-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/62769/
-----------------------------------------------------------

(Updated Oct. 13, 2017, 12:25 p.m.)

Review request for atlas, Apoorv Naik, Ashutosh Mestry, Madhan Neethiraj, and Sarath Subramanian.

Changes
-------

This patch includes changes to block proxy users in Kerberos authentication. The proxy user list is read from atlas-application via the property atlas.proxyusers, and authentication is denied for this set of users.

Testing done:

Verified adding the custom property atlas.proxyusers with one or more CSV users and checked that access is blocked with a 401 error code for those users.
Verified curl request with Kerberos negotiate header with Knox proxy URL is blocked as intended, since the Knox identity is appended.
Verified Simple AtlasAuthorization Filter being called properly from Kerberos-based login from browser as well as curl.
Kinit and try accessing Atlas UI from proxy URL and it's falling to login first and then login.
Form-based login is happening fine, even if there is a kinit done on the desktop.
Curl request with Kerberos negotiate header without proxy is happening properly.
Verified Ranger Authorization for Kerberos and login-based authentication process.
Verified Atlas UI with Knox SSO enabled, with and without proxy.
Verified Atlas API with Knox SSO enabled, with and without proxy.

Bugs: ATLAS-2166
    https://issues.apache.org/jira/browse/ATLAS-2166

Repository: atlas

Description
-------

Bug description: On refreshing an Atlas page logged in via Knox proxy, which has ATLASSESSION ID expired (idle for a long time), it logs in as the knox user.

Fix description: ATLAS-2166 - Added validation to prevent Kerberos authentication when knox-proxy adds hadoop-auth header to proxied request.

Diffs (updated)
-----

  webapp/src/main/java/org/apache/atlas/web/filters/AtlasAuthenticationFilter.java 444b094

Diff: https://reviews.apache.org/r/62769/diff/3/

Changes: https://reviews.apache.org/r/62769/diff/2-3/

Testing
-------

Tested Atlas UI/API with Atlas and Knox in a Kerberized environment, with and without proxy, and also with SSO on/off.
Tested curl call with --negotiate headers.
Tested curl call with hadoop-jwt Knox cookie header.

Thanks,

Nixon Rodrigues
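
The deny-list behaviour described in the Changes section, as an added example that is not part of the original e-mail and is not the AtlasAuthenticationFilter code from the patch. It shows why the comparison has to be made on a normalized name: a service principal carries a host and realm that a plain string comparison against the CSV entry would miss. Assumptions: the class ProxyUserDenyList, its methods, matching on the Kerberos short name, and the sample principals are all hypothetical; only the property name atlas.proxyusers and the 401 response come from the message.

```java
import java.util.Arrays;
import java.util.Properties;
import java.util.Set;
import java.util.stream.Collectors;

// Hypothetical illustration of a proxy-user deny list for Kerberos logins.
public class ProxyUserDenyList {
    private final Set<String> blocked;

    // Parse the comma-separated atlas.proxyusers value; blank entries are dropped
    // so that an unset or empty property blocks nobody.
    public ProxyUserDenyList(Properties conf) {
        String csv = conf.getProperty("atlas.proxyusers", "");
        this.blocked = Arrays.stream(csv.split(","))
                .map(String::trim)
                .filter(s -> !s.isEmpty())
                .collect(Collectors.toSet());
    }

    // Assumption: compare on the short name, the part before the first '/' or '@'.
    static String shortName(String principal) {
        int cut = principal.length();
        int slash = principal.indexOf('/');
        int at = principal.indexOf('@');
        if (slash >= 0) cut = Math.min(cut, slash);
        if (at >= 0) cut = Math.min(cut, at);
        return principal.substring(0, cut);
    }

    // HTTP status a filter would send for a Kerberos-authenticated principal:
    // 401 for a missing principal or a listed proxy user, 200 otherwise.
    public int statusFor(String principal) {
        if (principal == null || blocked.contains(shortName(principal))) {
            return 401;
        }
        return 200;
    }

    public static void main(String[] args) {
        Properties conf = new Properties();
        conf.setProperty("atlas.proxyusers", "knox, gateway"); // constructed sample value
        ProxyUserDenyList deny = new ProxyUserDenyList(conf);
        // Constructed sample principals
        String[] samples = {"knox/gw.example.com@EXAMPLE.COM", "alice@EXAMPLE.COM", "gateway"};
        for (String p : samples) {
            System.out.println(p + " -> " + deny.statusFor(p));
        }
    }
}
```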