Re: Review Request 68363: ATLAS-2824 :- Atlas to support Trusted Knox Proxy

Fri, 02 Nov 2018 07:33:26 -0700 

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/68363/
-----------------------------------------------------------

(Updated Nov. 2, 2018, 2:33 p.m.)


Review request for atlas, Apoorv Naik, Ashutosh Mestry, Larry McCay, Madhan 
Neethiraj, and Sarath Subramanian.


Changes
-------

This patch implements hadoop proxyuser implementation for proxy with doAs


Bugs: ATLAS-2824
    https://issues.apache.org/jira/browse/ATLAS-2824


Repository: atlas


Description
-------

This patch includes code to support request from knox proxy, where the proxy is 
already known and trusted to Atlas via configuration. Atlas intercepts the 
incoming requests and if it from knox proxy. Atlas allow the knox's doAs user 
to create session in Atlas. 

Configs required:-

atlas.authentication.allow.trustedproxy :- property allow trusted proxy support
atlas.proxyuser.knox.hosts :- property to add trusted hosts
atlas.proxyuser.knox.users :- property to add trusted users
atlas.proxyuser.knox.groups :- property to add trusted groups


Diffs (updated)
-----

  
webapp/src/main/java/org/apache/atlas/web/filters/AtlasAuthenticationFilter.java
 9a13cea65 
  webapp/src/main/java/org/apache/atlas/web/filters/AtlasProxyUsers.java 
PRE-CREATION 


Diff: https://reviews.apache.org/r/68363/diff/4/

Changes: https://reviews.apache.org/r/68363/diff/3-4/


Testing
-------

Tested 

* Atlas UI from  Trusted Knox Proxy with Knox SSO loginpage.
* Atlas UI from  Knox Proxy with Atlas Login.
* Atlas UI from  Knox Proxy with SSO Filter enabled at Atlas.
* Atlas UI with Atlas Login.
* Atlas api from curl with BASIS & Kerberos headers


https://builds.apache.org/job/PreCommit-ATLAS-Build-Test/573/console

Topology Used:-


<topology>
  <gateway>
????????<provider>
????????????<role>federation</role>
????????????<name>SSOCookieProvider</name>
????????????<enabled>true</enabled>
????????????<param>
????????????????<name>sso.authentication.provider.url</name>
????????????????<value>{KNOXHOST}/gateway/knoxsso/knoxauth/login.html</value>
????????????</param>
????????</provider>
????????<provider>
????????????<role>identity-assertion</role>
????????????<name>Default</name>
????????????<enabled>true</enabled>
????????</provider>
  </gateway>
  <service>
      <role>ATLAS</role>
      <url>{ATLAS_HOST}:21000/</url>
  </service>
  <service>
      <role>ATLAS-API</role>
      <url>{ATLAS_HOST}:21000</url>
  </service>
</topology>


Thanks,

Nixon Rodrigues

Reply via email to