Repository: incubator-ranger
Updated Branches:
  refs/heads/master cdf6df935 -> 64582f029


RANGER-483:  user credential will be stored in SHA256 hashed value instead of 
MD5


Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/64582f02
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/64582f02
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/64582f02

Branch: refs/heads/master
Commit: 64582f029e4eedc38e636aac0144134b1146abd7
Parents: cdf6df9
Author: sneethiraj <[email protected]>
Authored: Sun May 17 13:33:14 2015 -0400
Committer: sneethiraj <[email protected]>
Committed: Sun May 17 13:33:14 2015 -0400

----------------------------------------------------------------------
 .../java/org/apache/ranger/biz/UserMgr.java     |  24 +++-
 .../handler/RangerAuthenticationProvider.java   | 110 ++++++++++++++++++-
 .../RangerAuthFailureHandler.java               |   5 +-
 .../conf.dist/security-applicationContext.xml   |   4 +-
 4 files changed, 135 insertions(+), 8 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/64582f02/security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java 
b/security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java
index 188682c..145c331 100644
--- a/security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java
+++ b/security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java
@@ -64,13 +64,14 @@ import 
org.springframework.security.authentication.encoding.Md5PasswordEncoder;
 import org.springframework.stereotype.Component;
 import org.springframework.transaction.annotation.Propagation;
 import org.springframework.transaction.annotation.Transactional;
+import org.springframework.security.authentication.encoding.ShaPasswordEncoder;
 
 @Component
 public class UserMgr {
 
        static final Logger logger = Logger.getLogger(UserMgr.class);
        private static final Md5PasswordEncoder md5Encoder = new 
Md5PasswordEncoder();
-
+       private static final ShaPasswordEncoder sha256Encoder = new 
ShaPasswordEncoder(256);
        @Autowired
        RangerDaoManager daoManager;
 
@@ -1108,7 +1109,7 @@ public class UserMgr {
        }
 
        public String encrypt(String loginId, String password) {
-               String saltEncodedpasswd = md5Encoder.encodePassword(password, 
loginId);
+               String saltEncodedpasswd = 
sha256Encoder.encodePassword(password, loginId);
                return saltEncodedpasswd;
        }
 
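Review bot: `sha256Encoder.encodePassword(password, loginId)` still produces a single round of a fast hash: `ShaPasswordEncoder(256)` without `setIterations` does one SHA-256 pass over the password with the login id as salt, and that salt is predictable and identical across installations, so the change does not materially slow offline guessing compared with MD5. Spring Security in the 3.1+ line this code targets already ships adaptive encoders (`BCryptPasswordEncoder`, or `StandardPasswordEncoder` with a random per-credential salt and iterated SHA-256); consider one of those the next time the stored format changes, since the MD5-to-SHA-256 migration path added in this commit would carry over. The method is named `encrypt` but returns a one-way hash; a Javadoc line such as `Returns the one-way SHA-256 hash (Spring ShaPasswordEncoder) of the password salted with the login id; it is not reversible.` would stop callers expecting a decrypt counterpart. With this change the `md5Encoder` field declared in the previous hunk appears unused in the visible code — if nothing else in UserMgr references it, drop the field and its import.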
@@ -1248,4 +1249,23 @@ public class UserMgr {
                }
                return xXPortalUser;
        }
+       @Transactional(readOnly = false, propagation = Propagation.REQUIRED)
+       public XXPortalUser updatePasswordInSHA256(String userName,String 
userPassword) {
+               if (userName == null || userPassword == null
+                               || userName.trim().isEmpty() || 
userPassword.trim().isEmpty()){
+                               return null;
+               }
+
+               XXPortalUser xXPortalUser = this.findByLoginId(userName);
+
+               if (xXPortalUser == null) {
+                       return null;
+               }
+
+               String encryptedNewPwd = 
encrypt(xXPortalUser.getLoginId(),userPassword);
+               xXPortalUser.setPassword(encryptedNewPwd);
+               xXPortalUser = 
daoManager.getXXPortalUser().update(xXPortalUser);
+
+               return xXPortalUser;
+       }
 }
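Review bot: `updatePasswordInSHA256` has no Javadoc, and because it receives the caller's plaintext password the contract should be explicit; suggested header: `Re-hashes a user's stored credential with the current SHA-256 encoder after that user has successfully authenticated against the legacy MD5 hash; takes the plaintext password supplied at login and must only be called with a password that has just been verified.` The guard `userName.trim().isEmpty()` trims only for the check while `this.findByLoginId(userName)` receives the untrimmed value, so a login id with surrounding whitespace passes the guard and then returns null from the lookup — either trim once up front or drop the trim. Style: a blank line between the closing brace of the preceding method and the `@Transactional` annotation would match the rest of the class.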

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/64582f02/security-admin/src/main/java/org/apache/ranger/security/handler/RangerAuthenticationProvider.java
----------------------------------------------------------------------
diff --git 
a/security-admin/src/main/java/org/apache/ranger/security/handler/RangerAuthenticationProvider.java
 
b/security-admin/src/main/java/org/apache/ranger/security/handler/RangerAuthenticationProvider.java
index f74e5d9..a84736b 100644
--- 
a/security-admin/src/main/java/org/apache/ranger/security/handler/RangerAuthenticationProvider.java
+++ 
b/security-admin/src/main/java/org/apache/ranger/security/handler/RangerAuthenticationProvider.java
@@ -28,11 +28,14 @@ import java.util.HashMap;
 import javax.security.auth.login.AppConfigurationEntry;
 import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
 import javax.security.auth.login.Configuration;
+
 import org.apache.log4j.Logger;
 import org.apache.ranger.authentication.unix.jaas.RoleUserAuthorityGranter;
 import org.apache.ranger.common.PropertiesUtil;
 import org.springframework.ldap.core.support.LdapContextSource;
 import org.springframework.security.authentication.AuthenticationProvider;
+import 
org.springframework.security.authentication.AuthenticationServiceException;
+import org.springframework.security.authentication.BadCredentialsException;
 import 
org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
 import 
org.springframework.security.authentication.jaas.DefaultJaasAuthenticationProvider;
 import 
org.springframework.security.authentication.jaas.memory.InMemoryConfiguration;
@@ -49,10 +52,25 @@ import 
org.springframework.security.ldap.authentication.LdapAuthenticator;
 import 
org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider;
 import 
org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator;
 import org.springframework.security.ldap.search.FilterBasedLdapUserSearch;
+import org.springframework.security.provisioning.JdbcUserDetailsManager;
+import 
org.springframework.security.authentication.dao.DaoAuthenticationProvider;
+import org.springframework.security.authentication.dao.ReflectionSaltSource;
+import org.springframework.security.authentication.encoding.Md5PasswordEncoder;
+import org.springframework.security.authentication.encoding.ShaPasswordEncoder;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.beans.factory.annotation.Qualifier;
+import org.apache.ranger.biz.UserMgr;
 
 
 
 public class RangerAuthenticationProvider implements AuthenticationProvider {
+
+       @Autowired
+       @Qualifier("userService")
+       private JdbcUserDetailsManager userDetailsService;
+
+       @Autowired
+       UserMgr userMgr;
        private static Logger logger = 
Logger.getLogger(RangerAuthenticationProvider.class);
        private String rangerAuthenticationMethod;
 
@@ -65,6 +83,9 @@ public class RangerAuthenticationProvider implements 
AuthenticationProvider {
        @Override
        public Authentication authenticate(Authentication authentication)
                        throws AuthenticationException {
+               if(rangerAuthenticationMethod==null){
+                       rangerAuthenticationMethod="NONE";
+               }
                if (authentication != null && rangerAuthenticationMethod!=null) 
{
                        if 
(rangerAuthenticationMethod.equalsIgnoreCase("LDAP")) {
                                
authentication=getLdapAuthentication(authentication);
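Review bot: Once `rangerAuthenticationMethod` is defaulted to `"NONE"`, the `rangerAuthenticationMethod!=null` test on the following line can no longer be false and should go, leaving `if (authentication != null) {`. Defaulting inside `authenticate` rather than where the field is set also means the configured value silently changes on first use; a `logger.debug("No ranger authentication method configured; only JDBC password login will be attempted");` at the point of defaulting would make that visible when an operator wonders why LDAP/UNIX login is not being tried. `authenticate` continues past this hunk.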
@@ -89,11 +110,50 @@ public class RangerAuthenticationProvider implements 
AuthenticationProvider {
                                }
                        }
                        if 
(rangerAuthenticationMethod.equalsIgnoreCase("UNIX")) {
-                               return getUnixAuthentication(authentication);
+                               authentication= 
getUnixAuthentication(authentication);
+                               if(authentication!=null && 
authentication.isAuthenticated()){
+                                       return authentication;
+                               }
+                       }
+                       String encoder="SHA256";
+                       try{
+                               
authentication=getJDBCAuthentication(authentication,encoder);
+                       }catch (BadCredentialsException e) {
+                       }catch (AuthenticationServiceException e) {
+                       }catch (AuthenticationException e) {
+                       }catch (Exception e) {
+                       }
+                       if(authentication!=null && 
authentication.isAuthenticated()){
+                               return authentication;
+                       }
+                       if(authentication!=null && 
!authentication.isAuthenticated()){
+                               encoder="MD5";
+                               String userName = authentication.getName();
+                               String userPassword = null;
+                               if (authentication.getCredentials() != null) {
+                                       userPassword = 
authentication.getCredentials().toString();
+                               }
+                               try{
+                                       
authentication=getJDBCAuthentication(authentication,encoder);
+                               }catch (BadCredentialsException e) {
+                                       throw e;
+                               }catch (AuthenticationServiceException e) {
+                                       throw e;
+                               }catch (AuthenticationException e) {
+                                       throw e;
+                               }catch (Exception e) {
+                                       throw e;
+                               }
+                               if(authentication!=null && 
authentication.isAuthenticated()){
+                                       
userMgr.updatePasswordInSHA256(userName,userPassword);
+                                       return authentication;
+                               }else{
+                                       return authentication;
+                               }
                        }
-                       return null;
+                       return authentication;
                }
-               return null;
+               return authentication;
        }
 
        private Authentication getLdapAuthentication(Authentication 
authentication) {
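Review bot: The first `getJDBCAuthentication(authentication,encoder)` call is wrapped in four empty catch blocks, so a SHA-256 mismatch, a database outage (`AuthenticationServiceException`) and even a `NullPointerException` from a null `authentication` are all discarded without a log line before the code proceeds to a second database round-trip with MD5. Only `BadCredentialsException` is the expected signal that the stored hash is still MD5; narrow the first block to `} catch (BadCredentialsException e) { /* stored hash may still be MD5; retried with the MD5 encoder below */ }` and let everything else propagate, which also stops outages being masked until the second attempt. The `catch (X e) { throw e; }` chain in the MD5 branch is a no-op and can be removed (the same pattern appears in `getJDBCAuthentication` below). When the MD5 path succeeds and `userMgr.updatePasswordInSHA256` runs, log it at info — `logger.info("Migrated stored password hash to SHA-256 for user " + userName);`, never the password — so the one-time migration is auditable and the MD5 fallback can be retired once no such events remain. `authenticate` begins before this hunk.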
@@ -410,4 +470,48 @@ public class RangerAuthenticationProvider implements 
AuthenticationProvider {
                }
                return authentication;
        }
+
+       private Authentication getJDBCAuthentication(Authentication 
authentication,String encoder) throws AuthenticationException{
+               try {
+
+                       ReflectionSaltSource saltSource = new 
ReflectionSaltSource();
+                       saltSource.setUserPropertyToUse("username");
+
+                       DaoAuthenticationProvider authenticator = new 
DaoAuthenticationProvider();
+                       authenticator.setUserDetailsService(userDetailsService);
+                       if(encoder!=null && "SHA256".equalsIgnoreCase(encoder)){
+                               authenticator.setPasswordEncoder( new 
ShaPasswordEncoder(256));
+                       }else if(encoder!=null && 
"MD5".equalsIgnoreCase(encoder)){
+                               authenticator.setPasswordEncoder( new 
Md5PasswordEncoder());
+                       }
+
+                       authenticator.setSaltSource(saltSource);
+
+                       String userName = authentication.getName();
+                       String userPassword = "";
+                       if (authentication.getCredentials() != null) {
+                               userPassword = 
authentication.getCredentials().toString();
+                       }
+                       String rangerLdapDefaultRole = 
PropertiesUtil.getProperty("ranger.ldap.default.role", "ROLE_USER");
+                       if (userName != null && userPassword != null && 
!userName.trim().isEmpty()&& !userPassword.trim().isEmpty()) {
+                               final List<GrantedAuthority> grantedAuths = new 
ArrayList<>();
+                               grantedAuths.add(new 
SimpleGrantedAuthority(rangerLdapDefaultRole));
+                               grantedAuths.add(new 
SimpleGrantedAuthority("ROLE_SYS_ADMIN"));
+                               grantedAuths.add(new 
SimpleGrantedAuthority("ROLE_KEY_ADMIN"));
+                               final UserDetails principal = new 
User(userName, userPassword,grantedAuths);
+                               final Authentication finalAuthentication = new 
UsernamePasswordAuthenticationToken(principal, userPassword, grantedAuths);
+                               authentication= 
authenticator.authenticate(finalAuthentication);
+                               return authentication;
+                       }
+               } catch (BadCredentialsException e) {
+                       throw e;
+               }catch (AuthenticationServiceException e) {
+                       throw e;
+               }catch (AuthenticationException e) {
+                       throw e;
+               }catch (Exception e) {
+                       throw e;
+               }
+               return authentication;
+       }
 }
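Review bot: In `getJDBCAuthentication`, when `encoder` matches neither `"SHA256"` nor `"MD5"` the `if`/`else if` around the `setPasswordEncoder` calls falls through and the `DaoAuthenticationProvider` keeps its built-in default encoder (a plaintext comparison in the Spring Security 3.x line this code appears to target — confirm); add `} else { throw new IllegalArgumentException("Unsupported password encoder: " + encoder); }` so a mistyped encoder name can never weaken the check. The input token is built with hard-coded `ROLE_SYS_ADMIN` and `ROLE_KEY_ADMIN` authorities; I believe `DaoAuthenticationProvider` rebuilds the result token's authorities from the `UserDetails` loaded through `userDetailsService`, so these should not reach the session, but that needs confirming and the list should be reduced to `rangerLdapDefaultRole` to remove the ambiguity. The four `catch (X e) { throw e; }` clauses are a no-op and can be deleted, and `userPassword != null` is always true since it is initialised to `""`. Creating a new `ReflectionSaltSource` and `DaoAuthenticationProvider` on every login could become two static fields, one per encoder, unless the provider is known to be unsafe to share.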

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/64582f02/security-admin/src/main/java/org/apache/ranger/security/web/authentication/RangerAuthFailureHandler.java
----------------------------------------------------------------------
diff --git 
a/security-admin/src/main/java/org/apache/ranger/security/web/authentication/RangerAuthFailureHandler.java
 
b/security-admin/src/main/java/org/apache/ranger/security/web/authentication/RangerAuthFailureHandler.java
index b302888..94ce93a 100644
--- 
a/security-admin/src/main/java/org/apache/ranger/security/web/authentication/RangerAuthFailureHandler.java
+++ 
b/security-admin/src/main/java/org/apache/ranger/security/web/authentication/RangerAuthFailureHandler.java
@@ -84,7 +84,10 @@ ExceptionMappingAuthenticationFailureHandler {
                                if(msg.equalsIgnoreCase("Bad credentials")){
                                        
vXResponse.setStatusCode(HttpServletResponse.SC_UNAUTHORIZED);
                                        vXResponse.setMsgDesc("The username or 
password you entered is incorrect..");
-                               }else{
+                               }else if(msg.contains("Could not get JDBC 
Connection; nested exception is java.sql.SQLException: Connections could not be 
acquired from the underlying database!")){
+                                       
vXResponse.setStatusCode(HttpServletResponse.SC_UNAUTHORIZED);
+                                       vXResponse.setMsgDesc("Unable to 
connect to DB..");
+                               }else if(msg.contains("Communications link 
failure")){
                                        
vXResponse.setStatusCode(HttpServletResponse.SC_UNAUTHORIZED);
                                        vXResponse.setMsgDesc("Unable to 
connect to DB..");
                                }
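Review bot: The two new branches match substrings of driver-specific exception text (`"Could not get JDBC Connection; ..."`, `"Communications link failure"`) and then set an identical response, so they are both brittle and duplicated; if the exception object is reachable in the enclosing method (it begins before this hunk), prefer `exception instanceof AuthenticationServiceException`, which is what the provider now propagates on infrastructure failure, and merge the two bodies into one. A database outage is also not an authentication failure: `HttpServletResponse.SC_SERVICE_UNAVAILABLE` would let clients and monitoring tell "wrong password" from "backend down" instead of both arriving as 401. The text `"Unable to connect to DB.."` is returned to an unauthenticated client; a generic "login temporarily unavailable" message, with the driver detail kept in the server log, keeps backend state out of the response.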

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/64582f02/security-admin/src/main/resources/conf.dist/security-applicationContext.xml
----------------------------------------------------------------------
diff --git 
a/security-admin/src/main/resources/conf.dist/security-applicationContext.xml 
b/security-admin/src/main/resources/conf.dist/security-applicationContext.xml
index f58b7ba..a648809 100644
--- 
a/security-admin/src/main/resources/conf.dist/security-applicationContext.xml
+++ 
b/security-admin/src/main/resources/conf.dist/security-applicationContext.xml
@@ -147,11 +147,11 @@ 
http://www.springframework.org/schema/security/spring-security-oauth2-1.0.xsd";>
                <!-- LDAP_SEC_SETTINGS_END -->
                <!-- UNIX_SEC_SETTINGS_START -->
                <!-- UNIX_SEC_SETTINGS_END -->
-               <security:authentication-provider 
user-service-ref="userService">
+               <!-- <security:authentication-provider 
user-service-ref="userService">
                        <security:password-encoder hash="md5">
                                <security:salt-source user-property="username"/>
                        </security:password-encoder>
-               </security:authentication-provider>
+               </security:authentication-provider> -->
                <!--   security:authentication-provider 
ref="rememberMeAuthenticationProvider"/ -->
        </security:authentication-manager>
 
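Review bot: The `security:authentication-provider` bean is commented out rather than removed, which leaves a `hash="md5"` encoder stanza in the shipped configuration that an operator may well re-enable; since JDBC password login now lives in `RangerAuthenticationProvider`, delete the block (history keeps it) or replace it with a one-line comment `<!-- JDBC password login is handled by RangerAuthenticationProvider (SHA-256, with MD5 fallback for unmigrated users) -->`. The `userService` bean this provider referenced must still be defined elsewhere in the context, because the Java side now injects it via `@Qualifier("userService")`; worth confirming it is not dropped along with this block.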
