea772d36ed5fe9bd9c94a300e40413f1afb9d
+rangertagsync=RANGER_TAG_SYNC::0afe7a1968b07d4c3ff4ed8c2d809a32ffea706c66cd795ead9048e81cfaf034
--- a/addons/impala-bridge/src/test/resources/users-credentials.properties
+++ b/addons/impala-bridge/src/test/resources/users-credentials.properties
 #username=group::sha256-password
-admin=ADMIN::8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918
+admin=ADMIN::a4a88c0872bf652bb9ed803ece5fd6e82354838a9bf59ab4babb1dab322154e1
-rangertagsync=RANGER_TAG_SYNC::e3f67240f5117d1753c940dae9eea772d36ed5fe9bd9c94a300e40413f1afb9d
+rangertagsync=RANGER_TAG_SYNC::0afe7a1968b07d4c3ff4ed8c2d809a32ffea706c66cd795ead9048e81cfaf034
--- a/addons/kafka-bridge/src/test/resources/users-credentials.properties
+++ b/addons/kafka-bridge/src/test/resources/users-credentials.properties
 #username=group::sha256-password
-admin=ADMIN::8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918
+admin=ADMIN::a4a88c0872bf652bb9ed803ece5fd6e82354838a9bf59ab4babb1dab322154e1
-rangertagsync=RANGER_TAG_SYNC::e3f67240f5117d1753c940dae9eea772d36ed5fe9bd9c94a300e40413f1afb9d
+rangertagsync=RANGER_TAG_SYNC::0afe7a1968b07d4c3ff4ed8c2d809a32ffea706c66cd795ead9048e81cfaf034
--- a/addons/sqoop-bridge/src/test/resources/users-credentials.properties
+++ b/addons/sqoop-bridge/src/test/resources/users-credentials.properties
 #username=group::sha256-password
-admin=ADMIN::8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918
+admin=ADMIN::a4a88c0872bf652bb9ed803ece5fd6e82354838a9bf59ab4babb1dab322154e1
-rangertagsync=RANGER_TAG_SYNC::e3f67240f5117d1753c940dae9eea772d36ed5fe9bd9c94a300e40413f1afb9d
+rangertagsync=RANGER_TAG_SYNC::0afe7a1968b07d4c3ff4ed8c2d809a32ffea706c66cd795ead9048e81cfaf034
--- a/addons/storm-bridge/src/test/resources/users-credentials.properties
+++ b/addons/storm-bridge/src/test/resources/users-credentials.properties
 #username=group::sha256-password
-admin=ADMIN::8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918
+admin=ADMIN::a4a88c0872bf652bb9ed803ece5fd6e82354838a9bf59ab4babb1dab322154e1
-rangertagsync=RANGER_TAG_SYNC::e3f67240f5117d1753c940dae9eea772d36ed5fe9bd9c94a300e40413f1afb9d
+rangertagsync=RANGER_TAG_SYNC::0afe7a1968b07d4c3ff4ed8c2d809a32ffea706c66cd795ead9048e81cfaf034
--- a/distro/src/conf/users-credentials.properties
+++ b/distro/src/conf/users-credentials.properties
 #username=group::sha256-password
-admin=ADMIN::8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918
+admin=ADMIN::a4a88c0872bf652bb9ed803ece5fd6e82354838a9bf59ab4babb1dab322154e1
-rangertagsync=RANGER_TAG_SYNC::e3f67240f5117d1753c940dae9eea772d36ed5fe9bd9c94a300e40413f1afb9d
+rangertagsync=RANGER_TAG_SYNC::0afe7a1968b07d4c3ff4ed8c2d809a32ffea706c66cd795ead9048e81cfaf034
--- a/intg/src/test/resources/users-credentials.properties
+++ b/intg/src/test/resources/users-credentials.properties
 #username=group::sha256-password
-admin=ADMIN::8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918
+admin=ADMIN::a4a88c0872bf652bb9ed803ece5fd6e82354838a9bf59ab4babb1dab322154e1
-rangertagsync=RANGER_TAG_SYNC::e3f67240f5117d1753c940dae9eea772d36ed5fe9bd9c94a300e40413f1afb9d
+rangertagsync=RANGER_TAG_SYNC::0afe7a1968b07d4c3ff4ed8c2d809a32ffea706c66cd795ead9048e81cfaf034
--- a/webapp/src/main/java/org/apache/atlas/util/CredentialProviderUtility.java
+++ b/webapp/src/main/java/org/apache/atlas/util/CredentialProviderUtility.java
@@ -16,6 +16,10 @@
 */
 package org.apache.atlas.util;
+import org.apache.atlas.web.dao.UserDao;
+import org.apache.commons.cli.BasicParser;
+import org.apache.commons.cli.CommandLine;
+import org.apache.commons.cli.Options;
 import org.apache.commons.lang.StringUtils;
 import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.security.alias.CredentialProvider;
@@ -71,6 +75,36 @@ public class CredentialProviderUtility {
    public static TextDevice textDevice = DEFAULT_TEXT_DEVICE;
    public static void main(String[] args) throws IOException {
+        Options options = new Options();
+        try {
+            createOptions(options);
+            CommandLine cmd = new BasicParser().parse(options, args);
+            boolean generatePasswordOption = cmd.hasOption("g");
+            if (generatePasswordOption) {
+                String userName = cmd.getOptionValue("u");
+                String password = cmd.getOptionValue("p");
+                if (userName != null && password != null) {
+                    String encryptedPassword = UserDao.encrypt(password, userName);
+                    textDevice.printf("Your encrypted password is  : " + encryptedPassword, null);
+                    textDevice.printf("\n", null);
+                } else {
+                    textDevice.printf("Please provide username and password as input. Usage:" +
+                            " cputil.py -g -u <username> -p <password>", null);
+                }
+                return;
+            }
+        } catch (Exception e) {
+            System.out.println("Exception while generatePassword  " + e.getMessage());
+            return;
+        }
        // prompt for the provider name
        CredentialProvider provider = getCredentialProvider(textDevice);
@@ -100,6 +134,12 @@ public class CredentialProviderUtility {
        }
    }
+    private static void createOptions(Options options) {
+        options.addOption("g", "generatePassword", false, "Generate Password");
+        options.addOption("u", "username", true, "UserName");
+        options.addOption("p", "password", true, "Password");
+    }
    /**
     * Retrieves a password from the command line.
     * @param textDevice  the system console.

--- a/webapp/src/main/java/org/apache/atlas/web/dao/UserDao.java
+++ b/webapp/src/main/java/org/apache/atlas/web/dao/UserDao.java
@@ -28,6 +28,7 @@ import javax.annotation.PostConstruct;
 import org.apache.atlas.web.security.AtlasAuthenticationException;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
+import org.springframework.security.authentication.encoding.ShaPasswordEncoder;
 import org.springframework.stereotype.Repository;
 import org.apache.atlas.ApplicationProperties;
 import org.apache.atlas.AtlasException;
@@ -50,6 +51,8 @@ public class UserDao {
    private Properties userLogins;
+    private static final ShaPasswordEncoder sha256Encoder = new ShaPasswordEncoder(256);
    @PostConstruct
    public void init() {
        loadFileLoginsDetails();
@@ -106,14 +109,12 @@ public class UserDao {
        return userDetails;
    }
    @VisibleForTesting
    public void setUserLogins(Properties userLogins) {
        this.userLogins = userLogins;
    }
    public static String getSha256Hash(String base) throws AtlasAuthenticationException {
        try {
            MessageDigest digest = MessageDigest.getInstance("SHA-256");
@@ -132,4 +133,7 @@ public class UserDao {
        }
    }
+    public static String encrypt(String password, String salt) {
+           return sha256Encoder.encodePassword(password, salt);
+    }
 }
--- a/webapp/src/main/java/org/apache/atlas/web/security/AtlasFileAuthenticationProvider.java
+++ b/webapp/src/main/java/org/apache/atlas/web/security/AtlasFileAuthenticationProvider.java
@@ -16,7 +16,9 @@
 */
 package org.apache.atlas.web.security;
+import org.apache.atlas.ApplicationProperties;
 import org.apache.atlas.web.dao.UserDao;
+import org.apache.commons.configuration.Configuration;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.security.authentication.BadCredentialsException;
@@ -28,6 +30,7 @@ import org.springframework.security.core.userdetails.UserDetails;
 import org.springframework.security.core.userdetails.UserDetailsService;
 import org.springframework.stereotype.Component;
+import javax.annotation.PostConstruct;
 import javax.inject.Inject;
 import java.util.Collection;
@@ -38,12 +41,23 @@ public class AtlasFileAuthenticationProvider extends AtlasAbstractAuthentication
    private static Logger logger = LoggerFactory.getLogger(AtlasFileAuthenticationProvider.class);
    private final UserDetailsService userDetailsService;
+    private boolean v1ValidationEnabled = true;
    @Inject
    public AtlasFileAuthenticationProvider(UserDetailsService userDetailsService) {
        this.userDetailsService = userDetailsService;
    }
+    @PostConstruct
+    public void setup() {
+        try {
+            Configuration configuration = ApplicationProperties.get();
+            v1ValidationEnabled = configuration.getBoolean("atlas.authentication.method.file.v1-validation.enabled", true);
+        } catch (Exception e) {
+            logger.error("Exception while setup", e);
+        }
+    }
    @Override
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        String username = authentication.getName();
@@ -61,9 +75,15 @@ public class AtlasFileAuthenticationProvider extends AtlasAbstractAuthentication
        }
        UserDetails user = userDetailsService.loadUserByUsername(username);
+        String encodedPassword = UserDao.encrypt(password, username);
-        String encodedPassword = UserDao.getSha256Hash(password);
+        boolean isValidPassword = encodedPassword.equals(user.getPassword());
+        if (!isValidPassword && v1ValidationEnabled) {
+            encodedPassword = UserDao.getSha256Hash(password);
+        }
        if (!encodedPassword.equals(user.getPassword())) {
            logger.error("Wrong password " + username);
            throw new BadCredentialsException("Wrong password");

--- a/webapp/src/test/java/org/apache/atlas/web/security/FileAuthenticationTest.java
+++ b/webapp/src/test/java/org/apache/atlas/web/security/FileAuthenticationTest.java
@@ -88,15 +88,16 @@ public class FileAuthenticationTest {
        TestUtils.writeConfiguration(configuration, persistDir + File.separator
                + ApplicationProperties.APPLICATION_PROPERTIES);
    }
    private void setupUserCredential(String tmpDir) throws Exception {
        StringBuilder credentialFileStr = new StringBuilder(1024);
-        credentialFileStr.append("admin=ADMIN::8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918\n");
+        credentialFileStr.append("admin=ADMIN::a4a88c0872bf652bb9ed803ece5fd6e82354838a9bf59ab4babb1dab322154e1\n");
+        credentialFileStr.append("adminv1=ADMIN::8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918\n");
        credentialFileStr.append("michael=DATA_SCIENTIST::95bfb24de17d285d734b9eaa9109bfe922adc85f20d2e5e66a78bddb4a4ebddb\n");
        credentialFileStr.append("paul=DATA_STEWARD::e7c0dcf5f8a93e93791e9bac1ae454a691c1d2a902fc4256d489e96c1b9ac68c\n");
        credentialFileStr.append("user=  \n");
-        credentialFileStr.append("user12=  ::bd35283fe8fcfd77d7c05a8bf2adb85c773281927e12c9829c72a9462092f7c4\n");
+        credentialFileStr.append("user12=  ::43d864d8f9b53cd913fc6a665c8470595cefa4a360edeb78cf6c4eac00c0a3a0\n");
        File credentialFile = new File(tmpDir, "users-credentials");
        FileUtils.write(credentialFile, credentialFileStr.toString());
    }
@@ -123,6 +124,18 @@ public class FileAuthenticationTest {
    }
    @Test
+    public void testValidUserLoginWithV1password() {
+        when(authentication.getName()).thenReturn("adminv1");
+        when(authentication.getCredentials()).thenReturn("admin");
+        Authentication auth = authProvider.authenticate(authentication);
+        LOG.debug(" {}", auth);
+        assertTrue(auth.isAuthenticated());
+    }
+    @Test
    public void testInValidPasswordLogin() {
        when(authentication.getName()).thenReturn("admin");

--- a/webapp/src/test/resources/users-credentials.properties
+++ b/webapp/src/test/resources/users-credentials.properties
 #username=group::sha256-password
-admin=ADMIN::8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918
+admin=ADMIN::a4a88c0872bf652bb9ed803ece5fd6e82354838a9bf59ab4babb1dab322154e1
-rangertagsync=RANGER_TAG_SYNC::e3f67240f5117d1753c940dae9eea772d36ed5fe9bd9c94a300e40413f1afb9d
+rangertagsync=RANGER_TAG_SYNC::0afe7a1968b07d4c3ff4ed8c2d809a32ffea706c66cd795ead9048e81cfaf034