ATLAS-968 Set group information from UGI for Ldap authentication (nixonrodrigues via shwethags)

distro/src/conf/atlas-application.properties

@@ -101,6 +101,8 @@ atlas.authentication.method.ldap.type=LDAP
 #### user credentials file
 atlas.authentication.method.file.filename=${sys:atlas.home}/conf/users-credentials.properties
 
+### groups from UGI
+#atlas.authentication.method.ldap.ugi-groups=true
 
 ######## LDAP properties #########
 #atlas.authentication.method.ldap.url=ldap://<ldap server url>:389

release-log.txt

@@ -6,6 +6,7 @@ INCOMPATIBLE CHANGES:
 
 
 ALL CHANGES:
+ATLAS-968 Set group information from UGI for Ldap authentication (nixonrodrigues via shwethags)
 ATLAS-584 Integrate CSRF prevention filter (kevalbhatt18 via shwethags)
 ATLAS-963 UI: Entity details is not display String array attribute values correctly (kevalbhatt18 via shwethags)
 ATLAS-988 HiveHookIT.testInsertIntoTable is broken (svimal2106 via shwethags)

webapp/src/main/java/org/apache/atlas/web/security/AtlasADAuthenticationProvider.java

@@ -48,6 +48,7 @@ public class AtlasADAuthenticationProvider extends
     private String adBase;
     private String adReferral;
     private String adDefaultRole;
+    private boolean groupsFromUGI;
 
     @PostConstruct
     public void setup() {
@@ -85,6 +86,9 @@ public class AtlasADAuthenticationProvider extends
                 final Authentication finalAuthentication = new UsernamePasswordAuthenticationToken(
                         principal, userPassword, grantedAuths);
                 authentication = adAuthenticationProvider.authenticate(finalAuthentication);
+                if(groupsFromUGI) {
+                    authentication = getAuthenticationWithGrantedAuthorityFromUGI(authentication);
+                }
                 return authentication;
             } else {
                 throw new AtlasAuthenticationException(
@@ -109,6 +113,7 @@ public class AtlasADAuthenticationProvider extends
             this.adBase = configuration.getString("atlas.authentication.method.ldap.ad.base.dn");
             this.adReferral = configuration.getString("atlas.authentication.method.ldap.ad.referral");
             this.adDefaultRole = configuration.getString("atlas.authentication.method.ldap.ad.default.role");
+            this.groupsFromUGI = configuration.getBoolean("atlas.authentication.method.ldap.ugi-groups", true);
 
         } catch (Exception e) {
             LOG.error("Exception while setADProperties", e);

webapp/src/main/java/org/apache/atlas/web/security/AtlasAbstractAuthenticationProvider.java

@@ -22,6 +22,7 @@ package org.apache.atlas.web.security;
 import java.util.ArrayList;
 import java.util.List;
 
+import org.apache.hadoop.security.UserGroupInformation;
 import org.springframework.security.authentication.AuthenticationProvider;
 import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
 import org.springframework.security.core.Authentication;
@@ -71,4 +72,38 @@ public abstract class AtlasAbstractAuthenticationProvider implements
         return grantedAuths;
     }
 
+
+    public Authentication getAuthenticationWithGrantedAuthorityFromUGI(
+            Authentication authentication) {
+        UsernamePasswordAuthenticationToken result = null;
+        if (authentication != null && authentication.isAuthenticated()) {
+
+            List<GrantedAuthority> grantedAuthsUGI = getAuthoritiesFromUGI(authentication
+                    .getName().toString());
+
+            final UserDetails userDetails = new User(authentication.getName()
+                    .toString(), authentication.getCredentials().toString(),
+                    grantedAuthsUGI);
+            result = new UsernamePasswordAuthenticationToken(userDetails,
+                    authentication.getCredentials(), grantedAuthsUGI);
+            result.setDetails(authentication.getDetails());
+            return result;
+        }
+        return authentication;
+    }
+
+    public List<GrantedAuthority> getAuthoritiesFromUGI(String userName) {
+        List<GrantedAuthority> grantedAuths = new ArrayList<GrantedAuthority>();
+        UserGroupInformation ugi = UserGroupInformation.createRemoteUser(userName);
+        if (ugi != null) {
+            String[] userGroups = ugi.getGroupNames();
+            if (userGroups != null) {
+                for (String group : userGroups) {
+                    grantedAuths.add(new SimpleGrantedAuthority(group));
+                }
+            }
+        }
+        return grantedAuths;
+    }
+
 }

webapp/src/main/java/org/apache/atlas/web/security/AtlasLdapAuthenticationProvider.java

@@ -54,6 +54,7 @@ public class AtlasLdapAuthenticationProvider extends
     private String ldapUserSearchFilter;
     private String ldapReferral;
     private String ldapBase;
+    private boolean groupsFromUGI;
 
     @PostConstruct
     public void setup() {
@@ -107,6 +108,9 @@ public class AtlasLdapAuthenticationProvider extends
                 final Authentication finalAuthentication = new UsernamePasswordAuthenticationToken(
                         principal, userPassword, grantedAuths);
                 authentication = ldapAuthenticationProvider.authenticate(finalAuthentication);
+                if(groupsFromUGI) {
+                    authentication = getAuthenticationWithGrantedAuthorityFromUGI(authentication);
+                }
                 return authentication;
             } else {
                 throw new AtlasAuthenticationException(
@@ -141,6 +145,7 @@ public class AtlasLdapAuthenticationProvider extends
                     "atlas.authentication.method.ldap.user.searchfilter");
             ldapReferral = configuration.getString("atlas.authentication.method.ldap.ad.referral");
             ldapBase = configuration.getString("atlas.authentication.method.ldap.base.dn");
+            groupsFromUGI = configuration.getBoolean("atlas.authentication.method.ldap.ugi-groups", true);
 
         } catch (Exception e) {
             LOG.error("Exception while setLdapProperties", e);