Re: Review Request 68363: ATLAS-2824 :- Atlas to support Trusted Knox Proxy

2018-11-13 Thread Larry McCay

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/68363/#review210524
---




webapp/src/main/java/org/apache/atlas/web/filters/AtlasAuthenticationFilter.java
Lines 465 (patched)


Will this not fall through to other filters on failure? Is that what we 
really want here?



webapp/src/main/java/org/apache/atlas/web/filters/AtlasAuthenticationFilter.java
Lines 471 (patched)


It is probably due to the hiding of some of the logic in the previous block 
by leveraging ProxyUsers.authorize but the logic here is hard to follow on the 
surface. You may want to just add comment/s to make sure that it is understood 
that the atlasProxyUsers is being checked in both cases.

The &&'d if and else-if checks make for some mental gymnastics here as 
well.


- Larry McCay





Re: Review Request 68363: ATLAS-2824 :- Atlas to support Trusted Knox Proxy

2018-11-13 Thread Madhan Neethiraj

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/68363/#review210522
---


Ship it!




Ship It!

- Madhan Neethiraj





Re: Review Request 68363: ATLAS-2824 :- Atlas to support Trusted Knox Proxy

2018-11-13 Thread Nixon Rodrigues

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/68363/
---

(Updated Nov. 13, 2018, 7:51 p.m.)


Review request for atlas, Apoorv Naik, Ashutosh Mestry, Larry McCay, Madhan 
Neethiraj, and Sarath Subramanian.


Changes
---

This patch updates changes in SSLKerberosTest testcases and also added property 
to turn doAs on/off for trusted proxy. 
atlas.authentication.method.trustedproxy=true/false

https://builds.apache.org/job/PreCommit-ATLAS-Build-Test/805/console


Bugs: ATLAS-2824
https://issues.apache.org/jira/browse/ATLAS-2824


Repository: atlas


Description
---

This patch includes code to support requests from the Knox proxy, where the proxy is 
already known to and trusted by Atlas via configuration. Atlas intercepts the 
incoming requests and, if a request is from the Knox proxy, allows Knox's doAs user 
to create a session in Atlas.

Configs required:-

atlas.authentication.allow.trustedproxy :- property to allow trusted proxy support
atlas.proxyuser.knox.hosts :- property to add trusted hosts
atlas.proxyuser.knox.users :- property to add trusted users
atlas.proxyuser.knox.groups :- property to add trusted groups


Diffs (updated)
---

  webapp/src/main/java/org/apache/atlas/web/filters/AtlasAuthenticationFilter.java e5c40d061
  webapp/src/test/java/org/apache/atlas/web/security/NegativeSSLAndKerberosTest.java 21d4f8526
  webapp/src/test/java/org/apache/atlas/web/security/SSLAndKerberosTest.java 49d56b20c


Diff: https://reviews.apache.org/r/68363/diff/7/

Changes: https://reviews.apache.org/r/68363/diff/6-7/


Testing
---

Tested:

* Atlas UI from Trusted Knox Proxy with Knox SSO login page.
* Atlas UI from Knox Proxy with Atlas Login.
* Atlas UI from Knox Proxy with SSO Filter enabled at Atlas.
* Atlas UI with Atlas Login.
* Atlas API from curl with BASIC & Kerberos headers.


https://builds.apache.org/job/PreCommit-ATLAS-Build-Test/573/console

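Topology Used:-

<topology>
  <gateway>
    <provider>
      <role>federation</role>
      <name>SSOCookieProvider</name>
      <enabled>true</enabled>
      <param>
        <name>sso.authentication.provider.url</name>
        <value>{KNOXHOST}/gateway/knoxsso/knoxauth/login.html</value>
      </param>
    </provider>
    <provider>
      <role>identity-assertion</role>
      <name>Default</name>
      <enabled>true</enabled>
    </provider>
  </gateway>
  <service>
    <role>ATLAS</role>
    <url>{ATLAS_HOST}:21000/</url>
  </service>
  <service>
    <role>ATLAS-API</role>
    <url>{ATLAS_HOST}:21000</url>
  </service>
</topology>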



Thanks,

Nixon Rodrigues
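
Added example, not part of the original thread and not Atlas code: the doAs decision outlined in the description above, written in Java so that every failure after a doAs parameter is seen ends in a denial rather than a fall-through. The class, enum and method names, the Hadoop-style reading of the three lists (hosts = where the proxy connects from, users/groups = who may be impersonated) and all sample values are assumptions made for illustration.

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Properties;
import java.util.Set;

/** Illustration only (hypothetical class, not Atlas code). */
public class TrustedProxyCheck {
    enum Decision { NOT_PROXIED, ALLOW_DOAS, DENY }

    static final String ENABLED_KEY = "atlas.authentication.method.trustedproxy";
    static final String PROXY_PREFIX = "atlas.proxyuser.";

    private final Properties conf;
    private final Map<String, Set<String>> groupsOfUser; // stand-in for a real group lookup

    TrustedProxyCheck(Properties conf, Map<String, Set<String>> groupsOfUser) {
        this.conf = conf;
        this.groupsOfUser = groupsOfUser;
    }

    /** Comma-separated allow-list; a missing or blank property yields an empty set, never null. */
    private Set<String> allowList(String proxyUser, String kind) {
        Set<String> out = new HashSet<>();
        String raw = conf.getProperty(PROXY_PREFIX + proxyUser + "." + kind);
        if (raw != null) {
            for (String item : raw.split(",")) {
                if (!item.trim().isEmpty()) {
                    out.add(item.trim());
                }
            }
        }
        return out;
    }

    private static boolean allows(Set<String> list, String value) {
        return list.contains("*") || list.contains(value);
    }

    /**
     * @param caller     identity authenticated for this connection (e.g. "knox")
     * @param remoteAddr TCP peer address (ServletRequest.getRemoteAddr()), never a client-supplied header
     * @param doAs       value of the doAs request parameter, or null
     */
    Decision decide(String caller, String remoteAddr, String doAs) {
        if (doAs == null || doAs.isEmpty()) {
            return Decision.NOT_PROXIED; // ordinary request: continue as the caller
        }
        // From here on every failure is terminal. Falling through would run the
        // request as the proxy's own identity or hand it to a later filter.
        if (!Boolean.parseBoolean(conf.getProperty(ENABLED_KEY, "false"))) {
            return Decision.DENY;
        }
        Set<String> hosts = allowList(caller, "hosts");
        Set<String> users = allowList(caller, "users");
        Set<String> groups = allowList(caller, "groups");
        // Only callers with explicit entries are proxy users; there is no default list.
        if (hosts.isEmpty() || (users.isEmpty() && groups.isEmpty())) {
            return Decision.DENY;
        }
        if (!allows(hosts, remoteAddr)) {
            return Decision.DENY;
        }
        if (allows(users, doAs) || groups.contains("*")) {
            return Decision.ALLOW_DOAS;
        }
        for (String g : groupsOfUser.getOrDefault(doAs, Collections.emptySet())) {
            if (groups.contains(g)) {
                return Decision.ALLOW_DOAS;
            }
        }
        return Decision.DENY;
    }

    public static void main(String[] args) {
        // Constructed sample configuration and group data.
        Properties conf = new Properties();
        conf.setProperty(ENABLED_KEY, "true");
        conf.setProperty("atlas.proxyuser.knox.hosts", "10.0.0.5");
        conf.setProperty("atlas.proxyuser.knox.users", "alice");
        conf.setProperty("atlas.proxyuser.knox.groups", "analysts");
        Map<String, Set<String>> groupsOfUser = new HashMap<>();
        groupsOfUser.put("bob", Collections.singleton("analysts"));

        TrustedProxyCheck check = new TrustedProxyCheck(conf, groupsOfUser);
        String[][] requests = {
            {"knox", "10.0.0.5", "alice"},    // doAs target on the user allow-list
            {"knox", "10.0.0.5", "bob"},      // doAs target in an allowed group
            {"knox", "10.0.0.99", "alice"},   // proxy connecting from an unlisted host
            {"knox", "10.0.0.5", "mallory"},  // doAs target in neither list
            {"alice", "10.0.0.5", "admin"},   // caller has no atlas.proxyuser.alice.* entries
            {"alice", "10.0.0.5", null},      // no doAs: not a proxied request
        };
        for (String[] r : requests) {
            System.out.printf("caller=%s from=%s doAs=%s -> %s%n",
                    r[0], r[1], r[2], check.decide(r[0], r[1], r[2]));
        }
    }
}
```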



Re: Review Request 68363: ATLAS-2824 :- Atlas to support Trusted Knox Proxy

2018-11-10 Thread Madhan Neethiraj

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/68363/#review210452
---


Ship it!




Ship It!

- Madhan Neethiraj





Re: Review Request 68363: ATLAS-2824 :- Atlas to support Trusted Knox Proxy

2018-11-09 Thread Nixon Rodrigues

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/68363/
---

(Updated Nov. 9, 2018, 12:59 p.m.)


Review request for atlas, Apoorv Naik, Ashutosh Mestry, Larry McCay, Madhan 
Neethiraj, and Sarath Subramanian.


Changes
---

Updated patch to reuse hadoop's ProxyUser class and code refactoring.


Bugs: ATLAS-2824
https://issues.apache.org/jira/browse/ATLAS-2824


Repository: atlas


Description
---

This patch includes code to support requests from the Knox proxy, where the proxy is 
already known to and trusted by Atlas via configuration. Atlas intercepts the 
incoming requests and, if a request is from the Knox proxy, allows Knox's doAs user 
to create a session in Atlas.

Configs required:-

atlas.authentication.allow.trustedproxy :- property to allow trusted proxy support
atlas.proxyuser.knox.hosts :- property to add trusted hosts
atlas.proxyuser.knox.users :- property to add trusted users
atlas.proxyuser.knox.groups :- property to add trusted groups


Diffs (updated)
---

  webapp/src/main/java/org/apache/atlas/web/filters/AtlasAuthenticationFilter.java e5c40d061


Diff: https://reviews.apache.org/r/68363/diff/6/

Changes: https://reviews.apache.org/r/68363/diff/5-6/


Testing
---

Tested:

* Atlas UI from Trusted Knox Proxy with Knox SSO login page.
* Atlas UI from Knox Proxy with Atlas Login.
* Atlas UI from Knox Proxy with SSO Filter enabled at Atlas.
* Atlas UI with Atlas Login.
* Atlas API from curl with BASIC & Kerberos headers.


https://builds.apache.org/job/PreCommit-ATLAS-Build-Test/573/console

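Topology Used:-

<topology>
  <gateway>
    <provider>
      <role>federation</role>
      <name>SSOCookieProvider</name>
      <enabled>true</enabled>
      <param>
        <name>sso.authentication.provider.url</name>
        <value>{KNOXHOST}/gateway/knoxsso/knoxauth/login.html</value>
      </param>
    </provider>
    <provider>
      <role>identity-assertion</role>
      <name>Default</name>
      <enabled>true</enabled>
    </provider>
  </gateway>
  <service>
    <role>ATLAS</role>
    <url>{ATLAS_HOST}:21000/</url>
  </service>
  <service>
    <role>ATLAS-API</role>
    <url>{ATLAS_HOST}:21000</url>
  </service>
</topology>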



Thanks,

Nixon Rodrigues



Re: Review Request 68363: ATLAS-2824 :- Atlas to support Trusted Knox Proxy

2018-11-05 Thread Madhan Neethiraj

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/68363/#review210327
---




webapp/src/main/java/org/apache/atlas/web/filters/AtlasAuthenticationFilter.java
Lines 689 (patched)


shouldn't this be: "configuration == null"


- Madhan Neethiraj





Re: Review Request 68363: ATLAS-2824 :- Atlas to support Trusted Knox Proxy

2018-11-05 Thread Nixon Rodrigues

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/68363/
---

(Updated Nov. 5, 2018, 2:25 p.m.)


Review request for atlas, Apoorv Naik, Ashutosh Mestry, Larry McCay, Madhan 
Neethiraj, and Sarath Subramanian.


Changes
---

Updated patch with some refactoring and code to create session for doAs user


Bugs: ATLAS-2824
https://issues.apache.org/jira/browse/ATLAS-2824


Repository: atlas


Description
---

This patch includes code to support requests from the Knox proxy, where the proxy is 
already known to and trusted by Atlas via configuration. Atlas intercepts the 
incoming requests and, if a request is from the Knox proxy, allows Knox's doAs user 
to create a session in Atlas.

Configs required:-

atlas.authentication.allow.trustedproxy :- property to allow trusted proxy support
atlas.proxyuser.knox.hosts :- property to add trusted hosts
atlas.proxyuser.knox.users :- property to add trusted users
atlas.proxyuser.knox.groups :- property to add trusted groups


Diffs (updated)
---

  webapp/src/main/java/org/apache/atlas/web/filters/AtlasAuthenticationFilter.java e5c40d061
  webapp/src/main/java/org/apache/atlas/web/filters/AtlasImpersonator.java PRE-CREATION


Diff: https://reviews.apache.org/r/68363/diff/5/

Changes: https://reviews.apache.org/r/68363/diff/4-5/


Testing
---

Tested:

* Atlas UI from Trusted Knox Proxy with Knox SSO login page.
* Atlas UI from Knox Proxy with Atlas Login.
* Atlas UI from Knox Proxy with SSO Filter enabled at Atlas.
* Atlas UI with Atlas Login.
* Atlas API from curl with BASIC & Kerberos headers.


https://builds.apache.org/job/PreCommit-ATLAS-Build-Test/573/console

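Topology Used:-

<topology>
  <gateway>
    <provider>
      <role>federation</role>
      <name>SSOCookieProvider</name>
      <enabled>true</enabled>
      <param>
        <name>sso.authentication.provider.url</name>
        <value>{KNOXHOST}/gateway/knoxsso/knoxauth/login.html</value>
      </param>
    </provider>
    <provider>
      <role>identity-assertion</role>
      <name>Default</name>
      <enabled>true</enabled>
    </provider>
  </gateway>
  <service>
    <role>ATLAS</role>
    <url>{ATLAS_HOST}:21000/</url>
  </service>
  <service>
    <role>ATLAS-API</role>
    <url>{ATLAS_HOST}:21000</url>
  </service>
</topology>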



Thanks,

Nixon Rodrigues



Re: Review Request 68363: ATLAS-2824 :- Atlas to support Trusted Knox Proxy

2018-11-02 Thread Madhan Neethiraj

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/68363/#review210275
---




webapp/src/main/java/org/apache/atlas/web/filters/AtlasAuthenticationFilter.java
Line 89 (original), 93 (patched)


Is DEFAULT_PROXY_USERS needed any more? Only users explicitly specified via 
'atlas.proxyusers.' configurations should be considered as proxy-users.



webapp/src/main/java/org/apache/atlas/web/filters/AtlasAuthenticationFilter.java
Lines 193 (patched)


Move this const definition up, to line #93.

Also, this is duplicated in AtlasProxyUsers class; avoid this duplication.



webapp/src/main/java/org/apache/atlas/web/filters/AtlasAuthenticationFilter.java
Lines 494 (patched)


does this set the current logged in user as 'doAsUser'?



webapp/src/main/java/org/apache/atlas/web/filters/AtlasProxyUsers.java
Lines 46 (patched)


Replace "atlas.proxyuser" with constant defined in line #19.


- Madhan Neethiraj





Re: Review Request 68363: ATLAS-2824 :- Atlas to support Trusted Knox Proxy

2018-11-02 Thread Nixon Rodrigues

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/68363/
---

(Updated Nov. 2, 2018, 2:33 p.m.)


Review request for atlas, Apoorv Naik, Ashutosh Mestry, Larry McCay, Madhan 
Neethiraj, and Sarath Subramanian.


Changes
---

This patch implements hadoop proxyuser implementation for proxy with doAs


Bugs: ATLAS-2824
https://issues.apache.org/jira/browse/ATLAS-2824


Repository: atlas


Description
---

This patch includes code to support requests from the Knox proxy, where the proxy is 
already known to and trusted by Atlas via configuration. Atlas intercepts the 
incoming requests and, if a request is from the Knox proxy, allows Knox's doAs user 
to create a session in Atlas.

Configs required:-

atlas.authentication.allow.trustedproxy :- property to allow trusted proxy support
atlas.proxyuser.knox.hosts :- property to add trusted hosts
atlas.proxyuser.knox.users :- property to add trusted users
atlas.proxyuser.knox.groups :- property to add trusted groups


Diffs (updated)
---

  webapp/src/main/java/org/apache/atlas/web/filters/AtlasAuthenticationFilter.java 9a13cea65
  webapp/src/main/java/org/apache/atlas/web/filters/AtlasProxyUsers.java PRE-CREATION


Diff: https://reviews.apache.org/r/68363/diff/4/

Changes: https://reviews.apache.org/r/68363/diff/3-4/


Testing
---

Tested:

* Atlas UI from Trusted Knox Proxy with Knox SSO login page.
* Atlas UI from Knox Proxy with Atlas Login.
* Atlas UI from Knox Proxy with SSO Filter enabled at Atlas.
* Atlas UI with Atlas Login.
* Atlas API from curl with BASIC & Kerberos headers.


https://builds.apache.org/job/PreCommit-ATLAS-Build-Test/573/console

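Topology Used:-

<topology>
  <gateway>
    <provider>
      <role>federation</role>
      <name>SSOCookieProvider</name>
      <enabled>true</enabled>
      <param>
        <name>sso.authentication.provider.url</name>
        <value>{KNOXHOST}/gateway/knoxsso/knoxauth/login.html</value>
      </param>
    </provider>
    <provider>
      <role>identity-assertion</role>
      <name>Default</name>
      <enabled>true</enabled>
    </provider>
  </gateway>
  <service>
    <role>ATLAS</role>
    <url>{ATLAS_HOST}:21000/</url>
  </service>
  <service>
    <role>ATLAS-API</role>
    <url>{ATLAS_HOST}:21000</url>
  </service>
</topology>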



Thanks,

Nixon Rodrigues



Re: Review Request 68363: ATLAS-2824 :- Atlas to support Trusted Knox Proxy

2018-10-29 Thread Ashutosh Mestry

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/68363/#review210140
---




webapp/src/main/java/org/apache/atlas/web/filters/AtlasTrustedProxyFilter.java
Lines 84 (patched)


Consider inverted if.



webapp/src/main/java/org/apache/atlas/web/filters/AtlasTrustedProxyFilter.java
Lines 119 (patched)


Consider separate method.



webapp/src/main/java/org/apache/atlas/web/filters/AtlasTrustedProxyFilter.java
Lines 125 (patched)


Consider inverted if.



webapp/src/main/java/org/apache/atlas/web/security/AtlasProxyAuthenticator.java
Lines 52 (patched)


Properties.getProperty can potentially return NULL. In which case, this 
will cause NPE.



webapp/src/main/java/org/apache/atlas/web/security/AtlasProxyAuthenticator.java
Lines 69 (patched)


Consider inverted if.



webapp/src/main/java/org/apache/atlas/web/security/AtlasProxyAuthenticator.java
Lines 109 (patched)


Since if is returning, else is not needed.


- Ashutosh Mestry





Re: Review Request 68363: ATLAS-2824 :- Atlas to support Trusted Knox Proxy

2018-10-29 Thread Nixon Rodrigues

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/68363/
---

(Updated Oct. 29, 2018, 1:07 p.m.)


Review request for atlas, Apoorv Naik, Ashutosh Mestry, Larry McCay, Madhan 
Neethiraj, and Sarath Subramanian.


Changes
---

This patch is revised by implementing with TrustedProxyAuthenticator which 
handles the authentication, and also handles review comments.

Property changed to "atlas.authentication.method.trustedproxy" to enable 
trusted support


Bugs: ATLAS-2824
https://issues.apache.org/jira/browse/ATLAS-2824


Repository: atlas


Description
---

This patch includes code to support requests from the Knox proxy, where the proxy is 
already known to and trusted by Atlas via configuration. Atlas intercepts the 
incoming requests and, if a request is from the Knox proxy, allows Knox's doAs user 
to create a session in Atlas.

Configs required:-

atlas.authentication.allow.trustedproxy :- property to allow trusted proxy support
atlas.proxyuser.knox.hosts :- property to add trusted hosts
atlas.proxyuser.knox.users :- property to add trusted users
atlas.proxyuser.knox.groups :- property to add trusted groups


Diffs (updated)
---

  webapp/src/main/java/org/apache/atlas/web/filters/AtlasTrustedProxyFilter.java PRE-CREATION
  webapp/src/main/java/org/apache/atlas/web/filters/TrustedProxyAuthenticator.java PRE-CREATION
  webapp/src/main/java/org/apache/atlas/web/security/AtlasProxyAuthenticator.java PRE-CREATION
  webapp/src/main/java/org/apache/atlas/web/security/AtlasSecurityConfig.java 24be5de20


Diff: https://reviews.apache.org/r/68363/diff/3/

Changes: https://reviews.apache.org/r/68363/diff/2-3/


Testing
---

Tested:

* Atlas UI from Trusted Knox Proxy with Knox SSO login page.
* Atlas UI from Knox Proxy with Atlas Login.
* Atlas UI from Knox Proxy with SSO Filter enabled at Atlas.
* Atlas UI with Atlas Login.
* Atlas API from curl with BASIC & Kerberos headers.


https://builds.apache.org/job/PreCommit-ATLAS-Build-Test/573/console

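Topology Used:-

<topology>
  <gateway>
    <provider>
      <role>federation</role>
      <name>SSOCookieProvider</name>
      <enabled>true</enabled>
      <param>
        <name>sso.authentication.provider.url</name>
        <value>{KNOXHOST}/gateway/knoxsso/knoxauth/login.html</value>
      </param>
    </provider>
    <provider>
      <role>identity-assertion</role>
      <name>Default</name>
      <enabled>true</enabled>
    </provider>
  </gateway>
  <service>
    <role>ATLAS</role>
    <url>{ATLAS_HOST}:21000/</url>
  </service>
  <service>
    <role>ATLAS-API</role>
    <url>{ATLAS_HOST}:21000</url>
  </service>
</topology>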



Thanks,

Nixon Rodrigues



Re: Review Request 68363: ATLAS-2824 :- Atlas to support Trusted Knox Proxy

2018-09-07 Thread Nixon Rodrigues

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/68363/
---

(Updated Sept. 7, 2018, 2:11 p.m.)


Review request for atlas, Apoorv Naik, Ashutosh Mestry, Larry McCay, Madhan 
Neethiraj, and Sarath Subramanian.


Changes
---

This patch includes fix for review comments and a check to validate that 
incoming request is from trustedProxy server. Atlas validates the below 
property value with request IP.

Property :atlas.proxyserver.knox.ip


Bugs: ATLAS-2824
https://issues.apache.org/jira/browse/ATLAS-2824


Repository: atlas


Description
---

This patch includes code to support requests from the Knox proxy, where the proxy is 
already known to and trusted by Atlas via configuration. Atlas intercepts the 
incoming requests and, if a request is from the Knox proxy, allows Knox's doAs user 
to create a session in Atlas.

Configs required:-

atlas.authentication.allow.trustedproxy :- property to allow trusted proxy support
atlas.proxyuser.knox.hosts :- property to add trusted hosts
atlas.proxyuser.knox.users :- property to add trusted users
atlas.proxyuser.knox.groups :- property to add trusted groups


Diffs (updated)
---

  webapp/src/main/java/org/apache/atlas/web/filters/AtlasAuthenticationFilter.java e5c40d061
  webapp/src/main/java/org/apache/atlas/web/security/AtlasSecurityConfig.java 64c95203c


Diff: https://reviews.apache.org/r/68363/diff/2/

Changes: https://reviews.apache.org/r/68363/diff/1-2/


Testing
---

Tested:

* Atlas UI from Trusted Knox Proxy with Knox SSO login page.
* Atlas UI from Knox Proxy with Atlas Login.
* Atlas UI from Knox Proxy with SSO Filter enabled at Atlas.
* Atlas UI with Atlas Login.
* Atlas API from curl with BASIC & Kerberos headers.


https://builds.apache.org/job/PreCommit-ATLAS-Build-Test/573/console

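Topology Used:-

<topology>
  <gateway>
    <provider>
      <role>federation</role>
      <name>SSOCookieProvider</name>
      <enabled>true</enabled>
      <param>
        <name>sso.authentication.provider.url</name>
        <value>{KNOXHOST}/gateway/knoxsso/knoxauth/login.html</value>
      </param>
    </provider>
    <provider>
      <role>identity-assertion</role>
      <name>Default</name>
      <enabled>true</enabled>
    </provider>
  </gateway>
  <service>
    <role>ATLAS</role>
    <url>{ATLAS_HOST}:21000/</url>
  </service>
  <service>
    <role>ATLAS-API</role>
    <url>{ATLAS_HOST}:21000</url>
  </service>
</topology>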



Thanks,

Nixon Rodrigues



Re: Review Request 68363: ATLAS-2824 :- Atlas to support Trusted Knox Proxy

2018-08-15 Thread Sarath Subramanian

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/68363/#review207348
---




webapp/src/main/java/org/apache/atlas/web/filters/AtlasAuthenticationFilter.java
Lines 690 (patched)


consider refactoring something like:

boolean isIpTrusted(String requestHosts) {
  if (trustedProxyHosts == null) {
    return false;
  }

  // a lone "*" entry trusts every host
  return (trustedProxyHosts.size() == 1 && trustedProxyHosts.contains("*"))
      || trustedProxyHosts.contains(requestHosts);
}



webapp/src/main/java/org/apache/atlas/web/filters/AtlasAuthenticationFilter.java
Lines 701 (patched)


isTrustedProxyUsers => isTrustedProxyUser



webapp/src/main/java/org/apache/atlas/web/filters/AtlasAuthenticationFilter.java
Lines 706 (patched)


consider refactoring like:

boolean isTrustedProxyUserGroup(List<GrantedAuthority> proxyUserGroup) {
  if (trustedProxyGroups == null) {
    return false;
  }

  // a lone "*" entry trusts every group
  if (trustedProxyGroups.size() == 1 && trustedProxyGroups.contains("*")) {
    return true;
  }

  for (GrantedAuthority group : proxyUserGroup) {
    if (trustedProxyGroups.contains(group.getAuthority())) {
      return true;
    }
  }

  return false;
}


- Sarath Subramanian


On Aug. 15, 2018, 10:26 a.m., Nixon Rodrigues wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/68363/
> ---
> 
> (Updated Aug. 15, 2018, 10:26 a.m.)
> 
> 
> Review request for atlas, Apoorv Naik, Ashutosh Mestry, Larry McCay, Madhan 
> Neethiraj, and Sarath Subramanian.
> 
> 
> Bugs: ATLAS-2824
> https://issues.apache.org/jira/browse/ATLAS-2824
> 
> 
> Repository: atlas
> 
> 
> Description
> ---
> 
> This patch includes code to support requests from the Knox proxy, where the proxy 
> is already known to and trusted by Atlas via configuration. Atlas intercepts the 
> incoming requests and, if a request is from the Knox proxy, allows Knox's doAs 
> user to create a session in Atlas.
> 
> Configs required:-
> 
> atlas.authentication.allow.trustedproxy :- property to allow trusted proxy support
> atlas.proxyuser.knox.hosts :- property to add trusted hosts
> atlas.proxyuser.knox.users :- property to add trusted users
> atlas.proxyuser.knox.groups :- property to add trusted groups
> 
> 
> Diffs
> ---
> 
>   webapp/src/main/java/org/apache/atlas/web/filters/AtlasAuthenticationFilter.java e5c40d061
>   webapp/src/main/java/org/apache/atlas/web/security/AtlasSecurityConfig.java 64c95203c
> 
> 
> Diff: https://reviews.apache.org/r/68363/diff/1/
> 
> 
> Testing
> ---
> 
> Tested:
> 
> * Atlas UI from Trusted Knox Proxy with Knox SSO login page.
> * Atlas UI from Knox Proxy with Atlas Login.
> * Atlas UI from Knox Proxy with SSO Filter enabled at Atlas.
> * Atlas UI with Atlas Login.
> * Atlas API from curl with BASIC & Kerberos headers.
> 
> 
> https://builds.apache.org/job/PreCommit-ATLAS-Build-Test/573/console
> 
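> Topology Used:-
> 
> <topology>
>   <gateway>
>     <provider>
>       <role>federation</role>
>       <name>SSOCookieProvider</name>
>       <enabled>true</enabled>
>       <param>
>         <name>sso.authentication.provider.url</name>
>         <value>{KNOXHOST}/gateway/knoxsso/knoxauth/login.html</value>
>       </param>
>     </provider>
>     <provider>
>       <role>identity-assertion</role>
>       <name>Default</name>
>       <enabled>true</enabled>
>     </provider>
>   </gateway>
>   <service>
>     <role>ATLAS</role>
>     <url>{ATLAS_HOST}:21000/</url>
>   </service>
>   <service>
>     <role>ATLAS-API</role>
>     <url>{ATLAS_HOST}:21000</url>
>   </service>
> </topology>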
> 
> 
> 
> Thanks,
> 
> Nixon Rodrigues
> 
>



Re: Review Request 68363: ATLAS-2824 :- Atlas to support Trusted Knox Proxy

2018-08-15 Thread Ashutosh Mestry

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/68363/#review207332
---




webapp/src/main/java/org/apache/atlas/web/filters/AtlasAuthenticationFilter.java
Lines 282 (patched)


Please move constant strings to private final static fields.

Move initialization to separate method. Call it perhaps 
'fetchTrustedProxyState'



webapp/src/main/java/org/apache/atlas/web/filters/AtlasAuthenticationFilter.java
Lines 378 (patched)


Please move constant strings to private final static fields.



webapp/src/main/java/org/apache/atlas/web/filters/AtlasAuthenticationFilter.java
Lines 693 (patched)


Consider combining into single if statement.



webapp/src/main/java/org/apache/atlas/web/filters/AtlasAuthenticationFilter.java
Lines 709 (patched)


Duplicate code, see line 692.
Could be in a new function that can be called at 2 places.


- Ashutosh Mestry

