ATLAS-2166 - Block Knox proxy service user for kerberos authentication
Change-Id: Ib7549067bad928ae90d5f39b920c162d9c776780
Signed-off-by: Madhan Neethiraj <madhan@apache.org>
diff --git a/webapp/src/main/java/org/apache/atlas/web/filters/AtlasAuthenticationFilter.java b/webapp/src/main/java/org/apache/atlas/web/filters/AtlasAuthenticationFilter.java
index 444b094..e8020db 100644
--- a/webapp/src/main/java/org/apache/atlas/web/filters/AtlasAuthenticationFilter.java
+++ b/webapp/src/main/java/org/apache/atlas/web/filters/AtlasAuthenticationFilter.java
@@ -29,7 +29,6 @@
import org.apache.commons.configuration.ConfigurationConverter;
import org.apache.commons.lang.StringUtils;
import org.apache.hadoop.security.SecurityUtil;
-import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.authentication.client.AuthenticatedURL;
import org.apache.hadoop.security.authentication.client.AuthenticationException;
import org.apache.hadoop.security.authentication.client.KerberosAuthenticator;
@@ -47,7 +46,6 @@
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
-import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
@@ -84,16 +82,23 @@
@Component
public class AtlasAuthenticationFilter extends AuthenticationFilter {
private static final Logger LOG = LoggerFactory.getLogger(AtlasAuthenticationFilter.class);
- static final String PREFIX = "atlas.authentication.method";
- protected static ServletContext nullContext = new NullServletContext();
- private Signer signer;
+
+ private static final String CONFIG_PROXY_USERS = "atlas.proxyusers";
+ private static final String PREFIX = "atlas.authentication.method";
+ private static final String[] DEFAULT_PROXY_USERS = new String[] { "knox" };
+ protected static final ServletContext nullContext = new NullServletContext();
+
+ private Signer signer;
private SignerSecretProvider secretProvider;
- public final boolean isKerberos = AuthenticationUtil.isKerberosAuthenticationEnabled();
- private boolean isInitializedByTomcat;
- private Set<Pattern> browserUserAgents;
- private boolean supportKeyTabBrowserLogin = false;
- private Configuration configuration;
- private Properties headerProperties;
+ private final boolean isKerberos = AuthenticationUtil.isKerberosAuthenticationEnabled();
+ private boolean isInitializedByTomcat;
+ private Set<Pattern> browserUserAgents;
+ private boolean supportKeyTabBrowserLogin = false;
+ private Configuration configuration;
+ private Properties headerProperties;
+ private Set<String> atlasProxyUsers = new HashSet<>();
+
+
public AtlasAuthenticationFilter() {
try {
LOG.info("AtlasAuthenticationFilter initialization started");
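Review bot: The new `CONFIG_PROXY_USERS`, `DEFAULT_PROXY_USERS` and `atlasProxyUsers` declarations carry no explanation of what a "proxy user" is or what happens to one, which a maintainer reading only this class will need; suggest a comment such as `// service identities (Knox by default) that act on behalf of end users; a Kerberos login arriving as one of these is rejected in doFilter. Configured via atlas.proxyusers.`. `DEFAULT_PROXY_USERS` is a `String[]`, so `final` only pins the reference and the contents stay mutable; a `Set<String>` built with `Collections.singleton("knox")` or `Collections.unmodifiableSet(...)` would be a true constant and could be assigned to `atlasProxyUsers` directly. Note also that `isKerberos` goes from `public final` to `private final` and `PREFIX` from package-private to `private` in this hunk, which is fine only if nothing outside the class reads them. The class body continues beyond this hunk.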
@@ -252,6 +257,14 @@
agents = AtlasCSRFPreventionFilter.BROWSER_USER_AGENTS_DEFAULT;
}
+ String[] proxyUsers = configuration.getStringArray(CONFIG_PROXY_USERS);
+
+ if (proxyUsers == null || proxyUsers.length == 0) {
+ proxyUsers = DEFAULT_PROXY_USERS;
+ }
+
+ atlasProxyUsers = new HashSet<>(Arrays.asList(proxyUsers));
+
parseBrowserUserAgents(agents);
return config;
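Review bot: Because an empty `atlas.proxyusers` value falls through to `DEFAULT_PROXY_USERS` on the `proxyUsers.length == 0` branch, an operator has no way to disable the proxy-user block — setting the key to an empty value yields `knox` again. If that is not intended, distinguish "key absent" from "key present but empty", e.g. `if (!configuration.containsKey(CONFIG_PROXY_USERS)) { proxyUsers = DEFAULT_PROXY_USERS; }`, and log the effective set once at init so the behaviour is visible in the server log. The `proxyUsers == null` check is presumably redundant with Commons Configuration's `getStringArray`, which I believe returns an empty array for a missing key, but it is harmless. The enclosing init method starts before this hunk.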
@@ -417,6 +430,18 @@
return (authToken != AuthenticationToken.ANONYMOUS) ? authToken : null;
}
};
+
+ if(StringUtils.isNotBlank(httpRequest.getRemoteUser()) && atlasProxyUsers.contains(httpRequest.getRemoteUser())){
+ LOG.info("Ignoring kerberos login from proxy user "+ httpRequest.getRemoteUser());
+
+ httpResponse.setHeader(KerberosAuthenticator.WWW_AUTHENTICATE, "");
+ httpResponse.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
+ filterChain.doFilter(request, response);
+
+ return;
+ }
+
+
if (newToken && !token.isExpired() && token != AuthenticationToken.ANONYMOUS) {
String signedToken = signer.sign(token.toString());
createAuthCookie(httpResponse, signedToken, getCookieDomain(),
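Review bot: After setting `SC_UNAUTHORIZED` on the proxy-user path, the new block still calls `filterChain.doFilter(request, response)`, so downstream filters and the target servlet run for a request this filter has just decided to reject and may overwrite the status or write a body; if the intent is to refuse the login, `return;` straight after `httpResponse.setStatus(...)` (dropping the `doFilter` call) is the safer shape, and if the intent is to let a later filter offer another login method, a comment saying so would prevent someone "fixing" it. The check is an exact, case-sensitive comparison of `getRemoteUser()` against the configured names; whether that value is the short name (`knox`) or the full principal (`knox/host@REALM`) depends on the Kerberos name rules in effect, which this hunk does not show, so a test with a full principal would be worthwhile. Prefer the parameterized SLF4J form `LOG.info("Ignoring kerberos login from proxy user {}", httpRequest.getRemoteUser());` over string concatenation. The enclosing doFilter logic starts and ends outside this hunk.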