This is an automated email from the ASF dual-hosted git repository.
nixon pushed a commit to branch branch-2.0
in repository https://gitbox.apache.org/repos/asf/atlas.git
The following commit(s) were added to refs/heads/branch-2.0 by this push:
new cc3566b ATLAS-3387-Consider X-FORWARDED-FOR header for getting end
user IP address when connected with proxy.
cc3566b is described below
commit cc3566b0b075305c9818478df63754dfa35748f0
Author: nikhilbonte <[email protected]>
AuthorDate: Tue Aug 27 12:39:46 2019 +0530
ATLAS-3387-Consider X-FORWARDED-FOR header for getting end user IP address
when connected with proxy.
Signed-off-by: nixonrodrigues <[email protected]>
(cherry picked from commit 331fb430e86d27e30f8640f54e9774f6600761c9)
---
.../apache/atlas/authorize/AtlasAccessRequest.java | 35 ++++++++++++++++++++--
.../atlas/authorize/AtlasAdminAccessRequest.java | 3 +-
.../atlas/authorize/AtlasAuthorizationUtils.java | 22 ++++++++++++++
.../atlas/authorize/AtlasEntityAccessRequest.java | 5 ++--
.../authorize/AtlasRelationshipAccessRequest.java | 3 +-
.../authorize/AtlasSearchResultScrubRequest.java | 3 +-
.../atlas/authorize/AtlasTypeAccessRequest.java | 3 +-
.../main/java/org/apache/atlas/RequestContext.java | 26 ++++++++++++----
.../org/apache/atlas/web/filters/AuditFilter.java | 1 +
9 files changed, 87 insertions(+), 14 deletions(-)
diff --git
a/authorization/src/main/java/org/apache/atlas/authorize/AtlasAccessRequest.java
b/authorization/src/main/java/org/apache/atlas/authorize/AtlasAccessRequest.java
index b031f4c..c76a871 100644
---
a/authorization/src/main/java/org/apache/atlas/authorize/AtlasAccessRequest.java
+++
b/authorization/src/main/java/org/apache/atlas/authorize/AtlasAccessRequest.java
@@ -30,6 +30,7 @@ import org.slf4j.LoggerFactory;
import java.util.Collections;
import java.util.Date;
import java.util.HashSet;
+import java.util.List;
import java.util.Map;
import java.util.Set;
@@ -43,6 +44,8 @@ public class AtlasAccessRequest {
private String user = null;
private Set<String> userGroups = null;
private String clientIPAddress = null;
+ private List<String> forwardedAddresses;
+ private String remoteIPAddress;
protected AtlasAccessRequest(AtlasPrivilege action) {
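Review bot: The two fields added at the top of AtlasAccessRequest carry no comment saying how far an authorizer may trust them, which matters because `forwardedAddresses` is filled from a request header elsewhere in this commit. I would add `// X-Forwarded-For entries as received; client-controlled unless a trusted proxy sets the header` above `forwardedAddresses`. Above `remoteIPAddress` I would add `// address of the directly connected peer (the proxy, when one is in front)`, which is presumably the intent given the field name and should be confirmed. The class body continues outside this hunk.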
@@ -50,7 +53,14 @@ public class AtlasAccessRequest {
}
protected AtlasAccessRequest(AtlasPrivilege action, String user,
Set<String> userGroups) {
- this(action, user, userGroups, new Date(), null);
+ this(action, user, userGroups, new Date(), null, null, null);
+ }
+
+ protected AtlasAccessRequest(AtlasPrivilege action, String user,
Set<String> userGroups, Date accessTime,
+ String clientIPAddress, List<String>
forwardedAddresses, String remoteIPAddress) {
+ this(action, user, userGroups, accessTime, clientIPAddress);
+ this.forwardedAddresses = forwardedAddresses;
+ this.remoteIPAddress = remoteIPAddress;
}
protected AtlasAccessRequest(AtlasPrivilege action, String user,
Set<String> userGroups, Date accessTime, String clientIPAddress) {
@@ -82,10 +92,26 @@ public class AtlasAccessRequest {
this.userGroups = userGroups;
}
+ public List<String> getForwardedAddresses() {
+ return forwardedAddresses;
+ }
+
+ public String getRemoteIPAddress() {
+ return remoteIPAddress;
+ }
+
public String getClientIPAddress() {
return clientIPAddress;
}
+ public void setForwardedAddresses(List<String> forwardedAddresses) {
+ this.forwardedAddresses = forwardedAddresses;
+ }
+
+ public void setRemoteIPAddress(String remoteIPAddress) {
+ this.remoteIPAddress = remoteIPAddress;
+ }
+
public void setClientIPAddress(String clientIPAddress) {
this.clientIPAddress = clientIPAddress;
}
@@ -168,7 +194,10 @@ public class AtlasAccessRequest {
@Override
public String toString() {
- return "AtlasAccessRequest[action=" + action + ", accessTime=" +
accessTime + ", user=" + user +
- ", userGroups=" + userGroups + ",
clientIPAddress=" + clientIPAddress + "]";
+ return "AtlasAccessRequest[" + "action=" + action + ", accessTime=" +
accessTime +", user='" + user + '\'' +
+ ", userGroups=" + userGroups + ", clientIPAddress='" +
clientIPAddress + '\'' +
+ ", forwardedAddresses=" + forwardedAddresses + ",
remoteIPAddress='" + remoteIPAddress + '\'' +
+ ']';
+
}
}
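Review bot: The rewritten `toString()` in AtlasAccessRequest now wraps `user`, `clientIPAddress` and `remoteIPAddress` in single quotes, while the subclass `toString()` methods changed in this same commit print the same fields unquoted, so one log can end up with two formats for the same data. Pick one form for all of them; keeping the earlier unquoted `", user=" + user` style would avoid breaking anything that already parses these lines. Since `forwardedAddresses` is request-header content, it is worth confirming that the logging layer neutralises control characters wherever these strings are written. The empty added line before the method's closing brace can be dropped.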
diff --git
a/authorization/src/main/java/org/apache/atlas/authorize/AtlasAdminAccessRequest.java
b/authorization/src/main/java/org/apache/atlas/authorize/AtlasAdminAccessRequest.java
index 1782b32..5f571fb 100644
---
a/authorization/src/main/java/org/apache/atlas/authorize/AtlasAdminAccessRequest.java
+++
b/authorization/src/main/java/org/apache/atlas/authorize/AtlasAdminAccessRequest.java
@@ -33,6 +33,7 @@ public class AtlasAdminAccessRequest extends
AtlasAccessRequest {
@Override
public String toString() {
return "AtlasAdminAccessRequest[action=" + getAction() + ",
accessTime=" + getAccessTime() + ", user=" + getUser() +
- ", userGroups=" + getUserGroups() + ",
clientIPAddress=" + getClientIPAddress() + "]";
+ ", userGroups=" + getUserGroups() + ",
clientIPAddress=" + getClientIPAddress() +
+ ", forwardedAddresses=" + getForwardedAddresses() + ",
remoteIPAddress=" + getRemoteIPAddress() + "]";
}
}
diff --git
a/authorization/src/main/java/org/apache/atlas/authorize/AtlasAuthorizationUtils.java
b/authorization/src/main/java/org/apache/atlas/authorize/AtlasAuthorizationUtils.java
index ac2f525..460b454 100644
---
a/authorization/src/main/java/org/apache/atlas/authorize/AtlasAuthorizationUtils.java
+++
b/authorization/src/main/java/org/apache/atlas/authorize/AtlasAuthorizationUtils.java
@@ -35,6 +35,8 @@ import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.HashSet;
import java.util.Set;
+import java.util.List;
+import java.util.Arrays;
public class AtlasAuthorizationUtils {
private static final Logger LOG =
LoggerFactory.getLogger(AtlasAuthorizationUtils.class);
@@ -79,6 +81,8 @@ public class AtlasAuthorizationUtils {
request.setUser(userName, getCurrentUserGroups());
request.setClientIPAddress(RequestContext.get().getClientIPAddress());
+
request.setForwardedAddresses(RequestContext.get().getForwardedAddresses());
+
request.setRemoteIPAddress(RequestContext.get().getClientIPAddress());
authorizer.scrubSearchResults(request);
} catch (AtlasAuthorizationException e) {
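Review bot: `request.setRemoteIPAddress(RequestContext.get().getClientIPAddress())` copies the value just passed to `setClientIPAddress`, so `remoteIPAddress` and `clientIPAddress` are always identical and an authorizer cannot tell the connecting peer from the end-user address. If the intent is to expose the socket peer separately, RequestContext needs its own field for it, populated in AuditFilter from `httpRequest.getRemoteAddr()`; otherwise the second field only duplicates data. The same two added lines repeat in the hunks at -99, -124, -149 and -174 of this file, so a small private helper that fills the user and address fields on the request would keep the five call sites in step. The enclosing method starts and ends outside the hunk.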
@@ -99,6 +103,8 @@ public class AtlasAuthorizationUtils {
request.setUser(userName, getCurrentUserGroups());
request.setClientIPAddress(RequestContext.get().getClientIPAddress());
+
request.setForwardedAddresses(RequestContext.get().getForwardedAddresses());
+
request.setRemoteIPAddress(RequestContext.get().getClientIPAddress());
ret = authorizer.isAccessAllowed(request);
} catch (AtlasAuthorizationException e) {
LOG.error("Unable to obtain AtlasAuthorizer", e);
@@ -124,6 +130,8 @@ public class AtlasAuthorizationUtils {
request.setUser(getCurrentUserName(), getCurrentUserGroups());
request.setClientIPAddress(RequestContext.get().getClientIPAddress());
+
request.setForwardedAddresses(RequestContext.get().getForwardedAddresses());
+
request.setRemoteIPAddress(RequestContext.get().getClientIPAddress());
ret = authorizer.isAccessAllowed(request);
} catch (AtlasAuthorizationException e) {
LOG.error("Unable to obtain AtlasAuthorizer", e);
@@ -149,6 +157,8 @@ public class AtlasAuthorizationUtils {
request.setUser(getCurrentUserName(), getCurrentUserGroups());
request.setClientIPAddress(RequestContext.get().getClientIPAddress());
+
request.setForwardedAddresses(RequestContext.get().getForwardedAddresses());
+
request.setRemoteIPAddress(RequestContext.get().getClientIPAddress());
ret = authorizer.isAccessAllowed(request);
} catch (AtlasAuthorizationException e) {
LOG.error("Unable to obtain AtlasAuthorizer", e);
@@ -174,6 +184,8 @@ public class AtlasAuthorizationUtils {
request.setUser(getCurrentUserName(), getCurrentUserGroups());
request.setClientIPAddress(RequestContext.get().getClientIPAddress());
+
request.setForwardedAddresses(RequestContext.get().getForwardedAddresses());
+
request.setRemoteIPAddress(RequestContext.get().getClientIPAddress());
ret = authorizer.isAccessAllowed(request);
} catch (AtlasAuthorizationException e) {
LOG.error("Unable to obtain AtlasAuthorizer", e);
@@ -187,6 +199,16 @@ public class AtlasAuthorizationUtils {
return ret;
}
+ public static List<String>
getForwardedAddressesFromRequest(HttpServletRequest httpServletRequest){
+ String ipAddress = httpServletRequest.getHeader("X-FORWARDED-FOR");
+ String[] forwardedAddresses = null ;
+
+ if(!StringUtils.isEmpty(ipAddress)){
+ forwardedAddresses = ipAddress.split(",");
+ }
+ return forwardedAddresses != null ? Arrays.asList(forwardedAddresses)
: null;
+ }
+
public static String getRequestIpAddress(HttpServletRequest
httpServletRequest) {
String ret = "";
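Review bot: `getForwardedAddressesFromRequest` hands the raw `X-FORWARDED-FOR` value to the authorizer without any check that the request came through a trusted proxy, so a client that can reach Atlas directly chooses these addresses itself; they should be documented as untrusted, or read only when the peer is a configured proxy. The split on `","` also keeps the space that proxies put after each comma, so an entry such as `" 10.0.0.2"` (constructed example) will not match an exact-string IP condition. `getHeader` returns only the first header when several with that name are present, which may drop entries. A trimmed version is below; it still returns null for a missing header to keep the present contract. `getRequestIpAddress` continues outside the hunk.

```java
public static List<String> getForwardedAddressesFromRequest(HttpServletRequest httpServletRequest) {
    // X-Forwarded-For is client-supplied unless a trusted proxy overwrites it:
    // callers must not treat these entries as authenticated addresses.
    String header = httpServletRequest.getHeader("X-FORWARDED-FOR");

    if (StringUtils.isEmpty(header)) {
        return null;
    }

    String[] forwardedAddresses = header.split(",");

    for (int i = 0; i < forwardedAddresses.length; i++) {
        // proxies append entries as "a, b, c"; drop the padding
        forwardedAddresses[i] = forwardedAddresses[i].trim();
    }

    return Arrays.asList(forwardedAddresses);
}
```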
diff --git
a/authorization/src/main/java/org/apache/atlas/authorize/AtlasEntityAccessRequest.java
b/authorization/src/main/java/org/apache/atlas/authorize/AtlasEntityAccessRequest.java
index 07ff678..951e5c9 100644
---
a/authorization/src/main/java/org/apache/atlas/authorize/AtlasEntityAccessRequest.java
+++
b/authorization/src/main/java/org/apache/atlas/authorize/AtlasEntityAccessRequest.java
@@ -107,8 +107,9 @@ public class AtlasEntityAccessRequest extends
AtlasAccessRequest {
@Override
public String toString() {
return "AtlasEntityAccessRequest[entity=" + entity + ",
classification=" + classification + ", attributeName=" + attributeName +
- ", action=" + getAction() + ",
accessTime=" + getAccessTime() + ", user=" + getUser() +
- ", userGroups=" + getUserGroups() +
", clientIPAddress=" + getClientIPAddress() + "]";
+ ", action=" + getAction() + ", accessTime=" + getAccessTime()
+ ", user=" + getUser() +
+ ", userGroups=" + getUserGroups() + ", clientIPAddress=" +
getClientIPAddress() +
+ ", forwardedAddresses=" + getForwardedAddresses() + ",
remoteIPAddress=" + getRemoteIPAddress() + "]";
}
}
diff --git
a/authorization/src/main/java/org/apache/atlas/authorize/AtlasRelationshipAccessRequest.java
b/authorization/src/main/java/org/apache/atlas/authorize/AtlasRelationshipAccessRequest.java
index d2da03c..b530c01 100644
---
a/authorization/src/main/java/org/apache/atlas/authorize/AtlasRelationshipAccessRequest.java
+++
b/authorization/src/main/java/org/apache/atlas/authorize/AtlasRelationshipAccessRequest.java
@@ -88,6 +88,7 @@ public class AtlasRelationshipAccessRequest extends
AtlasAccessRequest {
public String toString() {
return "AtlasRelationshipAccessRequest[relationshipType=" +
relationshipType + ", end1Entity=" + end1Entity + ", end2Entity=" + end2Entity +
", action=" + getAction() + ", accessTime=" + getAccessTime()
+ ", user=" + getUser() +
- ", userGroups=" + getUserGroups() + ", clientIPAddress=" +
getClientIPAddress() + "]";
+ ", userGroups=" + getUserGroups() + ", clientIPAddress=" +
getClientIPAddress() +
+ ", forwardedAddresses=" + getForwardedAddresses() + ",
remoteIPAddress=" + getRemoteIPAddress() + "]";
}
}
diff --git
a/authorization/src/main/java/org/apache/atlas/authorize/AtlasSearchResultScrubRequest.java
b/authorization/src/main/java/org/apache/atlas/authorize/AtlasSearchResultScrubRequest.java
index c908b28..63468a7 100644
---
a/authorization/src/main/java/org/apache/atlas/authorize/AtlasSearchResultScrubRequest.java
+++
b/authorization/src/main/java/org/apache/atlas/authorize/AtlasSearchResultScrubRequest.java
@@ -47,7 +47,8 @@ public class AtlasSearchResultScrubRequest extends
AtlasAccessRequest {
@Override
public String toString() {
return "AtlasSearchResultScrubRequest[searchResult=" + searchResult +
", action=" + getAction() + ", accessTime=" + getAccessTime() + ", user=" +
getUser() +
- ", userGroups=" + getUserGroups() +
", clientIPAddress=" + getClientIPAddress() + "]";
+ ", userGroups=" + getUserGroups() + ", clientIPAddress=" +
getClientIPAddress() +
+ ", forwardedAddresses=" + getForwardedAddresses() + ",
remoteIPAddress=" + getRemoteIPAddress() + "]";
}
}
diff --git
a/authorization/src/main/java/org/apache/atlas/authorize/AtlasTypeAccessRequest.java
b/authorization/src/main/java/org/apache/atlas/authorize/AtlasTypeAccessRequest.java
index af38425..510be35 100644
---
a/authorization/src/main/java/org/apache/atlas/authorize/AtlasTypeAccessRequest.java
+++
b/authorization/src/main/java/org/apache/atlas/authorize/AtlasTypeAccessRequest.java
@@ -44,6 +44,7 @@ public class AtlasTypeAccessRequest extends
AtlasAccessRequest {
@Override
public String toString() {
return "AtlasEntityAccessRequest[typeDef=" + typeDef + ", action=" +
getAction() + ", accessTime=" + getAccessTime() +
- ", user=" + getUser() + ",
userGroups=" + getUserGroups() + ", clientIPAddress=" + getClientIPAddress() +
"]";
+ ", user=" + getUser() + ", userGroups=" + getUserGroups() + ",
clientIPAddress=" + getClientIPAddress() +
+ ", forwardedAddresses=" + getForwardedAddresses() + ",
remoteIPAddress=" + getRemoteIPAddress() + "]";
}
}
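Review bot: `AtlasTypeAccessRequest.toString()` still opens its output with `"AtlasEntityAccessRequest[typeDef="`, so type-level requests are labelled as entity requests wherever this string is logged; since the neighbouring lines are being edited anyway, change the prefix to `"AtlasTypeAccessRequest[typeDef="`. With the forwarded and remote addresses now part of the string, it is more likely to be read when tracing an access decision, and the wrong class name makes that harder.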
diff --git a/server-api/src/main/java/org/apache/atlas/RequestContext.java
b/server-api/src/main/java/org/apache/atlas/RequestContext.java
index 0c3ba08..79eea1c 100644
--- a/server-api/src/main/java/org/apache/atlas/RequestContext.java
+++ b/server-api/src/main/java/org/apache/atlas/RequestContext.java
@@ -29,7 +29,14 @@ import org.apache.commons.lang.StringUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
-import java.util.*;
+import java.util.Collection;
+import java.util.List;
+import java.util.Set;
+import java.util.Map;
+import java.util.ArrayList;
+import java.util.HashSet;
+import java.util.HashMap;
+
public class RequestContext {
private static final Logger METRICS = LoggerFactory.getLogger("METRICS");
@@ -48,10 +55,11 @@ public class RequestContext {
private final AtlasPerfMetrics metrics =
isMetricsEnabled ? new AtlasPerfMetrics() : null;
private List<EntityGuidPair> entityGuidInRequest =
null;
- private String user;
- private Set<String> userGroups;
- private String clientIPAddress;
- private DeleteType deleteType = DeleteType.DEFAULT;
+ private String user;
+ private Set<String> userGroups;
+ private String clientIPAddress;
+ private List<String> forwardedAddresses;
+ private DeleteType deleteType = DeleteType.DEFAULT;
private int maxAttempts = 1;
private int attemptCount = 1;
private boolean isImportInProgress = false;
@@ -354,4 +362,12 @@ public class RequestContext {
entity.setGuid(guid);
}
}
+
+ public List<String> getForwardedAddresses() {
+ return forwardedAddresses;
+ }
+
+ public void setForwardedAddresses(List<String> forwardedAddresses) {
+ this.forwardedAddresses = forwardedAddresses;
+ }
}
diff --git a/webapp/src/main/java/org/apache/atlas/web/filters/AuditFilter.java
b/webapp/src/main/java/org/apache/atlas/web/filters/AuditFilter.java
index e9c44b3..c663b00 100755
--- a/webapp/src/main/java/org/apache/atlas/web/filters/AuditFilter.java
+++ b/webapp/src/main/java/org/apache/atlas/web/filters/AuditFilter.java
@@ -91,6 +91,7 @@ public class AuditFilter implements Filter {
requestContext.setUser(user, userGroups);
requestContext.setClientIPAddress(AtlasAuthorizationUtils.getRequestIpAddress(httpRequest));
requestContext.setCreateShellEntityForNonExistingReference(createShellEntityForNonExistingReference);
+
requestContext.setForwardedAddresses(AtlasAuthorizationUtils.getForwardedAddressesFromRequest(httpRequest));
if (StringUtils.isNotEmpty(deleteType)) {
if (deleteTypeOverrideEnabled) {