Posted to issues@metron.apache.org by simonellistonball <gi...@git.apache.org> on 2018/07/19 12:11:41 UTC

[GitHub] metron pull request #1112: METRON-1668 Remove login services and screens fro...

GitHub user simonellistonball opened a pull request:

    https://github.com/apache/metron/pull/1112

    METRON-1668 Remove login services and screens from UIs

    ## Contributor Comments
    
    Removing the login screens and modules from the UIs since they are superfluous in the SSO context, and no longer have an authentication engine to back them.
    
    This can be tested by authenticating with basic auth against the new hosts in METRON-1665 and then ensuring the UIs still function, and by ensuring the UIs do not redirect to a login.
    
    The authentication will be handled by the hosts that allow loading of the UIs redirecting the browser to a KnoxSSO endpoint, handled in METRON-1665.
    
    Note, handling jwt cookie expiry is not included here, but will be left as a follow-on task with separate ticketing.
    
    
    ## Pull Request Checklist
    
    Thank you for submitting a contribution to Apache Metron.  
    Please refer to our [Development Guidelines](https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=61332235) for the complete guide to follow for contributions.  
    Please refer also to our [Build Verification Guidelines](https://cwiki.apache.org/confluence/display/METRON/Verifying+Builds?show-miniview) for complete smoke testing guides.  
    
    
    In order to streamline the review of the contribution we ask you follow these guidelines and ask you to double check the following:
    
    ### For all changes:
    - [x] Is there a JIRA ticket associated with this PR? If not one needs to be created at [Metron Jira](https://issues.apache.org/jira/browse/METRON/?selectedTab=com.atlassian.jira.jira-projects-plugin:summary-panel).
    - [x] Does your PR title start with METRON-XXXX where XXXX is the JIRA number you are trying to resolve? Pay particular attention to the hyphen "-" character.
    - [x] Has your PR been rebased against the latest commit within the target branch (typically master)?
    
    
    ### For code changes:
    - [x] Have you included steps to reproduce the behavior or problem that is being changed or addressed?
    - [x] Have you included steps or a guide to how the change may be verified and tested manually?
    - [x] Have you ensured that the full suite of tests and checks have been executed in the root metron folder via:
      ```
      mvn -q clean integration-test install && dev-utilities/build-utils/verify_licenses.sh 
      ```
    
    - [x] Have you written or updated unit tests and/or integration tests to verify your changes?
    - [x] If adding new dependencies to the code, are these dependencies licensed in a way that is compatible for inclusion under [ASF 2.0](http://www.apache.org/legal/resolved.html#category-a)?
    - [x] Have you verified the basic functionality of the build by building and running locally with Vagrant full-dev environment or the equivalent?
    
    ### For documentation related changes:
    - [ ] Have you ensured that the format looks appropriate for the output in which it is rendered by building and verifying the site-book? If not then run the following commands and then verify the changes via `site-book/target/site/index.html`:
    
      ```
      cd site-book
      mvn site
      ```
    
    #### Note:
    Please ensure that once the PR is submitted, you check travis-ci for build issues and submit an update to your PR as soon as possible.
    It is also recommended that [travis-ci](https://travis-ci.org) is set up for your personal repository such that your branches are built there before submitting a pull request.


You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/simonellistonball/metron METRON-1668

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/metron/pull/1112.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #1112
    
----
commit 45b8059ae32e8892a281a60ed802f9be973992d6
Author: Simon Elliston Ball <si...@...>
Date:   2018-07-19T10:26:57Z

    Removed login screen from alerts UI

commit 2c7909a3dd7a1c0eea588c0b58638f46d41a6f76
Author: Simon Elliston Ball <si...@...>
Date:   2018-07-19T10:36:18Z

    Removed login screen from config UI

----


---

[GitHub] metron issue #1112: METRON-1668 Remove login services and screens from UIs

Posted by simonellistonball <gi...@git.apache.org>.
Github user simonellistonball commented on the issue:

    https://github.com/apache/metron/pull/1112
  
    Patience, patience :) https://issues.apache.org/jira/browse/METRON-1664 will set all this up in ambari to work on full-dev with an embedded ldap (instead of the current embedded h2) and Knox doing the SSO.


---

[GitHub] metron issue #1112: METRON-1668 Remove login services and screens from UIs

Posted by simonellistonball <gi...@git.apache.org>.
Github user simonellistonball commented on the issue:

    https://github.com/apache/metron/pull/1112
  
    It would also support ldap authentication, via basic auth.


---

[GitHub] metron issue #1112: METRON-1668 Remove login services and screens from UIs

Posted by ottobackwards <gi...@git.apache.org>.
Github user ottobackwards commented on the issue:

    https://github.com/apache/metron/pull/1112
  
    I don't understand, how are you going to do the auth without the login screen?


---

[GitHub] metron issue #1112: METRON-1668 Remove login services and screens from UIs

Posted by ottobackwards <gi...@git.apache.org>.
Github user ottobackwards commented on the issue:

    https://github.com/apache/metron/pull/1112
  
    It seems strange to me to ONLY support SSO.  Most things support a local configuration and SSO or 'other' on demand. 


---

[GitHub] metron issue #1112: METRON-1668 Remove login services and screens from UIs

Posted by simonellistonball <gi...@git.apache.org>.
Github user simonellistonball commented on the issue:

    https://github.com/apache/metron/pull/1112
  
    In the case of non-SSO ldap auth, there is a login form, it's just embedded in the spring bits instead of the angular bits. It's not as pretty, but we could add a login.jsp to make it exactly the same experience (but with a lower angular maintenance surface).
    
    In the SSO scenario, Knox provides a login form, so we don't need or want one in the angular app.
    
    In the direct api access scenario, you could provide a bearer token for SSO with a jwt, or for non-SSO you would just provide basic auth creds and that would auth against LDAP.
    
    So, you can still provide creds, through either a token, or a browser based form in all scenarios. 



---

[GitHub] metron issue #1112: METRON-1668 Remove login services and screens from UIs

Posted by merrimanr <gi...@git.apache.org>.
Github user merrimanr commented on the issue:

    https://github.com/apache/metron/pull/1112
  
    I noticed that I can no longer start the Alerts UI locally for development purposes.  Since the spring boot hosting application handles SSO with knox there is no way to authenticate running outside of that with something like `ng serve`.   We will need to come up with a strategy for this case.


---

[GitHub] metron pull request #1112: METRON-1668 Remove login services and screens fro...

Posted by simonellistonball <gi...@git.apache.org>.
Github user simonellistonball closed the pull request at:

    https://github.com/apache/metron/pull/1112


---

[GitHub] metron issue #1112: METRON-1668 Remove login services and screens from UIs

Posted by ottobackwards <gi...@git.apache.org>.
Github user ottobackwards commented on the issue:

    https://github.com/apache/metron/pull/1112
  
    or, maybe we are just missing each other here, and you can explain how the user will sign on.  SSO doesn't mean no sign on.  How will I now provide my user name and password in the app?


---

[GitHub] metron issue #1112: METRON-1668 Remove login services and screens from UIs

Posted by mmiklavc <gi...@git.apache.org>.
Github user mmiklavc commented on the issue:

    https://github.com/apache/metron/pull/1112
  
    To @merrimanr 's point, can we provide a config flag to disable auth altogether, if desired? Maybe an Ambari config dropdown?, e.g. "NONE, KNOX SSO." Not sure what your plan is with the Ambari config in 1664, but I think that making SSO enabled/disabled as configurable like we do with Kerberos would be desirable. I realize there's very likely config and properties to deal with as supplied by Knox when setting it up in Ambari. I just don't know off the top of my head how much is automated (again, like Kerberos across the entire cluster) vs what's ad-hoc and per-component/service. Thoughts?


---

[GitHub] metron issue #1112: METRON-1668 Remove login services and screens from UIs

Posted by ottobackwards <gi...@git.apache.org>.
Github user ottobackwards commented on the issue:

    https://github.com/apache/metron/pull/1112
  
    "The authentication will be handled by the hosts that allow loading of the UIs redirecting the browser to a KnoxSSO endpoint, handled in METRON-1665"
    
    How is this going to work in vagrant?
    What will be the new minimum required setup for security to use Metron's UIs now?


---

[GitHub] metron issue #1112: METRON-1668 Remove login services and screens from UIs

Posted by simonellistonball <gi...@git.apache.org>.
Github user simonellistonball commented on the issue:

    https://github.com/apache/metron/pull/1112
  
    @mmiklavc the knoxsso is enabled with a toggle in the mpack, to follow the pattern for NiFi, Ranger and Atlas etc. There is a kind of failover of auth methods: knoxsso, ldap, nothing in our case. Many of the API calls require auth because they use username to load settings in the rest backend. As such I’m not sure no-auth makes sense, but maybe a default to anon would allow @rmerriman’s use case of dev runs, I’d still say that was a case for a mock backend though, in angular rather than rest.


---

[GitHub] metron issue #1112: METRON-1668 Remove login services and screens from UIs

Posted by simonellistonball <gi...@git.apache.org>.
Github user simonellistonball commented on the issue:

    https://github.com/apache/metron/pull/1112
  
    And in fact through form-based auth if sso is off (see the backend issue METRON-1665). This PR just removes the need to process a spring login form in the Angular app to lighten the load a bit and avoid having multiple front-end login implementations to keep in sync (config and alerts have their own at present). This is more about moving the same functionality out of the angular layer and into a different page.
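
The credential paths described in the comments above (a KnoxSSO JWT by cookie or bearer token, basic auth against LDAP, or a browser login page) and the "knoxsso, ldap, nothing" failover order, sketched as an added example that is not part of this thread or of Metron's code. The `hadoop-jwt` cookie name, the function names and the returned action labels are assumptions made for illustration.

```javascript
// Added illustration, not Metron code. Order follows the thread: knoxsso, ldap, nothing.
const SSO_COOKIE = 'hadoop-jwt'; // assumed cookie name for the KnoxSSO token

function readCookie(cookieHeader, name) {
  for (const part of (cookieHeader || '').split(';')) {
    const eq = part.indexOf('=');
    if (eq > 0 && part.slice(0, eq).trim() === name) return part.slice(eq + 1).trim();
  }
  return null;
}

// Decode "Basic <base64(user:pass)>". Split on the first colon only, because
// passwords may contain colons. Returns null when no usable username is present.
function parseBasic(value) {
  const decoded = Buffer.from(value, 'base64').toString('utf8');
  const colon = decoded.indexOf(':');
  if (colon <= 0) return null;
  return { username: decoded.slice(0, colon), password: decoded.slice(colon + 1) };
}

// headers: map with lower-cased header names. This only selects the mechanism;
// verifying the JWT signature and expiry, or binding to LDAP, is the next step.
function selectAuth(headers, ssoEnabled) {
  const m = /^(\S+)\s+(\S+)$/.exec((headers.authorization || '').trim());
  const scheme = m ? m[1].toLowerCase() : '';
  if (ssoEnabled) {
    const cookieJwt = readCookie(headers.cookie, SSO_COOKIE);
    if (cookieJwt) return { method: 'knoxsso', via: 'cookie', token: cookieJwt };
    if (scheme === 'bearer') return { method: 'knoxsso', via: 'bearer', token: m[2] };
  }
  if (scheme === 'basic') {
    const creds = parseBasic(m[2]);
    return creds ? { method: 'ldap', ...creds } : { method: 'none', action: 'reject-401' };
  }
  // No usable credentials: browsers are sent to a login page, API clients get a 401.
  const wantsHtml = (headers.accept || '').includes('text/html');
  if (!wantsHtml) return { method: 'none', action: 'reject-401' };
  return { method: 'none', action: ssoEnabled ? 'redirect-knoxsso' : 'spring-login-form' };
}
```

A bearer token presented while SSO is switched off falls through to the 401 branch here, since nothing is configured to validate it.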


---

[GitHub] metron issue #1112: METRON-1668 Remove login services and screens from UIs

Posted by ottobackwards <gi...@git.apache.org>.
Github user ottobackwards commented on the issue:

    https://github.com/apache/metron/pull/1112
  
    @simonellistonball, thank you.  I didn't get that from the PR description.  Sorry for the noise.


---

[GitHub] metron issue #1112: METRON-1668 Remove login services and screens from UIs

Posted by ottobackwards <gi...@git.apache.org>.
Github user ottobackwards commented on the issue:

    https://github.com/apache/metron/pull/1112
  
    this might be worth a discuss thread @simonellistonball 


---