ATLAS-2557: updated groups lookup for logged in user with an option to include…

ATLAS-2557: updated groups lookup for logged in user with an option to include groups from Hadoop config Signed-off-by: Madhan Neethiraj <madhan@apache.org>

ATLAS-2557: updated groups lookup for logged in user with an option to include…
7515915f · nixonrodrigues · Madhan Neethiraj · b1907a33 · 7515915f · 7515915f
Commit 7515915f authored Apr 13, 2018 by nixonrodrigues Committed by Madhan Neethiraj Apr 13, 2018
Showing with 51 additions and 14 deletions

AuthenticationUtil.java .../main/java/org/apache/atlas/utils/AuthenticationUtil.java +14 -0

AtlasAbstractAuthenticationProvider.java ...las/web/security/AtlasAbstractAuthenticationProvider.java +37 -14

No files found.
--- a/intg/src/main/java/org/apache/atlas/utils/AuthenticationUtil.java
+++ b/intg/src/main/java/org/apache/atlas/utils/AuthenticationUtil.java
@@ -47,6 +47,20 @@ public final class AuthenticationUtil {
        return atlasConf.getBoolean("atlas.authentication.method.kerberos", false);
    }

+    public static boolean includeHadoopGroups(){
+        boolean includeHadoopGroups = false;
+
+        try {
+            Configuration configuration = ApplicationProperties.get();
+
+            includeHadoopGroups = configuration.getBoolean("atlas.authentication.ugi-groups.include-hadoop-groups", includeHadoopGroups);
+        } catch (AtlasException e) {
+            LOG.error("AuthenticationUtil::includeHadoopGroups(). Error while loading atlas application properties ", e);
+        }
+
+        return includeHadoopGroups;
+    }
+
    public static String[] getBasicAuthenticationInput() {
        String username = null;
        String password = null;

--- a/webapp/src/main/java/org/apache/atlas/web/security/AtlasAbstractAuthenticationProvider.java
+++ b/webapp/src/main/java/org/apache/atlas/web/security/AtlasAbstractAuthenticationProvider.java
@@ -19,6 +19,7 @@

 package org.apache.atlas.web.security;

+import org.apache.commons.collections.CollectionUtils;
 import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.security.Groups;
 import org.apache.hadoop.security.UserGroupInformation;
@@ -33,7 +34,11 @@ import org.springframework.security.core.userdetails.User;
 import org.springframework.security.core.userdetails.UserDetails;

 import java.util.ArrayList;
+import java.util.HashSet;
 import java.util.List;
+import java.util.Set;
+
+import org.apache.atlas.utils.AuthenticationUtil;

 public abstract class AtlasAbstractAuthenticationProvider implements AuthenticationProvider {
    private static final Logger LOG = LoggerFactory.getLogger(AtlasAbstractAuthenticationProvider.class);
@@ -94,33 +99,51 @@ public abstract class AtlasAbstractAuthenticationProvider implements Authenticat
    }

    public static List<GrantedAuthority> getAuthoritiesFromUGI(String userName) {
-        List<GrantedAuthority> grantedAuths = new ArrayList<GrantedAuthority>();
+        Set<String>          userGroups = new HashSet<>();
+        UserGroupInformation ugi        = UserGroupInformation.createRemoteUser(userName);

-        UserGroupInformation ugi = UserGroupInformation.createRemoteUser(userName);
        if (ugi != null) {
-            String[] userGroups = ugi.getGroupNames();
-            if (userGroups != null) {
-                for (String group : userGroups) {
-                    grantedAuths.add(new SimpleGrantedAuthority(group));
+            String[] groups = ugi.getGroupNames();
+
+            if(LOG.isDebugEnabled()) {
+                LOG.debug("UserGroupInformation userGroups=" + groups);
+            }
+
+            if (groups != null) {
+                for (String group : groups) {
+                    userGroups.add(group);
                }
            }
        }
-        // if group empty take groups from UGI LDAP-based group mapping
-        if (grantedAuths != null && grantedAuths.isEmpty()) {
+
+        // if group empty take groups from Hadoop LDAP-based group mapping
+        if (CollectionUtils.isEmpty(userGroups) || AuthenticationUtil.includeHadoopGroups()) {
            try {
                Configuration config = new Configuration();
-                Groups gp = new Groups(config);
-                List<String> userGroups = gp.getGroups(userName);
-                if (userGroups != null) {
-                    for (String group : userGroups) {
-                        grantedAuths.add(new SimpleGrantedAuthority(group));
+                Groups        gp     = new Groups(config);
+                List<String>  groups = gp.getGroups(userName);
+
+                if(LOG.isDebugEnabled()) {
+                    LOG.debug("Hadoop userGroups=" + groups);
+                }
+
+                if (groups != null) {
+                    for (String group : groups) {
+                        userGroups.add(group);
                    }
                }
            } catch (java.io.IOException e) {
                LOG.error("Exception while fetching groups ", e);
            }
        }
-        return grantedAuths;
+
+        List<GrantedAuthority> ret = new ArrayList<>();
+
+        for (String userGroup : userGroups) {
+            ret.add(new SimpleGrantedAuthority(userGroup));
+        }
+
+        return ret;
    }

 }