ATLAS-3667 : Option to store Ldap/AD bind password in jceks keystore file

Signed-off-by: nixonrodrigues <nixon@apache.org>

ATLAS-3667 : Option to store Ldap/AD bind password in jceks keystore file
f30fd67f · chaitali borole · nixonrodrigues · 27dc446d · f30fd67f · f30fd67f
Commit f30fd67f authored Mar 20, 2020 by chaitali borole Committed by nixonrodrigues Mar 24, 2020
Showing with 54 additions and 4 deletions

ApplicationProperties.java ...src/main/java/org/apache/atlas/ApplicationProperties.java +29 -0

CredentialProviderUtility.java ...java/org/apache/atlas/util/CredentialProviderUtility.java +25 -4

No files found.
--- a/intg/src/main/java/org/apache/atlas/ApplicationProperties.java
+++ b/intg/src/main/java/org/apache/atlas/ApplicationProperties.java
@@ -18,6 +18,7 @@
 package org.apache.atlas;

 import org.apache.atlas.security.InMemoryJAASConfiguration;
+import org.apache.atlas.security.SecurityUtil;
 import org.apache.commons.configuration.Configuration;
 import org.apache.commons.configuration.ConfigurationConverter;
 import org.apache.commons.configuration.ConfigurationException;
@@ -56,6 +57,10 @@ public final class ApplicationProperties extends PropertiesConfiguration {
    public static final String  STORAGE_BACKEND_HBASE           = "hbase";
    public static final String  STORAGE_BACKEND_HBASE2          = "hbase2";
    public static final String  INDEX_BACKEND_SOLR              = "solr";
+    public static final String  LDAP_TYPE                       =  "atlas.authentication.method.ldap.type";
+    public static final String  LDAP_AD_BIND_PASSWORD           =  "atlas.authentication.method.ldap.ad.bind.password";
+    public static final String  LDAP_BIND_PASSWORD              =  "atlas.authentication.method.ldap.bind.password";
+    public static final String  MASK_LDAP_PASSWORD              =  "*****";
    public static final String  DEFAULT_GRAPHDB_BACKEND         = GRAPHBD_BACKEND_JANUS;
    public static final boolean DEFAULT_SOLR_WAIT_SEARCHER      = true;
    public static final boolean DEFAULT_INDEX_MAP_NAME          = false;
@@ -135,6 +140,8 @@ public final class ApplicationProperties extends PropertiesConfiguration {

            appProperties.setDefaults();

+            setLdapPasswordFromKeystore(appProperties);
+
            Configuration configuration = appProperties.interpolatedConfiguration();

            logConfiguration(configuration);
@@ -269,6 +276,28 @@ public final class ApplicationProperties extends PropertiesConfiguration {
        return inStr;
    }

+    private static void setLdapPasswordFromKeystore(Configuration configuration) {
+        try {
+            if (configuration.getString(LDAP_TYPE).equalsIgnoreCase("ldap")) {
+                String maskPasssword = configuration.getString(LDAP_BIND_PASSWORD);
+                if (MASK_LDAP_PASSWORD.equals(maskPasssword)) {
+                    String password = SecurityUtil.getPassword(configuration, LDAP_BIND_PASSWORD);
+                    configuration.clearProperty(LDAP_BIND_PASSWORD);
+                    configuration.addProperty(LDAP_BIND_PASSWORD, password);
+                }
+            } else if (configuration.getString(LDAP_TYPE).equalsIgnoreCase("ad")) {
+                String maskPasssword = configuration.getString(LDAP_AD_BIND_PASSWORD);
+                if (MASK_LDAP_PASSWORD.equals(maskPasssword)) {
+                    String password = SecurityUtil.getPassword(configuration, LDAP_AD_BIND_PASSWORD);
+                    configuration.clearProperty(LDAP_AD_BIND_PASSWORD);
+                    configuration.addProperty(LDAP_AD_BIND_PASSWORD, password);
+                }
+            }
+        } catch (Exception e) {
+            LOG.error("Error in getting secure password ", e);
+        }
+    }
+
    private void setDefaults() {
        AtlasRunMode runMode = AtlasRunMode.valueOf(getString(ATLAS_RUN_MODE, DEFAULT_ATLAS_RUN_MODE.name()));


--- a/webapp/src/main/java/org/apache/atlas/util/CredentialProviderUtility.java
+++ b/webapp/src/main/java/org/apache/atlas/util/CredentialProviderUtility.java
@@ -28,7 +28,6 @@ import org.apache.hadoop.security.alias.CredentialProviderFactory;
 import java.io.Console;
 import java.io.IOException;
 import java.util.Arrays;
-
 import static org.apache.atlas.security.SecurityProperties.KEYSTORE_PASSWORD_KEY;
 import static org.apache.atlas.security.SecurityProperties.SERVER_CERT_PASSWORD_KEY;
 import static org.apache.atlas.security.SecurityProperties.TRUSTSTORE_PASSWORD_KEY;
@@ -40,7 +39,6 @@ import static org.apache.atlas.security.SecurityProperties.TRUSTSTORE_PASSWORD_K
 */
 public class CredentialProviderUtility {
    private static final String[] KEYS = new String[] { KEYSTORE_PASSWORD_KEY, TRUSTSTORE_PASSWORD_KEY, SERVER_CERT_PASSWORD_KEY };
-
    public static abstract class TextDevice {
        public abstract void printf(String fmt, Object... params);

@@ -75,11 +73,17 @@ public class CredentialProviderUtility {
        try {
            CommandLine cmd                    = new DefaultParser().parse(createOptions(), args);
            boolean     generatePasswordOption = cmd.hasOption("g");
+            String      key                    = cmd.getOptionValue("k");
+            char[]      cred                   = null;
+            String      providerPath           = cmd.getOptionValue("f");
+
+            if (cmd.hasOption("p")) {
+                cred = cmd.getOptionValue("p").toCharArray();
+            }

            if (generatePasswordOption) {
                String userName = cmd.getOptionValue("u");
                String password = cmd.getOptionValue("p");
-
                if (userName != null && password != null) {
                    String  encryptedPassword = UserDao.encrypt(password);
                    boolean silentOption      = cmd.hasOption("s");
@@ -95,6 +99,20 @@ public class CredentialProviderUtility {

                return;
            }
+
+            if (key != null && cred != null && providerPath != null) {
+                if (!StringUtils.isEmpty(String.valueOf(cred))) {
+                    Configuration conf = new Configuration(false);
+                    conf.set(CredentialProviderFactory.CREDENTIAL_PROVIDER_PATH, providerPath);
+                    CredentialProvider provider = CredentialProviderFactory.getProviders(conf).get(0);
+                    provider.createCredentialEntry(key, cred);
+                    provider.flush();
+                    System.out.println("Password is stored in Credential Provider");
+                } else {
+                    System.out.println("Please enter a valid password");
+                }
+                return;
+            }
        } catch (Exception e) {
            System.out.println("Exception while generatePassword  " + e.getMessage());
            return;
@@ -134,6 +152,8 @@ public class CredentialProviderUtility {
    private static Options createOptions() {
        Options options = new Options();

+        options.addOption("k", "ldapkey", true, "key");
+        options.addOption("f", "ldapPath", true, "path");
        options.addOption("g", "generatePassword", false, "Generate Password");
        options.addOption("s", "silent", false, "Silent");
        options.addOption("u", "username", true, "UserName");
@@ -203,4 +223,4 @@ public class CredentialProviderUtility {

        return null;
    }
-}
+}
\ No newline at end of file