ATLAS-820 Kerberized env: Authentication failing (nixonrodrigues via yhemanth)

addons/hive-bridge/src/main/java/org/apache/atlas/hive/bridge/HiveMetaStoreBridge.java

@@ -562,7 +562,7 @@ public class HiveMetaStoreBridge {
         String atlasEndpoint = atlasConf.getString(ATLAS_ENDPOINT, DEFAULT_DGI_URL);
         AtlasClient atlasClient;
 
-        if (!AuthenticationUtil.isKerberosAuthicationEnabled()) {
+        if (!AuthenticationUtil.isKerberosAuthenticationEnabled()) {
             String[] basicAuthUsernamePassword = AuthenticationUtil.getBasicAuthenticationInput();
             atlasClient = new AtlasClient(new String[]{atlasEndpoint}, basicAuthUsernamePassword);
         } else {

client/src/main/java/org/apache/atlas/AtlasAdminClient.java

@@ -64,7 +64,7 @@ public class AtlasAdminClient {
                 AtlasConstants.ATLAS_REST_ADDRESS_KEY, AtlasConstants.DEFAULT_ATLAS_REST_ADDRESS);
 
         AtlasClient atlasClient = null;
-        if (!AuthenticationUtil.isKerberosAuthicationEnabled()) {
+        if (!AuthenticationUtil.isKerberosAuthenticationEnabled()) {
             String[] basicAuthUsernamePassword = AuthenticationUtil.getBasicAuthenticationInput();
             atlasClient = new AtlasClient(new String[]{atlasServerUri}, basicAuthUsernamePassword);
         } else {

client/src/main/java/org/apache/atlas/AtlasClient.java

@@ -189,7 +189,7 @@ public class AtlasClient {
         configuration = getClientProperties();
         Client client = getClient(configuration, ugi, doAsUser);
 
-        if ((!AuthenticationUtil.isKerberosAuthicationEnabled()) && basicAuthUser!=null && basicAuthPassword!=null) {
+        if ((!AuthenticationUtil.isKerberosAuthenticationEnabled()) && basicAuthUser!=null && basicAuthPassword!=null) {
             final HTTPBasicAuthFilter authFilter = new HTTPBasicAuthFilter(basicAuthUser, basicAuthPassword);
             client.addFilter(authFilter);
         }
@@ -221,7 +221,7 @@ public class AtlasClient {
 
         URLConnectionClientHandler handler = null;
 
-        if ((!AuthenticationUtil.isKerberosAuthicationEnabled()) && basicAuthUser!=null && basicAuthPassword!=null) {
+        if ((!AuthenticationUtil.isKerberosAuthenticationEnabled()) && basicAuthUser!=null && basicAuthPassword!=null) {
             handler = new URLConnectionClientHandler();
         } else {
             handler =

common/src/main/java/org/apache/atlas/utils/AuthenticationUtil.java

@@ -35,22 +35,21 @@ public final class AuthenticationUtil {
     private AuthenticationUtil() {
     }
 
-    public static boolean isKerberosAuthicationEnabled() {
-        boolean isKerberosAuthicationEnabled = false;
+    public static boolean isKerberosAuthenticationEnabled() {
+        boolean isKerberosAuthenticationEnabled = false;
         try {
             Configuration atlasConf = ApplicationProperties.get();
 
-            if ("true".equalsIgnoreCase(atlasConf.getString("atlas.http.authentication.enabled"))
-                    && "kerberos".equalsIgnoreCase(atlasConf.getString("atlas.http.authentication.type"))) {
-                isKerberosAuthicationEnabled = true;
+            if ("true".equalsIgnoreCase(atlasConf.getString("atlas.authentication.method.kerberos"))) {
+                isKerberosAuthenticationEnabled = true;
             } else {
-                isKerberosAuthicationEnabled = false;
+                isKerberosAuthenticationEnabled = false;
             }
 
         } catch (AtlasException e) {
-            LOG.error("Error while isKerberosAuthicationEnabled ", e);
+            LOG.error("Error while isKerberosAuthenticationEnabled ", e);
         }
-        return isKerberosAuthicationEnabled;
+        return isKerberosAuthenticationEnabled;
     }
 
     public static String[] getBasicAuthenticationInput() {

distro/src/conf/atlas-application.properties

@@ -63,10 +63,13 @@ atlas.enableTLS=false
 
 # Authentication config
 
-# enabled:  true or false
-atlas.http.authentication.enabled=false
-# type:  simple or kerberos
-atlas.http.authentication.type=simple
+atlas.authentication.method.kerberos=false
+atlas.authentication.method.ldap=false
+atlas.authentication.method.file=true
+
+atlas.authentication.method.ldap.type=LDAP
+atlas.authentication.method.ldap.url=
+atlas.authentication.method.file.filename=${sys:atlas.home}/conf/users-credentials.properties
 
 #########  JAAS Configuration ########
 
@@ -102,11 +105,6 @@ atlas.server.ha.enabled=false
 #atlas.server.ha.zookeeper.auth=<scheme>:<authinfo>
 
 
-#### atlas.login.method {FILE,LDAP,AD} ####
-atlas.login.method=FILE
-
-### File path of users-credentials
-atlas.login.credentials.file=${sys:atlas.home}/conf/users-credentials.properties
 
 #########POLICY FILE PATH #########
 atlas.auth.policy.file=${sys:atlas.home}/conf/policy-store.txt

distro/src/conf/policy-store.txt

@@ -5,3 +5,4 @@
 adminPolicy;;admin:rwud;;ROLE_ADMIN:rwud;;type:*,entity:*,operation:*,taxonomy:*,term:*
 dataScientistPolicy;;;;DATA_SCIENTIST:r;;type:*,entity:*,taxonomy:*,term:*
 dataStewardPolicy;;;;DATA_STEWARD:rwu;;type:*,entity:*,taxonomy:*,term:*
+hadoopPolicy;;;;hadoop:rwud;;type:*,entity:*,operation:*,taxonomy:*,term:*

release-log.txt

@@ -22,6 +22,7 @@ ATLAS-409 Atlas will not import avro tables with schema read from a file (dosset
 ATLAS-379 Create sqoop and falcon metadata addons (venkatnrangan,bvellanki,sowmyaramesh via shwethags)
 
 ALL CHANGES:
+ATLAS-820 Kerberized env: Authentication failing (nixonrodrigues via yhemanth)
 ATLAS-852 Change Default landing page to taxonomy (kevalbhatt18 via yhemanth)
 ATLAS-858 Unable to delete terms via API which are 3 or more levels deep (jspeidel via sumasai)
 ATLAS-848 Atlas UI: Search term box in left navigation is not auto refresh.(Kalyanikashikar via sumasai)

webapp/src/main/java/org/apache/atlas/examples/QuickStart.java

@@ -72,7 +72,7 @@ public class QuickStart {
 
     public static void main(String[] args) throws Exception {
         String[] basicAuthUsernamePassword = null;
-        if (!AuthenticationUtil.isKerberosAuthicationEnabled()) {
+        if (!AuthenticationUtil.isKerberosAuthenticationEnabled()) {
             basicAuthUsernamePassword = AuthenticationUtil.getBasicAuthenticationInput();
         }
 
@@ -84,7 +84,7 @@ public class QuickStart {
         String baseUrl = getServerUrl(args);
         QuickStart quickStart;
 
-        if (!AuthenticationUtil.isKerberosAuthicationEnabled()) {
+        if (!AuthenticationUtil.isKerberosAuthenticationEnabled()) {
             quickStart = new QuickStart(baseUrl, basicAuthUsernamePassword);
         } else {
             quickStart = new QuickStart(baseUrl);

webapp/src/main/java/org/apache/atlas/web/dao/UserDao.java

@@ -58,7 +58,7 @@ public class UserDao {
 
             Configuration configuration = ApplicationProperties.get();
             PROPERTY_FILE_PATH = configuration
-                    .getString("atlas.login.credentials.file");
+                    .getString("atlas.authentication.method.file.filename");
             if (PROPERTY_FILE_PATH != null && !"".equals(PROPERTY_FILE_PATH)) {
                 userLogins = new Properties();
                 userLogins.load(new FileInputStream(PROPERTY_FILE_PATH));

webapp/src/main/java/org/apache/atlas/web/filters/NullServletContext.java

+/**
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License. See accompanying LICENSE file.
+ */
+
+package org.apache.atlas.web.filters;
+
+import javax.servlet.RequestDispatcher;
+import javax.servlet.Servlet;
+import javax.servlet.ServletContext;
+import javax.servlet.ServletException;
+import java.io.InputStream;
+import java.net.MalformedURLException;
+import java.net.URL;
+import java.util.Enumeration;
+import java.util.Set;
+import javax.servlet.Filter;
+import javax.servlet.FilterRegistration;
+import javax.servlet.ServletRegistration;
+import javax.servlet.SessionCookieConfig;
+import javax.servlet.SessionTrackingMode;
+import javax.servlet.FilterRegistration.Dynamic;
+import javax.servlet.descriptor.JspConfigDescriptor;
+import java.util.EventListener;
+import java.util.Map;
+
+
+/**
+ */
+public class NullServletContext implements ServletContext {
+
+
+
+    public void setSessionTrackingModes(
+            Set<SessionTrackingMode> sessionTrackingModes) {
+    }
+
+
+    public boolean setInitParameter(String name, String value) {
+        return false;
+    }
+
+
+    public void setAttribute(String name, Object object) {
+    }
+
+
+    public void removeAttribute(String name) {
+    }
+
+
+    public void log(String message, Throwable throwable) {
+    }
+
+
+    public void log(Exception exception, String msg) {
+    }
+
+
+    public void log(String msg) {
+    }
+
+
+    public String getVirtualServerName() {
+        return null;
+    }
+
+
+    public SessionCookieConfig getSessionCookieConfig() {
+        return null;
+    }
+
+
+    public Enumeration<Servlet> getServlets() {
+        return null;
+    }
+
+
+    public Map<String, ? extends ServletRegistration> getServletRegistrations() {
+        return null;
+    }
+
+
+    public ServletRegistration getServletRegistration(String servletName) {
+        return null;
+    }
+
+
+    public Enumeration<String> getServletNames() {
+        return null;
+    }
+
+
+    public String getServletContextName() {
+        return null;
+    }
+
+
+    public Servlet getServlet(String name) throws ServletException {
+        return null;
+    }
+
+
+    public String getServerInfo() {
+        return null;
+    }
+
+
+    public Set<String> getResourcePaths(String path) {
+        return null;
+    }
+
+
+    public InputStream getResourceAsStream(String path) {
+        return null;
+    }
+
+
+    public URL getResource(String path) throws MalformedURLException {
+        return null;
+    }
+
+
+    public RequestDispatcher getRequestDispatcher(String path) {
+        return null;
+    }
+
+
+    public String getRealPath(String path) {
+        return null;
+    }
+
+
+    public RequestDispatcher getNamedDispatcher(String name) {
+        return null;
+    }
+
+
+    public int getMinorVersion() {
+        return 0;
+    }
+
+
+    public String getMimeType(String file) {
+        return null;
+    }
+
+
+    public int getMajorVersion() {
+        return 0;
+    }
+
+
+    public JspConfigDescriptor getJspConfigDescriptor() {
+        return null;
+    }
+
+
+    public Enumeration<String> getInitParameterNames() {
+        return null;
+    }
+
+
+    public String getInitParameter(String name) {
+        return null;
+    }
+
+
+    public Map<String, ? extends FilterRegistration> getFilterRegistrations() {
+        return null;
+    }
+
+
+    public FilterRegistration getFilterRegistration(String filterName) {
+        return null;
+    }
+
+
+    public Set<SessionTrackingMode> getEffectiveSessionTrackingModes() {
+        return null;
+    }
+
+
+    public int getEffectiveMinorVersion() {
+        return 0;
+    }
+
+
+    public int getEffectiveMajorVersion() {
+        return 0;
+    }
+
+
+    public Set<SessionTrackingMode> getDefaultSessionTrackingModes() {
+        return null;
+    }
+
+
+    public String getContextPath() {
+        return null;
+    }
+
+
+    public ServletContext getContext(String uripath) {
+        return null;
+    }
+
+
+    public ClassLoader getClassLoader() {
+        return null;
+    }
+
+
+    public Enumeration<String> getAttributeNames() {
+        return null;
+    }
+
+
+    public Object getAttribute(String name) {
+        return null;
+    }
+
+
+    public void declareRoles(String... roleNames) {
+    }
+
+
+    public <T extends Servlet> T createServlet(Class<T> clazz)
+            throws ServletException {
+        return null;
+    }
+
+
+    public <T extends EventListener> T createListener(Class<T> clazz)
+            throws ServletException {
+        return null;
+    }
+
+
+    public <T extends Filter> T createFilter(Class<T> clazz)
+            throws ServletException {
+        return null;
+    }
+
+
+    public javax.servlet.ServletRegistration.Dynamic addServlet(
+            String servletName, Class<? extends Servlet> servletClass) {
+        return null;
+    }
+
+
+    public javax.servlet.ServletRegistration.Dynamic addServlet(
+            String servletName, Servlet servlet) {
+        return null;
+    }
+
+
+    public javax.servlet.ServletRegistration.Dynamic addServlet(
+            String servletName, String className) {
+        return null;
+    }
+
+
+    public void addListener(Class<? extends EventListener> listenerClass) {
+    }
+
+
+    public <T extends EventListener> void addListener(T t) {
+    }
+
+
+    public void addListener(String className) {
+    }
+
+
+    public Dynamic addFilter(String filterName,
+                             Class<? extends Filter> filterClass) {
+        return null;
+    }
+
+
+    public Dynamic addFilter(String filterName, Filter filter) {
+        return null;
+    }
+
+
+    public Dynamic addFilter(String filterName, String className) {
+        return null;
+    }
+
+
+}

webapp/src/main/java/org/apache/atlas/web/listeners/GuiceServletConfig.java

@@ -95,11 +95,6 @@ public class GuiceServletConfig extends GuiceServletContextListener {
                         protected void configureServlets() {
                             filter("/*").through(AuditFilter.class);
                             configureActiveServerFilterIfNecessary();
-                            try {
-                                configureAuthenticationFilter();
-                            } catch (ConfigurationException e) {
-                                LOG.warn("Unable to add and configure authentication filter", e);
-                            }
 
                             String packages = getServletContext().getInitParameter(GUICE_CTX_PARAM);
 
@@ -120,16 +115,6 @@ public class GuiceServletConfig extends GuiceServletContextListener {
                             }
                         }
 
-                        private void configureAuthenticationFilter() throws ConfigurationException {
-                            Configuration configuration = getConfiguration();
-                            if (configuration == null) {
-                                throw new ConfigurationException("Could not load application configuration");
-                            }
-                            if (Boolean.valueOf(configuration.getString(AtlasClient.HTTP_AUTHENTICATION_ENABLED))) {
-                                LOG.info("Enabling AuthenticationFilter");
-                                filter("/*").through(AtlasAuthenticationFilter.class);
-                            }
-                        }
                     });
 
             LOG.info("Guice modules loaded");

webapp/src/main/java/org/apache/atlas/web/listeners/LoginProcessor.java

@@ -38,7 +38,7 @@ public class LoginProcessor {
 
     private static final Logger LOG = LoggerFactory.getLogger(LoginProcessor.class);
     public static final String ATLAS_AUTHENTICATION_PREFIX = "atlas.authentication.";
-    public static final String AUTHENTICATION_METHOD = ATLAS_AUTHENTICATION_PREFIX + "method";
+    public static final String AUTHENTICATION_KERBEROS_METHOD = ATLAS_AUTHENTICATION_PREFIX + "method.kerberos";
     public static final String AUTHENTICATION_PRINCIPAL = ATLAS_AUTHENTICATION_PREFIX + "principal";
     public static final String AUTHENTICATION_KEYTAB = ATLAS_AUTHENTICATION_PREFIX + "keytab";
 
@@ -95,12 +95,14 @@ public class LoginProcessor {
 
     protected void setupHadoopConfiguration(Configuration hadoopConfig, org.apache.commons.configuration.Configuration
             configuration) {
-        String authMethod;
-        authMethod = configuration != null ? configuration.getString(AUTHENTICATION_METHOD) : null;
+        String authMethod = "";
+        String kerberosAuthNEnabled = configuration != null ? configuration.getString(AUTHENTICATION_KERBEROS_METHOD) : null;
         // getString may return null, and would like to log the nature of the default setting
-        if (authMethod == null) {
+        if (kerberosAuthNEnabled == null || kerberosAuthNEnabled.equalsIgnoreCase("false")) {
             LOG.info("No authentication method configured.  Defaulting to simple authentication");
             authMethod = "simple";
+        } else if (kerberosAuthNEnabled.equalsIgnoreCase("true")) {
+            authMethod = "kerberos";
         }
         SecurityUtil
                 .setAuthenticationMethod(UserGroupInformation.AuthenticationMethod.valueOf(authMethod.toUpperCase()),

webapp/src/main/java/org/apache/atlas/web/security/AtlasAuthenticationProvider.java

@@ -34,11 +34,12 @@ public class AtlasAuthenticationProvider extends
     private static final Logger LOG = LoggerFactory
             .getLogger(AtlasAuthenticationProvider.class);
 
-    private String atlasAuthenticationMethod = "UNKNOWN";
-
-    enum AUTH_METHOD {
-        FILE, LDAP, AD
-    };
+    private boolean fileAuthenticationMethodEnabled = true;
+    private boolean ldapAuthenticationMethodEnabled = false;
+    private String ldapType = "UNKNOWN";
+    public static final String FILE_AUTH_METHOD = "atlas.authentication.method.file";
+    public static final String LDAP_AUTH_METHOD = "atlas.authentication.method.ldap";
+    public static final String LDAP_TYPE = "atlas.authentication.method.ldap.type";
 
     @Autowired
     AtlasLdapAuthenticationProvider ldapAuthenticationProvider;
@@ -53,8 +54,12 @@ public class AtlasAuthenticationProvider extends
     void setAuthenticationMethod() {
         try {
             Configuration configuration = ApplicationProperties.get();
-            this.atlasAuthenticationMethod = configuration.getString(
-                    "atlas.login.method", "UNKNOWN");
+
+            this.fileAuthenticationMethodEnabled = configuration.getBoolean(
+                    FILE_AUTH_METHOD, true);
+            this.ldapAuthenticationMethodEnabled = configuration.getBoolean(
+                    LDAP_AUTH_METHOD, false);
+            this.ldapType = configuration.getString(LDAP_TYPE, "UNKNOWN");
         } catch (Exception e) {
             LOG.error(
                     "Error while getting atlas.login.method application properties",
@@ -66,37 +71,30 @@ public class AtlasAuthenticationProvider extends
     public Authentication authenticate(Authentication authentication)
             throws AuthenticationException {
 
-        if (atlasAuthenticationMethod.equalsIgnoreCase(AUTH_METHOD.FILE.name())) {
-            authentication = fileAuthenticationProvider
-                    .authenticate(authentication);
-        } else if (atlasAuthenticationMethod.equalsIgnoreCase(AUTH_METHOD.LDAP
-                .name())) {
+        if (ldapAuthenticationMethodEnabled) {
+
+            if (ldapType.equalsIgnoreCase("LDAP")) {
                 try {
                     authentication = ldapAuthenticationProvider
                             .authenticate(authentication);
                 } catch (Exception ex) {
                     LOG.error("Error while LDAP authentication", ex);
                 }
-        } else if (atlasAuthenticationMethod.equalsIgnoreCase(AUTH_METHOD.AD
-                .name())) {
+            } else if (ldapType.equalsIgnoreCase("AD")) {
                 try {
                     authentication = adAuthenticationProvider
                             .authenticate(authentication);
                 } catch (Exception ex) {
                     LOG.error("Error while AD authentication", ex);
                 }
-        } else {
-            LOG.error("Invalid authentication method :"
-                    + atlasAuthenticationMethod);
+            }
         }
 
         if (authentication != null && authentication.isAuthenticated()) {
             return authentication;
         } else {
-            // If the LDAP/AD authentication fails try the local file login method
-            if (atlasAuthenticationMethod.equalsIgnoreCase(AUTH_METHOD.AD
-                    .name()) || atlasAuthenticationMethod.equalsIgnoreCase(AUTH_METHOD.LDAP
-                    .name())) {
+            // If the LDAP/AD authentication fails try the local filebased login method
+            if (fileAuthenticationMethodEnabled) {
                 authentication = fileAuthenticationProvider
                         .authenticate(authentication);
             }

webapp/src/main/resources/spring-security.xml

@@ -30,6 +30,7 @@
 
     <security:http pattern="/login.jsp" security="none" />
     <security:http pattern="/css/**" security="none" />
+    <security:http pattern="/img/**" security="none" />
     <security:http pattern="/libs/**" security="none" />
     <security:http pattern="/js/**" security="none" />
     <security:http pattern="/api/atlas/admin/status" security="none" />
@@ -41,6 +42,8 @@
                 session-fixation-protection="newSession" />
         <intercept-url pattern="/**" access="isAuthenticated()" />
 
+        <security:custom-filter ref="krbAuthenticationFilter" after="SERVLET_API_SUPPORT_FILTER" />
+
         <form-login
                 login-page="/login.jsp"
                 authentication-success-handler-ref="atlasAuthenticationSuccessHandler"
@@ -54,6 +57,9 @@
         <security:custom-filter position="LAST" ref="atlasAuthorizationFilter"/>
     </security:http>
 
+    <beans:bean id="krbAuthenticationFilter" class="org.apache.atlas.web.filters.AtlasAuthenticationFilter">
+    </beans:bean>
+
     <beans:bean id="atlasAuthenticationSuccessHandler"
                 class="org.apache.atlas.web.security.AtlasAuthenticationSuccessHandler" />
 

webapp/src/test/java/org/apache/atlas/web/resources/BaseResourceIT.java

@@ -89,7 +89,7 @@ public abstract class BaseResourceIT {
 
         service = client.resource(UriBuilder.fromUri(baseUrl).build());
 
-        if (!AuthenticationUtil.isKerberosAuthicationEnabled()) {
+        if (!AuthenticationUtil.isKerberosAuthenticationEnabled()) {
             serviceClient = new AtlasClient(new String[]{baseUrl}, new String[]{"admin", "admin"});
         } else {
             serviceClient = new AtlasClient(baseUrl);

webapp/src/test/java/org/apache/atlas/web/security/FileAuthenticationTest.java

@@ -77,8 +77,8 @@ public class FileAuthenticationTest {
 
     private void setUpAltasApplicationProperties(String persistDir) throws Exception {
         final PropertiesConfiguration configuration = new PropertiesConfiguration();
-        configuration.setProperty("atlas.login.method", "FILE");
-        configuration.setProperty("atlas.login.credentials.file", persistDir
+        configuration.setProperty("atlas.authentication.method.file", "true");
+        configuration.setProperty("atlas.authentication.method.file.filename", persistDir
                 + "/users-credentials");
         configuration.setProperty("atlas.auth.policy.file",persistDir
                 + "/policy-store.txt" );