> On June 4, 2016, 12:32 a.m., Madhan Neethiraj wrote:
> > webapp/src/main/java/org/apache/atlas/web/filters/AtlasAuthenticationFilter.java, line 155
> > <https://reviews.apache.org/r/48130/diff/2/?file=1404597#file1404597line155>
> >
> > Should "simple" authentication be supported now?
> >
> > Shouldn't the flow be:
> > 1. if kerberos authn is enabled
> >    - try kerberos auth
> > 2. if unauthenticated && ldap authn is enabled
> >    - try ldap authn
> > 3. if unauthenticated && file authn is enabled
> >    - try file authn
> > 4. if unauthenticated
> >    - fail authentication

This filter is dedicated for Kerberos and Simple authentication, and for its initialization requires any one of the types. For non-Kerberos it will be initialized with simple type, but it will send an authentication request only in case of Kerberos auth enabled. This filter is at the top and will handle Kerberos authentication; the filters below in the chain will take care of authentication for form-based and basic auth.

> On June 4, 2016, 12:32 a.m., Madhan Neethiraj wrote:
> > webapp/src/main/java/org/apache/atlas/web/listeners/LoginProcessor.java, line 103
> > <https://reviews.apache.org/r/48130/diff/2/?file=1404601#file1404601line103>
> >
> > Should "simple" authentication be supported now?
> >
> > Shouldn't the flow be:
> > 1. if kerberos authn is enabled
> >    - try kerberos auth
> > 2. if unauthenticated && ldap authn is enabled
> >    - try ldap authn
> > 3. if unauthenticated && file authn is enabled
> >    - try file authn
> > 4. if unauthenticated
> >    - fail authentication

This LoginProcessor is called on initialization of Atlas Server and it does a doServiceLogin; not sure whether it is required. Again, here Simple or Kerberos type is required as auth type by design. Should we call this method only for Kerberos type?

- Nixon

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/48130/#review136143
-----------------------------------------------------------

On June 2, 2016, 8:59 a.m., Nixon Rodrigues wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/48130/
> -----------------------------------------------------------
>
> (Updated June 2, 2016, 8:59 a.m.)
>
>
> Review request for atlas, Gautam Borad, Madhan Neethiraj, Mehul Parikh, Shwetha GS, and Hemanth Yamijala.
>
>
> Bugs: ATLAS-820
>     https://issues.apache.org/jira/browse/ATLAS-820
>
>
> Repository: atlas
>
>
> Description
> -------
>
> Kerberos-Authentication-related-changes.
>
> Changes include:
>
> * Adding/configuration of AtlasAuthentication filter into spring's filter.
> * Refactoring of authentication related properties.
>
>
> Diffs
> -----
>
>   common/src/main/java/org/apache/atlas/utils/AuthenticationUtil.java f8e22f0
>   distro/src/conf/atlas-application.properties bfa40e8
>   distro/src/conf/policy-store.txt 339f014
>   webapp/src/main/java/org/apache/atlas/web/dao/UserDao.java f1ceee2
>   webapp/src/main/java/org/apache/atlas/web/filters/AtlasAuthenticationFilter.java 2d84b10
>   webapp/src/main/java/org/apache/atlas/web/filters/KerberosAuthenticationFilter.java PRE-CREATION
>   webapp/src/main/java/org/apache/atlas/web/filters/MockServletContext.java PRE-CREATION
>   webapp/src/main/java/org/apache/atlas/web/listeners/GuiceServletConfig.java 010fa2a
>   webapp/src/main/java/org/apache/atlas/web/listeners/LoginProcessor.java b7943e7
>   webapp/src/main/java/org/apache/atlas/web/security/AtlasAuthenticationProvider.java 389a609
>   webapp/src/main/resources/spring-security.xml bba054d
>   webapp/src/test/java/org/apache/atlas/web/security/FileAuthenticationTest.java a07874a
>
> Diff: https://reviews.apache.org/r/48130/diff/
>
>
> Testing
> -------
>
> * Tested Quick Started in both kerberos and normal env.
> * mvn clean install.
> * Tested atlas UI in kerberized and non kerberized browser.
> * Executed curl commands with and without kinit.
>
> kinit -kt /etc/security/keytabs/atlas.service.keytab atlas/mp-atls-495-1.openstacklo...@example.com
>
> curl url
> curl -v -u admin:admin http://mp-atls-495-1.openstacklocal:21000/api/atlas/types
>
> curl with --negotiate
> curl -k -v --negotiate -u : http://mp-atls-495-1.openstacklocal:21000/api/atlas/types
>
> curl without negotiate
> curl -k -v -u : http://mp-atls-495-1.openstacklocal:21000/api/atlas/types
>
> curl with -u admin:admin
> curl -v -u admin:admin http://mp-atls-495-1.openstacklocal:21000/api/atlas/types
>
> with browser
> google-chrome --auth-server-whitelist="mp-atls-495-1.openstacklocal"
>
>
> Thanks,
>
> Nixon Rodrigues
>
>
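
The fallback order proposed in the review comments of this thread (Kerberos, then LDAP, then file, otherwise fail), modelled as an added example that is not part of the thread and is not Atlas code. The class, record and method names are hypothetical, the back ends are constructed stand-ins, and treating a back-end error as "unauthenticated" is an assumption of this sketch.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Optional;
import java.util.function.BiFunction;

// Added illustration; not Atlas code. All names here are hypothetical.
public class AuthnFallbackExample {

    // One authentication method: whether it is enabled, and a check that
    // returns the authenticated user name, or empty when it cannot authenticate.
    record Method(boolean enabled, BiFunction<String, String, Optional<String>> check) {}

    // Tries enabled methods in insertion order; the first success wins.
    // If no method authenticates the request the result is empty (fail closed).
    static Optional<String> authenticate(Map<String, Method> chain, String user, String secret) {
        for (Map.Entry<String, Method> e : chain.entrySet()) {
            if (!e.getValue().enabled()) {
                continue; // disabled methods are never consulted
            }
            Optional<String> who;
            try {
                who = e.getValue().check().apply(user, secret);
            } catch (RuntimeException ex) {
                who = Optional.empty(); // assumption: a back-end error counts as unauthenticated
            }
            if (who.isPresent()) {
                return who.map(name -> name + " (via " + e.getKey() + ")");
            }
        }
        return Optional.empty();
    }

    public static void main(String[] args) {
        // Constructed stand-ins for the Kerberos, LDAP and file back ends.
        Map<String, Method> chain = new LinkedHashMap<>();
        chain.put("kerberos", new Method(false, (u, s) -> Optional.of(u)));
        chain.put("ldap", new Method(true, (u, s) -> { throw new IllegalStateException("LDAP down"); }));
        chain.put("file", new Method(true, (u, s) ->
                "admin".equals(u) && "constructed-secret".equals(s) ? Optional.of(u) : Optional.empty()));

        // Kerberos is disabled and LDAP errors out, so only the file check can accept.
        System.out.println(authenticate(chain, "admin", "constructed-secret"));
        // No enabled method accepts these credentials, so authentication fails.
        System.out.println(authenticate(chain, "admin", "wrong"));
    }
}
```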