Commit 395296ce by Hemanth Yamijala

ATLAS-820 Kerberized env: Authentication failing (nixonrodrigues via yhemanth)

parent b66f0572
......@@ -562,7 +562,7 @@ public class HiveMetaStoreBridge {
String atlasEndpoint = atlasConf.getString(ATLAS_ENDPOINT, DEFAULT_DGI_URL);
AtlasClient atlasClient;
if (!AuthenticationUtil.isKerberosAuthicationEnabled()) {
if (!AuthenticationUtil.isKerberosAuthenticationEnabled()) {
String[] basicAuthUsernamePassword = AuthenticationUtil.getBasicAuthenticationInput();
atlasClient = new AtlasClient(new String[]{atlasEndpoint}, basicAuthUsernamePassword);
} else {
......
......@@ -64,7 +64,7 @@ public class AtlasAdminClient {
AtlasConstants.ATLAS_REST_ADDRESS_KEY, AtlasConstants.DEFAULT_ATLAS_REST_ADDRESS);
AtlasClient atlasClient = null;
if (!AuthenticationUtil.isKerberosAuthicationEnabled()) {
if (!AuthenticationUtil.isKerberosAuthenticationEnabled()) {
String[] basicAuthUsernamePassword = AuthenticationUtil.getBasicAuthenticationInput();
atlasClient = new AtlasClient(new String[]{atlasServerUri}, basicAuthUsernamePassword);
} else {
......
......@@ -189,7 +189,7 @@ public class AtlasClient {
configuration = getClientProperties();
Client client = getClient(configuration, ugi, doAsUser);
if ((!AuthenticationUtil.isKerberosAuthicationEnabled()) && basicAuthUser!=null && basicAuthPassword!=null) {
if ((!AuthenticationUtil.isKerberosAuthenticationEnabled()) && basicAuthUser!=null && basicAuthPassword!=null) {
final HTTPBasicAuthFilter authFilter = new HTTPBasicAuthFilter(basicAuthUser, basicAuthPassword);
client.addFilter(authFilter);
}
......@@ -221,7 +221,7 @@ public class AtlasClient {
URLConnectionClientHandler handler = null;
if ((!AuthenticationUtil.isKerberosAuthicationEnabled()) && basicAuthUser!=null && basicAuthPassword!=null) {
if ((!AuthenticationUtil.isKerberosAuthenticationEnabled()) && basicAuthUser!=null && basicAuthPassword!=null) {
handler = new URLConnectionClientHandler();
} else {
handler =
......
......@@ -35,22 +35,21 @@ public final class AuthenticationUtil {
private AuthenticationUtil() {
}
public static boolean isKerberosAuthicationEnabled() {
boolean isKerberosAuthicationEnabled = false;
public static boolean isKerberosAuthenticationEnabled() {
boolean isKerberosAuthenticationEnabled = false;
try {
Configuration atlasConf = ApplicationProperties.get();
if ("true".equalsIgnoreCase(atlasConf.getString("atlas.http.authentication.enabled"))
&& "kerberos".equalsIgnoreCase(atlasConf.getString("atlas.http.authentication.type"))) {
isKerberosAuthicationEnabled = true;
if ("true".equalsIgnoreCase(atlasConf.getString("atlas.authentication.method.kerberos"))) {
isKerberosAuthenticationEnabled = true;
} else {
isKerberosAuthicationEnabled = false;
isKerberosAuthenticationEnabled = false;
}
} catch (AtlasException e) {
LOG.error("Error while isKerberosAuthicationEnabled ", e);
LOG.error("Error while isKerberosAuthenticationEnabled ", e);
}
return isKerberosAuthicationEnabled;
return isKerberosAuthenticationEnabled;
}
public static String[] getBasicAuthenticationInput() {
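Review bot: Deployments that still set `atlas.http.authentication.enabled=true` with `atlas.http.authentication.type=kerberos` will now get `false` from isKerberosAuthenticationEnabled(), because only `atlas.authentication.method.kerberos` is read. Every caller shown on this page then takes the basic-auth branch and asks for a username and password. The same silent key switch applies to `atlas.authentication.method.file.filename` in UserDao and to the replacement of `atlas.login.method` in AtlasAuthenticationProvider. I would either honour the old keys as a fallback or warn when they are present without the new one, e.g. `LOG.warn("atlas.http.authentication.type is ignored; set atlas.authentication.method.kerberos")`. The catch block has the same effect, since an AtlasException while loading the properties is logged and reported as "Kerberos disabled"; a Javadoc on the method should state that.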
......
......@@ -63,10 +63,13 @@ atlas.enableTLS=false
# Authentication config
# enabled: true or false
atlas.http.authentication.enabled=false
# type: simple or kerberos
atlas.http.authentication.type=simple
atlas.authentication.method.kerberos=false
atlas.authentication.method.ldap=false
atlas.authentication.method.file=true
atlas.authentication.method.ldap.type=LDAP
atlas.authentication.method.ldap.url=
atlas.authentication.method.file.filename=${sys:atlas.home}/conf/users-credentials.properties
######### JAAS Configuration ########
......@@ -102,11 +105,6 @@ atlas.server.ha.enabled=false
#atlas.server.ha.zookeeper.auth=<scheme>:<authinfo>
#### atlas.login.method {FILE,LDAP,AD} ####
atlas.login.method=FILE
### File path of users-credentials
atlas.login.credentials.file=${sys:atlas.home}/conf/users-credentials.properties
#########POLICY FILE PATH #########
atlas.auth.policy.file=${sys:atlas.home}/conf/policy-store.txt
......
......@@ -5,3 +5,4 @@
adminPolicy;;admin:rwud;;ROLE_ADMIN:rwud;;type:*,entity:*,operation:*,taxonomy:*,term:*
dataScientistPolicy;;;;DATA_SCIENTIST:r;;type:*,entity:*,taxonomy:*,term:*
dataStewardPolicy;;;;DATA_STEWARD:rwu;;type:*,entity:*,taxonomy:*,term:*
hadoopPolicy;;;;hadoop:rwud;;type:*,entity:*,operation:*,taxonomy:*,term:*
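Review bot: The `hadoopPolicy` line, which looks like the one this hunk adds, gives `hadoop` the full `rwud` set on `type:*,entity:*,operation:*,taxonomy:*,term:*`, the same scope as `adminPolicy`. Judging by the field positions in `adminPolicy` (a user entry, then `ROLE_ADMIN` in the next field), `hadoop` sits in the group field, so every member of that group would get admin-equivalent rights in a default install. If the entry is only needed for a service identity in Kerberized clusters, a narrower default such as `hadoop:r`, or leaving the grant to the operator and describing it in the security documentation, would keep the shipped policy closer to least privilege.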
......@@ -22,6 +22,7 @@ ATLAS-409 Atlas will not import avro tables with schema read from a file (dosset
ATLAS-379 Create sqoop and falcon metadata addons (venkatnrangan,bvellanki,sowmyaramesh via shwethags)
ALL CHANGES:
ATLAS-820 Kerberized env: Authentication failing (nixonrodrigues via yhemanth)
ATLAS-852 Change Default landing page to taxonomy (kevalbhatt18 via yhemanth)
ATLAS-858 Unable to delete terms via API which are 3 or more levels deep (jspeidel via sumasai)
ATLAS-848 Atlas UI: Search term box in left navigation is not auto refresh.(Kalyanikashikar via sumasai)
......
......@@ -72,7 +72,7 @@ public class QuickStart {
public static void main(String[] args) throws Exception {
String[] basicAuthUsernamePassword = null;
if (!AuthenticationUtil.isKerberosAuthicationEnabled()) {
if (!AuthenticationUtil.isKerberosAuthenticationEnabled()) {
basicAuthUsernamePassword = AuthenticationUtil.getBasicAuthenticationInput();
}
......@@ -84,7 +84,7 @@ public class QuickStart {
String baseUrl = getServerUrl(args);
QuickStart quickStart;
if (!AuthenticationUtil.isKerberosAuthicationEnabled()) {
if (!AuthenticationUtil.isKerberosAuthenticationEnabled()) {
quickStart = new QuickStart(baseUrl, basicAuthUsernamePassword);
} else {
quickStart = new QuickStart(baseUrl);
......
......@@ -58,7 +58,7 @@ public class UserDao {
Configuration configuration = ApplicationProperties.get();
PROPERTY_FILE_PATH = configuration
.getString("atlas.login.credentials.file");
.getString("atlas.authentication.method.file.filename");
if (PROPERTY_FILE_PATH != null && !"".equals(PROPERTY_FILE_PATH)) {
userLogins = new Properties();
userLogins.load(new FileInputStream(PROPERTY_FILE_PATH));
......
/**
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License. See accompanying LICENSE file.
*/
package org.apache.atlas.web.filters;
import javax.servlet.RequestDispatcher;
import javax.servlet.Servlet;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import java.io.InputStream;
import java.net.MalformedURLException;
import java.net.URL;
import java.util.Enumeration;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterRegistration;
import javax.servlet.ServletRegistration;
import javax.servlet.SessionCookieConfig;
import javax.servlet.SessionTrackingMode;
import javax.servlet.FilterRegistration.Dynamic;
import javax.servlet.descriptor.JspConfigDescriptor;
import java.util.EventListener;
import java.util.Map;
/**
*/
public class NullServletContext implements ServletContext {
public void setSessionTrackingModes(
Set<SessionTrackingMode> sessionTrackingModes) {
}
public boolean setInitParameter(String name, String value) {
return false;
}
public void setAttribute(String name, Object object) {
}
public void removeAttribute(String name) {
}
public void log(String message, Throwable throwable) {
}
public void log(Exception exception, String msg) {
}
public void log(String msg) {
}
public String getVirtualServerName() {
return null;
}
public SessionCookieConfig getSessionCookieConfig() {
return null;
}
public Enumeration<Servlet> getServlets() {
return null;
}
public Map<String, ? extends ServletRegistration> getServletRegistrations() {
return null;
}
public ServletRegistration getServletRegistration(String servletName) {
return null;
}
public Enumeration<String> getServletNames() {
return null;
}
public String getServletContextName() {
return null;
}
public Servlet getServlet(String name) throws ServletException {
return null;
}
public String getServerInfo() {
return null;
}
public Set<String> getResourcePaths(String path) {
return null;
}
public InputStream getResourceAsStream(String path) {
return null;
}
public URL getResource(String path) throws MalformedURLException {
return null;
}
public RequestDispatcher getRequestDispatcher(String path) {
return null;
}
public String getRealPath(String path) {
return null;
}
public RequestDispatcher getNamedDispatcher(String name) {
return null;
}
public int getMinorVersion() {
return 0;
}
public String getMimeType(String file) {
return null;
}
public int getMajorVersion() {
return 0;
}
public JspConfigDescriptor getJspConfigDescriptor() {
return null;
}
public Enumeration<String> getInitParameterNames() {
return null;
}
public String getInitParameter(String name) {
return null;
}
public Map<String, ? extends FilterRegistration> getFilterRegistrations() {
return null;
}
public FilterRegistration getFilterRegistration(String filterName) {
return null;
}
public Set<SessionTrackingMode> getEffectiveSessionTrackingModes() {
return null;
}
public int getEffectiveMinorVersion() {
return 0;
}
public int getEffectiveMajorVersion() {
return 0;
}
public Set<SessionTrackingMode> getDefaultSessionTrackingModes() {
return null;
}
public String getContextPath() {
return null;
}
public ServletContext getContext(String uripath) {
return null;
}
public ClassLoader getClassLoader() {
return null;
}
public Enumeration<String> getAttributeNames() {
return null;
}
public Object getAttribute(String name) {
return null;
}
public void declareRoles(String... roleNames) {
}
public <T extends Servlet> T createServlet(Class<T> clazz)
throws ServletException {
return null;
}
public <T extends EventListener> T createListener(Class<T> clazz)
throws ServletException {
return null;
}
public <T extends Filter> T createFilter(Class<T> clazz)
throws ServletException {
return null;
}
public javax.servlet.ServletRegistration.Dynamic addServlet(
String servletName, Class<? extends Servlet> servletClass) {
return null;
}
public javax.servlet.ServletRegistration.Dynamic addServlet(
String servletName, Servlet servlet) {
return null;
}
public javax.servlet.ServletRegistration.Dynamic addServlet(
String servletName, String className) {
return null;
}
public void addListener(Class<? extends EventListener> listenerClass) {
}
public <T extends EventListener> void addListener(T t) {
}
public void addListener(String className) {
}
public Dynamic addFilter(String filterName,
Class<? extends Filter> filterClass) {
return null;
}
public Dynamic addFilter(String filterName, Filter filter) {
return null;
}
public Dynamic addFilter(String filterName, String className) {
return null;
}
}
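Review bot: The class Javadoc on NullServletContext is empty (`/** */`), and nothing in the file says why a ServletContext that ignores every write and returns `null`, `0` or `false` from every read is needed. Please add a class comment naming its consumer (presumably the authentication filter when it is created as a Spring bean rather than by the container; confirm) and noting that `getInitParameter` always returns `null`, so no filter setting can come from the servlet context. Adding `@Override` to each method would let the compiler catch drift from the ServletContext interface. Callers that iterate `getInitParameterNames()` or `getAttributeNames()` will hit a `null`; returning `Collections.emptyEnumeration()` there would be safer.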
......@@ -95,11 +95,6 @@ public class GuiceServletConfig extends GuiceServletContextListener {
protected void configureServlets() {
filter("/*").through(AuditFilter.class);
configureActiveServerFilterIfNecessary();
try {
configureAuthenticationFilter();
} catch (ConfigurationException e) {
LOG.warn("Unable to add and configure authentication filter", e);
}
String packages = getServletContext().getInitParameter(GUICE_CTX_PARAM);
......@@ -120,16 +115,6 @@ public class GuiceServletConfig extends GuiceServletContextListener {
}
}
private void configureAuthenticationFilter() throws ConfigurationException {
Configuration configuration = getConfiguration();
if (configuration == null) {
throw new ConfigurationException("Could not load application configuration");
}
if (Boolean.valueOf(configuration.getString(AtlasClient.HTTP_AUTHENTICATION_ENABLED))) {
LOG.info("Enabling AuthenticationFilter");
filter("/*").through(AtlasAuthenticationFilter.class);
}
}
});
LOG.info("Guice modules loaded");
......
......@@ -38,7 +38,7 @@ public class LoginProcessor {
private static final Logger LOG = LoggerFactory.getLogger(LoginProcessor.class);
public static final String ATLAS_AUTHENTICATION_PREFIX = "atlas.authentication.";
public static final String AUTHENTICATION_METHOD = ATLAS_AUTHENTICATION_PREFIX + "method";
public static final String AUTHENTICATION_KERBEROS_METHOD = ATLAS_AUTHENTICATION_PREFIX + "method.kerberos";
public static final String AUTHENTICATION_PRINCIPAL = ATLAS_AUTHENTICATION_PREFIX + "principal";
public static final String AUTHENTICATION_KEYTAB = ATLAS_AUTHENTICATION_PREFIX + "keytab";
......@@ -95,12 +95,14 @@ public class LoginProcessor {
protected void setupHadoopConfiguration(Configuration hadoopConfig, org.apache.commons.configuration.Configuration
configuration) {
String authMethod;
authMethod = configuration != null ? configuration.getString(AUTHENTICATION_METHOD) : null;
String authMethod = "";
String kerberosAuthNEnabled = configuration != null ? configuration.getString(AUTHENTICATION_KERBEROS_METHOD) : null;
// getString may return null, and would like to log the nature of the default setting
if (authMethod == null) {
if (kerberosAuthNEnabled == null || kerberosAuthNEnabled.equalsIgnoreCase("false")) {
LOG.info("No authentication method configured. Defaulting to simple authentication");
authMethod = "simple";
} else if (kerberosAuthNEnabled.equalsIgnoreCase("true")) {
authMethod = "kerberos";
}
SecurityUtil
.setAuthenticationMethod(UserGroupInformation.AuthenticationMethod.valueOf(authMethod.toUpperCase()),
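Review bot: A value of `atlas.authentication.method.kerberos` other than `true` or `false` (for example `yes`, an empty string, or `true` with trailing whitespace) leaves `authMethod` as `""`, and `UserGroupInformation.AuthenticationMethod.valueOf(authMethod.toUpperCase())` then throws an IllegalArgumentException that gives no hint about the property. Add a final branch that fails with a clear message instead of guessing a mode: `} else { throw new IllegalArgumentException("Invalid value for " + AUTHENTICATION_KERBEROS_METHOD + ": " + kerberosAuthNEnabled); }`. The info message "No authentication method configured" is also logged when the property is explicitly `false`, which will mislead whoever reads the log. setupHadoopConfiguration continues past the end of this hunk.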
......
......@@ -34,11 +34,12 @@ public class AtlasAuthenticationProvider extends
private static final Logger LOG = LoggerFactory
.getLogger(AtlasAuthenticationProvider.class);
private String atlasAuthenticationMethod = "UNKNOWN";
enum AUTH_METHOD {
FILE, LDAP, AD
};
private boolean fileAuthenticationMethodEnabled = true;
private boolean ldapAuthenticationMethodEnabled = false;
private String ldapType = "UNKNOWN";
public static final String FILE_AUTH_METHOD = "atlas.authentication.method.file";
public static final String LDAP_AUTH_METHOD = "atlas.authentication.method.ldap";
public static final String LDAP_TYPE = "atlas.authentication.method.ldap.type";
@Autowired
AtlasLdapAuthenticationProvider ldapAuthenticationProvider;
......@@ -53,8 +54,12 @@ public class AtlasAuthenticationProvider extends
void setAuthenticationMethod() {
try {
Configuration configuration = ApplicationProperties.get();
this.atlasAuthenticationMethod = configuration.getString(
"atlas.login.method", "UNKNOWN");
this.fileAuthenticationMethodEnabled = configuration.getBoolean(
FILE_AUTH_METHOD, true);
this.ldapAuthenticationMethodEnabled = configuration.getBoolean(
LDAP_AUTH_METHOD, false);
this.ldapType = configuration.getString(LDAP_TYPE, "UNKNOWN");
} catch (Exception e) {
LOG.error(
"Error while getting atlas.login.method application properties",
......@@ -66,37 +71,30 @@ public class AtlasAuthenticationProvider extends
public Authentication authenticate(Authentication authentication)
throws AuthenticationException {
if (atlasAuthenticationMethod.equalsIgnoreCase(AUTH_METHOD.FILE.name())) {
authentication = fileAuthenticationProvider
.authenticate(authentication);
} else if (atlasAuthenticationMethod.equalsIgnoreCase(AUTH_METHOD.LDAP
.name())) {
if (ldapAuthenticationMethodEnabled) {
if (ldapType.equalsIgnoreCase("LDAP")) {
try {
authentication = ldapAuthenticationProvider
.authenticate(authentication);
} catch (Exception ex) {
LOG.error("Error while LDAP authentication", ex);
}
} else if (atlasAuthenticationMethod.equalsIgnoreCase(AUTH_METHOD.AD
.name())) {
} else if (ldapType.equalsIgnoreCase("AD")) {
try {
authentication = adAuthenticationProvider
.authenticate(authentication);
} catch (Exception ex) {
LOG.error("Error while AD authentication", ex);
}
} else {
LOG.error("Invalid authentication method :"
+ atlasAuthenticationMethod);
}
}
if (authentication != null && authentication.isAuthenticated()) {
return authentication;
} else {
// If the LDAP/AD authentication fails try the local file login method
if (atlasAuthenticationMethod.equalsIgnoreCase(AUTH_METHOD.AD
.name()) || atlasAuthenticationMethod.equalsIgnoreCase(AUTH_METHOD.LDAP
.name())) {
// If the LDAP/AD authentication fails try the local filebased login method
if (fileAuthenticationMethodEnabled) {
authentication = fileAuthenticationProvider
.authenticate(authentication);
}
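Review bot: File-based login stays on unless it is explicitly disabled, so enabling LDAP or AD still leaves users-credentials.properties as a second accepted login path in authenticate(). The field initialiser and `configuration.getBoolean(FILE_AUTH_METHOD, true)` both default to `true`, the catch in setAuthenticationMethod() leaves it that way when the properties cannot be read, and exceptions from the LDAP/AD provider are logged and then fall through to the file login as well. If the fallback is intended, say so in a comment on `fileAuthenticationMethodEnabled` and in the sample properties; otherwise default it to `false` whenever `ldapAuthenticationMethodEnabled` is set. Two smaller points: an `ldapType` other than `LDAP` or `AD` appears to be skipped without a log line, and the error text still names `atlas.login.method`, which this change stops reading. authenticate() continues beyond the hunk.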
......
......@@ -30,6 +30,7 @@
<security:http pattern="/login.jsp" security="none" />
<security:http pattern="/css/**" security="none" />
<security:http pattern="/img/**" security="none" />
<security:http pattern="/libs/**" security="none" />
<security:http pattern="/js/**" security="none" />
<security:http pattern="/api/atlas/admin/status" security="none" />
......@@ -41,6 +42,8 @@
session-fixation-protection="newSession" />
<intercept-url pattern="/**" access="isAuthenticated()" />
<security:custom-filter ref="krbAuthenticationFilter" after="SERVLET_API_SUPPORT_FILTER" />
<form-login
login-page="/login.jsp"
authentication-success-handler-ref="atlasAuthenticationSuccessHandler"
......@@ -54,6 +57,9 @@
<security:custom-filter position="LAST" ref="atlasAuthorizationFilter"/>
</security:http>
<beans:bean id="krbAuthenticationFilter" class="org.apache.atlas.web.filters.AtlasAuthenticationFilter">
</beans:bean>
<beans:bean id="atlasAuthenticationSuccessHandler"
class="org.apache.atlas.web.security.AtlasAuthenticationSuccessHandler" />
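Review bot: `krbAuthenticationFilter` is now part of the main filter chain unconditionally, whereas the Guice registration this commit removes only added AtlasAuthenticationFilter when `AtlasClient.HTTP_AUTHENTICATION_ENABLED` was true. The filter therefore has to pass requests through by itself when `atlas.authentication.method.kerberos` is false, and that code is not on this page. The `security="none"` patterns, including `/api/atlas/admin/status` and the new `/libs/**`, never reach this chain, while the old `filter("/*")` covered every path, so it is worth confirming that nothing sensitive is served under them. A short XML comment above the `<security:custom-filter ref="krbAuthenticationFilter" ...>` element stating both facts would help the next reader.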
......
......@@ -89,7 +89,7 @@ public abstract class BaseResourceIT {
service = client.resource(UriBuilder.fromUri(baseUrl).build());
if (!AuthenticationUtil.isKerberosAuthicationEnabled()) {
if (!AuthenticationUtil.isKerberosAuthenticationEnabled()) {
serviceClient = new AtlasClient(new String[]{baseUrl}, new String[]{"admin", "admin"});
} else {
serviceClient = new AtlasClient(baseUrl);
......
......@@ -77,8 +77,8 @@ public class FileAuthenticationTest {
private void setUpAltasApplicationProperties(String persistDir) throws Exception {
final PropertiesConfiguration configuration = new PropertiesConfiguration();
configuration.setProperty("atlas.login.method", "FILE");
configuration.setProperty("atlas.login.credentials.file", persistDir
configuration.setProperty("atlas.authentication.method.file", "true");
configuration.setProperty("atlas.authentication.method.file.filename", persistDir
+ "/users-credentials");
configuration.setProperty("atlas.auth.policy.file",persistDir
+ "/policy-store.txt" );
......