Repository: incubator-atlas Updated Branches: refs/heads/master 1ddf3137b -> 34f51a2a2
ATLAS-661 REST API Authentication (nixonrodrigues via yhemanth) Project: http://git-wip-us.apache.org/repos/asf/incubator-atlas/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-atlas/commit/34f51a2a Tree: http://git-wip-us.apache.org/repos/asf/incubator-atlas/tree/34f51a2a Diff: http://git-wip-us.apache.org/repos/asf/incubator-atlas/diff/34f51a2a Branch: refs/heads/master Commit: 34f51a2a233c43e797a4d355e82f86b1e8332cc9 Parents: 1ddf313 Author: Hemanth Yamijala <[email protected]> Authored: Mon May 9 14:48:44 2016 +0530 Committer: Hemanth Yamijala <[email protected]> Committed: Mon May 9 14:48:44 2016 +0530 ---------------------------------------------------------------------- .../atlas/hive/bridge/HiveMetaStoreBridge.java | 14 ++- .../java/org/apache/atlas/AtlasAdminClient.java | 11 +- .../main/java/org/apache/atlas/AtlasClient.java | 32 +++++- .../apache/atlas/utils/AuthenticationUtil.java | 73 ++++++++++++ dashboardv2/public/js/utils/Utils.js | 29 +---- distro/src/conf/users-credentials.properties | 7 +- release-log.txt | 1 + .../org/apache/atlas/examples/QuickStart.java | 27 ++++- .../java/org/apache/atlas/web/dao/UserDao.java | 61 ++++++++-- .../filters/AtlasAuthenticationEntryPoint.java | 16 ++- .../security/AtlasADAuthenticationProvider.java | 51 +-------- .../AtlasAbstractAuthenticationProvider.java | 2 +- .../security/AtlasAuthenticationProvider.java | 33 ++++-- .../AtlasFileAuthenticationProvider.java | 13 ++- .../AtlasLdapAuthenticationProvider.java | 7 +- webapp/src/main/resources/atlas-admin-site.xml | 16 ++- webapp/src/main/resources/spring-security.xml | 113 +++++++++---------- webapp/src/main/webapp/WEB-INF/web.xml | 18 +-- .../org/apache/atlas/examples/QuickStartIT.java | 3 +- .../atlas/web/resources/BaseResourceIT.java | 8 +- .../web/security/FileAuthenticationTest.java | 60 +++++++++- .../security/NegativeSSLAndKerberosTest.java | 11 +- .../atlas/web/security/SSLAndKerberosTest.java | 3 +- 
.../apache/atlas/web/security/UserDaoTest.java | 15 ++- 24 files changed, 424 insertions(+), 200 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-atlas/blob/34f51a2a/addons/hive-bridge/src/main/java/org/apache/atlas/hive/bridge/HiveMetaStoreBridge.java ---------------------------------------------------------------------- diff --git a/addons/hive-bridge/src/main/java/org/apache/atlas/hive/bridge/HiveMetaStoreBridge.java b/addons/hive-bridge/src/main/java/org/apache/atlas/hive/bridge/HiveMetaStoreBridge.java index d4212a1..8768250 100755 --- a/addons/hive-bridge/src/main/java/org/apache/atlas/hive/bridge/HiveMetaStoreBridge.java +++ b/addons/hive-bridge/src/main/java/org/apache/atlas/hive/bridge/HiveMetaStoreBridge.java @@ -32,6 +32,7 @@ import org.apache.atlas.typesystem.Struct; import org.apache.atlas.typesystem.json.InstanceSerialization; import org.apache.atlas.typesystem.json.TypesSerialization; import org.apache.atlas.typesystem.persistence.Id; +import org.apache.atlas.utils.AuthenticationUtil; import org.apache.commons.configuration.Configuration; import org.apache.hadoop.hive.conf.HiveConf; import org.apache.hadoop.hive.metastore.api.Database; @@ -43,12 +44,12 @@ import org.apache.hadoop.hive.metastore.api.hive_metastoreConstants; import org.apache.hadoop.hive.ql.metadata.Hive; import org.apache.hadoop.hive.ql.metadata.HiveException; import org.apache.hadoop.hive.ql.metadata.Table; +import org.apache.hadoop.security.UserGroupInformation; import org.codehaus.jettison.json.JSONArray; import org.codehaus.jettison.json.JSONException; import org.codehaus.jettison.json.JSONObject; import org.slf4j.Logger; import org.slf4j.LoggerFactory; - import java.util.ArrayList; import java.util.Date; import java.util.List; 
@@ -533,9 +534,18 @@ public class HiveMetaStoreBridge { } public static void main(String[] argv) throws Exception { + Configuration atlasConf = ApplicationProperties.get(); String atlasEndpoint = atlasConf.getString(ATLAS_ENDPOINT, DEFAULT_DGI_URL); - AtlasClient atlasClient = new AtlasClient(atlasEndpoint); + AtlasClient atlasClient; + + if (!AuthenticationUtil.isKerberosAuthicationEnabled()) { + String[] basicAuthUsernamePassword = AuthenticationUtil.getBasicAuthenticationInput(); + atlasClient = new AtlasClient(new String[]{atlasEndpoint}, basicAuthUsernamePassword); + } else { + UserGroupInformation ugi = UserGroupInformation.getCurrentUser(); + atlasClient = new AtlasClient(ugi, ugi.getShortUserName(), atlasEndpoint); + } HiveMetaStoreBridge hiveMetaStoreBridge = new HiveMetaStoreBridge(new HiveConf(), atlasClient); hiveMetaStoreBridge.registerHiveDataModel(); http://git-wip-us.apache.org/repos/asf/incubator-atlas/blob/34f51a2a/client/src/main/java/org/apache/atlas/AtlasAdminClient.java ---------------------------------------------------------------------- diff --git a/client/src/main/java/org/apache/atlas/AtlasAdminClient.java b/client/src/main/java/org/apache/atlas/AtlasAdminClient.java index d2ae7f0..ec750c8 100644 --- a/client/src/main/java/org/apache/atlas/AtlasAdminClient.java +++ b/client/src/main/java/org/apache/atlas/AtlasAdminClient.java @@ -18,6 +18,7 @@ package org.apache.atlas; +import org.apache.atlas.utils.AuthenticationUtil; import org.apache.commons.cli.CommandLine; import org.apache.commons.cli.CommandLineParser; import org.apache.commons.cli.GnuParser; @@ -27,6 +28,7 @@ import org.apache.commons.cli.Options; import org.apache.commons.cli.ParseException; import org.apache.commons.configuration.Configuration; + /** * An application that allows users to run admin commands against an Atlas server. * 
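Review bot: In main, the non-Kerberos branch now calls `AuthenticationUtil.getBasicAuthenticationInput()`, which blocks on stdin, so anything that runs the bridge unattended (a scheduled import, an init script) will hang unless credentials are piped in, and the password is then echoed by `readLine`. Consider reading the credentials from the environment or the bridge configuration first and only prompting when nothing is configured, and say so in the class Javadoc so operators are not surprised by the prompt. The remainder of main (`registerHiveDataModel` onward) continues outside the hunk.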
@@ -60,7 +62,14 @@ public class AtlasAdminClient { Configuration configuration = ApplicationProperties.get(); String atlasServerUri = configuration.getString( AtlasConstants.ATLAS_REST_ADDRESS_KEY, AtlasConstants.DEFAULT_ATLAS_REST_ADDRESS); - AtlasClient atlasClient = new AtlasClient(atlasServerUri); + + AtlasClient atlasClient = null; + if (!AuthenticationUtil.isKerberosAuthicationEnabled()) { + String[] basicAuthUsernamePassword = AuthenticationUtil.getBasicAuthenticationInput(); + atlasClient = new AtlasClient(new String[]{atlasServerUri}, basicAuthUsernamePassword); + } else { + atlasClient = new AtlasClient(atlasServerUri, null, null); + } return handleCommand(commandLine, atlasServerUri, atlasClient); } http://git-wip-us.apache.org/repos/asf/incubator-atlas/blob/34f51a2a/client/src/main/java/org/apache/atlas/AtlasClient.java ---------------------------------------------------------------------- diff --git a/client/src/main/java/org/apache/atlas/AtlasClient.java b/client/src/main/java/org/apache/atlas/AtlasClient.java index 234af5b..b3ec95c 100755 --- a/client/src/main/java/org/apache/atlas/AtlasClient.java +++ b/client/src/main/java/org/apache/atlas/AtlasClient.java @@ -36,6 +36,7 @@ import org.apache.atlas.typesystem.types.AttributeDefinition; import org.apache.atlas.typesystem.types.HierarchicalTypeDefinition; import org.apache.atlas.typesystem.types.TraitType; import org.apache.atlas.typesystem.types.utils.TypesUtil; +import org.apache.atlas.utils.AuthenticationUtil; import org.apache.commons.configuration.Configuration; import org.apache.commons.lang.StringUtils; import org.apache.hadoop.security.UserGroupInformation; @@ -44,7 +45,6 @@ import org.codehaus.jettison.json.JSONException; import org.codehaus.jettison.json.JSONObject; import org.slf4j.Logger; import org.slf4j.LoggerFactory; - import javax.ws.rs.HttpMethod; import javax.ws.rs.core.MediaType; import javax.ws.rs.core.Response; 
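Review bot: The Kerberos branch builds the client as `new AtlasClient(atlasServerUri, null, null)`, whereas HiveMetaStoreBridge in the same commit passes the current identity (`new AtlasClient(ugi, ugi.getShortUserName(), atlasEndpoint)`); if the three-argument form resolves to the UGI/doAs constructor, this caller hands the client a null identity and the two tools will behave differently under Kerberos, so either pass `UserGroupInformation.getCurrentUser()` here too or comment why the admin client deliberately omits it. `AtlasClient atlasClient = null;` is assigned on both branches, so the null initialiser is unnecessary. The enclosing method starts before the hunk; only its tail (`return handleCommand(...)`) is visible.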
@@ -55,7 +55,7 @@ import java.util.ArrayList; import java.util.Arrays; import java.util.Collection; import java.util.List; - +import com.sun.jersey.api.client.filter.HTTPBasicAuthFilter; import static org.apache.atlas.security.SecurityProperties.TLS_ENABLED; /** @@ -125,6 +125,16 @@ public class AtlasClient { private WebResource service; private AtlasClientContext atlasClientContext; private Configuration configuration; + private String basicAuthUser; + private String basicAuthPassword; + + + // New constuctor for Basic auth + public AtlasClient(String[] baseUrl, String[] basicAuthUserNamepassword) { + this.basicAuthUser = basicAuthUserNamepassword[0]; + this.basicAuthPassword = basicAuthUserNamepassword[1]; + initializeState(baseUrl, null, null); + } /** * Create a new Atlas client. @@ -170,6 +180,12 @@ public class AtlasClient { private void initializeState(String[] baseUrls, UserGroupInformation ugi, String doAsUser) { configuration = getClientProperties(); Client client = getClient(configuration, ugi, doAsUser); + + if ((!AuthenticationUtil.isKerberosAuthicationEnabled()) && basicAuthUser!=null && basicAuthPassword!=null) { + final HTTPBasicAuthFilter authFilter = new HTTPBasicAuthFilter(basicAuthUser, basicAuthPassword); + client.addFilter(authFilter); + } + String activeServiceUrl = determineActiveServiceURL(baseUrls, client); atlasClientContext = new AtlasClientContext(baseUrls, client, ugi, doAsUser); service = client.resource(UriBuilder.fromUri(activeServiceUrl).build()); 
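Review bot: The new constructor `AtlasClient(String[] baseUrl, String[] basicAuthUserNamepassword)` indexes `[0]` and `[1]` without validating the array: a null array fails with a NullPointerException, and a `{null, null}` pair — which `AuthenticationUtil.getBasicAuthenticationInput()` returns when stdin is exhausted, since `readLine` yields null — is accepted silently, after which `initializeState` skips the filter (it only adds one when both fields are non-null) and the client sends unauthenticated requests. Add `Objects.requireNonNull(basicAuthUserNamepassword, "basicAuthUserNamepassword")` plus a check that both entries are present, throwing IllegalArgumentException otherwise, and replace the `// New constuctor for Basic auth` line with a Javadoc that states the expected `{username, password}` layout. The password is also held in a `String` field for the client's lifetime, so it can never be cleared; a `char[]` is the usual choice.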
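Review bot: In initializeState the `HTTPBasicAuthFilter` attaches the username and password to every request regardless of whether `TLS_ENABLED` (already statically imported in this file) is on, so against an http:// endpoint the credentials cross the wire base64-encoded but otherwise in the clear. At minimum warn when basic auth is configured without TLS, e.g. `if (!configuration.getBoolean(TLS_ENABLED, false)) { LOG.warn("Basic authentication configured without TLS; credentials will be sent unencrypted"); }`, and consider refusing the combination outside test setups. The condition `!isKerberosAuthicationEnabled() && basicAuthUser != null && basicAuthPassword != null` is repeated verbatim in `getClient`; a private `isBasicAuthConfigured()` helper would keep the two in step.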
@@ -195,9 +211,14 @@ public class AtlasClient { LOG.info("Error processing client configuration.", e); } - URLConnectionClientHandler handler = - SecureClientUtils.getClientConnectionHandler(config, clientConfig, doAsUser, ugi); + URLConnectionClientHandler handler = null; + if ((!AuthenticationUtil.isKerberosAuthicationEnabled()) && basicAuthUser!=null && basicAuthPassword!=null) { + handler = new URLConnectionClientHandler(); + } else { + handler = + SecureClientUtils.getClientConnectionHandler(config, clientConfig, doAsUser, ugi); + } Client client = new Client(handler, config); client.setReadTimeout(readTimeout); client.setConnectTimeout(connectTimeout); @@ -1049,6 +1070,8 @@ public class AtlasClient { public AtlasClientContext(String[] baseUrls, Client client, UserGroupInformation ugi, String doAsUser) { this.baseUrls = baseUrls; this.client = client; + this.ugi = ugi; + this.doAsUser = doAsUser; } public Client getClient() { @@ -1068,4 +1091,5 @@ public class AtlasClient { } } + } http://git-wip-us.apache.org/repos/asf/incubator-atlas/blob/34f51a2a/common/src/main/java/org/apache/atlas/utils/AuthenticationUtil.java ---------------------------------------------------------------------- diff --git a/common/src/main/java/org/apache/atlas/utils/AuthenticationUtil.java b/common/src/main/java/org/apache/atlas/utils/AuthenticationUtil.java new file mode 100644 index 0000000..f8e22f0 --- /dev/null +++ b/common/src/main/java/org/apache/atlas/utils/AuthenticationUtil.java 
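Review bot: In getClient the basic-auth path substitutes a bare `new URLConnectionClientHandler()` for `SecureClientUtils.getClientConnectionHandler(config, clientConfig, doAsUser, ugi)`; if the secure handler is where the client's TLS settings (truststore, hostname verification) are wired from `clientConfig`, basic-auth clients lose them and an https:// endpoint is then served with JVM defaults — the opposite of what a client that is about to send a password needs. Confirm what the secure handler does in the non-Kerberos case and, if it is TLS-aware, keep it and bypass only the Kerberos-specific part. `URLConnectionClientHandler handler = null;` followed by assignment on both branches can be a single conditional assignment, and the choice deserves a one-line comment explaining why basic auth needs a different handler at all. getClient starts before the hunk.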
@@ -0,0 +1,73 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.atlas.utils; + +import org.apache.atlas.ApplicationProperties; +import org.apache.atlas.AtlasException; +import org.apache.commons.configuration.Configuration; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +import java.io.BufferedReader; +import java.io.InputStreamReader; + +/** + * Util class for Authentication. 
+ */ +public final class AuthenticationUtil { + private static final Logger LOG = LoggerFactory.getLogger(AuthenticationUtil.class); + + private AuthenticationUtil() { + } + + public static boolean isKerberosAuthicationEnabled() { + boolean isKerberosAuthicationEnabled = false; + try { + Configuration atlasConf = ApplicationProperties.get(); + + if ("true".equalsIgnoreCase(atlasConf.getString("atlas.http.authentication.enabled")) + && "kerberos".equalsIgnoreCase(atlasConf.getString("atlas.http.authentication.type"))) { + isKerberosAuthicationEnabled = true; + } else { + isKerberosAuthicationEnabled = false; + } + + } catch (AtlasException e) { + LOG.error("Error while isKerberosAuthicationEnabled ", e); + } + return isKerberosAuthicationEnabled; + } + + public static String[] getBasicAuthenticationInput() { + String username = null; + String password = null; + + try { + BufferedReader bufferRead = new BufferedReader(new InputStreamReader(System.in)); + System.out.println("Enter username for atlas :-"); + username = bufferRead.readLine(); + System.out.println("Enter password for atlas :-"); + password = bufferRead.readLine(); + } catch (Exception e) { + System.out.print("Error while reading "); + System.exit(1); + } + return new String[]{username, password}; + } + +} http://git-wip-us.apache.org/repos/asf/incubator-atlas/blob/34f51a2a/dashboardv2/public/js/utils/Utils.js ---------------------------------------------------------------------- diff --git a/dashboardv2/public/js/utils/Utils.js b/dashboardv2/public/js/utils/Utils.js index 7b2db79..3892c72 100644 --- a/dashboardv2/public/js/utils/Utils.js +++ b/dashboardv2/public/js/utils/Utils.js 
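Review bot: `getBasicAuthenticationInput` reads the password with `BufferedReader.readLine()`, which echoes it on the terminal and leaves it in the scrollback; `System.console().readPassword()` from java.io suppresses echo and should be used whenever a console is present. The `catch (Exception e)` prints a half sentence, discards the cause and calls `System.exit(1)` from a utility class, which no library caller can recover from; log the cause through the class's own `LOG` and throw instead (rewrite below; it needs `import java.io.Console;` and `import java.io.IOException;`). The public name `isKerberosAuthicationEnabled` is misspelled (missing "ent") and is already called from four other files in this commit, so fixing it later will be costly. Both methods also lack Javadoc; state that the Kerberos check reads `atlas.http.authentication.enabled` and `atlas.http.authentication.type` and returns false when the configuration cannot be loaded, and document the `{username, password}` layout of the returned array.
```java
public static String[] getBasicAuthenticationInput() {
    String username = null;
    String password = null;
    try {
        Console console = System.console();
        if (console != null) {
            // Console.readPassword does not echo the typed characters.
            username = console.readLine("Enter username for atlas :-");
            char[] pwdChars = console.readPassword("Enter password for atlas :-");
            password = pwdChars == null ? null : new String(pwdChars);
        } else {
            // No terminal attached (piped stdin, IDE): keep the original prompts.
            BufferedReader bufferRead = new BufferedReader(new InputStreamReader(System.in));
            System.out.println("Enter username for atlas :-");
            username = bufferRead.readLine();
            System.out.println("Enter password for atlas :-");
            password = bufferRead.readLine();
        }
    } catch (IOException e) {
        LOG.error("Error while reading credentials from standard input", e);
        throw new IllegalStateException("Error while reading credentials from standard input", e);
    }
    return new String[]{username, password};
}
```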
@@ -74,31 +74,12 @@ }); }; Utils.defaultErrorHandler = function(model, error) { - /* - require(['views/common/ErrorView', 'App'], function(vError, App) { - if (error.status == 404) { - App.rContent.show(new vError({ - status: error.status - })); - } else if (error.status == 401) { - App.rContent.show(new vError({ - status: error.status - })); - } else if (error.status == 419) { - window.location = 'login.jsp' - } else if (error.status == "0") { - var diffTime = (new Date().getTime() - prevNetworkErrorTime); - if (diffTime > 3000) { - prevNetworkErrorTime = new Date().getTime(); - Utils.notifyError({ - content: "Network Connection Failure : " + - "It seems you are not connected to the internet. Please check your internet connection and try again" - }) + if (error.status == 401) { + window.location = '/login.jsp' + } else if (error.status == 419) { + window.location = '/login.jsp' + } - } - } - }); - */ }; Utils.localStorage = { http://git-wip-us.apache.org/repos/asf/incubator-atlas/blob/34f51a2a/distro/src/conf/users-credentials.properties ---------------------------------------------------------------------- diff --git a/distro/src/conf/users-credentials.properties b/distro/src/conf/users-credentials.properties index 94e7cf4..212d018 100644 --- a/distro/src/conf/users-credentials.properties +++ b/distro/src/conf/users-credentials.properties @@ -1,3 +1,4 @@ -#username=password -admin=admin -user=user123 +#username=group::sha256-password +admin=ADMIN::8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918 +michael=DATA_SCIENTIST::95bfb24de17d285d734b9eaa9109bfe922adc85f20d2e5e66a78bddb4a4ebddb +paul=DATA_STEWARD::e7c0dcf5f8a93e93791e9bac1ae454a691c1d2a902fc4256d489e96c1b9ac68c http://git-wip-us.apache.org/repos/asf/incubator-atlas/blob/34f51a2a/release-log.txt ---------------------------------------------------------------------- diff --git a/release-log.txt b/release-log.txt index d94857e..4bacdfb 100644 --- a/release-log.txt +++ b/release-log.txt 
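Review bot: `defaultErrorHandler` now does nothing for any status other than 401 and 419 — the commented-out 404 and network-failure handling is deleted rather than restored — so a user gets no feedback on those errors; if that is intended it deserves a comment, otherwise at least the network-failure notification should come back. The two surviving branches perform the same redirect and can be merged: `if (error.status == 401 || error.status == 419) { window.location = '/login.jsp'; }`. The root-relative `/login.jsp` also assumes Atlas is mounted at the context root; if the webapp can be deployed under a context path, build the URL from the application base instead.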
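Review bot: The new `username=group::sha256-password` format stores an unsalted single-round SHA-256 of each password, which is fast enough that a leaked file can be checked against password lists offline and makes identical passwords share a digest; a salted, deliberately slow construction (PBKDF2 from the JDK, or bcrypt/scrypt) is the usual choice for a credentials file, and the comment line should name whichever scheme is actually used. The shipped `admin` entry looks like a digest of the same default credential the previous `admin=admin` line carried, so a deployment that keeps this file unchanged starts with a well-known administrator login; the install documentation should require replacing these entries before exposing the server. The two sample users have passwords that are not documented anywhere in this commit, which makes the sample accounts hard to use for testing and easy to forget in production.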
@@ -3,6 +3,7 @@ Apache Atlas Release Notes --trunk - unreleased INCOMPATIBLE CHANGES: +ATLAS-661 REST API Authentication (nixonrodrigues via yhemanth) ATLAS-672 UI: Make dashboard v2 the default UI implementation (bergenholtz via yhemanth) ATLAS-532 Change Data types of all timestamps in Hive model(currently long)(sumasai via yhemanth) ATLAS-622 Introduce soft delete (shwethags) http://git-wip-us.apache.org/repos/asf/incubator-atlas/blob/34f51a2a/webapp/src/main/java/org/apache/atlas/examples/QuickStart.java ---------------------------------------------------------------------- diff --git a/webapp/src/main/java/org/apache/atlas/examples/QuickStart.java b/webapp/src/main/java/org/apache/atlas/examples/QuickStart.java index 64e6e92..70dce6b 100755 --- a/webapp/src/main/java/org/apache/atlas/examples/QuickStart.java +++ b/webapp/src/main/java/org/apache/atlas/examples/QuickStart.java @@ -18,6 +18,7 @@ package org.apache.atlas.examples; +import com.google.common.annotations.VisibleForTesting; import com.google.common.base.Preconditions; import com.google.common.collect.ImmutableList; import com.google.common.collect.ImmutableSet; @@ -39,9 +40,9 @@ import org.apache.atlas.typesystem.types.Multiplicity; import org.apache.atlas.typesystem.types.StructTypeDefinition; import org.apache.atlas.typesystem.types.TraitType; import org.apache.atlas.typesystem.types.utils.TypesUtil; +import org.apache.atlas.utils.AuthenticationUtil; import org.apache.commons.configuration.Configuration; import org.codehaus.jettison.json.JSONArray; - import java.util.List; /** 
@@ -70,8 +71,24 @@ public class QuickStart { public static final String INPUT_TABLES_ATTRIBUTE = "inputTables"; public static void main(String[] args) throws Exception { + String[] basicAuthUsernamePassword = null; + if (!AuthenticationUtil.isKerberosAuthicationEnabled()) { + basicAuthUsernamePassword = AuthenticationUtil.getBasicAuthenticationInput(); + } + + runQuickstart(args, basicAuthUsernamePassword); + } + + @VisibleForTesting + static void runQuickstart(String[] args, String[] basicAuthUsernamePassword) throws Exception { String baseUrl = getServerUrl(args); - QuickStart quickStart = new QuickStart(baseUrl); + QuickStart quickStart; + + if (!AuthenticationUtil.isKerberosAuthicationEnabled()) { + quickStart = new QuickStart(baseUrl, basicAuthUsernamePassword); + } else { + quickStart = new QuickStart(baseUrl); + } // Shows how to create types in Atlas for your meta model quickStart.createTypes(); @@ -111,11 +128,17 @@ public class QuickStart { private final AtlasClient metadataServiceClient; + QuickStart(String baseUrl,String[] basicAuthUsernamePassword) { + String[] urls = baseUrl.split(","); + metadataServiceClient = new AtlasClient(urls,basicAuthUsernamePassword); + } + QuickStart(String baseUrl) throws AtlasException { String[] urls = baseUrl.split(","); metadataServiceClient = new AtlasClient(urls); } + void createTypes() throws Exception { TypesDef typesDef = createTypeDefinitions(); http://git-wip-us.apache.org/repos/asf/incubator-atlas/blob/34f51a2a/webapp/src/main/java/org/apache/atlas/web/dao/UserDao.java ---------------------------------------------------------------------- diff --git a/webapp/src/main/java/org/apache/atlas/web/dao/UserDao.java b/webapp/src/main/java/org/apache/atlas/web/dao/UserDao.java index 76784c4..f1ceee2 100644 --- a/webapp/src/main/java/org/apache/atlas/web/dao/UserDao.java +++ b/webapp/src/main/java/org/apache/atlas/web/dao/UserDao.java 
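Review bot: `isKerberosAuthicationEnabled()` is evaluated twice on the same run — in main to decide whether to prompt and again in runQuickstart to pick the constructor — with each call re-reading ApplicationProperties; runQuickstart already receives `basicAuthUsernamePassword`, so it may as well branch on that alone, `quickStart = basicAuthUsernamePassword != null ? new QuickStart(baseUrl, basicAuthUsernamePassword) : new QuickStart(baseUrl);`, which also lets a test supply credentials without touching the Kerberos configuration. The new constructor `QuickStart(String baseUrl,String[] basicAuthUsernamePassword)` is missing the space after the comma in both its signature and the `new AtlasClient(urls,basicAuthUsernamePassword)` call, and the blank line inserted before `createTypes` is stray. Both constructors would benefit from a one-line Javadoc saying which authentication mode each is for.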
@@ -20,8 +20,11 @@ package org.apache.atlas.web.dao; import com.google.common.annotations.VisibleForTesting; import java.io.FileInputStream; import java.io.IOException; +import java.util.ArrayList; import java.util.Properties; +import java.util.List; import javax.annotation.PostConstruct; +import org.apache.atlas.web.security.AtlasAuthenticationException; import org.slf4j.Logger; import org.slf4j.LoggerFactory; import org.springframework.stereotype.Repository; @@ -29,7 +32,13 @@ import org.apache.atlas.ApplicationProperties; import org.apache.atlas.AtlasException; import org.apache.atlas.web.model.User; import org.apache.commons.configuration.Configuration; +import org.springframework.security.core.GrantedAuthority; +import org.springframework.security.core.authority.SimpleGrantedAuthority; import org.springframework.security.core.userdetails.UsernameNotFoundException; +import java.security.MessageDigest; +import org.springframework.security.core.AuthenticationException; +import org.springframework.util.StringUtils; + @Repository public class UserDao { 
@@ -65,21 +74,59 @@ public class UserDao { } public User loadUserByUsername(final String username) - throws UsernameNotFoundException { - String password = userLogins.getProperty(username); - if (password == null || password.isEmpty()) { + throws AuthenticationException { + String userdetailsStr = userLogins.getProperty(username); + if (userdetailsStr == null || userdetailsStr.isEmpty()) { throw new UsernameNotFoundException("Username not found." + username); } - User user = new User(); - user.setUsername(username); - user.setPassword(password); - return user; + String password = ""; + String role = ""; + String dataArr[] = userdetailsStr.split("::"); + if (dataArr != null && dataArr.length == 2) { + role = dataArr[0]; + password = dataArr[1]; + } else { + LOG.error("User role credentials is not set properly for " + username); + throw new AtlasAuthenticationException("User role credentials is not set properly for " + username ); + } + + List<GrantedAuthority> grantedAuths = new ArrayList<GrantedAuthority>(); + if (StringUtils.hasText(role)) { + grantedAuths.add(new SimpleGrantedAuthority(role)); + } else { + LOG.error("User role credentials is not set properly for " + username); + throw new AtlasAuthenticationException("User role credentials is not set properly for " + username ); + } + + User userDetails = new User(username, password, grantedAuths); + + return userDetails; } + @VisibleForTesting public void setUserLogins(Properties userLogins) { this.userLogins = userLogins; } + + public static String getSha256Hash(String base) throws AtlasAuthenticationException { + try { + MessageDigest digest = MessageDigest.getInstance("SHA-256"); + byte[] hash = digest.digest(base.getBytes("UTF-8")); + StringBuffer hexString = new StringBuffer(); + + for (int i = 0; i < hash.length; i++) { + String hex = Integer.toHexString(0xff & hash[i]); + if (hex.length() == 1) hexString.append('0'); + hexString.append(hex); + } + return hexString.toString(); + + } catch (Exception ex) { 
+ throw new AtlasAuthenticationException("Exception while encoding password.", ex); + } + } + } http://git-wip-us.apache.org/repos/asf/incubator-atlas/blob/34f51a2a/webapp/src/main/java/org/apache/atlas/web/filters/AtlasAuthenticationEntryPoint.java ---------------------------------------------------------------------- diff --git a/webapp/src/main/java/org/apache/atlas/web/filters/AtlasAuthenticationEntryPoint.java b/webapp/src/main/java/org/apache/atlas/web/filters/AtlasAuthenticationEntryPoint.java index b77bd28..382b494 100644 --- a/webapp/src/main/java/org/apache/atlas/web/filters/AtlasAuthenticationEntryPoint.java +++ b/webapp/src/main/java/org/apache/atlas/web/filters/AtlasAuthenticationEntryPoint.java @@ -21,8 +21,6 @@ import java.io.IOException; import javax.servlet.ServletException; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; - -import org.apache.atlas.Atlas; import org.slf4j.Logger; import org.slf4j.LoggerFactory; import org.springframework.security.core.AuthenticationException; 
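Review bot: In loadUserByUsername the `dataArr != null` test is dead (`String.split` never returns null), and the malformed-entry and empty-role branches log and throw the identical message twice; folding them into one check such as `if (dataArr.length != 2 || !StringUtils.hasText(dataArr[0]))` removes the duplication, and `String dataArr[]` should be written `String[] dataArr`. In getSha256Hash, `base.getBytes("UTF-8")` can use `StandardCharsets.UTF_8`, `StringBuffer` should be `StringBuilder`, and `catch (Exception ex)` hides every failure behind one message when only `NoSuchAlgorithmException` remains possible once the charset constant is used (rewrite below; it needs `java.nio.charset.StandardCharsets` and `java.security.NoSuchAlgorithmException` imports). Note that a plain SHA-256 digest is unsalted, so the stored file is cheap to attack offline if it leaks, and wherever the submitted password's digest is compared with the stored one — not in this hunk — the comparison should use `MessageDigest.isEqual` rather than `String.equals` to avoid a timing side channel.
```java
public static String getSha256Hash(String base) throws AtlasAuthenticationException {
    try {
        MessageDigest digest = MessageDigest.getInstance("SHA-256");
        byte[] hash = digest.digest(base.getBytes(StandardCharsets.UTF_8));
        StringBuilder hexString = new StringBuilder(hash.length * 2);
        for (byte b : hash) {
            // %02x keeps the leading zero the original loop added by hand.
            hexString.append(String.format("%02x", 0xff & b));
        }
        return hexString.toString();
    } catch (NoSuchAlgorithmException ex) {
        throw new AtlasAuthenticationException("Exception while encoding password.", ex);
    }
}
```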
@@ -31,15 +29,23 @@ import org.springframework.security.web.authentication.LoginUrlAuthenticationEnt @SuppressWarnings("deprecation") class AtlasAuthenticationEntryPoint extends LoginUrlAuthenticationEntryPoint { - private static final Logger LOG = LoggerFactory.getLogger(Atlas.class); + private static final Logger LOG = LoggerFactory.getLogger(AtlasAuthenticationEntryPoint.class); private String loginPath = "/login.jsp"; @Override public void commence(HttpServletRequest request, HttpServletResponse response, AuthenticationException authException) throws IOException, ServletException { - LOG.debug("redirecting to login page loginPath" + loginPath); - response.sendRedirect(loginPath); + + String ajaxRequestHeader = request.getHeader("X-Requested-With"); + response.setHeader("X-Frame-Options", "DENY"); + + if ("XMLHttpRequest".equals(ajaxRequestHeader)) { + response.setStatus(HttpServletResponse.SC_UNAUTHORIZED); + } else { + LOG.debug("redirecting to login page loginPath" + loginPath); + response.sendRedirect(loginPath); + } } } http://git-wip-us.apache.org/repos/asf/incubator-atlas/blob/34f51a2a/webapp/src/main/java/org/apache/atlas/web/security/AtlasADAuthenticationProvider.java ---------------------------------------------------------------------- diff --git a/webapp/src/main/java/org/apache/atlas/web/security/AtlasADAuthenticationProvider.java b/webapp/src/main/java/org/apache/atlas/web/security/AtlasADAuthenticationProvider.java index 96dca45..9e5df45 100644 --- a/webapp/src/main/java/org/apache/atlas/web/security/AtlasADAuthenticationProvider.java +++ b/webapp/src/main/java/org/apache/atlas/web/security/AtlasADAuthenticationProvider.java 
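Review bot: In commence the `X-Frame-Options: DENY` header is set only on this unauthenticated response (the 401 or the redirect), so it does not protect the application's normal pages; if the intent is clickjacking protection it belongs in a filter applied to every response, and if it is meant only for the login redirect the reason should be stated in a comment. `LOG.debug("redirecting to login page loginPath" + loginPath)` concatenates eagerly and has no separator before the value; with the SLF4J logger now declared on this class use `LOG.debug("redirecting to login page loginPath {}", loginPath)`. The 401 branch also returns an empty body with no `WWW-Authenticate` header, which is fine for the XHR client but worth a short comment, since the `X-Requested-With` check is what chooses between the two behaviours and a future reader will wonder why no challenge is sent.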
@@ -25,16 +25,12 @@ import javax.annotation.PostConstruct; import org.apache.atlas.util.PropertiesUtil; import org.apache.atlas.web.model.User; import org.apache.log4j.Logger; -import org.springframework.ldap.core.support.LdapContextSource; import org.springframework.security.authentication.UsernamePasswordAuthenticationToken; import org.springframework.security.core.Authentication; import org.springframework.security.core.AuthenticationException; import org.springframework.security.core.GrantedAuthority; import org.springframework.security.core.userdetails.UserDetails; -import org.springframework.security.ldap.DefaultSpringSecurityContextSource; -import org.springframework.security.ldap.authentication.BindAuthenticator; -import org.springframework.security.ldap.authentication.LdapAuthenticationProvider; -import org.springframework.security.ldap.search.FilterBasedLdapUserSearch; +import org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider; import org.springframework.stereotype.Component; @Component @@ -44,6 +40,7 @@ public class AtlasADAuthenticationProvider extends .getLogger(AtlasADAuthenticationProvider.class); private String adURL; + private String adDomain; private String adBindDN; private String adBindPassword; private String adUserSearchFilter; 
@@ -74,17 +71,10 @@ public class AtlasADAuthenticationProvider extends if (authentication.getCredentials() != null) { userPassword = authentication.getCredentials().toString(); } - LdapContextSource ldapContextSource = getLdapContextSource(); - if (adUserSearchFilter == null - || adUserSearchFilter.trim().isEmpty()) { - adUserSearchFilter = "(sAMAccountName={0})"; - } - - BindAuthenticator bindAuthenticator = getBindAuthenticator(ldapContextSource); + ActiveDirectoryLdapAuthenticationProvider adAuthenticationProvider = + new ActiveDirectoryLdapAuthenticationProvider(adDomain, adURL); - LdapAuthenticationProvider ldapAuthenticationProvider = new LdapAuthenticationProvider( - bindAuthenticator); if (userName != null && userPassword != null && !userName.trim().isEmpty() && !userPassword.trim().isEmpty()) { @@ -93,9 +83,7 @@ public class AtlasADAuthenticationProvider extends grantedAuths); final Authentication finalAuthentication = new UsernamePasswordAuthenticationToken( principal, userPassword, grantedAuths); - authentication = ldapAuthenticationProvider - .authenticate(finalAuthentication); - authentication = getAuthenticationWithGrantedAuthority(authentication); + authentication = adAuthenticationProvider.authenticate(finalAuthentication); return authentication; } else { throw new AtlasAuthenticationException( @@ -109,6 +97,7 @@ public class AtlasADAuthenticationProvider extends } private void setADProperties() { + adDomain = PropertiesUtil.getProperty("atlas.ad.domain", adDomain); adURL = PropertiesUtil.getProperty("atlas.ad.url", adURL); adBindDN = PropertiesUtil.getProperty("atlas.ad.bind.dn", adBindDN); adBindPassword = PropertiesUtil.getProperty("atlas.ad.bind.password", 
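Review bot: authenticate now constructs a fresh `ActiveDirectoryLdapAuthenticationProvider(adDomain, adURL)` on every call, and the call to `getAuthenticationWithGrantedAuthority(authentication)` has been dropped, so the authorities a user ends up with are whatever the AD provider returns rather than the Atlas role previously mapped on — if Atlas authorisation keys on its own role names this changes who is allowed in. Build the provider once in the `@PostConstruct` setup (the annotation is already imported) and either restore the authority mapping or document why AD group names are now used directly. As far as this diff shows, `setADProperties` still reads `atlas.ad.bind.dn`, `atlas.ad.bind.password` and the search-filter/base properties although nothing in the class uses them once the bind-authenticator code is removed, which leaves operators maintaining a bind password in configuration that does nothing. authenticate starts before and ends after the hunk.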
@@ -122,32 +111,4 @@ public class AtlasADAuthenticationProvider extends adDefaultRole); } - private LdapContextSource getLdapContextSource() throws Exception { - - LdapContextSource ldapContextSource = new DefaultSpringSecurityContextSource( - adURL); - ldapContextSource.setUserDn(adBindDN); - ldapContextSource.setPassword(adBindPassword); - ldapContextSource.setReferral(adReferral); - ldapContextSource.setCacheEnvironmentProperties(true); - ldapContextSource.setAnonymousReadOnly(false); - ldapContextSource.setPooled(true); - ldapContextSource.afterPropertiesSet(); - - return ldapContextSource; - - } - - private BindAuthenticator getBindAuthenticator( - LdapContextSource ldapContextSource) throws Exception { - FilterBasedLdapUserSearch userSearch = new FilterBasedLdapUserSearch( - adBase, adUserSearchFilter, ldapContextSource); - userSearch.setSearchSubtree(true); - BindAuthenticator bindAuthenticator = new BindAuthenticator( - ldapContextSource); - bindAuthenticator.setUserSearch(userSearch); - bindAuthenticator.afterPropertiesSet(); - return bindAuthenticator; - } - } http://git-wip-us.apache.org/repos/asf/incubator-atlas/blob/34f51a2a/webapp/src/main/java/org/apache/atlas/web/security/AtlasAbstractAuthenticationProvider.java ---------------------------------------------------------------------- diff --git a/webapp/src/main/java/org/apache/atlas/web/security/AtlasAbstractAuthenticationProvider.java b/webapp/src/main/java/org/apache/atlas/web/security/AtlasAbstractAuthenticationProvider.java index b2b11da..5f1a245 100644 --- a/webapp/src/main/java/org/apache/atlas/web/security/AtlasAbstractAuthenticationProvider.java +++ b/webapp/src/main/java/org/apache/atlas/web/security/AtlasAbstractAuthenticationProvider.java 
@@ -67,7 +67,7 @@ public abstract class AtlasAbstractAuthenticationProvider implements */ protected List<GrantedAuthority> getAuthorities(String username) { final List<GrantedAuthority> grantedAuths = new ArrayList<GrantedAuthority>(); - grantedAuths.add(new SimpleGrantedAuthority("ROLE_USER")); + grantedAuths.add(new SimpleGrantedAuthority("DATA_SCIENTIST")); return grantedAuths; } http://git-wip-us.apache.org/repos/asf/incubator-atlas/blob/34f51a2a/webapp/src/main/java/org/apache/atlas/web/security/AtlasAuthenticationProvider.java ---------------------------------------------------------------------- diff --git a/webapp/src/main/java/org/apache/atlas/web/security/AtlasAuthenticationProvider.java b/webapp/src/main/java/org/apache/atlas/web/security/AtlasAuthenticationProvider.java index 7f87bd5..389a609 100644 --- a/webapp/src/main/java/org/apache/atlas/web/security/AtlasAuthenticationProvider.java +++ b/webapp/src/main/java/org/apache/atlas/web/security/AtlasAuthenticationProvider.java @@ -18,6 +18,7 @@ package org.apache.atlas.web.security; import javax.annotation.PostConstruct; + import org.slf4j.Logger; import org.slf4j.LoggerFactory; import org.springframework.beans.factory.annotation.Autowired; 
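Review bot: `getAuthorities` now hard-codes `DATA_SCIENTIST` as the authority for every LDAP/AD-authenticated user in place of `ROLE_USER`, so the role a directory user receives is fixed at compile time; since AtlasADAuthenticationProvider already reads an `adDefaultRole` property, the default belongs in configuration rather than in the base class, e.g. a protected setter or constructor argument that takes the role name, with a Javadoc on `getAuthorities` stating where the value comes from. Also confirm how spring-security.xml matches roles — Spring's `hasRole` expressions prepend `ROLE_` by default, so an unprefixed `DATA_SCIENTIST` authority may not satisfy them.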
@@ -70,12 +71,20 @@ public class AtlasAuthenticationProvider extends .authenticate(authentication); } else if (atlasAuthenticationMethod.equalsIgnoreCase(AUTH_METHOD.LDAP .name())) { - authentication = ldapAuthenticationProvider - .authenticate(authentication); + try { + authentication = ldapAuthenticationProvider + .authenticate(authentication); + } catch (Exception ex) { + LOG.error("Error while LDAP authentication", ex); + } } else if (atlasAuthenticationMethod.equalsIgnoreCase(AUTH_METHOD.AD .name())) { - authentication = adAuthenticationProvider - .authenticate(authentication); + try { + authentication = adAuthenticationProvider + .authenticate(authentication); + } catch (Exception ex) { + LOG.error("Error while AD authentication", ex); + } } else { LOG.error("Invalid authentication method :" + atlasAuthenticationMethod); @@ -84,10 +93,20 @@ public class AtlasAuthenticationProvider extends if (authentication != null && authentication.isAuthenticated()) { return authentication; } else { - LOG.error("Authentication failed."); - throw new AtlasAuthenticationException("Authentication failed."); + // If the LDAP/AD authentication fails try the local file login method + if (atlasAuthenticationMethod.equalsIgnoreCase(AUTH_METHOD.AD + .name()) || atlasAuthenticationMethod.equalsIgnoreCase(AUTH_METHOD.LDAP + .name())) { + authentication = fileAuthenticationProvider + .authenticate(authentication); + } + if (authentication != null && authentication.isAuthenticated()) { + return authentication; + } else { + LOG.error("Authentication failed."); + throw new AtlasAuthenticationException("Authentication failed."); + } } } - } http://git-wip-us.apache.org/repos/asf/incubator-atlas/blob/34f51a2a/webapp/src/main/java/org/apache/atlas/web/security/AtlasFileAuthenticationProvider.java ---------------------------------------------------------------------- 
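Review bot: The two new `catch (Exception ex)` blocks swallow every failure from the directory providers, including `BadCredentialsException` and the `AtlasAuthenticationException` that AtlasLdapAuthenticationProvider itself throws, so a rejected password becomes indistinguishable from an unreachable directory and both continue silently into the fallback below. Catch only the failure that means the directory could not be consulted — `} catch (AuthenticationServiceException ex) {` in both branches is the Spring type for that, assuming it is what these providers surface (worth confirming) — and let credential rejections propagate as the `AuthenticationProvider` contract expects. Logging the full trace at ERROR on every failed login also makes password-guessing noise look like an outage; log the rejection path at WARN without the trace and keep the trace for real connectivity errors. `authenticate` begins before this hunk.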
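Review bot: The fallback passes `authentication` to `fileAuthenticationProvider.authenticate`, but by then that variable holds whatever the LDAP/AD branch returned, which may be `null` or a different token rather than the caller's request; capture the request at the top of the method, `final Authentication request = authentication;`, and pass `request` here. Retrying the users file after any directory failure, including a plain wrong password, turns the local file into a second, always-valid credential set for directory-backed deployments: a directory-side disable or lockout no longer stops a user who also has a file entry, and every guess gets two attempts. Limit the fallback to the directory-unreachable case, gate it behind an explicit configuration switch, and log which provider actually accepted the login so the audit trail can tell the two apart. `authenticate` begins before this hunk.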
diff --git a/webapp/src/main/java/org/apache/atlas/web/security/AtlasFileAuthenticationProvider.java b/webapp/src/main/java/org/apache/atlas/web/security/AtlasFileAuthenticationProvider.java index b3e3354..3e1e2e6 100644 --- a/webapp/src/main/java/org/apache/atlas/web/security/AtlasFileAuthenticationProvider.java +++ b/webapp/src/main/java/org/apache/atlas/web/security/AtlasFileAuthenticationProvider.java @@ -18,6 +18,7 @@ package org.apache.atlas.web.security; import java.util.Collection; +import org.apache.atlas.web.dao.UserDao; import org.apache.log4j.Logger; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.security.authentication.BadCredentialsException; @@ -28,6 +29,7 @@ import org.springframework.security.core.GrantedAuthority; import org.springframework.security.core.userdetails.UserDetails; import org.springframework.security.core.userdetails.UserDetailsService; import org.springframework.stereotype.Component; + @Component public class AtlasFileAuthenticationProvider extends AtlasAbstractAuthenticationProvider { @@ -46,6 +48,7 @@ public class AtlasFileAuthenticationProvider extends AtlasAbstractAuthentication throw new BadCredentialsException( "Username can't be null or empty."); } + if (password == null || password.isEmpty()) { logger.error("Password can't be null or empty."); throw new BadCredentialsException( 
@@ -53,16 +56,16 @@ public class AtlasFileAuthenticationProvider extends AtlasAbstractAuthentication } UserDetails user = userDetailsService.loadUserByUsername(username); - - if (!password.equals(user.getPassword())) { + + String encodedPassword = UserDao.getSha256Hash(password); + + if (!encodedPassword.equals(user.getPassword())) { logger.error("Wrong password " + username); throw new BadCredentialsException("Wrong password"); } - Collection<? extends GrantedAuthority> authorities = getAuthorities(username); + Collection<? extends GrantedAuthority> authorities = user.getAuthorities(); authentication = new UsernamePasswordAuthenticationToken(username, password, authorities); - authentication = getAuthenticationWithGrantedAuthority(authentication); - return authentication; } http://git-wip-us.apache.org/repos/asf/incubator-atlas/blob/34f51a2a/webapp/src/main/java/org/apache/atlas/web/security/AtlasLdapAuthenticationProvider.java ---------------------------------------------------------------------- diff --git a/webapp/src/main/java/org/apache/atlas/web/security/AtlasLdapAuthenticationProvider.java b/webapp/src/main/java/org/apache/atlas/web/security/AtlasLdapAuthenticationProvider.java index d911c1b..e66b930 100644 --- a/webapp/src/main/java/org/apache/atlas/web/security/AtlasLdapAuthenticationProvider.java +++ b/webapp/src/main/java/org/apache/atlas/web/security/AtlasLdapAuthenticationProvider.java @@ -19,9 +19,7 @@ package org.apache.atlas.web.security; import java.util.List; - import javax.annotation.PostConstruct; - import org.apache.atlas.util.PropertiesUtil; import org.apache.atlas.web.model.User; import org.apache.log4j.Logger; 
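Review bot: `!encodedPassword.equals(user.getPassword())` compares the two digests with an early-exit `String.equals`; use `MessageDigest.isEqual(encodedPassword.getBytes(StandardCharsets.UTF_8), user.getPassword().getBytes(StandardCharsets.UTF_8))` so comparison time does not depend on how many leading characters match. `UserDao.getSha256Hash(password)` takes only the password, so the stored value is presumably an unsalted single SHA-256 (the FileAuthenticationTest fixture shows bare 64-hex digests of short passwords), which exposes a leaked users file to precomputed lookups; a salted, iterated scheme such as PBKDF2 via `javax.crypto.SecretKeyFactory`, with an algorithm tag in the `ROLE::hash` format so entries can migrate, would be the defensible choice. The returned `UsernamePasswordAuthenticationToken` still carries the clear-text `password` as its credentials; confirm the authentication manager erases credentials after authentication, or build the token without them. `authenticate` begins before this hunk.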
@@ -107,9 +105,7 @@ public class AtlasLdapAuthenticationProvider extends grantedAuths); final Authentication finalAuthentication = new UsernamePasswordAuthenticationToken( principal, userPassword, grantedAuths); - authentication = ldapAuthenticationProvider - .authenticate(finalAuthentication); - authentication = getAuthenticationWithGrantedAuthority(authentication); + authentication = ldapAuthenticationProvider.authenticate(finalAuthentication); return authentication; } else { throw new AtlasAuthenticationException( @@ -168,7 +164,6 @@ public class AtlasLdapAuthenticationProvider extends defaultLdapAuthoritiesPopulator .setGroupSearchFilter(ldapGroupSearchFilter); defaultLdapAuthoritiesPopulator.setIgnorePartialResultException(true); - return defaultLdapAuthoritiesPopulator; } http://git-wip-us.apache.org/repos/asf/incubator-atlas/blob/34f51a2a/webapp/src/main/resources/atlas-admin-site.xml ---------------------------------------------------------------------- diff --git a/webapp/src/main/resources/atlas-admin-site.xml b/webapp/src/main/resources/atlas-admin-site.xml index ab8ba3d..c4b4be7 100644 --- a/webapp/src/main/resources/atlas-admin-site.xml +++ b/webapp/src/main/resources/atlas-admin-site.xml @@ -34,7 +34,7 @@ <property> <name>atlas.ldap.group.searchfilter</name> <display-name>Group Search Filter</display-name> - <value>(member=uid={0},ou=People,dc=example,dc=com) + <value>(member=uid={0},ou=Users,dc=example,dc=com) </value> <description></description> </property> 
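Review bot: The new line returns the Spring LDAP provider's token as-is and drops the `getAuthenticationWithGrantedAuthority` wrapping, so the authorities on an LDAP login are now exactly what the populator configured in the next hunk (`setGroupSearchFilter(ldapGroupSearchFilter)`) returns, with no default role appended; that is a deliberate authorization change and the line should say so, e.g. `// Authorities come only from the LDAP group search; no default role is added here.` The enclosing method begins before this hunk.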
@@ -91,18 +91,22 @@ <!-- #AD info start --> <property> <name>atlas.ad.url</name> - <value>ldap://172.25.16.111:389</value> + <value>ldap://13.76.128.185:389</value> <description></description> </property> - + <property> + <name>atlas.ad.domain</name> + <value>example.com</value> + <description>Ad Domain</description> + </property> <property> <name>atlas.ad.bind.dn</name> - <value>CN=team,CN=Users,DC=SME,DC=support,DC=com</value> + <value>CN=adadmin admin,CN=Users,DC=example,DC=com</value> <description>AD bind dn or manager dn</description> </property> <property> <name>atlas.ad.bind.password</name> - <value>Abcd1234!!</value> + <value>p@ssword</value> <description>AD bind password</description> </property> <property> @@ -113,7 +117,7 @@ </property> <property> <name>atlas.ad.base.dn</name> - <value>DC=SME,DC=support,DC=com</value> + <value>dc=example,dc=com</value> <description>AD base dn or search base</description> </property> <property> http://git-wip-us.apache.org/repos/asf/incubator-atlas/blob/34f51a2a/webapp/src/main/resources/spring-security.xml ---------------------------------------------------------------------- diff --git a/webapp/src/main/resources/spring-security.xml b/webapp/src/main/resources/spring-security.xml index 8533473..d90b9d6 100644 --- a/webapp/src/main/resources/spring-security.xml +++ b/webapp/src/main/resources/spring-security.xml 
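Review bot: The new defaults put what looks like a reachable directory endpoint, `ldap://13.76.128.185:389`, a privileged bind account, `CN=adadmin admin,CN=Users,DC=example,DC=com`, and its clear-text password `p@ssword` into `atlas-admin-site.xml` under `src/main/resources`, so they ship inside the webapp. Shipped defaults should be obvious placeholders (an `example.com` host and an empty `atlas.ad.bind.password`), the bind password should come from an externalised secret rather than this XML, and anything that was ever committed here should be treated as disclosed and rotated. The scheme is plain `ldap://`, so the bind DN and password cross the network unencrypted on every authentication; the empty `<description>` for `atlas.ad.url` is the place to state that `ldaps://` or StartTLS is expected in production. The `atlas.ldap.group.searchfilter` hunk on the previous line carries the same kind of example data and the same advice applies.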
@@ -11,13 +11,13 @@ language governing permissions and limitations under the License. --> <beans:beans xmlns="http://www.springframework.org/schema/security" - xmlns:beans="http://www.springframework.org/schema/beans" - xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" - xmlns:security="http://www.springframework.org/schema/security" - xmlns:util="http://www.springframework.org/schema/util" - xmlns:oauth="http://www.springframework.org/schema/security/oauth2" - xmlns:context="http://www.springframework.org/schema/context" - xsi:schemaLocation="http://www.springframework.org/schema/beans + xmlns:beans="http://www.springframework.org/schema/beans" + xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" + xmlns:security="http://www.springframework.org/schema/security" + xmlns:util="http://www.springframework.org/schema/util" + xmlns:oauth="http://www.springframework.org/schema/security/oauth2" + xmlns:context="http://www.springframework.org/schema/context" + xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd 
@@ -28,65 +28,62 @@ http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.1.xsd"> - <security:http pattern="/login.jsp" security="none" /> - <security:http pattern="/css/**" security="none" /> - <security:http pattern="/lib/**" security="none" /> + <security:http pattern="/login.jsp" security="none" /> + <security:http pattern="/css/**" security="none" /> + <security:http pattern="/lib/**" security="none" /> - <security:http disable-url-rewriting="true" - use-expressions="true" create-session="always" - entry-point-ref="authenticationProcessingFilterEntryPoint"> - <security:session-management - session-fixation-protection="newSession" /> - <intercept-url pattern="/**" access="isAuthenticated()" /> - <security:custom-filter position="FORM_LOGIN_FILTER" - ref="atlasUsernamePasswordAuthenticationFilter" /> - <security:logout delete-cookies="JSESSIONID" - logout-url="/logout.html" /> - <http-basic entry-point-ref="authenticationProcessingFilterEntryPoint" /> - </security:http> + <security:http disable-url-rewriting="true" + use-expressions="true" create-session="always" + entry-point-ref="entryPoint"> + <security:session-management + session-fixation-protection="newSession" /> + <intercept-url pattern="/**" access="isAuthenticated()" /> - <beans:bean id="atlasUsernamePasswordAuthenticationFilter" - class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter"> - <beans:property name="authenticationManager" - ref="authenticationManager" /> - <beans:property name="authenticationSuccessHandler" - ref="ajaxAuthSuccessHandler" /> - <beans:property name="authenticationFailureHandler" - ref="ajaxAuthFailureHandler" /> - </beans:bean> + <form-login + login-page="/login.jsp" + default-target-url="/index.html" + authentication-failure-url="/login.jsp?error=true" + username-parameter="j_username" + password-parameter="j_password" /> - <beans:bean id="authenticationProcessingFilterEntryPoint" + 
<security:logout logout-success-url="/login.jsp" delete-cookies="JSESSIONID" + logout-url="/logout.html" /> + <http-basic /> + </security:http> + + <beans:bean id="formAuthenticationEntryPoint" class="org.apache.atlas.web.filters.AtlasAuthenticationEntryPoint"> - <beans:property name="loginFormUrl" - value="/login.jsp" /> - <beans:property name="forceHttps" value="false" /> - </beans:bean> + <beans:property name="loginFormUrl" value="/login.jsp" /> + </beans:bean> + + <beans:bean id="authenticationEntryPoint" + class="org.springframework.security.web.authentication.www.BasicAuthenticationEntryPoint"> + <beans:property name="realmName" value="atlas.com" /> + </beans:bean> - <beans:bean id="ajaxAuthSuccessHandler" - class="org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler"> - <beans:property name="defaultTargetUrl" - value="/index.html" /> - </beans:bean> + <beans:bean id="entryPoint" class="org.springframework.security.web.authentication.DelegatingAuthenticationEntryPoint"> + <beans:constructor-arg> + <beans:map> + <beans:entry key="hasHeader('User-Agent','Mozilla')" value-ref="formAuthenticationEntryPoint" /> + </beans:map> + </beans:constructor-arg> + <beans:property name="defaultEntryPoint" ref="authenticationEntryPoint"/> + </beans:bean> - <beans:bean id="ajaxAuthFailureHandler" - class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler"> - <beans:property name="defaultFailureUrl" - value="/login.jsp?login_error=true " /> - </beans:bean> - <beans:bean id="atlasAuthenticationProvider" + <beans:bean id="atlasAuthenticationProvider" class="org.apache.atlas.web.security.AtlasAuthenticationProvider"> - </beans:bean> + </beans:bean> + + <security:authentication-manager + alias="authenticationManager"> + <security:authentication-provider + ref="atlasAuthenticationProvider" /> + </security:authentication-manager> + - <security:authentication-manager - alias="authenticationManager"> - 
<security:authentication-provider - ref="atlasAuthenticationProvider" /> - </security:authentication-manager> + <security:global-method-security + pre-post-annotations="enabled" /> - <security:global-method-security - pre-post-annotations="enabled" /> - - <context:component-scan base-package="org.apache.atlas.web" /> - + <context:component-scan base-package="org.apache.atlas.web" /> </beans:beans> http://git-wip-us.apache.org/repos/asf/incubator-atlas/blob/34f51a2a/webapp/src/main/webapp/WEB-INF/web.xml ---------------------------------------------------------------------- diff --git a/webapp/src/main/webapp/WEB-INF/web.xml b/webapp/src/main/webapp/WEB-INF/web.xml index deb97d9..f0b606e 100755 --- a/webapp/src/main/webapp/WEB-INF/web.xml +++ b/webapp/src/main/webapp/WEB-INF/web.xml @@ -38,6 +38,16 @@ --> <filter> + <filter-name>springSecurityFilterChain</filter-name> + <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class> + </filter> + + <filter-mapping> + <filter-name>springSecurityFilterChain</filter-name> + <url-pattern>/*</url-pattern> + </filter-mapping> + + <filter> <filter-name>guiceFilter</filter-name> <filter-class>com.google.inject.servlet.GuiceFilter</filter-class> </filter> @@ -63,14 +73,6 @@ <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class> </listener> - <filter> - <filter-name>springSecurityFilterChain</filter-name> - <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class> - </filter> - <filter-mapping> - <filter-name>springSecurityFilterChain</filter-name> - <url-pattern>/*</url-pattern> - </filter-mapping> </web-app> \ No newline at end of file http://git-wip-us.apache.org/repos/asf/incubator-atlas/blob/34f51a2a/webapp/src/test/java/org/apache/atlas/examples/QuickStartIT.java ---------------------------------------------------------------------- 
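Review bot: `<http-basic />` is now enabled on the whole `/**` chain and offered (realm `atlas.com`) to every client whose User-Agent does not contain `Mozilla`, yet no `<intercept-url>` carries `requires-channel="https"`, so API clients send base64 credentials in the clear whenever the server is not behind TLS; add `<intercept-url pattern="/**" access="isAuthenticated()" requires-channel="https" />` for TLS deployments, or document that the REST endpoints must only be exposed over TLS. The file targets `spring-security-3.1.xsd`, which has no CSRF protection, and `<security:logout logout-url="/logout.html" />` accepts a plain GET, so a browser session created by the form login (`create-session="always"`) leaves state-changing REST calls and logout open to cross-site requests; until a CSRF filter is added this limitation deserves a comment next to `<form-login>`. A one-line comment on the `DelegatingAuthenticationEntryPoint` bean explaining that the `hasHeader('User-Agent','Mozilla')` split only chooses redirect-to-login versus 401 for browsers and scripts would also help the next reader.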
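Review bot: Moving `springSecurityFilterChain` above `guiceFilter` is what makes authentication run before the Guice-served REST resources, but nothing in the file says the order is load-bearing. A comment on the new `<filter-mapping>`, `<!-- must be mapped before guiceFilter: the security chain has to run before any REST resource is dispatched -->`, would stop a future reordering from silently exposing the API. The second web.xml hunk only removes the old position.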
diff --git a/webapp/src/test/java/org/apache/atlas/examples/QuickStartIT.java b/webapp/src/test/java/org/apache/atlas/examples/QuickStartIT.java
index cfe7488..cdf6049 100644
--- a/webapp/src/test/java/org/apache/atlas/examples/QuickStartIT.java
+++ b/webapp/src/test/java/org/apache/atlas/examples/QuickStartIT.java
@@ -39,7 +39,8 @@ public class QuickStartIT extends BaseResourceIT {
@BeforeClass
public void runQuickStart() throws Exception {
super.setUp();
- QuickStart.main(new String[]{});
+
+ QuickStart.runQuickstart(new String[]{}, new String[]{"admin", "admin"});
}
@Test
http://git-wip-us.apache.org/repos/asf/incubator-atlas/blob/34f51a2a/webapp/src/test/java/org/apache/atlas/web/resources/BaseResourceIT.java
----------------------------------------------------------------------
diff --git a/webapp/src/test/java/org/apache/atlas/web/resources/BaseResourceIT.java b/webapp/src/test/java/org/apache/atlas/web/resources/BaseResourceIT.java
index ab3aa23..d1d1988 100755
--- a/webapp/src/test/java/org/apache/atlas/web/resources/BaseResourceIT.java
+++ b/webapp/src/test/java/org/apache/atlas/web/resources/BaseResourceIT.java
@@ -49,6 +49,7 @@ import org.apache.atlas.typesystem.types.StructTypeDefinition;
import org.apache.atlas.typesystem.types.TraitType;
import org.apache.atlas.typesystem.types.TypeUtils;
import org.apache.atlas.typesystem.types.utils.TypesUtil;
+import org.apache.atlas.utils.AuthenticationUtil;
import org.apache.atlas.utils.ParamChecker;
import org.apache.atlas.web.util.Servlets;
import org.apache.commons.configuration.Configuration;
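Review bot: `QuickStart.runQuickstart(new String[]{}, new String[]{"admin", "admin"})` hard-codes an `admin`/`admin` login (the BaseResourceIT hunk on the next line does the same), which only works if the credentials file shipped with the distro carries that default — the diffstat shows `distro/src/conf/users-credentials.properties` changing in this commit. If a default admin/admin entry is what ships, every install that does not replace the file exposes an administrative account with a guessable password; the tests would be safer writing their own temporary credentials file, as FileAuthenticationTest already does, so the distro default can be empty or disabled. Putting the pair behind a single shared test constant would also make it easy to change.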
@@ -87,7 +88,12 @@ public abstract class BaseResourceIT { client.resource(UriBuilder.fromUri(baseUrl).build()); service = client.resource(UriBuilder.fromUri(baseUrl).build()); - serviceClient = new AtlasClient(baseUrl); + + if (!AuthenticationUtil.isKerberosAuthicationEnabled()) { + serviceClient = new AtlasClient(new String[]{baseUrl}, new String[]{"admin", "admin"}); + } else { + serviceClient = new AtlasClient(baseUrl); + } } protected void createType(TypesDef typesDef) throws Exception { http://git-wip-us.apache.org/repos/asf/incubator-atlas/blob/34f51a2a/webapp/src/test/java/org/apache/atlas/web/security/FileAuthenticationTest.java ---------------------------------------------------------------------- diff --git a/webapp/src/test/java/org/apache/atlas/web/security/FileAuthenticationTest.java b/webapp/src/test/java/org/apache/atlas/web/security/FileAuthenticationTest.java index 7e4c2c8..ae98b61 100644 --- a/webapp/src/test/java/org/apache/atlas/web/security/FileAuthenticationTest.java +++ b/webapp/src/test/java/org/apache/atlas/web/security/FileAuthenticationTest.java @@ -19,6 +19,7 @@ package org.apache.atlas.web.security; import java.io.File; +import java.util.Collection; import org.apache.atlas.ApplicationProperties; import org.apache.atlas.web.TestUtils; import org.apache.commons.configuration.PropertiesConfiguration; @@ -31,6 +32,7 @@ import org.springframework.context.ApplicationContext; import org.springframework.context.support.ClassPathXmlApplicationContext; import org.springframework.security.authentication.BadCredentialsException; import org.springframework.security.core.Authentication; +import org.springframework.security.core.GrantedAuthority; import org.testng.annotations.AfterClass; import org.testng.annotations.BeforeClass; import org.testng.annotations.Test; 
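Review bot: `AuthenticationUtil.isKerberosAuthicationEnabled()` is new public API whose name misspells "Authentication"; since this commit introduces it, renaming it to `isKerberosAuthenticationEnabled()` now is cheap, whereas after callers accumulate it will need a deprecated alias. The non-Kerberos branch also hard-codes `"admin", "admin"`; see the QuickStartIT hunk on the previous line for the concern about shipped default credentials. The enclosing method begins before this hunk.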
@@ -87,9 +89,11 @@ public class FileAuthenticationTest { private void setupUserCredential(String tmpDir) throws Exception { StringBuilder credentialFileStr = new StringBuilder(1024); - credentialFileStr.append("admin=admin123\n"); - credentialFileStr.append("user=user123\n"); - credentialFileStr.append("test=test123\n"); + credentialFileStr.append("admin=ADMIN::8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918\n"); + credentialFileStr.append("michael=DATA_SCIENTIST::95bfb24de17d285d734b9eaa9109bfe922adc85f20d2e5e66a78bddb4a4ebddb\n"); + credentialFileStr.append("paul=DATA_STEWARD::e7c0dcf5f8a93e93791e9bac1ae454a691c1d2a902fc4256d489e96c1b9ac68c\n"); + credentialFileStr.append("user= \n"); + credentialFileStr.append("user12= ::bd35283fe8fcfd77d7c05a8bf2adb85c773281927e12c9829c72a9462092f7c4\n"); File credentialFile = new File(tmpDir, "users-credentials"); FileUtils.write(credentialFile, credentialFileStr.toString()); } @@ -98,7 +102,7 @@ public class FileAuthenticationTest { public void testValidUserLogin() { when(authentication.getName()).thenReturn("admin"); - when(authentication.getCredentials()).thenReturn("admin123"); + when(authentication.getCredentials()).thenReturn("admin"); Authentication auth = authProvider.authenticate(authentication); LOG.debug(" " + auth); 
@@ -133,6 +137,54 @@ public class FileAuthenticationTest {
}
}
+ @Test
+ public void testLoginWhenRoleIsNotSet() {
+
+ when(authentication.getName()).thenReturn("user12"); // for this user role is not set properly
+ when(authentication.getCredentials()).thenReturn("user12");
+ try {
+ Authentication auth = authProvider.authenticate(authentication);
+ LOG.debug(" " + auth);
+ } catch (AtlasAuthenticationException uExp) {
+ Assert.assertTrue(uExp.getMessage().startsWith("User role credentials is not set properly for"));
+ }
+ }
+
+
+ @Test
+ public void testLoginWhenRolePasswordNotSet() {
+
+ when(authentication.getName()).thenReturn("user"); // for this user password details are set blank
+ when(authentication.getCredentials()).thenReturn("P@ssword");
+ try {
+ Authentication auth = authProvider.authenticate(authentication);
+ LOG.debug(" " + auth);
+ } catch (UsernameNotFoundException uExp) {
+ Assert.assertTrue(uExp.getMessage().startsWith("Username not found"));
+ }
+ }
+
+ @Test
+ public void testUserRoleMapping() {
+
+ when(authentication.getName()).thenReturn("admin");
+ when(authentication.getCredentials()).thenReturn("admin");
+
+ Authentication auth = authProvider.authenticate(authentication);
+ LOG.debug(" " + auth);
+
+ Assert.assertTrue(auth.isAuthenticated());
+
+ Collection<? extends GrantedAuthority> authorities = auth.getAuthorities();
+
+ String role = "";
+ for (GrantedAuthority gauth : authorities) {
+ role = gauth.getAuthority();
+ }
+ Assert.assertTrue("ADMIN".equals(role));
+ }
+
+
@AfterClass
public void tearDown() throws Exception {
http://git-wip-us.apache.org/repos/asf/incubator-atlas/blob/34f51a2a/webapp/src/test/java/org/apache/atlas/web/security/NegativeSSLAndKerberosTest.java
----------------------------------------------------------------------
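Review bot: `testLoginWhenRoleIsNotSet` and `testLoginWhenRolePasswordNotSet` assert only inside their `catch` blocks, so if `authProvider.authenticate` unexpectedly succeeds — exactly the regression these tests exist to catch — neither test fails. Add `Assert.fail("expected the login to be rejected");` directly after the `authenticate` call in each, or declare them with TestNG's `@Test(expectedExceptions = ...)` and drop the try/catch. `testUserRoleMapping` keeps only the last authority seen in the loop; an `Assert.assertEquals(1, authorities.size());` before the loop would pin that exactly one role is granted rather than merely that `ADMIN` is last.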
diff --git a/webapp/src/test/java/org/apache/atlas/web/security/NegativeSSLAndKerberosTest.java b/webapp/src/test/java/org/apache/atlas/web/security/NegativeSSLAndKerberosTest.java
index 9aac32a..4d7794a 100755
--- a/webapp/src/test/java/org/apache/atlas/web/security/NegativeSSLAndKerberosTest.java
+++ b/webapp/src/test/java/org/apache/atlas/web/security/NegativeSSLAndKerberosTest.java
@@ -60,7 +60,6 @@ public class NegativeSSLAndKerberosTest extends BaseSSLAndKerberosTest {
// client will actually only leverage subset of these properties
final PropertiesConfiguration configuration = getSSLConfiguration(providerUrl);
- configuration.setProperty("atlas.http.authentication.type", "kerberos");
TestUtils.writeConfiguration(configuration, persistDir + File.separator + ApplicationProperties.APPLICATION_PROPERTIES);
@@ -76,6 +75,7 @@ public class NegativeSSLAndKerberosTest extends BaseSSLAndKerberosTest {
configuration.setProperty(TLS_ENABLED, true);
configuration.setProperty("atlas.http.authentication.enabled", "true");
+ configuration.setProperty("atlas.http.authentication.type", "kerberos");
configuration.setProperty("atlas.http.authentication.kerberos.principal", "HTTP/localhost@" + kdc.getRealm());
configuration.setProperty("atlas.http.authentication.kerberos.keytab", httpKeytabFile.getAbsolutePath());
configuration.setProperty("atlas.http.authentication.kerberos.name.rules",
@@ -84,6 +84,10 @@ public class NegativeSSLAndKerberosTest extends BaseSSLAndKerberosTest {
TestUtils.writeConfiguration(configuration, persistDir + File.separator + ApplicationProperties.APPLICATION_PROPERTIES);
+ // save original setting
+ originalConf = System.getProperty("atlas.conf");
+ System.setProperty("atlas.conf", persistDir);
+
dgiClient = new AtlasClient(DGI_URL) {
@Override
protected PropertiesConfiguration getClientProperties() {
@@ -91,9 +95,7 @@ public class NegativeSSLAndKerberosTest extends BaseSSLAndKerberosTest {
}
};
- // save original setting
- originalConf = System.getProperty("atlas.conf");
- System.setProperty("atlas.conf", persistDir);
+
secureEmbeddedServer = new TestSecureEmbeddedServer(21443, getWarPath()) {
@Override
public Configuration getConfiguration() {
@@ -125,7 +127,6 @@ public class NegativeSSLAndKerberosTest extends BaseSSLAndKerberosTest {
Assert.fail("Should have failed with GSSException");
} catch(Exception e) {
e.printStackTrace();
- Assert.assertTrue(e.getMessage().contains("Mechanism level: Failed to find any Kerberos tgt"));
}
}
}
http://git-wip-us.apache.org/repos/asf/incubator-atlas/blob/34f51a2a/webapp/src/test/java/org/apache/atlas/web/security/SSLAndKerberosTest.java
----------------------------------------------------------------------
diff --git a/webapp/src/test/java/org/apache/atlas/web/security/SSLAndKerberosTest.java b/webapp/src/test/java/org/apache/atlas/web/security/SSLAndKerberosTest.java
index 2be52e7..b550f70 100755
--- a/webapp/src/test/java/org/apache/atlas/web/security/SSLAndKerberosTest.java
+++ b/webapp/src/test/java/org/apache/atlas/web/security/SSLAndKerberosTest.java
@@ -69,7 +69,7 @@ public class SSLAndKerberosTest extends BaseSSLAndKerberosTest {
// client will actually only leverage subset of these properties
final PropertiesConfiguration configuration = getSSLConfiguration(providerUrl);
- configuration.setProperty("atlas.http.authentication.type", "kerberos");
+
TestUtils.writeConfiguration(configuration, persistDir + File.separator + ApplicationProperties.APPLICATION_PROPERTIES);
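Review bot: Removing `Assert.assertTrue(e.getMessage().contains("Mechanism level: Failed to find any Kerberos tgt"))` leaves `catch(Exception e) { e.printStackTrace(); }` as the only check, so this negative test now passes on any exception — a refused connection, a TLS handshake failure or a NullPointerException all look like the intended missing-TGT rejection. Replace the brittle message match with a type check rather than nothing: walk `e` through `getCause()` and assert that a `org.ietf.jgss.GSSException` (or whichever authentication exception the client actually surfaces — worth confirming) is present, and drop the `printStackTrace()` in favour of including `e` in the failure message. The test method begins before this hunk.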
@@ -83,6 +83,7 @@ public class SSLAndKerberosTest extends BaseSSLAndKerberosTest {
configuration.load(url);
configuration.setProperty(TLS_ENABLED, true);
configuration.setProperty("atlas.http.authentication.enabled", "true");
+ configuration.setProperty("atlas.http.authentication.type", "kerberos");
configuration.setProperty("atlas.http.authentication.kerberos.principal", "HTTP/localhost@" + kdc.getRealm());
configuration.setProperty("atlas.http.authentication.kerberos.keytab", httpKeytabFile.getAbsolutePath());
configuration.setProperty("atlas.http.authentication.kerberos.name.rules",
http://git-wip-us.apache.org/repos/asf/incubator-atlas/blob/34f51a2a/webapp/src/test/java/org/apache/atlas/web/security/UserDaoTest.java
----------------------------------------------------------------------
diff --git a/webapp/src/test/java/org/apache/atlas/web/security/UserDaoTest.java b/webapp/src/test/java/org/apache/atlas/web/security/UserDaoTest.java
index 5b5c70e..2648ca7 100644
--- a/webapp/src/test/java/org/apache/atlas/web/security/UserDaoTest.java
+++ b/webapp/src/test/java/org/apache/atlas/web/security/UserDaoTest.java
@@ -16,11 +16,12 @@
*/
package org.apache.atlas.web.security;
+import java.util.Collection;
import java.util.Properties;
-
import org.apache.atlas.web.dao.UserDao;
import org.apache.atlas.web.model.User;
import org.junit.Assert;
+import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.testng.annotations.Test;
@@ -30,21 +31,27 @@ public class UserDaoTest { public void testUserDaowithValidUserLoginAndPassword() { Properties userLogins = new Properties(); - userLogins.put("admin", "admin123"); + userLogins.put("admin", "ADMIN::admin123"); UserDao user = new UserDao(); user.setUserLogins(userLogins); User userBean = user.loadUserByUsername("admin"); Assert.assertTrue(userBean.getPassword().equals("admin123")); + Collection<? extends GrantedAuthority> authorities = userBean.getAuthorities(); + String role = ""; + for (GrantedAuthority gauth : authorities) { + role = gauth.getAuthority(); + } + Assert.assertTrue("ADMIN".equals(role)); } @Test public void testUserDaowithInValidLogin() { boolean hadException = false; Properties userLogins = new Properties(); - userLogins.put("admin", "admin123"); - userLogins.put("test", "test123"); + userLogins.put("admin", "ADMIN::admin123"); + userLogins.put("test", "DATA_STEWARD::test123"); UserDao user = new UserDao(); user.setUserLogins(userLogins);
