Merge branch 'master' into tag-policy
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/client/HadoopConfigHolder.java b/agents-common/src/main/java/org/apache/ranger/plugin/client/HadoopConfigHolder.java
index f95e10e..9d14ae6 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/client/HadoopConfigHolder.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/client/HadoopConfigHolder.java
@@ -22,6 +22,7 @@ import java.io.IOException; import java.io.InputStream; import java.util.*; +import java.util.Map.Entry; import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; @@ -96,6 +97,7 @@ dataSource2HadoopConfigHolder.put(aDatasourceName, ret) ; } } + return ret ; } @@ -265,14 +267,15 @@ userName = prop.getProperty(RANGER_LOGIN_USER_NAME_PROP) ; keyTabFile = prop.getProperty(RANGER_LOGIN_KEYTAB_FILE_PROP) ; password = prop.getProperty(RANGER_LOGIN_PASSWORD) ; - - if ( getHadoopSecurityAuthentication() != null) { - isKerberosAuth = ( getHadoopSecurityAuthentication().equalsIgnoreCase(HADOOP_SECURITY_AUTHENTICATION_METHOD)); + + String hadoopSecurityAuthenticationn = getHadoopSecurityAuthentication(); + + if ( hadoopSecurityAuthenticationn != null) { + isKerberosAuth = ( hadoopSecurityAuthenticationn.equalsIgnoreCase(HADOOP_SECURITY_AUTHENTICATION_METHOD)); } else { isKerberosAuth = (userName != null) && (userName.indexOf("@") > -1) ; } - } } 
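Review bot: The new local introduced in the last hunk is misspelled `hadoopSecurityAuthenticationn` (double n), and the typo is repeated on the null check and the `equalsIgnoreCase` line; rename it on all three lines, e.g. `String hadoopSecurityAuthentication = getHadoopSecurityAuthentication();`. The `else` branch that still infers Kerberos from an `@` in the login user name is pre-existing, but now that an explicit authentication property exists it would help to note in a comment that the inference is only a fallback for service defs without `hadoop.security.authentication`. The method enclosing this hunk starts before the hunk, and `java.util.Map.Entry` added in the first hunk is not used by any line visible in this commit.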
@@ -342,21 +345,26 @@ } public String getHadoopSecurityAuthentication() { - Properties repoParam = null ; String ret = null; - - HashMap<String,Properties> resourceName2PropertiesMap = dataSource2ResourceListMap.get(this.getDatasourceName()) ; - - if ( resourceName2PropertiesMap != null) { - repoParam=resourceName2PropertiesMap.get(DEFAULT_RESOURCE_NAME); + String sectionName = RANGER_SECTION_NAME; + + if ( defaultConfigFile != null) { + sectionName = defaultConfigFile; } - - if ( repoParam != null ) { - ret = (String)repoParam.get(HADOOP_SECURITY_AUTHENTICATION); + + if ( LOG.isDebugEnabled() ) { + LOG.debug("==> HadoopConfigHolder.getHadoopSecurityAuthentication( " + " DataSource : " + sectionName + " Property : " + HADOOP_SECURITY_AUTHENTICATION + ")" ); } + + ret = getProperties(sectionName,HADOOP_SECURITY_AUTHENTICATION); + + if ( LOG.isDebugEnabled() ) { + LOG.debug("<== HadoopConfigHolder.getHadoopSecurityAuthentication(" + " DataSource : " + sectionName + " Property : " + HADOOP_SECURITY_AUTHENTICATION + " Value : " + ret + ")" ); + } + return ret; - } - + } + public String getUserName() { return userName; } @@ -377,6 +385,32 @@ return rangerInternalPropertyKeys; } + + private String getProperties(String sectionName, String property) { + + if ( LOG.isDebugEnabled() ) { + LOG.debug("==> HadoopConfigHolder.getProperties( " + " DataSource : " + sectionName + " Property : " + property + ")" ); + } + + Properties repoParam = null ; + String ret = null; + + HashMap<String,Properties> resourceName2PropertiesMap = dataSource2ResourceListMap.get(this.getDatasourceName()) ; + + if ( resourceName2PropertiesMap != null) { + repoParam=resourceName2PropertiesMap.get(sectionName); + } + + if ( repoParam != null ) { + ret = (String)repoParam.get(property); + } + + if ( LOG.isDebugEnabled() ) { + LOG.debug("<== HadoopConfigHolder.getProperties( " + " DataSource : " + sectionName + " Property : " + property + " Value : " + ret); + } + + return ret; + } }
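Review bot: The new `getProperties(sectionName, property)` helper logs the looked-up value at DEBUG (`" Value : " + ret`), and because it is a generic accessor over the same property maps that hold `RANGER_LOGIN_PASSWORD`, any future caller that passes a credential key will write the secret to the log. Drop the value from the exit message, `LOG.debug("<== HadoopConfigHolder.getProperties( " + " DataSource : " + sectionName + " Property : " + property + ")");`, or redact it for keys that look like passwords; the same applies to the exit log in `getHadoopSecurityAuthentication`, although that one only ever prints the auth type. As a style point the helper returns a single `String`, so `getProperty` would describe it better than `getProperties`, and the exit message is missing its closing parenthesis.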
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
index 77fdb90..93fbcd4 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
@@ -71,7 +71,9 @@ } StringBuffer perfTagBuffer = new StringBuffer(); - perfTagBuffer.append("policyId=").append(policy.getId()).append(", policyName=").append(policy.getName()); + if (policy != null) { + perfTagBuffer.append("policyId=").append(policy.getId()).append(", policyName=").append(policy.getName()); + } perfTag = perfTagBuffer.toString();
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/store/AbstractTagStore.java b/agents-common/src/main/java/org/apache/ranger/plugin/store/AbstractTagStore.java
index f22a87a..43d2254 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/store/AbstractTagStore.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/store/AbstractTagStore.java
@@ -113,32 +113,35 @@ List<RangerServiceResource> serviceResources = getServiceResourcesByService(serviceName); - Set<Long> tagsToDelete = new HashSet<Long>(); + if (serviceResources != null) { + + Set<Long> tagsToDelete = new HashSet<Long>(); - for (RangerServiceResource serviceResource : serviceResources) { - Long resourceId = serviceResource.getId(); + for (RangerServiceResource serviceResource : serviceResources) { + Long resourceId = serviceResource.getId(); - List<RangerTagResourceMap> tagResourceMapsForService = getTagResourceMapsForResourceId(resourceId); + List<RangerTagResourceMap> tagResourceMapsForService = getTagResourceMapsForResourceId(resourceId); - if (isResourePrivateTag) { + if (isResourePrivateTag) { + for (RangerTagResourceMap tagResourceMap : tagResourceMapsForService) { + Long tagId = tagResourceMap.getTagId(); + RangerTag tag = getTag(tagId); + tagsToDelete.add(tag.getId()); + } + } for (RangerTagResourceMap tagResourceMap : tagResourceMapsForService) { - Long tagId = tagResourceMap.getTagId(); - RangerTag tag = getTag(tagId); - tagsToDelete.add(tag.getId()); + deleteTagResourceMap(tagResourceMap.getId()); } } - for (RangerTagResourceMap tagResourceMap : tagResourceMapsForService) { - deleteTagResourceMap(tagResourceMap.getId()); + + for (RangerServiceResource serviceResource : serviceResources) { + deleteServiceResource(serviceResource.getId()); } - } - for (RangerServiceResource serviceResource : serviceResources) { - deleteServiceResource(serviceResource.getId()); - } - - for (Long tagId : tagsToDelete) { - deleteTag(tagId); + for (Long tagId : tagsToDelete) { + deleteTag(tagId); + } } if (LOG.isDebugEnabled()) {
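Review bot: Inside the new `isResourePrivateTag` loop, `getTag(tagId)` is called only to read back `tag.getId()`, which is the same value as `tagId`; if `getTag` returns null for a stale mapping this dereference throws and aborts the whole service cleanup half-way through. Replace the lookup with `tagsToDelete.add(tagResourceMap.getTagId());` and the `RangerTag tag = getTag(tagId);` line goes away. The hunk now guards `serviceResources` against null but still iterates `tagResourceMapsForService` unguarded; for consistency give it the same `if (... != null)` treatment or document that `getTagResourceMapsForResourceId` never returns null. The enclosing method starts before and ends after this hunk.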
diff --git a/agents-common/src/main/resources/service-defs/ranger-servicedef-yarn.json b/agents-common/src/main/resources/service-defs/ranger-servicedef-yarn.json
index ff1f39f..ff93dfe 100644
--- a/agents-common/src/main/resources/service-defs/ranger-servicedef-yarn.json
+++ b/agents-common/src/main/resources/service-defs/ranger-servicedef-yarn.json
@@ -82,6 +82,19 @@ { "itemId": 4, + "name": "hadoop.security.authentication", + "type": "enum", + "subType": "authnType", + "mandatory": true, + "validationRegEx":"", + "validationMessage": "", + "uiHint":"", + "label": "Authentication Type", + "defaultValue": "simple" + }, + + { + "itemId": 5, "name": "commonNameForCertificate", "type": "string", "mandatory": false, @@ -90,11 +103,31 @@ "uiHint":"", "label": "Common Name for Certificate" } + ], "enums": [ - + { + "itemId": 1, + "name": "authnType", + "elements": + [ + { + "itemId": 1, + "name": "simple", + "label": "Simple" + }, + + { + "itemId": 2, + "name": "kerberos", + "label": "Kerberos" + } + ], + + "defaultIndex": 0 + } ], "contextEnrichers":
diff --git a/agents-common/src/test/resources/policyengine/test_policyengine_tag_hive.json b/agents-common/src/test/resources/policyengine/test_policyengine_tag_hive.json
index cb07b17..0893f44 100644
--- a/agents-common/src/test/resources/policyengine/test_policyengine_tag_hive.json
+++ b/agents-common/src/test/resources/policyengine/test_policyengine_tag_hive.json
@@ -126,12 +126,6 @@ } ], "contextEnrichers": [ - { - "itemId": 1, - "name" : "TagEnricher", - "enricher" : "org.apache.ranger.plugin.contextenricher.RangerTagEnricher", - "enricherOptions" : {"tagRetrieverClassName":"org.apache.ranger.plugin.contextenricher.RangerAdminTagRetriever", "tagRefresherPollingInterval":60000, "dataFile":"/etc/ranger/data/resourceTags.txt"} - } ], "policyConditions": [ {
diff --git a/plugin-yarn/src/main/java/org/apache/ranger/services/yarn/client/YarnClient.java b/plugin-yarn/src/main/java/org/apache/ranger/services/yarn/client/YarnClient.java
index fc07760..0f3ed89 100644
--- a/plugin-yarn/src/main/java/org/apache/ranger/services/yarn/client/YarnClient.java
+++ b/plugin-yarn/src/main/java/org/apache/ranger/services/yarn/client/YarnClient.java
@@ -19,6 +19,9 @@ package org.apache.ranger.services.yarn.client; +import java.net.Authenticator; +import java.net.PasswordAuthentication; +import java.security.PrivilegedAction; import java.util.ArrayList; import java.util.HashMap; import java.util.List; @@ -26,6 +29,7 @@ import java.util.concurrent.Callable; import java.util.concurrent.TimeUnit; +import javax.security.auth.Subject; import org.apache.commons.io.FilenameUtils; import org.apache.log4j.Logger; @@ -40,7 +44,7 @@ import com.sun.jersey.api.client.ClientResponse; import com.sun.jersey.api.client.WebResource; -public class YarnClient { +public class YarnClient extends BaseClient { public static final Logger LOG = Logger.getLogger(YarnClient.class) ; 
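Review bot: `java.net.Authenticator` and `java.net.PasswordAuthentication` are added to the import list, but no line of `YarnClient` changed in this commit references either type; the REST call in `getQueueList` still uses a bare `Client.create()`. If they are left over from an abandoned Basic-auth attempt, drop the two imports; if a default `Authenticator` is installed somewhere outside these hunks, a one-line comment next to the imports saying where would save the next reader the search. The class now extends `BaseClient`, so the `LOG` field declared here shadows whatever logger the base class exposes — worth confirming that is intended.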
@@ -57,16 +61,27 @@ String userName; String password; - public YarnClient(String yarnQueueUrl, String yarnUserName, String yarnPassWord) { + public YarnClient(String serviceName, Map<String, String> configs) { + + super(serviceName,configs,"yarn-client") ; + + this.yarnQUrl = configs.get("yarn.url"); + this.userName = configs.get("username"); + this.password = configs.get("password"); - this.yarnQUrl = yarnQueueUrl; - this.userName = yarnUserName ; - this.password = yarnPassWord; - + if (this.yarnQUrl == null || this.yarnQUrl.isEmpty()) { + LOG.error("No value found for configuration 'yarn.url'. YARN resource lookup will fail"); + } + if (this.userName == null || this.userName.isEmpty()) { + LOG.error("No value found for configuration 'usename'. YARN resource lookup will fail"); + } + if (this.password == null || this.password.isEmpty()) { + LOG.error("No value found for configuration 'password'. YARN resource lookup will fail"); + } + if (LOG.isDebugEnabled()) { - LOG.debug("Yarn Client is build with url [" + yarnQueueUrl + "] user: [" + yarnPassWord + "], password: [" + "" + "]"); + LOG.debug("Yarn Client is build with url [" + this.yarnQUrl + "] user: [" + this.userName + "], password: [" + "*********" + "]"); } - } public List<String> getQueueList(final String queueNameMatching, final List<String> existingQueueList) { 
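Review bot: The constructor now only logs when `yarn.url`, `username` or `password` is missing and then returns a usable-looking client, whereas the previous factory in `YarnConnectionMgr` refused to build one; a missing `yarn.url` will later be concatenated into a request URL as the string "null" by `getQueueList`. Either throw from the constructor (`throw new IllegalArgumentException("yarn.url is required for YARN resource lookup");`) or keep the null-return behaviour in the factory. The second error message has a typo, `'usename'`, and should read `"No value found for configuration 'username'. YARN resource lookup will fail"`. Masking the password in the debug line is the right call; the old line logged the password where the user name should have been, so this hunk also closes a credential-leak in the debug log.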
@@ -74,107 +89,122 @@ if (LOG.isDebugEnabled()) { LOG.debug("Getting Yarn queue list for queueNameMatching : " + queueNameMatching); } - final String errMsg = errMessage; + final String errMsg = errMessage; List<String> ret = null; - - Callable<List<String>> yarnQueueListGetter = new Callable<List<String>>() { + + Callable<List<String>> callableYarnQListGetter = new Callable<List<String>>() { + @Override public List<String> call() { - - List<String> lret = new ArrayList<String>(); - - String url = yarnQUrl + YARN_LIST_API_ENDPOINT ; - - Client client = null ; - ClientResponse response = null ; - - try { - client = Client.create() ; - - WebResource webResource = client.resource(url); - - response = webResource.accept(EXPECTED_MIME_TYPE) - .get(ClientResponse.class); - - if (LOG.isDebugEnabled()) { - LOG.debug("getQueueList():calling " + url); - } - - if (response != null) { - if (LOG.isDebugEnabled()) { - LOG.debug("getQueueList():response.getStatus()= " + response.getStatus()); - } - if (response.getStatus() == 200) { - String jsonString = response.getEntity(String.class); - Gson gson = new GsonBuilder().setPrettyPrinting().create(); - YarnSchedulerResponse yarnQResponse = gson.fromJson(jsonString, YarnSchedulerResponse.class); - if (yarnQResponse != null) { - List<String> yarnQueueList = yarnQResponse.getQueueNames(); - if (yarnQueueList != null) { - for ( String yarnQueueName : yarnQueueList) { - if ( existingQueueList != null && existingQueueList.contains(yarnQueueName)) { - continue; - } - if (queueNameMatching == null || queueNameMatching.isEmpty() - || yarnQueueName.startsWith(queueNameMatching)) { - if (LOG.isDebugEnabled()) { - LOG.debug("getQueueList():Adding yarnQueue " + yarnQueueName); + List<String> yarnQueueListGetter = null; + + Subject subj = getLoginSubject(); + + if (subj != null) { + yarnQueueListGetter = Subject.doAs(subj, new PrivilegedAction<List<String>>() { + + @Override + public List<String> run() { + + List<String> lret = new 
ArrayList<String>(); + + String url = yarnQUrl + YARN_LIST_API_ENDPOINT ; + + Client client = null ; + + ClientResponse response = null ; + + try { + client = Client.create() ; + + WebResource webResource = client.resource(url); + + response = webResource.accept(EXPECTED_MIME_TYPE) + .get(ClientResponse.class); + + if (LOG.isDebugEnabled()) { + LOG.debug("getQueueList():calling " + url); + } + + if (response != null) { + if (LOG.isDebugEnabled()) { + LOG.debug("getQueueList():response.getStatus()= " + response.getStatus()); + } + if (response.getStatus() == 200) { + String jsonString = response.getEntity(String.class); + Gson gson = new GsonBuilder().setPrettyPrinting().create(); + YarnSchedulerResponse yarnQResponse = gson.fromJson(jsonString, YarnSchedulerResponse.class); + if (yarnQResponse != null) { + List<String> yarnQueueList = yarnQResponse.getQueueNames(); + if (yarnQueueList != null) { + for ( String yarnQueueName : yarnQueueList) { + if ( existingQueueList != null && existingQueueList.contains(yarnQueueName)) { + continue; + } + if (queueNameMatching == null || queueNameMatching.isEmpty() + || yarnQueueName.startsWith(queueNameMatching)) { + if (LOG.isDebugEnabled()) { + LOG.debug("getQueueList():Adding yarnQueue " + yarnQueueName); + } + lret.add(yarnQueueName) ; + } } - lret.add(yarnQueueName) ; } } - } + } else{ + LOG.info("getQueueList():response.getStatus()= " + response.getStatus() + " for URL " + url + ", so returning null list"); + String jsonString = response.getEntity(String.class); + LOG.info(jsonString); + lret = null; } - } else{ - LOG.info("getQueueList():response.getStatus()= " + response.getStatus() + " for URL " + url + ", so returning null list"); - String jsonString = response.getEntity(String.class); - LOG.info(jsonString); + } else { + lret = null; + String msgDesc = "Unable to get a valid response for " + + "expected mime type : [" + EXPECTED_MIME_TYPE + + "] URL : " + url + " - got null response."; + LOG.error(msgDesc); + 
HadoopException hdpException = new HadoopException(msgDesc); + hdpException.generateResponseDataMap(false, msgDesc, + msgDesc + errMsg, null, null); + throw hdpException; + } + } catch (HadoopException he) { lret = null; - } - } else { - lret = null; - String msgDesc = "Unable to get a valid response for " - + "expected mime type : [" + EXPECTED_MIME_TYPE - + "] URL : " + url + " - got null response."; - LOG.error(msgDesc); - HadoopException hdpException = new HadoopException(msgDesc); - hdpException.generateResponseDataMap(false, msgDesc, - msgDesc + errMsg, null, null); - throw hdpException; - } - } catch (HadoopException he) { - lret = null; - throw he; - } catch (Throwable t) { - lret = null; - String msgDesc = "Exception while getting Yarn Queue List." - + " URL : " + url; - HadoopException hdpException = new HadoopException(msgDesc, - t); - - LOG.error(msgDesc, t); + throw he; + } catch (Throwable t) { + lret = null; + String msgDesc = "Exception while getting Yarn Queue List." + + " URL : " + url; + HadoopException hdpException = new HadoopException(msgDesc, + t); - hdpException.generateResponseDataMap(false, - BaseClient.getMessage(t), msgDesc + errMsg, null, - null); - throw hdpException; - - } finally { - if (response != null) { - response.close(); + LOG.error(msgDesc, t); + + hdpException.generateResponseDataMap(false, + BaseClient.getMessage(t), msgDesc + errMsg, null, + null); + throw hdpException; + + } finally { + if (response != null) { + response.close(); + } + + if (client != null) { + client.destroy(); + } + } + return lret ; } - - if (client != null) { - client.destroy(); - } + } ); } - return lret ; - } - } ; + return yarnQueueListGetter; + } + }; try { - ret = timedTask(yarnQueueListGetter, 5, TimeUnit.SECONDS); + ret = timedTask(callableYarnQListGetter, 5, TimeUnit.SECONDS); } catch ( Throwable t) { LOG.error("Unable to get Yarn Queue list from [" + yarnQUrl + "]", t) ; String msgDesc = "Unable to get a valid response for " 
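Review bot: When `getLoginSubject()` returns null the new `if (subj != null)` wrapper skips the REST call entirely and `call()` returns null with no log line, so a lookup that used to at least attempt the request now fails silently; add an `else` branch such as `LOG.error("getQueueList(): no login subject for service, skipping YARN queue lookup");` or throw a `HadoopException` there so the admin UI shows a reason. Inside the privileged action the Jersey client is still created with `Client.create()` and nothing attaches `userName`/`password` to the request, so the credentials the constructor insists on are, as far as this hunk shows, never sent; if `BaseClient`'s subject carries a Kerberos login that is fine for SPNEGO, but the simple-auth case deserves a comment or a Basic-auth filter. The non-200 branch still logs the full response body at INFO, which can echo server error pages into the log. The hunk also reindents the whole body, which makes the functional change hard to spot; a separate whitespace-only commit would help reviewers.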
@@ -243,12 +273,7 @@ + errMsg, null, null); throw hdpException; } else { - String yarnUrl = configs.get("yarn.url"); - String yarnUserName = configs.get("username"); - String yarnPassWord = configs.get("password"); - yarnClient = new YarnClient (yarnUrl, yarnUserName, - yarnPassWord); - + yarnClient = new YarnClient (serviceName, configs); } return yarnClient; } @@ -299,5 +324,4 @@ TimeUnit timeUnit) throws Exception { return callableObj.call(); } - }
diff --git a/plugin-yarn/src/main/java/org/apache/ranger/services/yarn/client/YarnConnectionMgr.java b/plugin-yarn/src/main/java/org/apache/ranger/services/yarn/client/YarnConnectionMgr.java
index e2cc2ef..1d39998 100644
--- a/plugin-yarn/src/main/java/org/apache/ranger/services/yarn/client/YarnConnectionMgr.java
+++ b/plugin-yarn/src/main/java/org/apache/ranger/services/yarn/client/YarnConnectionMgr.java
@@ -19,25 +19,17 @@ package org.apache.ranger.services.yarn.client; +import java.util.Map; + import org.apache.log4j.Logger; public class YarnConnectionMgr { public static final Logger LOG = Logger.getLogger(YarnConnectionMgr.class); - - public static YarnClient getYarnClient(final String yarnURL, String userName, String password) { - YarnClient yarnClient = null; - if (yarnURL == null || yarnURL.isEmpty()) { - LOG.error("Can not create YarnClient: yarnURL is empty"); - } else if (userName == null || userName.isEmpty()) { - LOG.error("Can not create YarnClient: YarnuserName is empty"); - } else if (password == null || password.isEmpty()) { - LOG.error("Can not create YarnClient: YarnPassWord is empty"); - } else { - yarnClient = new YarnClient(yarnURL, userName, password); - } - return yarnClient; + + public static YarnClient getYarnClient(String serviceName, Map<String, String> configs) { + return new YarnClient(serviceName, configs); } }
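Review bot: `getYarnClient` can no longer return null, so the `if (yarnClient != null)` check that `YarnResourceMgr.getYarnResource` still performs is dead code, and a config with an empty `yarn.url` or `password` now reaches the REST call instead of being rejected up front. If the validation is meant to live in the `YarnClient` constructor, the constructor should throw rather than log, and the factory should document that, e.g. `/** Builds a YarnClient from the service configs; the constructor validates yarn.url/username/password. */`. Otherwise keep the empty-value checks here and return null as before.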
diff --git a/plugin-yarn/src/main/java/org/apache/ranger/services/yarn/client/YarnResourceMgr.java b/plugin-yarn/src/main/java/org/apache/ranger/services/yarn/client/YarnResourceMgr.java
index 95d29c0..97fdf19 100644
--- a/plugin-yarn/src/main/java/org/apache/ranger/services/yarn/client/YarnResourceMgr.java
+++ b/plugin-yarn/src/main/java/org/apache/ranger/services/yarn/client/YarnResourceMgr.java
@@ -65,23 +65,17 @@ } else { yarnQueueName = userInput; } - - + if (configs == null || configs.isEmpty()) { LOG.error("Connection Config is empty"); - } else { - - String url = configs.get("yarn.url"); - String username = configs.get("username"); - String password = configs.get("password"); - resultList = getYarnResource(url, username, password,yarnQueueName,yarnQueueList) ; + resultList = getYarnResource(serviceName, configs, yarnQueueName,yarnQueueList) ; } return resultList ; } - public static List<String> getYarnResource(String url, String username, String password,String yarnQueueName, List<String> yarnQueueList) { - final YarnClient yarnClient = YarnConnectionMgr.getYarnClient(url, username, password); + public static List<String> getYarnResource(String serviceName, Map<String, String> configs, String yarnQueueName, List<String> yarnQueueList) { + final YarnClient yarnClient = YarnConnectionMgr.getYarnClient(serviceName, configs); List<String> topologyList = null; if (yarnClient != null) { synchronized(yarnClient) {
diff --git a/security-admin/src/main/java/org/apache/ranger/security/web/authentication/CustomLogoutSuccessHandler.java b/security-admin/src/main/java/org/apache/ranger/security/web/authentication/CustomLogoutSuccessHandler.java
index 6a91834..237fb50 100644
--- a/security-admin/src/main/java/org/apache/ranger/security/web/authentication/CustomLogoutSuccessHandler.java
+++ b/security-admin/src/main/java/org/apache/ranger/security/web/authentication/CustomLogoutSuccessHandler.java
@@ -43,6 +43,8 @@ HttpServletResponse response, Authentication authentication) throws IOException, ServletException { + request.getServletContext().removeAttribute(request.getRequestedSessionId()); + response.setContentType("application/json;charset=UTF-8"); response.setHeader("Cache-Control", "no-cache"); response.setHeader("X-Frame-Options", "DENY");
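Review bot: `request.getRequestedSessionId()` is null for a logout request that carries no session cookie, and `ServletContext.removeAttribute(null)` is not null-safe on common containers (Tomcat backs it with a `ConcurrentHashMap`), so the added line can turn such a logout into a 500. Guard it: `String sid = request.getRequestedSessionId(); if (sid != null) { request.getServletContext().removeAttribute(sid); }`. Note also that this is the only place the "locallogin" marker keyed by session id is removed, so sessions that expire without an explicit logout leave their entry in the application-wide context indefinitely. The method enclosing this hunk starts before it.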
diff --git a/security-admin/src/main/java/org/apache/ranger/security/web/authentication/RangerAuthenticationEntryPoint.java b/security-admin/src/main/java/org/apache/ranger/security/web/authentication/RangerAuthenticationEntryPoint.java
index 0b61498..b3d59eb 100644
--- a/security-admin/src/main/java/org/apache/ranger/security/web/authentication/RangerAuthenticationEntryPoint.java
+++ b/security-admin/src/main/java/org/apache/ranger/security/web/authentication/RangerAuthenticationEntryPoint.java
@@ -133,6 +133,7 @@ if(requestURL.contains(RangerSSOAuthenticationFilter.LOCAL_LOGIN_URL)){ if (request.getSession() != null) request.getSession().setAttribute("locallogin","true"); + request.getServletContext().setAttribute(request.getSession().getId(), "locallogin"); } super.commence(request, response, authException); }
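Review bot: The added line calls `request.getSession().getId()` outside the `if (request.getSession() != null)` that protects the line above it, so the null check no longer guards anything (and `getSession()` with no argument will create a session anyway, which is probably not what the check intended). Move the new line inside a braced block: `if (request.getSession() != null) { request.getSession().setAttribute("locallogin","true"); request.getServletContext().setAttribute(request.getSession().getId(), "locallogin"); }`. Storing a per-session marker in the shared `ServletContext` keyed by session id is also worth a one-line comment explaining why the session attribute alone is not enough (presumably because the session is recreated on the SSO path), since nothing here evicts the entry when the session times out.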
diff --git a/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerSSOAuthenticationFilter.java b/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerSSOAuthenticationFilter.java
index af3c58a..f79db6b 100644
--- a/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerSSOAuthenticationFilter.java
+++ b/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerSSOAuthenticationFilter.java
@@ -108,26 +108,37 @@ @Override public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain)throws IOException, ServletException { + HttpServletRequest httpRequest = (HttpServletRequest)servletRequest; + if (httpRequest.getRequestedSessionId() != null && !httpRequest.isRequestedSessionIdValid()) + { + if(httpRequest.getServletContext().getAttribute(httpRequest.getRequestedSessionId()) != null && httpRequest.getServletContext().getAttribute(httpRequest.getRequestedSessionId()).toString().equals("locallogin")){ + ssoEnabled = false; + httpRequest.getSession().setAttribute("locallogin","true"); + httpRequest.getServletContext().removeAttribute(httpRequest.getRequestedSessionId()); + } + } + RangerSecurityContext context = RangerContextHolder.getSecurityContext(); UserSessionBase session = context != null ? context.getUserSession() : null; ssoEnabled = session != null ? session.isSSOEnabled() : PropertiesUtil.getBooleanProperty("ranger.sso.enabled", false); - String userAgent = ((HttpServletRequest)servletRequest).getHeader("User-Agent"); - if(((HttpServletRequest) servletRequest).getSession() != null){ - if(((HttpServletRequest) servletRequest).getSession().getAttribute("locallogin") != null){ + String userAgent = httpRequest.getHeader("User-Agent"); + if(httpRequest.getSession() != null){ + if(httpRequest.getSession().getAttribute("locallogin") != null){ ssoEnabled = false; servletRequest.setAttribute("ssoEnabled", false); filterChain.doFilter(servletRequest, servletResponse); return; } - } + } + //If sso is enable and request is not for local login and is from browser then it will go inside and try for knox sso authentication - if (ssoEnabled && !((HttpServletRequest) servletRequest).getRequestURI().contains(LOCAL_LOGIN_URL) && isWebUserAgent(userAgent)) { + if (ssoEnabled && !httpRequest.getRequestURI().contains(LOCAL_LOGIN_URL) && isWebUserAgent(userAgent)) { //if jwt properties are loaded and is current not 
authenticated then it will go for sso authentication + //Note : Need to remove !isAuthenticated() after knoxsso solve the bug from cross-origin script if (jwtProperties != null && !isAuthenticated()) { - HttpServletRequest httpServletRequest = (HttpServletRequest) servletRequest; HttpServletResponse httpServletResponse = (HttpServletResponse) servletResponse; - String serializedJWT = getJWTFromCookie(httpServletRequest); + String serializedJWT = getJWTFromCookie(httpRequest); // if we get the hadoop-jwt token from the cookies then will process it further if (serializedJWT != null) { SignedJWT jwtToken = null; @@ -144,9 +155,11 @@ if (userName != null && !userName.trim().isEmpty()) { final List<GrantedAuthority> grantedAuths = new ArrayList<>(); grantedAuths.add(new SimpleGrantedAuthority(rangerLdapDefaultRole)); + grantedAuths.add(new SimpleGrantedAuthority("ROLE_SYS_ADMIN")); + grantedAuths.add(new SimpleGrantedAuthority("ROLE_KEY_ADMIN")); final UserDetails principal = new User(userName, "",grantedAuths); final Authentication finalAuthentication = new UsernamePasswordAuthenticationToken(principal, "", grantedAuths); - WebAuthenticationDetails webDetails = new WebAuthenticationDetails(httpServletRequest); + WebAuthenticationDetails webDetails = new WebAuthenticationDetails(httpRequest); ((AbstractAuthenticationToken) finalAuthentication).setDetails(webDetails); RangerAuthenticationProvider authenticationProvider = new RangerAuthenticationProvider(); authenticationProvider.setSsoEnabled(ssoEnabled); @@ -158,7 +171,7 @@ } // if the token is not valid then redirect to knox sso else { - String ssourl = constructLoginURL(httpServletRequest); + String ssourl = constructLoginURL(httpRequest); if(LOG.isDebugEnabled()) LOG.debug("SSO URL = " + ssourl); httpServletResponse.sendRedirect(ssourl); 
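Review bot: In the new block at the top of `doFilter`, `ssoEnabled = false;` is overwritten a few lines later by the unconditional `ssoEnabled = session != null ? session.isSSOEnabled() : ...`, so the assignment has no effect and only the `locallogin` session attribute actually changes the outcome; drop that line. `ssoEnabled` is not declared in this method, so it appears to be a field of the filter, which is a single instance shared by all concurrent requests; writing per-request state into it is a race and the value should be a local. The lookup key `httpRequest.getRequestedSessionId()` comes straight from the client's cookie, and `getAttribute` is evaluated twice; read it once, `Object marker = httpRequest.getServletContext().getAttribute(httpRequest.getRequestedSessionId());`, and add a comment that an attacker supplying an arbitrary id can at most force the local-login path for their own request.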
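Review bot: The second hunk grants `ROLE_SYS_ADMIN` and `ROLE_KEY_ADMIN` to every user who arrives with a valid Knox JWT, before `RangerAuthenticationProvider` has looked the user up; unless the provider replaces the authorities on the returned token (which is outside this hunk), any SSO user becomes a Ranger and key administrator, which is a privilege escalation. Remove the two `grantedAuths.add(...)` lines and derive the roles from the user's stored roles after authentication, or if this was needed to get past a bootstrap problem, say so in a comment and gate it on configuration rather than applying it to all SSO logins. The `//Note : Need to remove !isAuthenticated()` comment should name the tracked Knox issue so the workaround can be retired.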
@@ -169,7 +182,7 @@ } // if the jwt token is not available then redirect it to knox sso else { - String ssourl = constructLoginURL(httpServletRequest); + String ssourl = constructLoginURL(httpRequest); if(LOG.isDebugEnabled()) LOG.debug("SSO URL = " + ssourl); httpServletResponse.sendRedirect(ssourl);
diff --git a/security-admin/src/main/webapp/scripts/views/common/ProfileBar.js b/security-admin/src/main/webapp/scripts/views/common/ProfileBar.js
index 0bb9648..c6301c3 100644
--- a/security-admin/src/main/webapp/scripts/views/common/ProfileBar.js
+++ b/security-admin/src/main/webapp/scripts/views/common/ProfileBar.js
@@ -49,10 +49,10 @@ events: function() { var events = {}; //events['change ' + this.ui.input] = 'onInputChange'; - events['click ' + this.ui.logout] = 'onLogout'; + events['click ' + this.ui.logout] = 'checkKnoxSSO'; return events; }, - onLogout : function(){ + onLogout : function(checksso){ var url = 'security-admin-web/logout.html', that = this; $.ajax({ @@ -62,8 +62,15 @@ "cache-control" : "no-cache" }, success : function() { - that.checkKnoxSSO() -// window.location.replace('login.jsp'); + if(!_.isUndefined(checksso) && checksso){ + if(checksso == 'false'){ + window.location.replace('locallogin'); + }else{ + window.location.replace(''); + } + } else { + window.location.replace('login.jsp'); + } }, error : function(jqXHR, textStatus, err ) { } @@ -71,7 +78,7 @@ }); }, checkKnoxSSO : function(){ - var url = 'service/plugins/checksso'; + var that =this, url = 'service/plugins/checksso'; $.ajax({ url : url, type : 'GET', @@ -79,19 +86,13 @@ "cache-control" : "no-cache" }, success : function(resp) { - console.log(resp) - if(!_.isUndefined(resp) && resp){ - window.location.replace(''); - } else { - window.location.replace('login.jsp'); - } + that.onLogout(resp); }, error : function(jqXHR, textStatus, err ) { if( jqXHR.status == 419 ){ window.location.replace('login.jsp'); } } - }); }, /**
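Review bot: Logout is now only issued from the success callback of `checkKnoxSSO`, and the error callback handles just status 419, so if `service/plugins/checksso` fails for any other reason the logout request is never sent and the user stays authenticated after clicking Logout; call the logout anyway, e.g. `error : function(jqXHR, textStatus, err ) { that.onLogout(); }` (the existing 419 redirect can stay inside that branch). In `onLogout`, `checksso == 'false'` compares against a string while the guard `!_.isUndefined(checksso) && checksso` treats it as a boolean, so a boolean `false` response goes to `login.jsp` and the string `"false"` goes to `locallogin`; normalise the response once, `var sso = String(checksso) === 'true';`, and branch on that. A short comment on what `checksso` returns would make the intended contract clear.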