> On Sept. 20, 2016, 12:59 p.m., Jonathan Hurley wrote:
> > ambari-server/src/main/java/org/apache/ambari/server/security/AmbariEntryPoint.java,
> >  lines 39-41
> > <https://reviews.apache.org/r/52068/diff/1/?file=1504188#file1504188line39>
> >
> >     Should this check to see if an auth token is already supplied in the 
> > request before returning the 401?

We only get here if authentication has failed. So if the authentication token 
was supplied and validated, then the flow would lead somewhere else.  The name 
of the class and usage of it seems confusing, but it is a Spring thing.  
Apparently if (and only if) authentication fails, then 
`org.apache.ambari.server.security.AmbariEntryPoint#commence` is invoked.  So 
this is where we determine how to respond to the failure.  I am not sure if 
this is its only usage, but from existing Ambari code and some examples on the 
web, this is what it looks like to me.


> On Sept. 20, 2016, 12:59 p.m., Jonathan Hurley wrote:
> > ambari-server/src/main/java/org/apache/ambari/server/security/authentication/kerberos/AmbariAuthToLocalUserDetailsService.java,
> >  lines 121-126
> > <https://reviews.apache.org/r/52068/diff/1/?file=1504189#file1504189line121>
> >
> >     I think it's fine to keep this as-is for now; however is there a 
> > performant way that we can determine if there are more than 1 match and log 
> > a warning about it? Could really help debugging issues in the future.

This is why I made it a preferred order list. I hope to change the whole Ambari 
user database mechanism in the future as this is not optimal.


- Robert


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/52068/#review149673
-----------------------------------------------------------


On Sept. 20, 2016, 10:41 a.m., Robert Levas wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/52068/
> -----------------------------------------------------------
> 
> (Updated Sept. 20, 2016, 10:41 a.m.)
> 
> 
> Review request for Ambari, Jonathan Hurley, Myroslav Papirkovskyy, and Nate 
> Cole.
> 
> 
> Bugs: AMBARI-18406
>     https://issues.apache.org/jira/browse/AMBARI-18406
> 
> 
> Repository: ambari
> 
> 
> Description
> -------
> 
> Users should be able to authenticate to use Ambari by providing a Kerberos 
> token using SPNEGO - Simple and Protected GSSAPI Negotiation Mechanism.  This 
> includes access to the Ambari REST API as well as the Ambari web-based UI. 
> 
> The implementation should support the ability to perform the full SPNEGO 
> handshake as well as access requests directly providing the appropriate HTTP 
> header containing the Kerberos token. For example:
> 
> ```
> Authorization: Negotiate YIICcgY...r/vJcLO
> ```
> In the full handshake model
> - The client requests access to a web resource
> - The server responds with an HTTP 401 status (`Unauthorized`), including the 
> header `WWW-Authenticate: Negotiate`
> - The client generates the Kerberos data and creates a new request containing 
> the authentication header - `Authorization: Negotiate YIICcgY...r/vJcLO`
> 
> Since Ambari needs to generally return an HTTP status of 403 (`Forbidden`) 
> when authentication is needed, a _hint_ must be sent along with the request 
> to indicate to Ambari that Kerberos authentication is desired.  If this _hint_ 
> is received, then Ambari will respond with the appropriate status and header 
> to initiate SPNEGO with the client. This _hint_ is an Ambari-specific header 
> named "X-Negotiate-Authentication" with the value of "true":
> 
> ```
> X-Negotiate-Authentication: true
> ```
> 
> No matter what the handshake mechanism is (or lack of), once the Kerberos 
> token is received by Ambari, Ambari is to parse and validate the token.  If a 
> failure occurs, Ambari is to respond with the appropriate HTTP status and 
> related header(s).  Upon success, the user's principal name is retrieved and 
> converted into a _local_ user name.  The use of an auth-to-local rule set 
> processor may be needed to perform this translation.  Using this _local_ 
> username, an appropriate Ambari user account is located and used as the 
> authenticated user's identity - details, privileges, etc. Failure to find 
> an appropriate Ambari user account is to result in an authentication failure 
> response.
> 
> 
> Diffs
> -----
> 
>   ambari-project/pom.xml 2615b46 
>   ambari-server/pom.xml 323ce22 
>   
> ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java
>  b2fa4c0 
>   
> ambari-server/src/main/java/org/apache/ambari/server/controller/KerberosHelper.java
>  c4d21fc 
>   
> ambari-server/src/main/java/org/apache/ambari/server/controller/KerberosHelperImpl.java
>  5bc5cd8 
>   
> ambari-server/src/main/java/org/apache/ambari/server/security/AmbariEntryPoint.java
>  2028f46 
>   
> ambari-server/src/main/java/org/apache/ambari/server/security/authentication/kerberos/AmbariAuthToLocalUserDetailsService.java
>  PRE-CREATION 
>   
> ambari-server/src/main/java/org/apache/ambari/server/security/authentication/kerberos/AmbariKerberosAuthenticationFilter.java
>  PRE-CREATION 
>   
> ambari-server/src/main/java/org/apache/ambari/server/security/authentication/kerberos/AmbariKerberosTicketValidator.java
>  PRE-CREATION 
>   
> ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/AbstractPrepareKerberosServerAction.java
>  b6b0713 
>   
> ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/ConfigureAmbariIdentitiesServerAction.java
>  PRE-CREATION 
>   
> ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/ConfigureAmbariIndetityServerAction.java
>  96540ef 
>   
> ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/CreatePrincipalsServerAction.java
>  e31e6ff 
>   
> ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/KerberosServerAction.java
>  db210e0 
>   ambari-server/src/main/resources/webapp/WEB-INF/spring-security.xml a86973c 
>   
> ambari-server/src/test/java/org/apache/ambari/server/controller/KerberosHelperTest.java
>  3c97ce9 
>   
> ambari-server/src/test/java/org/apache/ambari/server/security/authentication/kerberos/AmbariAuthToLocalUserDetailsServiceTest.java
>  PRE-CREATION 
>   
> ambari-server/src/test/java/org/apache/ambari/server/security/authentication/kerberos/AmbariKerberosAuthenticationFilterTest.java
>  PRE-CREATION 
>   
> ambari-server/src/test/java/org/apache/ambari/server/security/authentication/kerberos/AmbariKerberosTicketValidatorTest.java
>  PRE-CREATION 
> 
> Diff: https://reviews.apache.org/r/52068/diff/
> 
> 
> Testing
> -------
> 
> Manual testing
> 
> # Local test results: 
> 
> [INFO] 
> ------------------------------------------------------------------------
> [INFO] BUILD SUCCESS
> [INFO] 
> ------------------------------------------------------------------------
> [INFO] Total time: 1:10:14.923s
> [INFO] Finished at: Mon Sep 19 19:27:33 EDT 2016
> [INFO] Final Memory: 72M/692M
> [INFO] 
> ------------------------------------------------------------------------
> 
> # Jenkins test results: PENDING
> 
> 
> Thanks,
> 
> Robert Levas
> 
>
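The request-handling flow described in the review request above (hint header, `WWW-Authenticate: Negotiate` challenge, token validation, auth-to-local translation, and the preferred-order user lookup that Jonathan's second comment asks about), as an added example that is not part of this thread or of Ambari's code. It is written in Python rather than the project's Java so the decision logic reads stand-alone. The header names come from the description; `AUTH_TO_LOCAL_RULES`, `USER_DIRECTORY`, `PREFERRED_USER_TYPES`, `VALID_TOKENS` and `validate_ticket` are constructed stand-ins for a real rule processor, user database and Kerberos ticket validator, and re-issuing the 401 `Negotiate` challenge on a failed validation or a missing Ambari account is an assumption, since the description only says "the appropriate HTTP status and related header(s)".

```python
import base64
import binascii
import logging
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

log = logging.getLogger("spnego-example")

# Hint header named in the review request: only when it is "true" does the
# server answer a token-less request with the SPNEGO challenge instead of 403.
NEGOTIATE_HINT_HEADER = "X-Negotiate-Authentication"


@dataclass
class Response:
    status: int
    headers: Dict[str, str] = field(default_factory=dict)
    local_name: Optional[str] = None  # local Ambari user name on success
    user_id: Optional[int] = None     # matched Ambari account on success


# Constructed auth-to-local rules (assumption): (pattern, replacement), tried in
# order, first match wins. A simplified stand-in for a Hadoop-style rule set.
AUTH_TO_LOCAL_RULES: List[Tuple[re.Pattern, str]] = [
    (re.compile(r"^([^/@]+)/admin@EXAMPLE\.COM$"), r"\1"),  # alice/admin@EXAMPLE.COM -> alice
    (re.compile(r"^([^/@]+)@EXAMPLE\.COM$"), r"\1"),        # bob@EXAMPLE.COM -> bob
]


def auth_to_local(principal: str) -> Optional[str]:
    """Translate a Kerberos principal into a local user name; None if no rule matches."""
    for pattern, repl in AUTH_TO_LOCAL_RULES:
        m = pattern.match(principal)
        if m:
            return m.expand(repl)
    return None


# Constructed user directory (assumption): local name -> [(user_type, user_id)].
# Several accounts may share a name (e.g. a LOCAL and an LDAP user), which is why
# the lookup below walks a preferred-order list and warns on multiple matches.
USER_DIRECTORY = {
    "alice": [("LDAP", 7), ("LOCAL", 3)],
    "bob": [("LOCAL", 4)],
}
PREFERRED_USER_TYPES = ["LOCAL", "LDAP"]


def find_ambari_user(local_name: str) -> Optional[int]:
    """Return the preferred matching user id, logging a warning when more than one matches."""
    matches = USER_DIRECTORY.get(local_name, [])
    if len(matches) > 1:
        log.warning("%d Ambari users match local name %r; using preferred order %s",
                    len(matches), local_name, PREFERRED_USER_TYPES)
    by_type = {user_type: user_id for user_type, user_id in matches}
    for user_type in PREFERRED_USER_TYPES:
        if user_type in by_type:
            return by_type[user_type]
    return None


# Constructed stand-in for Kerberos ticket validation (assumption): the decoded
# token bytes are looked up instead of being handed to a GSS-API validator.
VALID_TOKENS = {
    b"alice-token": "alice/admin@EXAMPLE.COM",
    b"bob-token": "bob@EXAMPLE.COM",
    b"carol-token": "carol@EXAMPLE.COM",  # valid ticket, but no Ambari account
}


def validate_ticket(token_b64: str) -> Optional[str]:
    """Decode the base64 Negotiate token and return the principal, or None on failure."""
    try:
        raw = base64.b64decode(token_b64, validate=True)
    except (binascii.Error, ValueError):
        return None
    return VALID_TOKENS.get(raw)


def make_auth_header(raw_token: bytes) -> str:
    """Build the header value a client would send: 'Negotiate <base64 token>'."""
    return "Negotiate " + base64.b64encode(raw_token).decode("ascii")


def challenge() -> Response:
    # Step 2 of the handshake: 401 plus WWW-Authenticate: Negotiate.
    return Response(401, {"WWW-Authenticate": "Negotiate"})


def handle_request(headers: Dict[str, str]) -> Response:
    """Decide the response for one request given its HTTP headers."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    parts = h.get("authorization", "").split(None, 1)
    if not parts or parts[0].lower() != "negotiate":
        # No Kerberos token: start SPNEGO only if the client sent the hint, else keep 403.
        if h.get(NEGOTIATE_HINT_HEADER.lower(), "").strip().lower() == "true":
            return challenge()
        return Response(403)
    token = parts[1].strip() if len(parts) > 1 else ""
    principal = validate_ticket(token)
    if principal is None:
        return challenge()  # assumption: failed validation re-issues the challenge
    local_name = auth_to_local(principal)
    user_id = find_ambari_user(local_name) if local_name else None
    if user_id is None:
        return challenge()  # valid ticket but no Ambari account -> authentication failure
    return Response(200, local_name=local_name, user_id=user_id)
```

`handle_request` is the only entry point; the warning in `find_ambari_user` is the cheap "more than one match" diagnostic suggested in the second review comment, and it costs one dictionary lookup per request because the directory already returns all entries for a name.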
