Repository: metron Updated Branches: refs/heads/master eee996302 -> fefbb376f
METRON-1844 Allow for LDAP to be used for authentication and roles (simonellistonball via justinleet) closes apache/metron#1246 Project: http://git-wip-us.apache.org/repos/asf/metron/repo Commit: http://git-wip-us.apache.org/repos/asf/metron/commit/d0411f63 Tree: http://git-wip-us.apache.org/repos/asf/metron/tree/d0411f63 Diff: http://git-wip-us.apache.org/repos/asf/metron/diff/d0411f63 Branch: refs/heads/master Commit: d0411f63bb2e08f1cca81a25117fd640689bb413 Parents: eee9963 Author: Simon Elliston Ball <[email protected]> Authored: Wed Oct 17 11:46:17 2018 -0400 Committer: justinjleet <[email protected]> Committed: Fri Nov 2 09:23:52 2018 -0400 ---------------------------------------------------------------------- .../CURRENT/configuration/metron-rest-env.xml | 15 +- .../configuration/metron-security-env.xml | 139 +++++++++++++++++++ .../common-services/METRON/CURRENT/metainfo.xml | 3 + .../package/scripts/alerts_ui_commands.py | 1 + .../package/scripts/management_ui_commands.py | 1 + .../package/scripts/params/params_linux.py | 14 ++ .../CURRENT/package/scripts/rest_commands.py | 4 + .../METRON/CURRENT/package/templates/metron.j2 | 14 ++ .../METRON/CURRENT/themes/metron_theme.json | 129 +++++++++++++++++ metron-interface/metron-rest/pom.xml | 12 ++ .../src/main/config/rest_application.yml | 31 +++-- .../apache/metron/rest/MetronRestConstants.java | 1 + .../metron/rest/config/WebSecurityConfig.java | 81 +++++++++-- .../rest/controller/AlertsUIController.java | 1 + .../src/main/resources/application-vagrant.yml | 14 ++ .../metron-rest/src/main/scripts/metron-rest.sh | 5 +- 16 files changed, 431 insertions(+), 34 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/metron/blob/d0411f63/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/configuration/metron-rest-env.xml ---------------------------------------------------------------------- 
diff --git a/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/configuration/metron-rest-env.xml b/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/configuration/metron-rest-env.xml index f4b2327..ab2491b 100644 --- a/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/configuration/metron-rest-env.xml +++ b/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/configuration/metron-rest-env.xml 
@@ -35,32 +35,29 @@ </property> <property> <name>metron_spring_profiles_active</name> - <description>Active Spring profiles</description> + <description>Active Spring profiles. 'jdbc' is the default profiler for authentication. 'ldap' can is also available.</description> <display-name>Active Spring profiles</display-name> - <value/> - <value-attributes> - <empty-value-valid>true</empty-value-valid> - </value-attributes> + <value>jdbc</value> </property> - <property require-input="true"> + <property> <name>metron_jdbc_driver</name> <value></value> <description>Class name of the JDBC Driver used by Metron</description> <display-name>Metron JDBC Driver</display-name> </property> - <property require-input="true"> + <property> <name>metron_jdbc_url</name> <value></value> <description>JDBC Connection URL used by Metron</description> <display-name>Metron JDBC URL</display-name> </property> - <property require-input="true"> + <property> <name>metron_jdbc_username</name> <value></value> <description>Metron JDBC Username</description> <display-name>Metron JDBC username</display-name> </property> - <property require-input="true"> + <property> <name>metron_jdbc_password</name> <value></value> <property-type>PASSWORD</property-type> http://git-wip-us.apache.org/repos/asf/metron/blob/d0411f63/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/configuration/metron-security-env.xml ---------------------------------------------------------------------- diff --git a/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/configuration/metron-security-env.xml b/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/configuration/metron-security-env.xml new file mode 100644 index 0000000..b96653e --- /dev/null +++ b/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/configuration/metron-security-env.xml 
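Review bot: Dropping `require-input="true"` from the four JDBC properties while defaulting `metron_spring_profiles_active` to `jdbc` means Ambari no longer forces an operator to supply the driver, URL, username and password that the default profile still needs, so an install can proceed with empty JDBC settings and only fail when the REST service starts. The new description also has typos (`profiler`, `can is`) and never says how the switch is made; suggest `Active Spring profiles. 'jdbc' (default) authenticates against the JDBC user store; set 'ldap' to authenticate and map roles via the LDAP settings in metron-security-env.` Ambari cannot make these fields required only for one profile, so at minimum each JDBC description should state that the value is still required when the profile is 'jdbc'.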
@@ -0,0 +1,139 @@ +<?xml version="1.0"?> +<?xml-stylesheet type="text/xsl" href="configuration.xsl"?> +<!-- + Licensed to the Apache Software Foundation (ASF) under one + or more contributor license agreements. See the NOTICE file + distributed with this work for additional information + regarding copyright ownership. The ASF licenses this file + to you under the Apache License, Version 2.0 (the + "License"); you may not use this file except in compliance + with the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. +--> +<configuration supports_final="true"> + <property> + <name>metron.ldap.url</name> + <display-name>LDAP URL</display-name> + <value>ldap://localhost:33369</value> + <description>LDAP Server URL</description> + <value-attributes> + <overridable>false</overridable> + </value-attributes> + <on-ambari-upgrade add="true"/> + </property> + <property> + <name>metron.ldap.user.dnpattern</name> + <value>uid={0},ou=people,dc=hadoop,dc=apache,dc=org</value> + <display-name>User dn pattern</display-name> + <description>LDAP user DN</description> + <value-attributes> + <overridable>false</overridable> + </value-attributes> + <on-ambari-upgrade add="true"/> + </property> + <property> + <name>metron.ldap.user.searchbase</name> + <display-name>Group Search Base</display-name> + <value>ou=people,dc=hadoop,dc=apache,dc=org</value> + <description>LDAP group searchbase</description> + <value-attributes> + <overridable>false</overridable> + <empty-value-valid>true</empty-value-valid> + </value-attributes> + <on-ambari-upgrade add="true"/> + </property> + <property> + <name>metron.ldap.group.searchbase</name> + 
<display-name>Group Search Base</display-name> + <value>ou=groups,dc=hadoop,dc=apache,dc=org</value> + <description>LDAP group searchbase</description> + <value-attributes> + <overridable>false</overridable> + <empty-value-valid>true</empty-value-valid> + </value-attributes> + <on-ambari-upgrade add="true"/> + </property> + <property> + <name>metron.ldap.group.searchfilter</name> + <display-name>Group Search Filter</display-name> + <value>member={0}</value> + <description>LDAP group search filter</description> + <value-attributes> + <overridable>false</overridable> + <empty-value-valid>true</empty-value-valid> + </value-attributes> + <on-ambari-upgrade add="true"/> + </property> + <property> + <name>metron.ldap.user.basedn</name> + <display-name>User Base DN</display-name> + <value>uid=admin,ou=people,dc=hadoop,dc=apache,dc=org</value> + <description>LDAP User Base DN</description> + <value-attributes> + <overridable>false</overridable> + <empty-value-valid>true</empty-value-valid> + </value-attributes> + <on-ambari-upgrade add="true"/> + </property> + <property> + <name>metron.ldap.user.searchfilter</name> + <display-name>User Search Filter</display-name> + <value></value> + <description>Search filter used for Bind Authentication</description> + <value-attributes> + <overridable>false</overridable> + <empty-value-valid>true</empty-value-valid> + </value-attributes> + <on-ambari-upgrade add="true"/> + </property> + <property> + <name>metron.ldap.user.password</name> + <value>userPassword</value> + <display-name>User password attribute</display-name> + <description>LDAP attribute for the user password</description> + <value-attributes> + <overridable>false</overridable> + </value-attributes> + <on-ambari-upgrade add="true"/> + </property> + <property> + <name>metron.ldap.group.roleattribute</name> + <value>cn</value> + <description>LDAP group role attribute</description> + <value-attributes> + <overridable>false</overridable> + </value-attributes> + 
<on-ambari-upgrade add="true"/> + </property> + <property> + <name>metron.ldap.bind.dn</name> + <display-name>Bind User</display-name> + <value>uid=admin,ou=people,dc=hadoop,dc=apache,dc=org</value> + <description>Full distinguished name (DN), including common name (CN), of an LDAP user account that has privileges to search for users. </description> + <on-ambari-upgrade add="true"/> + <value-attributes> + <overridable>false</overridable> + <empty-value-valid>true</empty-value-valid> + </value-attributes> + </property> + <property> + <name>metron.ldap.bind.password</name> + <display-name>Bind User Password</display-name> + <value></value> + <property-type>PASSWORD</property-type> + <description>Password for the account that can search for users</description> + <value-attributes> + <overridable>false</overridable> + <empty-value-valid>true</empty-value-valid> + </value-attributes> + <on-ambari-upgrade add="true"/> + </property> + +</configuration> \ No newline at end of file http://git-wip-us.apache.org/repos/asf/metron/blob/d0411f63/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/metainfo.xml ---------------------------------------------------------------------- diff --git a/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/metainfo.xml b/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/metainfo.xml index ad1f7a9..97b5749 100644 --- a/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/metainfo.xml +++ b/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/metainfo.xml 
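Review bot: The default `metron.ldap.url` is plain `ldap://localhost:33369`, so the bind credentials and the user authentication traffic go over the wire unencrypted unless an operator changes it; the description should say so and point at `ldaps://`, e.g. `LDAP server URL. Use ldaps:// in production; with ldap:// the bind password and user credentials are sent in cleartext.` Two properties look copy-pasted: `metron.ldap.user.searchbase` carries display-name `Group Search Base` and description `LDAP group searchbase`, and `metron.ldap.user.basedn` is labelled `User Base DN` but defaults to the account DN `uid=admin,ou=people,...` rather than a base DN. The bind account default is also the directory admin even though its own description says it only needs rights to search for users; suggesting a read-only service account in that description would steer deployments toward least privilege.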
@@ -322,6 +322,7 @@ <scriptType>PYTHON</scriptType> </commandScript> <configuration-dependencies> + <config-type>metron-security-env</config-type> <config-type>metron-indexing-env</config-type> <config-type>metron-rest-env</config-type> <config-type>metron-pcap-env</config-type> @@ -371,6 +372,7 @@ <scriptType>PYTHON</scriptType> </commandScript> <configuration-dependencies> + <config-type>metron-security-env</config-type> <config-type>metron-rest-env</config-type> <config-type>metron-management-ui-env</config-type> </configuration-dependencies> @@ -397,6 +399,7 @@ <scriptType>PYTHON</scriptType> </commandScript> <configuration-dependencies> + <config-type>metron-security-env</config-type> <config-type>metron-rest-env</config-type> <config-type>metron-alerts-ui-env</config-type> </configuration-dependencies> http://git-wip-us.apache.org/repos/asf/metron/blob/d0411f63/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/package/scripts/alerts_ui_commands.py ---------------------------------------------------------------------- diff --git a/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/package/scripts/alerts_ui_commands.py b/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/package/scripts/alerts_ui_commands.py index f837043..e173f8d 100644 --- a/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/package/scripts/alerts_ui_commands.py +++ b/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/package/scripts/alerts_ui_commands.py 
@@ -23,6 +23,7 @@ from resource_management.core.resources.system import Execute, File import metron_service + # Wrap major operations and functionality in this class class AlertsUICommands: __params = None http://git-wip-us.apache.org/repos/asf/metron/blob/d0411f63/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/package/scripts/management_ui_commands.py ---------------------------------------------------------------------- diff --git a/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/package/scripts/management_ui_commands.py b/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/package/scripts/management_ui_commands.py index 4e81df6..c918587 100644 --- a/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/package/scripts/management_ui_commands.py +++ b/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/package/scripts/management_ui_commands.py @@ -22,6 +22,7 @@ from resource_management.core.logger import Logger from resource_management.core.resources.system import Execute, File from resource_management.core.exceptions import ExecutionFailed from resource_management.libraries.functions.get_user_call_output import get_user_call_output +from resource_management.libraries.functions.format import format import metron_service http://git-wip-us.apache.org/repos/asf/metron/blob/d0411f63/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/package/scripts/params/params_linux.py ---------------------------------------------------------------------- 
diff --git a/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/package/scripts/params/params_linux.py b/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/package/scripts/params/params_linux.py index 458a7be..aef7f6d 100755 --- a/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/package/scripts/params/params_linux.py +++ b/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/package/scripts/params/params_linux.py 
@@ -267,6 +267,20 @@ if security_enabled: if 'solr-config-env' in config['configurations']: solr_principal_name = solr_principal_name.replace('_HOST', hostname_lowercase) +# LDAP +metron_ldap_url = config['configurations']['metron-security-env']['metron.ldap.url'] +metron_ldap_userdn = config['configurations']['metron-security-env']['metron.ldap.bind.dn'] +metron_ldap_password = config['configurations']['metron-security-env']['metron.ldap.bind.password'] +metron_ldap_user_pattern = config['configurations']['metron-security-env']['metron.ldap.user.dnpattern'] +metron_ldap_user_password = config['configurations']['metron-security-env']['metron.ldap.user.password'] +metron_ldap_user_dnbase = config['configurations']['metron-security-env']['metron.ldap.user.basedn'] +metron_ldap_user_searchbase = config['configurations']['metron-security-env']['metron.ldap.user.searchbase'] +metron_ldap_user_searchfilter = config['configurations']['metron-security-env']['metron.ldap.user.searchfilter'] +metron_ldap_group_searchbase = config['configurations']['metron-security-env']['metron.ldap.group.searchbase'] +metron_ldap_group_searchfilter = config['configurations']['metron-security-env']['metron.ldap.group.searchfilter'] +metron_ldap_group_role = config['configurations']['metron-security-env']['metron.ldap.group.roleattribute'] +metron_ldap = metron_ldap_url != "" + # Management UI metron_rest_host = default("/clusterHostInfo/metron_rest_hosts", [hostname])[0] http://git-wip-us.apache.org/repos/asf/metron/blob/d0411f63/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/package/scripts/rest_commands.py ---------------------------------------------------------------------- 
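Review bot: `metron_ldap = metron_ldap_url != ""` is true on every fresh install because `metron.ldap.url` ships with the non-empty default `ldap://localhost:33369`, while the REST service actually selects LDAP by `metron_spring_profiles_active` containing `ldap`, not by the URL. Whatever `metron_ldap` gates (not visible in this hunk) should be derived from the profile list so the two cannot disagree, e.g. `metron_ldap = 'ldap' in metron_spring_profiles_active.split(',')`, assuming that variable is defined in this params module as metron.j2 suggests. A comment that `metron_ldap_user_password` holds the password *attribute name* (`userPassword`), not a secret, would also help, since the name reads as a credential.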
diff --git a/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/package/scripts/rest_commands.py b/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/package/scripts/rest_commands.py index c410b94..674b744 100755 --- a/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/package/scripts/rest_commands.py +++ b/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/package/scripts/rest_commands.py @@ -145,8 +145,12 @@ class RestCommands: "export METRON_PID_FILE={pid_file};" "export HDP_VERSION={hdp_version};" "export METRON_RA_INDEXING_WRITER={ra_indexing_writer};" + "export METRON_LDAP_PASSWORD={metron_ldap_password!p};" + "export METRON_LDAP_USER_PASSWORD={metron_ldap_user_password!p};" "{metron_home}/bin/metron-rest.sh;" "unset METRON_JDBC_PASSWORD;" + "unset METRON_LDAP_PASSWORD;" + "unset METRON_LDAP_USER_PASSWORD;" )) Execute(cmd, http://git-wip-us.apache.org/repos/asf/metron/blob/d0411f63/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/package/templates/metron.j2 ---------------------------------------------------------------------- diff --git a/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/package/templates/metron.j2 b/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/package/templates/metron.j2 index a7d01e5..9ceaa09 100644 --- a/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/package/templates/metron.j2 +++ b/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/package/templates/metron.j2 
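Review bot: `METRON_LDAP_USER_PASSWORD` is the LDAP password attribute name (rest_application.yml binds it to `ldap.user.passwordAttribute`), not a secret, yet it is exported here with `!p` masking and unset afterwards exactly like the real bind password, while the other non-secret LDAP settings go into the env file via metron.j2. Either move it there next to `METRON_LDAP_USER_PATTERN` or rename it to something like `METRON_LDAP_USER_PASSWORD_ATTR` so nobody reading the launch command or the logs assumes a user password is being handled. As with the existing `METRON_JDBC_PASSWORD`, the trailing `unset` only clears the launching shell; the REST process started by `metron-rest.sh` inherits the exported value in its environment, which is worth a short comment so the unset is not mistaken for a stronger guarantee.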
@@ -21,6 +21,8 @@ METRON_PID_DIR="{{metron_pid_dir}}" METRON_REST_PORT={{metron_rest_port}} METRON_JVMFLAGS="{{metron_jvm_flags}}" METRON_SPRING_PROFILES_ACTIVE="{{metron_spring_profiles_active}}" + +#JDBC METRON_JDBC_DRIVER="{{metron_jdbc_driver}}" METRON_JDBC_URL="{{metron_jdbc_url}}" METRON_JDBC_USERNAME="{{metron_jdbc_username}}" @@ -28,6 +30,18 @@ METRON_JDBC_PLATFORM="{{metron_jdbc_platform}}" METRON_JDBC_CLIENT_PATH="{{metron_jdbc_client_path}}" METRON_TEMP_GROK_PATH="{{metron_temp_grok_path}}" METRON_SPRING_OPTIONS="{{metron_spring_options}}" + +#LDAP +METRON_LDAP_URL="{{metron_ldap_url}}" +METRON_LDAP_USERDN="{{metron_ldap_userdn}}" +METRON_LDAP_USER_PATTERN="{{metron_ldap_user_pattern}}" +METRON_LDAP_USER_DNBASE="{{metron_ldap_user_dnbase}}" +METRON_LDAP_USER_SEARCHBASE="{{metron_ldap_user_searchbase}}" +METRON_LDAP_USER_SEARCHFILTER="{{metron_ldap_user_searchfilter}}" +METRON_LDAP_GROUP_SEARCHBASE="{{metron_ldap_group_searchbase}}" +METRON_LDAP_GROUP_SEARCHFILTER="{{metron_ldap_group_searchfilter}}" +METRON_LDAP_GROUP_ROLE="{{metron_ldap_group_role}}" + ZOOKEEPER="{{zookeeper_quorum}}" BROKERLIST="{{kafka_brokers}}" HADOOP_CONF_DIR="/etc/hadoop/conf/" http://git-wip-us.apache.org/repos/asf/metron/blob/d0411f63/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/themes/metron_theme.json ---------------------------------------------------------------------- diff --git a/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/themes/metron_theme.json b/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/themes/metron_theme.json index 7e6c83a..d3ef96a 100644 --- a/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/themes/metron_theme.json +++ b/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/themes/metron_theme.json 
@@ -422,6 +422,35 @@ } }, { + "name": "security", + "display-name": "Security", + "layout": { + "tab-columns": "2", + "tab-rows": "1", + "sections": [ + { + "name": "section-security-ldap", + "row-index": "0", + "column-index": "0", + "row-span": "1", + "column-span": "1", + "section-columns": "1", + "section-rows": "1", + "subsections": [ + { + "name": "subsection-security-ldap", + "display-name": "LDAP", + "row-index": "0", + "column-index": "0", + "row-span": "1", + "column-span": "1" + } + ] + } + ] + } + }, + { "name": "metron-pcap", "display-name": "PCAP", "layout": { @@ -856,6 +885,46 @@ "subsection-name": "subsection-alerts-ui" }, { + "config": "metron-security-env/metron.ldap.url", + "subsection-name": "subsection-security-ldap" + }, + { + "config": "metron-security-env/metron.ldap.bind.dn", + "subsection-name": "subsection-security-ldap" + }, + { + "config": "metron-security-env/metron.ldap.bind.password", + "subsection-name": "subsection-security-ldap" + }, + { + "config": "metron-security-env/metron.ldap.user.dnpattern", + "subsection-name": "subsection-security-ldap" + }, + { + "config": "metron-security-env/metron.ldap.user.password", + "subsection-name": "subsection-security-ldap" + }, + { + "config": "metron-security-env/metron.ldap.user.searchbase", + "subsection-name": "subsection-security-ldap" + }, + { + "config": "metron-security-env/metron.ldap.user.searchfilter", + "subsection-name": "subsection-security-ldap" + }, + { + "config": "metron-security-env/metron.ldap.group.searchbase", + "subsection-name": "subsection-security-ldap" + }, + { + "config": "metron-security-env/metron.ldap.group.searchfilter", + "subsection-name": "subsection-security-ldap" + }, + { + "config": "metron-security-env/metron.ldap.group.roleattribute", + "subsection-name": "subsection-security-ldap" + }, + { "config": "metron-pcap-env/pcap_topology_workers", "subsection-name": "subsection-pcap" }, 
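Review bot: The new Security tab exposes only the `metron-security-env` LDAP settings, but the switch to LDAP is `metron_spring_profiles_active` in `metron-rest-env`, which stays on the REST tab, so an operator who fills in this section still gets JDBC authentication until they edit that other field. Consider placing `metron-rest-env/metron_spring_profiles_active` in `subsection-security-ldap` (it would move from its current subsection, if Ambari allows a config in only one place — verify), or at least make the dependency visible in the subsection display-name, e.g. `"display-name": "LDAP (enabled by Active Spring profile 'ldap')"`.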
@@ -1539,6 +1608,66 @@ } }, { + "config": "metron-security-env/metron.ldap.url", + "widget": { + "type": "text-field" + } + }, + { + "config": "metron-security-env/metron.ldap.bind.dn", + "widget": { + "type": "text-field" + } + }, + { + "config": "metron-security-env/metron.ldap.bind.password", + "widget": { + "type": "password" + } + }, + { + "config": "metron-security-env/metron.ldap.user.dnpattern", + "widget": { + "type": "text-field" + } + }, + { + "config": "metron-security-env/metron.ldap.user.password", + "widget": { + "type": "text-field" + } + }, + { + "config": "metron-security-env/metron.ldap.user.searchbase", + "widget": { + "type": "text-field" + } + }, + { + "config": "metron-security-env/metron.ldap.user.searchfilter", + "widget": { + "type": "text-field" + } + }, + { + "config": "metron-security-env/metron.ldap.group.searchbase", + "widget": { + "type": "text-field" + } + }, + { + "config": "metron-security-env/metron.ldap.group.searchfilter", + "widget": { + "type": "text-field" + } + }, + { + "config": "metron-security-env/metron.ldap.group.roleattribute", + "widget": { + "type": "text-field" + } + }, + { "config": "metron-pcap-env/pcap_topology_workers", "widget": { "type": "text-field" http://git-wip-us.apache.org/repos/asf/metron/blob/d0411f63/metron-interface/metron-rest/pom.xml ---------------------------------------------------------------------- diff --git a/metron-interface/metron-rest/pom.xml b/metron-interface/metron-rest/pom.xml index 7fc373b..52b0175 100644 --- a/metron-interface/metron-rest/pom.xml +++ b/metron-interface/metron-rest/pom.xml 
@@ -31,6 +31,8 @@ <powermock.version>1.6.4</powermock.version> <spring.boot.version>2.0.1.RELEASE</spring.boot.version> <spring.kerberos.version>1.0.1.RELEASE</spring.kerberos.version> + <spring.ldap.core.version>2.3.2.RELEASE</spring.ldap.core.version> + <spring.security.ldap.version>5.1.1.RELEASE</spring.security.ldap.version> <swagger.version>2.5.0</swagger.version> <mysql.client.version>5.1.40</mysql.client.version> <spring-kafka.version>2.0.4.RELEASE</spring-kafka.version> @@ -118,6 +120,16 @@ </exclusions> </dependency> <dependency> + <groupId>org.springframework.ldap</groupId> + <artifactId>spring-ldap-core</artifactId> + <version>${spring.ldap.core.version}</version> + </dependency> + <dependency> + <groupId>org.springframework.security</groupId> + <artifactId>spring-security-ldap</artifactId> + <version>${spring.security.ldap.version}</version> + </dependency> + <dependency> <groupId>com.googlecode.json-simple</groupId> <artifactId>json-simple</artifactId> <version>${global_json_simple_version}</version> http://git-wip-us.apache.org/repos/asf/metron/blob/d0411f63/metron-interface/metron-rest/src/main/config/rest_application.yml ---------------------------------------------------------------------- diff --git a/metron-interface/metron-rest/src/main/config/rest_application.yml b/metron-interface/metron-rest/src/main/config/rest_application.yml index 84efc01..25851e2 100644 --- a/metron-interface/metron-rest/src/main/config/rest_application.yml +++ b/metron-interface/metron-rest/src/main/config/rest_application.yml @@ -13,14 +13,6 @@ # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. -spring: - datasource: - driverClassName: ${METRON_JDBC_DRIVER} - url: ${METRON_JDBC_URL} - username: ${METRON_JDBC_USERNAME} - password: ${METRON_JDBC_PASSWORD} - platform: ${METRON_JDBC_PLATFORM} - continue-on-error: true zookeeper: url: ${ZOOKEEPER} 
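Review bot: `spring-security-ldap` is pinned to 5.1.1.RELEASE while the project stays on Spring Boot 2.0.1.RELEASE, whose managed Spring Security line is 5.0.x as far as I recall (please check the Boot BOM), so the LDAP module would run against older `spring-security-core`/`-config` jars than it was built with. Safer options are to omit `<version>` and inherit the Boot-managed version, to set `spring.security.ldap.version` to the managed one, or to bump all of Spring Security together. A one-line comment next to the property naming the Boot version it was verified against would keep the next dependency bump from silently reintroducing the skew.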
@@ -62,3 +54,26 @@ pcap: page.size: ${PCAP_PAGE_SIZE} yarn.queue: ${PCAP_YARN_QUEUE} finalizer.threadpool.size: ${PCAP_FINALIZER_THREADPOOL_SIZE} + +datasource: + driverClassName: ${METRON_JDBC_DRIVER} + url: ${METRON_JDBC_URL} + username: ${METRON_JDBC_USERNAME} + password: ${METRON_JDBC_PASSWORD} + platform: ${METRON_JDBC_PLATFORM} + continue-on-error: true + +ldap: + provider: + url: ${METRON_LDAP_URL} + userdn: ${METRON_LDAP_USERDN} + password: ${METRON_LDAP_PASSWORD} + user: + dn.patterns: ${METRON_LDAP_USER_PATTERN} + passwordAttribute: ${METRON_LDAP_USER_PASSWORD} + searchBase: ${METRON_LDAP_USER_SEARCHBASE} + searchFilter: ${METRON_LDAP_USER_SEARCHFILTER} + group: + searchBase: ${METRON_LDAP_GROUP_SEARCHBASE} + searchFilter: ${METRON_LDAP_GROUP_SEARCHFILTER} + roleAttribute: ${METRON_LDAP_GROUP_ROLE} http://git-wip-us.apache.org/repos/asf/metron/blob/d0411f63/metron-interface/metron-rest/src/main/java/org/apache/metron/rest/MetronRestConstants.java ---------------------------------------------------------------------- diff --git a/metron-interface/metron-rest/src/main/java/org/apache/metron/rest/MetronRestConstants.java b/metron-interface/metron-rest/src/main/java/org/apache/metron/rest/MetronRestConstants.java index 94e8e35..80ac2bf 100644 --- a/metron-interface/metron-rest/src/main/java/org/apache/metron/rest/MetronRestConstants.java +++ b/metron-interface/metron-rest/src/main/java/org/apache/metron/rest/MetronRestConstants.java 
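Review bot: `datasource:` is moved out of the `spring:` tree, but Spring Boot's DataSource auto-configuration binds `spring.datasource.*` (including `continue-on-error`), so unless a `DataSource` bean is now built explicitly from the `datasource.*` keys somewhere not visible in this diff, the JDBC profile loses its connection settings. If the move is deliberate, to keep Boot from auto-configuring a data source under the `ldap` profile, a comment saying so and naming the bean that reads these keys would save the next reader a debugging session. The `ldap:` block would likewise benefit from `# passwordAttribute is an attribute name, not a secret` and `# use ldaps:// outside development` so the env-var names do not mislead.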
@@ -23,6 +23,7 @@ public class MetronRestConstants { public static final String DEV_PROFILE = "dev"; public static final String TEST_PROFILE = "test"; + public static final String LDAP_PROFILE = "ldap"; public static final String DOCKER_PROFILE = "docker"; public static final String CSRF_ENABLE_PROFILE = "csrf-enable"; http://git-wip-us.apache.org/repos/asf/metron/blob/d0411f63/metron-interface/metron-rest/src/main/java/org/apache/metron/rest/config/WebSecurityConfig.java ---------------------------------------------------------------------- diff --git a/metron-interface/metron-rest/src/main/java/org/apache/metron/rest/config/WebSecurityConfig.java b/metron-interface/metron-rest/src/main/java/org/apache/metron/rest/config/WebSecurityConfig.java index f84cdfa..1f4b490 100644 --- a/metron-interface/metron-rest/src/main/java/org/apache/metron/rest/config/WebSecurityConfig.java +++ b/metron-interface/metron-rest/src/main/java/org/apache/metron/rest/config/WebSecurityConfig.java @@ -20,8 +20,14 @@ package org.apache.metron.rest.config; import static org.apache.metron.rest.MetronRestConstants.SECURITY_ROLE_ADMIN; import static org.apache.metron.rest.MetronRestConstants.SECURITY_ROLE_USER; +import java.util.Arrays; +import java.util.List; +import javax.sql.DataSource; import org.apache.metron.rest.MetronRestConstants; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.beans.factory.annotation.Value; import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; import org.springframework.core.env.Environment; 
@@ -30,7 +36,7 @@ import org.springframework.security.config.annotation.method.configuration.Enabl import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; -import org.springframework.security.core.userdetails.User; +import org.springframework.security.crypto.factory.PasswordEncoderFactories; import org.springframework.security.crypto.password.NoOpPasswordEncoder; import org.springframework.security.crypto.password.PasswordEncoder; import org.springframework.security.web.authentication.logout.HttpStatusReturningLogoutSuccessHandler; 
@@ -39,19 +45,37 @@ import org.springframework.stereotype.Controller; import org.springframework.web.bind.annotation.RequestMapping; import org.springframework.web.bind.annotation.RequestMethod; -import javax.sql.DataSource; -import java.util.Arrays; -import java.util.List; - @Configuration @EnableWebSecurity @EnableGlobalMethodSecurity(securedEnabled = true) @Controller public class WebSecurityConfig extends WebSecurityConfigurerAdapter { + private static final Logger LOG = LoggerFactory.getLogger(WebSecurityConfig.class); @Autowired private Environment environment; + @Value("${ldap.provider.url}") + private String providerUrl; + @Value("${ldap.provider.userdn}") + private String providerUserDn; + @Value("${ldap.provider.password}") + private String providerPassword; + @Value("${ldap.user.dn.patterns}") + private String userDnPatterns; + @Value("${ldap.user.passwordAttribute}") + private String passwordAttribute; + @Value("${ldap.user.searchBase}") + private String userSearchBase; + @Value("${ldap.user.searchFilter}") + private String userSearchFilter; + @Value("${ldap.group.searchBase}") + private String groupSearchBase; + @Value("${ldap.group.roleAttribute}") + private String groupRoleAttribute; + @Value("${ldap.group.searchFilter}") + private String groupSearchFilter; + @RequestMapping(value = {"/login", "/logout", "/sensors", "/sensors*/**"}, method = RequestMethod.GET) public String handleNGRequests() { return "forward:/index.html"; 
@@ -87,22 +111,49 @@ public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
 private DataSource dataSource;
 @Autowired
- public void configureJdbc(AuthenticationManagerBuilder auth) throws Exception {
+ private PasswordEncoder passwordEncoder;
+
+ @Override
+ public void configure(AuthenticationManagerBuilder auth) throws Exception {
+ // Note that we can switch profiles on the fly in Ambari.
 List<String> activeProfiles = Arrays.asList(environment.getActiveProfiles());
- if (activeProfiles.contains(MetronRestConstants.DEV_PROFILE) ||
- activeProfiles.contains(MetronRestConstants.TEST_PROFILE)) {
- auth.jdbcAuthentication().dataSource(dataSource)
- .withUser("user").password("password").roles(SECURITY_ROLE_USER).and()
- .withUser("user1").password("password").roles(SECURITY_ROLE_USER).and()
- .withUser("user2").password("password").roles(SECURITY_ROLE_USER).and()
- .withUser("admin").password("password").roles(SECURITY_ROLE_USER, SECURITY_ROLE_ADMIN);
+ if (activeProfiles.contains(MetronRestConstants.LDAP_PROFILE)) {
+ LOG.debug("Setting up LDAP authentication against {}.", providerUrl);
+ auth.ldapAuthentication()
+ .userDnPatterns(userDnPatterns)
+ .userSearchBase(userSearchBase)
+ .userSearchFilter(userSearchFilter)
+ .groupRoleAttribute(groupRoleAttribute)
+ .groupSearchFilter(groupSearchFilter)
+ .groupSearchBase(groupSearchBase)
+ .contextSource()
+ .url(providerUrl)
+ .managerDn(providerUserDn)
+ .managerPassword(providerPassword)
+ .and()
+ .passwordCompare()
+ .passwordEncoder(passwordEncoder)
+ .passwordAttribute(passwordAttribute);
+ } else if (!activeProfiles.contains(MetronRestConstants.LDAP_PROFILE) &&
+ (activeProfiles.contains(MetronRestConstants.DEV_PROFILE) ||
+ activeProfiles.contains(MetronRestConstants.TEST_PROFILE))) {
+ LOG.debug("Setting up dev/test JDBC authentication.");
+ auth.jdbcAuthentication().dataSource(dataSource)
+ .passwordEncoder(passwordEncoder)
+ .withUser("user").password("{noop}password").roles(SECURITY_ROLE_USER).and()
+ .withUser("user1").password("{noop}password").roles(SECURITY_ROLE_USER).and()
+ .withUser("user2").password("{noop}password").roles(SECURITY_ROLE_USER).and()
+ .withUser("admin").password("{noop}password")
+ .roles(SECURITY_ROLE_USER, SECURITY_ROLE_ADMIN);
 } else {
- auth.jdbcAuthentication().dataSource(dataSource);
+ LOG.debug("Setting up JDBC authentication.");
+ // TODO what are we supposed to do here?
+ auth.jdbcAuthentication().dataSource(dataSource).passwordEncoder(NoOpPasswordEncoder.getInstance());
 }
 }
 @Bean
 public PasswordEncoder passwordEncoder() {
- return NoOpPasswordEncoder.getInstance();
+ return PasswordEncoderFactories.createDelegatingPasswordEncoder();
 }
 }
http://git-wip-us.apache.org/repos/asf/metron/blob/d0411f63/metron-interface/metron-rest/src/main/java/org/apache/metron/rest/controller/AlertsUIController.java
----------------------------------------------------------------------
diff --git a/metron-interface/metron-rest/src/main/java/org/apache/metron/rest/controller/AlertsUIController.java b/metron-interface/metron-rest/src/main/java/org/apache/metron/rest/controller/AlertsUIController.java
index fe2968f..c3b125a 100644
--- a/metron-interface/metron-rest/src/main/java/org/apache/metron/rest/controller/AlertsUIController.java
+++ b/metron-interface/metron-rest/src/main/java/org/apache/metron/rest/controller/AlertsUIController.java
@@ -74,6 +74,7 @@ public class AlertsUIController {
 }
 }
+ // TODO need roles to make this work. No tests covering it, but it'll break.
 @Secured({"ROLE_" + SECURITY_ROLE_ADMIN})
 @ApiOperation(value = "Retrieves all users' settings. Only users that are part of "
 + "the \"ROLE_ADMIN\" role are allowed to get all user settings.")
http://git-wip-us.apache.org/repos/asf/metron/blob/d0411f63/metron-interface/metron-rest/src/main/resources/application-vagrant.yml
----------------------------------------------------------------------
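Review bot: The final `else` branch — the non-dev, non-LDAP deployment path — wires `NoOpPasswordEncoder.getInstance()` under a `// TODO what are we supposed to do here?`, so production JDBC credentials keep being compared as plaintext while the `passwordEncoder()` bean below now returns a delegating encoder; the two paths disagree and the TODO should be resolved before this ships. Using the injected encoder there, `auth.jdbcAuthentication().dataSource(dataSource).passwordEncoder(passwordEncoder);`, makes stored hashes with an `{id}` prefix (e.g. `{bcrypt}`) verifiable; if existing rows hold unprefixed values, the migration story needs to be written down in a comment (a `DelegatingPasswordEncoder` can be given a default encoder for matching legacy rows) rather than left as a question. In the `else if`, `!activeProfiles.contains(MetronRestConstants.LDAP_PROFILE)` is always true because the preceding `if` already handled that case, so it can be dropped. In the LDAP branch, `passwordCompare().passwordEncoder(passwordEncoder)` hands the delegating encoder to the compare authenticator, which presumably means the value read from `passwordAttribute` must itself carry an `{id}` prefix for a match to succeed — worth confirming against the directory's password format and recording in a comment.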
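Review bot: The added `// TODO need roles to make this work. No tests covering it, but it'll break.` on the `@Secured({"ROLE_" + SECURITY_ROLE_ADMIN})` endpoint records a known gap without saying what is required, and the commit adds no test for it. The same commit's LDAP branch in WebSecurityConfig.configure derives authorities from `groupRoleAttribute`, so the requirement can be stated concretely: `// Requires a ROLE_ADMIN authority; under the ldap profile this must come from group membership (see WebSecurityConfig.configure).`, plus a test asserting a non-admin principal receives 403 here. The annotated method's signature and body lie outside the hunk.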
diff --git a/metron-interface/metron-rest/src/main/resources/application-vagrant.yml b/metron-interface/metron-rest/src/main/resources/application-vagrant.yml
index 3eea24a..5f21add 100644
--- a/metron-interface/metron-rest/src/main/resources/application-vagrant.yml
+++ b/metron-interface/metron-rest/src/main/resources/application-vagrant.yml
@@ -58,3 +58,17 @@ kerberos:
 principal: [email protected]
 keytab: /etc/security/keytabs/metron.headless.keytab
+ldap:
+ provider:
+ url: ldap://node1:33389
+ userdn: uid=admin,ou=people,dc=hadoop,dc=apache,dc=org
+ password: "{noop}admin-password"
+ user:
+ dn.patterns: uid={0},ou=people,dc=hadoop,dc=apache,dc=org
+ passwordAttribute: userPassword
+ searchBase: ou=people,dc=hadoop,dc=apache,dc=org
+ searchFilter: ""
+ group:
+ searchBase: ou=groups,dc=hadoop,dc=apache,dc=org
+ searchFilter: "member={0}"
+ roleAttribute: "cn"
http://git-wip-us.apache.org/repos/asf/metron/blob/d0411f63/metron-interface/metron-rest/src/main/scripts/metron-rest.sh
----------------------------------------------------------------------
diff --git a/metron-interface/metron-rest/src/main/scripts/metron-rest.sh b/metron-interface/metron-rest/src/main/scripts/metron-rest.sh
index 7c89ae5..2c8c7e6 100644
--- a/metron-interface/metron-rest/src/main/scripts/metron-rest.sh
+++ b/metron-interface/metron-rest/src/main/scripts/metron-rest.sh
@@ -17,8 +17,8 @@
 # limitations under the License.
 #
-if [ -z "${METRON_JDBC_PASSWORD}" ]; then
- echo "METRON_JDBC_PASSWORD unset. Exiting."
+if [ -z "${METRON_JDBC_PASSWORD}" ] && [ -z "${METRON_LDAP_PASSWORD}" ]; then
+ echo "Authentication password unset. Exiting."
 exit 1
 fi
 ## Join a list by a character
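Review bot: `password: "{noop}admin-password"` feeds `ldap.provider.password`, which WebSecurityConfig passes unchanged to `managerPassword(...)` for the directory bind; `{noop}` is PasswordEncoder id syntax, not something an LDAP simple bind interprets, so unless something outside this diff strips the prefix the bind is attempted with the literal string `{noop}admin-password` and fails. The bind credential should be the raw value, `password: admin-password`; the `{noop}` form belongs only to values that pass through the delegating encoder, such as the in-memory dev/test users. The empty user `searchFilter: ""` presumably works only because `dn.patterns` is set and the user DN is built directly — a one-line comment saying so would save the next reader a trip through the Spring LDAP documentation.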
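Review bot: The relaxed guard `if [ -z "${METRON_JDBC_PASSWORD}" ] && [ -z "${METRON_LDAP_PASSWORD}" ]; then` only checks that some password is set, not the one the selected authentication mode needs: a JDBC deployment missing `METRON_JDBC_PASSWORD` now passes as long as `METRON_LDAP_PASSWORD` happens to be set, and the failure moves from a clear startup message to a runtime error in the Java service. Nothing in this hunk tells the script which profile is active, so either tie the check to whatever selects the ldap profile (not visible here) or at least name what is missing, e.g. `echo "Neither METRON_JDBC_PASSWORD nor METRON_LDAP_PASSWORD is set. Exiting."`.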
@@ -35,6 +35,7 @@ METRON_REST_PORT=8082
 METRON_SYSCONFIG="${METRON_SYSCONFIG:-/etc/default/metron}"
 METRON_LOG_DIR="${METRON_LOG_DIR:-/var/log/metron}"
 METRON_PID_FILE="${METRON_PID_FILE:-/var/run/metron/metron-rest.pid}"
+
 PARSER_CONTRIB=${PARSER_CONTRIB:-$METRON_HOME/parser_contrib}
 INDEXING_CONTRIB=${INDEXING_CONTRIB:-$METRON_HOME/indexing_contrib}
 PARSER_LIB=$(find $METRON_HOME/lib/ -name metron-parsers*.jar)
