This is an automated email from the ASF dual-hosted git repository. nixon pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/atlas.git
The following commit(s) were added to refs/heads/master by this push: new 25044ce ATLAS-3488 :- Update Simple Authentication(file-based) password with ShaPasswordEncoder with Salt. 25044ce is described below commit 25044cee5d945985aaadfc68e3da992eb4cc688e Author: nixonrodrigues <ni...@apache.org> AuthorDate: Wed Oct 23 19:06:30 2019 +0530 ATLAS-3488 :- Update Simple Authentication(file-based) password with ShaPasswordEncoder with Salt. --- .../test/resources/users-credentials.properties | 6 ++-- .../test/resources/users-credentials.properties | 4 +-- .../test/resources/users-credentials.properties | 4 +-- .../test/resources/users-credentials.properties | 4 +-- .../test/resources/users-credentials.properties | 4 +-- .../test/resources/users-credentials.properties | 4 +-- .../test/resources/users-credentials.properties | 4 +-- distro/src/conf/users-credentials.properties | 4 +-- .../test/resources/users-credentials.properties | 4 +-- .../atlas/util/CredentialProviderUtility.java | 40 ++++++++++++++++++++++ .../java/org/apache/atlas/web/dao/UserDao.java | 8 +++-- .../security/AtlasFileAuthenticationProvider.java | 26 ++++++++++++-- .../atlas/web/security/FileAuthenticationTest.java | 19 ++++++++-- .../test/resources/users-credentials.properties | 4 +-- 14 files changed, 106 insertions(+), 29 deletions(-) diff --git a/addons/falcon-bridge/src/test/resources/users-credentials.properties b/addons/falcon-bridge/src/test/resources/users-credentials.properties index 3fc3bb1..da69923 100644 --- a/addons/falcon-bridge/src/test/resources/users-credentials.properties +++ b/addons/falcon-bridge/src/test/resources/users-credentials.properties 
@@ -1,3 +1,3 @@
-#username=group::sha256-password
-admin=ADMIN::8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918
-rangertagsync=RANGER_TAG_SYNC::e3f67240f5117d1753c940dae9eea772d36ed5fe9bd9c94a300e40413f1afb9d
+#username=group::sha256+salt-password
+admin=ADMIN::a4a88c0872bf652bb9ed803ece5fd6e82354838a9bf59ab4babb1dab322154e1
+rangertagsync=RANGER_TAG_SYNC::0afe7a1968b07d4c3ff4ed8c2d809a32ffea706c66cd795ead9048e81cfaf034
diff --git a/addons/hbase-bridge/src/test/resources/users-credentials.properties b/addons/hbase-bridge/src/test/resources/users-credentials.properties
index 3fc3bb1..5046dba 100644
--- a/addons/hbase-bridge/src/test/resources/users-credentials.properties
+++ b/addons/hbase-bridge/src/test/resources/users-credentials.properties
@@ -1,3 +1,3 @@
 #username=group::sha256-password
-admin=ADMIN::8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918
-rangertagsync=RANGER_TAG_SYNC::e3f67240f5117d1753c940dae9eea772d36ed5fe9bd9c94a300e40413f1afb9d
+admin=ADMIN::a4a88c0872bf652bb9ed803ece5fd6e82354838a9bf59ab4babb1dab322154e1
+rangertagsync=RANGER_TAG_SYNC::0afe7a1968b07d4c3ff4ed8c2d809a32ffea706c66cd795ead9048e81cfaf034
diff --git a/addons/hive-bridge/src/test/resources/users-credentials.properties b/addons/hive-bridge/src/test/resources/users-credentials.properties
index 3fc3bb1..5046dba 100644
--- a/addons/hive-bridge/src/test/resources/users-credentials.properties
+++ b/addons/hive-bridge/src/test/resources/users-credentials.properties
@@ -1,3 +1,3 @@
 #username=group::sha256-password
-admin=ADMIN::8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918
-rangertagsync=RANGER_TAG_SYNC::e3f67240f5117d1753c940dae9eea772d36ed5fe9bd9c94a300e40413f1afb9d
+admin=ADMIN::a4a88c0872bf652bb9ed803ece5fd6e82354838a9bf59ab4babb1dab322154e1
+rangertagsync=RANGER_TAG_SYNC::0afe7a1968b07d4c3ff4ed8c2d809a32ffea706c66cd795ead9048e81cfaf034
diff --git a/addons/impala-bridge/src/test/resources/users-credentials.properties b/addons/impala-bridge/src/test/resources/users-credentials.properties
index 3fc3bb1..5046dba 100644
--- a/addons/impala-bridge/src/test/resources/users-credentials.properties
+++ b/addons/impala-bridge/src/test/resources/users-credentials.properties
@@ -1,3 +1,3 @@
 #username=group::sha256-password
-admin=ADMIN::8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918
-rangertagsync=RANGER_TAG_SYNC::e3f67240f5117d1753c940dae9eea772d36ed5fe9bd9c94a300e40413f1afb9d
+admin=ADMIN::a4a88c0872bf652bb9ed803ece5fd6e82354838a9bf59ab4babb1dab322154e1
+rangertagsync=RANGER_TAG_SYNC::0afe7a1968b07d4c3ff4ed8c2d809a32ffea706c66cd795ead9048e81cfaf034
diff --git a/addons/kafka-bridge/src/test/resources/users-credentials.properties b/addons/kafka-bridge/src/test/resources/users-credentials.properties
index 3fc3bb1..5046dba 100644
--- a/addons/kafka-bridge/src/test/resources/users-credentials.properties
+++ b/addons/kafka-bridge/src/test/resources/users-credentials.properties
@@ -1,3 +1,3 @@
 #username=group::sha256-password
-admin=ADMIN::8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918
-rangertagsync=RANGER_TAG_SYNC::e3f67240f5117d1753c940dae9eea772d36ed5fe9bd9c94a300e40413f1afb9d
+admin=ADMIN::a4a88c0872bf652bb9ed803ece5fd6e82354838a9bf59ab4babb1dab322154e1
+rangertagsync=RANGER_TAG_SYNC::0afe7a1968b07d4c3ff4ed8c2d809a32ffea706c66cd795ead9048e81cfaf034
diff --git a/addons/sqoop-bridge/src/test/resources/users-credentials.properties b/addons/sqoop-bridge/src/test/resources/users-credentials.properties
index 3fc3bb1..5046dba 100644
--- a/addons/sqoop-bridge/src/test/resources/users-credentials.properties
+++ b/addons/sqoop-bridge/src/test/resources/users-credentials.properties
@@ -1,3 +1,3 @@
 #username=group::sha256-password
-admin=ADMIN::8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918
-rangertagsync=RANGER_TAG_SYNC::e3f67240f5117d1753c940dae9eea772d36ed5fe9bd9c94a300e40413f1afb9d
+admin=ADMIN::a4a88c0872bf652bb9ed803ece5fd6e82354838a9bf59ab4babb1dab322154e1
+rangertagsync=RANGER_TAG_SYNC::0afe7a1968b07d4c3ff4ed8c2d809a32ffea706c66cd795ead9048e81cfaf034
diff --git a/addons/storm-bridge/src/test/resources/users-credentials.properties b/addons/storm-bridge/src/test/resources/users-credentials.properties
index 3fc3bb1..5046dba 100644
--- a/addons/storm-bridge/src/test/resources/users-credentials.properties
+++ b/addons/storm-bridge/src/test/resources/users-credentials.properties
@@ -1,3 +1,3 @@
 #username=group::sha256-password
-admin=ADMIN::8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918
-rangertagsync=RANGER_TAG_SYNC::e3f67240f5117d1753c940dae9eea772d36ed5fe9bd9c94a300e40413f1afb9d
+admin=ADMIN::a4a88c0872bf652bb9ed803ece5fd6e82354838a9bf59ab4babb1dab322154e1
+rangertagsync=RANGER_TAG_SYNC::0afe7a1968b07d4c3ff4ed8c2d809a32ffea706c66cd795ead9048e81cfaf034
diff --git a/distro/src/conf/users-credentials.properties b/distro/src/conf/users-credentials.properties
index 3fc3bb1..5046dba 100644
--- a/distro/src/conf/users-credentials.properties
+++ b/distro/src/conf/users-credentials.properties
@@ -1,3 +1,3 @@
 #username=group::sha256-password
-admin=ADMIN::8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918
-rangertagsync=RANGER_TAG_SYNC::e3f67240f5117d1753c940dae9eea772d36ed5fe9bd9c94a300e40413f1afb9d
+admin=ADMIN::a4a88c0872bf652bb9ed803ece5fd6e82354838a9bf59ab4babb1dab322154e1
+rangertagsync=RANGER_TAG_SYNC::0afe7a1968b07d4c3ff4ed8c2d809a32ffea706c66cd795ead9048e81cfaf034
diff --git a/intg/src/test/resources/users-credentials.properties b/intg/src/test/resources/users-credentials.properties
index 3fc3bb1..5046dba 100644
--- a/intg/src/test/resources/users-credentials.properties
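Review bot: The header comment in the shipped distro/src/conf/users-credentials.properties still reads `#username=group::sha256-password` while the two entries under it are now salted hashes; the falcon-bridge copy of this same hunk was updated to `sha256+salt-password`, but the distro file — the one operators actually edit — and the other seven test copies were not. Because the salt is the username (UserDao.encrypt in this commit), the hash for a given user/password pair is identical on every installation, so a shipped default entry is exactly as guessable as the unsalted one was and must still be replaced before deployment. I would change the comment to `#username=group::sha256(password{username}) - generate with cputil.py -g -u <username> -p <password>; replace the shipped admin entry before deploying` (the `password{salt}` concatenation is what Spring's ShaPasswordEncoder does, if I recall its merge rule correctly).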
+++ b/intg/src/test/resources/users-credentials.properties @@ -1,3 +1,3 @@ #username=group::sha256-password -admin=ADMIN::8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918 -rangertagsync=RANGER_TAG_SYNC::e3f67240f5117d1753c940dae9eea772d36ed5fe9bd9c94a300e40413f1afb9d +admin=ADMIN::a4a88c0872bf652bb9ed803ece5fd6e82354838a9bf59ab4babb1dab322154e1 +rangertagsync=RANGER_TAG_SYNC::0afe7a1968b07d4c3ff4ed8c2d809a32ffea706c66cd795ead9048e81cfaf034 diff --git a/webapp/src/main/java/org/apache/atlas/util/CredentialProviderUtility.java b/webapp/src/main/java/org/apache/atlas/util/CredentialProviderUtility.java index e9fd204..7875fb2 100755 --- a/webapp/src/main/java/org/apache/atlas/util/CredentialProviderUtility.java +++ b/webapp/src/main/java/org/apache/atlas/util/CredentialProviderUtility.java @@ -16,6 +16,10 @@ */ package org.apache.atlas.util; +import org.apache.atlas.web.dao.UserDao; +import org.apache.commons.cli.BasicParser; +import org.apache.commons.cli.CommandLine; +import org.apache.commons.cli.Options; import org.apache.commons.lang.StringUtils; import org.apache.hadoop.conf.Configuration; import org.apache.hadoop.security.alias.CredentialProvider; 
@@ -71,6 +75,36 @@ public class CredentialProviderUtility { public static TextDevice textDevice = DEFAULT_TEXT_DEVICE; public static void main(String[] args) throws IOException { + Options options = new Options(); + + try { + createOptions(options); + + CommandLine cmd = new BasicParser().parse(options, args); + + boolean generatePasswordOption = cmd.hasOption("g"); + + if (generatePasswordOption) { + String userName = cmd.getOptionValue("u"); + String password = cmd.getOptionValue("p"); + + if (userName != null && password != null) { + String encryptedPassword = UserDao.encrypt(password, userName); + textDevice.printf("Your encrypted password is : " + encryptedPassword, null); + textDevice.printf("\n", null); + + } else { + textDevice.printf("Please provide username and password as input. Usage:" + + " cputil.py -g -u <username> -p <password>", null); + } + return; + } + + } catch (Exception e) { + System.out.println("Exception while generatePassword " + e.getMessage()); + return; + } + // prompt for the provider name CredentialProvider provider = getCredentialProvider(textDevice); @@ -100,6 +134,12 @@ public class CredentialProviderUtility { } } + private static void createOptions(Options options) { + options.addOption("g", "generatePassword", false, "Generate Password"); + options.addOption("u", "username", true, "UserName"); + options.addOption("p", "password", true, "Password"); + } + /** * Retrieves a password from the command line. * @param textDevice the system console. diff --git a/webapp/src/main/java/org/apache/atlas/web/dao/UserDao.java b/webapp/src/main/java/org/apache/atlas/web/dao/UserDao.java index b461a6a..7fdce3a 100644 --- a/webapp/src/main/java/org/apache/atlas/web/dao/UserDao.java +++ b/webapp/src/main/java/org/apache/atlas/web/dao/UserDao.java 
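Review bot: The new `-p <password>` option takes the clear-text password as a process argument, so it lands in shell history and is visible to every local user via `ps` for as long as cputil runs. The utility already has an interactive console prompt for secrets (the method whose Javadoc "Retrieves a password from the command line" follows createOptions), so I would make `-p` optional and fall back to it when absent: `String password = cmd.hasOption("p") ? cmd.getOptionValue("p") : <that prompt>(textDevice);`, and reflect that in the usage string. Two smaller points in the same block: the value printed is a salted hash, not an encryption, so `"Your encrypted password is : "` misleads the operator about reversibility, and `catch (Exception e)` prints only `e.getMessage()` and returns, which now also makes any unrecognised argument silently skip the credential-provider flow that follows (the remainder of main is outside this hunk).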
@@ -28,6 +28,7 @@ import javax.annotation.PostConstruct; import org.apache.atlas.web.security.AtlasAuthenticationException; import org.slf4j.Logger; import org.slf4j.LoggerFactory; +import org.springframework.security.authentication.encoding.ShaPasswordEncoder; import org.springframework.stereotype.Repository; import org.apache.atlas.ApplicationProperties; import org.apache.atlas.AtlasException; @@ -50,6 +51,8 @@ public class UserDao { private Properties userLogins; + private static final ShaPasswordEncoder sha256Encoder = new ShaPasswordEncoder(256); + @PostConstruct public void init() { loadFileLoginsDetails(); @@ -106,14 +109,12 @@ public class UserDao { return userDetails; } - @VisibleForTesting public void setUserLogins(Properties userLogins) { this.userLogins = userLogins; } - public static String getSha256Hash(String base) throws AtlasAuthenticationException { try { MessageDigest digest = MessageDigest.getInstance("SHA-256"); @@ -132,4 +133,7 @@ public class UserDao { } } + public static String encrypt(String password, String salt) { + return sha256Encoder.encodePassword(password, salt); + } } diff --git a/webapp/src/main/java/org/apache/atlas/web/security/AtlasFileAuthenticationProvider.java b/webapp/src/main/java/org/apache/atlas/web/security/AtlasFileAuthenticationProvider.java index f177fd4..7269d4c 100644 --- a/webapp/src/main/java/org/apache/atlas/web/security/AtlasFileAuthenticationProvider.java +++ b/webapp/src/main/java/org/apache/atlas/web/security/AtlasFileAuthenticationProvider.java @@ -16,7 +16,9 @@ */ package org.apache.atlas.web.security; +import org.apache.atlas.ApplicationProperties; import org.apache.atlas.web.dao.UserDao; +import org.apache.commons.configuration.Configuration; import org.slf4j.Logger; import org.slf4j.LoggerFactory; import org.springframework.security.authentication.BadCredentialsException; 
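Review bot: `encrypt` is a misleading name for a one-way salted SHA-256 digest — nothing produced here can be decrypted, and the name has already leaked into cputil's "encrypted password" output. Beyond naming, `ShaPasswordEncoder` comes from the deprecated `org.springframework.security.authentication.encoding` package (removed in Spring Security 5, as far as I know), and one SHA-256 round with the username as salt is still not a password KDF: the salt is predictable and shared across installations, and the hash is cheap to brute-force, so `org.springframework.security.crypto.password.Pbkdf2PasswordEncoder` or BCrypt would be the natural next step. If the deprecated encoder stays for now, I would at least make the contract explicit on the method: `/** One-way salted SHA-256 via Spring's ShaPasswordEncoder (sha256(password + "{" + salt + "}")); callers pass the username as salt. Not reversible and not a slow KDF; see ATLAS-3488. */`, and document `getSha256Hash` as the legacy unsalted form it now exists to support.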
@@ -28,6 +30,7 @@ import org.springframework.security.core.userdetails.UserDetails; import org.springframework.security.core.userdetails.UserDetailsService; import org.springframework.stereotype.Component; +import javax.annotation.PostConstruct; import javax.inject.Inject; import java.util.Collection; @@ -38,12 +41,23 @@ public class AtlasFileAuthenticationProvider extends AtlasAbstractAuthentication private static Logger logger = LoggerFactory.getLogger(AtlasFileAuthenticationProvider.class); private final UserDetailsService userDetailsService; + private boolean v1ValidationEnabled = true; @Inject public AtlasFileAuthenticationProvider(UserDetailsService userDetailsService) { this.userDetailsService = userDetailsService; } + @PostConstruct + public void setup() { + try { + Configuration configuration = ApplicationProperties.get(); + v1ValidationEnabled = configuration.getBoolean("atlas.authentication.method.file.v1-validation.enabled", true); + } catch (Exception e) { + logger.error("Exception while setup", e); + } + } + @Override public Authentication authenticate(Authentication authentication) throws AuthenticationException { String username = authentication.getName(); @@ -61,9 +75,15 @@ public class AtlasFileAuthenticationProvider extends AtlasAbstractAuthentication } UserDetails user = userDetailsService.loadUserByUsername(username); - - String encodedPassword = UserDao.getSha256Hash(password); - + String encodedPassword = UserDao.encrypt(password, username); + + boolean isValidPassword = encodedPassword.equals(user.getPassword()); + + + if (!isValidPassword && v1ValidationEnabled) { + encodedPassword = UserDao.getSha256Hash(password); + } + if (!encodedPassword.equals(user.getPassword())) { logger.error("Wrong password " + username); throw new BadCredentialsException("Wrong password"); 
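Review bot: In `setup()` any exception from `ApplicationProperties.get()` is logged and `v1ValidationEnabled` silently keeps its initial `true`, so an unreadable or broken configuration fails open into accepting legacy unsalted hashes; since `true` is also the documented default, nothing in this commit actually retires the old scheme until an operator discovers the flag. The property name `atlas.authentication.method.file.v1-validation.enabled` exists only as a string literal here — it is not added to any properties file or documentation in this diff. I would hoist it to a named constant and document the field: `/** Accept legacy unsalted SHA-256 entries (pre-ATLAS-3488 files). Defaults to true for upgrade compatibility; set atlas.authentication.method.file.v1-validation.enabled=false once every entry has been regenerated with cputil.py -g. */`.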
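Review bot: Both password checks in `authenticate` compare hex digests with `String.equals`, which returns at the first differing character; `MessageDigest.isEqual(encodedPassword.getBytes(StandardCharsets.UTF_8), user.getPassword().getBytes(StandardCharsets.UTF_8))` gives a constant-time comparison at no extra cost and should be used for both the salted and the fallback check. When the salted compare fails and the v1 fallback succeeds, nothing records that the account still carries a legacy hash, so operators have no way to know when it is safe to disable the fallback; I would add `logger.warn("User {} authenticated with a legacy unsalted SHA-256 hash; regenerate the entry with cputil.py -g", username);` on that path. The method's opening lines (null/blank checks on the credentials, presumably) are outside this hunk.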
diff --git a/webapp/src/test/java/org/apache/atlas/web/security/FileAuthenticationTest.java b/webapp/src/test/java/org/apache/atlas/web/security/FileAuthenticationTest.java index fe2060a..6cd5017 100644 --- a/webapp/src/test/java/org/apache/atlas/web/security/FileAuthenticationTest.java +++ b/webapp/src/test/java/org/apache/atlas/web/security/FileAuthenticationTest.java @@ -88,15 +88,16 @@ public class FileAuthenticationTest { TestUtils.writeConfiguration(configuration, persistDir + File.separator + ApplicationProperties.APPLICATION_PROPERTIES); } - + private void setupUserCredential(String tmpDir) throws Exception { StringBuilder credentialFileStr = new StringBuilder(1024); - credentialFileStr.append("admin=ADMIN::8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918\n"); + credentialFileStr.append("admin=ADMIN::a4a88c0872bf652bb9ed803ece5fd6e82354838a9bf59ab4babb1dab322154e1\n"); + credentialFileStr.append("adminv1=ADMIN::8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918\n"); credentialFileStr.append("michael=DATA_SCIENTIST::95bfb24de17d285d734b9eaa9109bfe922adc85f20d2e5e66a78bddb4a4ebddb\n"); credentialFileStr.append("paul=DATA_STEWARD::e7c0dcf5f8a93e93791e9bac1ae454a691c1d2a902fc4256d489e96c1b9ac68c\n"); credentialFileStr.append("user= \n"); - credentialFileStr.append("user12= ::bd35283fe8fcfd77d7c05a8bf2adb85c773281927e12c9829c72a9462092f7c4\n"); + credentialFileStr.append("user12= ::43d864d8f9b53cd913fc6a665c8470595cefa4a360edeb78cf6c4eac00c0a3a0\n"); File credentialFile = new File(tmpDir, "users-credentials"); FileUtils.write(credentialFile, credentialFileStr.toString()); } 
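Review bot: After this change the fixture in setupUserCredential mixes formats without saying so — `admin` and `user12` are salted, `adminv1` is deliberately legacy, and `michael`/`paul` still carry their old unsalted digests — so if any test logs in as michael or paul it now succeeds only through the v1 fallback rather than the scheme under test. I would either regenerate michael and paul with `cputil.py -g` so that `adminv1` is the single intentional legacy entry, or mark the two lines, e.g. `// legacy unsalted sha256 entries: accepted only via the v1-validation fallback`. Which tests use those users is not visible in this hunk, so this is inferred from the fixture alone.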
@@ -123,6 +124,18 @@ public class FileAuthenticationTest { } @Test + public void testValidUserLoginWithV1password() { + + when(authentication.getName()).thenReturn("adminv1"); + when(authentication.getCredentials()).thenReturn("admin"); + + Authentication auth = authProvider.authenticate(authentication); + LOG.debug(" {}", auth); + + assertTrue(auth.isAuthenticated()); + } + + @Test public void testInValidPasswordLogin() { when(authentication.getName()).thenReturn("admin"); diff --git a/webapp/src/test/resources/users-credentials.properties b/webapp/src/test/resources/users-credentials.properties index 3fc3bb1..5046dba 100644 --- a/webapp/src/test/resources/users-credentials.properties +++ b/webapp/src/test/resources/users-credentials.properties @@ -1,3 +1,3 @@ #username=group::sha256-password -admin=ADMIN::8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918 -rangertagsync=RANGER_TAG_SYNC::e3f67240f5117d1753c940dae9eea772d36ed5fe9bd9c94a300e40413f1afb9d +admin=ADMIN::a4a88c0872bf652bb9ed803ece5fd6e82354838a9bf59ab4babb1dab322154e1 +rangertagsync=RANGER_TAG_SYNC::0afe7a1968b07d4c3ff4ed8c2d809a32ffea706c66cd795ead9048e81cfaf034
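Review bot: `testValidUserLoginWithV1password` pins that a legacy unsalted hash is accepted, but nothing tests the other half of the new behaviour: with `atlas.authentication.method.file.v1-validation.enabled=false`, logging in as `adminv1` must throw `BadCredentialsException` while the salted `admin` entry still succeeds. Without that negative case the flag could be wired up wrong — or the configuration read in `setup()` could fail and leave the fallback on — and the suite would stay green. The configuration is written by the setup method earlier in this file (outside this hunk), so the new test needs its own configuration with the property set to false before `authProvider` is constructed.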