webapp/src/main/java/org/apache/atlas/web/listeners/LoginProcessor.java - incubator-atlas - Git at Google

 /*
  * Licensed to the Apache Software Foundation (ASF) under one or more
  * contributor license agreements.  See the NOTICE file distributed with
  * this work for additional information regarding copyright ownership.
  * The ASF licenses this file to You under the Apache License, Version 2.0
  * (the "License"); you may not use this file except in compliance with
  * the License.  You may obtain a copy of the License at
  *
  *     http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
 package org.apache.atlas.web.listeners;

 import org.apache.atlas.ApplicationProperties;
 import org.apache.atlas.AtlasException;
 import org.apache.atlas.security.SecurityProperties;
 import org.apache.commons.configuration.ConfigurationException;
 import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.security.SecurityUtil;
 import org.apache.hadoop.security.UserGroupInformation;
 import org.apache.hadoop.util.Shell;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;

 import java.io.IOException;
 import java.net.InetAddress;
 import java.net.UnknownHostException;

 /**
  * A class capable of performing a simple or kerberos login.
  */
 public class LoginProcessor {

     private static final Logger LOG = LoggerFactory.getLogger(LoginProcessor.class);
     public static final String ATLAS_AUTHENTICATION_PREFIX = "atlas.authentication.";
     public static final String AUTHENTICATION_KERBEROS_METHOD = ATLAS_AUTHENTICATION_PREFIX + "method.kerberos";
     public static final String AUTHENTICATION_PRINCIPAL = ATLAS_AUTHENTICATION_PREFIX + "principal";
     public static final String AUTHENTICATION_KEYTAB = ATLAS_AUTHENTICATION_PREFIX + "keytab";

     /**
      * Perform a SIMPLE login based on established OS identity or a kerberos based login using the configured
      * principal and keytab (via atlas-application.properties).
      */
     public void login() {
         // first, let's see if we're running in a hadoop cluster and have the env configured
         boolean isHadoopCluster = isHadoopCluster();
         Configuration hadoopConfig = isHadoopCluster ? getHadoopConfiguration() : new Configuration(false);
         org.apache.commons.configuration.Configuration configuration = getApplicationConfiguration();
         if (!isHadoopCluster) {
             // need to read the configured authentication choice and create the UGI configuration
             setupHadoopConfiguration(hadoopConfig, configuration);
         }
         doServiceLogin(hadoopConfig, configuration);
     }

     protected void doServiceLogin(Configuration hadoopConfig,
             org.apache.commons.configuration.Configuration configuration) {
         UserGroupInformation.setConfiguration(hadoopConfig);

         UserGroupInformation ugi = null;
         UserGroupInformation.AuthenticationMethod authenticationMethod =
                 SecurityUtil.getAuthenticationMethod(hadoopConfig);
         try {
             if (authenticationMethod == UserGroupInformation.AuthenticationMethod.SIMPLE) {
                 UserGroupInformation.loginUserFromSubject(null);
             } else if (authenticationMethod == UserGroupInformation.AuthenticationMethod.KERBEROS) {
                 String bindAddress = getHostname(configuration);
                 UserGroupInformation.loginUserFromKeytab(
                         getServerPrincipal(configuration.getString(AUTHENTICATION_PRINCIPAL), bindAddress),
                         configuration.getString(AUTHENTICATION_KEYTAB));
             }
             LOG.info("Logged in user {}", UserGroupInformation.getLoginUser());
         } catch (IOException e) {
             throw new IllegalStateException(String.format("Unable to perform %s login.", authenticationMethod), e);
         }
     }

     private String getHostname(org.apache.commons.configuration.Configuration configuration) {
         String bindAddress = configuration.getString(SecurityProperties.BIND_ADDRESS);
         if (bindAddress == null) {
             LOG.info("No host name configured.  Defaulting to local host name.");
             try {
                 bindAddress = InetAddress.getLocalHost().getHostName();
             } catch (UnknownHostException e) {
                 throw new IllegalStateException(e);
             }
         }
         return bindAddress;
     }

     protected void setupHadoopConfiguration(Configuration hadoopConfig, org.apache.commons.configuration.Configuration
             configuration) {
         String authMethod = "";
         String kerberosAuthNEnabled = configuration != null ? configuration.getString(AUTHENTICATION_KERBEROS_METHOD) : null;
         // getString may return null, and would like to log the nature of the default setting
         if (kerberosAuthNEnabled == null || kerberosAuthNEnabled.equalsIgnoreCase("false")) {
             LOG.info("No authentication method configured.  Defaulting to simple authentication");
             authMethod = "simple";
         } else if (kerberosAuthNEnabled.equalsIgnoreCase("true")) {
             authMethod = "kerberos";
         }
         SecurityUtil
                 .setAuthenticationMethod(UserGroupInformation.AuthenticationMethod.valueOf(authMethod.toUpperCase()),
                         hadoopConfig);
     }

     /**
      * Return a server (service) principal.  The token "_HOST" in the principal will be replaced with the local host
      * name (e.g. dgi/_HOST will be changed to dgi/localHostName)
      * @param principal the input principal containing an option "_HOST" token
      * @return the service principal.
      * @throws IOException
      */
     private String getServerPrincipal(String principal, String host) throws IOException {
         return SecurityUtil.getServerPrincipal(principal, host);
     }

     /**
      * Returns a Hadoop configuration instance.
      * @return the configuration.
      */
     protected Configuration getHadoopConfiguration() {
         return new Configuration();
     }

     /**
      * Returns the metadata application configuration.
      * @return the metadata configuration.
      * @throws ConfigurationException
      */
     protected org.apache.commons.configuration.Configuration getApplicationConfiguration() {
         try {
             return ApplicationProperties.get();
         } catch (AtlasException e) {
             LOG.warn("Error reading application configuration", e);
         }
         return null;
     }

     /**
      * Uses a hadoop shell to discern whether a hadoop cluster is available/configured.
      * @return true if a hadoop cluster is detected.
      */
     protected boolean isHadoopCluster() {
         boolean isHadoopCluster = false;
         try {
             isHadoopCluster = Shell.getHadoopHome() != null;
         } catch (IOException e) {
             // ignore - false is default setting
         }
         return isHadoopCluster;
     }
 }
	/*
	* Licensed to the Apache Software Foundation (ASF) under one or more
	* contributor license agreements. See the NOTICE file distributed with
	* this work for additional information regarding copyright ownership.
	* The ASF licenses this file to You under the Apache License, Version 2.0
	* (the "License"); you may not use this file except in compliance with
	* the License. You may obtain a copy of the License at
	*
	* http://www.apache.org/licenses/LICENSE-2.0
	*
	* Unless required by applicable law or agreed to in writing, software
	* distributed under the License is distributed on an "AS IS" BASIS,
	* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	* See the License for the specific language governing permissions and
	* limitations under the License.
	*/
	package org.apache.atlas.web.listeners;

	import org.apache.atlas.ApplicationProperties;
	import org.apache.atlas.AtlasException;
	import org.apache.atlas.security.SecurityProperties;
	import org.apache.commons.configuration.ConfigurationException;
	import org.apache.hadoop.conf.Configuration;
	import org.apache.hadoop.security.SecurityUtil;
	import org.apache.hadoop.security.UserGroupInformation;
	import org.apache.hadoop.util.Shell;
	import org.slf4j.Logger;
	import org.slf4j.LoggerFactory;

	import java.io.IOException;
	import java.net.InetAddress;
	import java.net.UnknownHostException;

	/**
	* A class capable of performing a simple or kerberos login.
	*/
	public class LoginProcessor {

	private static final Logger LOG = LoggerFactory.getLogger(LoginProcessor.class);
	public static final String ATLAS_AUTHENTICATION_PREFIX = "atlas.authentication.";
	public static final String AUTHENTICATION_KERBEROS_METHOD = ATLAS_AUTHENTICATION_PREFIX + "method.kerberos";
	public static final String AUTHENTICATION_PRINCIPAL = ATLAS_AUTHENTICATION_PREFIX + "principal";
	public static final String AUTHENTICATION_KEYTAB = ATLAS_AUTHENTICATION_PREFIX + "keytab";

	/**
	* Perform a SIMPLE login based on established OS identity or a kerberos based login using the configured
	* principal and keytab (via atlas-application.properties).
	*/
	public void login() {
	// first, let's see if we're running in a hadoop cluster and have the env configured
	boolean isHadoopCluster = isHadoopCluster();
	Configuration hadoopConfig = isHadoopCluster ? getHadoopConfiguration() : new Configuration(false);
	org.apache.commons.configuration.Configuration configuration = getApplicationConfiguration();
	if (!isHadoopCluster) {
	// need to read the configured authentication choice and create the UGI configuration
	setupHadoopConfiguration(hadoopConfig, configuration);
	}
	doServiceLogin(hadoopConfig, configuration);
	}

	protected void doServiceLogin(Configuration hadoopConfig,
	org.apache.commons.configuration.Configuration configuration) {
	UserGroupInformation.setConfiguration(hadoopConfig);

	UserGroupInformation ugi = null;
	UserGroupInformation.AuthenticationMethod authenticationMethod =
	SecurityUtil.getAuthenticationMethod(hadoopConfig);
	try {
	if (authenticationMethod == UserGroupInformation.AuthenticationMethod.SIMPLE) {
	UserGroupInformation.loginUserFromSubject(null);
	} else if (authenticationMethod == UserGroupInformation.AuthenticationMethod.KERBEROS) {
	String bindAddress = getHostname(configuration);
	UserGroupInformation.loginUserFromKeytab(
	getServerPrincipal(configuration.getString(AUTHENTICATION_PRINCIPAL), bindAddress),
	configuration.getString(AUTHENTICATION_KEYTAB));
	}
	LOG.info("Logged in user {}", UserGroupInformation.getLoginUser());
	} catch (IOException e) {
	throw new IllegalStateException(String.format("Unable to perform %s login.", authenticationMethod), e);
	}
	}

	private String getHostname(org.apache.commons.configuration.Configuration configuration) {
	String bindAddress = configuration.getString(SecurityProperties.BIND_ADDRESS);
	if (bindAddress == null) {
	LOG.info("No host name configured. Defaulting to local host name.");
	try {
	bindAddress = InetAddress.getLocalHost().getHostName();
	} catch (UnknownHostException e) {
	throw new IllegalStateException(e);
	}
	}
	return bindAddress;
	}

	protected void setupHadoopConfiguration(Configuration hadoopConfig, org.apache.commons.configuration.Configuration
	configuration) {
	String authMethod = "";
	String kerberosAuthNEnabled = configuration != null ? configuration.getString(AUTHENTICATION_KERBEROS_METHOD) : null;
	// getString may return null, and would like to log the nature of the default setting
	if (kerberosAuthNEnabled == null \|\| kerberosAuthNEnabled.equalsIgnoreCase("false")) {
	LOG.info("No authentication method configured. Defaulting to simple authentication");
	authMethod = "simple";
	} else if (kerberosAuthNEnabled.equalsIgnoreCase("true")) {
	authMethod = "kerberos";
	}
	SecurityUtil
	.setAuthenticationMethod(UserGroupInformation.AuthenticationMethod.valueOf(authMethod.toUpperCase()),
	hadoopConfig);
	}

	/**
	* Return a server (service) principal. The token "_HOST" in the principal will be replaced with the local host
	* name (e.g. dgi/_HOST will be changed to dgi/localHostName)
	* @param principal the input principal containing an option "_HOST" token
	* @return the service principal.
	* @throws IOException
	*/
	private String getServerPrincipal(String principal, String host) throws IOException {
	return SecurityUtil.getServerPrincipal(principal, host);
	}

	/**
	* Returns a Hadoop configuration instance.
	* @return the configuration.
	*/
	protected Configuration getHadoopConfiguration() {
	return new Configuration();
	}

	/**
	* Returns the metadata application configuration.
	* @return the metadata configuration.
	* @throws ConfigurationException
	*/
	protected org.apache.commons.configuration.Configuration getApplicationConfiguration() {
	try {
	return ApplicationProperties.get();
	} catch (AtlasException e) {
	LOG.warn("Error reading application configuration", e);
	}
	return null;
	}

	/**
	* Uses a hadoop shell to discern whether a hadoop cluster is available/configured.
	* @return true if a hadoop cluster is detected.
	*/
	protected boolean isHadoopCluster() {
	boolean isHadoopCluster = false;
	try {
	isHadoopCluster = Shell.getHadoopHome() != null;
	} catch (IOException e) {
	// ignore - false is default setting
	}
	return isHadoopCluster;
	}
	}