Merge branch 'master' into tag-policy
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/client/HadoopConfigHolder.java b/agents-common/src/main/java/org/apache/ranger/plugin/client/HadoopConfigHolder.java
index f95e10e..9d14ae6 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/client/HadoopConfigHolder.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/client/HadoopConfigHolder.java
@@ -22,6 +22,7 @@
 import java.io.IOException;
 import java.io.InputStream;
 import java.util.*;
+import java.util.Map.Entry;
 
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
@@ -96,6 +97,7 @@
 				dataSource2HadoopConfigHolder.put(aDatasourceName, ret) ;
 			}
 		}
+
 		return ret ;
 	}
 	
@@ -265,14 +267,15 @@
 			userName = prop.getProperty(RANGER_LOGIN_USER_NAME_PROP) ;
 			keyTabFile = prop.getProperty(RANGER_LOGIN_KEYTAB_FILE_PROP) ;
 			password = prop.getProperty(RANGER_LOGIN_PASSWORD) ;
-		
-			if ( getHadoopSecurityAuthentication() != null) {
-				isKerberosAuth = ( getHadoopSecurityAuthentication().equalsIgnoreCase(HADOOP_SECURITY_AUTHENTICATION_METHOD));
+
+			String hadoopSecurityAuthenticationn =  getHadoopSecurityAuthentication();
+
+			if ( hadoopSecurityAuthenticationn != null) {
+				isKerberosAuth = ( hadoopSecurityAuthenticationn.equalsIgnoreCase(HADOOP_SECURITY_AUTHENTICATION_METHOD));
 			}
 			else {
 				isKerberosAuth = (userName != null) && (userName.indexOf("@") > -1) ;
 			}
-					
 		}
 	}
 
@@ -342,21 +345,26 @@
  	}
 	
 	public String getHadoopSecurityAuthentication() {
-		Properties repoParam = null ;
 		String ret = null;
-		
-		HashMap<String,Properties> resourceName2PropertiesMap  = dataSource2ResourceListMap.get(this.getDatasourceName()) ;
-		
-		if ( resourceName2PropertiesMap != null) {
-			repoParam=resourceName2PropertiesMap.get(DEFAULT_RESOURCE_NAME);
+		String sectionName = RANGER_SECTION_NAME;
+
+		if ( defaultConfigFile != null) {
+			sectionName = defaultConfigFile;
 		}
-		
-		if ( repoParam != null ) {
-			ret = (String)repoParam.get(HADOOP_SECURITY_AUTHENTICATION);
+
+		if ( LOG.isDebugEnabled() ) {
+			LOG.debug("==> HadoopConfigHolder.getHadoopSecurityAuthentication( " + " DataSource : " + sectionName + " Property : " +  HADOOP_SECURITY_AUTHENTICATION + ")" );
 		}
+
+		ret = getProperties(sectionName,HADOOP_SECURITY_AUTHENTICATION);
+		
+		if ( LOG.isDebugEnabled() ) {
+			LOG.debug("<== HadoopConfigHolder.getHadoopSecurityAuthentication(" + " DataSource : " + sectionName + " Property : " +  HADOOP_SECURITY_AUTHENTICATION  + " Value : " + ret + ")" );
+		}
+
 		return ret;
- 	}
-	
+	}
+
 	public String getUserName() {
 		return userName;
 	}
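Review bot: The rewritten getHadoopSecurityAuthentication() has no comment explaining why the lookup moved from DEFAULT_RESOURCE_NAME to `defaultConfigFile` (falling back to RANGER_SECTION_NAME), and both debug messages label the section name as "DataSource", although getProperties() keys the outer map on getDatasourceName(), a different value. The returned value decides isKerberosAuth in the loading code shown in the earlier hunk of this file, so I would add a Javadoc along the lines of `/** Returns the HADOOP_SECURITY_AUTHENTICATION value from this service's config section, or null when it is not set; the caller then falls back to the '@'-in-username check. */` and change the log label to `Section`. How `defaultConfigFile` gets populated is not visible in this diff.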
@@ -377,6 +385,32 @@
     return rangerInternalPropertyKeys;
 
   }
+
+	private String getProperties(String sectionName, String property) {
+
+		if ( LOG.isDebugEnabled() ) {
+			LOG.debug("==> HadoopConfigHolder.getProperties( " + " DataSource : " + sectionName + " Property : " +  property + ")" );
+		}
+
+		Properties repoParam = null ;
+		String ret = null;
+
+		HashMap<String,Properties> resourceName2PropertiesMap  = dataSource2ResourceListMap.get(this.getDatasourceName()) ;
+
+		if ( resourceName2PropertiesMap != null) {
+			repoParam=resourceName2PropertiesMap.get(sectionName);
+		}
+
+		if ( repoParam != null ) {
+			ret = (String)repoParam.get(property);
+		}
+
+		if ( LOG.isDebugEnabled() ) {
+			LOG.debug("<== HadoopConfigHolder.getProperties( " + " DataSource : " + sectionName + " Property : " +  property + " Value : " + ret);
+		}
+
+		return ret;
+	}
 	
 
 }
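Review bot: The exit trace in getProperties() prints the resolved value of whatever property is passed in, so the first caller that uses this helper for a credential such as RANGER_LOGIN_PASSWORD would write it to the debug log. The only caller in this diff asks for the authentication method, which is harmless, but the helper is generic; I would log presence rather than content, `LOG.debug("<== HadoopConfigHolder.getProperties(" + sectionName + ", " + property + "): found=" + (ret != null) + ")");`, which also restores the closing parenthesis the current exit message lacks. The method returns a single value, so `getProperty` would be the clearer name.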
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
index 77fdb90..93fbcd4 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
@@ -71,7 +71,9 @@
 		}
 
 		StringBuffer perfTagBuffer = new StringBuffer();
-		perfTagBuffer.append("policyId=").append(policy.getId()).append(", policyName=").append(policy.getName());
+		if (policy != null) {
+			perfTagBuffer.append("policyId=").append(policy.getId()).append(", policyName=").append(policy.getName());
+		}
 
 		perfTag = perfTagBuffer.toString();
 
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/store/AbstractTagStore.java b/agents-common/src/main/java/org/apache/ranger/plugin/store/AbstractTagStore.java
index f22a87a..43d2254 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/store/AbstractTagStore.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/store/AbstractTagStore.java
@@ -113,32 +113,35 @@
 
 		List<RangerServiceResource> serviceResources = getServiceResourcesByService(serviceName);
 
-		Set<Long> tagsToDelete = new HashSet<Long>();
+		if (serviceResources != null) {
+
+			Set<Long> tagsToDelete = new HashSet<Long>();
 
 
-		for (RangerServiceResource serviceResource : serviceResources) {
-			Long resourceId = serviceResource.getId();
+			for (RangerServiceResource serviceResource : serviceResources) {
+				Long resourceId = serviceResource.getId();
 
-			List<RangerTagResourceMap> tagResourceMapsForService = getTagResourceMapsForResourceId(resourceId);
+				List<RangerTagResourceMap> tagResourceMapsForService = getTagResourceMapsForResourceId(resourceId);
 
-			if (isResourePrivateTag) {
+				if (isResourePrivateTag) {
+					for (RangerTagResourceMap tagResourceMap : tagResourceMapsForService) {
+						Long tagId = tagResourceMap.getTagId();
+						RangerTag tag = getTag(tagId);
+						tagsToDelete.add(tag.getId());
+					}
+				}
 				for (RangerTagResourceMap tagResourceMap : tagResourceMapsForService) {
-					Long tagId = tagResourceMap.getTagId();
-					RangerTag tag = getTag(tagId);
-					tagsToDelete.add(tag.getId());
+					deleteTagResourceMap(tagResourceMap.getId());
 				}
 			}
-			for (RangerTagResourceMap tagResourceMap : tagResourceMapsForService) {
-				deleteTagResourceMap(tagResourceMap.getId());
+
+			for (RangerServiceResource serviceResource : serviceResources) {
+				deleteServiceResource(serviceResource.getId());
 			}
-		}
 
-		for (RangerServiceResource serviceResource : serviceResources) {
-			deleteServiceResource(serviceResource.getId());
-		}
-
-		for (Long tagId : tagsToDelete) {
-			deleteTag(tagId);
+			for (Long tagId : tagsToDelete) {
+				deleteTag(tagId);
+			}
 		}
 
 		if (LOG.isDebugEnabled()) {
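Review bot: The new `serviceResources != null` guard covers only one of the lookups in this block; the results of `getTagResourceMapsForResourceId(resourceId)` and `getTag(tagId)` are still dereferenced unchecked. Whether either can return null is not visible here, but if one does, the cleanup aborts part-way, leaving some tag-resource mappings deleted while the service resources and tags remain. I would add `if (tagResourceMapsForService == null) { continue; }` right after the lookup and `if (tag != null) { tagsToDelete.add(tag.getId()); }` in the private-tag loop. The enclosing method starts and ends outside the hunk.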
diff --git a/agents-common/src/main/resources/service-defs/ranger-servicedef-yarn.json b/agents-common/src/main/resources/service-defs/ranger-servicedef-yarn.json
index ff1f39f..ff93dfe 100644
--- a/agents-common/src/main/resources/service-defs/ranger-servicedef-yarn.json
+++ b/agents-common/src/main/resources/service-defs/ranger-servicedef-yarn.json
@@ -82,6 +82,19 @@
 
 		{
 			"itemId": 4,
+			"name": "hadoop.security.authentication",
+			"type": "enum",
+			"subType": "authnType",
+			"mandatory": true,
+			"validationRegEx":"",
+			"validationMessage": "",
+			"uiHint":"",
+			"label": "Authentication Type",
+			"defaultValue": "simple"
+		},
+		
+		{
+			"itemId": 5,
 			"name": "commonNameForCertificate",
 			"type": "string",
 			"mandatory": false,
@@ -90,11 +103,31 @@
 			"uiHint":"",
 			"label": "Common Name for Certificate"
 		}
+	
 	],
 
 	"enums": 
 	[
-		
+		{
+			"itemId": 1,
+			"name": "authnType",
+			"elements":
+			[
+				{
+					"itemId": 1,
+					"name": "simple",
+					"label": "Simple"
+				},
+
+				{
+					"itemId": 2,
+					"name": "kerberos",
+					"label": "Kerberos"
+				}
+			],
+
+			"defaultIndex": 0
+		}
 	],
 
 	"contextEnrichers": 
diff --git a/agents-common/src/test/resources/policyengine/test_policyengine_tag_hive.json b/agents-common/src/test/resources/policyengine/test_policyengine_tag_hive.json
index cb07b17..0893f44 100644
--- a/agents-common/src/test/resources/policyengine/test_policyengine_tag_hive.json
+++ b/agents-common/src/test/resources/policyengine/test_policyengine_tag_hive.json
@@ -126,12 +126,6 @@
         }
       ],
       "contextEnrichers": [
-        {
-          "itemId": 1,
-          "name" : "TagEnricher",
-          "enricher" : "org.apache.ranger.plugin.contextenricher.RangerTagEnricher",
-          "enricherOptions" : {"tagRetrieverClassName":"org.apache.ranger.plugin.contextenricher.RangerAdminTagRetriever", "tagRefresherPollingInterval":60000, "dataFile":"/etc/ranger/data/resourceTags.txt"}
-        }
       ],
       "policyConditions": [
         {
diff --git a/plugin-yarn/src/main/java/org/apache/ranger/services/yarn/client/YarnClient.java b/plugin-yarn/src/main/java/org/apache/ranger/services/yarn/client/YarnClient.java
index fc07760..0f3ed89 100644
--- a/plugin-yarn/src/main/java/org/apache/ranger/services/yarn/client/YarnClient.java
+++ b/plugin-yarn/src/main/java/org/apache/ranger/services/yarn/client/YarnClient.java
@@ -19,6 +19,9 @@
 
 package org.apache.ranger.services.yarn.client;
 
+import java.net.Authenticator;
+import java.net.PasswordAuthentication;
+import java.security.PrivilegedAction;
 import java.util.ArrayList;
 import java.util.HashMap;
 import java.util.List;
@@ -26,6 +29,7 @@
 import java.util.concurrent.Callable;
 import java.util.concurrent.TimeUnit;
 
+import javax.security.auth.Subject;
 
 import org.apache.commons.io.FilenameUtils;
 import org.apache.log4j.Logger;
@@ -40,7 +44,7 @@
 import com.sun.jersey.api.client.ClientResponse;
 import com.sun.jersey.api.client.WebResource;
 
-public class YarnClient {
+public class YarnClient extends BaseClient {
 
 	public static final Logger LOG = Logger.getLogger(YarnClient.class) ;
 
@@ -57,16 +61,27 @@
 	String userName;
 	String password;
 
-	public  YarnClient(String yarnQueueUrl, String yarnUserName, String yarnPassWord) {
+	public  YarnClient(String serviceName, Map<String, String> configs) {
+
+		super(serviceName,configs,"yarn-client") ;
+
+		this.yarnQUrl = configs.get("yarn.url");
+		this.userName = configs.get("username");
+		this.password = configs.get("password");
 		
-		this.yarnQUrl = yarnQueueUrl;
-		this.userName = yarnUserName ;
-		this.password = yarnPassWord;
-		
+		if (this.yarnQUrl == null || this.yarnQUrl.isEmpty()) {
+			LOG.error("No value found for configuration 'yarn.url'. YARN resource lookup will fail");
+        } 
+		if (this.userName == null || this.userName.isEmpty()) {
+            LOG.error("No value found for configuration 'usename'. YARN resource lookup will fail");
+        } 
+		if (this.password == null || this.password.isEmpty()) {
+            LOG.error("No value found for configuration 'password'. YARN resource lookup will fail");
+        }
+
 		if (LOG.isDebugEnabled()) {
-			LOG.debug("Yarn Client is build with url [" + yarnQueueUrl + "] user: [" + yarnPassWord + "], password: [" + "" + "]");
+			LOG.debug("Yarn Client is build with url [" + this.yarnQUrl + "] user: [" + this.userName + "], password: [" + "*********" + "]");
 		}
-		
 	}
 	
 	public List<String> getQueueList(final String queueNameMatching, final List<String> existingQueueList) {
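Review bot: The three configuration checks in the new constructor only log, so a YarnClient is still handed out with a null `yarnQUrl`, and `configs.get(...)` itself throws if `configs` is null. Before this change YarnConnectionMgr.getYarnClient returned null for missing values; with that validation removed in the YarnConnectionMgr hunk, the `yarnClient != null` test in YarnResourceMgr.getYarnResource can no longer fail. I would either reject the input, e.g. `throw new IllegalArgumentException("yarn.url is not configured for service " + serviceName);`, or keep a factory that returns null. The second message misspells the key as `'usename'`. Requiring a password also looks at odds with the login-subject path added to getQueueList, though what BaseClient does with these values is not visible here.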
@@ -74,107 +89,122 @@
 		if (LOG.isDebugEnabled()) {
 			LOG.debug("Getting Yarn queue list for queueNameMatching : " + queueNameMatching);
 		}
-		final String errMsg 			= errMessage;
+		final String errMsg 	= errMessage;
 		
 		List<String> ret = null;
-		
-		Callable<List<String>> yarnQueueListGetter = new Callable<List<String>>() {
+
+		Callable<List<String>> callableYarnQListGetter = new Callable<List<String>>() {
+
 			@Override
 			public List<String> call() {
-				
-				List<String> lret = new ArrayList<String>();
-				
-				String url = yarnQUrl + YARN_LIST_API_ENDPOINT ;
-				
-				Client client = null ;
-				ClientResponse response = null ;
-				
-				try {
-					client = Client.create() ;
-					
-					WebResource webResource = client.resource(url);
-					
-					response = webResource.accept(EXPECTED_MIME_TYPE)
-						    .get(ClientResponse.class);
-					
-					if (LOG.isDebugEnabled()) {
-						LOG.debug("getQueueList():calling " + url);
-					}
-					
-					if (response != null) {
-						if (LOG.isDebugEnabled()) {
-							LOG.debug("getQueueList():response.getStatus()= " + response.getStatus());	
-						}
-						if (response.getStatus() == 200) {
-							String jsonString = response.getEntity(String.class);
-							Gson gson = new GsonBuilder().setPrettyPrinting().create();
-							YarnSchedulerResponse yarnQResponse = gson.fromJson(jsonString, YarnSchedulerResponse.class);
-							if (yarnQResponse != null) {
-								List<String>  yarnQueueList = yarnQResponse.getQueueNames();
-								if (yarnQueueList != null) {
-									for ( String yarnQueueName : yarnQueueList) {
-										if ( existingQueueList != null && existingQueueList.contains(yarnQueueName)) {
-								        	continue;
-								        }
-										if (queueNameMatching == null || queueNameMatching.isEmpty()
-												|| yarnQueueName.startsWith(queueNameMatching)) {
-												if (LOG.isDebugEnabled()) {
-													LOG.debug("getQueueList():Adding yarnQueue " + yarnQueueName);
+				List<String> yarnQueueListGetter = null;
+
+				Subject subj = getLoginSubject();
+
+				if (subj != null) {
+					yarnQueueListGetter = Subject.doAs(subj, new PrivilegedAction<List<String>>() {
+
+					@Override
+					public List<String> run() {
+
+						List<String> lret = new ArrayList<String>();
+
+						String url = yarnQUrl + YARN_LIST_API_ENDPOINT ;
+
+						Client client = null ;
+
+						ClientResponse response = null ;
+
+						try {
+							client = Client.create() ;
+
+							WebResource webResource = client.resource(url);
+
+							response = webResource.accept(EXPECTED_MIME_TYPE)
+								    .get(ClientResponse.class);
+
+							if (LOG.isDebugEnabled()) {
+								LOG.debug("getQueueList():calling " + url);
+							}
+
+							if (response != null) {
+								if (LOG.isDebugEnabled()) {
+									LOG.debug("getQueueList():response.getStatus()= " + response.getStatus());	
+								}
+								if (response.getStatus() == 200) {
+									String jsonString = response.getEntity(String.class);
+									Gson gson = new GsonBuilder().setPrettyPrinting().create();
+									YarnSchedulerResponse yarnQResponse = gson.fromJson(jsonString, YarnSchedulerResponse.class);
+									if (yarnQResponse != null) {
+										List<String>  yarnQueueList = yarnQResponse.getQueueNames();
+										if (yarnQueueList != null) {
+											for ( String yarnQueueName : yarnQueueList) {
+												if ( existingQueueList != null && existingQueueList.contains(yarnQueueName)) {
+										        	continue;
+										        }
+												if (queueNameMatching == null || queueNameMatching.isEmpty()
+														|| yarnQueueName.startsWith(queueNameMatching)) {
+														if (LOG.isDebugEnabled()) {
+															LOG.debug("getQueueList():Adding yarnQueue " + yarnQueueName);
+														}
+														lret.add(yarnQueueName) ;
+													}
 												}
-												lret.add(yarnQueueName) ;
 											}
 										}
-									}
+								 } else{
+									LOG.info("getQueueList():response.getStatus()= " + response.getStatus() + " for URL " + url + ", so returning null list");
+									String jsonString = response.getEntity(String.class);
+									LOG.info(jsonString);
+									lret = null;
 								}
-						 } else{
-							LOG.info("getQueueList():response.getStatus()= " + response.getStatus() + " for URL " + url + ", so returning null list");	
-							String jsonString = response.getEntity(String.class);
-							LOG.info(jsonString);
+							} else {
+								lret = null;
+								String msgDesc = "Unable to get a valid response for "
+										+ "expected mime type : [" + EXPECTED_MIME_TYPE
+										+ "] URL : " + url + " - got null response.";
+								LOG.error(msgDesc);
+								HadoopException hdpException = new HadoopException(msgDesc);
+								hdpException.generateResponseDataMap(false, msgDesc,
+										msgDesc + errMsg, null, null);
+								throw hdpException;
+							}
+						} catch (HadoopException he) {
 							lret = null;
-						}
-					} else {
-						lret = null;
-						String msgDesc = "Unable to get a valid response for "
-								+ "expected mime type : [" + EXPECTED_MIME_TYPE
-								+ "] URL : " + url + " - got null response.";
-						LOG.error(msgDesc);
-						HadoopException hdpException = new HadoopException(msgDesc);
-						hdpException.generateResponseDataMap(false, msgDesc,
-								msgDesc + errMsg, null, null);
-						throw hdpException;
-					}
-				} catch (HadoopException he) {
-					lret = null;
-					throw he;
-				} catch (Throwable t) {
-					lret = null;
-					String msgDesc = "Exception while getting Yarn Queue List."
-							+ " URL : " + url;
-					HadoopException hdpException = new HadoopException(msgDesc,
-							t);
-					
-					LOG.error(msgDesc, t);
+							throw he;
+						} catch (Throwable t) {
+							lret = null;
+							String msgDesc = "Exception while getting Yarn Queue List."
+									+ " URL : " + url;
+							HadoopException hdpException = new HadoopException(msgDesc,
+										t);
 
-					hdpException.generateResponseDataMap(false,
-							BaseClient.getMessage(t), msgDesc + errMsg, null,
-							null);
-					throw hdpException;
-					
-				} finally {
-					if (response != null) {
-						response.close();
+							LOG.error(msgDesc, t);
+
+							hdpException.generateResponseDataMap(false,
+									BaseClient.getMessage(t), msgDesc + errMsg, null,
+									null);
+							throw hdpException;
+
+						} finally {
+							if (response != null) {
+								response.close();
+							}
+
+							if (client != null) {
+								client.destroy(); 
+							}
+						}
+						return lret ;
 					}
-					
-					if (client != null) {
-						client.destroy(); 
-					}
+				  } );
 				}
-				return lret ;
-			}
-		} ;
+				return yarnQueueListGetter;
+			  }
+			};
 		
 		try {
-			ret = timedTask(yarnQueueListGetter, 5, TimeUnit.SECONDS);
+			ret = timedTask(callableYarnQListGetter, 5, TimeUnit.SECONDS);
 		} catch ( Throwable t) {
 			LOG.error("Unable to get Yarn Queue list from [" + yarnQUrl + "]", t) ;
 			String msgDesc = "Unable to get a valid response for "
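Review bot: When `getLoginSubject()` returns null, `call()` falls through and returns null without logging anything, so a missing or failed login leaves no trace at the point where it is detected. I would add `else { LOG.error("getQueueList(): no login subject available, skipping queue lookup for " + yarnQUrl); }` after the `if (subj != null)` block. On a non-200 reply the whole response body is written at INFO (`LOG.info(jsonString)`); keeping the status at INFO and moving the body to DEBUG would keep server error detail out of routine logs. The `timedTask(..., 5, TimeUnit.SECONDS)` call does not bound the request, because the timedTask body visible at the end of this file simply invokes `callableObj.call()`. getQueueList continues past the end of the hunk.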
@@ -243,12 +273,7 @@
 					+ errMsg, null, null);
 			throw hdpException;
 		} else {
-			String yarnUrl 		= configs.get("yarn.url");
-			String yarnUserName = configs.get("username");
-			String yarnPassWord = configs.get("password");
-			yarnClient 			= new YarnClient (yarnUrl, yarnUserName,
-										 		  yarnPassWord);
-	
+			yarnClient = new YarnClient (serviceName, configs);
 		}
 		return yarnClient;
 	}
@@ -299,5 +324,4 @@
 			TimeUnit timeUnit) throws Exception {
 		return callableObj.call();
 	}
-
 }
diff --git a/plugin-yarn/src/main/java/org/apache/ranger/services/yarn/client/YarnConnectionMgr.java b/plugin-yarn/src/main/java/org/apache/ranger/services/yarn/client/YarnConnectionMgr.java
index e2cc2ef..1d39998 100644
--- a/plugin-yarn/src/main/java/org/apache/ranger/services/yarn/client/YarnConnectionMgr.java
+++ b/plugin-yarn/src/main/java/org/apache/ranger/services/yarn/client/YarnConnectionMgr.java
@@ -19,25 +19,17 @@
 
 package org.apache.ranger.services.yarn.client;
 
+import java.util.Map;
+
 import org.apache.log4j.Logger;
 
 
 public class YarnConnectionMgr {
 
 	public static final Logger LOG = Logger.getLogger(YarnConnectionMgr.class);
-    
-	public static YarnClient getYarnClient(final String yarnURL, String userName, String password) {
-		YarnClient yarnClient = null;
-        if (yarnURL == null || yarnURL.isEmpty()) {
-        	LOG.error("Can not create YarnClient: yarnURL is empty");
-        } else if (userName == null || userName.isEmpty()) {
-        	LOG.error("Can not create YarnClient: YarnuserName is empty");
-        } else if (password == null || password.isEmpty()) {
-        	LOG.error("Can not create YarnClient: YarnPassWord is empty");
-        } else {
-            yarnClient =  new YarnClient(yarnURL, userName, password);
-        }
-        return yarnClient;
+	
+	public static YarnClient getYarnClient(String serviceName, Map<String, String> configs) {
+        return  new YarnClient(serviceName, configs);
     }
 
 }
diff --git a/plugin-yarn/src/main/java/org/apache/ranger/services/yarn/client/YarnResourceMgr.java b/plugin-yarn/src/main/java/org/apache/ranger/services/yarn/client/YarnResourceMgr.java
index 95d29c0..97fdf19 100644
--- a/plugin-yarn/src/main/java/org/apache/ranger/services/yarn/client/YarnResourceMgr.java
+++ b/plugin-yarn/src/main/java/org/apache/ranger/services/yarn/client/YarnResourceMgr.java
@@ -65,23 +65,17 @@
 		} else {
 			yarnQueueName = userInput;
 		}
-		
-		
+
         if (configs == null || configs.isEmpty()) {
                 LOG.error("Connection Config is empty");
-
         } else {
-                
-                String url 		= configs.get("yarn.url");
-                String username = configs.get("username");
-                String password = configs.get("password");
-                resultList = getYarnResource(url, username, password,yarnQueueName,yarnQueueList) ;
+               resultList = getYarnResource(serviceName, configs, yarnQueueName,yarnQueueList) ;
         }
         return resultList ;
     }
 
-    public static List<String> getYarnResource(String url, String username, String password,String yarnQueueName, List<String> yarnQueueList) {
-        final YarnClient yarnClient = YarnConnectionMgr.getYarnClient(url, username, password);
+    public static List<String> getYarnResource(String serviceName, Map<String, String> configs, String yarnQueueName, List<String> yarnQueueList) {
+        final YarnClient yarnClient = YarnConnectionMgr.getYarnClient(serviceName, configs);
         List<String> topologyList = null;
 	    if (yarnClient != null) {
 	    	synchronized(yarnClient) {
diff --git a/security-admin/src/main/java/org/apache/ranger/security/web/authentication/CustomLogoutSuccessHandler.java b/security-admin/src/main/java/org/apache/ranger/security/web/authentication/CustomLogoutSuccessHandler.java
index 6a91834..237fb50 100644
--- a/security-admin/src/main/java/org/apache/ranger/security/web/authentication/CustomLogoutSuccessHandler.java
+++ b/security-admin/src/main/java/org/apache/ranger/security/web/authentication/CustomLogoutSuccessHandler.java
@@ -43,6 +43,8 @@
 			HttpServletResponse response, Authentication authentication)
 			throws IOException, ServletException {
 
+		request.getServletContext().removeAttribute(request.getRequestedSessionId());
+		
 		response.setContentType("application/json;charset=UTF-8");
 		response.setHeader("Cache-Control", "no-cache");
 		response.setHeader("X-Frame-Options", "DENY");
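Review bot: `request.getRequestedSessionId()` is the session id the client sent and is null when none was sent, so the added line passes a client-chosen or null string straight to `ServletContext.removeAttribute`. Some containers throw on a null attribute name, which would fail the logout response, so guard it: `String sid = request.getRequestedSessionId(); if (sid != null) { request.getServletContext().removeAttribute(sid); }`. Because the raw id is used as an application-scope attribute name, the removal is not confined to entries this feature created; a fixed prefix such as `"locallogin." + sid`, applied consistently in RangerAuthenticationEntryPoint and RangerSSOAuthenticationFilter, would scope it. The method body starts and ends outside the hunk.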
diff --git a/security-admin/src/main/java/org/apache/ranger/security/web/authentication/RangerAuthenticationEntryPoint.java b/security-admin/src/main/java/org/apache/ranger/security/web/authentication/RangerAuthenticationEntryPoint.java
index 0b61498..b3d59eb 100644
--- a/security-admin/src/main/java/org/apache/ranger/security/web/authentication/RangerAuthenticationEntryPoint.java
+++ b/security-admin/src/main/java/org/apache/ranger/security/web/authentication/RangerAuthenticationEntryPoint.java
@@ -133,6 +133,7 @@
 			if(requestURL.contains(RangerSSOAuthenticationFilter.LOCAL_LOGIN_URL)){
 				if (request.getSession() != null)
 					request.getSession().setAttribute("locallogin","true");
+					request.getServletContext().setAttribute(request.getSession().getId(), "locallogin");
 			}
 			super.commence(request, response, authException);
 		}
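Review bot: The added `request.getServletContext().setAttribute(...)` line is indented as if it were inside `if (request.getSession() != null)`, but without braces only the first statement is guarded and the new one always runs. `getSession()` creates a session when none exists, so the null test should never fail in practice, but the layout misleads the next reader; wrap both statements in braces. Entries written here are removed only by the logout handler or when the SSO filter consumes them, so a session that simply times out appears to leave its id in the ServletContext indefinitely, as no other cleanup is visible in this diff.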
diff --git a/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerSSOAuthenticationFilter.java b/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerSSOAuthenticationFilter.java
index af3c58a..f79db6b 100644
--- a/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerSSOAuthenticationFilter.java
+++ b/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerSSOAuthenticationFilter.java
@@ -108,26 +108,37 @@
 	@Override
 	public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain)throws IOException, ServletException {
 		
+		HttpServletRequest httpRequest = (HttpServletRequest)servletRequest;
+        if (httpRequest.getRequestedSessionId() != null && !httpRequest.isRequestedSessionIdValid())
+        {   
+        	if(httpRequest.getServletContext().getAttribute(httpRequest.getRequestedSessionId()) != null && httpRequest.getServletContext().getAttribute(httpRequest.getRequestedSessionId()).toString().equals("locallogin")){
+        		ssoEnabled = false;
+        		httpRequest.getSession().setAttribute("locallogin","true");
+        		httpRequest.getServletContext().removeAttribute(httpRequest.getRequestedSessionId());
+        	}
+        }		
+		
 		RangerSecurityContext context = RangerContextHolder.getSecurityContext();
 		UserSessionBase session = context != null ? context.getUserSession() : null;
 		ssoEnabled = session != null ? session.isSSOEnabled() : PropertiesUtil.getBooleanProperty("ranger.sso.enabled", false);
 		
-		String userAgent = ((HttpServletRequest)servletRequest).getHeader("User-Agent");
-		if(((HttpServletRequest) servletRequest).getSession() != null){
-			if(((HttpServletRequest) servletRequest).getSession().getAttribute("locallogin") != null){
+		String userAgent = httpRequest.getHeader("User-Agent");
+		if(httpRequest.getSession() != null){
+			if(httpRequest.getSession().getAttribute("locallogin") != null){
 				ssoEnabled = false;
 				servletRequest.setAttribute("ssoEnabled", false);
 				filterChain.doFilter(servletRequest, servletResponse);
 				return;
 			}
-		}
+		}		
+		
 		//If sso is enable and request is not for local login and is from browser then it will go inside and try for knox sso authentication 
-		if (ssoEnabled && !((HttpServletRequest) servletRequest).getRequestURI().contains(LOCAL_LOGIN_URL) && isWebUserAgent(userAgent)) {
+		if (ssoEnabled && !httpRequest.getRequestURI().contains(LOCAL_LOGIN_URL) && isWebUserAgent(userAgent)) {
 			//if jwt properties are loaded and is current not authenticated then it will go for sso authentication
+			//Note : Need to remove !isAuthenticated() after knoxsso solve the bug from cross-origin script
 			if (jwtProperties != null && !isAuthenticated()) {
-				HttpServletRequest httpServletRequest = (HttpServletRequest) servletRequest;
 				HttpServletResponse httpServletResponse = (HttpServletResponse) servletResponse;
-				String serializedJWT = getJWTFromCookie(httpServletRequest);
+				String serializedJWT = getJWTFromCookie(httpRequest);
 				// if we get the hadoop-jwt token from the cookies then will process it further
 				if (serializedJWT != null) {
 					SignedJWT jwtToken = null;
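Review bot: The `ssoEnabled = false;` inside the new block is dead, because `ssoEnabled` is reassigned unconditionally a few lines later from the user session or `ranger.sso.enabled`; only the `locallogin` session attribute set next to it has any effect. `ssoEnabled` is assigned without a local declaration, so it appears to be a field on a filter instance shared by concurrent requests, and writing it per request is racy; a local `boolean` would avoid that. The new lookup uses `getRequestedSessionId()`, a client-supplied value for a session the container already considers invalid, as the key that switches a fresh session into local-login mode, so that decision rests on unauthenticated input. The repeated `getAttribute(...)` call can be reduced to `"locallogin".equals(ctx.getAttribute(sid))`. doFilter continues beyond the hunk.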
@@ -144,9 +155,11 @@
 							if (userName != null && !userName.trim().isEmpty()) {
 								final List<GrantedAuthority> grantedAuths = new ArrayList<>();
 								grantedAuths.add(new SimpleGrantedAuthority(rangerLdapDefaultRole));
+								grantedAuths.add(new SimpleGrantedAuthority("ROLE_SYS_ADMIN"));
+								grantedAuths.add(new SimpleGrantedAuthority("ROLE_KEY_ADMIN"));
 								final UserDetails principal = new User(userName, "",grantedAuths);
 								final Authentication finalAuthentication = new UsernamePasswordAuthenticationToken(principal, "", grantedAuths);
-								WebAuthenticationDetails webDetails = new WebAuthenticationDetails(httpServletRequest);
+								WebAuthenticationDetails webDetails = new WebAuthenticationDetails(httpRequest);
 								((AbstractAuthenticationToken) finalAuthentication).setDetails(webDetails);
 								RangerAuthenticationProvider authenticationProvider = new RangerAuthenticationProvider();
 								authenticationProvider.setSsoEnabled(ssoEnabled);
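Review bot: The two added lines put `ROLE_SYS_ADMIN` and `ROLE_KEY_ADMIN` on the authentication token of every user who presents a valid JWT, regardless of that user's role in Ranger. Unless `RangerAuthenticationProvider.authenticate` replaces these authorities with the stored ones (not visible in this hunk), every SSO user is treated as both system and key administrator. I would keep only `rangerLdapDefaultRole` here and let the provider resolve the real role, or add a comment stating why the token must carry the admin authorities and where they are narrowed again.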
@@ -158,7 +171,7 @@
 						}
 						// if the token is not valid then redirect to knox sso  
 						else {
-							String ssourl = constructLoginURL(httpServletRequest);
+							String ssourl = constructLoginURL(httpRequest);
 							if(LOG.isDebugEnabled())
 								LOG.debug("SSO URL = " + ssourl);
 							httpServletResponse.sendRedirect(ssourl);
@@ -169,7 +182,7 @@
 				}
 				// if the jwt token is not available then redirect it to knox sso 
 				else {
-					String ssourl = constructLoginURL(httpServletRequest);
+					String ssourl = constructLoginURL(httpRequest);
 					if(LOG.isDebugEnabled())
 						LOG.debug("SSO URL = " + ssourl);
 					httpServletResponse.sendRedirect(ssourl);
diff --git a/security-admin/src/main/webapp/scripts/views/common/ProfileBar.js b/security-admin/src/main/webapp/scripts/views/common/ProfileBar.js
index 0bb9648..c6301c3 100644
--- a/security-admin/src/main/webapp/scripts/views/common/ProfileBar.js
+++ b/security-admin/src/main/webapp/scripts/views/common/ProfileBar.js
@@ -49,10 +49,10 @@
 		events: function() {
 			var events = {};
 			//events['change ' + this.ui.input]  = 'onInputChange';
-			events['click ' + this.ui.logout]  = 'onLogout';
+			events['click ' + this.ui.logout]  = 'checkKnoxSSO';
 			return events;
 		},
-		onLogout : function(){
+		onLogout : function(checksso){
 			var url = 'security-admin-web/logout.html',
 			that = this;
 			$.ajax({
@@ -62,8 +62,15 @@
 					"cache-control" : "no-cache"
 				},
 				success : function() {
-					that.checkKnoxSSO()
-//					window.location.replace('login.jsp');
+					if(!_.isUndefined(checksso) && checksso){
+						if(checksso == 'false'){
+							window.location.replace('locallogin');
+						}else{
+							window.location.replace('');
+						}
+					} else {
+						window.location.replace('login.jsp');
+					}
 				},
 				error : function(jqXHR, textStatus, err ) {
 				}
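Review bot: `onLogout` compares `checksso` with the string `'false'` inside a truthiness test, so the redirect depends on how the checksso response was parsed: a boolean `false` falls through to `login.jsp`, while the string `'false'` goes to `locallogin`. Make the expected type explicit, compare with `===`, and add a comment such as `// checksso returns the text 'true' or 'false'; undefined means the check was skipped` once the endpoint's contract is confirmed. The `error` callback is still empty, so a failed logout request leaves the user on the page with the session intact and no feedback; at minimum redirect to `login.jsp` or show a message there.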
@@ -71,7 +78,7 @@
 			});
 		},
 		checkKnoxSSO : function(){
-			var url = 'service/plugins/checksso';
+			var that =this, url = 'service/plugins/checksso';
 			$.ajax({
 				url : url,
 				type : 'GET',
@@ -79,19 +86,13 @@
 					"cache-control" : "no-cache"
 				},
 				success : function(resp) {
-					console.log(resp)
-					if(!_.isUndefined(resp) && resp){
-						window.location.replace('');
-					} else {
-						window.location.replace('login.jsp');
-					}
+					that.onLogout(resp);
 				},
 				error : function(jqXHR, textStatus, err ) {
 					if( jqXHR.status == 419 ){
 						window.location.replace('login.jsp');
 					}
 				}
-				
 			});
 		},
     	/**
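Review bot: The logout click is now bound to `checkKnoxSSO`, and `onLogout` is reached only from its `success` callback, so if `service/plugins/checksso` fails with any status other than 419 the logout request is never sent and the click does nothing. Logout should not depend on an auxiliary lookup; call `that.onLogout();` from the `error` callback as well. The 419 branch redirects to `login.jsp` without calling logout, which is acceptable only if 419 means the session is already gone, and that is not visible here. checkKnoxSSO starts in the previous hunk.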