Posted to commits@atlas.apache.org by ni...@apache.org on 2019/09/09 09:05:44 UTC

[atlas] branch branch-2.0 updated: ATLAS-3387-Consider X-FORWARDED-FOR header for getting end user IP address when connected with proxy.

This is an automated email from the ASF dual-hosted git repository.

nixon pushed a commit to branch branch-2.0
in repository https://gitbox.apache.org/repos/asf/atlas.git


The following commit(s) were added to refs/heads/branch-2.0 by this push:
     new cc3566b  ATLAS-3387-Consider X-FORWARDED-FOR header for getting end user IP address when connected with proxy.
cc3566b is described below

commit cc3566b0b075305c9818478df63754dfa35748f0
Author: nikhilbonte <ni...@freestoneinfotech.com>
AuthorDate: Tue Aug 27 12:39:46 2019 +0530

    ATLAS-3387-Consider X-FORWARDED-FOR header for getting end user IP address when connected with proxy.
    
    Signed-off-by: nixonrodrigues <ni...@apache.org>
    (cherry picked from commit 331fb430e86d27e30f8640f54e9774f6600761c9)
---
 .../apache/atlas/authorize/AtlasAccessRequest.java | 35 ++++++++++++++++++++--
 .../atlas/authorize/AtlasAdminAccessRequest.java   |  3 +-
 .../atlas/authorize/AtlasAuthorizationUtils.java   | 22 ++++++++++++++
 .../atlas/authorize/AtlasEntityAccessRequest.java  |  5 ++--
 .../authorize/AtlasRelationshipAccessRequest.java  |  3 +-
 .../authorize/AtlasSearchResultScrubRequest.java   |  3 +-
 .../atlas/authorize/AtlasTypeAccessRequest.java    |  3 +-
 .../main/java/org/apache/atlas/RequestContext.java | 26 ++++++++++++----
 .../org/apache/atlas/web/filters/AuditFilter.java  |  1 +
 9 files changed, 87 insertions(+), 14 deletions(-)

diff --git a/authorization/src/main/java/org/apache/atlas/authorize/AtlasAccessRequest.java b/authorization/src/main/java/org/apache/atlas/authorize/AtlasAccessRequest.java
index b031f4c..c76a871 100644
--- a/authorization/src/main/java/org/apache/atlas/authorize/AtlasAccessRequest.java
+++ b/authorization/src/main/java/org/apache/atlas/authorize/AtlasAccessRequest.java
@@ -30,6 +30,7 @@ import org.slf4j.LoggerFactory;
 import java.util.Collections;
 import java.util.Date;
 import java.util.HashSet;
+import java.util.List;
 import java.util.Map;
 import java.util.Set;
 
@@ -43,6 +44,8 @@ public class AtlasAccessRequest {
     private       String         user            = null;
     private       Set<String>    userGroups      = null;
     private       String         clientIPAddress = null;
+    private       List<String>   forwardedAddresses;
+    private       String         remoteIPAddress;
 
 
     protected AtlasAccessRequest(AtlasPrivilege action) {
@@ -50,7 +53,14 @@ public class AtlasAccessRequest {
     }
 
     protected AtlasAccessRequest(AtlasPrivilege action, String user, Set<String> userGroups) {
-        this(action, user, userGroups, new Date(), null);
+        this(action, user, userGroups, new Date(), null, null, null);
+    }
+
+    protected AtlasAccessRequest(AtlasPrivilege action, String user, Set<String> userGroups, Date accessTime,
+                                 String clientIPAddress, List<String> forwardedAddresses, String remoteIPAddress) {
+        this(action, user, userGroups, accessTime, clientIPAddress);
+        this.forwardedAddresses  = forwardedAddresses;
+        this.remoteIPAddress     = remoteIPAddress;
     }
 
     protected AtlasAccessRequest(AtlasPrivilege action, String user, Set<String> userGroups, Date accessTime, String clientIPAddress) {
@@ -82,10 +92,26 @@ public class AtlasAccessRequest {
         this.userGroups = userGroups;
     }
 
+    public List<String> getForwardedAddresses() {
+        return forwardedAddresses;
+    }
+
+    public String getRemoteIPAddress() {
+        return remoteIPAddress;
+    }
+
     public String getClientIPAddress() {
         return clientIPAddress;
     }
 
+    public void setForwardedAddresses(List<String> forwardedAddresses) {
+        this.forwardedAddresses = forwardedAddresses;
+    }
+
+    public void setRemoteIPAddress(String remoteIPAddress) {
+        this.remoteIPAddress = remoteIPAddress;
+    }
+
     public void setClientIPAddress(String clientIPAddress) {
         this.clientIPAddress = clientIPAddress;
     }
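Review bot: The new accessors `getForwardedAddresses()` and `getRemoteIPAddress()` have no Javadoc, and nothing in this class says how the three address fields differ. An authorizer implementation reading this API needs to know that `forwardedAddresses` holds the X-FORWARDED-FOR entries exactly as the request carried them, and that it is null when the header is absent. I would add `/** X-FORWARDED-FOR entries as received from the request, unvalidated; null when the header is absent. */` on the getter, plus a one-line comment on `getRemoteIPAddress()` stating what distinguishes it from `getClientIPAddress()`.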
@@ -168,7 +194,10 @@ public class AtlasAccessRequest {
 
     @Override
     public String toString() {
-        return "AtlasAccessRequest[action=" + action + ", accessTime=" + accessTime + ", user=" + user +
-                                   ", userGroups=" + userGroups + ", clientIPAddress=" + clientIPAddress + "]";
+        return "AtlasAccessRequest[" + "action=" + action + ", accessTime=" + accessTime +", user='" + user + '\'' +
+                ", userGroups=" + userGroups + ", clientIPAddress='" + clientIPAddress + '\'' +
+                ", forwardedAddresses=" + forwardedAddresses + ", remoteIPAddress='" + remoteIPAddress + '\'' +
+                ']';
+
     }
 }
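Review bot: This `toString()` now wraps `user`, `clientIPAddress` and `remoteIPAddress` in single quotes, while the subclass `toString()` methods edited in the same commit (AtlasAdminAccessRequest, AtlasEntityAccessRequest and the others) still print those fields unquoted. Anything that greps or parses these lines will see two formats for the same fields, so one convention should be chosen for all of them. The empty line before the closing brace and the missing space in `accessTime +", user='"` can be tidied at the same time.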
diff --git a/authorization/src/main/java/org/apache/atlas/authorize/AtlasAdminAccessRequest.java b/authorization/src/main/java/org/apache/atlas/authorize/AtlasAdminAccessRequest.java
index 1782b32..5f571fb 100644
--- a/authorization/src/main/java/org/apache/atlas/authorize/AtlasAdminAccessRequest.java
+++ b/authorization/src/main/java/org/apache/atlas/authorize/AtlasAdminAccessRequest.java
@@ -33,6 +33,7 @@ public class AtlasAdminAccessRequest extends AtlasAccessRequest {
     @Override
     public String toString() {
         return "AtlasAdminAccessRequest[action=" + getAction() + ", accessTime=" + getAccessTime() + ", user=" + getUser() +
-                                        ", userGroups=" + getUserGroups() + ", clientIPAddress=" + getClientIPAddress() + "]";
+                                        ", userGroups=" + getUserGroups() + ", clientIPAddress=" + getClientIPAddress() +
+                ", forwardedAddresses=" + getForwardedAddresses() + ", remoteIPAddress=" + getRemoteIPAddress() + "]";
     }
 }
diff --git a/authorization/src/main/java/org/apache/atlas/authorize/AtlasAuthorizationUtils.java b/authorization/src/main/java/org/apache/atlas/authorize/AtlasAuthorizationUtils.java
index ac2f525..460b454 100644
--- a/authorization/src/main/java/org/apache/atlas/authorize/AtlasAuthorizationUtils.java
+++ b/authorization/src/main/java/org/apache/atlas/authorize/AtlasAuthorizationUtils.java
@@ -35,6 +35,8 @@ import java.net.InetAddress;
 import java.net.UnknownHostException;
 import java.util.HashSet;
 import java.util.Set;
+import java.util.List;
+import java.util.Arrays;
 
 public class AtlasAuthorizationUtils {
     private static final Logger LOG = LoggerFactory.getLogger(AtlasAuthorizationUtils.class);
@@ -79,6 +81,8 @@ public class AtlasAuthorizationUtils {
 
                 request.setUser(userName, getCurrentUserGroups());
                 request.setClientIPAddress(RequestContext.get().getClientIPAddress());
+                request.setForwardedAddresses(RequestContext.get().getForwardedAddresses());
+                request.setRemoteIPAddress(RequestContext.get().getClientIPAddress());
 
                 authorizer.scrubSearchResults(request);
             } catch (AtlasAuthorizationException e) {
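Review bot: `request.setRemoteIPAddress(RequestContext.get().getClientIPAddress())` passes the same value that the line two above gives to `setClientIPAddress`, so `remoteIPAddress` and `clientIPAddress` are always identical on the request. If one is meant to be the socket peer and the other the address derived from the forwarded chain, that distinction is not made in any visible hunk; otherwise the extra field tells the authorizer nothing new. The same block is repeated in the hunks at -99, -124, -149 and -174 of this file, and a small private helper (for example `populateRequestAddresses(request)`, name only a suggestion) would keep the five copies from drifting apart. The enclosing method starts and ends outside this hunk.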
@@ -99,6 +103,8 @@ public class AtlasAuthorizationUtils {
 
                 request.setUser(userName, getCurrentUserGroups());
                 request.setClientIPAddress(RequestContext.get().getClientIPAddress());
+                request.setForwardedAddresses(RequestContext.get().getForwardedAddresses());
+                request.setRemoteIPAddress(RequestContext.get().getClientIPAddress());
                 ret = authorizer.isAccessAllowed(request);
             } catch (AtlasAuthorizationException e) {
                 LOG.error("Unable to obtain AtlasAuthorizer", e);
@@ -124,6 +130,8 @@ public class AtlasAuthorizationUtils {
 
                 request.setUser(getCurrentUserName(), getCurrentUserGroups());
                 request.setClientIPAddress(RequestContext.get().getClientIPAddress());
+                request.setForwardedAddresses(RequestContext.get().getForwardedAddresses());
+                request.setRemoteIPAddress(RequestContext.get().getClientIPAddress());
                 ret = authorizer.isAccessAllowed(request);
             } catch (AtlasAuthorizationException e) {
                 LOG.error("Unable to obtain AtlasAuthorizer", e);
@@ -149,6 +157,8 @@ public class AtlasAuthorizationUtils {
 
                 request.setUser(getCurrentUserName(), getCurrentUserGroups());
                 request.setClientIPAddress(RequestContext.get().getClientIPAddress());
+                request.setForwardedAddresses(RequestContext.get().getForwardedAddresses());
+                request.setRemoteIPAddress(RequestContext.get().getClientIPAddress());
                 ret = authorizer.isAccessAllowed(request);
             } catch (AtlasAuthorizationException e) {
                 LOG.error("Unable to obtain AtlasAuthorizer", e);
@@ -174,6 +184,8 @@ public class AtlasAuthorizationUtils {
 
                 request.setUser(getCurrentUserName(), getCurrentUserGroups());
                 request.setClientIPAddress(RequestContext.get().getClientIPAddress());
+                request.setForwardedAddresses(RequestContext.get().getForwardedAddresses());
+                request.setRemoteIPAddress(RequestContext.get().getClientIPAddress());
                 ret = authorizer.isAccessAllowed(request);
             } catch (AtlasAuthorizationException e) {
                 LOG.error("Unable to obtain AtlasAuthorizer", e);
@@ -187,6 +199,16 @@ public class AtlasAuthorizationUtils {
         return ret;
     }
 
+    public static List<String> getForwardedAddressesFromRequest(HttpServletRequest httpServletRequest){
+        String ipAddress = httpServletRequest.getHeader("X-FORWARDED-FOR");
+        String[] forwardedAddresses = null ;
+
+        if(!StringUtils.isEmpty(ipAddress)){
+            forwardedAddresses = ipAddress.split(",");
+        }
+        return forwardedAddresses != null ? Arrays.asList(forwardedAddresses) : null;
+    }
+
     public static String getRequestIpAddress(HttpServletRequest httpServletRequest) {
         String ret = "";
 
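Review bot: `ipAddress.split(",")` keeps the whitespace that conventionally follows each comma in X-FORWARDED-FOR (`client, proxy1, proxy2`), so every entry after the first reaches the authorizer with a leading space and will not compare equal to a plain address. Each element should be trimmed and empty elements dropped; the version below does that and keeps the existing null return for a missing header, so the callers in this commit are unaffected. It uses `java.util.ArrayList`, which this file would need to import, and the `Arrays` import added above would presumably become unused. `getRequestIpAddress` at the end of the hunk continues outside it.

```java
    public static List<String> getForwardedAddressesFromRequest(HttpServletRequest httpServletRequest) {
        String headerValue = httpServletRequest.getHeader("X-FORWARDED-FOR");

        if (StringUtils.isEmpty(headerValue)) {
            return null; // header absent: same result as before
        }

        List<String> ret = new ArrayList<>();

        for (String entry : headerValue.split(",")) {
            String address = entry.trim();

            if (!address.isEmpty()) {
                ret.add(address);
            }
        }

        return ret;
    }
```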
diff --git a/authorization/src/main/java/org/apache/atlas/authorize/AtlasEntityAccessRequest.java b/authorization/src/main/java/org/apache/atlas/authorize/AtlasEntityAccessRequest.java
index 07ff678..951e5c9 100644
--- a/authorization/src/main/java/org/apache/atlas/authorize/AtlasEntityAccessRequest.java
+++ b/authorization/src/main/java/org/apache/atlas/authorize/AtlasEntityAccessRequest.java
@@ -107,8 +107,9 @@ public class AtlasEntityAccessRequest extends AtlasAccessRequest {
     @Override
     public String toString() {
         return "AtlasEntityAccessRequest[entity=" + entity + ", classification=" + classification + ", attributeName=" + attributeName +
-                                         ", action=" + getAction() + ", accessTime=" + getAccessTime() + ", user=" + getUser() +
-                                         ", userGroups=" + getUserGroups() + ", clientIPAddress=" + getClientIPAddress() + "]";
+                ", action=" + getAction() + ", accessTime=" + getAccessTime() + ", user=" + getUser() +
+                ", userGroups=" + getUserGroups() + ", clientIPAddress=" + getClientIPAddress() +
+                ", forwardedAddresses=" + getForwardedAddresses() + ", remoteIPAddress=" + getRemoteIPAddress() + "]";
     }
 }
 
diff --git a/authorization/src/main/java/org/apache/atlas/authorize/AtlasRelationshipAccessRequest.java b/authorization/src/main/java/org/apache/atlas/authorize/AtlasRelationshipAccessRequest.java
index d2da03c..b530c01 100644
--- a/authorization/src/main/java/org/apache/atlas/authorize/AtlasRelationshipAccessRequest.java
+++ b/authorization/src/main/java/org/apache/atlas/authorize/AtlasRelationshipAccessRequest.java
@@ -88,6 +88,7 @@ public class AtlasRelationshipAccessRequest extends AtlasAccessRequest {
     public String toString() {
         return "AtlasRelationshipAccessRequest[relationshipType=" + relationshipType + ", end1Entity=" + end1Entity + ", end2Entity=" + end2Entity +
                 ", action=" + getAction() + ", accessTime=" + getAccessTime() + ", user=" + getUser() +
-                ", userGroups=" + getUserGroups() + ", clientIPAddress=" + getClientIPAddress() + "]";
+                ", userGroups=" + getUserGroups() + ", clientIPAddress=" + getClientIPAddress() +
+                ", forwardedAddresses=" + getForwardedAddresses() + ", remoteIPAddress=" + getRemoteIPAddress() + "]";
     }
 }
diff --git a/authorization/src/main/java/org/apache/atlas/authorize/AtlasSearchResultScrubRequest.java b/authorization/src/main/java/org/apache/atlas/authorize/AtlasSearchResultScrubRequest.java
index c908b28..63468a7 100644
--- a/authorization/src/main/java/org/apache/atlas/authorize/AtlasSearchResultScrubRequest.java
+++ b/authorization/src/main/java/org/apache/atlas/authorize/AtlasSearchResultScrubRequest.java
@@ -47,7 +47,8 @@ public class AtlasSearchResultScrubRequest extends AtlasAccessRequest {
     @Override
     public String toString() {
         return "AtlasSearchResultScrubRequest[searchResult=" + searchResult + ", action=" + getAction() + ", accessTime=" + getAccessTime() + ", user=" + getUser() +
-                                         ", userGroups=" + getUserGroups() + ", clientIPAddress=" + getClientIPAddress() + "]";
+                ", userGroups=" + getUserGroups() + ", clientIPAddress=" + getClientIPAddress() +
+                ", forwardedAddresses=" + getForwardedAddresses() + ", remoteIPAddress=" + getRemoteIPAddress() + "]";
     }
 }
 
diff --git a/authorization/src/main/java/org/apache/atlas/authorize/AtlasTypeAccessRequest.java b/authorization/src/main/java/org/apache/atlas/authorize/AtlasTypeAccessRequest.java
index af38425..510be35 100644
--- a/authorization/src/main/java/org/apache/atlas/authorize/AtlasTypeAccessRequest.java
+++ b/authorization/src/main/java/org/apache/atlas/authorize/AtlasTypeAccessRequest.java
@@ -44,6 +44,7 @@ public class AtlasTypeAccessRequest extends AtlasAccessRequest {
     @Override
     public String toString() {
         return "AtlasEntityAccessRequest[typeDef=" + typeDef + ", action=" + getAction() + ", accessTime=" + getAccessTime() +
-                                         ", user=" + getUser() + ", userGroups=" + getUserGroups() + ", clientIPAddress=" + getClientIPAddress() + "]";
+                ", user=" + getUser() + ", userGroups=" + getUserGroups() + ", clientIPAddress=" + getClientIPAddress() +
+                ", forwardedAddresses=" + getForwardedAddresses() + ", remoteIPAddress=" + getRemoteIPAddress() + "]";
     }
 }
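Review bot: The string built here starts with `"AtlasEntityAccessRequest[typeDef="` although the class is `AtlasTypeAccessRequest`, so type-access requests are labelled as entity requests wherever this value is logged. Since the commit already edits this `toString()`, the prefix should become `"AtlasTypeAccessRequest[typeDef="`.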
diff --git a/server-api/src/main/java/org/apache/atlas/RequestContext.java b/server-api/src/main/java/org/apache/atlas/RequestContext.java
index 0c3ba08..79eea1c 100644
--- a/server-api/src/main/java/org/apache/atlas/RequestContext.java
+++ b/server-api/src/main/java/org/apache/atlas/RequestContext.java
@@ -29,7 +29,14 @@ import org.apache.commons.lang.StringUtils;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
-import java.util.*;
+import java.util.Collection;
+import java.util.List;
+import java.util.Set;
+import java.util.Map;
+import java.util.ArrayList;
+import java.util.HashSet;
+import java.util.HashMap;
+
 
 public class RequestContext {
     private static final Logger METRICS = LoggerFactory.getLogger("METRICS");
@@ -48,10 +55,11 @@ public class RequestContext {
     private final AtlasPerfMetrics                       metrics             = isMetricsEnabled ? new AtlasPerfMetrics() : null;
     private       List<EntityGuidPair>                   entityGuidInRequest = null;
 
-    private String      user;
-    private Set<String> userGroups;
-    private String      clientIPAddress;
-    private DeleteType  deleteType   = DeleteType.DEFAULT;
+    private String       user;
+    private Set<String>  userGroups;
+    private String       clientIPAddress;
+    private List<String> forwardedAddresses;
+    private DeleteType   deleteType   = DeleteType.DEFAULT;
     private int         maxAttempts  = 1;
     private int         attemptCount = 1;
     private boolean     isImportInProgress = false;
@@ -354,4 +362,12 @@ public class RequestContext {
             entity.setGuid(guid);
         }
     }
+
+    public List<String> getForwardedAddresses() {
+        return forwardedAddresses;
+    }
+
+    public void setForwardedAddresses(List<String> forwardedAddresses) {
+        this.forwardedAddresses = forwardedAddresses;
+    }
 }
diff --git a/webapp/src/main/java/org/apache/atlas/web/filters/AuditFilter.java b/webapp/src/main/java/org/apache/atlas/web/filters/AuditFilter.java
index e9c44b3..c663b00 100755
--- a/webapp/src/main/java/org/apache/atlas/web/filters/AuditFilter.java
+++ b/webapp/src/main/java/org/apache/atlas/web/filters/AuditFilter.java
@@ -91,6 +91,7 @@ public class AuditFilter implements Filter {
             requestContext.setUser(user, userGroups);
             requestContext.setClientIPAddress(AtlasAuthorizationUtils.getRequestIpAddress(httpRequest));
             requestContext.setCreateShellEntityForNonExistingReference(createShellEntityForNonExistingReference);
+            requestContext.setForwardedAddresses(AtlasAuthorizationUtils.getForwardedAddressesFromRequest(httpRequest));
 
             if (StringUtils.isNotEmpty(deleteType)) {
                 if (deleteTypeOverrideEnabled) {
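Review bot: `setForwardedAddresses(...)` stores the X-FORWARDED-FOR value for every request without checking which peer sent it, so the list is whatever the caller put in the header unless a proxy in front of Atlas overwrites it. If authorizers or audit consumers are going to rely on it, populate it only when `httpRequest.getRemoteAddr()` belongs to a configured set of trusted proxies, and leave it null otherwise. At minimum add a comment here such as `// client-supplied header; advisory unless the peer is a trusted proxy`. The enclosing method starts and ends outside this hunk.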