atlas-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Madhan Neethiraj <mad...@apache.org>
Subject Re: Review Request 48130: ATLAS-820- Kerberized env: Authentication failing
Date Sat, 04 Jun 2016 00:32:38 GMT

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/48130/#review136143
-----------------------------------------------------------




webapp/src/main/java/org/apache/atlas/web/filters/AtlasAuthenticationFilter.java (line 150)
<https://reviews.apache.org/r/48130/#comment201171>

    Rename "authMethod" ==> "kerberosAuthNEnabled"



webapp/src/main/java/org/apache/atlas/web/filters/AtlasAuthenticationFilter.java (line 154)
<https://reviews.apache.org/r/48130/#comment201172>

    Should "simple" authentication be supported now?
    
    Shouldn't the flow be:
     1. if kerberos authn is enabled
         - try kerberos auth
     2. if unauthenticated && ldap authn is enabled
         - try ldap authn
     3. if unauthenticated && file authn is enabled
         - try file authn
     4. if unauthenticated
         - fail authentication



webapp/src/main/java/org/apache/atlas/web/filters/AtlasAuthenticationFilter.java (line 305)
<https://reviews.apache.org/r/48130/#comment201167>

    Consider "break;" after retrieving the username from cookie.



webapp/src/main/java/org/apache/atlas/web/listeners/LoginProcessor.java (line 98)
<https://reviews.apache.org/r/48130/#comment201163>

    Rename "authMethod" ==> "kerberosAuthNEnabled"



webapp/src/main/java/org/apache/atlas/web/listeners/LoginProcessor.java (line 103)
<https://reviews.apache.org/r/48130/#comment201164>

    Should "simple" authentication be supported now?
    
    Shouldn't the flow be:
     1. if kerberos authn is enabled
         - try kerberos auth
     2. if unauthenticated && ldap authn is enabled
         - try ldap authn
     3. if unauthenticated && file authn is enabled
         - try file authn
     4. if unauthenticated
         - fail authentication



webapp/src/main/java/org/apache/atlas/web/security/AtlasAuthenticationProvider.java (line
37)
<https://reviews.apache.org/r/48130/#comment201162>

    Consider using boolean types here, with variable names like:
     boolean fileAuthNEnabled = true;
     boolean ldapAuthNEnabled = false;



webapp/src/main/java/org/apache/atlas/web/security/AtlasAuthenticationProvider.java (line
55)
<https://reviews.apache.org/r/48130/#comment201158>

    Consider using "true" as default for "atlas.authentication.method.file".



webapp/src/main/java/org/apache/atlas/web/security/AtlasAuthenticationProvider.java (line
89)
<https://reviews.apache.org/r/48130/#comment201160>

    This else {} block can be removed, as fileAuthentication is being handled in line #99.


- Madhan Neethiraj


On June 2, 2016, 8:59 a.m., Nixon Rodrigues wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/48130/
> -----------------------------------------------------------
> 
> (Updated June 2, 2016, 8:59 a.m.)
> 
> 
> Review request for atlas, Gautam Borad, Madhan Neethiraj, Mehul Parikh, Shwetha GS, and
Hemanth Yamijala.
> 
> 
> Bugs: ATLAS-820
>     https://issues.apache.org/jira/browse/ATLAS-820
> 
> 
> Repository: atlas
> 
> 
> Description
> -------
> 
> Kerberos-Authentication-related-changes.
> 
> Changes includes.
> 
> * Adding/Configaration of AtlasAuthentication fitler into spring's filter.
> * Refactoring of authentication related properties.
> 
> 
> Diffs
> -----
> 
>   common/src/main/java/org/apache/atlas/utils/AuthenticationUtil.java f8e22f0 
>   distro/src/conf/atlas-application.properties bfa40e8 
>   distro/src/conf/policy-store.txt 339f014 
>   webapp/src/main/java/org/apache/atlas/web/dao/UserDao.java f1ceee2 
>   webapp/src/main/java/org/apache/atlas/web/filters/AtlasAuthenticationFilter.java 2d84b10

>   webapp/src/main/java/org/apache/atlas/web/filters/KerberosAuthenticationFilter.java
PRE-CREATION 
>   webapp/src/main/java/org/apache/atlas/web/filters/MockServletContext.java PRE-CREATION

>   webapp/src/main/java/org/apache/atlas/web/listeners/GuiceServletConfig.java 010fa2a

>   webapp/src/main/java/org/apache/atlas/web/listeners/LoginProcessor.java b7943e7 
>   webapp/src/main/java/org/apache/atlas/web/security/AtlasAuthenticationProvider.java
389a609 
>   webapp/src/main/resources/spring-security.xml bba054d 
>   webapp/src/test/java/org/apache/atlas/web/security/FileAuthenticationTest.java a07874a

> 
> Diff: https://reviews.apache.org/r/48130/diff/
> 
> 
> Testing
> -------
> 
> * Tested Quick Started in both kerberos and normal env.
> * mvn clean install.
> * Tested atlas UI in kerberized and non kerberized browser.
> * Executed curl commands with and without kinit.
> 
> kinit -kt /etc/security/keytabs/atlas.service.keytab atlas/mp-atls-495-1.openstacklocal@EXAMPLE.COM
> 
> curl url	curl -v -u admin:admin http://mp-atls-495-1.openstacklocal:21000/api/atlas/types
> curl with –negotiate	curl -k -v  --negotiate -u :  http://mp-atls-495-1.openstacklocal:21000/api/atlas/types
> curl with without negotiate	curl -k -v   -u :  http://mp-atls-495-1.openstacklocal:21000/api/atlas/types
> curl with -u admin:admin	curl -v -u admin:admin http://mp-atls-495-1.openstacklocal:21000/api/atlas/types
> with browser	google-chrome –auth-server-whitelist="mp-atls-495-1.openstacklocal"
> 
> 
> Thanks,
> 
> Nixon Rodrigues
> 
>


Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message