ATLAS-1538 Make AtlasLdapAuthenticationProvider like Ranger for OpenLdap type

release-log.txt

@@ -9,6 +9,7 @@ ATLAS-1060 Add composite indexes for exact match performance improvements for al
 ATLAS-1127 Modify creation and modification timestamps to Date instead of Long(sumasai)
 
 ALL CHANGES:
+ATLAS-1538 Make AtlasLdapAuthenticationProvider like Ranger for OpenLdap type (nixonrodrigues via kevalbhatt)
 ATLAS-1605 Edit Entity in UI : Update button is not enabled when updating attribute of type date (Kalyanikashikar via kevalbhatt)
 ATLAS-1595:Create Entity in UI : All attributes are not listed for hdfs_path. (Kalyanikashikar via kevalbhatt)
 ATLAS-1618: updated export to support scope option - full/connected

webapp/src/main/java/org/apache/atlas/web/security/AtlasAbstractAuthenticationProvider.java

@@ -97,18 +97,30 @@ public abstract class AtlasAbstractAuthenticationProvider implements
 
     public static List<GrantedAuthority> getAuthoritiesFromUGI(String userName) {
         List<GrantedAuthority> grantedAuths = new ArrayList<GrantedAuthority>();
-        Configuration config = new Configuration();
 
-        try {
-            Groups gp = new Groups(config);
-            List<String> userGroups = gp.getGroups(userName);
+        UserGroupInformation ugi = UserGroupInformation.createRemoteUser(userName);
+        if (ugi != null) {
+            String[] userGroups = ugi.getGroupNames();
             if (userGroups != null) {
                 for (String group : userGroups) {
                     grantedAuths.add(new SimpleGrantedAuthority(group));
                 }
             }
-        } catch (java.io.IOException e) {
-            LOG.error("Exception while fetching groups ", e);
+        }
+        // if group empty take groups from UGI LDAP-based group mapping
+        if (grantedAuths != null && grantedAuths.isEmpty()) {
+            try {
+                Configuration config = new Configuration();
+                Groups gp = new Groups(config);
+                List<String> userGroups = gp.getGroups(userName);
+                if (userGroups != null) {
+                    for (String group : userGroups) {
+                        grantedAuths.add(new SimpleGrantedAuthority(group));
+                    }
+                }
+            } catch (java.io.IOException e) {
+                LOG.error("Exception while fetching groups ", e);
+            }
         }
         return grantedAuths;
     }

webapp/src/main/java/org/apache/atlas/web/security/AtlasLdapAuthenticationProvider.java

@@ -18,9 +18,11 @@
 
 package org.apache.atlas.web.security;
 
+import java.util.ArrayList;
 import java.util.List;
 import java.util.Properties;
 import javax.annotation.PostConstruct;
+
 import org.apache.atlas.ApplicationProperties;
 import org.apache.atlas.web.model.User;
 import org.apache.commons.configuration.Configuration;
@@ -39,11 +41,13 @@ import org.springframework.security.ldap.authentication.LdapAuthenticationProvid
 import org.springframework.security.ldap.search.FilterBasedLdapUserSearch;
 import org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator;
 import org.springframework.stereotype.Component;
+import org.apache.commons.lang.StringUtils;
 
 @Component
 public class AtlasLdapAuthenticationProvider extends
         AtlasAbstractAuthenticationProvider {
     private static Logger LOG = LoggerFactory.getLogger(AtlasLdapAuthenticationProvider.class);
+    private boolean isDebugEnabled = LOG.isDebugEnabled();
 
     private String ldapURL;
     private String ldapUserDNPattern;
@@ -67,15 +71,27 @@ public class AtlasLdapAuthenticationProvider extends
     public Authentication authenticate(Authentication authentication)
             throws AuthenticationException {
         try {
-            return getLdapBindAuthentication(authentication);
+            authentication = getLdapBindAuthentication(authentication);
+            if (authentication != null && authentication.isAuthenticated()) {
+                return authentication;
+            } else {
+                authentication = getLdapAuthentication(authentication);
+                if (authentication != null && authentication.isAuthenticated()) {
+                    return authentication;
+                }
+            }
         } catch (Exception e) {
             throw new AtlasAuthenticationException(e.getMessage(), e.getCause());
         }
+        return authentication;
     }
 
     private Authentication getLdapBindAuthentication(
             Authentication authentication) throws Exception {
         try {
+            if (isDebugEnabled) {
+                LOG.debug("==> AtlasLdapAuthenticationProvider getLdapBindAuthentication");
+            }
             String userName = authentication.getName();
             String userPassword = "";
             if (authentication.getCredentials() != null) {
@@ -115,15 +131,95 @@ public class AtlasLdapAuthenticationProvider extends
                 }
                 return authentication;
             } else {
-                throw new AtlasAuthenticationException(
-                        "LDAP Authentication::userName or userPassword is null or empty for userName "
-                                + userName);
+                LOG.error("LDAP Authentication::userName or userPassword is null or empty for userName "
+                        + userName);
             }
         } catch (Exception e) {
-            LOG.error("LDAP Authentication Failed:", e);
-            throw new AtlasAuthenticationException(
-                    "LDAP Authentication Failed", e);
+            LOG.error(" getLdapBindAuthentication LDAP Authentication Failed:", e);
+        }
+        if (isDebugEnabled) {
+            LOG.debug("<== AtlasLdapAuthenticationProvider getLdapBindAuthentication");
+        }
+        return authentication;
+    }
+
+    private Authentication getLdapAuthentication(Authentication authentication) {
+
+        if (isDebugEnabled) {
+            LOG.debug("==> AtlasLdapAuthenticationProvider getLdapAuthentication");
+        }
+
+        try {
+            // taking the user-name and password from the authentication
+            // object.
+            String userName = authentication.getName();
+            String userPassword = "";
+            if (authentication.getCredentials() != null) {
+                userPassword = authentication.getCredentials().toString();
+            }
+
+            // populating LDAP context source with LDAP URL and user-DN-pattern
+            LdapContextSource ldapContextSource = new DefaultSpringSecurityContextSource(
+                    ldapURL);
+
+            ldapContextSource.setCacheEnvironmentProperties(false);
+            ldapContextSource.setAnonymousReadOnly(true);
+
+            // Creating BindAuthenticator using Ldap Context Source.
+            BindAuthenticator bindAuthenticator = new BindAuthenticator(
+                    ldapContextSource);
+            //String[] userDnPatterns = new String[] { rangerLdapUserDNPattern };
+            String[] userDnPatterns = ldapUserDNPattern.split(";");
+            bindAuthenticator.setUserDnPatterns(userDnPatterns);
+
+            LdapAuthenticationProvider ldapAuthenticationProvider = null;
+
+            if (!StringUtils.isEmpty(ldapGroupSearchBase) && !StringUtils.isEmpty(ldapGroupSearchFilter)) {
+                // Creating LDAP authorities populator using Ldap context source and
+                // Ldap group search base.
+                // populating LDAP authorities populator with group search
+                // base,group role attribute, group search filter.
+                DefaultLdapAuthoritiesPopulator defaultLdapAuthoritiesPopulator = new DefaultLdapAuthoritiesPopulator(
+                        ldapContextSource, ldapGroupSearchBase);
+                defaultLdapAuthoritiesPopulator.setGroupRoleAttribute(ldapGroupRoleAttribute);
+                defaultLdapAuthoritiesPopulator.setGroupSearchFilter(ldapGroupSearchFilter);
+                defaultLdapAuthoritiesPopulator.setIgnorePartialResultException(true);
+
+                // Creating Ldap authentication provider using BindAuthenticator and Ldap authentication populator
+                ldapAuthenticationProvider = new LdapAuthenticationProvider(
+                        bindAuthenticator, defaultLdapAuthoritiesPopulator);
+            } else {
+                ldapAuthenticationProvider = new LdapAuthenticationProvider(bindAuthenticator);
+            }
+
+            // getting user authenticated
+            if (userName != null && userPassword != null
+                    && !userName.trim().isEmpty()
+                    && !userPassword.trim().isEmpty()) {
+                final List<GrantedAuthority> grantedAuths = getAuthorities(userName);
+
+                final UserDetails principal = new User(userName, userPassword,
+                        grantedAuths);
+
+                final Authentication finalAuthentication = new UsernamePasswordAuthenticationToken(
+                        principal, userPassword, grantedAuths);
+
+                authentication = ldapAuthenticationProvider
+                        .authenticate(finalAuthentication);
+                if (groupsFromUGI) {
+                    authentication = getAuthenticationWithGrantedAuthorityFromUGI(authentication);
+                }
+                return authentication;
+            } else {
+                return authentication;
+            }
+        } catch (Exception e) {
+            LOG.error("getLdapAuthentication LDAP Authentication Failed:", e);
+        }
+        if (isDebugEnabled) {
+            LOG.debug("<== AtlasLdapAuthenticationProvider getLdapAuthentication");
         }
+        return authentication;
     }
 
     private void setLdapProperties() {