Review Request 68363: ATLAS-2824 :- Atlas to support Trusted Knox Proxy

Wed, 15 Aug 2018 10:26:26 -0700 

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/68363/
-----------------------------------------------------------

Review request for atlas, Apoorv Naik, Ashutosh Mestry, Larry McCay, Madhan 
Neethiraj, and Sarath Subramanian.


Bugs: ATLAS-2824
    https://issues.apache.org/jira/browse/ATLAS-2824


Repository: atlas


Description
-------

This patch includes code to support request from knox proxy, where the proxy is 
already known and trusted to Atlas via configuration. Atlas intercepts the 
incoming requests and if it from knox proxy. Atlas allow the knox's doAs user 
to create session in Atlas. 

Configs required:-

atlas.authentication.allow.trustedproxy :- property allow trusted proxy support
atlas.proxyuser.knox.hosts :- property to add trusted hosts
atlas.proxyuser.knox.users :- property to add trusted users
atlas.proxyuser.knox.groups :- property to add trusted groups


Diffs
-----

  
webapp/src/main/java/org/apache/atlas/web/filters/AtlasAuthenticationFilter.java
 e5c40d061 
  webapp/src/main/java/org/apache/atlas/web/security/AtlasSecurityConfig.java 
64c95203c 


Diff: https://reviews.apache.org/r/68363/diff/1/


Testing
-------

Tested 

* Atlas UI from  Trusted Knox Proxy with Knox SSO loginpage.
* Atlas UI from  Knox Proxy with Atlas Login.
* Atlas UI from  Knox Proxy with SSO Filter enabled at Atlas.
* Atlas UI with Atlas Login.
* Atlas api from curl with BASIS & Kerberos headers


https://builds.apache.org/job/PreCommit-ATLAS-Build-Test/573/console

Topology Used:-


<topology>
  <gateway>
????????<provider>
????????????<role>federation</role>
????????????<name>SSOCookieProvider</name>
????????????<enabled>true</enabled>
????????????<param>
????????????????<name>sso.authentication.provider.url</name>
????????????????<value>{KNOXHOST}/gateway/knoxsso/knoxauth/login.html</value>
????????????</param>
????????</provider>
????????<provider>
????????????<role>identity-assertion</role>
????????????<name>Default</name>
????????????<enabled>true</enabled>
????????</provider>
  </gateway>
  <service>
      <role>ATLAS</role>
      <url>{ATLAS_HOST}:21000/</url>
  </service>
  <service>
      <role>ATLAS-API</role>
      <url>{ATLAS_HOST}:21000</url>
  </service>
</topology>


Thanks,

Nixon Rodrigues

Reply via email to