This is an automated email from the ASF dual-hosted git repository.

dockerzhang pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/inlong.git


The following commit(s) were added to refs/heads/master by this push:
     new b65f3f1220 [INLONG-8389][Manager] Fix the tenant interception failure 
when authentication is disable (#8390)
b65f3f1220 is described below

commit b65f3f122055f665d047ed5652dc8b1679e7f0bc
Author: vernedeng <[email protected]>
AuthorDate: Mon Jul 3 09:46:18 2023 +0800

    [INLONG-8389][Manager] Fix the tenant interception failure when 
authentication is disable (#8390)
---
 .../org/apache/inlong/common/util/BasicAuth.java   |  1 +
 .../inlong/manager/web/auth/InlongShiroImpl.java   | 10 ++--
 .../auth/openapi/OpenAPIAuthenticatingRealm.java   | 31 +++++++++++-
 .../manager/web/auth/openapi/OpenAPIFilter.java    | 24 ++++-----
 .../manager/web/auth/openapi/SecretToken.java      |  4 +-
 .../web/auth/tenant/TenantAuthenticatingRealm.java | 57 ++++++++++++----------
 6 files changed, 80 insertions(+), 47 deletions(-)

diff --git 
a/inlong-common/src/main/java/org/apache/inlong/common/util/BasicAuth.java 
b/inlong-common/src/main/java/org/apache/inlong/common/util/BasicAuth.java
index 46e5c98842..0cefbc7902 100644
--- a/inlong-common/src/main/java/org/apache/inlong/common/util/BasicAuth.java
+++ b/inlong-common/src/main/java/org/apache/inlong/common/util/BasicAuth.java
@@ -30,6 +30,7 @@ public class BasicAuth {
     public static final String BASIC_AUTH_HEADER = "authorization";
     public static final String BASIC_AUTH_TENANT_HEADER = "tenant";
 
+    public static final String DEFAULT_USER = "admin";
     public static final String DEFAULT_TENANT = "public";
     public static final String BASIC_AUTH_PREFIX = "Basic";
     public static final String BASIC_AUTH_SEPARATOR = " ";
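Review bot: `DEFAULT_USER = "admin"` is added without Javadoc, although it becomes the principal that every openapi request is attributed to once `openAPIAuthEnabled` is false, so a reader of this constants class cannot tell it from an ordinary default. A one-line comment would make the coupling visible: `/** Principal that OpenAPI requests are mapped to when openapi authentication is disabled. */`. Pairing it with the existing `DEFAULT_TENANT` Javadoc style, if that constant has one outside this hunk, keeps the class consistent.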
diff --git 
a/inlong-manager/manager-web/src/main/java/org/apache/inlong/manager/web/auth/InlongShiroImpl.java
 
b/inlong-manager/manager-web/src/main/java/org/apache/inlong/manager/web/auth/InlongShiroImpl.java
index de7d2a3145..20b5b9b162 100644
--- 
a/inlong-manager/manager-web/src/main/java/org/apache/inlong/manager/web/auth/InlongShiroImpl.java
+++ 
b/inlong-manager/manager-web/src/main/java/org/apache/inlong/manager/web/auth/InlongShiroImpl.java
@@ -89,7 +89,7 @@ public class InlongShiroImpl implements InlongShiro {
     public Collection<Realm> getShiroRealms() {
         AuthorizingRealm webRealm = new WebAuthorizingRealm(userService);
         webRealm.setCredentialsMatcher(getCredentialsMatcher());
-        Realm apiRealm = new OpenAPIAuthenticatingRealm(userService);
+        Realm apiRealm = new OpenAPIAuthenticatingRealm(userService, 
openAPIAuthEnabled);
         Realm tenantRealm = new TenantAuthenticatingRealm(tenantRoleService, 
inlongRoleService,
                 userService, tenantService);
         return Arrays.asList(webRealm, apiRealm, tenantRealm);
@@ -132,12 +132,8 @@ public class InlongShiroImpl implements InlongShiro {
         pathDefinitions.put("/swagger-resources", "anon");
 
         // openapi
-        if (openAPIAuthEnabled) {
-            filters.put(FILTER_NAME_API, new OpenAPIFilter());
-            pathDefinitions.put("/openapi/**/*", 
genFiltersInOrder(FILTER_NAME_API, FILTER_NAME_TENANT));
-        } else {
-            pathDefinitions.put("/openapi/**/*", "anon");
-        }
+        filters.put(FILTER_NAME_API, new OpenAPIFilter());
+        pathDefinitions.put("/openapi/**/*", 
genFiltersInOrder(FILTER_NAME_API, FILTER_NAME_TENANT));
 
         // other web
         pathDefinitions.put("/**", genFiltersInOrder(FILTER_NAME_WEB, 
FILTER_NAME_TENANT));
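Review bot: The `// openapi` comment no longer explains why the filter chain is installed unconditionally now that the `openAPIAuthEnabled` branch is gone; the decision has moved into the realm, which is not obvious from this method. Expand the comment to `// openapi: the filter always runs so the tenant filter is reached; OpenAPIAuthenticatingRealm falls back to the default user when openAPIAuthEnabled is false`. Since `openAPIAuthEnabled` is still read in getShiroRealms above, a reader checking where the flag is honoured would otherwise have to trace both places.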
diff --git 
a/inlong-manager/manager-web/src/main/java/org/apache/inlong/manager/web/auth/openapi/OpenAPIAuthenticatingRealm.java
 
b/inlong-manager/manager-web/src/main/java/org/apache/inlong/manager/web/auth/openapi/OpenAPIAuthenticatingRealm.java
index 4e65e2c2b4..5a5e2d97da 100644
--- 
a/inlong-manager/manager-web/src/main/java/org/apache/inlong/manager/web/auth/openapi/OpenAPIAuthenticatingRealm.java
+++ 
b/inlong-manager/manager-web/src/main/java/org/apache/inlong/manager/web/auth/openapi/OpenAPIAuthenticatingRealm.java
@@ -17,6 +17,8 @@
 
 package org.apache.inlong.manager.web.auth.openapi;
 
+import org.apache.inlong.common.util.BasicAuth;
+import org.apache.inlong.manager.common.enums.InlongUserTypeEnum;
 import org.apache.inlong.manager.common.enums.TenantUserTypeEnum;
 import org.apache.inlong.manager.common.util.AESUtils;
 import org.apache.inlong.manager.common.util.Preconditions;
@@ -40,9 +42,11 @@ import java.util.Date;
 public class OpenAPIAuthenticatingRealm extends AuthenticatingRealm {
 
     private final UserService userService;
+    private final boolean openAPIAuthEnabled;
 
-    public OpenAPIAuthenticatingRealm(UserService userService) {
+    public OpenAPIAuthenticatingRealm(UserService userService, boolean 
openAPIAuthEnabled) {
         this.userService = userService;
+        this.openAPIAuthEnabled = openAPIAuthEnabled;
     }
 
     /**
@@ -51,6 +55,29 @@ public class OpenAPIAuthenticatingRealm extends 
AuthenticatingRealm {
     @Override
     protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken 
authenticationToken)
             throws AuthenticationException {
+        if (openAPIAuthEnabled) {
+            return doRealAuth(authenticationToken);
+        } else {
+            return doDefaultAuth(authenticationToken);
+        }
+    }
+
+    private AuthenticationInfo doDefaultAuth(AuthenticationToken 
authenticationToken) {
+        try {
+            UserInfo userInfo = userService.getByName(BasicAuth.DEFAULT_USER);
+            userInfo.setRoles(Sets.newHashSet(
+                    InlongUserTypeEnum.INLONG_ADMIN.name(),
+                    InlongUserTypeEnum.INLONG_OPERATOR.name(),
+                    TenantUserTypeEnum.TENANT_ADMIN.name(),
+                    TenantUserTypeEnum.TENANT_OPERATOR.name()));
+            return new SimpleAuthenticationInfo(userInfo, 
authenticationToken.getCredentials(), getName());
+        } catch (Exception e) {
+            log.error("got some exception when do default openapi auth", e);
+            throw new AuthenticationException("internal error: " + 
e.getMessage());
+        }
+    }
+
+    private AuthenticationInfo doRealAuth(AuthenticationToken 
authenticationToken) {
         SecretToken upToken = (SecretToken) authenticationToken;
         String username = upToken.getSecretId();
         UserInfo userInfo = userService.getByName(username);
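Review bot: doRealAuth can now receive the empty `SecretToken` that OpenAPIFilter.parseBasicAuth returns for a missing or malformed header, so `upToken.getSecretId()` may be null when it reaches `userService.getByName(username)`; reject it before the lookup, e.g. `if (upToken.getSecretId() == null || upToken.getSecretId().trim().isEmpty()) { throw new AuthenticationException("missing basic auth credentials"); }`. In doDefaultAuth, if `userService.getByName(BasicAuth.DEFAULT_USER)` returns null (inferred; the tenant realm null-checks similar lookups) the NPE is caught and surfaces as "internal error: null", so an explicit null check with a message naming the missing default user would be clearer. The hard-coded set in `userInfo.setRoles(...)` replaces whatever roles the stored admin user has, which is the intended effect of disabling auth but deserves a comment such as `// auth disabled: every openapi caller is mapped to the default user with full admin/operator roles`. doRealAuth continues past the end of this hunk.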
@@ -64,7 +91,7 @@ public class OpenAPIAuthenticatingRealm extends 
AuthenticatingRealm {
                     : TenantUserTypeEnum.TENANT_OPERATOR.name()));
             return new SimpleAuthenticationInfo(userInfo, secretKey, 
getName());
         } catch (Exception e) {
-            log.error("decrypt secret key fail: ", e);
+            log.error("when do real openapi auth, decrypt secret key fail: ", 
e);
             throw new AuthenticationException("internal error: " + 
e.getMessage());
         }
     }
diff --git 
a/inlong-manager/manager-web/src/main/java/org/apache/inlong/manager/web/auth/openapi/OpenAPIFilter.java
 
b/inlong-manager/manager-web/src/main/java/org/apache/inlong/manager/web/auth/openapi/OpenAPIFilter.java
index b83957adc9..7086f3c20d 100644
--- 
a/inlong-manager/manager-web/src/main/java/org/apache/inlong/manager/web/auth/openapi/OpenAPIFilter.java
+++ 
b/inlong-manager/manager-web/src/main/java/org/apache/inlong/manager/web/auth/openapi/OpenAPIFilter.java
@@ -66,7 +66,7 @@ public class OpenAPIFilter implements Filter {
             SecretToken token = parseBasicAuth(httpServletRequest);
             subject.login(token);
         } catch (Exception ex) {
-            LOGGER.error("login error: {}", ex.getMessage());
+            LOGGER.error("login error", ex);
             ((HttpServletResponse) 
servletResponse).sendError(HttpServletResponse.SC_FORBIDDEN, ex.getMessage());
             return;
         }
@@ -85,36 +85,38 @@ public class OpenAPIFilter implements Filter {
         }
     }
 
+    // return empty token if parse failed. The realm will pass the request and 
use default user
+    // if the openapi auth is disable.
     private SecretToken parseBasicAuth(HttpServletRequest servletRequest) {
         String basicAuth = 
servletRequest.getHeader(BasicAuth.BASIC_AUTH_HEADER);
         if (StringUtils.isBlank(basicAuth)) {
-            log.error("basic auth header is empty");
-            return null;
+            log.warn("basic auth header is empty");
+            return new SecretToken();
         }
 
         // Basic auth string must be "Basic Base64(ID:Secret)"
         String[] parts = basicAuth.split(BasicAuth.BASIC_AUTH_SEPARATOR);
         if (parts.length != 2) {
-            log.error("the length parts size error: {}", parts.length);
-            return null;
+            log.warn("the length parts size error: {}", parts.length);
+            return new SecretToken();
         }
         if (!parts[0].equals(BasicAuth.BASIC_AUTH_PREFIX)) {
-            log.error("prefix error: {}", parts[0]);
-            return null;
+            log.warn("prefix error: {}", parts[0]);
+            return new SecretToken();
         }
 
         String joinedPair = new String(Base64.getDecoder().decode(parts[1]));
         String[] pair = joinedPair.split(BasicAuth.BASIC_AUTH_JOINER);
         if (pair.length != 2) {
-            log.error("pair format error: {}", pair.length);
-            return null;
+            log.warn("pair format error: {}", pair.length);
+            return new SecretToken();
         }
 
         String secretId = pair[0];
         String secretKey = pair[1];
         if (StringUtils.isBlank(secretId) || StringUtils.isBlank(secretKey)) {
-            log.error("invalid id = {} or key = {}", secretId, secretKey);
-            return null;
+            log.warn("invalid id = {} or key = {}", secretId, secretKey);
+            return new SecretToken();
         }
 
         return new SecretToken(secretId, secretKey);
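Review bot: The comment added above parseBasicAuth promises an empty token on any parse failure, but `Base64.getDecoder().decode(parts[1])` throws IllegalArgumentException on a malformed payload, which escapes to the caller's `catch (Exception ex)` and answers 403 even when openapi auth is disabled; catch it inside parseBasicAuth and return `new SecretToken()` like the other branches, as sketched below. The `new String(...)` on the decoded bytes should also pass `StandardCharsets.UTF_8` instead of relying on the platform default (needs a `java.nio.charset.StandardCharsets` import). The warning `log.warn("invalid id = {} or key = {}", secretId, secretKey)` writes the secret key to the log whenever only the id is blank; log the id alone, e.g. `log.warn("invalid id = {} or blank key", secretId)`. The method's closing brace lies outside the hunk.
```java
    private SecretToken parseBasicAuth(HttpServletRequest servletRequest) {
        // … unchanged: header presence, "Basic" prefix and parts-length checks …
        byte[] decoded;
        try {
            decoded = Base64.getDecoder().decode(parts[1]);
        } catch (IllegalArgumentException e) {
            log.warn("basic auth payload is not valid base64");
            return new SecretToken();
        }
        String joinedPair = new String(decoded, StandardCharsets.UTF_8);
        // … unchanged: pair split, blank checks, token construction …
```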
diff --git 
a/inlong-manager/manager-web/src/main/java/org/apache/inlong/manager/web/auth/openapi/SecretToken.java
 
b/inlong-manager/manager-web/src/main/java/org/apache/inlong/manager/web/auth/openapi/SecretToken.java
index 61d511e02f..62624296a8 100644
--- 
a/inlong-manager/manager-web/src/main/java/org/apache/inlong/manager/web/auth/openapi/SecretToken.java
+++ 
b/inlong-manager/manager-web/src/main/java/org/apache/inlong/manager/web/auth/openapi/SecretToken.java
@@ -19,6 +19,7 @@ package org.apache.inlong.manager.web.auth.openapi;
 
 import lombok.AllArgsConstructor;
 import lombok.Data;
+import lombok.NoArgsConstructor;
 import org.apache.shiro.authc.AuthenticationToken;
 
 /**
@@ -26,10 +27,11 @@ import org.apache.shiro.authc.AuthenticationToken;
  */
 @Data
 @AllArgsConstructor
+@NoArgsConstructor
 public class SecretToken implements AuthenticationToken {
 
     private String secretId;
-    private String secretKey;
+    private String secretKey = "defaultKey";
 
     @Override
     public Object getPrincipal() {
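Review bot: `private String secretKey = "defaultKey";` gives the no-args token a non-blank credential, so a request with no or a malformed header now carries the literal "defaultKey" into the realm and, via `authenticationToken.getCredentials()` on the disabled-auth path, into the resulting SimpleAuthenticationInfo, where it is indistinguishable from a real key in logs or debugging. Name it and document it instead, e.g. `/** Placeholder credential of a token built with the no-args constructor; never compared against a stored key. */` on a `static final` constant used as the initializer. The class Javadoc above this hunk should also state that a token with a null `secretId` is only acceptable when openapi authentication is disabled.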
diff --git 
a/inlong-manager/manager-web/src/main/java/org/apache/inlong/manager/web/auth/tenant/TenantAuthenticatingRealm.java
 
b/inlong-manager/manager-web/src/main/java/org/apache/inlong/manager/web/auth/tenant/TenantAuthenticatingRealm.java
index 4cb92b66e6..6afeaaa442 100644
--- 
a/inlong-manager/manager-web/src/main/java/org/apache/inlong/manager/web/auth/tenant/TenantAuthenticatingRealm.java
+++ 
b/inlong-manager/manager-web/src/main/java/org/apache/inlong/manager/web/auth/tenant/TenantAuthenticatingRealm.java
@@ -63,36 +63,41 @@ public class TenantAuthenticatingRealm extends 
AuthenticatingRealm {
 
     @Override
     public AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken 
token) throws AuthenticationException {
-        TenantToken tenantToken = (TenantToken) token;
-        String username = tenantToken.getUsername();
-        String tenant = tenantToken.getTenant();
-
-        InlongTenantInfo tenantInfo = tenantService.getByName(tenant);
-        if (tenantInfo == null) {
-            String errMsg = String.format("tenant=[%s] not found", tenant);
-            log.error(errMsg);
-            throw new AuthenticationException(errMsg);
-        }
+        try {
+            TenantToken tenantToken = (TenantToken) token;
+            String username = tenantToken.getUsername();
+            String tenant = tenantToken.getTenant();
+
+            InlongTenantInfo tenantInfo = tenantService.getByName(tenant);
+            if (tenantInfo == null) {
+                String errMsg = String.format("tenant=[%s] not found", tenant);
+                log.error(errMsg);
+                throw new AuthenticationException(errMsg);
+            }
 
-        InlongRoleInfo inlongRoleInfo = 
inlongRoleService.getByUsername(username);
-        TenantRoleInfo tenantRoleInfo = 
tenantRoleService.getByUsernameAndTenant(username, tenant);
-        if (inlongRoleInfo == null && tenantRoleInfo == null) {
-            String errMsg = String.format("user=[%s] has no privilege for 
tenant=[%s]", username, tenant);
-            log.error(errMsg);
-            throw new AuthenticationException(errMsg);
-        }
+            InlongRoleInfo inlongRoleInfo = 
inlongRoleService.getByUsername(username);
+            TenantRoleInfo tenantRoleInfo = 
tenantRoleService.getByUsernameAndTenant(username, tenant);
+            if (inlongRoleInfo == null && tenantRoleInfo == null) {
+                String errMsg = String.format("user=[%s] has no privilege for 
tenant=[%s]", username, tenant);
+                log.error(errMsg);
+                throw new AuthenticationException(errMsg);
+            }
 
-        UserInfo userInfo = getUserInfo(username);
-        if (inlongRoleInfo != null) {
-            addRole(userInfo, inlongRoleInfo.getRoleCode());
-        }
+            UserInfo userInfo = getUserInfo(username);
+            if (inlongRoleInfo != null) {
+                addRole(userInfo, inlongRoleInfo.getRoleCode());
+            }
 
-        if (tenantRoleInfo != null) {
-            addRole(userInfo, tenantRoleInfo.getRoleCode());
-        }
+            if (tenantRoleInfo != null) {
+                addRole(userInfo, tenantRoleInfo.getRoleCode());
+            }
 
-        userInfo.setTenant(tenant);
-        return new SimpleAuthenticationInfo(userInfo, tenant, getName());
+            userInfo.setTenant(tenant);
+            return new SimpleAuthenticationInfo(userInfo, tenant, getName());
+        } catch (Throwable t) {
+            log.error("failed to do tenant authentication", t);
+            throw t;
+        }
     }
 
     @Override
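Review bot: The new `catch (Throwable t)` logs and rethrows every failure, including the AuthenticationExceptions this method already logs via `log.error(errMsg)` at the two explicit throws, so each expected rejection now appears twice in the log, the second time with a stack trace. Catching `RuntimeException` instead of `Throwable` (`} catch (RuntimeException e) {` / `log.error("failed to do tenant authentication", e);` / `throw e;`) avoids intercepting JVM errors, and the two explicit branches can then drop their own `log.error(errMsg)` call. The `(TenantToken) token` cast on the first line of the try is now logged as a tenant authentication failure but still rethrown as a ClassCastException rather than an AuthenticationException; unless `supports(token)` is narrowed to TenantToken elsewhere in the class (not visible here), an `instanceof` check that throws AuthenticationException would keep the realm's error contract.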
