Skip to content

A
atlas
Commit bcc89f3c by nixonrodrigues Committed by nixonrodrigues
Options

ATLAS-1680- Support for browser login using kerberos keytab

parent e92593e9
Showing with 16 additions and 15 deletions
webapp/src/main/java/org/apache/atlas/web/filters/AtlasAuthenticationFilter.java
......@@ -86,6 +86,7 @@ public class AtlasAuthenticationFilter extends AuthenticationFilter {
public final boolean isKerberos = AuthenticationUtil.isKerberosAuthenticationEnabled();
private boolean isInitializedByTomcat;
private Set<Pattern> browserUserAgents;
private boolean supportKeyTabBrowserLogin = false;
public AtlasAuthenticationFilter() {
try {
......@@ -191,16 +192,16 @@ public class AtlasAuthenticationFilter extends AuthenticationFilter {
authMethod = "kerberos";
}
if(configuration.getString("atlas.authentication.method.kerberos.name.rules")!=null) {
if (configuration.getString("atlas.authentication.method.kerberos.name.rules") != null) {
config.put("kerberos.name.rules", configuration.getString("atlas.authentication.method.kerberos.name.rules"));
}
if(configuration.getString("atlas.authentication.method.kerberos.keytab")!=null) {
if (configuration.getString("atlas.authentication.method.kerberos.keytab") != null) {
config.put("kerberos.keytab", configuration.getString("atlas.authentication.method.kerberos.keytab"));
}
if(configuration.getString("atlas.authentication.method.kerberos.principal")!=null) {
if (configuration.getString("atlas.authentication.method.kerberos.principal") != null) {
config.put("kerberos.principal", configuration.getString("atlas.authentication.method.kerberos.principal"));
}
config.put(AuthenticationFilter.AUTH_TYPE, authMethod );
config.put(AuthenticationFilter.AUTH_TYPE, authMethod);
config.put(AuthenticationFilter.COOKIE_PATH, "/");
// add any config passed in as init parameters
......@@ -232,6 +233,7 @@ public class AtlasAuthenticationFilter extends AuthenticationFilter {
LOG.debug(" AuthenticationFilterConfig: {}", config);
supportKeyTabBrowserLogin = configuration.getBoolean("atlas.authentication.method.kerberos.support.keytab.browser.login", false);
String agents = configuration.getString(AtlasCSRFPreventionFilter.BROWSER_USER_AGENT_PARAM, AtlasCSRFPreventionFilter.BROWSER_USER_AGENTS_DEFAULT);
if (agents == null) {
......@@ -290,7 +292,7 @@ public class AtlasAuthenticationFilter extends AuthenticationFilter {
String requestUser = httpRequest.getRemoteUser();
NDC.push(requestUser + ":" + httpRequest.getMethod() + httpRequest.getRequestURI());
RequestContext requestContext = RequestContext.get();
if(requestContext!=null) {
if (requestContext != null) {
requestContext.setUser(requestUser);
}
LOG.info("Request from authenticated user: {}, URL={}", requestUser,
......@@ -347,7 +349,7 @@ public class AtlasAuthenticationFilter extends AuthenticationFilter {
* @throws IOException thrown if an IO error occurred.
* @throws ServletException thrown if a processing error occurred.
*/
public void doKerberosAuth(ServletRequest request, ServletResponse response, FilterChain filterChainWrapper ,FilterChain filterChain )
public void doKerberosAuth(ServletRequest request, ServletResponse response, FilterChain filterChainWrapper, FilterChain filterChain)
throws IOException, ServletException {
boolean unauthorizedResponse = true;
int errCode = HttpServletResponse.SC_UNAUTHORIZED;
......@@ -361,8 +363,7 @@ public class AtlasAuthenticationFilter extends AuthenticationFilter {
AuthenticationToken token;
try {
token = getToken(httpRequest);
}
catch (AuthenticationException ex) {
} catch (AuthenticationException ex) {
LOG.warn("AuthenticationToken ignored: {}", ex.getMessage());
// will be sent back in a 401 unless filter authenticates
authenticationEx = ex;
......@@ -432,7 +433,7 @@ public class AtlasAuthenticationFilter extends AuthenticationFilter {
errCode = HttpServletResponse.SC_FORBIDDEN;
}
if (authenticationEx == null) { // added this code for atlas error handling and fallback
if (isBrowser(httpRequest.getHeader("User-Agent"))) {
if (!supportKeyTabBrowserLogin && isBrowser(httpRequest.getHeader("User-Agent"))) {
filterChain.doFilter(request, response);
} else {
boolean chk = true;
......@@ -509,27 +510,27 @@ public class AtlasAuthenticationFilter extends AuthenticationFilter {
public static void createAuthCookie(HttpServletResponse resp, String token, String domain, String path, long expires, boolean isSecure) {
StringBuilder sb = (new StringBuilder(AuthenticatedURL.AUTH_COOKIE)).append("=");
if(token != null && token.length() > 0) {
if (token != null && token.length() > 0) {
sb.append("\"").append(token).append("\"");
}
sb.append("; Version=1");
if(path != null) {
if (path != null) {
sb.append("; Path=").append(path);
}
if(domain != null) {
if (domain != null) {
sb.append("; Domain=").append(domain);
}
if(expires >= 0L) {
if (expires >= 0L) {
Date date = new Date(expires);
SimpleDateFormat df = new SimpleDateFormat("EEE, dd-MMM-yyyy HH:mm:ss zzz");
df.setTimeZone(TimeZone.getTimeZone("GMT"));
sb.append("; Expires=").append(df.format(date));
}
if(isSecure) {
if (isSecure) {
sb.append("; Secure");
}
......@@ -558,7 +559,7 @@ public class AtlasAuthenticationFilter extends AuthenticationFilter {
if (tokenStr != null) {
token = AuthenticationToken.parse(tokenStr);
if(token != null) {
if (token != null) {
AuthenticationHandler authHandler = getAuthenticationHandler();
if (!token.getType().equals(authHandler.getType())) {
throw new AuthenticationException("Invalid AuthenticationToken type");
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment