You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@ambari.apache.org by jo...@apache.org on 2015/11/09 22:56:21 UTC
[1/2] ambari git commit: Revert "AMBARI-13342. Allow access to
callers with valid Knox authorization cookie. (mpapirkovskyy)"
Repository: ambari
Updated Branches:
refs/heads/trunk 845704114 -> de5093a5c
http://git-wip-us.apache.org/repos/asf/ambari/blob/de5093a5/ambari-server/src/test/java/org/apache/ambari/server/security/authorization/jwt/JwtAuthenticationFilterTest.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/test/java/org/apache/ambari/server/security/authorization/jwt/JwtAuthenticationFilterTest.java b/ambari-server/src/test/java/org/apache/ambari/server/security/authorization/jwt/JwtAuthenticationFilterTest.java
deleted file mode 100644
index ae47694..0000000
--- a/ambari-server/src/test/java/org/apache/ambari/server/security/authorization/jwt/JwtAuthenticationFilterTest.java
+++ /dev/null
@@ -1,244 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.apache.ambari.server.security.authorization.jwt;
-
-import com.nimbusds.jose.JOSEException;
-import com.nimbusds.jose.JWSAlgorithm;
-import com.nimbusds.jose.JWSHeader;
-import com.nimbusds.jose.crypto.RSASSASigner;
-import com.nimbusds.jwt.JWTClaimsSet;
-import com.nimbusds.jwt.SignedJWT;
-import org.apache.ambari.server.security.authorization.AmbariGrantedAuthority;
-import org.apache.ambari.server.security.authorization.User;
-import org.apache.ambari.server.security.authorization.UserType;
-import org.apache.ambari.server.security.authorization.Users;
-import org.easymock.EasyMock;
-import org.junit.Before;
-import org.junit.BeforeClass;
-import org.junit.Test;
-import org.springframework.security.core.Authentication;
-import org.springframework.security.core.context.SecurityContextHolder;
-import org.springframework.security.web.AuthenticationEntryPoint;
-
-import javax.servlet.FilterChain;
-import javax.servlet.http.Cookie;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-
-import java.security.KeyPair;
-import java.security.KeyPairGenerator;
-import java.security.NoSuchAlgorithmException;
-import java.security.PrivateKey;
-import java.security.interfaces.RSAPrivateKey;
-import java.security.interfaces.RSAPublicKey;
-import java.util.Arrays;
-import java.util.Calendar;
-import java.util.Collections;
-import java.util.Date;
-
-import static org.easymock.EasyMock.anyObject;
-import static org.easymock.EasyMock.createMockBuilder;
-import static org.easymock.EasyMock.createNiceMock;
-import static org.easymock.EasyMock.eq;
-import static org.easymock.EasyMock.expect;
-import static org.easymock.EasyMock.expectLastCall;
-import static org.easymock.EasyMock.replay;
-import static org.easymock.EasyMock.verify;
-import static org.junit.Assert.*;
-
-public class JwtAuthenticationFilterTest {
- private static RSAPublicKey publicKey;
- private static RSAPrivateKey privateKey;
- private static RSAPrivateKey invalidPrivateKey;
-
-
- @BeforeClass
- public static void generateKeyPair() throws NoSuchAlgorithmException {
- KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA");
- keyPairGenerator.initialize(512);
- KeyPair keyPair = keyPairGenerator.generateKeyPair();
- publicKey = (RSAPublicKey) keyPair.getPublic();
- privateKey = (RSAPrivateKey) keyPair.getPrivate();
-
- keyPair = keyPairGenerator.generateKeyPair();
- invalidPrivateKey = (RSAPrivateKey) keyPair.getPrivate();
- }
-
- private JwtAuthenticationProperties createTestProperties() {
- JwtAuthenticationProperties properties = new JwtAuthenticationProperties();
- properties.setCookieName("non-default");
- properties.setPublicKey(publicKey);
- properties.setAudiences(Collections.singletonList("test-audience"));
-
- return properties;
- }
-
- private SignedJWT getSignedToken() throws JOSEException {
- RSASSASigner signer = new RSASSASigner(privateKey);
-
- Calendar calendar = Calendar.getInstance();
- calendar.setTimeInMillis(System.currentTimeMillis());
-
- JWTClaimsSet claimsSet = new JWTClaimsSet();
- claimsSet.setSubject("test-user");
- claimsSet.setIssuer("unit-test");
- claimsSet.setIssueTime(calendar.getTime());
-
- calendar.add(Calendar.DATE, 1); //add one day
- claimsSet.setExpirationTime(calendar.getTime());
-
- claimsSet.setAudience("test-audience");
-
- SignedJWT signedJWT = new SignedJWT(new JWSHeader(JWSAlgorithm.RS256), claimsSet);
- signedJWT.sign(signer);
-
- return signedJWT;
- }
-
- private SignedJWT getInvalidToken() throws JOSEException {
- RSASSASigner signer = new RSASSASigner(invalidPrivateKey);
-
- Calendar calendar = Calendar.getInstance();
- calendar.setTimeInMillis(System.currentTimeMillis());
- calendar.add(Calendar.DATE, -2);
-
- JWTClaimsSet claimsSet = new JWTClaimsSet();
- claimsSet.setSubject("test-user");
- claimsSet.setIssuer("unit-test");
- claimsSet.setIssueTime(calendar.getTime());
-
- calendar.add(Calendar.DATE, 1); //add one day
- claimsSet.setExpirationTime(calendar.getTime());
-
- claimsSet.setAudience("test-audience-invalid");
-
- SignedJWT signedJWT = new SignedJWT(new JWSHeader(JWSAlgorithm.RS256), claimsSet);
- signedJWT.sign(signer);
-
- return signedJWT;
- }
-
-
- @Test
- public void testDoFilter() throws Exception {
- Users users = createNiceMock(Users.class);
- AuthenticationEntryPoint entryPoint = createNiceMock(AuthenticationEntryPoint.class);
- HttpServletRequest request = createNiceMock(HttpServletRequest.class);
- HttpServletResponse response = createNiceMock(HttpServletResponse.class);
- FilterChain chain = createNiceMock(FilterChain.class);
- AmbariGrantedAuthority authority = createNiceMock(AmbariGrantedAuthority.class);
- User user = createNiceMock(User.class);
-
- SignedJWT signedJWT = getSignedToken();
-
- JwtAuthenticationProperties properties = createTestProperties();
- JwtAuthenticationFilter filter = createMockBuilder(JwtAuthenticationFilter.class).
- addMockedMethod("getJWTFromCookie").
- withConstructor(properties, entryPoint, users).createNiceMock();
-
- expect(filter.getJWTFromCookie(anyObject(HttpServletRequest.class))).andReturn(signedJWT.serialize());
- expect(users.getUser(eq("test-user"), eq(UserType.JWT))).andReturn(null).once();
- expect(users.getUser(eq("test-user"), eq(UserType.JWT))).andReturn(user).anyTimes();
-
- users.createUser(eq("test-user"), anyObject(String.class), eq(UserType.JWT), eq(true), eq(false));
- expectLastCall();
-
- expect(users.getUserAuthorities(eq("test-user"), eq(UserType.JWT))).andReturn(Collections.singletonList(authority));
-
- expect(user.getUserName()).andReturn("test-user");
- expect(user.getUserType()).andReturn(UserType.JWT);
-
- replay(users, request, response, chain, filter, entryPoint, user, authority);
-
- filter.doFilter(request, response, chain);
-
- verify(users, request, response, chain, filter, entryPoint, user, authority);
-
- Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
-
- assertEquals(true, authentication.isAuthenticated());
-
- }
-
- @Test
- public void testGetJWTFromCookie() throws Exception {
- HttpServletRequest request = createNiceMock(HttpServletRequest.class);
- Cookie cookie = createNiceMock(Cookie.class);
-
- expect(cookie.getName()).andReturn("non-default");
- expect(cookie.getValue()).andReturn("stubtokenstring");
-
- expect(request.getCookies()).andReturn(new Cookie[]{cookie});
-
- JwtAuthenticationProperties properties = createTestProperties();
- JwtAuthenticationFilter filter = new JwtAuthenticationFilter(properties, null, null);
-
- replay(request, cookie);
-
- String jwtFromCookie = filter.getJWTFromCookie(request);
-
- verify(request, cookie);
-
- assertEquals("stubtokenstring", jwtFromCookie);
- }
-
- @Test
- public void testValidateSignature() throws Exception {
- JwtAuthenticationProperties properties = createTestProperties();
- JwtAuthenticationFilter filter = new JwtAuthenticationFilter(properties, null, null);
-
- boolean isValid = filter.validateSignature(getSignedToken());
-
- assertEquals(true, isValid);
-
- isValid = filter.validateSignature(getInvalidToken());
-
- assertEquals(false, isValid);
-
- }
-
- @Test
- public void testValidateAudiences() throws Exception {
- JwtAuthenticationProperties properties = createTestProperties();
- JwtAuthenticationFilter filter = new JwtAuthenticationFilter(properties, null, null);
-
- boolean isValid = filter.validateAudiences(getSignedToken());
-
- assertEquals(true, isValid);
-
- isValid = filter.validateAudiences(getInvalidToken());
-
- assertEquals(false, isValid);
- }
-
- @Test
- public void testValidateExpiration() throws Exception {
- JwtAuthenticationProperties properties = createTestProperties();
- JwtAuthenticationFilter filter = new JwtAuthenticationFilter(properties, null, null);
-
- boolean isValid = filter.validateExpiration(getSignedToken());
-
- assertEquals(true, isValid);
-
- isValid = filter.validateExpiration(getInvalidToken());
-
- assertEquals(false, isValid);
-
- }
-}
\ No newline at end of file
[2/2] ambari git commit: Revert "AMBARI-13342. Allow access to
callers with valid Knox authorization cookie. (mpapirkovskyy)"
Posted by jo...@apache.org.
Revert "AMBARI-13342. Allow access to callers with valid Knox authorization cookie. (mpapirkovskyy)"
This reverts commit 8997ce0d50d91c4cb008d303a07dfd7a949d1788.
Project: http://git-wip-us.apache.org/repos/asf/ambari/repo
Commit: http://git-wip-us.apache.org/repos/asf/ambari/commit/de5093a5
Tree: http://git-wip-us.apache.org/repos/asf/ambari/tree/de5093a5
Diff: http://git-wip-us.apache.org/repos/asf/ambari/diff/de5093a5
Branch: refs/heads/trunk
Commit: de5093a5c8e56959d050e309f7bd5f52ecad36bc
Parents: 8457041
Author: Jonathan Hurley <jh...@hortonworks.com>
Authored: Mon Nov 9 16:55:14 2015 -0500
Committer: Jonathan Hurley <jh...@hortonworks.com>
Committed: Mon Nov 9 16:55:37 2015 -0500
----------------------------------------------------------------------
ambari-server/pom.xml | 12 -
.../ambari/server/api/AmbariErrorHandler.java | 13 +-
.../server/configuration/Configuration.java | 53 ---
.../AmbariManagementControllerImpl.java | 6 +-
.../ambari/server/controller/AmbariServer.java | 3 -
.../ambari/server/controller/UserResponse.java | 24 +-
.../internal/UserPrivilegeResourceProvider.java | 4 -
.../internal/UserResourceProvider.java | 4 -
.../apache/ambari/server/orm/dao/UserDAO.java | 14 -
.../ambari/server/orm/entities/UserEntity.java | 31 +-
.../AmbariAuthorizationFilter.java | 8 +-
.../server/security/authorization/User.java | 11 +-
.../server/security/authorization/UserType.java | 24 --
.../server/security/authorization/Users.java | 82 +----
.../authorization/jwt/JwtAuthentication.java | 78 -----
.../jwt/JwtAuthenticationFilter.java | 329 -------------------
.../jwt/JwtAuthenticationProperties.java | 85 -----
.../security/encryption/CertificateUtils.java | 51 ---
.../server/upgrade/UpgradeCatalog220.java | 12 -
ambari-server/src/main/python/ambari-server.py | 8 +-
.../main/python/ambari_server/setupActions.py | 3 +-
.../src/main/python/ambari_server/setupSso.py | 121 -------
.../main/resources/Ambari-DDL-MySQL-CREATE.sql | 3 +-
.../main/resources/Ambari-DDL-Oracle-CREATE.sql | 3 +-
.../resources/Ambari-DDL-Postgres-CREATE.sql | 5 +-
.../Ambari-DDL-Postgres-EMBEDDED-CREATE.sql | 5 +-
.../resources/Ambari-DDL-SQLAnywhere-CREATE.sql | 3 +-
.../resources/Ambari-DDL-SQLServer-CREATE.sql | 9 +-
.../src/main/resources/properties.json | 1 -
.../webapp/WEB-INF/spring-security.xml | 5 +-
.../server/api/AmbariErrorHandlerTest.java | 4 +-
.../jwt/JwtAuthenticationFilterTest.java | 244 --------------
32 files changed, 44 insertions(+), 1214 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/ambari/blob/de5093a5/ambari-server/pom.xml
----------------------------------------------------------------------
diff --git a/ambari-server/pom.xml b/ambari-server/pom.xml
index ebe5cc2..5a7ddc4 100644
--- a/ambari-server/pom.xml
+++ b/ambari-server/pom.xml
@@ -2011,18 +2011,6 @@
<artifactId>ehcache</artifactId>
<version>2.10.0</version>
</dependency>
- <dependency>
- <groupId>com.nimbusds</groupId>
- <artifactId>nimbus-jose-jwt</artifactId>
- <version>3.9</version>
- <scope>compile</scope>
- <exclusions>
- <exclusion>
- <groupId>org.bouncycastle</groupId>
- <artifactId>bcprov-jdk15on</artifactId>
- </exclusion>
- </exclusions>
- </dependency>
</dependencies>
<pluginRepositories>
http://git-wip-us.apache.org/repos/asf/ambari/blob/de5093a5/ambari-server/src/main/java/org/apache/ambari/server/api/AmbariErrorHandler.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/api/AmbariErrorHandler.java b/ambari-server/src/main/java/org/apache/ambari/server/api/AmbariErrorHandler.java
index d526ac7..ee4e56f 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/api/AmbariErrorHandler.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/api/AmbariErrorHandler.java
@@ -21,8 +21,6 @@ package org.apache.ambari.server.api;
import com.google.gson.Gson;
import com.google.inject.Inject;
import com.google.inject.name.Named;
-import org.apache.ambari.server.configuration.Configuration;
-import org.apache.ambari.server.security.authorization.jwt.JwtAuthenticationProperties;
import org.eclipse.jetty.http.HttpStatus;
import org.eclipse.jetty.http.MimeTypes;
import org.eclipse.jetty.server.AbstractHttpConnection;
@@ -37,12 +35,10 @@ import java.util.Map;
public class AmbariErrorHandler extends ErrorHandler {
private final Gson gson;
- private Configuration configuration;
@Inject
- public AmbariErrorHandler(@Named("prettyGson") Gson prettyGson, Configuration configuration) {
+ public AmbariErrorHandler(@Named("prettyGson") Gson prettyGson) {
this.gson = prettyGson;
- this.configuration = configuration;
}
@Override
@@ -61,13 +57,6 @@ public class AmbariErrorHandler extends ErrorHandler {
}
errorMap.put("message", message);
- if (code == HttpServletResponse.SC_FORBIDDEN) {
- JwtAuthenticationProperties jwtProperties = configuration.getJwtProperties();
- if (jwtProperties != null) {
- errorMap.put("jwtProviderUrl", jwtProperties.getAuthenticationProviderUrl());
- }
- }
-
gson.toJson(errorMap, response.getWriter());
}
}
http://git-wip-us.apache.org/repos/asf/ambari/blob/de5093a5/ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java b/ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java
index 0549c6e..e5e2c90 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java
@@ -32,10 +32,8 @@ import org.apache.ambari.server.orm.PersistenceType;
import org.apache.ambari.server.orm.entities.StageEntity;
import org.apache.ambari.server.security.ClientSecurityType;
import org.apache.ambari.server.security.authorization.LdapServerProperties;
-import org.apache.ambari.server.security.authorization.jwt.JwtAuthenticationProperties;
import org.apache.ambari.server.security.encryption.CredentialProvider;
import org.apache.ambari.server.state.stack.OsFamily;
-import org.apache.ambari.server.security.encryption.CertificateUtils;
import org.apache.ambari.server.utils.Parallel;
import org.apache.ambari.server.utils.ShellCommandUtil;
import org.apache.commons.io.FileUtils;
@@ -57,9 +55,6 @@ import java.util.Map;
import java.util.Map.Entry;
import java.util.Properties;
-import java.security.cert.CertificateException;
-import java.security.interfaces.RSAPublicKey;
-
/**
* Ambari configuration.
@@ -195,14 +190,6 @@ public class Configuration {
public static final String ROLLING_UPGRADE_MIN_STACK_DEFAULT = "HDP-2.2";
public static final String ROLLING_UPGRADE_MAX_STACK_DEFAULT = "";
public static final String ROLLING_UPGRADE_SKIP_PACKAGES_PREFIXES_DEFAULT = "";
- public static final String JWT_AUTH_ENBABLED = "authentication.jwt.enabled";
- public static final String JWT_AUTH_PROVIDER_URL = "authentication.jwt.providerUrl";
- public static final String JWT_PUBLIC_KEY = "authentication.jwt.publicKey";
- public static final String JWT_AUDIENCES = "authentication.jwt.audiences";
- public static final String JWT_COOKIE_NAME = "authentication.jwt.cookieName";
- public static final String JWT_ORIGINAL_URL_QUERY_PARAM = "authentication.jwt.originalUrlParamName";
- public static final String JWT_COOKIE_NAME_DEFAULT = "hadoop-jwt";
- public static final String JWT_ORIGINAL_URL_QUERY_PARAM_DEFAULT = "originalUrl";
public static final String SERVER_JDBC_CONNECTION_POOL = "server.jdbc.connection-pool";
public static final String SERVER_JDBC_CONNECTION_POOL_MIN_SIZE = "server.jdbc.connection-pool.min-size";
@@ -2315,46 +2302,6 @@ public class Configuration {
.getProperty(TIMELINE_METRICS_CACHE_USE_CUSTOM_SIZING_ENGINE, "true"));
}
- public JwtAuthenticationProperties getJwtProperties() {
- boolean enableJwt = Boolean.valueOf(properties.getProperty(JWT_AUTH_ENBABLED, "false"));
-
- if (enableJwt) {
- String providerUrl = properties.getProperty(JWT_AUTH_PROVIDER_URL);
- if (providerUrl == null) {
- LOG.error("JWT authentication provider URL not specified. JWT auth will be disabled.", providerUrl);
- return null;
- }
- String publicKeyPath = properties.getProperty(JWT_PUBLIC_KEY);
- if (publicKeyPath == null) {
- LOG.error("Public key pem not specified for JWT auth provider {}. JWT auth will be disabled.", providerUrl);
- return null;
- }
- try {
- RSAPublicKey publicKey = CertificateUtils.getPublicKeyFromFile(publicKeyPath);
- JwtAuthenticationProperties jwtProperties = new JwtAuthenticationProperties();
- jwtProperties.setAuthenticationProviderUrl(providerUrl);
- jwtProperties.setPublicKey(publicKey);
-
- jwtProperties.setCookieName(properties.getProperty(JWT_COOKIE_NAME, JWT_COOKIE_NAME_DEFAULT));
- jwtProperties.setAudiencesString(properties.getProperty(JWT_AUDIENCES));
- jwtProperties.setOriginalUrlQueryParam(
- properties.getProperty(JWT_ORIGINAL_URL_QUERY_PARAM, JWT_ORIGINAL_URL_QUERY_PARAM_DEFAULT));
-
- return jwtProperties;
-
- } catch (IOException e) {
- LOG.error("Unable to read public certificate file. JWT auth will be disabled.", e);
- return null;
- } catch (CertificateException e) {
- LOG.error("Unable to parse public certificate file. JWT auth will be disabled.", e);
- return null;
- }
- } else {
- return null;
- }
-
- }
-
/**
* Gets whether to use experiemental concurrent processing to convert
* {@link StageEntity} instances into {@link Stage} instances. The default is
http://git-wip-us.apache.org/repos/asf/ambari/blob/de5093a5/ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariManagementControllerImpl.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariManagementControllerImpl.java b/ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariManagementControllerImpl.java
index 8dd7a04..49a8d8b 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariManagementControllerImpl.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariManagementControllerImpl.java
@@ -3202,8 +3202,7 @@ public class AmbariManagementControllerImpl implements AmbariManagementControlle
// get them all
if (null == r.getUsername()) {
for (User u : users.getAllUsers()) {
- UserResponse resp = new UserResponse(u.getUserName(), u.getUserType(), u.isLdapUser(), u.isActive(), u
- .isAdmin());
+ UserResponse resp = new UserResponse(u.getUserName(), u.isLdapUser(), u.isActive(), u.isAdmin());
resp.setGroups(new HashSet<String>(u.getGroups()));
responses.add(resp);
}
@@ -3218,8 +3217,7 @@ public class AmbariManagementControllerImpl implements AmbariManagementControlle
+ r.getUsername() + "'");
}
} else {
- UserResponse resp = new UserResponse(u.getUserName(), u.getUserType(), u.isLdapUser(), u.isActive(), u
- .isAdmin());
+ UserResponse resp = new UserResponse(u.getUserName(), u.isLdapUser(), u.isActive(), u.isAdmin());
resp.setGroups(new HashSet<String>(u.getGroups()));
responses.add(resp);
}
http://git-wip-us.apache.org/repos/asf/ambari/blob/de5093a5/ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariServer.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariServer.java b/ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariServer.java
index 114ecbc..15cfb90 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariServer.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariServer.java
@@ -89,7 +89,6 @@ import org.apache.ambari.server.security.authorization.AmbariLdapAuthenticationP
import org.apache.ambari.server.security.authorization.AmbariLocalUserDetailsService;
import org.apache.ambari.server.security.authorization.Users;
import org.apache.ambari.server.security.authorization.internal.AmbariInternalAuthenticationProvider;
-import org.apache.ambari.server.security.authorization.jwt.JwtAuthenticationFilter;
import org.apache.ambari.server.security.ldap.AmbariLdapDataPopulator;
import org.apache.ambari.server.security.unsecured.rest.CertificateDownload;
import org.apache.ambari.server.security.unsecured.rest.CertificateSign;
@@ -276,8 +275,6 @@ public class AmbariServer {
injector.getInstance(AmbariAuthorizationFilter.class));
factory.registerSingleton("ambariInternalAuthenticationProvider",
injector.getInstance(AmbariInternalAuthenticationProvider.class));
- factory.registerSingleton("ambariJwtAuthenticationFilter",
- injector.getInstance(JwtAuthenticationFilter.class));
//Spring Security xml config depends on this Bean
http://git-wip-us.apache.org/repos/asf/ambari/blob/de5093a5/ambari-server/src/main/java/org/apache/ambari/server/controller/UserResponse.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/controller/UserResponse.java b/ambari-server/src/main/java/org/apache/ambari/server/controller/UserResponse.java
index d481327..868635c 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/controller/UserResponse.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/controller/UserResponse.java
@@ -17,8 +17,6 @@
*/
package org.apache.ambari.server.controller;
-import org.apache.ambari.server.security.authorization.UserType;
-
import java.util.Collections;
import java.util.Set;
@@ -28,26 +26,16 @@ import java.util.Set;
public class UserResponse {
private final String userName;
- private final UserType userType;
private final boolean isLdapUser;
private final boolean isActive;
private final boolean isAdmin;
private Set<String> groups = Collections.emptySet();
- public UserResponse(String userName, UserType userType, boolean isLdapUser, boolean isActive, boolean isAdmin) {
- this.userName = userName;
- this.userType = userType;
- this.isLdapUser = isLdapUser;
- this.isActive = isActive;
- this.isAdmin = isAdmin;
- }
-
public UserResponse(String name, boolean isLdapUser, boolean isActive, boolean isAdmin) {
this.userName = name;
this.isLdapUser = isLdapUser;
this.isActive = isActive;
this.isAdmin = isAdmin;
- this.userType = UserType.LOCAL;
}
public String getUsername() {
@@ -69,15 +57,17 @@ public class UserResponse {
UserResponse that = (UserResponse) o;
- if (userName != null ? !userName.equals(that.userName) : that.userName != null) return false;
- return userType == that.userType;
+ if (userName != null ?
+ !userName.equals(that.userName) : that.userName != null) {
+ return false;
+ }
+ return true;
}
@Override
public int hashCode() {
int result = userName != null ? userName.hashCode() : 0;
- result = 31 * result + (userType != null ? userType.hashCode() : 0);
return result;
}
@@ -95,8 +85,4 @@ public class UserResponse {
public boolean isAdmin() {
return isAdmin;
}
-
- public UserType getUserType() {
- return userType;
- }
}
http://git-wip-us.apache.org/repos/asf/ambari/blob/de5093a5/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/UserPrivilegeResourceProvider.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/UserPrivilegeResourceProvider.java b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/UserPrivilegeResourceProvider.java
index 0621286..cdc8c8a 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/UserPrivilegeResourceProvider.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/UserPrivilegeResourceProvider.java
@@ -42,7 +42,6 @@ import org.apache.ambari.server.orm.entities.ResourceTypeEntity;
import org.apache.ambari.server.orm.entities.UserEntity;
import org.apache.ambari.server.orm.entities.ViewEntity;
import org.apache.ambari.server.orm.entities.ViewInstanceEntity;
-import org.apache.ambari.server.security.authorization.UserType;
/**
* Resource provider for user privilege resources.
@@ -160,9 +159,6 @@ public class UserPrivilegeResourceProvider extends ReadOnlyResourceProvider {
userEntity = userDAO.findLdapUserByName(userName);
}
if (userEntity == null) {
- userEntity = userDAO.findUserByNameAndType(userName, UserType.JWT);
- }
- if (userEntity == null) {
throw new SystemException("User " + userName + " was not found");
}
http://git-wip-us.apache.org/repos/asf/ambari/blob/de5093a5/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/UserResourceProvider.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/UserResourceProvider.java b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/UserResourceProvider.java
index b993450..35f9db5 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/UserResourceProvider.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/UserResourceProvider.java
@@ -41,7 +41,6 @@ class UserResourceProvider extends AbstractControllerResourceProvider {
protected static final String USER_PASSWORD_PROPERTY_ID = PropertyHelper.getPropertyId("Users", "password");
protected static final String USER_OLD_PASSWORD_PROPERTY_ID = PropertyHelper.getPropertyId("Users", "old_password");
protected static final String USER_LDAP_USER_PROPERTY_ID = PropertyHelper.getPropertyId("Users", "ldap_user");
- protected static final String USER_TYPE_PROPERTY_ID = PropertyHelper.getPropertyId("Users", "user_type");
protected static final String USER_ACTIVE_PROPERTY_ID = PropertyHelper.getPropertyId("Users", "active");
protected static final String USER_GROUPS_PROPERTY_ID = PropertyHelper.getPropertyId("Users", "groups");
protected static final String USER_ADMIN_PROPERTY_ID = PropertyHelper.getPropertyId("Users", "admin");
@@ -120,9 +119,6 @@ class UserResourceProvider extends AbstractControllerResourceProvider {
setResourceProperty(resource, USER_LDAP_USER_PROPERTY_ID,
userResponse.isLdapUser(), requestedIds);
- setResourceProperty(resource, USER_TYPE_PROPERTY_ID,
- userResponse.getUserType(), requestedIds);
-
setResourceProperty(resource, USER_ACTIVE_PROPERTY_ID,
userResponse.isActive(), requestedIds);
http://git-wip-us.apache.org/repos/asf/ambari/blob/de5093a5/ambari-server/src/main/java/org/apache/ambari/server/orm/dao/UserDAO.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/orm/dao/UserDAO.java b/ambari-server/src/main/java/org/apache/ambari/server/orm/dao/UserDAO.java
index 1bd83f8..12f975e 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/orm/dao/UserDAO.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/orm/dao/UserDAO.java
@@ -35,7 +35,6 @@ import com.google.inject.Inject;
import com.google.inject.Provider;
import com.google.inject.Singleton;
import com.google.inject.persist.Transactional;
-import org.apache.ambari.server.security.authorization.UserType;
@Singleton
public class UserDAO {
@@ -68,19 +67,6 @@ public class UserDAO {
}
@RequiresSession
- public UserEntity findUserByNameAndType(String userName, UserType userType) {
- TypedQuery<UserEntity> query = entityManagerProvider.get().createQuery("SELECT user FROM UserEntity user WHERE " +
- "user.userType=:type AND user.userName=:name", UserEntity.class);
- query.setParameter("type", userType);
- query.setParameter("name", userName);
- try {
- return query.getSingleResult();
- } catch (NoResultException e) {
- return null;
- }
- }
-
- @RequiresSession
public UserEntity findLocalUserByName(String userName) {
TypedQuery<UserEntity> query = entityManagerProvider.get().createNamedQuery("localUserByName", UserEntity.class);
query.setParameter("username", userName.toLowerCase());
http://git-wip-us.apache.org/repos/asf/ambari/blob/de5093a5/ambari-server/src/main/java/org/apache/ambari/server/orm/entities/UserEntity.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/orm/entities/UserEntity.java b/ambari-server/src/main/java/org/apache/ambari/server/orm/entities/UserEntity.java
index 5b8360a..32dbbf5 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/orm/entities/UserEntity.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/orm/entities/UserEntity.java
@@ -17,25 +17,18 @@
*/
package org.apache.ambari.server.orm.entities;
-import org.apache.ambari.server.security.authorization.UserType;
-
import javax.persistence.*;
import java.util.Date;
import java.util.HashSet;
import java.util.Set;
-@Table(name = "users", uniqueConstraints = {@UniqueConstraint(columnNames = {"user_name", "user_type"})})
+@Table(name = "users", uniqueConstraints = {@UniqueConstraint(columnNames = {"user_name", "ldap_user"})})
@Entity
@NamedQueries({
- @NamedQuery(name = "userByName", query = "SELECT user_entity from UserEntity user_entity " +
- "where lower(user_entity.userName)=:username"),
- @NamedQuery(name = "localUserByName", query = "SELECT user_entity FROM UserEntity user_entity " +
- "where lower(user_entity.userName)=:username AND " +
- "user_entity.userType=org.apache.ambari.server.security.authorization.UserType.LOCAL"),
- @NamedQuery(name = "ldapUserByName", query = "SELECT user_entity FROM UserEntity user_entity " +
- "where lower(user_entity.userName)=:username AND " +
- "user_entity.userType=org.apache.ambari.server.security.authorization.UserType.LDAP")
+ @NamedQuery(name = "userByName", query = "SELECT user_entity from UserEntity user_entity where lower(user_entity.userName)=:username"),
+ @NamedQuery(name = "localUserByName", query = "SELECT user_entity FROM UserEntity user_entity where lower(user_entity.userName)=:username AND user_entity.ldapUser=false"),
+ @NamedQuery(name = "ldapUserByName", query = "SELECT user_entity FROM UserEntity user_entity where lower(user_entity.userName)=:username AND user_entity.ldapUser=true")
})
@TableGenerator(name = "user_id_generator",
table = "ambari_sequences", pkColumnName = "sequence_name", valueColumnName = "sequence_value"
@@ -56,11 +49,6 @@ public class UserEntity {
@Column(name = "ldap_user")
private Integer ldapUser = 0;
- @Column(name = "user_type")
- @Enumerated(EnumType.STRING)
- @Basic
- private UserType userType = UserType.LOCAL;
-
@Column(name = "user_password")
@Basic
private String userPassword;
@@ -111,18 +99,9 @@ public class UserEntity {
this.ldapUser = null;
} else {
this.ldapUser = ldapUser ? 1 : 0;
- this.userType = ldapUser ? UserType.LDAP : UserType.LOCAL;
}
}
- public UserType getUserType() {
- return userType;
- }
-
- public void setUserType(UserType userType) {
- this.userType = userType;
- }
-
public String getUserPassword() {
return userPassword;
}
@@ -197,7 +176,6 @@ public class UserEntity {
if (userId != null ? !userId.equals(that.userId) : that.userId != null) return false;
if (createTime != null ? !createTime.equals(that.createTime) : that.createTime != null) return false;
if (ldapUser != null ? !ldapUser.equals(that.ldapUser) : that.ldapUser != null) return false;
- if (userType != null ? !userType.equals(that.userType) : that.userType != null) return false;
if (userName != null ? !userName.equals(that.userName) : that.userName != null) return false;
if (userPassword != null ? !userPassword.equals(that.userPassword) : that.userPassword != null) return false;
if (active != null ? !active.equals(that.active) : that.active != null) return false;
@@ -211,7 +189,6 @@ public class UserEntity {
result = 31 * result + (userName != null ? userName.hashCode() : 0);
result = 31 * result + (userPassword != null ? userPassword.hashCode() : 0);
result = 31 * result + (ldapUser != null ? ldapUser.hashCode() : 0);
- result = 31 * result + (userType != null ? userType.hashCode() : 0);
result = 31 * result + (createTime != null ? createTime.hashCode() : 0);
result = 31 * result + (active != null ? active.hashCode() : 0);
return result;
http://git-wip-us.apache.org/repos/asf/ambari/blob/de5093a5/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariAuthorizationFilter.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariAuthorizationFilter.java b/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariAuthorizationFilter.java
index 46b751d..0abbf45 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariAuthorizationFilter.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariAuthorizationFilter.java
@@ -95,15 +95,13 @@ public class AmbariAuthorizationFilter implements Filter {
context.setAuthentication(new InternalAuthenticationToken(token));
} else {
// for view access, we should redirect to the Ambari login
- if (requestURI.matches(VIEWS_CONTEXT_ALL_PATTERN)) {
- String queryString = httpRequest.getQueryString();
+ if(requestURI.matches(VIEWS_CONTEXT_ALL_PATTERN)) {
+ String queryString = httpRequest.getQueryString();
String requestedURL = queryString == null ? requestURI : (requestURI + '?' + queryString);
- String redirectURL = httpResponse.encodeRedirectURL(LOGIN_REDIRECT_BASE + requestedURL);
+ String redirectURL = httpResponse.encodeRedirectURL(LOGIN_REDIRECT_BASE + requestedURL);
httpResponse.sendRedirect(redirectURL);
return;
- } else {
- httpResponse.sendError(HttpServletResponse.SC_FORBIDDEN, "Authentication required");
}
}
} else {
http://git-wip-us.apache.org/repos/asf/ambari/blob/de5093a5/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/User.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/User.java b/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/User.java
index ab48ddd..e72d958 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/User.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/User.java
@@ -20,13 +20,11 @@ package org.apache.ambari.server.security.authorization;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Date;
-import java.util.List;
import org.apache.ambari.server.orm.entities.MemberEntity;
import org.apache.ambari.server.orm.entities.PermissionEntity;
import org.apache.ambari.server.orm.entities.PrivilegeEntity;
import org.apache.ambari.server.orm.entities.UserEntity;
-import org.springframework.security.core.GrantedAuthority;
/**
* Describes user of web-services
@@ -35,18 +33,15 @@ public class User {
final int userId;
final String userName;
final boolean ldapUser;
- final UserType userType;
final Date createTime;
final boolean active;
final Collection<String> groups = new ArrayList<String>();
boolean admin = false;
- final List<GrantedAuthority> authorities = new ArrayList<>();
public User(UserEntity userEntity) {
userId = userEntity.getUserId();
userName = userEntity.getUserName();
createTime = userEntity.getCreateTime();
- userType = userEntity.getUserType();
ldapUser = userEntity.getLdapUser();
active = userEntity.getActive();
for (MemberEntity memberEntity : userEntity.getMemberEntities()) {
@@ -72,10 +67,6 @@ public class User {
return ldapUser;
}
- public UserType getUserType() {
- return userType;
- }
-
public Date getCreateTime() {
return createTime;
}
@@ -94,6 +85,6 @@ public class User {
@Override
public String toString() {
- return "[" + getUserType() + "]" + userName;
+ return (ldapUser ? "[LDAP]" : "[LOCAL]") + userName;
}
}
http://git-wip-us.apache.org/repos/asf/ambari/blob/de5093a5/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/UserType.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/UserType.java b/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/UserType.java
deleted file mode 100644
index aa9f3e0..0000000
--- a/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/UserType.java
+++ /dev/null
@@ -1,24 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.ambari.server.security.authorization;
-
-public enum UserType {
- LOCAL,
- LDAP,
- JWT
-}
http://git-wip-us.apache.org/repos/asf/ambari/blob/de5093a5/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/Users.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/Users.java b/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/Users.java
index 29b9ec3..867cd11 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/Users.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/Users.java
@@ -17,7 +17,13 @@
*/
package org.apache.ambari.server.security.authorization;
-import java.util.*;
+import java.util.ArrayList;
+import java.util.Collection;
+import java.util.HashMap;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Map;
+import java.util.Set;
import javax.persistence.EntityManager;
import org.apache.ambari.server.AmbariException;
@@ -44,7 +50,6 @@ import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
-import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.crypto.password.PasswordEncoder;
@@ -103,11 +108,6 @@ public class Users {
return (null == userEntity) ? null : new User(userEntity);
}
- public User getUser(String userName, UserType userType) {
- UserEntity userEntity = userDAO.findUserByNameAndType(userName, userType);
- return (null == userEntity) ? null : new User(userEntity);
- }
-
/**
* Modifies password of local user
* @throws AmbariException
@@ -238,6 +238,7 @@ public class Users {
* @param ldapUser is user LDAP
* @throws AmbariException if user already exists
*/
+ @Transactional
public synchronized void createUser(String userName, String password, Boolean active, Boolean admin, Boolean ldapUser) throws AmbariException {
if (getAnyUser(userName) != null) {
@@ -274,44 +275,7 @@ public class Users {
}
}
- public synchronized void createUser(String userName, String password, UserType userType, Boolean active, Boolean
- admin) throws AmbariException {
- if (getUser(userName, userType) != null) {
- throw new AmbariException("User " + userName + " already exists");
- }
-
- PrincipalTypeEntity principalTypeEntity = principalTypeDAO.findById(PrincipalTypeEntity.USER_PRINCIPAL_TYPE);
- if (principalTypeEntity == null) {
- principalTypeEntity = new PrincipalTypeEntity();
- principalTypeEntity.setId(PrincipalTypeEntity.USER_PRINCIPAL_TYPE);
- principalTypeEntity.setName(PrincipalTypeEntity.USER_PRINCIPAL_TYPE_NAME);
- principalTypeDAO.create(principalTypeEntity);
- }
- PrincipalEntity principalEntity = new PrincipalEntity();
- principalEntity.setPrincipalType(principalTypeEntity);
- principalDAO.create(principalEntity);
-
- UserEntity userEntity = new UserEntity();
- userEntity.setUserName(userName);
- if (userType == null || userType == UserType.LOCAL) {
- //passwords should be stored for local users only
- userEntity.setUserPassword(passwordEncoder.encode(password));
- }
- userEntity.setPrincipal(principalEntity);
- if (active != null) {
- userEntity.setActive(active);
- }
- if (userType != null) {
- userEntity.setUserType(userType);
- }
-
- userDAO.create(userEntity);
-
- if (admin != null && admin) {
- grantAdminPrivilege(userEntity.getUserId());
- }
- }
-
+ @Transactional
public synchronized void removeUser(User user) throws AmbariException {
UserEntity userEntity = userDAO.findByPK(user.getUserId());
if (userEntity != null) {
@@ -690,32 +654,4 @@ public class Users {
entityManagerProvider.get().getEntityManagerFactory().getCache().evictAll();
}
- public Collection<AmbariGrantedAuthority> getUserAuthorities(String userName, UserType userType) {
- UserEntity userEntity = userDAO.findUserByNameAndType(userName, userType);
- if (userEntity == null) {
- return Collections.emptyList();
- }
-
- // get all of the privileges for the user
- List<PrincipalEntity> principalEntities = new LinkedList<PrincipalEntity>();
-
- principalEntities.add(userEntity.getPrincipal());
-
- List<MemberEntity> memberEntities = memberDAO.findAllMembersByUser(userEntity);
-
- for (MemberEntity memberEntity : memberEntities) {
- principalEntities.add(memberEntity.getGroup().getPrincipal());
- }
-
- List<PrivilegeEntity> privilegeEntities = privilegeDAO.findAllByPrincipal(principalEntities);
-
- Set<AmbariGrantedAuthority> authorities = new HashSet<>(privilegeEntities.size());
-
- for (PrivilegeEntity privilegeEntity : privilegeEntities) {
- authorities.add(new AmbariGrantedAuthority(privilegeEntity));
- }
-
- return authorities;
- }
-
}
http://git-wip-us.apache.org/repos/asf/ambari/blob/de5093a5/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/jwt/JwtAuthentication.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/jwt/JwtAuthentication.java b/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/jwt/JwtAuthentication.java
deleted file mode 100644
index 53826c0..0000000
--- a/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/jwt/JwtAuthentication.java
+++ /dev/null
@@ -1,78 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.ambari.server.security.authorization.jwt;
-
-import com.nimbusds.jwt.SignedJWT;
-import org.apache.ambari.server.security.authorization.AmbariGrantedAuthority;
-import org.apache.ambari.server.security.authorization.User;
-import org.springframework.security.core.Authentication;
-import org.springframework.security.core.GrantedAuthority;
-
-import java.util.Collection;
-
-/**
- * Internal token which describes JWT authentication
- */
-public class JwtAuthentication implements Authentication {
-
- private SignedJWT token;
- private User user;
- private Collection<AmbariGrantedAuthority> userAuthorities;
- private boolean authenticated = false;
-
- public JwtAuthentication(SignedJWT token, User user, Collection<AmbariGrantedAuthority> userAuthorities) {
- this.token = token;
- this.user = user;
- this.userAuthorities = userAuthorities;
- }
-
- @Override
- public Collection<? extends AmbariGrantedAuthority> getAuthorities() {
- return userAuthorities;
- }
-
- @Override
- public SignedJWT getCredentials() {
- return token;
- }
-
- @Override
- public Object getDetails() {
- return null;
- }
-
- @Override
- public User getPrincipal() {
- return user;
- }
-
- @Override
- public boolean isAuthenticated() {
- return authenticated;
- }
-
- @Override
- public void setAuthenticated(boolean authenticated) throws IllegalArgumentException {
- this.authenticated = authenticated;
- }
-
- @Override
- public String getName() {
- return user.getUserName();
- }
-}
http://git-wip-us.apache.org/repos/asf/ambari/blob/de5093a5/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/jwt/JwtAuthenticationFilter.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/jwt/JwtAuthenticationFilter.java b/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/jwt/JwtAuthenticationFilter.java
deleted file mode 100644
index d061c69..0000000
--- a/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/jwt/JwtAuthenticationFilter.java
+++ /dev/null
@@ -1,329 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.ambari.server.security.authorization.jwt;
-
-import com.google.inject.Inject;
-import com.nimbusds.jose.JOSEException;
-import com.nimbusds.jose.JWSObject;
-import com.nimbusds.jose.JWSVerifier;
-import com.nimbusds.jose.crypto.RSASSAVerifier;
-import com.nimbusds.jwt.SignedJWT;
-import org.apache.ambari.server.configuration.Configuration;
-import org.apache.ambari.server.security.authorization.AmbariGrantedAuthority;
-import org.apache.ambari.server.security.authorization.User;
-import org.apache.ambari.server.security.authorization.UserType;
-import org.apache.ambari.server.security.authorization.Users;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-import org.springframework.security.authentication.BadCredentialsException;
-import org.springframework.security.core.Authentication;
-import org.springframework.security.core.context.SecurityContextHolder;
-import org.springframework.security.web.AuthenticationEntryPoint;
-
-import javax.servlet.*;
-import javax.servlet.http.Cookie;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-import java.io.IOException;
-import java.security.interfaces.RSAPublicKey;
-import java.text.ParseException;
-import java.util.Collection;
-import java.util.Date;
-import java.util.List;
-
-/**
- * Filter is used to validate JWT token and authenticate user.
- * It is also responsive for creating user in local Ambari database for further management
- */
-public class JwtAuthenticationFilter implements Filter {
- Logger LOG = LoggerFactory.getLogger(JwtAuthenticationFilter.class);
-
- private final JwtAuthenticationProperties jwtProperties;
-
- private String originalUrlQueryParam = "originalUrl";
- private String authenticationProviderUrl = null;
- private RSAPublicKey publicKey = null;
- private List<String> audiences = null;
- private String cookieName = "hadoop-jwt";
-
- private boolean ignoreFailure = true;
- private AuthenticationEntryPoint entryPoint;
- private Users users;
-
- @Inject
- public JwtAuthenticationFilter(Configuration configuration, AuthenticationEntryPoint entryPoint, Users users) {
- this.entryPoint = entryPoint;
- this.users = users;
- jwtProperties = configuration.getJwtProperties();
- loadJwtProperties();
- }
-
- public JwtAuthenticationFilter(JwtAuthenticationProperties jwtProperties, AuthenticationEntryPoint entryPoint,
- Users users) {
- this.jwtProperties = jwtProperties;
- this.entryPoint = entryPoint;
- this.users = users;
- loadJwtProperties();
- }
-
- @Override
- public void init(FilterConfig filterConfig) throws ServletException {
-
- }
-
- @Override
- public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
-
- if (jwtProperties != null && isAuthenticationRequired()) {
- HttpServletRequest httpServletRequest = (HttpServletRequest) servletRequest;
- HttpServletResponse httpServletResponse = (HttpServletResponse) servletResponse;
-
- String serializedJWT = getJWTFromCookie(httpServletRequest);
- if (serializedJWT != null) {
- SignedJWT jwtToken = null;
- try {
- jwtToken = SignedJWT.parse(serializedJWT);
- boolean valid = validateToken(jwtToken);
-
- if (valid) {
- String userName = jwtToken.getJWTClaimsSet().getSubject();
- User user = users.getUser(userName, UserType.JWT);
- if (user == null) {
- // create user in local database on first login, usually we cannot fetch all users
- // from external authentication provider (as we do during ldap-sync process)
- users.createUser(userName, null, UserType.JWT, true, false);
- user = users.getUser(userName, UserType.JWT);
- }
-
- Collection<AmbariGrantedAuthority> userAuthorities =
- users.getUserAuthorities(user.getUserName(), user.getUserType());
-
- JwtAuthentication token = new JwtAuthentication(jwtToken, user, userAuthorities);
- token.setAuthenticated(true);
-
- SecurityContextHolder.getContext().setAuthentication(token);
-
-
- } else {
- LOG.warn("JWT authentication failed");
- if (ignoreFailure) {
- filterChain.doFilter(servletRequest, servletResponse);
- } else {
- //used to indicate authentication failure, not used here as we have more than one filter
- entryPoint.commence(httpServletRequest, httpServletResponse, new BadCredentialsException("Invalid JWT " +
- "token"));
- }
- }
-
-
-
- } catch (ParseException e) {
- LOG.warn("Unable to parse the JWT token", e);
- }
- }
- }
-
- filterChain.doFilter(servletRequest, servletResponse);
- }
-
- private void loadJwtProperties() {
- if (jwtProperties != null) {
- authenticationProviderUrl = jwtProperties.getAuthenticationProviderUrl();
- publicKey = jwtProperties.getPublicKey();
- audiences = jwtProperties.getAudiences();
- cookieName = jwtProperties.getCookieName();
- originalUrlQueryParam = jwtProperties.getOriginalUrlQueryParam();
- }
- }
-
- /**
- * Do not try to validate JWT if user already authenticated via other provider
- * @return true, if JWT validation required
- */
- private boolean isAuthenticationRequired() {
- Authentication existingAuth = SecurityContextHolder.getContext().getAuthentication();
- return !(existingAuth != null && existingAuth.isAuthenticated()) || existingAuth instanceof JwtAuthentication;
- }
-
- /**
- * Encapsulate the acquisition of the JWT token from HTTP cookies within the
- * request.
- *
- * @param req servlet request to get the JWT token from
- * @return serialized JWT token
- */
- protected String getJWTFromCookie(HttpServletRequest req) {
- String serializedJWT = null;
- Cookie[] cookies = req.getCookies();
- String userName = null;
- if (cookies != null) {
- for (Cookie cookie : cookies) {
- if (cookieName.equals(cookie.getName())) {
- LOG.info(cookieName
- + " cookie has been found and is being processed");
- serializedJWT = cookie.getValue();
- break;
- }
- }
- }
- return serializedJWT;
- }
- /**
- * Create the URL to be used for authentication of the user in the absence of
- * a JWT token within the incoming request.
- *
- * @param request for getting the original request URL
- * @return url to use as login url for redirect
- */
- protected String constructLoginURL(HttpServletRequest request) {
- String delimiter = "?";
- if (authenticationProviderUrl.contains("?")) {
- delimiter = "&";
- }
- String loginURL = authenticationProviderUrl + delimiter
- + originalUrlQueryParam + "="
- + request.getRequestURL().toString();
- return loginURL;
- }
-
- /**
- * This method provides a single method for validating the JWT for use in
- * request processing. It provides for the override of specific aspects of
- * this implementation through submethods used within but also allows for the
- * override of the entire token validation algorithm.
- *
- * @param jwtToken the token to validate
- * @return true if valid
- */
- protected boolean validateToken(SignedJWT jwtToken) {
- boolean sigValid = validateSignature(jwtToken);
- if (!sigValid) {
- LOG.warn("Signature could not be verified");
- }
- boolean audValid = validateAudiences(jwtToken);
- if (!audValid) {
- LOG.warn("Audience validation failed.");
- }
- boolean expValid = validateExpiration(jwtToken);
- if (!expValid) {
- LOG.info("Expiration validation failed.");
- }
-
- return sigValid && audValid && expValid;
- }
-
- /**
- * Verify the signature of the JWT token in this method. This method depends
- * on the public key that was established during init based upon the
- * provisioned public key. Override this method in subclasses in order to
- * customize the signature verification behavior.
- *
- * @param jwtToken the token that contains the signature to be validated
- * @return valid true if signature verifies successfully; false otherwise
- */
- protected boolean validateSignature(SignedJWT jwtToken) {
- boolean valid = false;
- if (JWSObject.State.SIGNED == jwtToken.getState()) {
- LOG.debug("JWT token is in a SIGNED state");
- if (jwtToken.getSignature() != null) {
- LOG.debug("JWT token signature is not null");
- try {
- JWSVerifier verifier = new RSASSAVerifier(publicKey);
- if (jwtToken.verify(verifier)) {
- valid = true;
- LOG.debug("JWT token has been successfully verified");
- } else {
- LOG.warn("JWT signature verification failed.");
- }
- } catch (JOSEException je) {
- LOG.warn("Error while validating signature", je);
- }
- }
- }
- return valid;
- }
-
- /**
- * Validate whether any of the accepted audience claims is present in the
- * issued token claims list for audience. Override this method in subclasses
- * in order to customize the audience validation behavior.
- *
- * @param jwtToken
- * the JWT token where the allowed audiences will be found
- * @return true if an expected audience is present, otherwise false
- */
- protected boolean validateAudiences(SignedJWT jwtToken) {
- boolean valid = false;
- try {
- List<String> tokenAudienceList = jwtToken.getJWTClaimsSet()
- .getAudience();
- // if there were no expected audiences configured then just
- // consider any audience acceptable
- if (audiences == null) {
- valid = true;
- } else {
- // if any of the configured audiences is found then consider it
- // acceptable
- boolean found = false;
- for (String aud : tokenAudienceList) {
- if (audiences.contains(aud)) {
- LOG.debug("JWT token audience has been successfully validated");
- valid = true;
- break;
- }
- }
- if (!valid) {
- LOG.warn("JWT audience validation failed.");
- }
- }
- } catch (ParseException pe) {
- LOG.warn("Unable to parse the JWT token.", pe);
- }
- return valid;
- }
-
- /**
- * Validate that the expiration time of the JWT token has not been violated.
- * If it has then throw an AuthenticationException. Override this method in
- * subclasses in order to customize the expiration validation behavior.
- *
- * @param jwtToken the token that contains the expiration date to validate
- * @return valid true if the token has not expired; false otherwise
- */
- protected boolean validateExpiration(SignedJWT jwtToken) {
- boolean valid = false;
- try {
- Date expires = jwtToken.getJWTClaimsSet().getExpirationTime();
- if (expires != null && new Date().before(expires)) {
- LOG.debug("JWT token expiration date has been "
- + "successfully validated");
- valid = true;
- } else {
- LOG.warn("JWT expiration date validation failed.");
- }
- } catch (ParseException pe) {
- LOG.warn("JWT expiration date validation failed.", pe);
- }
- return valid;
- }
-
- @Override
- public void destroy() {
-
- }
-}
http://git-wip-us.apache.org/repos/asf/ambari/blob/de5093a5/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/jwt/JwtAuthenticationProperties.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/jwt/JwtAuthenticationProperties.java b/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/jwt/JwtAuthenticationProperties.java
deleted file mode 100644
index d237a95..0000000
--- a/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/jwt/JwtAuthenticationProperties.java
+++ /dev/null
@@ -1,85 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.ambari.server.security.authorization.jwt;
-
-import java.security.interfaces.RSAPublicKey;
-import java.util.ArrayList;
-import java.util.Collections;
-import java.util.List;
-
-/**
- * Class describes parameters of external JWT authentication provider
- */
-public class JwtAuthenticationProperties {
- private String authenticationProviderUrl = null;
- private RSAPublicKey publicKey = null;
- private List<String> audiences = null;
- private String cookieName = "hadoop-jwt";
- private String originalUrlQueryParam = null;
-
- public String getAuthenticationProviderUrl() {
- return authenticationProviderUrl;
- }
-
- public void setAuthenticationProviderUrl(String authenticationProviderUrl) {
- this.authenticationProviderUrl = authenticationProviderUrl;
- }
-
- public RSAPublicKey getPublicKey() {
- return publicKey;
- }
-
- public void setPublicKey(RSAPublicKey publicKey) {
- this.publicKey = publicKey;
- }
-
- public List<String> getAudiences() {
- return audiences;
- }
-
- public void setAudiences(List<String> audiences) {
- this.audiences = audiences;
- }
-
- public void setAudiencesString(String audiencesString) {
- if (audiencesString != null) {
- // parse into the list
- String[] audArray = audiencesString.split(",");
- audiences = new ArrayList<String>();
- Collections.addAll(audiences, audArray);
- } else {
- audiences = null;
- }
- }
-
- public String getCookieName() {
- return cookieName;
- }
-
- public void setCookieName(String cookieName) {
- this.cookieName = cookieName;
- }
-
- public String getOriginalUrlQueryParam() {
- return originalUrlQueryParam;
- }
-
- public void setOriginalUrlQueryParam(String originalUrlQueryParam) {
- this.originalUrlQueryParam = originalUrlQueryParam;
- }
-}
http://git-wip-us.apache.org/repos/asf/ambari/blob/de5093a5/ambari-server/src/main/java/org/apache/ambari/server/security/encryption/CertificateUtils.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/security/encryption/CertificateUtils.java b/ambari-server/src/main/java/org/apache/ambari/server/security/encryption/CertificateUtils.java
deleted file mode 100644
index 16911fa..0000000
--- a/ambari-server/src/main/java/org/apache/ambari/server/security/encryption/CertificateUtils.java
+++ /dev/null
@@ -1,51 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.ambari.server.security.encryption;
-
-import org.apache.commons.io.FileUtils;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-import java.io.ByteArrayInputStream;
-import java.io.File;
-import java.io.IOException;
-import java.io.UnsupportedEncodingException;
-import java.security.cert.CertificateException;
-import java.security.cert.CertificateFactory;
-import java.security.cert.X509Certificate;
-import java.security.interfaces.RSAPublicKey;
-
-public class CertificateUtils {
- private static final Logger LOG = LoggerFactory.getLogger(CertificateUtils.class);
-
- public static RSAPublicKey getPublicKeyFromFile(String filePath) throws IOException, CertificateException {
- String pemString = FileUtils.readFileToString(new File(filePath));
- return getPublicKeyFromString(pemString);
- }
-
- public static RSAPublicKey getPublicKeyFromString(String certificateString)
- throws CertificateException, UnsupportedEncodingException {
-
- CertificateFactory fact = CertificateFactory.getInstance("X.509");
- ByteArrayInputStream is = new ByteArrayInputStream(
- certificateString.getBytes("UTF8"));
-
- X509Certificate cer = (X509Certificate) fact.generateCertificate(is);
- return (RSAPublicKey)cer.getPublicKey();
- }
-}
http://git-wip-us.apache.org/repos/asf/ambari/blob/de5093a5/ambari-server/src/main/java/org/apache/ambari/server/upgrade/UpgradeCatalog220.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/upgrade/UpgradeCatalog220.java b/ambari-server/src/main/java/org/apache/ambari/server/upgrade/UpgradeCatalog220.java
index 8e0aebb..804d97b 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/upgrade/UpgradeCatalog220.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/upgrade/UpgradeCatalog220.java
@@ -20,7 +20,6 @@ package org.apache.ambari.server.upgrade;
import java.sql.SQLException;
-import com.google.inject.Provider;
import org.apache.ambari.server.AmbariException;
import org.apache.ambari.server.orm.DBAccessor.DBColumnInfo;
import org.apache.ambari.server.orm.dao.DaoUtils;
@@ -30,18 +29,13 @@ import org.slf4j.LoggerFactory;
import com.google.inject.Inject;
import com.google.inject.Injector;
-import javax.persistence.EntityManager;
-
/**
* Upgrade catalog for version 2.2.0.
*/
public class UpgradeCatalog220 extends AbstractUpgradeCatalog {
private static final String HOST_ROLE_COMMAND_TABLE = "host_role_command";
- private static final String USERS_TABLE = "users";
-
private static final String HOST_ID_COL = "host_id";
- private static final String USER_TYPE_COL = "user_type";
@Inject
DaoUtils daoUtils;
@@ -91,12 +85,6 @@ public class UpgradeCatalog220 extends AbstractUpgradeCatalog {
protected void executeDDLUpdates() throws AmbariException, SQLException {
dbAccessor.alterColumn(HOST_ROLE_COMMAND_TABLE, new DBColumnInfo(HOST_ID_COL, Long.class, null, null, true));
- dbAccessor.addColumn(USERS_TABLE, new DBColumnInfo(USER_TYPE_COL, String.class, null, "LOCAL", true));
-
- dbAccessor.executeQuery("UPDATE users SET user_type='LDAP' WHERE ldap_user=1");
-
- dbAccessor.addUniqueConstraint(USERS_TABLE, "UNQ_users_0", "user_name", "user_type");
-
}
@Override
http://git-wip-us.apache.org/repos/asf/ambari/blob/de5093a5/ambari-server/src/main/python/ambari-server.py
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/python/ambari-server.py b/ambari-server/src/main/python/ambari-server.py
index a0f12e0..3ea608c 100755
--- a/ambari-server/src/main/python/ambari-server.py
+++ b/ambari-server/src/main/python/ambari-server.py
@@ -36,14 +36,12 @@ from ambari_server.serverUtils import is_server_runing, refresh_stack_hash
from ambari_server.serverSetup import reset, setup, setup_jce_policy
from ambari_server.serverUpgrade import upgrade, upgrade_stack, set_current
from ambari_server.setupHttps import setup_https, setup_truststore
-from ambari_server.setupSso import setup_sso
from ambari_server.hostUpdate import update_host_names
from ambari_server.enableStack import enable_stack_version
from ambari_server.setupActions import BACKUP_ACTION, LDAP_SETUP_ACTION, LDAP_SYNC_ACTION, PSTART_ACTION, \
REFRESH_STACK_HASH_ACTION, RESET_ACTION, RESTORE_ACTION, UPDATE_HOST_NAMES_ACTION, SETUP_ACTION, SETUP_SECURITY_ACTION, \
- START_ACTION, STATUS_ACTION, STOP_ACTION, UPGRADE_ACTION, UPGRADE_STACK_ACTION, SETUP_JCE_ACTION, \
- SET_CURRENT_ACTION, ENABLE_STACK_ACTION, SETUP_SSO_ACTION
+ START_ACTION, STATUS_ACTION, STOP_ACTION, UPGRADE_ACTION, UPGRADE_STACK_ACTION, SETUP_JCE_ACTION, SET_CURRENT_ACTION, ENABLE_STACK_ACTION
from ambari_server.setupSecurity import setup_ldap, sync_ldap, setup_master_key, setup_ambari_krb5_jaas
from ambari_server.userInput import get_validated_string_input
@@ -509,7 +507,6 @@ def create_user_action_map(args, options):
LDAP_SETUP_ACTION: UserAction(setup_ldap),
SETUP_SECURITY_ACTION: UserActionRestart(setup_security, options),
REFRESH_STACK_HASH_ACTION: UserAction(refresh_stack_hash_action),
- SETUP_SSO_ACTION: UserActionRestart(setup_sso, options)
}
return action_map
@@ -532,8 +529,7 @@ def create_user_action_map(args, options):
BACKUP_ACTION: UserActionPossibleArgs(backup, [1, 2], args),
RESTORE_ACTION: UserActionPossibleArgs(restore, [1, 2], args),
UPDATE_HOST_NAMES_ACTION: UserActionPossibleArgs(update_host_names, [2], args, options),
- ENABLE_STACK_ACTION: UserAction(enable_stack, options, args),
- SETUP_SSO_ACTION: UserActionRestart(setup_sso, options)
+ ENABLE_STACK_ACTION: UserAction(enable_stack, options, args)
}
return action_map
http://git-wip-us.apache.org/repos/asf/ambari/blob/de5093a5/ambari-server/src/main/python/ambari_server/setupActions.py
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/python/ambari_server/setupActions.py b/ambari-server/src/main/python/ambari_server/setupActions.py
index 5989020..ec2d788 100644
--- a/ambari-server/src/main/python/ambari_server/setupActions.py
+++ b/ambari-server/src/main/python/ambari_server/setupActions.py
@@ -30,7 +30,6 @@ REFRESH_STACK_HASH_ACTION = "refresh-stack-hash"
STATUS_ACTION = "status"
SETUP_HTTPS_ACTION = "setup-https"
LDAP_SETUP_ACTION = "setup-ldap"
-SETUP_SSO_ACTION = "setup-sso"
LDAP_SYNC_ACTION = "sync-ldap"
SET_CURRENT_ACTION = "set-current"
SETUP_GANGLIA_HTTPS_ACTION = "setup-ganglia-https"
@@ -40,4 +39,4 @@ UPDATE_HOST_NAMES_ACTION = "update-host-names"
BACKUP_ACTION = "backup"
RESTORE_ACTION = "restore"
SETUP_JCE_ACTION = "setup-jce"
-ENABLE_STACK_ACTION = "enable-stack"
\ No newline at end of file
+ENABLE_STACK_ACTION = "enable-stack"
http://git-wip-us.apache.org/repos/asf/ambari/blob/de5093a5/ambari-server/src/main/python/ambari_server/setupSso.py
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/python/ambari_server/setupSso.py b/ambari-server/src/main/python/ambari_server/setupSso.py
deleted file mode 100644
index a7c9108..0000000
--- a/ambari-server/src/main/python/ambari_server/setupSso.py
+++ /dev/null
@@ -1,121 +0,0 @@
-#!/usr/bin/env python
-
-'''
-Licensed to the Apache Software Foundation (ASF) under one
-or more contributor license agreements. See the NOTICE file
-distributed with this work for additional information
-regarding copyright ownership. The ASF licenses this file
-to you under the Apache License, Version 2.0 (the
-"License"); you may not use this file except in compliance
-with the License. You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-'''
-
-from ambari_commons.os_utils import is_root, run_os_command, copy_file, set_file_permissions, remove_file
-from ambari_commons.exceptions import FatalException, NonFatalException
-from ambari_commons.logging_utils import get_silent, print_warning_msg, print_error_msg
-from ambari_server.userInput import get_validated_string_input, get_prompt_default, read_password, get_YN_input
-
-from ambari_server.serverConfiguration import get_ambari_properties, get_value_from_properties, update_properties, \
- store_password_file
-
-JWT_AUTH_ENBABLED = "authentication.jwt.enabled"
-JWT_AUTH_PROVIDER_URL = "authentication.jwt.providerUrl"
-JWT_PUBLIC_KEY = "authentication.jwt.publicKey"
-JWT_AUDIENCES = "authentication.jwt.audiences"
-JWT_COOKIE_NAME = "authentication.jwt.cookieName"
-JWT_ORIGINAL_URL_QUERY_PARAM = "authentication.jwt.originalUrlParamName"
-
-JWT_COOKIE_NAME_DEFAULT = "hadoop-jwt"
-JWT_ORIGINAL_URL_QUERY_PARAM_DEFAULT = "originalUrl"
-
-REGEX_ANYTHING = ".*"
-
-JWT_PUBLIC_KEY_FILENAME = "jwt-cert.crt"
-JWT_PUBLIC_KEY_HEADER = "-----BEGIN CERTIFICATE-----\n"
-JWT_PUBLIC_KEY_FOOTER = "\n-----END CERTIFICATE-----"
-
-
-
-def setup_sso(args):
- if not is_root():
- err = 'ambari-server setup-sso should be run with ' \
- 'root-level privileges'
- raise FatalException(4, err)
- if not get_silent():
- properties = get_ambari_properties()
-
- must_setup_params = False
-
- sso_enabled = properties.get_property(JWT_AUTH_ENBABLED).lower() in ['true']
-
- if sso_enabled:
- if get_YN_input("Do you want to disable SSO authentication [y/n] (n)?", False):
- properties.process_pair(JWT_AUTH_ENBABLED, "false")
- else:
- if get_YN_input("Do you want to configure SSO authentication [y/n] (y)?", True):
- must_setup_params = True
- else:
- return False
-
- if must_setup_params:
- provider_url = properties.get_property(JWT_AUTH_PROVIDER_URL)
- provider_url = get_validated_string_input("Provider URL [URL] ({}):".format(provider_url),
- provider_url,
- REGEX_ANYTHING,
- "Invalid provider URL",
- False)
- properties.process_pair(JWT_AUTH_PROVIDER_URL, provider_url)
-
- cert_string = properties.get_property(JWT_PUBLIC_KEY)
- cert_string = get_validated_string_input("Public Certificate [BASE64] ({}):".format('stored' if cert_string else 'empty'),
- cert_string,
- REGEX_ANYTHING,
- "Invalid public certificae string",
- False)
-
- if get_YN_input("Do you want to configure advanced properties [y/n] (n) ?", False):
- cookie_name = get_value_from_properties(properties, JWT_COOKIE_NAME, JWT_COOKIE_NAME_DEFAULT)
- cookie_name = get_validated_string_input("JWT Cookie name ({}):".format(cookie_name),
- cookie_name,
- REGEX_ANYTHING,
- "Invalid cookie name",
- False)
- properties.process_pair(JWT_COOKIE_NAME, cookie_name)
-
- audiences = properties.get_property(JWT_AUDIENCES)
- audiences = get_validated_string_input("JWT audiences list (comma-separated), empty for any ({}):".format(audiences),
- audiences,
- REGEX_ANYTHING,
- "Invalid value",
- False)
- properties.process_pair(JWT_AUDIENCES, audiences)
-
- # TODO not required for now as we support Knox only
- # orig_query_param = get_value_from_properties(JWT_ORIGINAL_URL_QUERY_PARAM, JWT_ORIGINAL_URL_QUERY_PARAM_DEFAULT)
- # orig_query_param = get_validated_string_input("Original URL query parameter name ({}):".format(orig_query_param),
- # orig_query_param,
- # REGEX_ANYTHING,
- # "Invalid value",
- # False)
- # properties.process_pair(JWT_ORIGINAL_URL_QUERY_PARAM, orig_query_param)
-
- full_cert = JWT_PUBLIC_KEY_HEADER + cert_string + JWT_PUBLIC_KEY_FOOTER
- cert_path = store_password_file(full_cert, JWT_PUBLIC_KEY_FILENAME)
- properties.process_pair(JWT_PUBLIC_KEY, cert_path)
-
- update_properties(properties)
-
- pass
- else:
- warning = "setup-sso is not enabled in silent mode."
- raise NonFatalException(warning)
-
- pass
http://git-wip-us.apache.org/repos/asf/ambari/blob/de5093a5/ambari-server/src/main/resources/Ambari-DDL-MySQL-CREATE.sql
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/Ambari-DDL-MySQL-CREATE.sql b/ambari-server/src/main/resources/Ambari-DDL-MySQL-CREATE.sql
index df1d52a..62d8054 100644
--- a/ambari-server/src/main/resources/Ambari-DDL-MySQL-CREATE.sql
+++ b/ambari-server/src/main/resources/Ambari-DDL-MySQL-CREATE.sql
@@ -196,7 +196,6 @@ CREATE TABLE users (
principal_id BIGINT NOT NULL,
create_time TIMESTAMP DEFAULT NOW(),
ldap_user INTEGER NOT NULL DEFAULT 0,
- user_type VARCHAR(255) NOT NULL DEFAULT 'LOCAL',
user_name VARCHAR(255) NOT NULL,
user_password VARCHAR(255),
active INTEGER NOT NULL DEFAULT 1,
@@ -649,7 +648,7 @@ CREATE TABLE topology_logical_task (
);
-- altering tables by creating unique constraints----------
-ALTER TABLE users ADD CONSTRAINT UNQ_users_0 UNIQUE (user_name, user_type);
+ALTER TABLE users ADD CONSTRAINT UNQ_users_0 UNIQUE (user_name, ldap_user);
ALTER TABLE groups ADD CONSTRAINT UNQ_groups_0 UNIQUE (group_name, ldap_group);
ALTER TABLE members ADD CONSTRAINT UNQ_members_0 UNIQUE (group_id, user_id);
ALTER TABLE clusterconfig ADD CONSTRAINT UQ_config_type_tag UNIQUE (cluster_id, type_name, version_tag);
http://git-wip-us.apache.org/repos/asf/ambari/blob/de5093a5/ambari-server/src/main/resources/Ambari-DDL-Oracle-CREATE.sql
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/Ambari-DDL-Oracle-CREATE.sql b/ambari-server/src/main/resources/Ambari-DDL-Oracle-CREATE.sql
index 45da04c..fe024ce 100644
--- a/ambari-server/src/main/resources/Ambari-DDL-Oracle-CREATE.sql
+++ b/ambari-server/src/main/resources/Ambari-DDL-Oracle-CREATE.sql
@@ -187,7 +187,6 @@ CREATE TABLE users (
create_time TIMESTAMP NULL,
ldap_user NUMBER(10) DEFAULT 0,
user_name VARCHAR2(255) NULL,
- user_type VARCHAR(255) DEFAULT 'LOCAL',
user_password VARCHAR2(255) NULL,
active INTEGER DEFAULT 1 NOT NULL,
active_widget_layouts VARCHAR2(1024) DEFAULT NULL,
@@ -638,7 +637,7 @@ CREATE TABLE topology_logical_task (
);
--------altering tables by creating unique constraints----------
-ALTER TABLE users ADD CONSTRAINT UNQ_users_0 UNIQUE (user_name, user_type);
+ALTER TABLE users ADD CONSTRAINT UNQ_users_0 UNIQUE (user_name, ldap_user);
ALTER TABLE groups ADD CONSTRAINT UNQ_groups_0 UNIQUE (group_name, ldap_group);
ALTER TABLE members ADD CONSTRAINT UNQ_members_0 UNIQUE (group_id, user_id);
ALTER TABLE clusterconfig ADD CONSTRAINT UQ_config_type_tag UNIQUE (cluster_id, type_name, version_tag);
http://git-wip-us.apache.org/repos/asf/ambari/blob/de5093a5/ambari-server/src/main/resources/Ambari-DDL-Postgres-CREATE.sql
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/Ambari-DDL-Postgres-CREATE.sql b/ambari-server/src/main/resources/Ambari-DDL-Postgres-CREATE.sql
index 2ecbe3c..3ae65ee 100644
--- a/ambari-server/src/main/resources/Ambari-DDL-Postgres-CREATE.sql
+++ b/ambari-server/src/main/resources/Ambari-DDL-Postgres-CREATE.sql
@@ -195,12 +195,12 @@ CREATE TABLE users (
principal_id BIGINT NOT NULL,
ldap_user INTEGER NOT NULL DEFAULT 0,
user_name VARCHAR(255) NOT NULL,
- user_type VARCHAR(255) NOT NULL DEFAULT 'LOCAL',
create_time TIMESTAMP DEFAULT NOW(),
user_password VARCHAR(255),
active INTEGER NOT NULL DEFAULT 1,
active_widget_layouts VARCHAR(1024) DEFAULT NULL,
- PRIMARY KEY (user_id));
+ PRIMARY KEY (user_id),
+ UNIQUE (ldap_user, user_name));
CREATE TABLE groups (
group_id INTEGER,
@@ -642,7 +642,6 @@ CREATE TABLE topology_logical_task (
);
--------altering tables by creating unique constraints----------
-ALTER TABLE users ADD CONSTRAINT UNQ_users_0 UNIQUE (user_name, user_type);
ALTER TABLE clusterconfig ADD CONSTRAINT UQ_config_type_tag UNIQUE (cluster_id, type_name, version_tag);
ALTER TABLE clusterconfig ADD CONSTRAINT UQ_config_type_version UNIQUE (cluster_id, type_name, version);
ALTER TABLE hosts ADD CONSTRAINT UQ_hosts_host_name UNIQUE (host_name);
http://git-wip-us.apache.org/repos/asf/ambari/blob/de5093a5/ambari-server/src/main/resources/Ambari-DDL-Postgres-EMBEDDED-CREATE.sql
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/Ambari-DDL-Postgres-EMBEDDED-CREATE.sql b/ambari-server/src/main/resources/Ambari-DDL-Postgres-EMBEDDED-CREATE.sql
index 0e6cd6f..c014443 100644
--- a/ambari-server/src/main/resources/Ambari-DDL-Postgres-EMBEDDED-CREATE.sql
+++ b/ambari-server/src/main/resources/Ambari-DDL-Postgres-EMBEDDED-CREATE.sql
@@ -222,12 +222,12 @@ CREATE TABLE ambari.users (
principal_id BIGINT NOT NULL,
ldap_user INTEGER NOT NULL DEFAULT 0,
user_name VARCHAR(255) NOT NULL,
- user_type VARCHAR(255) NOT NULL DEFAULT 'LOCAL',
create_time TIMESTAMP DEFAULT NOW(),
user_password VARCHAR(255),
active INTEGER NOT NULL DEFAULT 1,
active_widget_layouts VARCHAR(1024) DEFAULT NULL,
- PRIMARY KEY (user_id));
+ PRIMARY KEY (user_id),
+ UNIQUE (ldap_user, user_name));
GRANT ALL PRIVILEGES ON TABLE ambari.users TO :username;
CREATE TABLE ambari.groups (
@@ -721,7 +721,6 @@ CREATE TABLE ambari.topology_logical_task (
GRANT ALL PRIVILEGES ON TABLE ambari.topology_logical_task TO :username;
--------altering tables by creating unique constraints----------
-ALTER TABLE ambari.users ADD CONSTRAINT UNQ_users_0 UNIQUE (user_name, user_type);
ALTER TABLE ambari.clusterconfig ADD CONSTRAINT UQ_config_type_tag UNIQUE (cluster_id, type_name, version_tag);
ALTER TABLE ambari.clusterconfig ADD CONSTRAINT UQ_config_type_version UNIQUE (cluster_id, type_name, version);
ALTER TABLE ambari.hosts ADD CONSTRAINT UQ_hosts_host_name UNIQUE (host_name);
http://git-wip-us.apache.org/repos/asf/ambari/blob/de5093a5/ambari-server/src/main/resources/Ambari-DDL-SQLAnywhere-CREATE.sql
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/Ambari-DDL-SQLAnywhere-CREATE.sql b/ambari-server/src/main/resources/Ambari-DDL-SQLAnywhere-CREATE.sql
index e53c510..bba17a5 100644
--- a/ambari-server/src/main/resources/Ambari-DDL-SQLAnywhere-CREATE.sql
+++ b/ambari-server/src/main/resources/Ambari-DDL-SQLAnywhere-CREATE.sql
@@ -186,7 +186,6 @@ CREATE TABLE users (
create_time TIMESTAMP DEFAULT NOW(),
ldap_user INTEGER NOT NULL DEFAULT 0,
user_name VARCHAR(255) NOT NULL,
- user_type VARCHAR(255) NOT NULL DEFAULT 'LOCAL',
user_password VARCHAR(255),
active INTEGER NOT NULL DEFAULT 1,
active_widget_layouts VARCHAR(1024) DEFAULT NULL,
@@ -639,7 +638,7 @@ CREATE TABLE topology_logical_task (
);
-- altering tables by creating unique constraints----------
-ALTER TABLE users ADD CONSTRAINT UNQ_users_0 UNIQUE (user_name, user_type);
+ALTER TABLE users ADD CONSTRAINT UNQ_users_0 UNIQUE (user_name, ldap_user);
ALTER TABLE groups ADD CONSTRAINT UNQ_groups_0 UNIQUE (group_name, ldap_group);
ALTER TABLE members ADD CONSTRAINT UNQ_members_0 UNIQUE (group_id, user_id);
ALTER TABLE clusterconfig ADD CONSTRAINT UQ_config_type_tag UNIQUE (cluster_id, type_name, version_tag);
http://git-wip-us.apache.org/repos/asf/ambari/blob/de5093a5/ambari-server/src/main/resources/Ambari-DDL-SQLServer-CREATE.sql
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/Ambari-DDL-SQLServer-CREATE.sql b/ambari-server/src/main/resources/Ambari-DDL-SQLServer-CREATE.sql
index 1839298..60938c3 100644
--- a/ambari-server/src/main/resources/Ambari-DDL-SQLServer-CREATE.sql
+++ b/ambari-server/src/main/resources/Ambari-DDL-SQLServer-CREATE.sql
@@ -207,12 +207,15 @@ CREATE TABLE users (
principal_id BIGINT NOT NULL,
ldap_user INTEGER NOT NULL DEFAULT 0,
user_name VARCHAR(255) NOT NULL,
- user_type VARCHAR(255) NOT NULL DEFAULT 'LOCAL',
create_time DATETIME DEFAULT GETDATE(),
user_password VARCHAR(255),
active INTEGER NOT NULL DEFAULT 1,
active_widget_layouts VARCHAR(1024) DEFAULT NULL,
- PRIMARY KEY CLUSTERED (user_id)
+ PRIMARY KEY CLUSTERED (user_id),
+ UNIQUE (
+ ldap_user,
+ user_name
+ )
);
CREATE TABLE groups (
@@ -751,7 +754,7 @@ CREATE TABLE topology_logical_task (
-- altering tables by creating unique constraints----------
--------altering tables to add constraints----------
-ALTER TABLE users ADD CONSTRAINT UNQ_users_0 UNIQUE (user_name, user_type);
+ALTER TABLE users ADD CONSTRAINT UNQ_users_0 UNIQUE (user_name, ldap_user);
ALTER TABLE groups ADD CONSTRAINT UNQ_groups_0 UNIQUE (group_name, ldap_group);
ALTER TABLE members ADD CONSTRAINT UNQ_members_0 UNIQUE (group_id, user_id);
ALTER TABLE clusterconfig ADD CONSTRAINT UQ_config_type_tag UNIQUE (cluster_id, type_name, version_tag);
http://git-wip-us.apache.org/repos/asf/ambari/blob/de5093a5/ambari-server/src/main/resources/properties.json
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/properties.json b/ambari-server/src/main/resources/properties.json
index 4052ad2..727bdc7 100644
--- a/ambari-server/src/main/resources/properties.json
+++ b/ambari-server/src/main/resources/properties.json
@@ -165,7 +165,6 @@
"Users/password",
"Users/old_password",
"Users/ldap_user",
- "Users/user_type",
"Users/active",
"Users/groups",
"Users/admin",
http://git-wip-us.apache.org/repos/asf/ambari/blob/de5093a5/ambari-server/src/main/resources/webapp/WEB-INF/spring-security.xml
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/webapp/WEB-INF/spring-security.xml b/ambari-server/src/main/resources/webapp/WEB-INF/spring-security.xml
index 8b5bd97..097e233 100644
--- a/ambari-server/src/main/resources/webapp/WEB-INF/spring-security.xml
+++ b/ambari-server/src/main/resources/webapp/WEB-INF/spring-security.xml
@@ -24,10 +24,9 @@
<http use-expressions="true"
disable-url-rewriting="true" entry-point-ref="ambariEntryPoint">
- <http-basic/>
+ <http-basic entry-point-ref="ambariEntryPoint"/>
<intercept-url pattern="/**" access="isAuthenticated()"/>
- <custom-filter ref="ambariJwtAuthenticationFilter" after="BASIC_AUTH_FILTER" />
- <custom-filter ref="ambariAuthorizationFilter" before="FILTER_SECURITY_INTERCEPTOR"/>
+ <custom-filter ref="ambariAuthorizationFilter" after="BASIC_AUTH_FILTER"/>
</http>
<!--<ldap-server id="ldapServer" root="dc=ambari,dc=apache,dc=org"/>-->
http://git-wip-us.apache.org/repos/asf/ambari/blob/de5093a5/ambari-server/src/test/java/org/apache/ambari/server/api/AmbariErrorHandlerTest.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/test/java/org/apache/ambari/server/api/AmbariErrorHandlerTest.java b/ambari-server/src/test/java/org/apache/ambari/server/api/AmbariErrorHandlerTest.java
index 8b4f99c..fb41f6e 100644
--- a/ambari-server/src/test/java/org/apache/ambari/server/api/AmbariErrorHandlerTest.java
+++ b/ambari-server/src/test/java/org/apache/ambari/server/api/AmbariErrorHandlerTest.java
@@ -21,7 +21,6 @@ package org.apache.ambari.server.api;
import com.google.gson.Gson;
import com.google.gson.JsonSyntaxException;
import com.sun.jersey.api.client.*;
-import org.apache.ambari.server.configuration.Configuration;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.servlet.DefaultServlet;
import org.eclipse.jetty.servlet.ServletContextHandler;
@@ -52,14 +51,13 @@ public class AmbariErrorHandlerTest {
@Test
public void testErrorWithJetty() throws Exception {
Server server = new Server(0);
- Configuration configuration = new Configuration();
ServletContextHandler root = new ServletContextHandler(server, "/",
ServletContextHandler.SECURITY | ServletContextHandler.SESSIONS);
root.addServlet(HelloServlet.class, "/hello");
root.addServlet(DefaultServlet.class, "/");
- root.setErrorHandler(new AmbariErrorHandler(gson, configuration));
+ root.setErrorHandler(new AmbariErrorHandler(gson));
server.start();