-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/62769/
-----------------------------------------------------------

(Updated Oct. 13, 2017, 12:25 p.m.)


Review request for atlas, Apoorv Naik, Ashutosh Mestry, Madhan Neethiraj, and 
Sarath Subramanian.


Changes
-------

This patch includes changes to block proxy users in Kerberos authentication; the 
proxyuserlist is read from atlas-application via property atlas.proxyusers, and 
authentication is denied for this set of users.

Testing done.

Verified adding custom property atlas.proxyusers with one or more CSV users 
and checked that access is blocked with a 401 error code for that user.
Verified curl request with Kerberos negotiate header with Knox proxy URL is 
blocked as intended since Knox identity is appended.
Verified Simple AtlasAuthorization Filter being called properly from Kerberos 
based login from browser as well as curl.
Kinit and try accessing Atlas UI from proxy URL and it's falling to login first 
and then login.
Form based login is happening fine, even if there is kinit done on desktop.
Curl request with Kerberos negotiate header without proxy happening properly.
Verified Ranger Authorization for Kerberos and login based authentication 
process.
Verified Atlas UI with Knox SSO enabled with & without proxy.
Verified Atlas API with Knox SSO enabled with & without proxy.


Bugs: ATLAS-2166
    https://issues.apache.org/jira/browse/ATLAS-2166


Repository: atlas


Description
-------

Bug description:-
On refreshing Atlas page logged in via Knox proxy, which has ATLASSESSION ID 
expired (idle for a long time), logs in as knox user.

Fix Description :-

ATLAS-2166 - Added validation to prevent kerberos authentication when 
knox-proxy adds hadoop-auth header to proxied request


Diffs (updated)
-----

  
  webapp/src/main/java/org/apache/atlas/web/filters/AtlasAuthenticationFilter.java 444b094


Diff: https://reviews.apache.org/r/62769/diff/3/

Changes: https://reviews.apache.org/r/62769/diff/2-3/


Testing
-------

Tested Atlas UI/API with Atlas and Knox Kerberized env with & without proxy 
and also with SSO on/off.
Tested curl call with --negotiate headers.
Tested curl call with hadoop-jwt Knox cookie header.


Thanks,

Nixon Rodrigues
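
Added example, not part of the review request and not the Atlas patch itself: a minimal sketch of the deny-list check described under "Changes", where the CSV in atlas.proxyusers is parsed once and a Kerberos-authenticated principal whose short name is in that set gets a 401. The class name `ProxyUserCheck`, the simplified short-name rule, the case-insensitive match and all sample principals are assumptions made for illustration.

```java
import java.util.Arrays;
import java.util.Locale;
import java.util.Properties;
import java.util.Set;
import java.util.stream.Collectors;

/** Hypothetical helper (not Atlas code): deny Kerberos logins for configured proxy users. */
public class ProxyUserCheck {
    static final int SC_OK = 200;
    static final int SC_UNAUTHORIZED = 401;

    private final Set<String> blocked;

    ProxyUserCheck(Properties conf) {
        // atlas.proxyusers is the CSV property named in the review request.
        String csv = conf.getProperty("atlas.proxyusers", "");
        blocked = Arrays.stream(csv.split(","))
                .map(String::trim)
                .filter(s -> !s.isEmpty())              // tolerate "a,,b" and trailing commas
                .map(s -> s.toLowerCase(Locale.ROOT))   // assumption: match case-insensitively
                .collect(Collectors.toSet());
    }

    /** Assumption: short name is the text before the first '/' or '@' of the principal. */
    static String shortName(String principal) {
        if (principal == null) return "";
        return principal.split("[/@]", 2)[0].trim().toLowerCase(Locale.ROOT);
    }

    /** Status a filter would return once SPNEGO has yielded this principal. */
    int statusFor(String principal) {
        String user = shortName(principal);
        // Fail closed: an empty principal is rejected the same way as a listed proxy user.
        if (user.isEmpty() || blocked.contains(user)) return SC_UNAUTHORIZED;
        return SC_OK;
    }

    public static void main(String[] args) {
        Properties conf = new Properties();
        conf.setProperty("atlas.proxyusers", "knox, gateway-svc,"); // constructed value
        ProxyUserCheck check = new ProxyUserCheck(conf);
        String[] samples = {                                        // constructed principals
            "knox/gw1.example.com@EXAMPLE.COM", "KNOX@EXAMPLE.COM",
            "alice@EXAMPLE.COM", "@EXAMPLE.COM"
        };
        for (String p : samples) {
            System.out.println(p + " -> " + check.statusFor(p));
        }
    }
}
```

A production filter would derive the short name through the cluster's configured principal-mapping rules rather than the string split used here, so that the deny list is compared against the same name the rest of the stack sees.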
