ATLAS-1244: added support for KnoxSSO Authentication

Signed-off-by: Madhan Neethiraj <madhan@apache.org>

ATLAS-1244: added support for KnoxSSO Authentication
854b7928 · nixonrodrigues · Madhan Neethiraj · ae92406d · 854b7928 · 854b7928
Commit 854b7928 authored Nov 02, 2016 by nixonrodrigues Committed by Madhan Neethiraj Nov 15, 2016
13 changed files
--- a/distro/src/conf/atlas-application.properties
+++ b/distro/src/conf/atlas-application.properties
@@ -198,3 +198,12 @@ atlas.rest-csrf.custom-header=X-XSRF-HEADER
 #########  Enable Taxonomy  #########
 atlas.feature.taxonomy.enable=true
+############ KNOX Configs ################
+#atlas.sso.knox.browser.useragent=Mozilla,Chrome,Opera
+#atlas.sso.knox.enabled=true
+#atlas.sso.knox.providerurl=https://<knox gateway ip>:8443/gateway/knoxsso/api/v1/websso
+#atlas.sso.knox.publicKey=
--- a/release-log.txt
+++ b/release-log.txt
@@ -9,6 +9,7 @@ ATLAS-1060 Add composite indexes for exact match performance improvements for al
 ATLAS-1127 Modify creation and modification timestamps to Date instead of Long(sumasai)
 ALL CHANGES:
+ATLAS-1244 added support for KnoxSSO Authentication
 ATLAS-1295 Build failure due to patch for ATLAS-1081 (apoorvnaik via sumasai)
 ATLAS-1081 Atlas jetty server configuration (shwethags)
 ATLAS-1257 Map Entity REST APIs to ATLAS v1 backend (sumasai)

--- a/webapp/pom.xml
+++ b/webapp/pom.xml
@@ -355,6 +355,18 @@
            <scope>test</scope>
        </dependency>
+	 <dependency>
+            <groupId>com.nimbusds</groupId>
+            <artifactId>nimbus-jose-jwt</artifactId>
+            <version>3.9</version>
+            <scope>compile</scope>
+            <exclusions>
+                <exclusion>
+                    <groupId>org.bouncycastle</groupId>
+                    <artifactId>bcprov-jdk15on</artifactId>
+                </exclusion>
+            </exclusions>
+        </dependency>
    </dependencies>
    <build>

--- a/webapp/src/main/java/org/apache/atlas/web/filters/AtlasAuthenticationFilter.java
+++ b/webapp/src/main/java/org/apache/atlas/web/filters/AtlasAuthenticationFilter.java
@@ -435,7 +435,7 @@ public class AtlasAuthenticationFilter extends AuthenticationFilter {
                        Collection<String> headerNames = httpResponse.getHeaderNames();
                        for (String headerName : headerNames) {
                            String value = httpResponse.getHeader(headerName);
-                            if (headerName.equalsIgnoreCase("Set-Cookie") && value.startsWith("JSESSIONID")) {
+                            if (headerName.equalsIgnoreCase("Set-Cookie") && value.startsWith("ATLASSESSIONID")) {
                                chk = false;
                                break;
                            }

--- a/webapp/src/main/java/org/apache/atlas/web/filters/AtlasKnoxSSOAuthenticationFilter.java
+++ b/webapp/src/main/java/org/apache/atlas/web/filters/AtlasKnoxSSOAuthenticationFilter.java
--- a/webapp/src/main/java/org/apache/atlas/web/filters/SSOAuthentication.java
+++ b/webapp/src/main/java/org/apache/atlas/web/filters/SSOAuthentication.java
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.atlas.web.filters;
+import com.nimbusds.jwt.SignedJWT;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.GrantedAuthority;
+import java.util.Collection;
+/**
+ * Internal token which describes JWT authentication
+ */
+public class SSOAuthentication implements Authentication {
+    private final SignedJWT token;
+    private boolean authenticated = false;
+    public SSOAuthentication(SignedJWT token) {
+        this.token = token;
+    }
+    @Override
+    public SignedJWT getCredentials() {
+        return token;
+    }
+    @Override
+    public Object getDetails() {
+        return null;
+    }
+    @Override
+    public boolean isAuthenticated() {
+        return authenticated;
+    }
+    @Override
+    public void setAuthenticated(boolean authenticated) throws IllegalArgumentException {
+        this.authenticated = authenticated;
+    }
+    @Override
+    public String getName() {
+        return null;
+    }
+    @Override
+    public Collection<? extends GrantedAuthority> getAuthorities() {
+        return null;
+    }
+    @Override
+    public Object getPrincipal() {
+        return null;
+    }
+}
--- a/webapp/src/main/java/org/apache/atlas/web/filters/SSOAuthenticationProperties.java
+++ b/webapp/src/main/java/org/apache/atlas/web/filters/SSOAuthenticationProperties.java
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.atlas.web.filters;
+import java.security.interfaces.RSAPublicKey;
+public class SSOAuthenticationProperties {
+    private String authenticationProviderUrl = null;
+    private RSAPublicKey publicKey = null;
+    private String cookieName = "hadoop-jwt";
+    private String originalUrlQueryParam = null;
+    private String[] userAgentList = null;
+    public String getAuthenticationProviderUrl() {
+        return authenticationProviderUrl;
+    }
+    public void setAuthenticationProviderUrl(String authenticationProviderUrl) {
+        this.authenticationProviderUrl = authenticationProviderUrl;
+    }
+    public RSAPublicKey getPublicKey() {
+        return publicKey;
+    }
+    public void setPublicKey(RSAPublicKey publicKey) {
+        this.publicKey = publicKey;
+    }
+    public String getCookieName() {
+        return cookieName;
+    }
+    public void setCookieName(String cookieName) {
+        this.cookieName = cookieName;
+    }
+    public String getOriginalUrlQueryParam() {
+        return originalUrlQueryParam;
+    }
+    public void setOriginalUrlQueryParam(String originalUrlQueryParam) {
+        this.originalUrlQueryParam = originalUrlQueryParam;
+    }
+    /**
+     * @return the userAgentList
+     */
+    public String[] getUserAgentList() {
+        return userAgentList;
+    }
+    /**
+     * @param userAgentList the userAgentList to set
+     */
+    public void setUserAgentList(String[] userAgentList) {
+        this.userAgentList = userAgentList;
+    }
+}
--- a/webapp/src/main/java/org/apache/atlas/web/security/AtlasAbstractAuthenticationProvider.java
+++ b/webapp/src/main/java/org/apache/atlas/web/security/AtlasAbstractAuthenticationProvider.java
@@ -22,7 +22,11 @@ package org.apache.atlas.web.security;
 import java.util.ArrayList;
 import java.util.List;
+import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.security.UserGroupInformation;
+import org.apache.hadoop.security.*;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 import org.springframework.security.authentication.AuthenticationProvider;
 import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
 import org.springframework.security.core.Authentication;
@@ -33,6 +37,7 @@ import org.springframework.security.core.userdetails.UserDetails;
 public abstract class AtlasAbstractAuthenticationProvider implements
        AuthenticationProvider {
+    private static final Logger LOG = LoggerFactory.getLogger(AtlasAbstractAuthenticationProvider.class);
    @Override
    public boolean supports(Class<?> authentication) {
@@ -92,16 +97,20 @@ public abstract class AtlasAbstractAuthenticationProvider implements
        return authentication;
    }
-    public List<GrantedAuthority> getAuthoritiesFromUGI(String userName) {
+    public static List<GrantedAuthority> getAuthoritiesFromUGI(String userName) {
        List<GrantedAuthority> grantedAuths = new ArrayList<GrantedAuthority>();
-        UserGroupInformation ugi = UserGroupInformation.createRemoteUser(userName);
+        Configuration config = new Configuration();
-        if (ugi != null) {
-            String[] userGroups = ugi.getGroupNames();
+        try {
+            Groups gp = new Groups(config);
+            List<String> userGroups = gp.getGroups(userName);
            if (userGroups != null) {
                for (String group : userGroups) {
                    grantedAuths.add(new SimpleGrantedAuthority(group));
                }
            }
+        } catch (java.io.IOException e) {
+            LOG.error("Exception while fetching groups ", e);
        }
        return grantedAuths;
    }

--- a/webapp/src/main/java/org/apache/atlas/web/security/AtlasAuthenticationProvider.java
+++ b/webapp/src/main/java/org/apache/atlas/web/security/AtlasAuthenticationProvider.java
@@ -39,6 +39,10 @@ public class AtlasAuthenticationProvider extends
    public static final String FILE_AUTH_METHOD = "atlas.authentication.method.file";
    public static final String LDAP_TYPE = "atlas.authentication.method.ldap.type";
+    private boolean ssoEnabled = false;
    @Autowired
    AtlasLdapAuthenticationProvider ldapAuthenticationProvider;
@@ -67,17 +71,27 @@ public class AtlasAuthenticationProvider extends
    public Authentication authenticate(Authentication authentication)
            throws AuthenticationException {
-        if (ldapType.equalsIgnoreCase("LDAP")) {
+        if(ssoEnabled){
-            try {
+            if (authentication != null){
-                authentication = ldapAuthenticationProvider.authenticate(authentication);
+                authentication = getSSOAuthentication(authentication);
-            } catch (Exception ex) {
+                if(authentication!=null && authentication.isAuthenticated()){
-                LOG.error("Error while LDAP authentication", ex);
+                    return authentication;
+                }
            }
-        } else if (ldapType.equalsIgnoreCase("AD")) {
+        } else {
-            try {
-                authentication = adAuthenticationProvider.authenticate(authentication);
+            if (ldapType.equalsIgnoreCase("LDAP")) {
-            } catch (Exception ex) {
+                try {
-                LOG.error("Error while AD authentication", ex);
+                    authentication = ldapAuthenticationProvider.authenticate(authentication);
+                } catch (Exception ex) {
+                    LOG.error("Error while LDAP authentication", ex);
+                }
+            } else if (ldapType.equalsIgnoreCase("AD")) {
+                try {
+                    authentication = adAuthenticationProvider.authenticate(authentication);
+                } catch (Exception ex) {
+                    LOG.error("Error while AD authentication", ex);
+                }
            }
        }
@@ -97,4 +111,15 @@ public class AtlasAuthenticationProvider extends
        throw new AtlasAuthenticationException("Authentication failed.");
    }
+    public boolean isSsoEnabled() {
+        return ssoEnabled;
+    }
+    public void setSsoEnabled(boolean ssoEnabled) {
+        this.ssoEnabled = ssoEnabled;
+    }
+    private Authentication getSSOAuthentication(Authentication authentication) throws AuthenticationException{
+        return authentication;
+    }
 }
--- a/webapp/src/main/java/org/apache/atlas/web/security/AtlasAuthenticationSuccessHandler.java
+++ b/webapp/src/main/java/org/apache/atlas/web/security/AtlasAuthenticationSuccessHandler.java
@@ -43,6 +43,11 @@ public class AtlasAuthenticationSuccessHandler implements AuthenticationSuccessH
        ObjectMapper mapper = new ObjectMapper();
        json.put("msgDesc", "Success");
+        if (request.getSession() != null) { // incase of form based login mark it as local login in session
+            request.getSession().setAttribute("locallogin","true");
+            request.getServletContext().setAttribute(request.getSession().getId(), "locallogin");
+        }
        String jsonAsStr = mapper.writeValueAsString(json);
        response.setContentType("application/json");
        response.setStatus(HttpServletResponse.SC_OK);

--- a/webapp/src/main/resources/spring-security.xml
+++ b/webapp/src/main/resources/spring-security.xml
@@ -42,6 +42,7 @@
        <security:session-management
                session-fixation-protection="newSession" />
        <intercept-url pattern="/**" access="isAuthenticated()" />
+        <custom-filter ref="ssoAuthenticationFilter" after="BASIC_AUTH_FILTER" />
        <security:custom-filter ref="krbAuthenticationFilter" after="SERVLET_API_SUPPORT_FILTER" />
        <security:custom-filter ref="CSRFPreventionFilter" after="REMEMBER_ME_FILTER" />
@@ -53,7 +54,7 @@
                username-parameter="j_username"
                password-parameter="j_password" />
-        <security:logout logout-success-url="/login.jsp" delete-cookies="JSESSIONID"
+        <security:logout logout-success-url="/login.jsp" delete-cookies="ATLASSESSIONID"
                         logout-url="/logout.html" />
        <http-basic />
        <security:custom-filter position="LAST" ref="atlasAuthorizationFilter"/>
@@ -61,7 +62,10 @@
    <beans:bean id="krbAuthenticationFilter" class="org.apache.atlas.web.filters.AtlasAuthenticationFilter">
    </beans:bean>
+    <beans:bean id="ssoAuthenticationFilter" class="org.apache.atlas.web.filters.AtlasKnoxSSOAuthenticationFilter">
+    </beans:bean>
    <beans:bean id="CSRFPreventionFilter" class="org.apache.atlas.web.filters.AtlasCSRFPreventionFilter">
    </beans:bean>

--- a/webapp/src/main/webapp/WEB-INF/web.xml
+++ b/webapp/src/main/webapp/WEB-INF/web.xml
@@ -79,5 +79,14 @@
    </listener>
+    <session-config>
+        <session-timeout>60</session-timeout>
+        <tracking-mode>COOKIE</tracking-mode>
+        <cookie-config>
+            <name>ATLASSESSIONID</name>
+            <http-only>true</http-only>
+        </cookie-config>
+    </session-config>
 </web-app>
--- a/webapp/src/test/webapp/WEB-INF/web.xml
+++ b/webapp/src/test/webapp/WEB-INF/web.xml
@@ -73,4 +73,13 @@
        <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
    </listener>
+    <session-config>
+        <session-timeout>60</session-timeout>
+        <tracking-mode>COOKIE</tracking-mode>
+        <cookie-config>
+            <name>ATLASSESSIONID</name>
+            <http-only>true</http-only>
+        </cookie-config>
+    </session-config>
 </web-app>