Subject: Re: Review Request 46699: ATLAS-661 : Rest API Authentication.
From: Shwetha GS
To: Erik Bergenholtz, Hemanth Yamijala, Selvamohan Neethiraj, Shwetha GS
Cc: atlas, Nixon Rodrigues
Delivered-To: mailing list dev@atlas.incubator.apache.org
Date: Wed, 27 Apr 2016 13:37:17 -0000
Message-ID: <20160427133717.26196.42731@reviews.apache.org>
In-Reply-To: <20160426162909.26196.36019@reviews.apache.org>
X-ReviewRequest-URL: https://reviews.apache.org/r/46699/

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/46699/#review130775
-----------------------------------------------------------

We currently support the following authentication methods:

1. hadoop simple auth - assumes the username passed in the request. Doesn't do any authentication
2. hadoop kerberos auth - using kerberos keytab
3. simple file based authentication - username and password passed in the request, authenticated against file contents
4. LDAP - username and password passed in the request, authenticated against LDAP server. If authentication fails, falls back to file based
5. AD - username and password passed in the request, authenticated against AD server. If authentication fails, falls back to file based

Assuming my above understanding is right (correct me if I am wrong): for a single request, at both client and server, only one of the above authentication methods should be used. For example, requests coming from the UI may use LDAP (with fallback to file based), requests from another source may use kerberos.

There are a couple of issues now:

1. Currently, there are 2 authentication filters - AtlasAuthenticationProvider (handles 3, 4 and 5 above) and AtlasAuthenticationFilter (handles 1 & 2 above, enabled with atlas.http.authentication.enabled=true). Both the filters will be enabled, which means a request will go through both, which doesn't make sense. They need to be merged so that only one of the authentication methods is used for a request.
2. AtlasAuthenticationFilter sets the user in RequestContext, which is used for audit. Once the above 1st issue is sorted out, hopefully there is a single place where authentication is done so that the request user is set from the authenticated user.
3. AtlasClient now sets both username and password (used for file based/ldap/ad) and kerberos token (if kerberos is enabled). There should be just one authentication mechanism for a request even at the client.
4. With kerberos authentication, how do we get the authorities for the user?

The utilities like quick_start, import-hive, atlas-admin etc. can't always use the 'admin' user. They should be allowed to run as the user running the command as long as they have authorisation to call the create entities API or to get admin status.


webapp/src/main/java/org/apache/atlas/web/security/AtlasAbstractAuthenticationProvider.java (line 70)

    Why is this hard-coded? This method shouldn't even be used. AtlasADAuthenticationProvider has DefaultLdapAuthoritiesPopulator, AtlasFileAuthenticationProvider loads from file etc.


webapp/src/main/webapp/WEB-INF/web.xml

    Please avoid moving lines without any changes. Makes it difficult to review.


webapp/src/test/java/org/apache/atlas/web/security/UserDaoTest.java (line 33)

    Add tests. There are no tests at all for the changes made.


- Shwetha GS


On April 26, 2016, 4:29 p.m., Nixon Rodrigues wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/46699/
> -----------------------------------------------------------
> 
> (Updated April 26, 2016, 4:29 p.m.)
> 
> 
> Review request for atlas, Erik Bergenholtz, Shwetha GS, Selvamohan Neethiraj, Suma Shivaprasad, and Hemanth Yamijala.
> 
> 
> Bugs: ATLAS-661
>     https://issues.apache.org/jira/browse/ATLAS-661
> 
> 
> Repository: atlas
> 
> 
> Description
> -------
> 
> Introduced Rest API Authentication.
> Introduced role and encoded password in user-credential file.
> Authentication to fall back to file type if LDAP fails.
> Changes in quick_start.py, atlas_admin.py & import_hive.sh to take password argument for basic authentication
> 
> 
> Diffs
> -----
> 
>   addons/hive-bridge/src/bin/import-hive.sh 8df94f2 
>   addons/hive-bridge/src/main/java/org/apache/atlas/hive/bridge/HiveMetaStoreBridge.java 104c0c5 
>   client/src/main/java/org/apache/atlas/AtlasAdminClient.java 473f72a 
>   client/src/main/java/org/apache/atlas/AtlasClient.java be34802 
>   dashboardv2/public/js/utils/Utils.js 7b2db79 
>   distro/src/conf/users-credentials.properties 94e7cf4 
>   webapp/src/main/java/org/apache/atlas/examples/QuickStart.java 79b8124 
>   webapp/src/main/java/org/apache/atlas/web/dao/UserDao.java 76784c4 
>   webapp/src/main/java/org/apache/atlas/web/filters/AtlasAuthenticationEntryPoint.java b77bd28 
>   webapp/src/main/java/org/apache/atlas/web/security/AtlasAbstractAuthenticationProvider.java b2b11da 
>   webapp/src/main/java/org/apache/atlas/web/security/AtlasAuthenticationProvider.java 7f87bd5 
>   webapp/src/main/java/org/apache/atlas/web/security/AtlasFileAuthenticationProvider.java b3e3354 
>   webapp/src/main/resources/spring-security.xml 8533473 
>   webapp/src/main/webapp/WEB-INF/web.xml deb97d9 
>   webapp/src/test/java/org/apache/atlas/web/resources/BaseResourceIT.java 54d8d92 
>   webapp/src/test/java/org/apache/atlas/web/security/FileAuthenticationTest.java 7e4c2c8 
>   webapp/src/test/java/org/apache/atlas/web/security/UserDaoTest.java 5b5c70e 
> 
> Diff: https://reviews.apache.org/r/46699/diff/
> 
> 
> Testing
> -------
> 
> Manual Testing done.
> performed mvn clean install
> performed mvn clean package -Pdist
> 
> Found Failed tests:
> HiveLineageJerseyResourceIT.setUp:52->setupInstances:169->table:234->BaseResourceIT.createInstance:129 » AtlasService
> 
> Tests run: 10, Failures: 2, Errors: 0, Skipped: 0, Time elapsed: 22.476 sec <<< FAILURE! - in org.apache.atlas.repository.graph.GraphBackedRepositoryHardDeleteTest
> testDisconnectBidirectionalReferences(org.apache.atlas.repository.graph.GraphBackedRepositoryHardDeleteTest)  Time elapsed: 0.566 sec  <<< FAILURE!
> 
> 
> Thanks,
> 
> Nixon Rodrigues
> 
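The flow the review asks for, as an added illustrative model and not Apache Atlas code or the Spring Security configuration under review: a request carries exactly one credential kind, the server picks exactly one provider for it, LDAP/AD failure falls back to the file store, and roles (authorities) for both basic and Kerberos users are read from the credential file. The `Request` field names, the provider functions, the SHA-256 password encoding, the `EXAMPLE.COM` realm and the constructed user store and directory are all assumptions made for this example.

```python
"""Model of one-authentication-method-per-request dispatch with LDAP/AD -> file
fallback.  Added illustration, not Apache Atlas code: credential field names,
provider functions, the SHA-256 encoding and the sample data are assumptions."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class Request:
    """A request should carry exactly one credential kind (review issue 3)."""
    kerberos_principal: Optional[str] = None   # e.g. "hive@EXAMPLE.COM"
    username: Optional[str] = None             # basic auth: file / LDAP / AD
    password: Optional[str] = None
    simple_user: Optional[str] = None          # hadoop 'simple' auth: bare name


@dataclass
class Principal:
    name: str
    authorities: Tuple[str, ...]
    provider: str  # the single provider that authenticated this request


def encode_password(password: str) -> str:
    # Assumed encoding for the credential file; the real scheme is not on the page.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


# Constructed users-credentials store: username -> (role, encoded password).
USER_STORE = {
    "admin": ("ROLE_ADMIN", encode_password("admin-pass")),
    "hive": ("ROLE_USER", encode_password("hive-pass")),
}

# Constructed stand-in for an LDAP/AD directory: username -> (password, roles).
DIRECTORY = {"alice": ("alice-pass", ("ROLE_USER",))}

KERBEROS_REALM = "EXAMPLE.COM"  # assumed realm accepted by the keytab check


def file_authenticate(username: str, password: str) -> Optional[Principal]:
    entry = USER_STORE.get(username)
    if entry is None:
        return None
    role, encoded = entry
    if not hmac.compare_digest(encoded.encode(), encode_password(password).encode()):
        return None
    return Principal(username, (role,), "file")


def ldap_authenticate(username: str, password: str) -> Optional[Principal]:
    entry = DIRECTORY.get(username)
    if entry is None or not hmac.compare_digest(entry[0].encode(), password.encode()):
        return None
    return Principal(username, entry[1], "ldap")


def kerberos_authenticate(principal: str) -> Optional[Principal]:
    """Accept a principal of the assumed realm; authorities come from the same
    credential file, one possible answer to review issue 4."""
    if not principal.endswith("@" + KERBEROS_REALM):
        return None
    short_name = principal.split("@", 1)[0].split("/", 1)[0]
    role = USER_STORE.get(short_name, (None, None))[0]
    return Principal(short_name, (role,) if role else (), "kerberos")


def authenticate(req: Request, allow_simple: bool = False) -> Principal:
    """Pick exactly one provider per request (review issue 1) and return the
    authenticated user, the value that belongs in RequestContext (issue 2)."""
    supplied = [c for c in (req.kerberos_principal, req.username, req.simple_user)
                if c is not None]
    if len(supplied) != 1:
        raise ValueError("request must carry exactly one credential kind")
    if req.kerberos_principal is not None:
        principal = kerberos_authenticate(req.kerberos_principal)
    elif req.username is not None:
        # LDAP/AD first; fall back to the file store only when that fails.
        principal = ldap_authenticate(req.username, req.password or "")
        if principal is None:
            principal = file_authenticate(req.username, req.password or "")
    else:
        # 'simple' auth performs no authentication at all: it trusts the name.
        if not allow_simple:
            raise PermissionError("hadoop simple auth is disabled")
        principal = Principal(req.simple_user, (), "simple")
    if principal is None:
        raise PermissionError("authentication failed")
    return principal


if __name__ == "__main__":
    print(authenticate(Request(username="hive", password="hive-pass")))
    print(authenticate(Request(kerberos_principal="hive/host1@EXAMPLE.COM")))
```

A request that carries both a Kerberos principal and a username/password is rejected before any provider runs, which is the client-side half of the review's point; `simple_user` is refused unless the caller opts in, since that mode only trusts the name supplied in the request.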