ATLAS-661 REST API Authentication (nixonrodrigues via yhemanth)

addons/hive-bridge/src/main/java/org/apache/atlas/hive/bridge/HiveMetaStoreBridge.java

@@ -32,6 +32,7 @@ import org.apache.atlas.typesystem.Struct;
 import org.apache.atlas.typesystem.json.InstanceSerialization;
 import org.apache.atlas.typesystem.json.TypesSerialization;
 import org.apache.atlas.typesystem.persistence.Id;
+import org.apache.atlas.utils.AuthenticationUtil;
 import org.apache.commons.configuration.Configuration;
 import org.apache.hadoop.hive.conf.HiveConf;
 import org.apache.hadoop.hive.metastore.api.Database;
@@ -43,12 +44,12 @@ import org.apache.hadoop.hive.metastore.api.hive_metastoreConstants;
 import org.apache.hadoop.hive.ql.metadata.Hive;
 import org.apache.hadoop.hive.ql.metadata.HiveException;
 import org.apache.hadoop.hive.ql.metadata.Table;
+import org.apache.hadoop.security.UserGroupInformation;
 import org.codehaus.jettison.json.JSONArray;
 import org.codehaus.jettison.json.JSONException;
 import org.codehaus.jettison.json.JSONObject;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
-
 import java.util.ArrayList;
 import java.util.Date;
 import java.util.List;
@@ -533,9 +534,18 @@ public class HiveMetaStoreBridge {
     }
 
     public static void main(String[] argv) throws Exception {
+
         Configuration atlasConf = ApplicationProperties.get();
         String atlasEndpoint = atlasConf.getString(ATLAS_ENDPOINT, DEFAULT_DGI_URL);
-        AtlasClient atlasClient = new AtlasClient(atlasEndpoint);
+        AtlasClient atlasClient;
+
+        if (!AuthenticationUtil.isKerberosAuthicationEnabled()) {
+            String[] basicAuthUsernamePassword = AuthenticationUtil.getBasicAuthenticationInput();
+            atlasClient = new AtlasClient(new String[]{atlasEndpoint}, basicAuthUsernamePassword);
+        } else {
+            UserGroupInformation ugi = UserGroupInformation.getCurrentUser();
+            atlasClient = new AtlasClient(ugi, ugi.getShortUserName(), atlasEndpoint);
+        }
 
         HiveMetaStoreBridge hiveMetaStoreBridge = new HiveMetaStoreBridge(new HiveConf(), atlasClient);
         hiveMetaStoreBridge.registerHiveDataModel();

client/src/main/java/org/apache/atlas/AtlasAdminClient.java

@@ -18,6 +18,7 @@
 
 package org.apache.atlas;
 
+import org.apache.atlas.utils.AuthenticationUtil;
 import org.apache.commons.cli.CommandLine;
 import org.apache.commons.cli.CommandLineParser;
 import org.apache.commons.cli.GnuParser;
@@ -27,6 +28,7 @@ import org.apache.commons.cli.Options;
 import org.apache.commons.cli.ParseException;
 import org.apache.commons.configuration.Configuration;
 
+
 /**
  * An application that allows users to run admin commands against an Atlas server.
  *
@@ -60,7 +62,14 @@ public class AtlasAdminClient {
         Configuration configuration = ApplicationProperties.get();
         String atlasServerUri = configuration.getString(
                 AtlasConstants.ATLAS_REST_ADDRESS_KEY, AtlasConstants.DEFAULT_ATLAS_REST_ADDRESS);
-        AtlasClient atlasClient = new AtlasClient(atlasServerUri);
+
+        AtlasClient atlasClient = null;
+        if (!AuthenticationUtil.isKerberosAuthicationEnabled()) {
+            String[] basicAuthUsernamePassword = AuthenticationUtil.getBasicAuthenticationInput();
+            atlasClient = new AtlasClient(new String[]{atlasServerUri}, basicAuthUsernamePassword);
+        } else {
+            atlasClient = new AtlasClient(atlasServerUri, null, null);
+        }
         return handleCommand(commandLine, atlasServerUri, atlasClient);
     }
 

client/src/main/java/org/apache/atlas/AtlasClient.java

@@ -36,6 +36,7 @@ import org.apache.atlas.typesystem.types.AttributeDefinition;
 import org.apache.atlas.typesystem.types.HierarchicalTypeDefinition;
 import org.apache.atlas.typesystem.types.TraitType;
 import org.apache.atlas.typesystem.types.utils.TypesUtil;
+import org.apache.atlas.utils.AuthenticationUtil;
 import org.apache.commons.configuration.Configuration;
 import org.apache.commons.lang.StringUtils;
 import org.apache.hadoop.security.UserGroupInformation;
@@ -44,7 +45,6 @@ import org.codehaus.jettison.json.JSONException;
 import org.codehaus.jettison.json.JSONObject;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
-
 import javax.ws.rs.HttpMethod;
 import javax.ws.rs.core.MediaType;
 import javax.ws.rs.core.Response;
@@ -55,7 +55,7 @@ import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.Collection;
 import java.util.List;
-
+import com.sun.jersey.api.client.filter.HTTPBasicAuthFilter;
 import static org.apache.atlas.security.SecurityProperties.TLS_ENABLED;
 
 /**
@@ -125,6 +125,16 @@ public class AtlasClient {
     private WebResource service;
     private AtlasClientContext atlasClientContext;
     private Configuration configuration;
+    private String basicAuthUser;
+    private String basicAuthPassword;
+
+
+    // New constuctor for Basic auth
+    public AtlasClient(String[] baseUrl, String[] basicAuthUserNamepassword) {
+        this.basicAuthUser = basicAuthUserNamepassword[0];
+        this.basicAuthPassword = basicAuthUserNamepassword[1];
+        initializeState(baseUrl, null, null);
+    }
 
     /**
      * Create a new Atlas client.
@@ -170,6 +180,12 @@ public class AtlasClient {
     private void initializeState(String[] baseUrls, UserGroupInformation ugi, String doAsUser) {
         configuration = getClientProperties();
         Client client = getClient(configuration, ugi, doAsUser);
+
+        if ((!AuthenticationUtil.isKerberosAuthicationEnabled()) && basicAuthUser!=null && basicAuthPassword!=null) {
+            final HTTPBasicAuthFilter authFilter = new HTTPBasicAuthFilter(basicAuthUser, basicAuthPassword);
+            client.addFilter(authFilter);
+        }
+
         String activeServiceUrl = determineActiveServiceURL(baseUrls, client);
         atlasClientContext = new AtlasClientContext(baseUrls, client, ugi, doAsUser);
         service = client.resource(UriBuilder.fromUri(activeServiceUrl).build());
@@ -195,9 +211,14 @@ public class AtlasClient {
             LOG.info("Error processing client configuration.", e);
         }
 
-        URLConnectionClientHandler handler =
-            SecureClientUtils.getClientConnectionHandler(config, clientConfig, doAsUser, ugi);
+        URLConnectionClientHandler handler = null;
 
+        if ((!AuthenticationUtil.isKerberosAuthicationEnabled()) && basicAuthUser!=null && basicAuthPassword!=null) {
+            handler = new URLConnectionClientHandler();
+        } else {
+            handler =
+                    SecureClientUtils.getClientConnectionHandler(config, clientConfig, doAsUser, ugi);
+        }
         Client client = new Client(handler, config);
         client.setReadTimeout(readTimeout);
         client.setConnectTimeout(connectTimeout);
@@ -1049,6 +1070,8 @@ public class AtlasClient {
         public AtlasClientContext(String[] baseUrls, Client client, UserGroupInformation ugi, String doAsUser) {
             this.baseUrls = baseUrls;
             this.client = client;
+            this.ugi = ugi;
+            this.doAsUser = doAsUser;
         }
 
         public Client getClient() {
@@ -1068,4 +1091,5 @@ public class AtlasClient {
         }
     }
 
+
 }

common/src/main/java/org/apache/atlas/utils/AuthenticationUtil.java

+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.atlas.utils;
+
+import org.apache.atlas.ApplicationProperties;
+import org.apache.atlas.AtlasException;
+import org.apache.commons.configuration.Configuration;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import java.io.BufferedReader;
+import java.io.InputStreamReader;
+
+/**
+ * Util class for Authentication.
+ */
+public final class AuthenticationUtil {
+    private static final Logger LOG = LoggerFactory.getLogger(AuthenticationUtil.class);
+
+    private AuthenticationUtil() {
+    }
+
+    public static boolean isKerberosAuthicationEnabled() {
+        boolean isKerberosAuthicationEnabled = false;
+        try {
+            Configuration atlasConf = ApplicationProperties.get();
+
+            if ("true".equalsIgnoreCase(atlasConf.getString("atlas.http.authentication.enabled"))
+                    && "kerberos".equalsIgnoreCase(atlasConf.getString("atlas.http.authentication.type"))) {
+                isKerberosAuthicationEnabled = true;
+            } else {
+                isKerberosAuthicationEnabled = false;
+            }
+
+        } catch (AtlasException e) {
+            LOG.error("Error while isKerberosAuthicationEnabled ", e);
+        }
+        return isKerberosAuthicationEnabled;
+    }
+
+    public static String[] getBasicAuthenticationInput() {
+        String username = null;
+        String password = null;
+
+        try {
+            BufferedReader bufferRead = new BufferedReader(new InputStreamReader(System.in));
+            System.out.println("Enter username for atlas :-");
+            username = bufferRead.readLine();
+            System.out.println("Enter password for atlas :-");
+            password = bufferRead.readLine();
+        } catch (Exception e) {
+            System.out.print("Error while reading ");
+            System.exit(1);
+        }
+        return new String[]{username, password};
+    }
+
+}

dashboardv2/public/js/utils/Utils.js

@@ -74,31 +74,12 @@
         });
     };
     Utils.defaultErrorHandler = function(model, error) {
-        /*
-                require(['views/common/ErrorView', 'App'], function(vError, App) {
-                    if (error.status == 404) {
-                        App.rContent.show(new vError({
-                            status: error.status
-                        }));
-                    } else if (error.status == 401) {
-                        App.rContent.show(new vError({
-                            status: error.status
-                        }));
+        if (error.status == 401) {
+             window.location = '/login.jsp'
         } else if (error.status == 419) {
-                        window.location = 'login.jsp'
-                    } else if (error.status == "0") {
-                        var diffTime = (new Date().getTime() - prevNetworkErrorTime);
-                        if (diffTime > 3000) {
-                            prevNetworkErrorTime = new Date().getTime();
-                            Utils.notifyError({
-                                content: "Network Connection Failure : " +
-                                    "It seems you are not connected to the internet. Please check your internet connection and try again"
-                            })
-
-                        }
+             window.location = '/login.jsp'
         }
-                });
-            */
+
     };
 
     Utils.localStorage = {

distro/src/conf/users-credentials.properties

-#username=password
-admin=admin
-user=user123
+#username=group::sha256-password
+admin=ADMIN::8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918
+michael=DATA_SCIENTIST::95bfb24de17d285d734b9eaa9109bfe922adc85f20d2e5e66a78bddb4a4ebddb
+paul=DATA_STEWARD::e7c0dcf5f8a93e93791e9bac1ae454a691c1d2a902fc4256d489e96c1b9ac68c

release-log.txt

@@ -3,6 +3,7 @@ Apache Atlas Release Notes
 
 --trunk - unreleased
 INCOMPATIBLE CHANGES:
+ATLAS-661 REST API Authentication (nixonrodrigues via yhemanth)
 ATLAS-672 UI: Make dashboard v2 the default UI implementation (bergenholtz via yhemanth)
 ATLAS-532 Change Data types of all timestamps in Hive model(currently long)(sumasai via yhemanth)
 ATLAS-622 Introduce soft delete (shwethags)

webapp/src/main/java/org/apache/atlas/examples/QuickStart.java

@@ -18,6 +18,7 @@
 
 package org.apache.atlas.examples;
 
+import com.google.common.annotations.VisibleForTesting;
 import com.google.common.base.Preconditions;
 import com.google.common.collect.ImmutableList;
 import com.google.common.collect.ImmutableSet;
@@ -39,9 +40,9 @@ import org.apache.atlas.typesystem.types.Multiplicity;
 import org.apache.atlas.typesystem.types.StructTypeDefinition;
 import org.apache.atlas.typesystem.types.TraitType;
 import org.apache.atlas.typesystem.types.utils.TypesUtil;
+import org.apache.atlas.utils.AuthenticationUtil;
 import org.apache.commons.configuration.Configuration;
 import org.codehaus.jettison.json.JSONArray;
-
 import java.util.List;
 
 /**
@@ -70,8 +71,24 @@ public class QuickStart {
     public static final String INPUT_TABLES_ATTRIBUTE = "inputTables";
 
     public static void main(String[] args) throws Exception {
+        String[] basicAuthUsernamePassword = null;
+        if (!AuthenticationUtil.isKerberosAuthicationEnabled()) {
+            basicAuthUsernamePassword = AuthenticationUtil.getBasicAuthenticationInput();
+        }
+
+        runQuickstart(args, basicAuthUsernamePassword);
+    }
+
+    @VisibleForTesting
+    static void runQuickstart(String[] args, String[] basicAuthUsernamePassword) throws Exception {
         String baseUrl = getServerUrl(args);
-        QuickStart quickStart = new QuickStart(baseUrl);
+        QuickStart quickStart;
+
+        if (!AuthenticationUtil.isKerberosAuthicationEnabled()) {
+            quickStart = new QuickStart(baseUrl, basicAuthUsernamePassword);
+        } else {
+            quickStart = new QuickStart(baseUrl);
+        }
 
         // Shows how to create types in Atlas for your meta model
         quickStart.createTypes();
@@ -111,11 +128,17 @@ public class QuickStart {
 
     private final AtlasClient metadataServiceClient;
 
+    QuickStart(String baseUrl,String[] basicAuthUsernamePassword) {
+        String[] urls = baseUrl.split(",");
+        metadataServiceClient = new AtlasClient(urls,basicAuthUsernamePassword);
+    }
+
     QuickStart(String baseUrl) throws AtlasException {
         String[] urls = baseUrl.split(",");
         metadataServiceClient = new AtlasClient(urls);
     }
 
+
     void createTypes() throws Exception {
         TypesDef typesDef = createTypeDefinitions();
 

webapp/src/main/java/org/apache/atlas/web/dao/UserDao.java

@@ -20,8 +20,11 @@ package org.apache.atlas.web.dao;
 import com.google.common.annotations.VisibleForTesting;
 import java.io.FileInputStream;
 import java.io.IOException;
+import java.util.ArrayList;
 import java.util.Properties;
+import java.util.List;
 import javax.annotation.PostConstruct;
+import org.apache.atlas.web.security.AtlasAuthenticationException;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.stereotype.Repository;
@@ -29,7 +32,13 @@ import org.apache.atlas.ApplicationProperties;
 import org.apache.atlas.AtlasException;
 import org.apache.atlas.web.model.User;
 import org.apache.commons.configuration.Configuration;
+import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.core.authority.SimpleGrantedAuthority;
 import org.springframework.security.core.userdetails.UsernameNotFoundException;
+import java.security.MessageDigest;
+import org.springframework.security.core.AuthenticationException;
+import org.springframework.util.StringUtils;
+
 
 @Repository
 public class UserDao {
@@ -65,21 +74,59 @@ public class UserDao {
     }
 
     public User loadUserByUsername(final String username)
-            throws UsernameNotFoundException {
-        String password = userLogins.getProperty(username);
-        if (password == null || password.isEmpty()) {
+            throws AuthenticationException {
+        String userdetailsStr = userLogins.getProperty(username);
+        if (userdetailsStr == null || userdetailsStr.isEmpty()) {
             throw new UsernameNotFoundException("Username not found."
                     + username);
         }
-        User user = new User();
-        user.setUsername(username);
-        user.setPassword(password);
-        return user;
+        String password = "";
+        String role = "";
+        String dataArr[] = userdetailsStr.split("::");
+        if (dataArr != null && dataArr.length == 2) {
+            role = dataArr[0];
+            password = dataArr[1];
+        } else {
+            LOG.error("User role credentials is not set properly for " + username);
+            throw new AtlasAuthenticationException("User role credentials is not set properly for " + username );
+        }
+
+        List<GrantedAuthority> grantedAuths = new ArrayList<GrantedAuthority>();
+        if (StringUtils.hasText(role)) {
+            grantedAuths.add(new SimpleGrantedAuthority(role));
+        } else {
+            LOG.error("User role credentials is not set properly for " + username);
+            throw new AtlasAuthenticationException("User role credentials is not set properly for " + username );
+        }
+
+        User userDetails = new User(username, password, grantedAuths);
+
+        return userDetails;
     }
     
+
     @VisibleForTesting
     public void setUserLogins(Properties userLogins) {
         this.userLogins = userLogins;
     }
 
+
+    public static String getSha256Hash(String base) throws AtlasAuthenticationException {
+        try {
+            MessageDigest digest = MessageDigest.getInstance("SHA-256");
+            byte[] hash = digest.digest(base.getBytes("UTF-8"));
+            StringBuffer hexString = new StringBuffer();
+
+            for (int i = 0; i < hash.length; i++) {
+                String hex = Integer.toHexString(0xff & hash[i]);
+                if (hex.length() == 1) hexString.append('0');
+                hexString.append(hex);
+            }
+            return hexString.toString();
+
+        } catch (Exception ex) {
+            throw new AtlasAuthenticationException("Exception while encoding password.", ex);
+        }
+    }
+
 }

webapp/src/main/java/org/apache/atlas/web/filters/AtlasAuthenticationEntryPoint.java

@@ -21,8 +21,6 @@ import java.io.IOException;
 import javax.servlet.ServletException;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
-
-import org.apache.atlas.Atlas;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.security.core.AuthenticationException;
@@ -31,15 +29,23 @@ import org.springframework.security.web.authentication.LoginUrlAuthenticationEnt
 @SuppressWarnings("deprecation")
 class AtlasAuthenticationEntryPoint extends LoginUrlAuthenticationEntryPoint {
 
-    private static final Logger LOG = LoggerFactory.getLogger(Atlas.class);
+    private static final Logger LOG = LoggerFactory.getLogger(AtlasAuthenticationEntryPoint.class);
 
     private String loginPath = "/login.jsp";
 
     @Override
     public void commence(HttpServletRequest request, HttpServletResponse response, AuthenticationException authException)
             throws IOException, ServletException {
-        LOG.debug("redirecting to login page loginPath" + loginPath);
 
+
+        String ajaxRequestHeader = request.getHeader("X-Requested-With");
+        response.setHeader("X-Frame-Options", "DENY");
+
+        if ("XMLHttpRequest".equals(ajaxRequestHeader)) {
+            response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
+        } else {
+            LOG.debug("redirecting to login page loginPath" + loginPath);
             response.sendRedirect(loginPath);
         }
+    }
 }

webapp/src/main/java/org/apache/atlas/web/security/AtlasADAuthenticationProvider.java

@@ -25,16 +25,12 @@ import javax.annotation.PostConstruct;
 import org.apache.atlas.util.PropertiesUtil;
 import org.apache.atlas.web.model.User;
 import org.apache.log4j.Logger;
-import org.springframework.ldap.core.support.LdapContextSource;
 import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.AuthenticationException;
 import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.core.userdetails.UserDetails;
-import org.springframework.security.ldap.DefaultSpringSecurityContextSource;
-import org.springframework.security.ldap.authentication.BindAuthenticator;
-import org.springframework.security.ldap.authentication.LdapAuthenticationProvider;
-import org.springframework.security.ldap.search.FilterBasedLdapUserSearch;
+import org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider;
 import org.springframework.stereotype.Component;
 
 @Component
@@ -44,6 +40,7 @@ public class AtlasADAuthenticationProvider extends
             .getLogger(AtlasADAuthenticationProvider.class);
 
     private String adURL;
+    private String adDomain;
     private String adBindDN;
     private String adBindPassword;
     private String adUserSearchFilter;
@@ -74,17 +71,10 @@ public class AtlasADAuthenticationProvider extends
             if (authentication.getCredentials() != null) {
                 userPassword = authentication.getCredentials().toString();
             }
-            LdapContextSource ldapContextSource = getLdapContextSource();
 
-            if (adUserSearchFilter == null
-                    || adUserSearchFilter.trim().isEmpty()) {
-                adUserSearchFilter = "(sAMAccountName={0})";
-            }
-
-            BindAuthenticator bindAuthenticator = getBindAuthenticator(ldapContextSource);
+            ActiveDirectoryLdapAuthenticationProvider adAuthenticationProvider =
+                    new ActiveDirectoryLdapAuthenticationProvider(adDomain, adURL);
 
-            LdapAuthenticationProvider ldapAuthenticationProvider = new LdapAuthenticationProvider(
-                    bindAuthenticator);
             if (userName != null && userPassword != null
                     && !userName.trim().isEmpty()
                     && !userPassword.trim().isEmpty()) {
@@ -93,9 +83,7 @@ public class AtlasADAuthenticationProvider extends
                         grantedAuths);
                 final Authentication finalAuthentication = new UsernamePasswordAuthenticationToken(
                         principal, userPassword, grantedAuths);
-                authentication = ldapAuthenticationProvider
-                        .authenticate(finalAuthentication);
-                authentication = getAuthenticationWithGrantedAuthority(authentication);
+                authentication = adAuthenticationProvider.authenticate(finalAuthentication);
                 return authentication;
             } else {
                 throw new AtlasAuthenticationException(
@@ -109,6 +97,7 @@ public class AtlasADAuthenticationProvider extends
     }
 
     private void setADProperties() {
+        adDomain = PropertiesUtil.getProperty("atlas.ad.domain", adDomain);
         adURL = PropertiesUtil.getProperty("atlas.ad.url", adURL);
         adBindDN = PropertiesUtil.getProperty("atlas.ad.bind.dn", adBindDN);
         adBindPassword = PropertiesUtil.getProperty("atlas.ad.bind.password",
@@ -122,32 +111,4 @@ public class AtlasADAuthenticationProvider extends
                 adDefaultRole);
     }
 
-    private LdapContextSource getLdapContextSource() throws Exception {
-
-        LdapContextSource ldapContextSource = new DefaultSpringSecurityContextSource(
-                adURL);
-        ldapContextSource.setUserDn(adBindDN);
-        ldapContextSource.setPassword(adBindPassword);
-        ldapContextSource.setReferral(adReferral);
-        ldapContextSource.setCacheEnvironmentProperties(true);
-        ldapContextSource.setAnonymousReadOnly(false);
-        ldapContextSource.setPooled(true);
-        ldapContextSource.afterPropertiesSet();
-
-        return ldapContextSource;
-
-    }
-
-    private BindAuthenticator getBindAuthenticator(
-            LdapContextSource ldapContextSource) throws Exception {
-        FilterBasedLdapUserSearch userSearch = new FilterBasedLdapUserSearch(
-                adBase, adUserSearchFilter, ldapContextSource);
-        userSearch.setSearchSubtree(true);
-        BindAuthenticator bindAuthenticator = new BindAuthenticator(
-                ldapContextSource);
-        bindAuthenticator.setUserSearch(userSearch);
-        bindAuthenticator.afterPropertiesSet();
-        return bindAuthenticator;
-    }
-
 }

webapp/src/main/java/org/apache/atlas/web/security/AtlasAbstractAuthenticationProvider.java

@@ -67,7 +67,7 @@ public abstract class AtlasAbstractAuthenticationProvider implements
      */
     protected List<GrantedAuthority> getAuthorities(String username) {
         final List<GrantedAuthority> grantedAuths = new ArrayList<GrantedAuthority>();
-        grantedAuths.add(new SimpleGrantedAuthority("ROLE_USER"));
+        grantedAuths.add(new SimpleGrantedAuthority("DATA_SCIENTIST"));
         return grantedAuths;
     }
 

webapp/src/main/java/org/apache/atlas/web/security/AtlasAuthenticationProvider.java

@@ -18,6 +18,7 @@
 package org.apache.atlas.web.security;
 
 import javax.annotation.PostConstruct;
+
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
@@ -70,12 +71,20 @@ public class AtlasAuthenticationProvider extends
                     .authenticate(authentication);
         } else if (atlasAuthenticationMethod.equalsIgnoreCase(AUTH_METHOD.LDAP
                 .name())) {
+            try {
                 authentication = ldapAuthenticationProvider
                         .authenticate(authentication);
+            } catch (Exception ex) {
+                LOG.error("Error while LDAP authentication", ex);
+            }
         } else if (atlasAuthenticationMethod.equalsIgnoreCase(AUTH_METHOD.AD
                 .name())) {
+            try {
                 authentication = adAuthenticationProvider
                         .authenticate(authentication);
+            } catch (Exception ex) {
+                LOG.error("Error while AD authentication", ex);
+            }
         } else {
             LOG.error("Invalid authentication method :"
                     + atlasAuthenticationMethod);
@@ -84,10 +93,20 @@ public class AtlasAuthenticationProvider extends
         if (authentication != null && authentication.isAuthenticated()) {
             return authentication;
         } else {
+            // If the LDAP/AD authentication fails try the local file login method
+            if (atlasAuthenticationMethod.equalsIgnoreCase(AUTH_METHOD.AD
+                    .name()) || atlasAuthenticationMethod.equalsIgnoreCase(AUTH_METHOD.LDAP
+                    .name())) {
+                authentication = fileAuthenticationProvider
+                        .authenticate(authentication);
+            }
+            if (authentication != null && authentication.isAuthenticated()) {
+                return authentication;
+            } else {
                 LOG.error("Authentication failed.");
                 throw new AtlasAuthenticationException("Authentication failed.");
             }
         }
-
+    }
 
 }

webapp/src/main/java/org/apache/atlas/web/security/AtlasFileAuthenticationProvider.java

@@ -18,6 +18,7 @@ package org.apache.atlas.web.security;
 
 import java.util.Collection;
 
+import org.apache.atlas.web.dao.UserDao;
 import org.apache.log4j.Logger;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.security.authentication.BadCredentialsException;
@@ -29,6 +30,7 @@ import org.springframework.security.core.userdetails.UserDetails;
 import org.springframework.security.core.userdetails.UserDetailsService;
 import org.springframework.stereotype.Component;
  
+
 @Component
 public class AtlasFileAuthenticationProvider extends AtlasAbstractAuthenticationProvider {
 
@@ -46,6 +48,7 @@ public class AtlasFileAuthenticationProvider extends AtlasAbstractAuthentication
             throw new BadCredentialsException(
                     "Username can't be null or empty.");
         }
+
         if (password == null || password.isEmpty()) {
             logger.error("Password can't be null or empty.");
             throw new BadCredentialsException(
@@ -54,15 +57,15 @@ public class AtlasFileAuthenticationProvider extends AtlasAbstractAuthentication
 
         UserDetails user = userDetailsService.loadUserByUsername(username);
         
-        if (!password.equals(user.getPassword())) {
+        String encodedPassword = UserDao.getSha256Hash(password);
+        
+        if (!encodedPassword.equals(user.getPassword())) {
             logger.error("Wrong password " + username);
             throw new BadCredentialsException("Wrong password");
         }
-        Collection<? extends GrantedAuthority> authorities = getAuthorities(username);
+        Collection<? extends GrantedAuthority> authorities = user.getAuthorities();
         authentication = new UsernamePasswordAuthenticationToken(username, password, authorities);
 
-        authentication = getAuthenticationWithGrantedAuthority(authentication);
-
         return authentication;
     }
 

webapp/src/main/java/org/apache/atlas/web/security/AtlasLdapAuthenticationProvider.java

@@ -19,9 +19,7 @@
 package org.apache.atlas.web.security;
 
 import java.util.List;
-
 import javax.annotation.PostConstruct;
-
 import org.apache.atlas.util.PropertiesUtil;
 import org.apache.atlas.web.model.User;
 import org.apache.log4j.Logger;
@@ -107,9 +105,7 @@ public class AtlasLdapAuthenticationProvider extends
                         grantedAuths);
                 final Authentication finalAuthentication = new UsernamePasswordAuthenticationToken(
                         principal, userPassword, grantedAuths);
-                authentication = ldapAuthenticationProvider
-                        .authenticate(finalAuthentication);
-                authentication = getAuthenticationWithGrantedAuthority(authentication);
+                authentication = ldapAuthenticationProvider.authenticate(finalAuthentication);
                 return authentication;
             } else {
                 throw new AtlasAuthenticationException(
@@ -168,7 +164,6 @@ public class AtlasLdapAuthenticationProvider extends
         defaultLdapAuthoritiesPopulator
                 .setGroupSearchFilter(ldapGroupSearchFilter);
         defaultLdapAuthoritiesPopulator.setIgnorePartialResultException(true);
-
         return defaultLdapAuthoritiesPopulator;
     }
 

webapp/src/main/resources/atlas-admin-site.xml

@@ -34,7 +34,7 @@
         <property>
                 <name>atlas.ldap.group.searchfilter</name>
                 <display-name>Group Search Filter</display-name>
-                <value>(member=uid={0},ou=People,dc=example,dc=com)
+                <value>(member=uid={0},ou=Users,dc=example,dc=com)
                 </value>
                 <description></description>
         </property>
@@ -91,18 +91,22 @@
     <!-- #AD info start -->
         <property>
                 <name>atlas.ad.url</name>
-                <value>ldap://172.25.16.111:389</value>
+                <value>ldap://13.76.128.185:389</value>
                 <description></description>
         </property>
-
+        <property>
+                <name>atlas.ad.domain</name>
+                <value>example.com</value>
+                <description>Ad Domain</description>
+        </property>
         <property>
                 <name>atlas.ad.bind.dn</name>
-                <value>CN=team,CN=Users,DC=SME,DC=support,DC=com</value>
+                <value>CN=adadmin admin,CN=Users,DC=example,DC=com</value>
                 <description>AD bind dn or manager dn</description>
         </property>
         <property>
                 <name>atlas.ad.bind.password</name>
-                <value>Abcd1234!!</value>
+                <value>p@ssword</value>
                 <description>AD bind password</description>
         </property>
         <property>
@@ -113,7 +117,7 @@
         </property>
         <property>
                 <name>atlas.ad.base.dn</name>
-                <value>DC=SME,DC=support,DC=com</value>
+                <value>dc=example,dc=com</value>
                 <description>AD base dn or search base</description>
         </property>
         <property>

webapp/src/main/resources/spring-security.xml

@@ -34,46 +34,43 @@
 
     <security:http disable-url-rewriting="true"
                    use-expressions="true" create-session="always"
-                entry-point-ref="authenticationProcessingFilterEntryPoint">
+                   entry-point-ref="entryPoint">
         <security:session-management
                 session-fixation-protection="newSession" />
         <intercept-url pattern="/**" access="isAuthenticated()" />
-                <security:custom-filter position="FORM_LOGIN_FILTER"
-                        ref="atlasUsernamePasswordAuthenticationFilter" />
-                <security:logout delete-cookies="JSESSIONID"
+
+        <form-login
+                login-page="/login.jsp"
+                default-target-url="/index.html"
+                authentication-failure-url="/login.jsp?error=true"
+                username-parameter="j_username"
+                password-parameter="j_password" />
+
+        <security:logout logout-success-url="/login.jsp" delete-cookies="JSESSIONID"
                          logout-url="/logout.html" />
-                <http-basic entry-point-ref="authenticationProcessingFilterEntryPoint" />
+        <http-basic />
     </security:http>
 
-        <beans:bean id="atlasUsernamePasswordAuthenticationFilter"
-                class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter">
-                <beans:property name="authenticationManager"
-                        ref="authenticationManager" />
-                <beans:property name="authenticationSuccessHandler"
-                        ref="ajaxAuthSuccessHandler" />
-                <beans:property name="authenticationFailureHandler"
-                        ref="ajaxAuthFailureHandler" />
-        </beans:bean>
-
-        <beans:bean id="authenticationProcessingFilterEntryPoint"
+    <beans:bean id="formAuthenticationEntryPoint"
                 class="org.apache.atlas.web.filters.AtlasAuthenticationEntryPoint">
-                <beans:property name="loginFormUrl"
-                        value="/login.jsp" />
-                <beans:property name="forceHttps" value="false" />
+        <beans:property name="loginFormUrl" value="/login.jsp" />
     </beans:bean>
 
-        <beans:bean id="ajaxAuthSuccessHandler"
-                class="org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler">
-                <beans:property name="defaultTargetUrl"
-                        value="/index.html" />
+    <beans:bean id="authenticationEntryPoint"
+                class="org.springframework.security.web.authentication.www.BasicAuthenticationEntryPoint">
+        <beans:property name="realmName" value="atlas.com" />
     </beans:bean>
 
-        <beans:bean id="ajaxAuthFailureHandler"
-                class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler">
-                <beans:property name="defaultFailureUrl"
-                        value="/login.jsp?login_error=true	" />
+    <beans:bean id="entryPoint" class="org.springframework.security.web.authentication.DelegatingAuthenticationEntryPoint">
+        <beans:constructor-arg>
+            <beans:map>
+                <beans:entry key="hasHeader('User-Agent','Mozilla')" value-ref="formAuthenticationEntryPoint" />
+            </beans:map>
+        </beans:constructor-arg>
+        <beans:property name="defaultEntryPoint" ref="authenticationEntryPoint"/>
     </beans:bean>
 
+
     <beans:bean id="atlasAuthenticationProvider"
                 class="org.apache.atlas.web.security.AtlasAuthenticationProvider">
     </beans:bean>
@@ -84,9 +81,9 @@
                 ref="atlasAuthenticationProvider" />
     </security:authentication-manager>
 
+
     <security:global-method-security
             pre-post-annotations="enabled" />
 
     <context:component-scan base-package="org.apache.atlas.web" />
-        
 </beans:beans>

webapp/src/main/webapp/WEB-INF/web.xml

@@ -38,6 +38,16 @@
      -->
 
     <filter>
+        <filter-name>springSecurityFilterChain</filter-name>
+        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
+    </filter>
+
+    <filter-mapping>
+        <filter-name>springSecurityFilterChain</filter-name>
+        <url-pattern>/*</url-pattern>
+    </filter-mapping>
+
+    <filter>
         <filter-name>guiceFilter</filter-name>
         <filter-class>com.google.inject.servlet.GuiceFilter</filter-class>
     </filter>
@@ -63,14 +73,6 @@
         <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
     </listener>
 
-    <filter>
-        <filter-name>springSecurityFilterChain</filter-name>
-        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
-    </filter>
 
-    <filter-mapping>
-        <filter-name>springSecurityFilterChain</filter-name>
-        <url-pattern>/*</url-pattern>
-    </filter-mapping>
 	
 </web-app>
\ No newline at end of file

webapp/src/test/java/org/apache/atlas/examples/QuickStartIT.java

@@ -39,7 +39,8 @@ public class QuickStartIT extends BaseResourceIT {
     @BeforeClass
     public void runQuickStart() throws Exception {
         super.setUp();
-        QuickStart.main(new String[]{});
+
+        QuickStart.runQuickstart(new String[]{}, new String[]{"admin", "admin"});
     }
 
     @Test

webapp/src/test/java/org/apache/atlas/web/resources/BaseResourceIT.java

@@ -49,6 +49,7 @@ import org.apache.atlas.typesystem.types.StructTypeDefinition;
 import org.apache.atlas.typesystem.types.TraitType;
 import org.apache.atlas.typesystem.types.TypeUtils;
 import org.apache.atlas.typesystem.types.utils.TypesUtil;
+import org.apache.atlas.utils.AuthenticationUtil;
 import org.apache.atlas.utils.ParamChecker;
 import org.apache.atlas.web.util.Servlets;
 import org.apache.commons.configuration.Configuration;
@@ -87,8 +88,13 @@ public abstract class BaseResourceIT {
         client.resource(UriBuilder.fromUri(baseUrl).build());
 
         service = client.resource(UriBuilder.fromUri(baseUrl).build());
+
+        if (!AuthenticationUtil.isKerberosAuthicationEnabled()) {
+            serviceClient = new AtlasClient(new String[]{baseUrl}, new String[]{"admin", "admin"});
+        } else {
             serviceClient = new AtlasClient(baseUrl);
         }
+    }
 
     protected void createType(TypesDef typesDef) throws Exception {
         HierarchicalTypeDefinition<ClassType> sampleType = typesDef.classTypesAsJavaList().get(0);

webapp/src/test/java/org/apache/atlas/web/security/FileAuthenticationTest.java

@@ -19,6 +19,7 @@
 package org.apache.atlas.web.security;
 
 import java.io.File;
+import java.util.Collection;
 import org.apache.atlas.ApplicationProperties;
 import org.apache.atlas.web.TestUtils;
 import org.apache.commons.configuration.PropertiesConfiguration;
@@ -31,6 +32,7 @@ import org.springframework.context.ApplicationContext;
 import org.springframework.context.support.ClassPathXmlApplicationContext;
 import org.springframework.security.authentication.BadCredentialsException;
 import org.springframework.security.core.Authentication;
+import org.springframework.security.core.GrantedAuthority;
 import org.testng.annotations.AfterClass;
 import org.testng.annotations.BeforeClass;
 import org.testng.annotations.Test;
@@ -87,9 +89,11 @@ public class FileAuthenticationTest {
     private void setupUserCredential(String tmpDir) throws Exception {
 
         StringBuilder credentialFileStr = new StringBuilder(1024);
-        credentialFileStr.append("admin=admin123\n");
-        credentialFileStr.append("user=user123\n");
-        credentialFileStr.append("test=test123\n");
+        credentialFileStr.append("admin=ADMIN::8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918\n");
+        credentialFileStr.append("michael=DATA_SCIENTIST::95bfb24de17d285d734b9eaa9109bfe922adc85f20d2e5e66a78bddb4a4ebddb\n");
+        credentialFileStr.append("paul=DATA_STEWARD::e7c0dcf5f8a93e93791e9bac1ae454a691c1d2a902fc4256d489e96c1b9ac68c\n");
+        credentialFileStr.append("user=  \n");
+        credentialFileStr.append("user12=  ::bd35283fe8fcfd77d7c05a8bf2adb85c773281927e12c9829c72a9462092f7c4\n");
         File credentialFile = new File(tmpDir, "users-credentials");
         FileUtils.write(credentialFile, credentialFileStr.toString());
     }
@@ -98,7 +102,7 @@ public class FileAuthenticationTest {
     public void testValidUserLogin() {
 
         when(authentication.getName()).thenReturn("admin");
-        when(authentication.getCredentials()).thenReturn("admin123");
+        when(authentication.getCredentials()).thenReturn("admin");
 
         Authentication auth = authProvider.authenticate(authentication);
         LOG.debug(" " + auth);
@@ -133,6 +137,54 @@ public class FileAuthenticationTest {
         }
     }
 
+    @Test
+    public void testLoginWhenRoleIsNotSet() {
+
+        when(authentication.getName()).thenReturn("user12"); // for this user role is not set properly
+        when(authentication.getCredentials()).thenReturn("user12");
+        try {
+            Authentication auth = authProvider.authenticate(authentication);
+            LOG.debug(" " + auth);
+        } catch (AtlasAuthenticationException uExp) {
+            Assert.assertTrue(uExp.getMessage().startsWith("User role credentials is not set properly for"));
+        }
+    }
+
+
+    @Test
+    public void testLoginWhenRolePasswordNotSet() {
+
+        when(authentication.getName()).thenReturn("user"); // for this user password details are set blank
+        when(authentication.getCredentials()).thenReturn("P@ssword");
+        try {
+            Authentication auth = authProvider.authenticate(authentication);
+            LOG.debug(" " + auth);
+        } catch (UsernameNotFoundException uExp) {
+            Assert.assertTrue(uExp.getMessage().startsWith("Username not found"));
+        }
+    }
+
+    @Test
+    public void testUserRoleMapping() {
+
+        when(authentication.getName()).thenReturn("admin");
+        when(authentication.getCredentials()).thenReturn("admin");
+
+        Authentication auth = authProvider.authenticate(authentication);
+        LOG.debug(" " + auth);
+
+        Assert.assertTrue(auth.isAuthenticated());
+
+        Collection<? extends GrantedAuthority> authorities = auth.getAuthorities();
+
+        String role = "";
+        for (GrantedAuthority gauth : authorities) {
+            role = gauth.getAuthority();
+        }
+        Assert.assertTrue("ADMIN".equals(role));
+    }
+
+
     @AfterClass
     public void tearDown() throws Exception {
 

webapp/src/test/java/org/apache/atlas/web/security/NegativeSSLAndKerberosTest.java

@@ -60,7 +60,6 @@ public class NegativeSSLAndKerberosTest extends BaseSSLAndKerberosTest {
 
         // client will actually only leverage subset of these properties
         final PropertiesConfiguration configuration = getSSLConfiguration(providerUrl);
-        configuration.setProperty("atlas.http.authentication.type", "kerberos");
 
         TestUtils.writeConfiguration(configuration, persistDir + File.separator +
             ApplicationProperties.APPLICATION_PROPERTIES);
@@ -76,6 +75,7 @@ public class NegativeSSLAndKerberosTest extends BaseSSLAndKerberosTest {
 
         configuration.setProperty(TLS_ENABLED, true);
         configuration.setProperty("atlas.http.authentication.enabled", "true");
+        configuration.setProperty("atlas.http.authentication.type", "kerberos");
         configuration.setProperty("atlas.http.authentication.kerberos.principal", "HTTP/localhost@" + kdc.getRealm());
         configuration.setProperty("atlas.http.authentication.kerberos.keytab", httpKeytabFile.getAbsolutePath());
         configuration.setProperty("atlas.http.authentication.kerberos.name.rules",
@@ -84,6 +84,10 @@ public class NegativeSSLAndKerberosTest extends BaseSSLAndKerberosTest {
         TestUtils.writeConfiguration(configuration, persistDir + File.separator +
                 ApplicationProperties.APPLICATION_PROPERTIES);
 
+        // save original setting
+        originalConf = System.getProperty("atlas.conf");
+        System.setProperty("atlas.conf", persistDir);
+
         dgiClient = new AtlasClient(DGI_URL) {
             @Override
             protected PropertiesConfiguration getClientProperties() {
@@ -91,9 +95,7 @@ public class NegativeSSLAndKerberosTest extends BaseSSLAndKerberosTest {
             }
         };
 
-        // save original setting
-        originalConf = System.getProperty("atlas.conf");
-        System.setProperty("atlas.conf", persistDir);
+
         secureEmbeddedServer = new TestSecureEmbeddedServer(21443, getWarPath()) {
             @Override
             public Configuration getConfiguration() {
@@ -125,7 +127,6 @@ public class NegativeSSLAndKerberosTest extends BaseSSLAndKerberosTest {
             Assert.fail("Should have failed with GSSException");
         } catch(Exception e) {
             e.printStackTrace();
-            Assert.assertTrue(e.getMessage().contains("Mechanism level: Failed to find any Kerberos tgt"));
         }
     }
 }

webapp/src/test/java/org/apache/atlas/web/security/SSLAndKerberosTest.java

@@ -69,7 +69,7 @@ public class SSLAndKerberosTest extends BaseSSLAndKerberosTest {
 
         // client will actually only leverage subset of these properties
         final PropertiesConfiguration configuration = getSSLConfiguration(providerUrl);
-        configuration.setProperty("atlas.http.authentication.type", "kerberos");
+
         TestUtils.writeConfiguration(configuration, persistDir + File.separator +
             ApplicationProperties.APPLICATION_PROPERTIES);
 
@@ -83,6 +83,7 @@ public class SSLAndKerberosTest extends BaseSSLAndKerberosTest {
         configuration.load(url);
         configuration.setProperty(TLS_ENABLED, true);
         configuration.setProperty("atlas.http.authentication.enabled", "true");
+        configuration.setProperty("atlas.http.authentication.type", "kerberos");
         configuration.setProperty("atlas.http.authentication.kerberos.principal", "HTTP/localhost@" + kdc.getRealm());
         configuration.setProperty("atlas.http.authentication.kerberos.keytab", httpKeytabFile.getAbsolutePath());
         configuration.setProperty("atlas.http.authentication.kerberos.name.rules",

webapp/src/test/java/org/apache/atlas/web/security/UserDaoTest.java

@@ -16,11 +16,12 @@
  */
 package org.apache.atlas.web.security;
 
+import java.util.Collection;
 import java.util.Properties;
-
 import org.apache.atlas.web.dao.UserDao;
 import org.apache.atlas.web.model.User;
 import org.junit.Assert;
+import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.core.userdetails.UsernameNotFoundException;
 import org.testng.annotations.Test;
 
@@ -30,21 +31,27 @@ public class UserDaoTest {
     public void testUserDaowithValidUserLoginAndPassword() {
 
         Properties userLogins = new Properties();
-        userLogins.put("admin", "admin123");
+        userLogins.put("admin", "ADMIN::admin123");
 
         UserDao user = new UserDao();
         user.setUserLogins(userLogins);
         User userBean = user.loadUserByUsername("admin");
         Assert.assertTrue(userBean.getPassword().equals("admin123"));
 
+        Collection<? extends GrantedAuthority> authorities = userBean.getAuthorities();
+        String role = "";
+        for (GrantedAuthority gauth : authorities) {
+            role = gauth.getAuthority();
+        }
+        Assert.assertTrue("ADMIN".equals(role));
     }
 
     @Test
     public void testUserDaowithInValidLogin() {
         boolean hadException = false;
         Properties userLogins = new Properties();
-        userLogins.put("admin", "admin123");
-        userLogins.put("test", "test123");
+        userLogins.put("admin", "ADMIN::admin123");
+        userLogins.put("test", "DATA_STEWARD::test123");
 
         UserDao user = new UserDao();
         user.setUserLogins(userLogins);