Repository: incubator-ranger
Updated Branches:
  refs/heads/master 99469d9b9 -> 8057944c2


RANGER-765 : Handle logout scenario for knox sso disabled case


Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/8057944c
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/8057944c
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/8057944c

Branch: refs/heads/master
Commit: 8057944c2ee659fa3d97969811a59ae9c380eab6
Parents: 99469d9
Author: Gautam Borad <[email protected]>
Authored: Fri Dec 4 12:34:28 2015 +0530
Committer: Gautam Borad <[email protected]>
Committed: Sat Dec 5 12:27:34 2015 +0530

----------------------------------------------------------------------
 security-admin/scripts/setup.sh                 |  5 +++
 .../filter/RangerSSOAuthenticationFilter.java   | 34 +++++++++++++++++---
 .../conf.dist/security-applicationContext.xml   |  2 +-
 .../src/main/webapp/scripts/utils/XAUtils.js    | 34 +++++++++++++++++---
 4 files changed, 66 insertions(+), 9 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/8057944c/security-admin/scripts/setup.sh
----------------------------------------------------------------------
diff --git a/security-admin/scripts/setup.sh b/security-admin/scripts/setup.sh
index 6753d8d..ce08686 100755
--- a/security-admin/scripts/setup.sh
+++ b/security-admin/scripts/setup.sh
@@ -688,6 +688,11 @@ update_properties() {
                propertyName=ranger.sso.query.param.originalurl
                newPropertyValue="${sso_query_param_originalurl}"
                updatePropertyToFilePy $propertyName $newPropertyValue 
$to_file_ranger
+        else
+                propertyName=ranger.sso.enabled
+                newPropertyValue="false"
+                updatePropertyToFilePy $propertyName $newPropertyValue 
$to_file_ranger
+
        fi
 }
 

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/8057944c/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerSSOAuthenticationFilter.java
----------------------------------------------------------------------
diff --git 
a/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerSSOAuthenticationFilter.java
 
b/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerSSOAuthenticationFilter.java
index f79db6b..b5a5268 100644
--- 
a/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerSSOAuthenticationFilter.java
+++ 
b/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerSSOAuthenticationFilter.java
@@ -28,6 +28,7 @@ import com.nimbusds.jwt.SignedJWT;
 
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
+import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.security.authentication.AbstractAuthenticationToken;
 import 
org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
 import org.springframework.security.core.Authentication;
@@ -49,9 +50,11 @@ import java.security.cert.CertificateException;
 import java.security.interfaces.RSAPublicKey;
 import java.text.ParseException;
 import java.util.ArrayList;
+import java.util.Collection;
 import java.util.Date;
 import java.util.List;
 
+import org.apache.ranger.biz.UserMgr;
 import org.apache.ranger.common.PropertiesUtil;
 import org.apache.ranger.common.UserSessionBase;
 import org.apache.ranger.security.context.RangerContextHolder;
@@ -82,7 +85,10 @@ public class RangerSSOAuthenticationFilter implements Filter 
{
        private RSAPublicKey publicKey = null;
        private String cookieName = "hadoop-jwt";
        private boolean ssoEnabled = false;
-
+       
+       @Autowired
+       UserMgr userMgr;
+       
        @Inject
        public RangerSSOAuthenticationFilter(){
                jwtProperties = getJwtProperties();
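Review bot: The new `userMgr` field has no access modifier and is populated only by field injection, yet `getAuthorities` (added further down in this file) dereferences it with no null check. If the filter is ever built outside the Spring container, the first SSO login will fail with a NullPointerException inside the filter chain; this same file already constructs `RangerAuthenticationProvider` with `new`, so manual construction is an existing pattern here. I would declare it `private UserMgr userMgr;` and have `getAuthorities` fail with a clear message when it is null, for example `if (userMgr == null) { throw new IllegalStateException("UserMgr was not injected"); }`. The constructor body continues outside this hunk, so whether anything else initialises the field cannot be seen from here.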
@@ -155,15 +161,14 @@ public class RangerSSOAuthenticationFilter implements 
Filter {
                                                        if (userName != null && 
!userName.trim().isEmpty()) {
                                                                final 
List<GrantedAuthority> grantedAuths = new ArrayList<>();
                                                                
grantedAuths.add(new SimpleGrantedAuthority(rangerLdapDefaultRole));
-                                                               
grantedAuths.add(new SimpleGrantedAuthority("ROLE_SYS_ADMIN"));
-                                                               
grantedAuths.add(new SimpleGrantedAuthority("ROLE_KEY_ADMIN"));
                                                                final 
UserDetails principal = new User(userName, "",grantedAuths);
                                                                final 
Authentication finalAuthentication = new 
UsernamePasswordAuthenticationToken(principal, "", grantedAuths);
                                                                
WebAuthenticationDetails webDetails = new WebAuthenticationDetails(httpRequest);
                                                                
((AbstractAuthenticationToken) finalAuthentication).setDetails(webDetails);
                                                                
RangerAuthenticationProvider authenticationProvider = new 
RangerAuthenticationProvider();
                                                                
authenticationProvider.setSsoEnabled(ssoEnabled);
-                                                               final 
Authentication authentication = 
authenticationProvider.authenticate(finalAuthentication);                       
                                  
+                                                               Authentication 
authentication = authenticationProvider.authenticate(finalAuthentication);
+                                                               authentication 
= getGrantedAuthority(authentication);
                                                                
SecurityContextHolder.getContext().setAuthentication(authentication);
                                                        }
                                                        
@@ -206,6 +211,27 @@ public class RangerSSOAuthenticationFilter implements 
Filter {
                }
        }
 
+       private Authentication getGrantedAuthority(Authentication 
authentication) {
+               UsernamePasswordAuthenticationToken result=null;
+               if(authentication!=null && authentication.isAuthenticated()){
+                       final List<GrantedAuthority> 
grantedAuths=getAuthorities(authentication.getName().toString());
+                       final UserDetails userDetails = new 
User(authentication.getName().toString(), 
authentication.getCredentials().toString(),grantedAuths);
+                       result = new 
UsernamePasswordAuthenticationToken(userDetails,authentication.getCredentials(),grantedAuths);
+                       result.setDetails(authentication.getDetails());
+                       return result;
+               }
+               return authentication;
+       }
+       
+       private List<GrantedAuthority> getAuthorities(String username) {
+               Collection<String> roleList=userMgr.getRolesByLoginId(username);
+               final List<GrantedAuthority> grantedAuths = new ArrayList<>();
+               for(String role:roleList){
+                       grantedAuths.add(new SimpleGrantedAuthority(role));
+               }
+               return grantedAuths;
+       }
+
        private boolean isWebUserAgent(String userAgent) {
                boolean isWeb = false;
                if (jwtProperties != null) {
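Review bot: `getGrantedAuthority` calls `authentication.getCredentials().toString()` and `getAuthorities` iterates the result of `userMgr.getRolesByLoginId(username)`, both without a null check, so a provider that clears credentials or a lookup that returns null would throw in the middle of the login path. The rebuilt token carries only the roles read from the database, which means the `rangerLdapDefaultRole` still added in the `@@ -155,15 +161,14 @@` hunk is discarded, and a user with a valid JWT but no Ranger roles ends up authenticated with an empty authority list. If that is intended, it deserves a comment on `getGrantedAuthority`, since the commit title mentions only logout and this is the change that stops every SSO user from receiving the admin roles. The `.toString()` calls on `getName()` are redundant because it already returns a String. `isWebUserAgent` at the end of the hunk continues outside it.

```java
private Authentication getGrantedAuthority(Authentication authentication) {
        if (authentication == null || !authentication.isAuthenticated()) {
                return authentication;
        }
        final String loginId = authentication.getName();
        final Object credentials = authentication.getCredentials();
        // User(...) rejects a null password; fall back to the empty string the filter already passes in
        final String password = credentials == null ? "" : credentials.toString();
        // Authorities come only from Ranger's own role store; nothing from the incoming token is kept
        final List<GrantedAuthority> grantedAuths = getAuthorities(loginId);
        final UserDetails userDetails = new User(loginId, password, grantedAuths);
        final UsernamePasswordAuthenticationToken result =
                        new UsernamePasswordAuthenticationToken(userDetails, credentials, grantedAuths);
        result.setDetails(authentication.getDetails());
        return result;
}

private List<GrantedAuthority> getAuthorities(String username) {
        final List<GrantedAuthority> grantedAuths = new ArrayList<>();
        final Collection<String> roleList = userMgr.getRolesByLoginId(username);
        if (roleList != null) {
                for (String role : roleList) {
                        grantedAuths.add(new SimpleGrantedAuthority(role));
                }
        }
        return grantedAuths;
}
```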

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/8057944c/security-admin/src/main/resources/conf.dist/security-applicationContext.xml
----------------------------------------------------------------------
diff --git 
a/security-admin/src/main/resources/conf.dist/security-applicationContext.xml 
b/security-admin/src/main/resources/conf.dist/security-applicationContext.xml
index 1aead32..2f711ad 100644
--- 
a/security-admin/src/main/resources/conf.dist/security-applicationContext.xml
+++ 
b/security-admin/src/main/resources/conf.dist/security-applicationContext.xml
@@ -53,7 +53,7 @@ 
http://www.springframework.org/schema/security/spring-security-oauth2-1.0.xsd";>
                <security:custom-filter position="LAST" 
ref="userContextFormationFilter"/>
 
                <security:access-denied-handler 
error-page="/public/failedLogin.jsp?access_denied=1"/>
-               <security:logout delete-cookies="JSESSIONID,hadoop-jwt,xa_rmc" 
logout-url="/logout.html" success-handler-ref="customLogoutSuccessHandler" />
+               <security:logout delete-cookies="JSESSIONID,xa_rmc" 
logout-url="/logout.html" success-handler-ref="customLogoutSuccessHandler" />
                <http-basic 
entry-point-ref="authenticationProcessingFilterEntryPoint"/>
        </security:http>
 
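Review bot: With `hadoop-jwt` removed from `delete-cookies` on the `<security:logout>` element, a logout while SSO is enabled leaves the JWT cookie in the browser. RangerSSOAuthenticationFilter defaults to `cookieName = "hadoop-jwt"`, so the next request presumably signs the user straight back in until the token expires. The change fits the SSO-disabled case named in the commit title, but the SSO-enabled behaviour should be stated next to the element. I would add a comment such as `<!-- hadoop-jwt belongs to the SSO provider and is not cleared here; an SSO session must be ended at the provider -->`. Whether `customLogoutSuccessHandler` already redirects to the provider's logout is not visible in this hunk.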

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/8057944c/security-admin/src/main/webapp/scripts/utils/XAUtils.js
----------------------------------------------------------------------
diff --git a/security-admin/src/main/webapp/scripts/utils/XAUtils.js 
b/security-admin/src/main/webapp/scripts/utils/XAUtils.js
index 0f3aa3d..aa904a8 100644
--- a/security-admin/src/main/webapp/scripts/utils/XAUtils.js
+++ b/security-admin/src/main/webapp/scripts/utils/XAUtils.js
@@ -1033,13 +1033,39 @@ define(function(require) {
                        var vError = require('views/common/ErrorView');
                        var App = require('App');
                        var that = this;
+                       var checksso = 'false';
+                       var url = 'service/plugins/checksso';
+                       $.ajax({
+                               url : url,
+                               async : false,
+                               type : 'GET',
+                               headers : {
+                                       "cache-control" : "no-cache"
+                               },
+                               success : function(resp) {
+                                       checksso = resp;
+                               },
+                               error : function(jqXHR, textStatus, err ) {     
                
+                                       console.log("Error in 
service/plugins/checksso REST call" + jqXHR.status);
+                                       checksso = jqXHR.status;
+                               }
+                       });
                        var vXPortalUser = SessionMgr.getUserProfile();
                        if(_.isEmpty(vXPortalUser.attributes)){
-                               App.rContent.show(new vError({
-                                        status : 204
-                               }));
-                               return;
+                               if(!_.isUndefined(checksso)){
+                                       if(checksso == '404' || checksso == 
'true'){
+                                               App.rContent.show(new vError({
+                                                        status : 204
+                                               }));
+                                               return;
+                                       }else{
+                                               return controller;
+                                       }
+                               } else {
+                                       return controller;
+                               }                               
                        }
+                       
                        var denyControllerActions = [], denyModulesObj = [];
                        var userModuleNames = 
_.pluck(vXPortalUser.get('userPermList'),'moduleName');
                        //TODO Temporary fix for tag based policies : need to 
come from server
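Review bot: When the user profile is empty, the new branch returns the unfiltered `controller` for every `checksso` value other than `'404'` or `'true'`, so a 500, a 401 or a dropped connection (status 0) from `service/plugins/checksso` skips the deny-list filtering below instead of showing the error view. The comparison is also fragile: if jQuery parses the response as JSON, `resp` is the boolean `true` and `true == 'true'` is false in JavaScript, which again falls through to `return controller`. I would treat only an explicit "SSO disabled" answer as permission to continue, for example `if (String(checksso) !== 'false') {` around the error view. The `!_.isUndefined(checksso)` test can go, because the variable is initialised to `'false'` and its `else` branch is unreachable. `async : false` blocks the UI thread and is deprecated in jQuery; the enclosing function starts and ends outside this hunk, so moving to a callback would need the full body.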
