ATLAS-3387-Consider X-FORWARDED-FOR header for getting end user IP address when…

ATLAS-3387-Consider X-FORWARDED-FOR header for getting end user IP address when connected with proxy. Signed-off-by: nixonrodrigues <nixon@apache.org>

ATLAS-3387-Consider X-FORWARDED-FOR header for getting end user IP address when…
331fb430 · nikhilbonte · nixonrodrigues · f36fecdf · 331fb430 · 331fb430
Commit 331fb430 authored Aug 27, 2019 by nikhilbonte Committed by nixonrodrigues Sep 09, 2019
9 changed files
--- a/authorization/src/main/java/org/apache/atlas/authorize/AtlasAccessRequest.java
+++ b/authorization/src/main/java/org/apache/atlas/authorize/AtlasAccessRequest.java
@@ -30,6 +30,7 @@ import org.slf4j.LoggerFactory;
 import java.util.Collections;
 import java.util.Date;
 import java.util.HashSet;
+import java.util.List;
 import java.util.Map;
 import java.util.Set;
@@ -43,6 +44,8 @@ public class AtlasAccessRequest {
    private       String         user            = null;
    private       Set<String>    userGroups      = null;
    private       String         clientIPAddress = null;
+    private       List<String>   forwardedAddresses;
+    private       String         remoteIPAddress;
    protected AtlasAccessRequest(AtlasPrivilege action) {
@@ -50,7 +53,14 @@ public class AtlasAccessRequest {
    }
    protected AtlasAccessRequest(AtlasPrivilege action, String user, Set<String> userGroups) {
-        this(action, user, userGroups, new Date(), null);
+        this(action, user, userGroups, new Date(), null, null, null);
+    }
+    protected AtlasAccessRequest(AtlasPrivilege action, String user, Set<String> userGroups, Date accessTime,
+                                 String clientIPAddress, List<String> forwardedAddresses, String remoteIPAddress) {
+        this(action, user, userGroups, accessTime, clientIPAddress);
+        this.forwardedAddresses  = forwardedAddresses;
+        this.remoteIPAddress     = remoteIPAddress;
    }
    protected AtlasAccessRequest(AtlasPrivilege action, String user, Set<String> userGroups, Date accessTime, String clientIPAddress) {
@@ -82,10 +92,26 @@ public class AtlasAccessRequest {
        this.userGroups = userGroups;
    }
+    public List<String> getForwardedAddresses() {
+        return forwardedAddresses;
+    }
+    public String getRemoteIPAddress() {
+        return remoteIPAddress;
+    }
    public String getClientIPAddress() {
        return clientIPAddress;
    }
+    public void setForwardedAddresses(List<String> forwardedAddresses) {
+        this.forwardedAddresses = forwardedAddresses;
+    }
+    public void setRemoteIPAddress(String remoteIPAddress) {
+        this.remoteIPAddress = remoteIPAddress;
+    }
    public void setClientIPAddress(String clientIPAddress) {
        this.clientIPAddress = clientIPAddress;
    }
@@ -168,7 +194,10 @@ public class AtlasAccessRequest {
    @Override
    public String toString() {
-        return "AtlasAccessRequest[action=" + action + ", accessTime=" + accessTime + ", user=" + user +
+        return "AtlasAccessRequest[" + "action=" + action + ", accessTime=" + accessTime +", user='" + user + '\'' +
-                                   ", userGroups=" + userGroups + ", clientIPAddress=" + clientIPAddress + "]";
+                ", userGroups=" + userGroups + ", clientIPAddress='" + clientIPAddress + '\'' +
+                ", forwardedAddresses=" + forwardedAddresses + ", remoteIPAddress='" + remoteIPAddress + '\'' +
+                ']';
    }
 }
--- a/authorization/src/main/java/org/apache/atlas/authorize/AtlasAdminAccessRequest.java
+++ b/authorization/src/main/java/org/apache/atlas/authorize/AtlasAdminAccessRequest.java
@@ -33,6 +33,7 @@ public class AtlasAdminAccessRequest extends AtlasAccessRequest {
    @Override
    public String toString() {
        return "AtlasAdminAccessRequest[action=" + getAction() + ", accessTime=" + getAccessTime() + ", user=" + getUser() +
-                                        ", userGroups=" + getUserGroups() + ", clientIPAddress=" + getClientIPAddress() + "]";
+                                        ", userGroups=" + getUserGroups() + ", clientIPAddress=" + getClientIPAddress() +
+                ", forwardedAddresses=" + getForwardedAddresses() + ", remoteIPAddress=" + getRemoteIPAddress() + "]";
    }
 }
--- a/authorization/src/main/java/org/apache/atlas/authorize/AtlasAuthorizationUtils.java
+++ b/authorization/src/main/java/org/apache/atlas/authorize/AtlasAuthorizationUtils.java
@@ -35,6 +35,8 @@ import java.net.InetAddress;
 import java.net.UnknownHostException;
 import java.util.HashSet;
 import java.util.Set;
+import java.util.List;
+import java.util.Arrays;
 public class AtlasAuthorizationUtils {
    private static final Logger LOG = LoggerFactory.getLogger(AtlasAuthorizationUtils.class);
@@ -79,6 +81,8 @@ public class AtlasAuthorizationUtils {
                request.setUser(userName, getCurrentUserGroups());
                request.setClientIPAddress(RequestContext.get().getClientIPAddress());
+                request.setForwardedAddresses(RequestContext.get().getForwardedAddresses());
+                request.setRemoteIPAddress(RequestContext.get().getClientIPAddress());
                authorizer.scrubSearchResults(request);
            } catch (AtlasAuthorizationException e) {
@@ -99,6 +103,8 @@ public class AtlasAuthorizationUtils {
                request.setUser(userName, getCurrentUserGroups());
                request.setClientIPAddress(RequestContext.get().getClientIPAddress());
+                request.setForwardedAddresses(RequestContext.get().getForwardedAddresses());
+                request.setRemoteIPAddress(RequestContext.get().getClientIPAddress());
                ret = authorizer.isAccessAllowed(request);
            } catch (AtlasAuthorizationException e) {
                LOG.error("Unable to obtain AtlasAuthorizer", e);
@@ -124,6 +130,8 @@ public class AtlasAuthorizationUtils {
                request.setUser(getCurrentUserName(), getCurrentUserGroups());
                request.setClientIPAddress(RequestContext.get().getClientIPAddress());
+                request.setForwardedAddresses(RequestContext.get().getForwardedAddresses());
+                request.setRemoteIPAddress(RequestContext.get().getClientIPAddress());
                ret = authorizer.isAccessAllowed(request);
            } catch (AtlasAuthorizationException e) {
                LOG.error("Unable to obtain AtlasAuthorizer", e);
@@ -149,6 +157,8 @@ public class AtlasAuthorizationUtils {
                request.setUser(getCurrentUserName(), getCurrentUserGroups());
                request.setClientIPAddress(RequestContext.get().getClientIPAddress());
+                request.setForwardedAddresses(RequestContext.get().getForwardedAddresses());
+                request.setRemoteIPAddress(RequestContext.get().getClientIPAddress());
                ret = authorizer.isAccessAllowed(request);
            } catch (AtlasAuthorizationException e) {
                LOG.error("Unable to obtain AtlasAuthorizer", e);
@@ -174,6 +184,8 @@ public class AtlasAuthorizationUtils {
                request.setUser(getCurrentUserName(), getCurrentUserGroups());
                request.setClientIPAddress(RequestContext.get().getClientIPAddress());
+                request.setForwardedAddresses(RequestContext.get().getForwardedAddresses());
+                request.setRemoteIPAddress(RequestContext.get().getClientIPAddress());
                ret = authorizer.isAccessAllowed(request);
            } catch (AtlasAuthorizationException e) {
                LOG.error("Unable to obtain AtlasAuthorizer", e);
@@ -187,6 +199,16 @@ public class AtlasAuthorizationUtils {
        return ret;
    }
+    public static List<String> getForwardedAddressesFromRequest(HttpServletRequest httpServletRequest){
+        String ipAddress = httpServletRequest.getHeader("X-FORWARDED-FOR");
+        String[] forwardedAddresses = null ;
+        if(!StringUtils.isEmpty(ipAddress)){
+            forwardedAddresses = ipAddress.split(",");
+        }
+        return forwardedAddresses != null ? Arrays.asList(forwardedAddresses) : null;
+    }
    public static String getRequestIpAddress(HttpServletRequest httpServletRequest) {
        String ret = "";

--- a/authorization/src/main/java/org/apache/atlas/authorize/AtlasEntityAccessRequest.java
+++ b/authorization/src/main/java/org/apache/atlas/authorize/AtlasEntityAccessRequest.java
@@ -107,8 +107,9 @@ public class AtlasEntityAccessRequest extends AtlasAccessRequest {
    @Override
    public String toString() {
        return "AtlasEntityAccessRequest[entity=" + entity + ", classification=" + classification + ", attributeName=" + attributeName +
-                                         ", action=" + getAction() + ", accessTime=" + getAccessTime() + ", user=" + getUser() +
+                ", action=" + getAction() + ", accessTime=" + getAccessTime() + ", user=" + getUser() +
-                                         ", userGroups=" + getUserGroups() + ", clientIPAddress=" + getClientIPAddress() + "]";
+                ", userGroups=" + getUserGroups() + ", clientIPAddress=" + getClientIPAddress() +
+                ", forwardedAddresses=" + getForwardedAddresses() + ", remoteIPAddress=" + getRemoteIPAddress() + "]";
    }
 }

--- a/authorization/src/main/java/org/apache/atlas/authorize/AtlasRelationshipAccessRequest.java
+++ b/authorization/src/main/java/org/apache/atlas/authorize/AtlasRelationshipAccessRequest.java
@@ -88,6 +88,7 @@ public class AtlasRelationshipAccessRequest extends AtlasAccessRequest {
    public String toString() {
        return "AtlasRelationshipAccessRequest[relationshipType=" + relationshipType + ", end1Entity=" + end1Entity + ", end2Entity=" + end2Entity +
                ", action=" + getAction() + ", accessTime=" + getAccessTime() + ", user=" + getUser() +
-                ", userGroups=" + getUserGroups() + ", clientIPAddress=" + getClientIPAddress() + "]";
+                ", userGroups=" + getUserGroups() + ", clientIPAddress=" + getClientIPAddress() +
+                ", forwardedAddresses=" + getForwardedAddresses() + ", remoteIPAddress=" + getRemoteIPAddress() + "]";
    }
 }
--- a/authorization/src/main/java/org/apache/atlas/authorize/AtlasSearchResultScrubRequest.java
+++ b/authorization/src/main/java/org/apache/atlas/authorize/AtlasSearchResultScrubRequest.java
@@ -47,7 +47,8 @@ public class AtlasSearchResultScrubRequest extends AtlasAccessRequest {
    @Override
    public String toString() {
        return "AtlasSearchResultScrubRequest[searchResult=" + searchResult + ", action=" + getAction() + ", accessTime=" + getAccessTime() + ", user=" + getUser() +
-                                         ", userGroups=" + getUserGroups() + ", clientIPAddress=" + getClientIPAddress() + "]";
+                ", userGroups=" + getUserGroups() + ", clientIPAddress=" + getClientIPAddress() +
+                ", forwardedAddresses=" + getForwardedAddresses() + ", remoteIPAddress=" + getRemoteIPAddress() + "]";
    }
 }

--- a/authorization/src/main/java/org/apache/atlas/authorize/AtlasTypeAccessRequest.java
+++ b/authorization/src/main/java/org/apache/atlas/authorize/AtlasTypeAccessRequest.java
@@ -44,6 +44,7 @@ public class AtlasTypeAccessRequest extends AtlasAccessRequest {
    @Override
    public String toString() {
        return "AtlasEntityAccessRequest[typeDef=" + typeDef + ", action=" + getAction() + ", accessTime=" + getAccessTime() +
-                                         ", user=" + getUser() + ", userGroups=" + getUserGroups() + ", clientIPAddress=" + getClientIPAddress() + "]";
+                ", user=" + getUser() + ", userGroups=" + getUserGroups() + ", clientIPAddress=" + getClientIPAddress() +
+                ", forwardedAddresses=" + getForwardedAddresses() + ", remoteIPAddress=" + getRemoteIPAddress() + "]";
    }
 }
--- a/server-api/src/main/java/org/apache/atlas/RequestContext.java
+++ b/server-api/src/main/java/org/apache/atlas/RequestContext.java
@@ -29,7 +29,14 @@ import org.apache.commons.lang.StringUtils;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
-import java.util.*;
+import java.util.Collection;
+import java.util.List;
+import java.util.Set;
+import java.util.Map;
+import java.util.ArrayList;
+import java.util.HashSet;
+import java.util.HashMap;
 public class RequestContext {
    private static final Logger METRICS = LoggerFactory.getLogger("METRICS");
@@ -48,10 +55,11 @@ public class RequestContext {
    private final AtlasPerfMetrics                       metrics             = isMetricsEnabled ? new AtlasPerfMetrics() : null;
    private       List<EntityGuidPair>                   entityGuidInRequest = null;
-    private String      user;
+    private String       user;
-    private Set<String> userGroups;
+    private Set<String>  userGroups;
-    private String      clientIPAddress;
+    private String       clientIPAddress;
-    private DeleteType  deleteType   = DeleteType.DEFAULT;
+    private List<String> forwardedAddresses;
+    private DeleteType   deleteType   = DeleteType.DEFAULT;
    private int         maxAttempts  = 1;
    private int         attemptCount = 1;
    private boolean     isImportInProgress = false;
@@ -354,4 +362,12 @@ public class RequestContext {
            entity.setGuid(guid);
        }
    }
+    public List<String> getForwardedAddresses() {
+        return forwardedAddresses;
+    }
+    public void setForwardedAddresses(List<String> forwardedAddresses) {
+        this.forwardedAddresses = forwardedAddresses;
+    }
 }
--- a/webapp/src/main/java/org/apache/atlas/web/filters/AuditFilter.java
+++ b/webapp/src/main/java/org/apache/atlas/web/filters/AuditFilter.java
@@ -91,6 +91,7 @@ public class AuditFilter implements Filter {
            requestContext.setUser(user, userGroups);
            requestContext.setClientIPAddress(AtlasAuthorizationUtils.getRequestIpAddress(httpRequest));
            requestContext.setCreateShellEntityForNonExistingReference(createShellEntityForNonExistingReference);
+            requestContext.setForwardedAddresses(AtlasAuthorizationUtils.getForwardedAddressesFromRequest(httpRequest));
            if (StringUtils.isNotEmpty(deleteType)) {
                if (deleteTypeOverrideEnabled) {