Repository: atlas Updated Branches: refs/heads/master b1907a332 -> 7515915f6
ATLAS-2557: updated groups lookup for logged in user with an option to include groups from Hadoop config Signed-off-by: Madhan Neethiraj <[email protected]> Project: http://git-wip-us.apache.org/repos/asf/atlas/repo Commit: http://git-wip-us.apache.org/repos/asf/atlas/commit/7515915f Tree: http://git-wip-us.apache.org/repos/asf/atlas/tree/7515915f Diff: http://git-wip-us.apache.org/repos/asf/atlas/diff/7515915f Branch: refs/heads/master Commit: 7515915f6b52cdfd0f7e5e32a17f6f6cfae6b37d Parents: b1907a3 Author: nixonrodrigues <[email protected]> Authored: Fri Apr 13 01:24:35 2018 +0530 Committer: Madhan Neethiraj <[email protected]> Committed: Fri Apr 13 09:04:56 2018 -0700 ---------------------------------------------------------------------- .../apache/atlas/utils/AuthenticationUtil.java | 14 ++++++ .../AtlasAbstractAuthenticationProvider.java | 51 ++++++++++++++------ 2 files changed, 51 insertions(+), 14 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/atlas/blob/7515915f/intg/src/main/java/org/apache/atlas/utils/AuthenticationUtil.java ---------------------------------------------------------------------- diff --git a/intg/src/main/java/org/apache/atlas/utils/AuthenticationUtil.java b/intg/src/main/java/org/apache/atlas/utils/AuthenticationUtil.java index 09d8085..af32afc 100644 --- a/intg/src/main/java/org/apache/atlas/utils/AuthenticationUtil.java +++ b/intg/src/main/java/org/apache/atlas/utils/AuthenticationUtil.java 
@@ -47,6 +47,20 @@ public final class AuthenticationUtil { return atlasConf.getBoolean("atlas.authentication.method.kerberos", false); } + public static boolean includeHadoopGroups(){ + boolean includeHadoopGroups = false; + + try { + Configuration configuration = ApplicationProperties.get(); + + includeHadoopGroups = configuration.getBoolean("atlas.authentication.ugi-groups.include-hadoop-groups", includeHadoopGroups); + } catch (AtlasException e) { + LOG.error("AuthenticationUtil::includeHadoopGroups(). Error while loading atlas application properties ", e); + } + + return includeHadoopGroups; + } + public static String[] getBasicAuthenticationInput() { String username = null; String password = null; http://git-wip-us.apache.org/repos/asf/atlas/blob/7515915f/webapp/src/main/java/org/apache/atlas/web/security/AtlasAbstractAuthenticationProvider.java ---------------------------------------------------------------------- diff --git a/webapp/src/main/java/org/apache/atlas/web/security/AtlasAbstractAuthenticationProvider.java b/webapp/src/main/java/org/apache/atlas/web/security/AtlasAbstractAuthenticationProvider.java index f77cb01..d4f9a0f 100644 --- a/webapp/src/main/java/org/apache/atlas/web/security/AtlasAbstractAuthenticationProvider.java +++ b/webapp/src/main/java/org/apache/atlas/web/security/AtlasAbstractAuthenticationProvider.java @@ -19,6 +19,7 @@ package org.apache.atlas.web.security; +import org.apache.commons.collections.CollectionUtils; import org.apache.hadoop.conf.Configuration; import org.apache.hadoop.security.Groups; import org.apache.hadoop.security.UserGroupInformation; 
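Review bot: The new `includeHadoopGroups()` in AuthenticationUtil.java has no Javadoc, although its return value decides which group authorities a logged-in user ends up with (it is consulted by `getAuthoritiesFromUGI` in the second file of this commit). I would add `/** Returns true when groups from the Hadoop group mapping are merged into the user's authorities; false by default and when the application properties cannot be loaded. */`. The catch branch only logs the `AtlasException` and returns false, so a configuration load failure silently shrinks the user's group set, and the doc should say so. The key `atlas.authentication.ugi-groups.include-hadoop-groups` is an inline string literal; a named constant would keep it greppable alongside the other authentication settings.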
@@ -33,7 +34,11 @@ import org.springframework.security.core.userdetails.User; import org.springframework.security.core.userdetails.UserDetails; import java.util.ArrayList; +import java.util.HashSet; import java.util.List; +import java.util.Set; + +import org.apache.atlas.utils.AuthenticationUtil; public abstract class AtlasAbstractAuthenticationProvider implements AuthenticationProvider { private static final Logger LOG = LoggerFactory.getLogger(AtlasAbstractAuthenticationProvider.class); 
@@ -94,33 +99,51 @@ public abstract class AtlasAbstractAuthenticationProvider implements Authenticat } public static List<GrantedAuthority> getAuthoritiesFromUGI(String userName) { - List<GrantedAuthority> grantedAuths = new ArrayList<GrantedAuthority>(); + Set<String> userGroups = new HashSet<>(); + UserGroupInformation ugi = UserGroupInformation.createRemoteUser(userName); - UserGroupInformation ugi = UserGroupInformation.createRemoteUser(userName); if (ugi != null) { - String[] userGroups = ugi.getGroupNames(); - if (userGroups != null) { - for (String group : userGroups) { - grantedAuths.add(new SimpleGrantedAuthority(group)); + String[] groups = ugi.getGroupNames(); + + if(LOG.isDebugEnabled()) { + LOG.debug("UserGroupInformation userGroups=" + groups); + } + + if (groups != null) { + for (String group : groups) { + userGroups.add(group); } } } - // if group empty take groups from UGI LDAP-based group mapping - if (grantedAuths != null && grantedAuths.isEmpty()) { + + // if group empty take groups from Hadoop LDAP-based group mapping + if (CollectionUtils.isEmpty(userGroups) || AuthenticationUtil.includeHadoopGroups()) { try { Configuration config = new Configuration(); - Groups gp = new Groups(config); - List<String> userGroups = gp.getGroups(userName); - if (userGroups != null) { - for (String group : userGroups) { - grantedAuths.add(new SimpleGrantedAuthority(group)); + Groups gp = new Groups(config); + List<String> groups = gp.getGroups(userName); + + if(LOG.isDebugEnabled()) { + LOG.debug("Hadoop userGroups=" + groups); + } + + if (groups != null) { + for (String group : groups) { + userGroups.add(group); } } } catch (java.io.IOException e) { LOG.error("Exception while fetching groups ", e); } } - return grantedAuths; + + List<GrantedAuthority> ret = new ArrayList<>(); + + for (String userGroup : userGroups) { + ret.add(new SimpleGrantedAuthority(userGroup)); + } + + return ret; } }
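Review bot: The first added debug statement in `getAuthoritiesFromUGI` concatenates a `String[]`, so `"UserGroupInformation userGroups=" + groups` logs the array's identity string rather than the group names. That makes the log useless for checking which authorities a user was given. Use `LOG.debug("UserGroupInformation userGroups={}", Arrays.toString(groups));`, which needs a `java.util.Arrays` import that this commit's import hunk does not add. The second debug call logs a `List<String>` and prints correctly. The comment above the widened condition still describes only the empty case; something like `// use Hadoop group mapping when UGI returned no groups, or when include-hadoop-groups is enabled` would match the code. With the flag on, the `new Groups(config)` lookup now runs on every call, and an `IOException` from it is only logged, so the user then gets the UGI groups alone; that fallback deserves a line in the method's documentation.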
