Return-Path: X-Original-To: archive-asf-public-internal@cust-asf2.ponee.io Delivered-To: archive-asf-public-internal@cust-asf2.ponee.io Received: from cust-asf.ponee.io (cust-asf.ponee.io [163.172.22.183]) by cust-asf2.ponee.io (Postfix) with ESMTP id 272BA200C62 for ; Wed, 26 Apr 2017 09:36:40 +0200 (CEST) Received: by cust-asf.ponee.io (Postfix) id 25B96160BA8; Wed, 26 Apr 2017 07:36:40 +0000 (UTC) Delivered-To: archive-asf-public@cust-asf.ponee.io Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by cust-asf.ponee.io (Postfix) with SMTP id 41D95160B95 for ; Wed, 26 Apr 2017 09:36:39 +0200 (CEST) Received: (qmail 84020 invoked by uid 500); 26 Apr 2017 07:36:38 -0000 Mailing-List: contact commits-help@atlas.incubator.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@atlas.incubator.apache.org Delivered-To: mailing list commits@atlas.incubator.apache.org Received: (qmail 84011 invoked by uid 99); 26 Apr 2017 07:36:38 -0000 Received: from pnap-us-west-generic-nat.apache.org (HELO spamd2-us-west.apache.org) (209.188.14.142) by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 26 Apr 2017 07:36:38 +0000 Received: from localhost (localhost [127.0.0.1]) by spamd2-us-west.apache.org (ASF Mail Server at spamd2-us-west.apache.org) with ESMTP id 1A1291B0486 for ; Wed, 26 Apr 2017 07:36:38 +0000 (UTC) X-Virus-Scanned: Debian amavisd-new at spamd2-us-west.apache.org X-Spam-Flag: NO X-Spam-Score: -4.222 X-Spam-Level: X-Spam-Status: No, score=-4.222 tagged_above=-999 required=6.31 tests=[KAM_ASCII_DIVIDERS=0.8, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=disabled Received: from mx1-lw-eu.apache.org ([10.40.0.8]) by localhost (spamd2-us-west.apache.org [10.40.0.9]) (amavisd-new, port 10024) with ESMTP id i6y42TAGX4Xa for ; Wed, 26 Apr 2017 07:36:36 +0000 (UTC) Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by 
mx1-lw-eu.apache.org (ASF Mail Server at mx1-lw-eu.apache.org) with SMTP id 1F0825F36C for ; Wed, 26 Apr 2017 07:36:34 +0000 (UTC) Received: (qmail 83899 invoked by uid 99); 26 Apr 2017 07:36:34 -0000 Received: from git1-us-west.apache.org (HELO git1-us-west.apache.org) (140.211.11.23) by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 26 Apr 2017 07:36:34 +0000 Received: by git1-us-west.apache.org (ASF Mail Server at git1-us-west.apache.org, from userid 33) id 17B8FDFBBB; Wed, 26 Apr 2017 07:36:34 +0000 (UTC) Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit 
From: nixon@apache.org To: commits@atlas.incubator.apache.org Date: Wed, 26 Apr 2017 07:36:34 -0000 Message-Id: <6b1402ef03c94aa49f1b8c2c4dfba517@git.apache.org> X-Mailer: ASF-Git Admin Mailer Subject: [1/2] incubator-atlas git commit: ATLAS-1680- Support for browser login using kerberos keytab archived-at: Wed, 26 Apr 2017 07:36:40 -0000 Repository: incubator-atlas Updated Branches: refs/heads/master e92593e94 -> 466372ef8 ATLAS-1680- Support for browser login using kerberos keytab Project: http://git-wip-us.apache.org/repos/asf/incubator-atlas/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-atlas/commit/bcc89f3c Tree: http://git-wip-us.apache.org/repos/asf/incubator-atlas/tree/bcc89f3c Diff: http://git-wip-us.apache.org/repos/asf/incubator-atlas/diff/bcc89f3c Branch: refs/heads/master Commit: bcc89f3c459d6f02b24eae245f88f27bdbd9a65e Parents: e92593e Author: nixonrodrigues Authored: Thu Mar 30 20:10:14 2017 +0530 Committer: nixonrodrigues Committed: Wed Apr 26 13:02:41 2017 +0530 ---------------------------------------------------------------------- .../web/filters/AtlasAuthenticationFilter.java | 39 ++++++++++---------- 1 file changed, 20 insertions(+), 19 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-atlas/blob/bcc89f3c/webapp/src/main/java/org/apache/atlas/web/filters/AtlasAuthenticationFilter.java ---------------------------------------------------------------------- diff --git a/webapp/src/main/java/org/apache/atlas/web/filters/AtlasAuthenticationFilter.java b/webapp/src/main/java/org/apache/atlas/web/filters/AtlasAuthenticationFilter.java index 9ead75f..a643d62 100644 --- a/webapp/src/main/java/org/apache/atlas/web/filters/AtlasAuthenticationFilter.java +++ b/webapp/src/main/java/org/apache/atlas/web/filters/AtlasAuthenticationFilter.java 
@@ -86,6 +86,7 @@ public class AtlasAuthenticationFilter extends AuthenticationFilter { public final boolean isKerberos = AuthenticationUtil.isKerberosAuthenticationEnabled(); private boolean isInitializedByTomcat; private Set browserUserAgents; + private boolean supportKeyTabBrowserLogin = false; public AtlasAuthenticationFilter() { try { @@ -191,16 +192,16 @@ public class AtlasAuthenticationFilter extends AuthenticationFilter { authMethod = "kerberos"; } - if(configuration.getString("atlas.authentication.method.kerberos.name.rules")!=null) { + if (configuration.getString("atlas.authentication.method.kerberos.name.rules") != null) { config.put("kerberos.name.rules", configuration.getString("atlas.authentication.method.kerberos.name.rules")); } - if(configuration.getString("atlas.authentication.method.kerberos.keytab")!=null) { + if (configuration.getString("atlas.authentication.method.kerberos.keytab") != null) { config.put("kerberos.keytab", configuration.getString("atlas.authentication.method.kerberos.keytab")); } - if(configuration.getString("atlas.authentication.method.kerberos.principal")!=null) { + if (configuration.getString("atlas.authentication.method.kerberos.principal") != null) { config.put("kerberos.principal", configuration.getString("atlas.authentication.method.kerberos.principal")); } - config.put(AuthenticationFilter.AUTH_TYPE, authMethod ); + config.put(AuthenticationFilter.AUTH_TYPE, authMethod); config.put(AuthenticationFilter.COOKIE_PATH, "/"); // add any config passed in as init parameters @@ -232,6 +233,7 @@ public class AtlasAuthenticationFilter extends AuthenticationFilter { LOG.debug(" AuthenticationFilterConfig: {}", config); + supportKeyTabBrowserLogin = configuration.getBoolean("atlas.authentication.method.kerberos.support.keytab.browser.login", false); String agents = configuration.getString(AtlasCSRFPreventionFilter.BROWSER_USER_AGENT_PARAM, AtlasCSRFPreventionFilter.BROWSER_USER_AGENTS_DEFAULT); if (agents == null) { 
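Review bot: The new `supportKeyTabBrowserLogin` field (first hunk) and the line that loads it from `atlas.authentication.method.kerberos.support.keytab.browser.login` (third hunk) carry no comment, although the flag decides which authentication path browser requests take in `doKerberosAuth`. I would document it at the declaration, for example `// When true, requests with a browser User-Agent are handled by the Kerberos authentication handler instead of being passed down the filter chain; default false keeps the previous fallback.` The property key is a bare string literal; a `private static final String` constant next to the field would keep the name in one place for operators and tests, and the explicit `= false` initialiser is redundant for a boolean field. The method that reads the configuration starts and ends outside these hunks.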
@@ -290,7 +292,7 @@ public class AtlasAuthenticationFilter extends AuthenticationFilter { String requestUser = httpRequest.getRemoteUser(); NDC.push(requestUser + ":" + httpRequest.getMethod() + httpRequest.getRequestURI()); RequestContext requestContext = RequestContext.get(); - if(requestContext!=null) { + if (requestContext != null) { requestContext.setUser(requestUser); } LOG.info("Request from authenticated user: {}, URL={}", requestUser, @@ -340,14 +342,14 @@ public class AtlasAuthenticationFilter extends AuthenticationFilter { * If the request has a valid authentication token it allows the request to continue to the target resource, * otherwise it triggers an authentication sequence using the configured {@link org.apache.hadoop.security.authentication.server.AuthenticationHandler}. * - * @param request the request object. - * @param response the response object. + * @param request the request object. + * @param response the response object. * @param filterChain the filter chain object. * - * @throws IOException thrown if an IO error occurred. + * @throws IOException thrown if an IO error occurred. * @throws ServletException thrown if a processing error occurred. */ - public void doKerberosAuth(ServletRequest request, ServletResponse response, FilterChain filterChainWrapper ,FilterChain filterChain ) + public void doKerberosAuth(ServletRequest request, ServletResponse response, FilterChain filterChainWrapper, FilterChain filterChain) throws IOException, ServletException { boolean unauthorizedResponse = true; int errCode = HttpServletResponse.SC_UNAUTHORIZED; 
@@ -355,14 +357,13 @@ public class AtlasAuthenticationFilter extends AuthenticationFilter { HttpServletRequest httpRequest = (HttpServletRequest) request; HttpServletResponse httpResponse = (HttpServletResponse) response; boolean isHttps = "https".equals(httpRequest.getScheme()); - AuthenticationHandler authHandler = getAuthenticationHandler(); + AuthenticationHandler authHandler = getAuthenticationHandler(); try { boolean newToken = false; AuthenticationToken token; try { token = getToken(httpRequest); - } - catch (AuthenticationException ex) { + } catch (AuthenticationException ex) { LOG.warn("AuthenticationToken ignored: {}", ex.getMessage()); // will be sent back in a 401 unless filter authenticates authenticationEx = ex; @@ -432,7 +433,7 @@ public class AtlasAuthenticationFilter extends AuthenticationFilter { errCode = HttpServletResponse.SC_FORBIDDEN; } if (authenticationEx == null) { // added this code for atlas error handling and fallback - if (isBrowser(httpRequest.getHeader("User-Agent"))) { + if (!supportKeyTabBrowserLogin && isBrowser(httpRequest.getHeader("User-Agent"))) { filterChain.doFilter(request, response); } else { boolean chk = true; 
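Review bot: In the hunk at -432 the branch is still selected by `isBrowser(httpRequest.getHeader("User-Agent"))`, a value the client supplies, so with the default `supportKeyTabBrowserLogin = false` a request that presents a browser User-Agent bypasses the Kerberos handler and goes straight to `filterChain.doFilter(request, response)`. That is only safe if the filters further down the chain authenticate the request themselves, which these hunks do not show; please state the dependency above the condition, e.g. `// User-Agent is client-controlled: this branch relies on downstream filters to authenticate the request`. A line such as `LOG.debug("Kerberos keytab browser login enabled: {}", supportKeyTabBrowserLogin);` where the flag is loaded would let operators confirm which path is active. `doKerberosAuth` begins in an earlier hunk and continues past the end of this one.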
@@ -509,27 +510,27 @@ public class AtlasAuthenticationFilter extends AuthenticationFilter { public static void createAuthCookie(HttpServletResponse resp, String token, String domain, String path, long expires, boolean isSecure) { StringBuilder sb = (new StringBuilder(AuthenticatedURL.AUTH_COOKIE)).append("="); - if(token != null && token.length() > 0) { + if (token != null && token.length() > 0) { sb.append("\"").append(token).append("\""); } sb.append("; Version=1"); - if(path != null) { + if (path != null) { sb.append("; Path=").append(path); } - if(domain != null) { + if (domain != null) { sb.append("; Domain=").append(domain); } - if(expires >= 0L) { + if (expires >= 0L) { Date date = new Date(expires); SimpleDateFormat df = new SimpleDateFormat("EEE, dd-MMM-yyyy HH:mm:ss zzz"); df.setTimeZone(TimeZone.getTimeZone("GMT")); sb.append("; Expires=").append(df.format(date)); } - if(isSecure) { + if (isSecure) { sb.append("; Secure"); } @@ -558,7 +559,7 @@ public class AtlasAuthenticationFilter extends AuthenticationFilter { if (tokenStr != null) { token = AuthenticationToken.parse(tokenStr); - if(token != null) { + if (token != null) { AuthenticationHandler authHandler = getAuthenticationHandler(); if (!token.getType().equals(authHandler.getType())) { throw new AuthenticationException("Invalid AuthenticationToken type");