From bcc89f3c459d6f02b24eae245f88f27bdbd9a65e Mon Sep 17 00:00:00 2001 From: nixonrodrigues <nixon.rodrigues@freestoneinfotech.com> Date: Thu, 30 Mar 2017 20:10:14 +0530 Subject: [PATCH] ATLAS-1680- Support for browser login using kerberos keytab --- webapp/src/main/java/org/apache/atlas/web/filters/AtlasAuthenticationFilter.java | 39 ++++++++++++++++++++------------------- 1 file changed, 20 insertions(+), 19 deletions(-) diff --git a/webapp/src/main/java/org/apache/atlas/web/filters/AtlasAuthenticationFilter.java b/webapp/src/main/java/org/apache/atlas/web/filters/AtlasAuthenticationFilter.java index 9ead75f..a643d62 100644 --- a/webapp/src/main/java/org/apache/atlas/web/filters/AtlasAuthenticationFilter.java +++ b/webapp/src/main/java/org/apache/atlas/web/filters/AtlasAuthenticationFilter.java @@ -86,6 +86,7 @@ public class AtlasAuthenticationFilter extends AuthenticationFilter { public final boolean isKerberos = AuthenticationUtil.isKerberosAuthenticationEnabled(); private boolean isInitializedByTomcat; private Set<Pattern> browserUserAgents; + private boolean supportKeyTabBrowserLogin = false; public AtlasAuthenticationFilter() { try { @@ -191,16 +192,16 @@ public class AtlasAuthenticationFilter extends AuthenticationFilter { authMethod = "kerberos"; } - if(configuration.getString("atlas.authentication.method.kerberos.name.rules")!=null) { + if (configuration.getString("atlas.authentication.method.kerberos.name.rules") != null) { config.put("kerberos.name.rules", configuration.getString("atlas.authentication.method.kerberos.name.rules")); } - if(configuration.getString("atlas.authentication.method.kerberos.keytab")!=null) { + if (configuration.getString("atlas.authentication.method.kerberos.keytab") != null) { config.put("kerberos.keytab", configuration.getString("atlas.authentication.method.kerberos.keytab")); } - if(configuration.getString("atlas.authentication.method.kerberos.principal")!=null) { + if (configuration.getString("atlas.authentication.method.kerberos.principal") != null) { config.put("kerberos.principal", configuration.getString("atlas.authentication.method.kerberos.principal")); } - config.put(AuthenticationFilter.AUTH_TYPE, authMethod ); + config.put(AuthenticationFilter.AUTH_TYPE, authMethod); config.put(AuthenticationFilter.COOKIE_PATH, "/"); // add any config passed in as init parameters @@ -232,6 +233,7 @@ public class AtlasAuthenticationFilter extends AuthenticationFilter { LOG.debug(" AuthenticationFilterConfig: {}", config); + supportKeyTabBrowserLogin = configuration.getBoolean("atlas.authentication.method.kerberos.support.keytab.browser.login", false); String agents = configuration.getString(AtlasCSRFPreventionFilter.BROWSER_USER_AGENT_PARAM, AtlasCSRFPreventionFilter.BROWSER_USER_AGENTS_DEFAULT); if (agents == null) { @@ -290,7 +292,7 @@ public class AtlasAuthenticationFilter extends AuthenticationFilter { String requestUser = httpRequest.getRemoteUser(); NDC.push(requestUser + ":" + httpRequest.getMethod() + httpRequest.getRequestURI()); RequestContext requestContext = RequestContext.get(); - if(requestContext!=null) { + if (requestContext != null) { requestContext.setUser(requestUser); } LOG.info("Request from authenticated user: {}, URL={}", requestUser, @@ -340,14 +342,14 @@ public class AtlasAuthenticationFilter extends AuthenticationFilter { * If the request has a valid authentication token it allows the request to continue to the target resource, * otherwise it triggers an authentication sequence using the configured {@link org.apache.hadoop.security.authentication.server.AuthenticationHandler}. * - * @param request the request object. - * @param response the response object. + * @param request the request object. + * @param response the response object. * @param filterChain the filter chain object. * - * @throws IOException thrown if an IO error occurred. + * @throws IOException thrown if an IO error occurred. * @throws ServletException thrown if a processing error occurred. */ - public void doKerberosAuth(ServletRequest request, ServletResponse response, FilterChain filterChainWrapper ,FilterChain filterChain ) + public void doKerberosAuth(ServletRequest request, ServletResponse response, FilterChain filterChainWrapper, FilterChain filterChain) throws IOException, ServletException { boolean unauthorizedResponse = true; int errCode = HttpServletResponse.SC_UNAUTHORIZED; @@ -355,14 +357,13 @@ public class AtlasAuthenticationFilter extends AuthenticationFilter { HttpServletRequest httpRequest = (HttpServletRequest) request; HttpServletResponse httpResponse = (HttpServletResponse) response; boolean isHttps = "https".equals(httpRequest.getScheme()); - AuthenticationHandler authHandler = getAuthenticationHandler(); + AuthenticationHandler authHandler = getAuthenticationHandler(); try { boolean newToken = false; AuthenticationToken token; try { token = getToken(httpRequest); - } - catch (AuthenticationException ex) { + } catch (AuthenticationException ex) { LOG.warn("AuthenticationToken ignored: {}", ex.getMessage()); // will be sent back in a 401 unless filter authenticates authenticationEx = ex; @@ -432,7 +433,7 @@ public class AtlasAuthenticationFilter extends AuthenticationFilter { errCode = HttpServletResponse.SC_FORBIDDEN; } if (authenticationEx == null) { // added this code for atlas error handling and fallback - if (isBrowser(httpRequest.getHeader("User-Agent"))) { + if (!supportKeyTabBrowserLogin && isBrowser(httpRequest.getHeader("User-Agent"))) { filterChain.doFilter(request, response); } else { boolean chk = true; @@ -509,27 +510,27 @@ public class AtlasAuthenticationFilter extends AuthenticationFilter { public static void createAuthCookie(HttpServletResponse resp, String token, String domain, String path, long expires, boolean isSecure) { StringBuilder sb = (new StringBuilder(AuthenticatedURL.AUTH_COOKIE)).append("="); - if(token != null && token.length() > 0) { + if (token != null && token.length() > 0) { sb.append("\"").append(token).append("\""); } sb.append("; Version=1"); - if(path != null) { + if (path != null) { sb.append("; Path=").append(path); } - if(domain != null) { + if (domain != null) { sb.append("; Domain=").append(domain); } - if(expires >= 0L) { + if (expires >= 0L) { Date date = new Date(expires); SimpleDateFormat df = new SimpleDateFormat("EEE, dd-MMM-yyyy HH:mm:ss zzz"); df.setTimeZone(TimeZone.getTimeZone("GMT")); sb.append("; Expires=").append(df.format(date)); } - if(isSecure) { + if (isSecure) { sb.append("; Secure"); } @@ -558,7 +559,7 @@ public class AtlasAuthenticationFilter extends AuthenticationFilter { if (tokenStr != null) { token = AuthenticationToken.parse(tokenStr); - if(token != null) { + if (token != null) { AuthenticationHandler authHandler = getAuthenticationHandler(); if (!token.getType().equals(authHandler.getType())) { throw new AuthenticationException("Invalid AuthenticationToken type"); -- libgit2 0.27.1