Skip to content

A
atlas
Commit 8f229628 by Shwetha GS
Options

ATLAS-990 Hive Import metadata script fails with auth exception (nixonrodrigues via shwethags)

parent ab624dda
Showing with 52 additions and 13 deletions
client/src/main/java/org/apache/atlas/security/SecureClientUtils.java
......@@ -68,14 +68,9 @@ public class SecureClientUtils {
conf.addResource(conf.get(SSLFactory.SSL_CLIENT_CONF_KEY, SecurityProperties.SSL_CLIENT_PROPERTIES));
UserGroupInformation.setConfiguration(conf);
final ConnectionConfigurator connConfigurator = newConnConfigurator(conf);
String authType = "simple";
if (clientConfig != null) {
authType = clientConfig.getString("atlas.http.authentication.type", "simple");
}
Authenticator authenticator = new PseudoDelegationTokenAuthenticator();
if (!authType.equals("simple")) {
authenticator = new KerberosDelegationTokenAuthenticator();
}
Authenticator authenticator = new KerberosDelegationTokenAuthenticator();
authenticator.setConnectionConfigurator(connConfigurator);
final DelegationTokenAuthenticator finalAuthenticator = (DelegationTokenAuthenticator) authenticator;
final DelegationTokenAuthenticatedURL.Token token = new DelegationTokenAuthenticatedURL.Token();
......
pom.xml
......@@ -366,7 +366,7 @@
<jackson.version>1.8.3</jackson.version>
<tinkerpop.version>2.6.0</tinkerpop.version>
<titan.version>0.5.4</titan.version>
<hadoop.version>2.7.0</hadoop.version>
<hadoop.version>2.7.1</hadoop.version>
<hbase.version>1.1.2</hbase.version>
<solr.version>5.5.1</solr.version>
<kafka.version>0.10.0.0</kafka.version>
......
release-log.txt
......@@ -6,6 +6,7 @@ INCOMPATIBLE CHANGES:
ALL CHANGES:
ATLAS-990 Hive Import metadata script fails with auth exception (nixonrodrigues via shwethags)
ATLAS-998 determine HA mode from property atlas.server.ids, instead of atlas.server.ha.enabled (madhan.neethiraj via shwethags)
ATLAS-986 Ability to differentiate business catalog terms from traits (sumasai,svimal2106 via shwethags)
ATLAS-1025 Set HIVE_HOME if hive is available in relative path to import hive script (svimal2106 via shwethags)
......
webapp/src/main/java/org/apache/atlas/web/filters/AtlasAuthenticationFilter.java
......@@ -30,6 +30,7 @@ import org.apache.commons.configuration.ConfigurationConverter;
import org.apache.commons.lang.StringUtils;
import org.apache.hadoop.security.SecurityUtil;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.authentication.client.AuthenticatedURL;
import org.apache.hadoop.security.authentication.client.AuthenticationException;
import org.apache.hadoop.security.authentication.client.KerberosAuthenticator;
import org.apache.hadoop.security.authentication.server.AuthenticationFilter;
......@@ -37,6 +38,7 @@ import org.apache.hadoop.security.authentication.server.AuthenticationToken;
import org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler;
import org.apache.hadoop.security.authentication.server.AuthenticationHandler;
import org.apache.hadoop.security.authentication.util.Signer;
import org.apache.hadoop.security.authentication.util.SignerException;
import org.apache.hadoop.security.authentication.util.SignerSecretProvider;
import org.apache.log4j.NDC;
import org.slf4j.Logger;
......@@ -67,7 +69,7 @@ import java.net.UnknownHostException;
import java.security.Principal;
import java.text.SimpleDateFormat;
import java.util.*;
import javax.servlet.http.Cookie;
/**
* This enforces authentication as part of the filter before processing the request.
......@@ -81,6 +83,7 @@ public class AtlasAuthenticationFilter extends AuthenticationFilter {
private Signer signer;
private SignerSecretProvider secretProvider;
public final boolean isKerberos = AuthenticationUtil.isKerberosAuthenticationEnabled();
private boolean isInitializedByTomcat;
public AtlasAuthenticationFilter() {
try {
......@@ -157,6 +160,7 @@ public class AtlasAuthenticationFilter extends AuthenticationFilter {
secretProvider = AuthenticationFilter.constructSecretProvider(
filterConfig.getServletContext(),
super.getConfiguration(configPrefix, filterConfig), false);
this.isInitializedByTomcat = true;
} catch (Exception ex) {
throw new ServletException(ex);
}
......@@ -434,6 +438,11 @@ public class AtlasAuthenticationFilter extends AuthenticationFilter {
@Override
public void destroy() {
if ((this.secretProvider != null) && (this.isInitializedByTomcat)) {
this.secretProvider.destroy();
this.secretProvider = null;
}
optionsServlet.destroy();
super.destroy();
}
......@@ -449,11 +458,11 @@ public class AtlasAuthenticationFilter extends AuthenticationFilter {
while (i.hasNext()) {
String cookie = i.next();
if (!StringUtils.isEmpty(cookie)) {
if (cookie.toLowerCase().startsWith("hadoop.auth".toLowerCase()) && cookie.contains("u=")) {
if (cookie.toLowerCase().startsWith(AuthenticatedURL.AUTH_COOKIE.toLowerCase()) && cookie.contains("u=")) {
String[] split = cookie.split(";");
if (split != null) {
for (String s : split) {
if (!StringUtils.isEmpty(s) && s.toLowerCase().startsWith("hadoop.auth".toLowerCase())) {
if (!StringUtils.isEmpty(s) && s.toLowerCase().startsWith(AuthenticatedURL.AUTH_COOKIE.toLowerCase())) {
int ustr = s.indexOf("u=");
if (ustr != -1) {
int andStr = s.indexOf("&", ustr);
......@@ -478,7 +487,7 @@ public class AtlasAuthenticationFilter extends AuthenticationFilter {
}
public static void createAuthCookie(HttpServletResponse resp, String token, String domain, String path, long expires, boolean isSecure) {
StringBuilder sb = (new StringBuilder("hadoop.auth")).append("=");
StringBuilder sb = (new StringBuilder(AuthenticatedURL.AUTH_COOKIE)).append("=");
if(token != null && token.length() > 0) {
sb.append("\"").append(token).append("\"");
}
......@@ -507,4 +516,38 @@ public class AtlasAuthenticationFilter extends AuthenticationFilter {
resp.addHeader("Set-Cookie", sb.toString());
}
@Override
protected AuthenticationToken getToken(HttpServletRequest request)
throws IOException, AuthenticationException {
AuthenticationToken token = null;
String tokenStr = null;
Cookie[] cookies = request.getCookies();
if (cookies != null) {
for (Cookie cookie : cookies) {
if (cookie.getName().equals(AuthenticatedURL.AUTH_COOKIE)) {
tokenStr = cookie.getValue();
try {
tokenStr = this.signer.verifyAndExtract(tokenStr);
} catch (SignerException ex) {
throw new AuthenticationException(ex);
}
}
}
}
if (tokenStr != null) {
token = AuthenticationToken.parse(tokenStr);
if(token != null) {
AuthenticationHandler authHandler = getAuthenticationHandler();
if (!token.getType().equals(authHandler.getType())) {
throw new AuthenticationException("Invalid AuthenticationToken type");
}
if (token.isExpired()) {
throw new AuthenticationException("AuthenticationToken expired");
}
}
}
return token;
}
}
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment