Repository: incubator-atlas Updated Branches: refs/heads/master 7753f2e86 -> a4b16bbab
ATLAS-1538 Make AtlasLdapAuthenticationProvider like Ranger for OpenLdap type Project: http://git-wip-us.apache.org/repos/asf/incubator-atlas/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-atlas/commit/a4b16bba Tree: http://git-wip-us.apache.org/repos/asf/incubator-atlas/tree/a4b16bba Diff: http://git-wip-us.apache.org/repos/asf/incubator-atlas/diff/a4b16bba Branch: refs/heads/master Commit: a4b16bbabadb59ae071ff472d95df822ced71e43 Parents: 7753f2e Author: nixonrodrigues <[email protected]> Authored: Wed Feb 8 15:18:53 2017 +0530 Committer: kevalbhatt <[email protected]> Committed: Fri Mar 3 19:14:26 2017 +0530 ---------------------------------------------------------------------- release-log.txt | 1 + .../AtlasAbstractAuthenticationProvider.java | 24 +++- .../AtlasLdapAuthenticationProvider.java | 110 +++++++++++++++++-- 3 files changed, 122 insertions(+), 13 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-atlas/blob/a4b16bba/release-log.txt ----------------------------------------------------------------------
diff --git a/release-log.txt b/release-log.txt
index d9bafd6..921543c 100644
--- a/release-log.txt
+++ b/release-log.txt
@@ -9,6 +9,7 @@ ATLAS-1060 Add composite indexes for exact match performance improvements for al
 ATLAS-1127 Modify creation and modification timestamps to Date instead of Long(sumasai)
 ALL CHANGES:
+ATLAS-1538 Make AtlasLdapAuthenticationProvider like Ranger for OpenLdap type (nixonrodrigues via kevalbhatt)
 ATLAS-1605 Edit Entity in UI : Update button is not enabled when updating attribute of type date (Kalyanikashikar via kevalbhatt)
 ATLAS-1595:Create Entity in UI : All attributes are not listed for hdfs_path. (Kalyanikashikar via kevalbhatt)
 ATLAS-1618: updated export to support scope option - full/connected
http://git-wip-us.apache.org/repos/asf/incubator-atlas/blob/a4b16bba/webapp/src/main/java/org/apache/atlas/web/security/AtlasAbstractAuthenticationProvider.java ----------------------------------------------------------------------
diff --git a/webapp/src/main/java/org/apache/atlas/web/security/AtlasAbstractAuthenticationProvider.java b/webapp/src/main/java/org/apache/atlas/web/security/AtlasAbstractAuthenticationProvider.java
index 74bfb97..e55d2cf 100644
--- a/webapp/src/main/java/org/apache/atlas/web/security/AtlasAbstractAuthenticationProvider.java
+++ b/webapp/src/main/java/org/apache/atlas/web/security/AtlasAbstractAuthenticationProvider.java
@@ -97,18 +97,30 @@ public abstract class AtlasAbstractAuthenticationProvider implements
 public static List<GrantedAuthority> getAuthoritiesFromUGI(String userName) {
 List<GrantedAuthority> grantedAuths = new ArrayList<GrantedAuthority>();
- Configuration config = new Configuration();
- try {
- Groups gp = new Groups(config);
- List<String> userGroups = gp.getGroups(userName);
+ UserGroupInformation ugi = UserGroupInformation.createRemoteUser(userName);
+ if (ugi != null) {
+ String[] userGroups = ugi.getGroupNames();
 if (userGroups != null) {
 for (String group : userGroups) {
 grantedAuths.add(new SimpleGrantedAuthority(group));
 }
 }
- } catch (java.io.IOException e) {
- LOG.error("Exception while fetching groups ", e);
+ }
+ // if group empty take groups from UGI LDAP-based group mapping
+ if (grantedAuths != null && grantedAuths.isEmpty()) {
+ try {
+ Configuration config = new Configuration();
+ Groups gp = new Groups(config);
+ List<String> userGroups = gp.getGroups(userName);
+ if (userGroups != null) {
+ for (String group : userGroups) {
+ grantedAuths.add(new SimpleGrantedAuthority(group));
+ }
+ }
+ } catch (java.io.IOException e) {
+ LOG.error("Exception while fetching groups ", e);
+ }
 }
 return grantedAuths;
 }
http://git-wip-us.apache.org/repos/asf/incubator-atlas/blob/a4b16bba/webapp/src/main/java/org/apache/atlas/web/security/AtlasLdapAuthenticationProvider.java ----------------------------------------------------------------------
diff --git a/webapp/src/main/java/org/apache/atlas/web/security/AtlasLdapAuthenticationProvider.java b/webapp/src/main/java/org/apache/atlas/web/security/AtlasLdapAuthenticationProvider.java
index f5ef058..6b5ae90 100644
--- a/webapp/src/main/java/org/apache/atlas/web/security/AtlasLdapAuthenticationProvider.java
+++ b/webapp/src/main/java/org/apache/atlas/web/security/AtlasLdapAuthenticationProvider.java
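Review bot: The guard `if (grantedAuths != null && grantedAuths.isEmpty())` on the fallback branch can be reduced to `if (grantedAuths.isEmpty())`, since `grantedAuths` is assigned `new ArrayList<GrantedAuthority>()` at the top of the method and never reassigned; the `ugi != null` check looks equally dead, because as far as I know `UserGroupInformation.createRemoteUser` throws `IllegalArgumentException` for a null or empty name rather than returning null, so an empty `userName` now leaves this method as an unchecked exception where the old code only logged. When both lookups yield nothing the method returns an empty list silently (the UGI path cannot throw and the `IOException` handler only covers the second lookup), so a misconfigured group mapping is indistinguishable from a user with no groups; a `LOG.warn("No groups resolved for user " + userName);` before `return grantedAuths;` when the list is still empty would make that visible to operators. The two copy loops are identical and could share one small private helper. A Javadoc sentence stating the resolution order — UGI group names first, then the Hadoop `Groups` mapping only when that returned nothing — would also help, since the inline comment does not say which source wins.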
@@ -18,9 +18,11 @@ package org.apache.atlas.web.security;
+import java.util.ArrayList;
 import java.util.List;
 import java.util.Properties;
 import javax.annotation.PostConstruct;
+
 import org.apache.atlas.ApplicationProperties;
 import org.apache.atlas.web.model.User;
 import org.apache.commons.configuration.Configuration;
@@ -39,11 +41,13 @@ import org.springframework.security.ldap.authentication.LdapAuthenticationProvid
 import org.springframework.security.ldap.search.FilterBasedLdapUserSearch;
 import org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator;
 import org.springframework.stereotype.Component;
+import org.apache.commons.lang.StringUtils;
 @Component
 public class AtlasLdapAuthenticationProvider extends AtlasAbstractAuthenticationProvider {
 private static Logger LOG = LoggerFactory.getLogger(AtlasLdapAuthenticationProvider.class);
+ private boolean isDebugEnabled = LOG.isDebugEnabled();
 private String ldapURL;
 private String ldapUserDNPattern;
@@ -67,15 +71,27 @@ public class AtlasLdapAuthenticationProvider extends
 public Authentication authenticate(Authentication authentication) throws AuthenticationException {
 try {
- return getLdapBindAuthentication(authentication);
+ authentication = getLdapBindAuthentication(authentication);
+ if (authentication != null && authentication.isAuthenticated()) {
+ return authentication;
+ } else {
+ authentication = getLdapAuthentication(authentication);
+ if (authentication != null && authentication.isAuthenticated()) {
+ return authentication;
+ }
+ }
 } catch (Exception e) {
 throw new AtlasAuthenticationException(e.getMessage(), e.getCause());
 }
+ return authentication;
 }
 private Authentication getLdapBindAuthentication( Authentication authentication) throws Exception {
 try {
+ if (isDebugEnabled) {
+ LOG.debug("==> AtlasLdapAuthenticationProvider getLdapBindAuthentication");
+ }
 String userName = authentication.getName();
 String userPassword = "";
 if (authentication.getCredentials() != null) {
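Review bot: `private boolean isDebugEnabled = LOG.isDebugEnabled();` in the `@@ -39,11 +41,13 @@` hunk snapshots the debug level once per provider instance, so raising the log level at runtime to diagnose an LDAP failure will not switch on the new `==>`/`<==` trace lines until the bean is recreated. The guarded calls pass plain string literals, so there is no concatenation cost to avoid; calling `LOG.isDebugEnabled()` at each site, or simply `LOG.debug(...)`, keeps the check live. The new `import org.apache.commons.lang.StringUtils;` is also placed after the `org.springframework` imports while the other `org.apache` imports are grouped earlier in the file; moving it into that group keeps the ordering consistent.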
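Review bot: When both strategies fail, `authenticate` now falls through to the new `return authentication;` and hands back the caller's own unauthenticated token, where the old code surfaced an `AtlasAuthenticationException`; Spring's `AuthenticationProvider` contract is to return null or throw, and `ProviderManager` treats any non-null result as a success (it does not, as far as I know, check `isAuthenticated()`), so unless the enclosing Atlas provider re-checks that flag — which is outside this diff — a failed LDAP login can end up installed in the security context. Failing closed here is a one-line change: `throw new AtlasAuthenticationException("LDAP authentication failed for user " + authentication.getName());` in place of the final return. The same pattern appears in the `@@ -115,15 +131,95 @@` hunk, where both `getLdapBindAuthentication` and `getLdapAuthentication` now log and return the input token on the empty-credentials path and from `catch (Exception e)`, so a bind failure no longer reaches the caller as an exception either. The pre-existing wrapper `new AtlasAuthenticationException(e.getMessage(), e.getCause())` also drops `e` itself from the cause chain; passing `e` keeps the LDAP stack trace in the log. The body of `getLdapBindAuthentication` continues outside this hunk.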
@@ -115,15 +131,95 @@ public class AtlasLdapAuthenticationProvider extends
 }
 return authentication;
 } else {
- throw new AtlasAuthenticationException(
- "LDAP Authentication::userName or userPassword is null or empty for userName "
- + userName);
+ LOG.error("LDAP Authentication::userName or userPassword is null or empty for userName "
+ + userName);
 }
 } catch (Exception e) {
- LOG.error("LDAP Authentication Failed:", e);
- throw new AtlasAuthenticationException(
- "LDAP Authentication Failed", e);
+ LOG.error(" getLdapBindAuthentication LDAP Authentication Failed:", e);
+ }
+ if (isDebugEnabled) {
+ LOG.debug("<== AtlasLdapAuthenticationProvider getLdapBindAuthentication");
+ }
+ return authentication;
+ }
+
+ private Authentication getLdapAuthentication(Authentication authentication) {
+
+ if (isDebugEnabled) {
+ LOG.debug("==> AtlasLdapAuthenticationProvider getLdapAuthentication");
+ }
+
+ try {
+ // taking the user-name and password from the authentication
+ // object.
+ String userName = authentication.getName();
+ String userPassword = "";
+ if (authentication.getCredentials() != null) {
+ userPassword = authentication.getCredentials().toString();
+ }
+
+ // populating LDAP context source with LDAP URL and user-DN-pattern
+ LdapContextSource ldapContextSource = new DefaultSpringSecurityContextSource(
+ ldapURL);
+
+ ldapContextSource.setCacheEnvironmentProperties(false);
+ ldapContextSource.setAnonymousReadOnly(true);
+
+ // Creating BindAuthenticator using Ldap Context Source.
+ BindAuthenticator bindAuthenticator = new BindAuthenticator(
+ ldapContextSource);
+ //String[] userDnPatterns = new String[] { rangerLdapUserDNPattern };
+ String[] userDnPatterns = ldapUserDNPattern.split(";");
+ bindAuthenticator.setUserDnPatterns(userDnPatterns);
+
+ LdapAuthenticationProvider ldapAuthenticationProvider = null;
+
+ if (!StringUtils.isEmpty(ldapGroupSearchBase) && !StringUtils.isEmpty(ldapGroupSearchFilter)) {
+ // Creating LDAP authorities populator using Ldap context source and
+ // Ldap group search base.
+ // populating LDAP authorities populator with group search
+ // base,group role attribute, group search filter.
+ DefaultLdapAuthoritiesPopulator defaultLdapAuthoritiesPopulator = new DefaultLdapAuthoritiesPopulator(
+ ldapContextSource, ldapGroupSearchBase);
+ defaultLdapAuthoritiesPopulator.setGroupRoleAttribute(ldapGroupRoleAttribute);
+ defaultLdapAuthoritiesPopulator.setGroupSearchFilter(ldapGroupSearchFilter);
+ defaultLdapAuthoritiesPopulator.setIgnorePartialResultException(true);
+
+ // Creating Ldap authentication provider using BindAuthenticator and Ldap authentication populator
+ ldapAuthenticationProvider = new LdapAuthenticationProvider(
+ bindAuthenticator, defaultLdapAuthoritiesPopulator);
+ } else {
+ ldapAuthenticationProvider = new LdapAuthenticationProvider(bindAuthenticator);
+ }
+
+ // getting user authenticated
+ if (userName != null && userPassword != null
+ && !userName.trim().isEmpty()
+ && !userPassword.trim().isEmpty()) {
+ final List<GrantedAuthority> grantedAuths = getAuthorities(userName);
+
+ final UserDetails principal = new User(userName, userPassword,
+ grantedAuths);
+
+ final Authentication finalAuthentication = new UsernamePasswordAuthenticationToken(
+ principal, userPassword, grantedAuths);
+
+ authentication = ldapAuthenticationProvider
+ .authenticate(finalAuthentication);
+ if (groupsFromUGI) {
+ authentication = getAuthenticationWithGrantedAuthorityFromUGI(authentication);
+ }
+ return authentication;
+ } else {
+ return authentication;
+ }
+ } catch (Exception e) {
+ LOG.error("getLdapAuthentication LDAP Authentication Failed:", e);
+ }
+ if (isDebugEnabled) {
+ LOG.debug("<== AtlasLdapAuthenticationProvider getLdapAuthentication");
 }
+ return authentication;
 }
 private void setLdapProperties() {
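Review bot: `ldapUserDNPattern.split(";")` throws `NullPointerException` when the DN-pattern property is unset, and the surrounding `catch (Exception e)` turns that into the generic `getLdapAuthentication LDAP Authentication Failed:` log line and an unauthenticated return, so a configuration error is indistinguishable from a wrong password; the pattern (and `ldapURL`) should be validated once where the properties are read rather than on every login. The context source, `BindAuthenticator` and `LdapAuthenticationProvider` are likewise rebuilt on each call; constructing them once after `setLdapProperties()` would keep the hot path to the bind itself. The commented-out `//String[] userDnPatterns = new String[] { rangerLdapUserDNPattern };` names a Ranger variable that nothing in this hunk declares and should be deleted. `ldapContextSource.setAnonymousReadOnly(true)` means the group search performed by `DefaultLdapAuthoritiesPopulator` runs, if I read Spring LDAP correctly, over an anonymous bind, and with `setIgnorePartialResultException(true)` a directory that refuses anonymous search yields an empty authority list without any error — worth a comment such as `// group lookup uses an anonymous read-only bind; the directory must permit anonymous search of the group base` so deployers know what to allow. Finally, the `<==` debug line and the trailing `return authentication;` are reachable only from the catch path, because both branches of the inner `if` return inside the `try`.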
