Repository: atlas Updated Branches: refs/heads/branch-0.8 a88df54f0 -> 59fe7d56e
ATLAS-2166 - Block Knox proxy service user for kerberos authentication Change-Id: Ib7549067bad928ae90d5f39b920c162d9c776780 Signed-off-by: Madhan Neethiraj <[email protected]> (cherry picked from commit 27918145448a3b6bb7b2c7af0add7a875d684d11) Project: http://git-wip-us.apache.org/repos/asf/atlas/repo Commit: http://git-wip-us.apache.org/repos/asf/atlas/commit/59fe7d56 Tree: http://git-wip-us.apache.org/repos/asf/atlas/tree/59fe7d56 Diff: http://git-wip-us.apache.org/repos/asf/atlas/diff/59fe7d56 Branch: refs/heads/branch-0.8 Commit: 59fe7d56e695748301ed5f6abff980a95c9f6727 Parents: a88df54 Author: nixonrodrigues <[email protected]> Authored: Fri Oct 13 16:51:46 2017 +0530 Committer: Madhan Neethiraj <[email protected]> Committed: Fri Oct 13 09:00:37 2017 -0700 ---------------------------------------------------------------------- .../web/filters/AtlasAuthenticationFilter.java | 47 +++++++++++++++----- 1 file changed, 36 insertions(+), 11 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/atlas/blob/59fe7d56/webapp/src/main/java/org/apache/atlas/web/filters/AtlasAuthenticationFilter.java ----------------------------------------------------------------------
diff --git a/webapp/src/main/java/org/apache/atlas/web/filters/AtlasAuthenticationFilter.java b/webapp/src/main/java/org/apache/atlas/web/filters/AtlasAuthenticationFilter.java
index 444b094..e8020db 100644
--- a/webapp/src/main/java/org/apache/atlas/web/filters/AtlasAuthenticationFilter.java
+++ b/webapp/src/main/java/org/apache/atlas/web/filters/AtlasAuthenticationFilter.java
@@ -29,7 +29,6 @@ import org.apache.commons.configuration.Configuration;
 import org.apache.commons.configuration.ConfigurationConverter;
 import org.apache.commons.lang.StringUtils;
 import org.apache.hadoop.security.SecurityUtil;
-import org.apache.hadoop.security.UserGroupInformation;
 import org.apache.hadoop.security.authentication.client.AuthenticatedURL;
 import org.apache.hadoop.security.authentication.client.AuthenticationException;
 import org.apache.hadoop.security.authentication.client.KerberosAuthenticator;
@@ -47,7 +46,6 @@ import org.springframework.security.authentication.AbstractAuthenticationToken;
 import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.GrantedAuthority;
-import org.springframework.security.core.authority.SimpleGrantedAuthority;
 import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.security.core.userdetails.User;
 import org.springframework.security.core.userdetails.UserDetails;
@@ -84,16 +82,23 @@ import java.util.regex.Pattern;
 @Component
 public class AtlasAuthenticationFilter extends AuthenticationFilter {
     private static final Logger LOG = LoggerFactory.getLogger(AtlasAuthenticationFilter.class);
-    static final String PREFIX = "atlas.authentication.method";
-    protected static ServletContext nullContext = new NullServletContext();
-    private Signer signer;
+
+    private static final String CONFIG_PROXY_USERS = "atlas.proxyusers";
+    private static final String PREFIX = "atlas.authentication.method";
+    private static final String[] DEFAULT_PROXY_USERS = new String[] { "knox" };
+    protected static final ServletContext nullContext = new NullServletContext();
+
+    private Signer signer;
     private SignerSecretProvider secretProvider;
-    public final boolean isKerberos = AuthenticationUtil.isKerberosAuthenticationEnabled();
-    private boolean isInitializedByTomcat;
-    private Set<Pattern> browserUserAgents;
-    private boolean supportKeyTabBrowserLogin = false;
-    private Configuration configuration;
-    private Properties headerProperties;
+    private final boolean isKerberos = AuthenticationUtil.isKerberosAuthenticationEnabled();
+    private boolean isInitializedByTomcat;
+    private Set<Pattern> browserUserAgents;
+    private boolean supportKeyTabBrowserLogin = false;
+    private Configuration configuration;
+    private Properties headerProperties;
+    private Set<String> atlasProxyUsers = new HashSet<>();
+
+
     public AtlasAuthenticationFilter() {
         try {
             LOG.info("AtlasAuthenticationFilter initialization started");
@@ -252,6 +257,14 @@ public class AtlasAuthenticationFilter extends AuthenticationFilter {
             agents = AtlasCSRFPreventionFilter.BROWSER_USER_AGENTS_DEFAULT;
         }
 
+        String[] proxyUsers = configuration.getStringArray(CONFIG_PROXY_USERS);
+
+        if (proxyUsers == null || proxyUsers.length == 0) {
+            proxyUsers = DEFAULT_PROXY_USERS;
+        }
+
+        atlasProxyUsers = new HashSet<>(Arrays.asList(proxyUsers));
+
         parseBrowserUserAgents(agents);
 
         return config;
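Review bot: Falling back to `DEFAULT_PROXY_USERS` whenever `atlas.proxyusers` is unset or empty means an operator has no way to configure an empty list and switch the proxy-user block off, and the entries are stored as-is, so a value like `knox, hive` only matches the later exact `Set.contains` check if commons-configuration happens to trim list items, which this hunk does not show. Normalizing while collecting avoids depending on that: `atlasProxyUsers = new HashSet<>(); for (String u : proxyUsers) { if (StringUtils.isNotBlank(u)) { atlasProxyUsers.add(u.trim()); } }`. The constants added in the first hunk of this file would also benefit from a line explaining the policy, e.g. `// users listed under atlas.proxyusers (default: the Knox service user) are refused Kerberos login and must be authenticated by a later filter`. The method that reads the configuration starts and ends outside this hunk.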
@@ -417,6 +430,18 @@ public class AtlasAuthenticationFilter extends AuthenticationFilter {
                 return (authToken != AuthenticationToken.ANONYMOUS) ? authToken : null;
             }
         };
+
+        if(StringUtils.isNotBlank(httpRequest.getRemoteUser()) && atlasProxyUsers.contains(httpRequest.getRemoteUser())){
+            LOG.info("Ignoring kerberos login from proxy user "+ httpRequest.getRemoteUser());
+
+            httpResponse.setHeader(KerberosAuthenticator.WWW_AUTHENTICATE, "");
+            httpResponse.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
+            filterChain.doFilter(request, response);
+
+            return;
+        }
+
+
         if (newToken && !token.isExpired() && token != AuthenticationToken.ANONYMOUS) {
             String signedToken = signer.sign(token.toString());
             createAuthCookie(httpResponse, signedToken, getCookieDomain(),
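Review bot: The new proxy-user branch sets `SC_UNAUTHORIZED` and a blank `WWW-Authenticate` header and then still calls `filterChain.doFilter(request, response)` before returning, so downstream filters and the target servlet run on a request this filter has just marked unauthenticated and may overwrite that status or serve the resource. If the intent is that a later filter authenticates the proxied end user (the commit title points at Knox), that should be stated next to the branch, e.g. `// A configured proxy service user is never accepted as the end user via Kerberos; signal 401 here and let later filters authenticate the proxied request`. The match is an exact `Set.contains` on `httpRequest.getRemoteUser()`, so whether the default `knox` matches depends on whether the wrapped request exposes a short name or a full principal at this point, which is not visible here and is worth confirming against the handler's request wrapper; reading `getRemoteUser()` once into a local would also avoid the three repeated calls. Style: `if(` and `){` and the concatenated log message could follow the usual form, `LOG.info("Ignoring kerberos login from proxy user {}", remoteUser);`. The enclosing method starts and ends outside this hunk.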
