Repository: incubator-atlas Updated Branches: refs/heads/master ab624ddab -> b28ab21ee
ATLAS-990 Hive Import metadata script fails with auth exception (nixonrodrigues via shwethags) Project: http://git-wip-us.apache.org/repos/asf/incubator-atlas/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-atlas/commit/8f229628 Tree: http://git-wip-us.apache.org/repos/asf/incubator-atlas/tree/8f229628 Diff: http://git-wip-us.apache.org/repos/asf/incubator-atlas/diff/8f229628 Branch: refs/heads/master Commit: 8f229628f96bcc283e9d05f1fdf615f5cfd93b52 Parents: ab624dd Author: Shwetha GS <[email protected]> Authored: Fri Jul 15 17:34:10 2016 +0530 Committer: Shwetha GS <[email protected]> Committed: Fri Jul 15 17:34:10 2016 +0530 ---------------------------------------------------------------------- .../atlas/security/SecureClientUtils.java | 11 ++-- pom.xml | 2 +- release-log.txt | 1 + .../web/filters/AtlasAuthenticationFilter.java | 53 ++++++++++++++++++-- 4 files changed, 53 insertions(+), 14 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-atlas/blob/8f229628/client/src/main/java/org/apache/atlas/security/SecureClientUtils.java ---------------------------------------------------------------------- diff --git a/client/src/main/java/org/apache/atlas/security/SecureClientUtils.java b/client/src/main/java/org/apache/atlas/security/SecureClientUtils.java index 1686112..0adb97a 100644 --- a/client/src/main/java/org/apache/atlas/security/SecureClientUtils.java +++ b/client/src/main/java/org/apache/atlas/security/SecureClientUtils.java 
@@ -68,14 +68,9 @@ public class SecureClientUtils { conf.addResource(conf.get(SSLFactory.SSL_CLIENT_CONF_KEY, SecurityProperties.SSL_CLIENT_PROPERTIES)); UserGroupInformation.setConfiguration(conf); final ConnectionConfigurator connConfigurator = newConnConfigurator(conf); - String authType = "simple"; - if (clientConfig != null) { - authType = clientConfig.getString("atlas.http.authentication.type", "simple"); - } - Authenticator authenticator = new PseudoDelegationTokenAuthenticator(); - if (!authType.equals("simple")) { - authenticator = new KerberosDelegationTokenAuthenticator(); - } + + Authenticator authenticator = new KerberosDelegationTokenAuthenticator(); + authenticator.setConnectionConfigurator(connConfigurator); final DelegationTokenAuthenticator finalAuthenticator = (DelegationTokenAuthenticator) authenticator; final DelegationTokenAuthenticatedURL.Token token = new DelegationTokenAuthenticatedURL.Token(); http://git-wip-us.apache.org/repos/asf/incubator-atlas/blob/8f229628/pom.xml ---------------------------------------------------------------------- diff --git a/pom.xml b/pom.xml index 88b7ee9..44eac62 100755 --- a/pom.xml +++ b/pom.xml @@ -366,7 +366,7 @@ <jackson.version>1.8.3</jackson.version> <tinkerpop.version>2.6.0</tinkerpop.version> <titan.version>0.5.4</titan.version> - <hadoop.version>2.7.0</hadoop.version> + <hadoop.version>2.7.1</hadoop.version> <hbase.version>1.1.2</hbase.version> <solr.version>5.5.1</solr.version> <kafka.version>0.10.0.0</kafka.version> http://git-wip-us.apache.org/repos/asf/incubator-atlas/blob/8f229628/release-log.txt ---------------------------------------------------------------------- diff --git a/release-log.txt b/release-log.txt index df88f17..ff6dac4 100644 --- a/release-log.txt +++ b/release-log.txt 
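Review bot: The client now builds `KerberosDelegationTokenAuthenticator` unconditionally, so the mechanism is no longer chosen by `atlas.http.authentication.type` but by the authenticator's own fallback. In Hadoop's `KerberosAuthenticator` that fallback is, as far as I recall, pseudo (user.name) authentication whenever the server reply carries no Negotiate challenge. A Kerberos-only deployment may not expect that implicit downgrade, so it deserves a comment above the constructor call, e.g. `// falls back to pseudo auth when the server sends no Negotiate challenge; the server-side config decides the mechanism`. With the branch gone the variable can be declared as `DelegationTokenAuthenticator authenticator = new KerberosDelegationTokenAuthenticator();`, which makes the cast on `finalAuthenticator` unnecessary. The enclosing method starts and ends outside the hunk, so whether `clientConfig` is still read elsewhere cannot be seen here.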
@@ -6,6 +6,7 @@ INCOMPATIBLE CHANGES: ALL CHANGES: +ATLAS-990 Hive Import metadata script fails with auth exception (nixonrodrigues via shwethags) ATLAS-998 determine HA mode from property atlas.server.ids, instead of atlas.server.ha.enabled (madhan.neethiraj via shwethags) ATLAS-986 Ability to differentiate business catalog terms from traits (sumasai,svimal2106 via shwethags) ATLAS-1025 Set HIVE_HOME if hive is available in relative path to import hive script (svimal2106 via shwethags) http://git-wip-us.apache.org/repos/asf/incubator-atlas/blob/8f229628/webapp/src/main/java/org/apache/atlas/web/filters/AtlasAuthenticationFilter.java ---------------------------------------------------------------------- diff --git a/webapp/src/main/java/org/apache/atlas/web/filters/AtlasAuthenticationFilter.java b/webapp/src/main/java/org/apache/atlas/web/filters/AtlasAuthenticationFilter.java index 1b70e9b..605fe89 100644 --- a/webapp/src/main/java/org/apache/atlas/web/filters/AtlasAuthenticationFilter.java +++ b/webapp/src/main/java/org/apache/atlas/web/filters/AtlasAuthenticationFilter.java @@ -30,6 +30,7 @@ import org.apache.commons.configuration.ConfigurationConverter; import org.apache.commons.lang.StringUtils; import org.apache.hadoop.security.SecurityUtil; import org.apache.hadoop.security.UserGroupInformation; +import org.apache.hadoop.security.authentication.client.AuthenticatedURL; import org.apache.hadoop.security.authentication.client.AuthenticationException; import org.apache.hadoop.security.authentication.client.KerberosAuthenticator; import org.apache.hadoop.security.authentication.server.AuthenticationFilter; 
@@ -37,6 +38,7 @@ import org.apache.hadoop.security.authentication.server.AuthenticationToken; import org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler; import org.apache.hadoop.security.authentication.server.AuthenticationHandler; import org.apache.hadoop.security.authentication.util.Signer; +import org.apache.hadoop.security.authentication.util.SignerException; import org.apache.hadoop.security.authentication.util.SignerSecretProvider; import org.apache.log4j.NDC; import org.slf4j.Logger; @@ -67,7 +69,7 @@ import java.net.UnknownHostException; import java.security.Principal; import java.text.SimpleDateFormat; import java.util.*; - +import javax.servlet.http.Cookie; /** * This enforces authentication as part of the filter before processing the request. @@ -80,7 +82,8 @@ public class AtlasAuthenticationFilter extends AuthenticationFilter { protected static ServletContext nullContext = new NullServletContext(); private Signer signer; private SignerSecretProvider secretProvider; - public final boolean isKerberos = AuthenticationUtil.isKerberosAuthenticationEnabled(); + public final boolean isKerberos = AuthenticationUtil.isKerberosAuthenticationEnabled(); + private boolean isInitializedByTomcat; public AtlasAuthenticationFilter() { try { @@ -157,6 +160,7 @@ public class AtlasAuthenticationFilter extends AuthenticationFilter { secretProvider = AuthenticationFilter.constructSecretProvider( filterConfig.getServletContext(), super.getConfiguration(configPrefix, filterConfig), false); + this.isInitializedByTomcat = true; } catch (Exception ex) { throw new ServletException(ex); } @@ -434,6 +438,11 @@ public class AtlasAuthenticationFilter extends AuthenticationFilter { @Override public void destroy() { + + if ((this.secretProvider != null) && (this.isInitializedByTomcat)) { + this.secretProvider.destroy(); + this.secretProvider = null; + } optionsServlet.destroy(); super.destroy(); } 
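Review bot: In `destroy()` the new `secretProvider.destroy()` call runs ahead of `optionsServlet.destroy()` and `super.destroy()`, so a runtime exception from the provider would skip both. Wrapping the provider teardown as `try { this.secretProvider.destroy(); } finally { this.secretProvider = null; }` keeps the rest of the teardown reachable. `signer` is presumably built from the same provider (its construction is outside these hunks) and still references it after the provider is destroyed, so it is worth confirming that nothing calls the filter after `destroy()`. The `isInitializedByTomcat` field added in the `-80,7` hunk has no comment; something like `// set only by init(FilterConfig); destroy() must not tear down a provider this instance did not create there` would explain why the constructor path is excluded.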
@@ -449,11 +458,11 @@ public class AtlasAuthenticationFilter extends AuthenticationFilter { while (i.hasNext()) { String cookie = i.next(); if (!StringUtils.isEmpty(cookie)) { - if (cookie.toLowerCase().startsWith("hadoop.auth".toLowerCase()) && cookie.contains("u=")) { + if (cookie.toLowerCase().startsWith(AuthenticatedURL.AUTH_COOKIE.toLowerCase()) && cookie.contains("u=")) { String[] split = cookie.split(";"); if (split != null) { for (String s : split) { - if (!StringUtils.isEmpty(s) && s.toLowerCase().startsWith("hadoop.auth".toLowerCase())) { + if (!StringUtils.isEmpty(s) && s.toLowerCase().startsWith(AuthenticatedURL.AUTH_COOKIE.toLowerCase())) { int ustr = s.indexOf("u="); if (ustr != -1) { int andStr = s.indexOf("&", ustr); @@ -478,7 +487,7 @@ public class AtlasAuthenticationFilter extends AuthenticationFilter { } public static void createAuthCookie(HttpServletResponse resp, String token, String domain, String path, long expires, boolean isSecure) { - StringBuilder sb = (new StringBuilder("hadoop.auth")).append("="); + StringBuilder sb = (new StringBuilder(AuthenticatedURL.AUTH_COOKIE)).append("="); if(token != null && token.length() > 0) { sb.append("\"").append(token).append("\""); } 
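Review bot: The two changed conditions in the `-449,11` hunk still match by prefix. `startsWith(AuthenticatedURL.AUTH_COOKIE.toLowerCase())` accepts any cookie whose name merely begins with `hadoop.auth`, as long as the string contains `u=`, and the user name is then read from it. Comparing against the name plus its separator, `s.regionMatches(true, 0, AuthenticatedURL.AUTH_COOKIE + "=", 0, AuthenticatedURL.AUTH_COOKIE.length() + 1)`, removes both the loose match and the locale-dependent `toLowerCase()` calls. The surrounding method begins before the hunk and continues past it, so the origin of the cookie strings and the use of the extracted value are not visible here. If that value feeds an authorization or audit decision, it should be taken from the signature-verified token rather than from this string scan.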
@@ -507,4 +516,38 @@ public class AtlasAuthenticationFilter extends AuthenticationFilter {
 resp.addHeader("Set-Cookie", sb.toString());
 }
+ @Override
+ protected AuthenticationToken getToken(HttpServletRequest request)
+ throws IOException, AuthenticationException {
+ AuthenticationToken token = null;
+ String tokenStr = null;
+ Cookie[] cookies = request.getCookies();
+ if (cookies != null) {
+ for (Cookie cookie : cookies) {
+ if (cookie.getName().equals(AuthenticatedURL.AUTH_COOKIE)) {
+ tokenStr = cookie.getValue();
+ try {
+ tokenStr = this.signer.verifyAndExtract(tokenStr);
+ } catch (SignerException ex) {
+ throw new AuthenticationException(ex);
+ }
+ }
+ }
+ }
+
+ if (tokenStr != null) {
+ token = AuthenticationToken.parse(tokenStr);
+ if(token != null) {
+ AuthenticationHandler authHandler = getAuthenticationHandler();
+ if (!token.getType().equals(authHandler.getType())) {
+ throw new AuthenticationException("Invalid AuthenticationToken type");
+ }
+ if (token.isExpired()) {
+ throw new AuthenticationException("AuthenticationToken expired");
+ }
+ }
+ }
+ return token;
+ }
+
 }
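Review bot: The cookie loop in `getToken` has no `break` after a matching cookie, so when a request carries several `hadoop.auth` cookies the last one decides the token. Any one of them that fails `verifyAndExtract` also rejects the request even if another is valid; adding `break;` after the `try`/`catch` makes the first match authoritative and the outcome predictable. `this.signer` is dereferenced without a null check, which is only safe if every path that creates the filter also creates the signer. The constructor and `init` bodies are outside this hunk, so that should be confirmed. The override also has no Javadoc; one sentence stating that it verifies the `hadoop.auth` cookie with this filter's own `signer`, then checks the token type against the configured handler and rejects expired tokens, would tell maintainers why it replaces the inherited method.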
