ATLAS-1538 Make AtlasLdapAuthenticationProvider like Ranger for OpenLdap type

a4b16bba · nixonrodrigues · kevalbhatt · 7753f2e8 · a4b16bba · a4b16bba
Commit a4b16bba authored 8 years ago by nixonrodrigues Committed by kevalbhatt 8 years ago
3 changed files
--- a/release-log.txt
+++ b/release-log.txt
@@ -9,6 +9,7 @@ ATLAS-1060 Add composite indexes for exact match performance improvements for al
 ATLAS-1127 Modify creation and modification timestamps to Date instead of Long(sumasai)
 ALL CHANGES:
+ATLAS-1538 Make AtlasLdapAuthenticationProvider like Ranger for OpenLdap type (nixonrodrigues via kevalbhatt)
 ATLAS-1605 Edit Entity in UI : Update button is not enabled when updating attribute of type date (Kalyanikashikar via kevalbhatt)
 ATLAS-1595:Create Entity in UI : All attributes are not listed for hdfs_path. (Kalyanikashikar via kevalbhatt)
 ATLAS-1618: updated export to support scope option - full/connected

--- a/webapp/src/main/java/org/apache/atlas/web/security/AtlasAbstractAuthenticationProvider.java
+++ b/webapp/src/main/java/org/apache/atlas/web/security/AtlasAbstractAuthenticationProvider.java
@@ -97,9 +97,20 @@ public abstract class AtlasAbstractAuthenticationProvider implements
    public static List<GrantedAuthority> getAuthoritiesFromUGI(String userName) {
        List<GrantedAuthority> grantedAuths = new ArrayList<GrantedAuthority>();
-        Configuration config = new Configuration();
+        UserGroupInformation ugi = UserGroupInformation.createRemoteUser(userName);
+        if (ugi != null) {
+            String[] userGroups = ugi.getGroupNames();
+            if (userGroups != null) {
+                for (String group : userGroups) {
+                    grantedAuths.add(new SimpleGrantedAuthority(group));
+                }
+            }
+        }
+        // if group empty take groups from UGI LDAP-based group mapping
+        if (grantedAuths != null && grantedAuths.isEmpty()) {
            try {
+                Configuration config = new Configuration();
                Groups gp = new Groups(config);
                List<String> userGroups = gp.getGroups(userName);
                if (userGroups != null) {
@@ -110,6 +121,7 @@ public abstract class AtlasAbstractAuthenticationProvider implements
            } catch (java.io.IOException e) {
                LOG.error("Exception while fetching groups ", e);
            }
+        }
        return grantedAuths;
    }

--- a/webapp/src/main/java/org/apache/atlas/web/security/AtlasLdapAuthenticationProvider.java
+++ b/webapp/src/main/java/org/apache/atlas/web/security/AtlasLdapAuthenticationProvider.java
@@ -18,9 +18,11 @@
 package org.apache.atlas.web.security;
+import java.util.ArrayList;
 import java.util.List;
 import java.util.Properties;
 import javax.annotation.PostConstruct;
 import org.apache.atlas.ApplicationProperties;
 import org.apache.atlas.web.model.User;
 import org.apache.commons.configuration.Configuration;
@@ -39,11 +41,13 @@ import org.springframework.security.ldap.authentication.LdapAuthenticationProvid
 import org.springframework.security.ldap.search.FilterBasedLdapUserSearch;
 import org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator;
 import org.springframework.stereotype.Component;
+import org.apache.commons.lang.StringUtils;
 @Component
 public class AtlasLdapAuthenticationProvider extends
        AtlasAbstractAuthenticationProvider {
    private static Logger LOG = LoggerFactory.getLogger(AtlasLdapAuthenticationProvider.class);
+    private boolean isDebugEnabled = LOG.isDebugEnabled();
    private String ldapURL;
    private String ldapUserDNPattern;
@@ -67,15 +71,27 @@ public class AtlasLdapAuthenticationProvider extends
    public Authentication authenticate(Authentication authentication)
            throws AuthenticationException {
        try {
-            return getLdapBindAuthentication(authentication);
+            authentication = getLdapBindAuthentication(authentication);
+            if (authentication != null && authentication.isAuthenticated()) {
+                return authentication;
+            } else {
+                authentication = getLdapAuthentication(authentication);
+                if (authentication != null && authentication.isAuthenticated()) {
+                    return authentication;
+                }
+            }
        } catch (Exception e) {
            throw new AtlasAuthenticationException(e.getMessage(), e.getCause());
        }
+        return authentication;
    }
    private Authentication getLdapBindAuthentication(
            Authentication authentication) throws Exception {
        try {
+            if (isDebugEnabled) {
+                LOG.debug("==> AtlasLdapAuthenticationProvider getLdapBindAuthentication");
+            }
            String userName = authentication.getName();
            String userPassword = "";
            if (authentication.getCredentials() != null) {
@@ -115,15 +131,95 @@ public class AtlasLdapAuthenticationProvider extends
                }
                return authentication;
            } else {
-                throw new AtlasAuthenticationException(
+                LOG.error("LDAP Authentication::userName or userPassword is null or empty for userName "
-                        "LDAP Authentication::userName or userPassword is null or empty for userName "
                        + userName);
            }
        } catch (Exception e) {
-            LOG.error("LDAP Authentication Failed:", e);
+            LOG.error(" getLdapBindAuthentication LDAP Authentication Failed:", e);
-            throw new AtlasAuthenticationException(
-                    "LDAP Authentication Failed", e);
        }
+        if (isDebugEnabled) {
+            LOG.debug("<== AtlasLdapAuthenticationProvider getLdapBindAuthentication");
+        }
+        return authentication;
+    }
+    private Authentication getLdapAuthentication(Authentication authentication) {
+        if (isDebugEnabled) {
+            LOG.debug("==> AtlasLdapAuthenticationProvider getLdapAuthentication");
+        }
+        try {
+            // taking the user-name and password from the authentication
+            // object.
+            String userName = authentication.getName();
+            String userPassword = "";
+            if (authentication.getCredentials() != null) {
+                userPassword = authentication.getCredentials().toString();
+            }
+            // populating LDAP context source with LDAP URL and user-DN-pattern
+            LdapContextSource ldapContextSource = new DefaultSpringSecurityContextSource(
+                    ldapURL);
+            ldapContextSource.setCacheEnvironmentProperties(false);
+            ldapContextSource.setAnonymousReadOnly(true);
+            // Creating BindAuthenticator using Ldap Context Source.
+            BindAuthenticator bindAuthenticator = new BindAuthenticator(
+                    ldapContextSource);
+            //String[] userDnPatterns = new String[] { rangerLdapUserDNPattern };
+            String[] userDnPatterns = ldapUserDNPattern.split(";");
+            bindAuthenticator.setUserDnPatterns(userDnPatterns);
+            LdapAuthenticationProvider ldapAuthenticationProvider = null;
+            if (!StringUtils.isEmpty(ldapGroupSearchBase) && !StringUtils.isEmpty(ldapGroupSearchFilter)) {
+                // Creating LDAP authorities populator using Ldap context source and
+                // Ldap group search base.
+                // populating LDAP authorities populator with group search
+                // base,group role attribute, group search filter.
+                DefaultLdapAuthoritiesPopulator defaultLdapAuthoritiesPopulator = new DefaultLdapAuthoritiesPopulator(
+                        ldapContextSource, ldapGroupSearchBase);
+                defaultLdapAuthoritiesPopulator.setGroupRoleAttribute(ldapGroupRoleAttribute);
+                defaultLdapAuthoritiesPopulator.setGroupSearchFilter(ldapGroupSearchFilter);
+                defaultLdapAuthoritiesPopulator.setIgnorePartialResultException(true);
+                // Creating Ldap authentication provider using BindAuthenticator and Ldap authentication populator
+                ldapAuthenticationProvider = new LdapAuthenticationProvider(
+                        bindAuthenticator, defaultLdapAuthoritiesPopulator);
+            } else {
+                ldapAuthenticationProvider = new LdapAuthenticationProvider(bindAuthenticator);
+            }
+            // getting user authenticated
+            if (userName != null && userPassword != null
+                    && !userName.trim().isEmpty()
+                    && !userPassword.trim().isEmpty()) {
+                final List<GrantedAuthority> grantedAuths = getAuthorities(userName);
+                final UserDetails principal = new User(userName, userPassword,
+                        grantedAuths);
+                final Authentication finalAuthentication = new UsernamePasswordAuthenticationToken(
+                        principal, userPassword, grantedAuths);
+                authentication = ldapAuthenticationProvider
+                        .authenticate(finalAuthentication);
+                if (groupsFromUGI) {
+                    authentication = getAuthenticationWithGrantedAuthorityFromUGI(authentication);
+                }
+                return authentication;
+            } else {
+                return authentication;
+            }
+        } catch (Exception e) {
+            LOG.error("getLdapAuthentication LDAP Authentication Failed:", e);
+        }
+        if (isDebugEnabled) {
+            LOG.debug("<== AtlasLdapAuthenticationProvider getLdapAuthentication");
+        }
+        return authentication;
    }
    private void setLdapProperties() {