Repository: incubator-atlas Updated Branches: refs/heads/master aa67f8aee -> 42de59132
ATLAS-1508: Make AtlasADAuthenticationProvider like Ranger ADLdap Methods Signed-off-by: Madhan Neethiraj <[email protected]> Project: http://git-wip-us.apache.org/repos/asf/incubator-atlas/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-atlas/commit/42de5913 Tree: http://git-wip-us.apache.org/repos/asf/incubator-atlas/tree/42de5913 Diff: http://git-wip-us.apache.org/repos/asf/incubator-atlas/diff/42de5913 Branch: refs/heads/master Commit: 42de5913256e7e40c2833de6ee76d7a3eea698b1 Parents: aa67f8a Author: Greg Senia <[email protected]> Authored: Tue Feb 14 21:31:50 2017 -0800 Committer: Madhan Neethiraj <[email protected]> Committed: Tue Feb 14 21:53:24 2017 -0800 ---------------------------------------------------------------------- release-log.txt | 1 + .../security/AtlasADAuthenticationProvider.java | 84 +++++++++++++++++--- 2 files changed, 75 insertions(+), 10 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-atlas/blob/42de5913/release-log.txt ---------------------------------------------------------------------- diff --git a/release-log.txt b/release-log.txt index 33dc8ce..f3bbc06 100644 --- a/release-log.txt +++ b/release-log.txt 
@@ -9,6 +9,7 @@ ATLAS-1060 Add composite indexes for exact match performance improvements for al ATLAS-1127 Modify creation and modification timestamps to Date instead of Long(sumasai) ALL CHANGES: +ATLAS-1508 Make AtlasADAuthenticationProvider like Ranger ADLdap Methods (gss2002 via mneethiraj) ATLAS-1555 Move classification endpoint from Entities API to Entity API and remove Entities API (svimal2106) ATLAS-1548 Create entity : Change PUT and POST object structure based on new API Changes (kevalbhatt) ATLAS-1522 entity type attributes (like hive_table.sd, hive_table.columns) should use AtlasObjectId as value instead of entire entity contents (mneethiraj) http://git-wip-us.apache.org/repos/asf/incubator-atlas/blob/42de5913/webapp/src/main/java/org/apache/atlas/web/security/AtlasADAuthenticationProvider.java ---------------------------------------------------------------------- diff --git a/webapp/src/main/java/org/apache/atlas/web/security/AtlasADAuthenticationProvider.java b/webapp/src/main/java/org/apache/atlas/web/security/AtlasADAuthenticationProvider.java index 3a6a9e1..d78990b 100644 --- a/webapp/src/main/java/org/apache/atlas/web/security/AtlasADAuthenticationProvider.java +++ b/webapp/src/main/java/org/apache/atlas/web/security/AtlasADAuthenticationProvider.java 
@@ -29,12 +29,17 @@ import org.apache.commons.configuration.Configuration; import org.apache.commons.configuration.ConfigurationConverter; import org.slf4j.Logger; import org.slf4j.LoggerFactory; +import org.springframework.ldap.core.support.LdapContextSource; import org.springframework.security.authentication.UsernamePasswordAuthenticationToken; import org.springframework.security.core.Authentication; import org.springframework.security.core.AuthenticationException; import org.springframework.security.core.GrantedAuthority; import org.springframework.security.core.userdetails.UserDetails; +import org.springframework.security.ldap.DefaultSpringSecurityContextSource; +import org.springframework.security.ldap.authentication.BindAuthenticator; +import org.springframework.security.ldap.authentication.LdapAuthenticationProvider; import org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider; +import org.springframework.security.ldap.search.FilterBasedLdapUserSearch; import org.springframework.stereotype.Component; @Component 
@@ -58,17 +63,75 @@ public class AtlasADAuthenticationProvider extends
     }
     @Override
-    public Authentication authenticate(Authentication authentication)
-            throws AuthenticationException {
+    public Authentication authenticate(Authentication authentication) {
+        Authentication auth = getADBindAuthentication(authentication);
+        if (auth != null && auth.isAuthenticated()) {
+            return auth;
+        } else {
+            auth = getADAuthentication(authentication);
+            if (auth != null && auth.isAuthenticated()) {
+                return auth;
+            }
+        }
+        if (auth == null) {
+            throw new AtlasAuthenticationException("AD Authentication Failed");
+        }
+        return auth;
+    }
+
+    private Authentication getADBindAuthentication (Authentication authentication) {
         try {
-            return getADBindAuthentication(authentication);
+            String userName = authentication.getName();
+            String userPassword = "";
+            if (authentication.getCredentials() != null) {
+                userPassword = authentication.getCredentials().toString();
+            }
+
+            LdapContextSource ldapContextSource = new DefaultSpringSecurityContextSource(adURL);
+            ldapContextSource.setUserDn(adBindDN);
+            ldapContextSource.setPassword(adBindPassword);
+            ldapContextSource.setReferral(adReferral);
+            ldapContextSource.setCacheEnvironmentProperties(true);
+            ldapContextSource.setAnonymousReadOnly(false);
+            ldapContextSource.setPooled(true);
+            ldapContextSource.afterPropertiesSet();
+
+            if (adUserSearchFilter==null || adUserSearchFilter.trim().isEmpty()) {
+                adUserSearchFilter="(sAMAccountName={0})";
+            }
+            FilterBasedLdapUserSearch userSearch=new FilterBasedLdapUserSearch(adBase, adUserSearchFilter,ldapContextSource);
+            userSearch.setSearchSubtree(true);
+
+            BindAuthenticator bindAuthenticator = new BindAuthenticator(ldapContextSource);
+            bindAuthenticator.setUserSearch(userSearch);
+            bindAuthenticator.afterPropertiesSet();
+
+            LdapAuthenticationProvider ldapAuthenticationProvider = new LdapAuthenticationProvider(bindAuthenticator);
+
+            if (userName != null && userPassword != null
+                    &&
!userName.trim().isEmpty()
+                    && !userPassword.trim().isEmpty()) {
+                final List<GrantedAuthority> grantedAuths = getAuthorities(userName);
+                final UserDetails principal = new User(userName, userPassword,
+                        grantedAuths);
+                final Authentication finalAuthentication = new UsernamePasswordAuthenticationToken(
+                        principal, userPassword, grantedAuths);
+                authentication = ldapAuthenticationProvider.authenticate(finalAuthentication);
+                if (groupsFromUGI) {
+                    authentication = getAuthenticationWithGrantedAuthorityFromUGI(authentication);
+                }
+                return authentication;
+            } else {
+                LOG.error("AD Authentication Failed userName or userPassword is null or empty");
+                return null;
+            }
         } catch (Exception e) {
-            throw new AtlasAuthenticationException(e.getMessage(), e.getCause());
+            LOG.error("AD Authentication Failed:", e);
+            return null;
         }
     }
-    private Authentication getADBindAuthentication(Authentication authentication)
-            throws Exception {
+    private Authentication getADAuthentication(Authentication authentication) {
         try {
             String userName = authentication.getName();
             String userPassword = "";
@@ -78,6 +141,8 @@ public class AtlasADAuthenticationProvider extends
             ActiveDirectoryLdapAuthenticationProvider adAuthenticationProvider = new ActiveDirectoryLdapAuthenticationProvider(adDomain, adURL);
+            adAuthenticationProvider.setConvertSubErrorCodesToExceptions(true);
+            adAuthenticationProvider.setUseAuthenticationRequestCredentials(true);
             if (userName != null && userPassword != null && !userName.trim().isEmpty()
@@ -93,13 +158,12 @@ public class AtlasADAuthenticationProvider extends
             }
             return authentication;
         } else {
-            throw new AtlasAuthenticationException(
-                    "AD Authentication Failed userName or userPassword is null or empty");
+            LOG.error("AD Authentication Failed userName or userPassword is null or empty");
+            return null;
         }
     } catch (Exception e) {
         LOG.error("AD Authentication Failed:", e);
-        throw new AtlasAuthenticationException("AD Authentication Failed ",
-                e);
+        return null;
     }
 }
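Review bot: The trailing `return auth;` in the new `authenticate()` can return an unauthenticated token to the caller: if either helper yields a non-null result whose `isAuthenticated()` is false, the `auth == null` guard does not fire and the token is returned instead of an exception being thrown, and a Spring Security `ProviderManager` takes any non-null result from a provider as success. The guard should be `if (auth == null || !auth.isAuthenticated()) { throw new AtlasAuthenticationException("AD Authentication Failed"); }` with the final `return auth;` removed. Relatedly, `getADBindAuthentication` here and `getADAuthentication` in the `@@ -93,13 +158,12 @@` hunk now catch `Exception`, log at ERROR and return null, so the distinction between a bad password, an unreachable server and a rejected bind account is lost for both the caller and the operator; keeping the caught exception as the cause of the final `AtlasAuthenticationException` and logging expected credential failures below ERROR would preserve it. A new pooled `DefaultSpringSecurityContextSource` is also built on every call in `getADBindAuthentication`; presumably it could be built once at bean initialisation (the constructor and fields are outside these hunks), which would avoid creating a fresh connection pool per login attempt, and the `adUserSearchFilter` default could then be applied there instead of mutating the field inside the request path.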
