kylin-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From shaofeng...@apache.org
Subject kylin git commit: KYLIN-1219 support SSO with Spring SAML
Date Fri, 11 Dec 2015 09:35:02 GMT
Repository: kylin
Updated Branches:
  refs/heads/2.0-rc e01e4b602 -> e8de0dc50


KYLIN-1219 support SSO with Spring SAML


Project: http://git-wip-us.apache.org/repos/asf/kylin/repo
Commit: http://git-wip-us.apache.org/repos/asf/kylin/commit/e8de0dc5
Tree: http://git-wip-us.apache.org/repos/asf/kylin/tree/e8de0dc5
Diff: http://git-wip-us.apache.org/repos/asf/kylin/diff/e8de0dc5

Branch: refs/heads/2.0-rc
Commit: e8de0dc5098b81d466691078c3c3192f463eb538
Parents: e01e4b6
Author: shaofengshi <shaofengshi@apache.org>
Authored: Fri Dec 11 17:32:18 2015 +0800
Committer: shaofengshi <shaofengshi@apache.org>
Committed: Fri Dec 11 17:34:50 2015 +0800

----------------------------------------------------------------------
 build/bin/kylin.sh                              |   9 +-
 build/conf/kylin.properties                     |  37 +-
 .../test_case_data/localmeta/kylin.properties   |   4 +-
 .../test_case_data/sandbox/kylin.properties     |   4 +-
 pom.xml                                         |   2 +
 server/pom.xml                                  |  28 ++
 .../security/KylinAuthenticationProvider.java   | 101 +++++
 .../kylin/rest/security/LdapProvider.java       |   1 +
 .../rest/security/SAMLUserDetailsService.java   |  32 ++
 .../src/main/resources/applicationContext.xml   |   6 +-
 .../resources/kylin-server-log4j.properties     |   5 +
 server/src/main/resources/kylinSecurity.xml     | 452 ++++++++++++++++---
 12 files changed, 586 insertions(+), 95 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/kylin/blob/e8de0dc5/build/bin/kylin.sh
----------------------------------------------------------------------
diff --git a/build/bin/kylin.sh b/build/bin/kylin.sh
index 9e91131..50c5ce2 100644
--- a/build/bin/kylin.sh
+++ b/build/bin/kylin.sh
@@ -49,11 +49,7 @@ then
 
 
 
-    useSandbox=`sh ${dir}/get-properties.sh kylin.sandbox`
-    spring_profile="default"
-    if [ "$useSandbox" = "true" ]
-        then spring_profile="sandbox"
-    fi
+    spring_profile=`sh ${dir}/get-properties.sh kylin.security.profile`
 
     #retrive $hive_dependency and $hbase_dependency
     source ${dir}/find-hive-dependency.sh
@@ -64,7 +60,8 @@ then
     fi
 
     export HBASE_CLASSPATH_PREFIX=${tomcat_root}/bin/bootstrap.jar:${tomcat_root}/bin/tomcat-juli.jar:${tomcat_root}/lib/*:$HBASE_CLASSPATH_PREFIX
-    export HBASE_CLASSPATH=$hive_dependency:${HBASE_CLASSPATH}
+    mkdir -p ${KYLIN_HOME}/ext
+    export HBASE_CLASSPATH=$hive_dependency:${KYLIN_HOME}/lib/*:${KYLIN_HOME}/ext/*:${HBASE_CLASSPATH}
 
     #debug if encounter NoClassDefError
     #hbase classpath

http://git-wip-us.apache.org/repos/asf/kylin/blob/e8de0dc5/build/conf/kylin.properties
----------------------------------------------------------------------
diff --git a/build/conf/kylin.properties b/build/conf/kylin.properties
index cc91824..36f34a7 100644
--- a/build/conf/kylin.properties
+++ b/build/conf/kylin.properties
@@ -60,19 +60,42 @@ kylin.hbase.region.cut.small=5
 kylin.hbase.region.cut.medium=10
 kylin.hbase.region.cut.large=50
 
-## Config for Restful APP ##
-# database connection settings:
-ldap.server=
+
+## kylin security configurations
+
+# spring security profile, options: testing, ldap, saml
+# with "testing" profile, user can use pre-defined name/pwd like KYLIN/ADMIN to login
+kylin.security.profile=testing
+
+# default roles and admin roles in LDAP, for ldap and saml
+acl.defaultRole=ROLE_ANALYST,ROLE_MODELER
+acl.adminRole=ROLE_ADMIN
+
+#LDAP authentication configuration
+ldap.server=ldap://ldap_server:389
 ldap.username=
 ldap.password=
+
+#LDAP user account directory; 
 ldap.user.searchBase=
 ldap.user.searchPattern=
 ldap.user.groupSearchBase=
-ldap.service.searchBase=OU=
+
+#LDAP service account directory
+ldap.service.searchBase=
 ldap.service.searchPattern=
 ldap.service.groupSearchBase=
-acl.adminRole=
-acl.defaultRole=
+
+#SAML configurations for SSO
+# SAML IDP metadata file location
+saml.metadata.file=classpath:sso_metadata.xml
+saml.metadata.entityBaseURL=https://hostname/kylin
+saml.context.scheme=https
+saml.context.serverName=hostname
+saml.context.serverPort=443
+saml.context.contextPath=/kylin
+
+
 ganglia.group=
 ganglia.port=8664
 
@@ -105,5 +128,5 @@ kylin.web.contact_mail=
 #env DEV|QA|PROD
 deploy.env=DEV
 
-###########################config info for sandbox#######################
+###########################deprecated configs#######################
 kylin.sandbox=true

http://git-wip-us.apache.org/repos/asf/kylin/blob/e8de0dc5/examples/test_case_data/localmeta/kylin.properties
----------------------------------------------------------------------
diff --git a/examples/test_case_data/localmeta/kylin.properties b/examples/test_case_data/localmeta/kylin.properties
index 48f01f5..a008494 100644
--- a/examples/test_case_data/localmeta/kylin.properties
+++ b/examples/test_case_data/localmeta/kylin.properties
@@ -40,7 +40,7 @@ kylin.job.yarn.app.rest.check.interval.seconds=10
 kylin.hbase.default.compression.codec=gzip
 
 
-
+kylin.security.profile=testing
 ## Config for Restful APP ##
 # database connection settings:
 ldap.server=
@@ -57,7 +57,5 @@ acl.defaultRole=
 ganglia.group=
 ganglia.port=8664
 
-###########################config info for sandbox#######################
-kylin.sandbox=true
 
 

http://git-wip-us.apache.org/repos/asf/kylin/blob/e8de0dc5/examples/test_case_data/sandbox/kylin.properties
----------------------------------------------------------------------
diff --git a/examples/test_case_data/sandbox/kylin.properties b/examples/test_case_data/sandbox/kylin.properties
index 35e2927..a12bc40 100644
--- a/examples/test_case_data/sandbox/kylin.properties
+++ b/examples/test_case_data/sandbox/kylin.properties
@@ -51,6 +51,8 @@ kylin.job.yarn.app.rest.check.interval.seconds=10
 #default compression codec for htable,snappy,lzo,gzip,lz4
 kylin.hbase.default.compression.codec=gzip
 
+kylin.security.profile=testing
+
 ## Config for Restful APP ##
 # database connection settings:
 ldap.server=
@@ -96,6 +98,4 @@ kylin.web.contact_mail=
 #env DEV|QA|PROD
 deploy.env=DEV
 
-###########################config info for sandbox#######################
-kylin.sandbox=true
 

http://git-wip-us.apache.org/repos/asf/kylin/blob/e8de0dc5/pom.xml
----------------------------------------------------------------------
diff --git a/pom.xml b/pom.xml
index 31ab924..b91b8d9 100644
--- a/pom.xml
+++ b/pom.xml
@@ -92,6 +92,8 @@
 
         <!-- REST Service -->
         <spring.framework.version>3.1.2.RELEASE</spring.framework.version>
+        <spring.framework.security.extensions.version>1.0.1.RELEASE</spring.framework.security.extensions.version>
+        <opensaml.version>2.6.1</opensaml.version>
         <spring.boot.version>1.2.7.RELEASE</spring.boot.version>
 
         <!-- Calcite Version -->

http://git-wip-us.apache.org/repos/asf/kylin/blob/e8de0dc5/server/pom.xml
----------------------------------------------------------------------
diff --git a/server/pom.xml b/server/pom.xml
index f2f9e32..515305d 100644
--- a/server/pom.xml
+++ b/server/pom.xml
@@ -204,6 +204,34 @@
             <version>${spring.framework.version}</version>
         </dependency>
         <dependency>
+            <groupId>org.springframework.security.extensions</groupId>
+            <artifactId>spring-security-saml2-core</artifactId>
+            <version>${spring.framework.security.extensions.version}</version>
+        </dependency>
+        <dependency>
+            <groupId>org.opensaml</groupId>
+            <artifactId>opensaml</artifactId>
+            <version>${opensaml.version}</version>
+            <exclusions>
+                <exclusion>
+                    <artifactId>xml-apis</artifactId>
+                    <groupId>org.apache.xerces</groupId>
+                </exclusion>
+                <exclusion>
+                    <artifactId>jcl-over-slf4j</artifactId>
+                    <groupId>org.slf4j</groupId>
+                </exclusion>
+                <exclusion>
+                    <artifactId>serializer</artifactId>
+                    <groupId>org.apache.xerces</groupId>
+                </exclusion>
+                <exclusion>
+                    <artifactId>log4j-over-slf4j</artifactId>
+                    <groupId>org.slf4j</groupId>
+                </exclusion>
+            </exclusions>
+        </dependency>
+        <dependency>
             <groupId>net.sf.ehcache</groupId>
             <artifactId>ehcache</artifactId>
             <version>2.8.1</version>

http://git-wip-us.apache.org/repos/asf/kylin/blob/e8de0dc5/server/src/main/java/org/apache/kylin/rest/security/KylinAuthenticationProvider.java
----------------------------------------------------------------------
diff --git a/server/src/main/java/org/apache/kylin/rest/security/KylinAuthenticationProvider.java
b/server/src/main/java/org/apache/kylin/rest/security/KylinAuthenticationProvider.java
new file mode 100644
index 0000000..be28bdd
--- /dev/null
+++ b/server/src/main/java/org/apache/kylin/rest/security/KylinAuthenticationProvider.java
@@ -0,0 +1,101 @@
+package org.apache.kylin.rest.security;
+
+import net.sf.ehcache.Cache;
+import net.sf.ehcache.CacheManager;
+import net.sf.ehcache.Element;
+import org.apache.kylin.rest.service.UserService;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.beans.factory.InitializingBean;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.security.authentication.AuthenticationProvider;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.AuthenticationException;
+import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.security.core.userdetails.UserDetails;
+import org.springframework.security.saml.SAMLAuthenticationProvider;
+import org.springframework.util.Assert;
+
+import java.security.MessageDigest;
+import java.security.NoSuchAlgorithmException;
+import java.util.Arrays;
+
+/**
+ * A wrapper class for the authentication provider; Will do something more for Kylin.
+ */
+public class KylinAuthenticationProvider implements AuthenticationProvider {
+
+    private static final Logger logger = LoggerFactory.getLogger(KylinAuthenticationProvider.class);
+
+    @Autowired
+    UserService userService;
+
+    @Autowired
+    private CacheManager cacheManager;
+
+    //Embedded authentication provider
+    private AuthenticationProvider authenticationProvider;
+
+    MessageDigest md = null;
+    
+    public KylinAuthenticationProvider(AuthenticationProvider authenticationProvider) {
+        super();
+        Assert.notNull(authenticationProvider, "The embedded authenticationProvider should
not be null.");
+        this.authenticationProvider = authenticationProvider;
+        try {
+            md = MessageDigest.getInstance("MD5");
+        } catch (NoSuchAlgorithmException e) {
+            throw new RuntimeException("Failed to init Message Digest ", e);
+        }
+    }
+    @Override
+    public Authentication authenticate(Authentication authentication) throws AuthenticationException
{
+        Authentication authed = null;
+        Cache userCache = cacheManager.getCache("UserCache");
+        md.reset();
+        byte[] hashKey = md.digest((authentication.getName() + authentication.getCredentials()).getBytes());
+        String userKey = Arrays.toString(hashKey);
+
+        Element authedUser = userCache.get(userKey);
+        if (null != authedUser) {
+            authed = (Authentication) authedUser.getObjectValue();
+            SecurityContextHolder.getContext().setAuthentication(authed);
+        } else {
+            try {
+                authed = authenticationProvider.authenticate(authentication);
+                userCache.put(new Element(userKey, authed));
+            } catch (AuthenticationException e) {
+                logger.error("Failed to auth user: " + authentication.getName(), e);
+                throw e;
+            }
+
+            logger.debug("Authenticated user " + authed.toString());
+            
+            UserDetails user = (UserDetails)authed.getDetails();
+            Assert.notNull(user, "The UserDetail is null.");
+
+            logger.debug("User authorities :" + user.getAuthorities());
+            if (!userService.userExists(user.getUsername())) {
+                userService.createUser(user);
+            } else {
+                userService.updateUser(user);
+            }
+        }
+
+        return authed;
+    }
+
+    @Override
+    public boolean supports(Class<?> authentication) {
+        return authenticationProvider.supports(authentication);
+    }
+
+    public AuthenticationProvider getAuthenticationProvider() {
+        return authenticationProvider;
+    }
+
+    public void setAuthenticationProvider(AuthenticationProvider authenticationProvider)
{
+        this.authenticationProvider = authenticationProvider;
+    }
+
+}

http://git-wip-us.apache.org/repos/asf/kylin/blob/e8de0dc5/server/src/main/java/org/apache/kylin/rest/security/LdapProvider.java
----------------------------------------------------------------------
diff --git a/server/src/main/java/org/apache/kylin/rest/security/LdapProvider.java b/server/src/main/java/org/apache/kylin/rest/security/LdapProvider.java
index b34a2bd..2dae90b 100644
--- a/server/src/main/java/org/apache/kylin/rest/security/LdapProvider.java
+++ b/server/src/main/java/org/apache/kylin/rest/security/LdapProvider.java
@@ -41,6 +41,7 @@ import org.springframework.security.ldap.userdetails.LdapAuthoritiesPopulator;
 
 /**
  * @author xduo
+ * @deprecated replaced by KylinAuthenticationProvider
  * 
  */
 public class LdapProvider extends LdapAuthenticationProvider {

http://git-wip-us.apache.org/repos/asf/kylin/blob/e8de0dc5/server/src/main/java/org/apache/kylin/rest/security/SAMLUserDetailsService.java
----------------------------------------------------------------------
diff --git a/server/src/main/java/org/apache/kylin/rest/security/SAMLUserDetailsService.java
b/server/src/main/java/org/apache/kylin/rest/security/SAMLUserDetailsService.java
new file mode 100644
index 0000000..8d13805
--- /dev/null
+++ b/server/src/main/java/org/apache/kylin/rest/security/SAMLUserDetailsService.java
@@ -0,0 +1,32 @@
+package org.apache.kylin.rest.security;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.security.core.userdetails.UserDetails;
+import org.springframework.security.core.userdetails.UsernameNotFoundException;
+import org.springframework.security.ldap.userdetails.LdapUserDetailsService;
+import org.springframework.security.saml.SAMLCredential;
+
+/**
+ * An implementation of SAMLUserDetailsService by delegating the query to LdapUserDetailsService.
+ */
+public class SAMLUserDetailsService implements org.springframework.security.saml.userdetails.SAMLUserDetailsService
{
+
+    private static final Logger logger = LoggerFactory.getLogger(SAMLUserDetailsService.class);
+    private LdapUserDetailsService ldapUserDetailsService;
+
+    public SAMLUserDetailsService(LdapUserDetailsService ldapUserDetailsService) {
+        this.ldapUserDetailsService = ldapUserDetailsService;
+    }
+
+    @Override
+    public Object loadUserBySAML(SAMLCredential samlCredential) throws UsernameNotFoundException
{
+        final String userEmail = samlCredential.getAttributeAsString("email");
+        logger.debug("samlCredential.email:" + userEmail);
+        final String userName = userEmail.substring(0, userEmail.indexOf("@"));
+
+        UserDetails userDetails = ldapUserDetailsService.loadUserByUsername(userName);
+        logger.debug("userDeail by search ldap with '" + userName + "' is: " + userDetails);
+        return userDetails;
+    }
+}

http://git-wip-us.apache.org/repos/asf/kylin/blob/e8de0dc5/server/src/main/resources/applicationContext.xml
----------------------------------------------------------------------
diff --git a/server/src/main/resources/applicationContext.xml b/server/src/main/resources/applicationContext.xml
index a103b56..dd66070 100644
--- a/server/src/main/resources/applicationContext.xml
+++ b/server/src/main/resources/applicationContext.xml
@@ -85,19 +85,19 @@
 
     <bean id="cacheManager" class="org.springframework.cache.ehcache.EhCacheCacheManager"
           p:cacheManager-ref="ehcache"/>
-    <beans profile="default">
+    <beans profile="ldap,saml">
         <bean id="ehcache"
               class="org.springframework.cache.ehcache.EhCacheManagerFactoryBean"
               p:configLocation="classpath:ehcache.xml" p:shared="true"/>
     </beans>
-    <beans profile="sandbox,testing">
+    <beans profile="testing">
         <bean id="ehcache"
               class="org.springframework.cache.ehcache.EhCacheManagerFactoryBean"
               p:configLocation="classpath:ehcache-test.xml" p:shared="true"/>
     </beans>
 
     <!-- hbase storage/global lock Config -->
-    <beans profile="default,sandbox">
+    <beans profile="ldap,saml">
         <bean id="aclHBaseStorage" class="org.apache.kylin.rest.security.RealAclHBaseStorage"/>
         <bean id="jobLock" class="org.apache.kylin.storage.hbase.util.ZookeeperJobLock"/>
     </beans>

http://git-wip-us.apache.org/repos/asf/kylin/blob/e8de0dc5/server/src/main/resources/kylin-server-log4j.properties
----------------------------------------------------------------------
diff --git a/server/src/main/resources/kylin-server-log4j.properties b/server/src/main/resources/kylin-server-log4j.properties
index a93627a..f4df80d 100644
--- a/server/src/main/resources/kylin-server-log4j.properties
+++ b/server/src/main/resources/kylin-server-log4j.properties
@@ -49,3 +49,8 @@ log4j.logger.org.apache.kylin.query=DEBUG, query
 log4j.logger.org.apache.kylin.rest.controller.JobController=DEBUG, job
 log4j.logger.org.apache.kylin.rest.service.JobService=DEBUG, job
 log4j.logger.org.apache.kylin.job=DEBUG, job
+
+#spring security config
+log4j.logger.org.springframework.security=INFO,file
+log4j.logger.org.opensaml=INFO,file
+log4j.logger.PROTOCOL_MESSAGE=INFO,file

http://git-wip-us.apache.org/repos/asf/kylin/blob/e8de0dc5/server/src/main/resources/kylinSecurity.xml
----------------------------------------------------------------------
diff --git a/server/src/main/resources/kylinSecurity.xml b/server/src/main/resources/kylinSecurity.xml
index ee3c891..3b2125a 100644
--- a/server/src/main/resources/kylinSecurity.xml
+++ b/server/src/main/resources/kylinSecurity.xml
@@ -1,39 +1,16 @@
-<beans xmlns="http://www.springframework.org/schema/beans" xmlns:tx="http://www.springframework.org/schema/tx"
xmlns:scr="http://www.springframework.org/schema/security" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
+<beans xmlns="http://www.springframework.org/schema/beans" xmlns:tx="http://www.springframework.org/schema/tx"
+	   xmlns:scr="http://www.springframework.org/schema/security" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+	   xmlns:context="http://www.springframework.org/schema/context" xsi:schemaLocation="http://www.springframework.org/schema/beans
 	http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
 	http://www.springframework.org/schema/security
 	http://www.springframework.org/schema/security/spring-security-3.1.xsd
 	http://www.springframework.org/schema/tx
-    http://www.springframework.org/schema/tx/spring-tx-3.1.xsd">
+    http://www.springframework.org/schema/tx/spring-tx-3.1.xsd http://www.springframework.org/schema/context
http://www.springframework.org/schema/context/spring-context.xsd">
 
 	<scr:global-method-security pre-post-annotations="enabled">
 		<scr:expression-handler ref="expressionHandler" />
 	</scr:global-method-security>
 
-	<scr:http auto-config="true" use-expressions="true">
-		<scr:http-basic entry-point-ref="unauthorisedEntryPoint" />
-
-		<scr:intercept-url pattern="/api/user/authentication*/**" access="permitAll" />
-		<scr:intercept-url pattern="/api/query*/**" access="isAuthenticated()" />
-		<scr:intercept-url pattern="/api/metadata*/**" access="isAuthenticated()" />
-		<scr:intercept-url pattern="/api/**/metrics" access="permitAll" />
-        <scr:intercept-url pattern="/api/cache*/**" access="permitAll" />
-		<scr:intercept-url pattern="/api/cubes/src/tables" access="hasAnyRole('ROLE_ANALYST')"
/>
-		<scr:intercept-url pattern="/api/cubes*/**" access="isAuthenticated()" />
-		<scr:intercept-url pattern="/api/models*/**" access="isAuthenticated()" />
-		<scr:intercept-url pattern="/api/streaming*/**" access="isAuthenticated()" />
-		<scr:intercept-url pattern="/api/job*/**" access="isAuthenticated()" />
-		<scr:intercept-url pattern="/api/admin/config" access="permitAll" />
-		<scr:intercept-url pattern="/api/projects" access="permitAll" />
-		<scr:intercept-url pattern="/api/admin*/**" access="hasRole('ROLE_ADMIN')" />
-		<scr:intercept-url pattern="/api/**" access="isAuthenticated()" />
-
-		<scr:logout invalidate-session="true" delete-cookies="JSESSIONID" />
-		<scr:session-management session-fixation-protection="newSession" />
-	</scr:http>
-	
-	<!-- user auth -->
-	<bean id="passwordEncoder" class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder"
/>
-
 	<!-- acl config -->
 	<bean id="aclPermissionFactory" class="org.apache.kylin.rest.security.AclPermissionFactory"
/>
 
@@ -45,6 +22,12 @@
 		<constructor-arg ref="aclService" />
 		<property name="permissionFactory" ref="aclPermissionFactory" />
 	</bean>
+
+	<bean id="ldapSource" class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
+		<constructor-arg value="${ldap.server}" />
+		<property name="userDn" value="${ldap.username}" />
+		<property name="password" value="${ldap.password}" />
+	</bean>
 	
 	<bean id="aclAuthorizationStrategy"
 		class="org.springframework.security.acls.domain.AclAuthorizationStrategyImpl">
@@ -70,72 +53,76 @@
 		<constructor-arg ref="auditLogger" />
 	</bean>
 	
-	<beans profile="default">
-		<bean id="ldapUserAuthProvider" class="org.apache.kylin.rest.security.LdapProvider">
+	<beans profile="ldap">
+		<bean id="kylinUserAuthProvider" class="org.apache.kylin.rest.security.KylinAuthenticationProvider">
 			<constructor-arg>
-				<bean class="org.springframework.security.ldap.authentication.BindAuthenticator">
-					<constructor-arg ref="ldapSource" />
-					<property name="userSearch">
-						<bean id="userSearch" class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
-							<constructor-arg index="0" value="${ldap.user.searchBase}" />
-							<constructor-arg index="1" value="${ldap.user.searchPattern}" />
-							<constructor-arg index="2" ref="ldapSource" />
+				<bean id="ldapUserAuthenticationProvider" class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
+					<constructor-arg>
+						<bean class="org.springframework.security.ldap.authentication.BindAuthenticator">
+							<constructor-arg ref="ldapSource" />
+							<property name="userSearch">
+								<bean id="userSearch" class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
+									<constructor-arg index="0" value="${ldap.user.searchBase}" />
+									<constructor-arg index="1" value="${ldap.user.searchPattern}" />
+									<constructor-arg index="2" ref="ldapSource" />
+								</bean>
+							</property>
 						</bean>
-					</property>
-				</bean>
-			</constructor-arg>
-			<constructor-arg>
-				<bean class="org.apache.kylin.rest.security.AuthoritiesPopulator">
-					<constructor-arg index="0" ref="ldapSource" />
-					<constructor-arg index="1" value="${ldap.user.groupSearchBase}" />
-					<constructor-arg index="2" value="${acl.adminRole}" />
-					<constructor-arg index="3" value="${acl.defaultRole}" />
+					</constructor-arg>
+					<constructor-arg>
+						<bean class="org.apache.kylin.rest.security.AuthoritiesPopulator">
+							<constructor-arg index="0" ref="ldapSource" />
+							<constructor-arg index="1" value="${ldap.user.groupSearchBase}" />
+							<constructor-arg index="2" value="${acl.adminRole}" />
+							<constructor-arg index="3" value="${acl.defaultRole}" />
+						</bean>
+					</constructor-arg>
 				</bean>
 			</constructor-arg>
 		</bean>
 
-		<bean id="ldapServiceAccountAuthProvider" class="org.apache.kylin.rest.security.LdapProvider">
+		<bean id="kylinServiceAccountAuthProvider" class="org.apache.kylin.rest.security.KylinAuthenticationProvider">
 			<constructor-arg>
-				<bean class="org.springframework.security.ldap.authentication.BindAuthenticator">
-					<constructor-arg ref="ldapSource" />
-					<property name="userSearch">
-						<bean id="userSearch" class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
-							<constructor-arg index="0" value="${ldap.service.searchBase}" />
-							<constructor-arg index="1" value="${ldap.service.searchPattern}" />
-							<constructor-arg index="2" ref="ldapSource" />
+				<bean id="ldapServiceAuthenticationProvider" class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
+					<constructor-arg>
+						<bean class="org.springframework.security.ldap.authentication.BindAuthenticator">
+							<constructor-arg ref="ldapSource" />
+							<property name="userSearch">
+								<bean id="userSearch" class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
+									<constructor-arg index="0" value="${ldap.service.searchBase}" />
+									<constructor-arg index="1" value="${ldap.service.searchPattern}" />
+									<constructor-arg index="2" ref="ldapSource" />
+								</bean>
+							</property>
 						</bean>
-					</property>
-				</bean>
-			</constructor-arg>
-			<constructor-arg>
-				<bean class="org.apache.kylin.rest.security.AuthoritiesPopulator">
-					<constructor-arg index="0" ref="ldapSource" />
-					<constructor-arg index="1" value="${ldap.service.groupSearchBase}" />
-					<constructor-arg index="2" value="${acl.adminRole}" />
-					<constructor-arg index="3" value="${acl.defaultRole}" />
+					</constructor-arg>
+					<constructor-arg>
+						<bean class="org.apache.kylin.rest.security.AuthoritiesPopulator">
+							<constructor-arg index="0" ref="ldapSource" />
+							<constructor-arg index="1" value="${ldap.service.groupSearchBase}" />
+							<constructor-arg index="2" value="${acl.adminRole}" />
+							<constructor-arg index="3" value="${acl.defaultRole}" />
+						</bean>
+					</constructor-arg>
 				</bean>
 			</constructor-arg>
 		</bean>
 
-		<scr:authentication-manager alias="authenticationManager">
+		<scr:authentication-manager alias="ldapAuthenticationManager">
 			<!-- do user ldap auth -->
-			<scr:authentication-provider ref="ldapUserAuthProvider"></scr:authentication-provider>
+			<scr:authentication-provider ref="kylinUserAuthProvider"></scr:authentication-provider>
 
 			<!-- do service account ldap auth -->
-			<scr:authentication-provider ref="ldapServiceAccountAuthProvider"></scr:authentication-provider>
-
-			<!-- custom user provider <authentication-provider user-service-ref="userService">
<password-encoder ref="passwordEncoder" /> </authentication-provider> -->
+			<scr:authentication-provider ref="kylinServiceAccountAuthProvider"></scr:authentication-provider>
 		</scr:authentication-manager>
 
-		<bean id="ldapSource" class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
-			<constructor-arg value="${ldap.server}" />
-			<property name="userDn" value="${ldap.username}" />
-			<property name="password" value="${ldap.password}" />
-		</bean>
 	</beans>
 
-	<beans profile="sandbox,testing">
-		<scr:authentication-manager alias="authenticationManager">
+	<beans profile="testing">
+		<!-- user auth -->
+		<bean id="passwordEncoder" class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder"
/>
+		
+		<scr:authentication-manager alias="testingAuthenticationManager">
 			<scr:authentication-provider>
 				<scr:user-service>
 					<scr:user name="MODELER" password="$2a$10$Le5ernTeGNIARwMJsY0WaOLioNQdb0QD11DwjeyNqqNRp5NaDo2FG"
authorities="ROLE_MODELER" />
@@ -146,4 +133,321 @@
 			</scr:authentication-provider>
 		</scr:authentication-manager>
 	</beans>
+	
+	<beans profile="testing,ldap">
+		<scr:http auto-config="true" use-expressions="true">
+			<scr:http-basic entry-point-ref="unauthorisedEntryPoint" />
+
+			<scr:intercept-url pattern="/api/user/authentication*/**" access="permitAll" />
+			<scr:intercept-url pattern="/api/query*/**" access="isAuthenticated()" />
+			<scr:intercept-url pattern="/api/metadata*/**" access="isAuthenticated()" />
+			<scr:intercept-url pattern="/api/**/metrics" access="permitAll" />
+			<scr:intercept-url pattern="/api/cache*/**" access="permitAll" />
+			<scr:intercept-url pattern="/api/cubes/src/tables" access="hasAnyRole('ROLE_ANALYST')"
/>
+			<scr:intercept-url pattern="/api/cubes*/**" access="isAuthenticated()" />
+			<scr:intercept-url pattern="/api/models*/**" access="isAuthenticated()" />
+			<scr:intercept-url pattern="/api/streaming*/**" access="isAuthenticated()" />
+			<scr:intercept-url pattern="/api/job*/**" access="isAuthenticated()" />
+			<scr:intercept-url pattern="/api/admin/config" access="permitAll" />
+			<scr:intercept-url pattern="/api/projects" access="permitAll" />
+			<scr:intercept-url pattern="/api/admin*/**" access="hasRole('ROLE_ADMIN')" />
+			<scr:intercept-url pattern="/api/**" access="isAuthenticated()" />
+
+			<scr:logout invalidate-session="true" delete-cookies="JSESSIONID" />
+			<scr:session-management session-fixation-protection="newSession" />
+		</scr:http>
+	</beans>
+
+	<beans profile="saml">
+		<!-- Enable auto-wiring -->
+		<context:annotation-config/>
+
+		<!-- Scan for auto-wiring classes in spring saml packages -->
+		<context:component-scan base-package="org.springframework.security.saml"/>
+
+		<!-- Unsecured pages -->
+		<scr:http security="none" pattern="/images/**"/>
+		<scr:http security="none" pattern="/css/**"/>
+		<scr:http security="none" pattern="/fonts/**"/>
+		<scr:http security="none" pattern="/js/**"/>
+		<scr:http security="none" pattern="/login/**"/>
+		<scr:http security="none" pattern="/api/projects" />
+
+		<!-- Secured pages with SAML as entry point -->
+		<scr:http entry-point-ref="samlEntryPoint" use-expressions="false">
+			<scr:intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY"/>
+			<scr:custom-filter before="FIRST" ref="metadataGeneratorFilter"/>
+			<scr:custom-filter after="BASIC_AUTH_FILTER" ref="samlFilter"/>
+		</scr:http>
+
+		<!-- Central storage of cryptographic keys -->
+		<bean id="keyManager" class="org.springframework.security.saml.key.JKSKeyManager">
+			<constructor-arg value="classpath:samlKeystore.jks"/>
+			<constructor-arg type="java.lang.String" value="changeit"/>
+			<constructor-arg>
+				<map>
+					<entry key="kylin" value="changeit"/>
+				</map>
+			</constructor-arg>
+			<constructor-arg type="java.lang.String" value="kylin"/>
+		</bean>
+
+		<!-- Filters for processing of SAML messages -->
+		<bean id="samlFilter" class="org.springframework.security.web.FilterChainProxy">
+			<scr:filter-chain-map request-matcher="ant">
+				<scr:filter-chain pattern="/saml/login/**" filters="samlEntryPoint"/>
+				<scr:filter-chain pattern="/saml/logout/**" filters="samlLogoutFilter"/>
+				<scr:filter-chain pattern="/saml/metadata/**" filters="metadataDisplayFilter"/>
+				<scr:filter-chain pattern="/saml/SSO/**" filters="samlWebSSOProcessingFilter"/>
+				<scr:filter-chain pattern="/saml/SSOHoK/**" filters="samlWebSSOHoKProcessingFilter"/>
+				<scr:filter-chain pattern="/saml/SingleLogout/**" filters="samlLogoutProcessingFilter"/>
+			</scr:filter-chain-map>
+		</bean>
+
+		<!-- Handler deciding where to redirect user after successful login -->
+		<bean id="successRedirectHandler"
+			  class="org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler">
+			<property name="defaultTargetUrl" value="/models"/>
+		</bean>
+
+		<!-- Handler deciding where to redirect user after failed login -->
+		<bean id="failureRedirectHandler"
+			  class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler">
+			<property name="useForward" value="true"/>
+			<property name="defaultFailureUrl" value="/login"/>
+		</bean>
+
+		<!-- Handler for successful logout -->
+		<bean id="successLogoutHandler" class="org.springframework.security.web.authentication.logout.SimpleUrlLogoutSuccessHandler">
+			<property name="defaultTargetUrl" value="/login"/>
+		</bean>
+
+		<scr:authentication-manager alias="samlAuthenticationManager">
+			<!-- Register authentication manager for SAML provider -->
+			<scr:authentication-provider ref="kylinAuthenticationProvider"/>
+		</scr:authentication-manager>
+
+		<!-- Logger for SAML messages and events -->
+		<bean id="samlLogger" class="org.springframework.security.saml.log.SAMLDefaultLogger"/>
+
+		<!-- Filter automatically generates default SP metadata -->
+		<bean id="metadataGeneratorFilter" class="org.springframework.security.saml.metadata.MetadataGeneratorFilter">
+			<constructor-arg>
+				<bean class="org.springframework.security.saml.metadata.MetadataGenerator">
+					<property name="extendedMetadata">
+						<bean class="org.springframework.security.saml.metadata.ExtendedMetadata">
+							<property name="idpDiscoveryEnabled" value="false"/>
+						</bean>
+					</property>
+					<property name="entityBaseURL" value = "${saml.metadata.entityBaseURL}"/>
+				</bean>
+			</constructor-arg>
+		</bean>
+
+		<!-- Entry point to initialize authentication, default values taken from properties
file -->
+		<bean id="samlEntryPoint" class="org.springframework.security.saml.SAMLEntryPoint">
+			<property name="defaultProfileOptions">
+				<bean class="org.springframework.security.saml.websso.WebSSOProfileOptions">
+					<property name="includeScoping" value="false"/>
+				</bean>
+			</property>
+		</bean>
+
+		<!-- The filter is waiting for connections on URL suffixed with filterSuffix and presents
SP metadata there -->
+		<bean id="metadataDisplayFilter" class="org.springframework.security.saml.metadata.MetadataDisplayFilter"/>
+
+		<!-- IDP Metadata configuration - paths to metadata of IDPs in circle of trust is here
-->
+		<bean id="metadata" class="org.springframework.security.saml.metadata.CachingMetadataManager">
+			<constructor-arg>
+				<list>
+					<!-- Example of classpath metadata with Extended Metadata -->
+					<bean class="org.springframework.security.saml.metadata.ExtendedMetadataDelegate">
+						<constructor-arg>
+							<bean class="org.opensaml.saml2.metadata.provider.FilesystemMetadataProvider">
+								<constructor-arg>
+									<value type="java.io.File">classpath:sso_metadata.xml</value>
+								</constructor-arg>
+								<property name="parserPool" ref="parserPool"/>
+							</bean>
+						</constructor-arg>
+						<constructor-arg>
+							<bean class="org.springframework.security.saml.metadata.ExtendedMetadata">
+							</bean>
+						</constructor-arg>
+						<property name="metadataTrustCheck" value="false"/>
+					</bean>
+				</list>
+			</constructor-arg>
+		</bean>
+
+		<bean id="ldapUserAuthoritiesPopulator" class="org.apache.kylin.rest.security.AuthoritiesPopulator">
+			<constructor-arg index="0" ref="ldapSource" />
+			<constructor-arg index="1" value="${ldap.user.groupSearchBase}" />
+			<constructor-arg index="2" value="${acl.adminRole}" />
+			<constructor-arg index="3" value="${acl.defaultRole}" />
+		</bean>
+
+		<bean id="userSearch" class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
+			<constructor-arg index="0" value="${ldap.user.searchBase}" />
+			<constructor-arg index="1" value="${ldap.user.searchPattern}" />
+			<constructor-arg index="2" ref="ldapSource" />
+		</bean>
+
+		
+		<bean id="samlUserDetailsService" class="org.apache.kylin.rest.security.SAMLUserDetailsService">
+			<constructor-arg>
+				<bean id="ldapUserDetailsService" class="org.springframework.security.ldap.userdetails.LdapUserDetailsService">
+					<constructor-arg ref="userSearch" />
+					<constructor-arg ref="ldapUserAuthoritiesPopulator" />
+				</bean>
+			</constructor-arg>
+		</bean>
+		
+		<bean id="kylinAuthenticationProvider" class="org.apache.kylin.rest.security.KylinAuthenticationProvider">
+			<constructor-arg>
+				<!-- SAML Authentication Provider responsible for validating of received SAML messages
-->
+				<bean id="samlAuthenticationProvider" class="org.springframework.security.saml.SAMLAuthenticationProvider">
+					<!-- OPTIONAL property: can be used to store/load user data after login -->
+					<property name="userDetails" ref="samlUserDetailsService" />
+				</bean>
+			</constructor-arg>
+		</bean>
+		
+
+		<!-- Provider of default SAML Context -->
+		<!-- 
+		<bean id="contextProvider" class="org.springframework.security.saml.context.SAMLContextProviderImpl"/>
+		-->
+		
+		<!-- Provider of a SAML Context behind a LoadBanlancer or reverse proxy -->
+		<bean id="contextProvider" class="org.springframework.security.saml.context.SAMLContextProviderLB">
+			<property name="scheme" value="${saml.context.scheme}"/>
+			<property name="serverName" value="${saml.context.serverName}"/>
+			<property name="serverPort" value="${saml.context.serverPort}"/>
+			<property name="includeServerPortInRequestURL" value="false"/>
+			<property name="contextPath" value="${saml.context.contextPath}"/>
+		</bean>
+		
+
+		<!-- Processing filter for WebSSO profile messages -->
+		<bean id="samlWebSSOProcessingFilter" class="org.springframework.security.saml.SAMLProcessingFilter">
+			<property name="authenticationManager" ref="samlAuthenticationManager"/>
+			<property name="authenticationSuccessHandler" ref="successRedirectHandler"/>
+			<property name="authenticationFailureHandler" ref="failureRedirectHandler"/>
+		</bean>
+
+		<!-- Processing filter for WebSSO Holder-of-Key profile -->
+		<bean id="samlWebSSOHoKProcessingFilter" class="org.springframework.security.saml.SAMLWebSSOHoKProcessingFilter">
+			<property name="authenticationManager" ref="samlAuthenticationManager"/>
+			<property name="authenticationSuccessHandler" ref="successRedirectHandler"/>
+			<property name="authenticationFailureHandler" ref="failureRedirectHandler"/>
+		</bean>
+
+		<!-- Logout handler terminating local session -->
+		<bean id="logoutHandler"
+			  class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler">
+			<property name="invalidateHttpSession" value="false"/>
+		</bean>
+
+		<!-- Override default logout processing filter with the one processing SAML messages
-->
+		<bean id="samlLogoutFilter" class="org.springframework.security.saml.SAMLLogoutFilter">
+			<constructor-arg index="0" ref="successLogoutHandler"/>
+			<constructor-arg index="1" ref="logoutHandler"/>
+			<constructor-arg index="2" ref="logoutHandler"/>
+		</bean>
+
+		<!-- Filter processing incoming logout messages -->
+		<!-- First argument determines URL user will be redirected to after successful global
logout -->
+		<bean id="samlLogoutProcessingFilter" class="org.springframework.security.saml.SAMLLogoutProcessingFilter">
+			<constructor-arg index="0" ref="successLogoutHandler"/>
+			<constructor-arg index="1" ref="logoutHandler"/>
+		</bean>
+
+		<!-- Class loading incoming SAML messages from httpRequest stream -->
+		<bean id="processor" class="org.springframework.security.saml.processor.SAMLProcessorImpl">
+			<constructor-arg>
+				<list>
+					<ref bean="redirectBinding"/>
+					<ref bean="postBinding"/>
+					<ref bean="artifactBinding"/>
+					<ref bean="soapBinding"/>
+					<ref bean="paosBinding"/>
+				</list>
+			</constructor-arg>
+		</bean>
+
+		<!-- SAML 2.0 WebSSO Assertion Consumer -->
+		<bean id="webSSOprofileConsumer" class="org.springframework.security.saml.websso.WebSSOProfileConsumerImpl"/>
+
+		<!-- SAML 2.0 Holder-of-Key WebSSO Assertion Consumer -->
+		<bean id="hokWebSSOprofileConsumer" class="org.springframework.security.saml.websso.WebSSOProfileConsumerHoKImpl"/>
+
+		<!-- SAML 2.0 Web SSO profile -->
+		<bean id="webSSOprofile" class="org.springframework.security.saml.websso.WebSSOProfileImpl"/>
+
+		<!-- SAML 2.0 Holder-of-Key Web SSO profile -->
+		<bean id="hokWebSSOProfile" class="org.springframework.security.saml.websso.WebSSOProfileConsumerHoKImpl"/>
+
+		<!-- SAML 2.0 ECP profile -->
+		<bean id="ecpprofile" class="org.springframework.security.saml.websso.WebSSOProfileECPImpl"/>
+
+		<!-- SAML 2.0 Logout Profile -->
+		<bean id="logoutprofile" class="org.springframework.security.saml.websso.SingleLogoutProfileImpl"/>
+
+		<!-- Bindings, encoders and decoders used for creating and parsing messages -->
+		<bean id="postBinding" class="org.springframework.security.saml.processor.HTTPPostBinding">
+			<constructor-arg ref="parserPool"/>
+			<constructor-arg ref="velocityEngine"/>
+		</bean>
+
+		<bean id="redirectBinding" class="org.springframework.security.saml.processor.HTTPRedirectDeflateBinding">
+			<constructor-arg ref="parserPool"/>
+		</bean>
+
+		<bean id="artifactBinding" class="org.springframework.security.saml.processor.HTTPArtifactBinding">
+			<constructor-arg ref="parserPool"/>
+			<constructor-arg ref="velocityEngine"/>
+			<constructor-arg>
+				<bean class="org.springframework.security.saml.websso.ArtifactResolutionProfileImpl">
+					<constructor-arg>
+						<bean class="org.apache.commons.httpclient.HttpClient">
+							<constructor-arg>
+								<bean class="org.apache.commons.httpclient.MultiThreadedHttpConnectionManager"/>
+							</constructor-arg>
+						</bean>
+					</constructor-arg>
+					<property name="processor">
+						<bean class="org.springframework.security.saml.processor.SAMLProcessorImpl">
+							<constructor-arg ref="soapBinding"/>
+						</bean>
+					</property>
+				</bean>
+			</constructor-arg>
+		</bean>
+
+		<bean id="soapBinding" class="org.springframework.security.saml.processor.HTTPSOAP11Binding">
+			<constructor-arg ref="parserPool"/>
+		</bean>
+
+		<bean id="paosBinding" class="org.springframework.security.saml.processor.HTTPPAOS11Binding">
+			<constructor-arg ref="parserPool"/>
+		</bean>
+
+		<!-- Initialization of OpenSAML library-->
+		<bean class="org.springframework.security.saml.SAMLBootstrap"/>
+
+		<!-- Initialization of the velocity engine -->
+		<bean id="velocityEngine" class="org.springframework.security.saml.util.VelocityFactory"
factory-method="getEngine"/>
+
+		<!-- XML parser pool needed for OpenSAML parsing -->
+		<bean id="parserPool" class="org.opensaml.xml.parse.StaticBasicParserPool" init-method="initialize">
+			<property name="builderFeatures">
+				<map>
+					<entry key="http://apache.org/xml/features/dom/defer-node-expansion" value="false"/>
+				</map>
+			</property>
+		</bean>
+
+		<bean id="parserPoolHolder" class="org.springframework.security.saml.parser.ParserPoolHolder"/>
+	</beans>
 </beans>
\ No newline at end of file


Mime
View raw message