atlas-commits mailing list archives

From mad...@apache.org
Subject atlas git commit: ATLAS-2166 - Block Knox proxy service user for kerberos authentication
Date Fri, 13 Oct 2017 16:00:17 GMT
Repository: atlas
Updated Branches:
  refs/heads/master 48feaa352 -> 279181454


ATLAS-2166 - Block Knox proxy service user for kerberos authentication

Change-Id: Ib7549067bad928ae90d5f39b920c162d9c776780

Signed-off-by: Madhan Neethiraj <madhan@apache.org>


Project: http://git-wip-us.apache.org/repos/asf/atlas/repo
Commit: http://git-wip-us.apache.org/repos/asf/atlas/commit/27918145
Tree: http://git-wip-us.apache.org/repos/asf/atlas/tree/27918145
Diff: http://git-wip-us.apache.org/repos/asf/atlas/diff/27918145

Branch: refs/heads/master
Commit: 27918145448a3b6bb7b2c7af0add7a875d684d11
Parents: 48feaa3
Author: nixonrodrigues <nixon@apache.org>
Authored: Fri Oct 13 16:51:46 2017 +0530
Committer: Madhan Neethiraj <madhan@apache.org>
Committed: Fri Oct 13 08:46:00 2017 -0700

----------------------------------------------------------------------
 .../web/filters/AtlasAuthenticationFilter.java  | 47 +++++++++++++++-----
 1 file changed, 36 insertions(+), 11 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/atlas/blob/27918145/webapp/src/main/java/org/apache/atlas/web/filters/AtlasAuthenticationFilter.java
----------------------------------------------------------------------
diff --git a/webapp/src/main/java/org/apache/atlas/web/filters/AtlasAuthenticationFilter.java
b/webapp/src/main/java/org/apache/atlas/web/filters/AtlasAuthenticationFilter.java
index 444b094..e8020db 100644
--- a/webapp/src/main/java/org/apache/atlas/web/filters/AtlasAuthenticationFilter.java
+++ b/webapp/src/main/java/org/apache/atlas/web/filters/AtlasAuthenticationFilter.java
@@ -29,7 +29,6 @@ import org.apache.commons.configuration.Configuration;
 import org.apache.commons.configuration.ConfigurationConverter;
 import org.apache.commons.lang.StringUtils;
 import org.apache.hadoop.security.SecurityUtil;
-import org.apache.hadoop.security.UserGroupInformation;
 import org.apache.hadoop.security.authentication.client.AuthenticatedURL;
 import org.apache.hadoop.security.authentication.client.AuthenticationException;
 import org.apache.hadoop.security.authentication.client.KerberosAuthenticator;
@@ -47,7 +46,6 @@ import org.springframework.security.authentication.AbstractAuthenticationToken;
 import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.GrantedAuthority;
-import org.springframework.security.core.authority.SimpleGrantedAuthority;
 import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.security.core.userdetails.User;
 import org.springframework.security.core.userdetails.UserDetails;
@@ -84,16 +82,23 @@ import java.util.regex.Pattern;
 @Component
 public class AtlasAuthenticationFilter extends AuthenticationFilter {
     private static final Logger LOG = LoggerFactory.getLogger(AtlasAuthenticationFilter.class);
-    static final String PREFIX = "atlas.authentication.method";
-    protected static ServletContext nullContext = new NullServletContext();
-    private Signer signer;
+
+    private   static final String         CONFIG_PROXY_USERS  = "atlas.proxyusers";
+    private   static final String         PREFIX              = "atlas.authentication.method";
+    private   static final String[]       DEFAULT_PROXY_USERS = new String[] { "knox" };
+    protected static final ServletContext nullContext         = new NullServletContext();
+
+    private Signer               signer;
     private SignerSecretProvider secretProvider;
-    public final boolean isKerberos = AuthenticationUtil.isKerberosAuthenticationEnabled();
-    private boolean isInitializedByTomcat;
-    private Set<Pattern> browserUserAgents;
-    private boolean supportKeyTabBrowserLogin = false;
-    private Configuration configuration;
-    private Properties headerProperties;
+    private final boolean        isKerberos = AuthenticationUtil.isKerberosAuthenticationEnabled();
+    private boolean              isInitializedByTomcat;
+    private Set<Pattern>         browserUserAgents;
+    private boolean              supportKeyTabBrowserLogin = false;
+    private Configuration        configuration;
+    private Properties           headerProperties;
+    private Set<String>          atlasProxyUsers = new HashSet<>();
+
+
     public AtlasAuthenticationFilter() {
         try {
             LOG.info("AtlasAuthenticationFilter initialization started");
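Review bot: `CONFIG_PROXY_USERS` and `atlasProxyUsers` are added without any comment saying what membership means. The name `atlas.proxyusers` reads like a list of users allowed to proxy, while the later hunk uses the set to refuse Kerberos login for those users. A short Javadoc on the constant would prevent misconfiguration, for example `/** Users whose Kerberos login is ignored by this filter; defaults to "knox". */`. Separately, `isKerberos` goes from `public final` to `private final` and `PREFIX` from package-private to `private`, which could break readers outside this class; that cannot be confirmed from the hunk. The constructor body continues outside the hunk.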
@@ -252,6 +257,14 @@ public class AtlasAuthenticationFilter extends AuthenticationFilter {
             agents = AtlasCSRFPreventionFilter.BROWSER_USER_AGENTS_DEFAULT;
         }
 
+        String[] proxyUsers = configuration.getStringArray(CONFIG_PROXY_USERS);
+
+        if (proxyUsers == null || proxyUsers.length == 0) {
+            proxyUsers = DEFAULT_PROXY_USERS;
+        }
+
+        atlasProxyUsers = new HashSet<>(Arrays.asList(proxyUsers));
+
         parseBrowserUserAgents(agents);
 
         return config;
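Review bot: A missing or empty `atlas.proxyusers` falls back to `DEFAULT_PROXY_USERS` at the `proxyUsers.length == 0` check, so the block list can never be configured as empty, and nothing in the hunk documents that. If this is meant as a safe default, say so in a comment such as `// missing or empty setting keeps the default block list; it cannot be switched off here`. The entries go into the `HashSet` as returned and are later matched with `contains`, so the match is exact and case-sensitive. Whether `getStringArray` trims entries is not visible here, so normalising them at this point (trim, plus a documented case policy) would make the later check less dependent on how the property was typed. The enclosing method starts outside the hunk.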
@@ -417,6 +430,18 @@ public class AtlasAuthenticationFilter extends AuthenticationFilter {
                             return (authToken != AuthenticationToken.ANONYMOUS) ? authToken
: null;
                         }
                     };
+
+                    if(StringUtils.isNotBlank(httpRequest.getRemoteUser()) && atlasProxyUsers.contains(httpRequest.getRemoteUser())){
+                        LOG.info("Ignoring kerberos login from proxy user "+ httpRequest.getRemoteUser());
+
+                        httpResponse.setHeader(KerberosAuthenticator.WWW_AUTHENTICATE, "");
+                        httpResponse.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
+                        filterChain.doFilter(request, response);
+
+                        return;
+                    }
+
+
                     if (newToken && !token.isExpired() && token != AuthenticationToken.ANONYMOUS)
{
                         String signedToken = signer.sign(token.toString());
                         createAuthCookie(httpResponse, signedToken, getCookieDomain(),
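Review bot: The new proxy-user block only takes effect when `httpRequest.getRemoteUser()` equals an entry of `atlasProxyUsers` exactly, so it is skipped if the remote user arrives as a full principal or in a different case rather than the short name `knox`. How that name is derived is outside the hunk, so it should be confirmed and covered by a test. The branch also sets 401 and then calls `filterChain.doFilter(request, response)`, leaving the final outcome to downstream filters. A comment stating the intent (presumably that the Kerberos identity is dropped while other authentication methods may still apply) would help the next reader. Reading the user once and logging with a placeholder is tidier: `final String remoteUser = httpRequest.getRemoteUser();` and `LOG.info("Ignoring kerberos login from proxy user {}", remoteUser);`; since this fires on every proxied request, DEBUG may be the better level. The enclosing method starts and ends outside the hunk.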

