Posted to commits@atlas.apache.org by sa...@apache.org on 2019/11/06 21:29:04 UTC
[atlas] 08/09: ATLAS-3488 :- Update Simple
Authentication(file-based) password with ShaPasswordEncoder with Salt.
This is an automated email from the ASF dual-hosted git repository.
sarath pushed a commit to branch branch-2.0
in repository https://gitbox.apache.org/repos/asf/atlas.git
commit 96e497c48953d6974d9fe7e352a12feddeddf33c
Author: nixonrodrigues <ni...@apache.org>
AuthorDate: Wed Oct 23 19:06:30 2019 +0530
ATLAS-3488: Update Simple Authentication (file-based) password hashing to use ShaPasswordEncoder with a salt.
(cherry picked from commit 25044cee5d945985aaadfc68e3da992eb4cc688e)
---
.../test/resources/users-credentials.properties | 6 ++--
.../test/resources/users-credentials.properties | 4 +--
.../test/resources/users-credentials.properties | 4 +--
.../test/resources/users-credentials.properties | 4 +--
.../test/resources/users-credentials.properties | 4 +--
.../test/resources/users-credentials.properties | 4 +--
.../test/resources/users-credentials.properties | 4 +--
distro/src/conf/users-credentials.properties | 4 +--
.../test/resources/users-credentials.properties | 4 +--
.../atlas/util/CredentialProviderUtility.java | 40 ++++++++++++++++++++++
.../java/org/apache/atlas/web/dao/UserDao.java | 8 +++--
.../security/AtlasFileAuthenticationProvider.java | 26 ++++++++++++--
.../atlas/web/security/FileAuthenticationTest.java | 19 ++++++++--
.../test/resources/users-credentials.properties | 4 +--
14 files changed, 106 insertions(+), 29 deletions(-)
diff --git a/addons/falcon-bridge/src/test/resources/users-credentials.properties b/addons/falcon-bridge/src/test/resources/users-credentials.properties
index 3fc3bb1..da69923 100644
--- a/addons/falcon-bridge/src/test/resources/users-credentials.properties
+++ b/addons/falcon-bridge/src/test/resources/users-credentials.properties
@@ -1,3 +1,3 @@
-#username=group::sha256-password
-admin=ADMIN::8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918
-rangertagsync=RANGER_TAG_SYNC::e3f67240f5117d1753c940dae9eea772d36ed5fe9bd9c94a300e40413f1afb9d
+#username=group::sha256+salt-password
+admin=ADMIN::a4a88c0872bf652bb9ed803ece5fd6e82354838a9bf59ab4babb1dab322154e1
+rangertagsync=RANGER_TAG_SYNC::0afe7a1968b07d4c3ff4ed8c2d809a32ffea706c66cd795ead9048e81cfaf034
diff --git a/addons/hbase-bridge/src/test/resources/users-credentials.properties b/addons/hbase-bridge/src/test/resources/users-credentials.properties
index 3fc3bb1..5046dba 100644
--- a/addons/hbase-bridge/src/test/resources/users-credentials.properties
+++ b/addons/hbase-bridge/src/test/resources/users-credentials.properties
@@ -1,3 +1,3 @@
#username=group::sha256-password
-admin=ADMIN::8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918
-rangertagsync=RANGER_TAG_SYNC::e3f67240f5117d1753c940dae9eea772d36ed5fe9bd9c94a300e40413f1afb9d
+admin=ADMIN::a4a88c0872bf652bb9ed803ece5fd6e82354838a9bf59ab4babb1dab322154e1
+rangertagsync=RANGER_TAG_SYNC::0afe7a1968b07d4c3ff4ed8c2d809a32ffea706c66cd795ead9048e81cfaf034
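Review bot: The unchanged header on the first line still reads `#username=group::sha256-password`, but the two replaced entries are in the new salted format, so this file now documents the wrong scheme; the falcon-bridge copy in the same commit already changes the header to `#username=group::sha256+salt-password`. The same stale header is left in the hive-bridge, impala-bridge, kafka-bridge, sqoop-bridge, storm-bridge, intg and webapp test copies and, most importantly, in the shipped distro/src/conf/users-credentials.properties that operators edit by hand. Because the salt is the login name, the header would be more useful to an operator if it also said that an entry is regenerated with the `cputil.py -g -u <username> -p <password>` utility this commit adds, rather than with a plain sha256sum as before.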
diff --git a/addons/hive-bridge/src/test/resources/users-credentials.properties b/addons/hive-bridge/src/test/resources/users-credentials.properties
index 3fc3bb1..5046dba 100644
--- a/addons/hive-bridge/src/test/resources/users-credentials.properties
+++ b/addons/hive-bridge/src/test/resources/users-credentials.properties
@@ -1,3 +1,3 @@
#username=group::sha256-password
-admin=ADMIN::8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918
-rangertagsync=RANGER_TAG_SYNC::e3f67240f5117d1753c940dae9eea772d36ed5fe9bd9c94a300e40413f1afb9d
+admin=ADMIN::a4a88c0872bf652bb9ed803ece5fd6e82354838a9bf59ab4babb1dab322154e1
+rangertagsync=RANGER_TAG_SYNC::0afe7a1968b07d4c3ff4ed8c2d809a32ffea706c66cd795ead9048e81cfaf034
diff --git a/addons/impala-bridge/src/test/resources/users-credentials.properties b/addons/impala-bridge/src/test/resources/users-credentials.properties
index 3fc3bb1..5046dba 100644
--- a/addons/impala-bridge/src/test/resources/users-credentials.properties
+++ b/addons/impala-bridge/src/test/resources/users-credentials.properties
@@ -1,3 +1,3 @@
#username=group::sha256-password
-admin=ADMIN::8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918
-rangertagsync=RANGER_TAG_SYNC::e3f67240f5117d1753c940dae9eea772d36ed5fe9bd9c94a300e40413f1afb9d
+admin=ADMIN::a4a88c0872bf652bb9ed803ece5fd6e82354838a9bf59ab4babb1dab322154e1
+rangertagsync=RANGER_TAG_SYNC::0afe7a1968b07d4c3ff4ed8c2d809a32ffea706c66cd795ead9048e81cfaf034
diff --git a/addons/kafka-bridge/src/test/resources/users-credentials.properties b/addons/kafka-bridge/src/test/resources/users-credentials.properties
index 3fc3bb1..5046dba 100644
--- a/addons/kafka-bridge/src/test/resources/users-credentials.properties
+++ b/addons/kafka-bridge/src/test/resources/users-credentials.properties
@@ -1,3 +1,3 @@
#username=group::sha256-password
-admin=ADMIN::8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918
-rangertagsync=RANGER_TAG_SYNC::e3f67240f5117d1753c940dae9eea772d36ed5fe9bd9c94a300e40413f1afb9d
+admin=ADMIN::a4a88c0872bf652bb9ed803ece5fd6e82354838a9bf59ab4babb1dab322154e1
+rangertagsync=RANGER_TAG_SYNC::0afe7a1968b07d4c3ff4ed8c2d809a32ffea706c66cd795ead9048e81cfaf034
diff --git a/addons/sqoop-bridge/src/test/resources/users-credentials.properties b/addons/sqoop-bridge/src/test/resources/users-credentials.properties
index 3fc3bb1..5046dba 100644
--- a/addons/sqoop-bridge/src/test/resources/users-credentials.properties
+++ b/addons/sqoop-bridge/src/test/resources/users-credentials.properties
@@ -1,3 +1,3 @@
#username=group::sha256-password
-admin=ADMIN::8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918
-rangertagsync=RANGER_TAG_SYNC::e3f67240f5117d1753c940dae9eea772d36ed5fe9bd9c94a300e40413f1afb9d
+admin=ADMIN::a4a88c0872bf652bb9ed803ece5fd6e82354838a9bf59ab4babb1dab322154e1
+rangertagsync=RANGER_TAG_SYNC::0afe7a1968b07d4c3ff4ed8c2d809a32ffea706c66cd795ead9048e81cfaf034
diff --git a/addons/storm-bridge/src/test/resources/users-credentials.properties b/addons/storm-bridge/src/test/resources/users-credentials.properties
index 3fc3bb1..5046dba 100644
--- a/addons/storm-bridge/src/test/resources/users-credentials.properties
+++ b/addons/storm-bridge/src/test/resources/users-credentials.properties
@@ -1,3 +1,3 @@
#username=group::sha256-password
-admin=ADMIN::8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918
-rangertagsync=RANGER_TAG_SYNC::e3f67240f5117d1753c940dae9eea772d36ed5fe9bd9c94a300e40413f1afb9d
+admin=ADMIN::a4a88c0872bf652bb9ed803ece5fd6e82354838a9bf59ab4babb1dab322154e1
+rangertagsync=RANGER_TAG_SYNC::0afe7a1968b07d4c3ff4ed8c2d809a32ffea706c66cd795ead9048e81cfaf034
diff --git a/distro/src/conf/users-credentials.properties b/distro/src/conf/users-credentials.properties
index 3fc3bb1..5046dba 100644
--- a/distro/src/conf/users-credentials.properties
+++ b/distro/src/conf/users-credentials.properties
@@ -1,3 +1,3 @@
#username=group::sha256-password
-admin=ADMIN::8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918
-rangertagsync=RANGER_TAG_SYNC::e3f67240f5117d1753c940dae9eea772d36ed5fe9bd9c94a300e40413f1afb9d
+admin=ADMIN::a4a88c0872bf652bb9ed803ece5fd6e82354838a9bf59ab4babb1dab322154e1
+rangertagsync=RANGER_TAG_SYNC::0afe7a1968b07d4c3ff4ed8c2d809a32ffea706c66cd795ead9048e81cfaf034
diff --git a/intg/src/test/resources/users-credentials.properties b/intg/src/test/resources/users-credentials.properties
index 3fc3bb1..5046dba 100644
--- a/intg/src/test/resources/users-credentials.properties
+++ b/intg/src/test/resources/users-credentials.properties
@@ -1,3 +1,3 @@
#username=group::sha256-password
-admin=ADMIN::8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918
-rangertagsync=RANGER_TAG_SYNC::e3f67240f5117d1753c940dae9eea772d36ed5fe9bd9c94a300e40413f1afb9d
+admin=ADMIN::a4a88c0872bf652bb9ed803ece5fd6e82354838a9bf59ab4babb1dab322154e1
+rangertagsync=RANGER_TAG_SYNC::0afe7a1968b07d4c3ff4ed8c2d809a32ffea706c66cd795ead9048e81cfaf034
diff --git a/webapp/src/main/java/org/apache/atlas/util/CredentialProviderUtility.java b/webapp/src/main/java/org/apache/atlas/util/CredentialProviderUtility.java
index e9fd204..7875fb2 100755
--- a/webapp/src/main/java/org/apache/atlas/util/CredentialProviderUtility.java
+++ b/webapp/src/main/java/org/apache/atlas/util/CredentialProviderUtility.java
@@ -16,6 +16,10 @@
*/
package org.apache.atlas.util;
+import org.apache.atlas.web.dao.UserDao;
+import org.apache.commons.cli.BasicParser;
+import org.apache.commons.cli.CommandLine;
+import org.apache.commons.cli.Options;
import org.apache.commons.lang.StringUtils;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.security.alias.CredentialProvider;
@@ -71,6 +75,36 @@ public class CredentialProviderUtility {
public static TextDevice textDevice = DEFAULT_TEXT_DEVICE;
public static void main(String[] args) throws IOException {
+ Options options = new Options();
+
+ try {
+ createOptions(options);
+
+ CommandLine cmd = new BasicParser().parse(options, args);
+
+ boolean generatePasswordOption = cmd.hasOption("g");
+
+ if (generatePasswordOption) {
+ String userName = cmd.getOptionValue("u");
+ String password = cmd.getOptionValue("p");
+
+ if (userName != null && password != null) {
+ String encryptedPassword = UserDao.encrypt(password, userName);
+ textDevice.printf("Your encrypted password is : " + encryptedPassword, null);
+ textDevice.printf("\n", null);
+
+ } else {
+ textDevice.printf("Please provide username and password as input. Usage:" +
+ " cputil.py -g -u <username> -p <password>", null);
+ }
+ return;
+ }
+
+ } catch (Exception e) {
+ System.out.println("Exception while generatePassword " + e.getMessage());
+ return;
+ }
+
// prompt for the provider name
CredentialProvider provider = getCredentialProvider(textDevice);
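Review bot: The new `-p <password>` option takes the secret as a process argument, which is visible in `ps` output and lands in shell history, so a tool whose whole purpose is to protect credentials leaks them on the way in; the utility already owns a console prompt for passwords (the "Retrieves a password from the command line" method documented in the next hunk takes `textDevice`), and when `-g -u` is given without `-p` the code should fall back to that prompt instead of printing the usage error. The `catch (Exception e)` block also drops the stack trace and writes `e.getMessage()` to System.out while every other message in this method goes through `textDevice`, so a parse failure or a hashing error is hard to diagnose; prefer `textDevice.printf("Exception while generatePassword: %s%n", e)` or a logger. On a style point, `textDevice.printf("Your encrypted password is : " + encryptedPassword, null)` passes the computed value inside the format string; `textDevice.printf("Your encrypted password is : %s%n", encryptedPassword)` is the intended form and removes the `"\n"` call. `main` continues past the end of this hunk.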
@@ -100,6 +134,12 @@ public class CredentialProviderUtility {
}
}
+ private static void createOptions(Options options) {
+ options.addOption("g", "generatePassword", false, "Generate Password");
+ options.addOption("u", "username", true, "UserName");
+ options.addOption("p", "password", true, "Password");
+ }
+
/**
* Retrieves a password from the command line.
* @param textDevice the system console.
diff --git a/webapp/src/main/java/org/apache/atlas/web/dao/UserDao.java b/webapp/src/main/java/org/apache/atlas/web/dao/UserDao.java
index b461a6a..7fdce3a 100644
--- a/webapp/src/main/java/org/apache/atlas/web/dao/UserDao.java
+++ b/webapp/src/main/java/org/apache/atlas/web/dao/UserDao.java
@@ -28,6 +28,7 @@ import javax.annotation.PostConstruct;
import org.apache.atlas.web.security.AtlasAuthenticationException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
+import org.springframework.security.authentication.encoding.ShaPasswordEncoder;
import org.springframework.stereotype.Repository;
import org.apache.atlas.ApplicationProperties;
import org.apache.atlas.AtlasException;
@@ -50,6 +51,8 @@ public class UserDao {
private Properties userLogins;
+ private static final ShaPasswordEncoder sha256Encoder = new ShaPasswordEncoder(256);
+
@PostConstruct
public void init() {
loadFileLoginsDetails();
@@ -106,14 +109,12 @@ public class UserDao {
return userDetails;
}
-
@VisibleForTesting
public void setUserLogins(Properties userLogins) {
this.userLogins = userLogins;
}
-
public static String getSha256Hash(String base) throws AtlasAuthenticationException {
try {
MessageDigest digest = MessageDigest.getInstance("SHA-256");
@@ -132,4 +133,7 @@ public class UserDao {
}
}
+ public static String encrypt(String password, String salt) {
+ return sha256Encoder.encodePassword(password, salt);
+ }
}
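Review bot: `encrypt` produces a one-way digest, not ciphertext, and its salt is the login name, which is public and identical across every deployment for accounts such as `admin`; that leaves the shipped default entries in distro/src/conf/users-credentials.properties as easy to precompute as before, so a per-user random salt stored alongside the hash in the credentials line would be the stronger design, and at minimum the method needs a Javadoc stating that it returns the hex SHA-256 digest of the password salted with the username and that the name is historical. `ShaPasswordEncoder` from `org.springframework.security.authentication.encoding` has been deprecated for several Spring Security releases and is removed in 5.0, so this change ties the webapp to the legacy module; the `PasswordEncoder` abstractions in `spring-security-crypto` are the migration path. The static field added in the earlier hunk, `sha256Encoder`, is a constant and would conventionally be `SHA256_ENCODER`.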
diff --git a/webapp/src/main/java/org/apache/atlas/web/security/AtlasFileAuthenticationProvider.java b/webapp/src/main/java/org/apache/atlas/web/security/AtlasFileAuthenticationProvider.java
index f177fd4..7269d4c 100644
--- a/webapp/src/main/java/org/apache/atlas/web/security/AtlasFileAuthenticationProvider.java
+++ b/webapp/src/main/java/org/apache/atlas/web/security/AtlasFileAuthenticationProvider.java
@@ -16,7 +16,9 @@
*/
package org.apache.atlas.web.security;
+import org.apache.atlas.ApplicationProperties;
import org.apache.atlas.web.dao.UserDao;
+import org.apache.commons.configuration.Configuration;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.authentication.BadCredentialsException;
@@ -28,6 +30,7 @@ import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.stereotype.Component;
+import javax.annotation.PostConstruct;
import javax.inject.Inject;
import java.util.Collection;
@@ -38,12 +41,23 @@ public class AtlasFileAuthenticationProvider extends AtlasAbstractAuthentication
private static Logger logger = LoggerFactory.getLogger(AtlasFileAuthenticationProvider.class);
private final UserDetailsService userDetailsService;
+ private boolean v1ValidationEnabled = true;
@Inject
public AtlasFileAuthenticationProvider(UserDetailsService userDetailsService) {
this.userDetailsService = userDetailsService;
}
+ @PostConstruct
+ public void setup() {
+ try {
+ Configuration configuration = ApplicationProperties.get();
+ v1ValidationEnabled = configuration.getBoolean("atlas.authentication.method.file.v1-validation.enabled", true);
+ } catch (Exception e) {
+ logger.error("Exception while setup", e);
+ }
+ }
+
@Override
public Authentication authenticate(Authentication authentication) throws AuthenticationException {
String username = authentication.getName();
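Review bot: `setup()` swallows any failure of `ApplicationProperties.get()` and leaves `v1ValidationEnabled` at its permissive default of `true`, so a configuration that cannot be loaded silently keeps the unsalted legacy hashes accepted, which is the fail-open direction for a security switch; if the rest of the provider cannot work without configuration anyway, let the exception propagate and fail startup, otherwise at least `logger.warn("Could not read configuration; legacy (unsalted) password validation stays enabled", e)` so the state is visible to operators. The key `atlas.authentication.method.file.v1-validation.enabled` should also be a named constant with a Javadoc on the field explaining that it exists only to grandfather entries hashed before this change and is meant to be turned off once credentials are regenerated.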
@@ -61,9 +75,15 @@ public class AtlasFileAuthenticationProvider extends AtlasAbstractAuthentication
}
UserDetails user = userDetailsService.loadUserByUsername(username);
-
- String encodedPassword = UserDao.getSha256Hash(password);
-
+ String encodedPassword = UserDao.encrypt(password, username);
+
+ boolean isValidPassword = encodedPassword.equals(user.getPassword());
+
+
+ if (!isValidPassword && v1ValidationEnabled) {
+ encodedPassword = UserDao.getSha256Hash(password);
+ }
+
if (!encodedPassword.equals(user.getPassword())) {
logger.error("Wrong password " + username);
throw new BadCredentialsException("Wrong password");
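Review bot: The salted comparison result is stored in `isValidPassword`, but the decision is then taken by overwriting `encodedPassword` with the legacy hash and comparing a second time, so the new flag is only used to decide whether to recompute, and a reader has to trace the reassignment to see which scheme actually matched; computing the boolean once per scheme and branching on it is clearer and lets the provider log when an account still authenticates through the unsalted path, which is what operators need in order to migrate entries and eventually set `v1-validation.enabled=false`. `String.equals` on the two hex digests is also not constant-time; `MessageDigest.isEqual` on the bytes is the usual replacement, though the exposure here is only timing on a stored hash. `authenticate` starts and ends outside this hunk.

```java
        UserDetails user = userDetailsService.loadUserByUsername(username);
        boolean isValidPassword = UserDao.encrypt(password, username).equals(user.getPassword());

        if (!isValidPassword && v1ValidationEnabled) {
            // Entry may predate salted hashing; accepted only while v1 validation is enabled.
            isValidPassword = UserDao.getSha256Hash(password).equals(user.getPassword());

            if (isValidPassword) {
                logger.warn("User {} authenticated with a legacy unsalted hash; regenerate the entry with cputil.py -g", username);
            }
        }

        if (!isValidPassword) {
            // … unchanged: error log and BadCredentialsException …
```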
diff --git a/webapp/src/test/java/org/apache/atlas/web/security/FileAuthenticationTest.java b/webapp/src/test/java/org/apache/atlas/web/security/FileAuthenticationTest.java
index fe2060a..6cd5017 100644
--- a/webapp/src/test/java/org/apache/atlas/web/security/FileAuthenticationTest.java
+++ b/webapp/src/test/java/org/apache/atlas/web/security/FileAuthenticationTest.java
@@ -88,15 +88,16 @@ public class FileAuthenticationTest {
TestUtils.writeConfiguration(configuration, persistDir + File.separator
+ ApplicationProperties.APPLICATION_PROPERTIES);
}
-
+
private void setupUserCredential(String tmpDir) throws Exception {
StringBuilder credentialFileStr = new StringBuilder(1024);
- credentialFileStr.append("admin=ADMIN::8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918\n");
+ credentialFileStr.append("admin=ADMIN::a4a88c0872bf652bb9ed803ece5fd6e82354838a9bf59ab4babb1dab322154e1\n");
+ credentialFileStr.append("adminv1=ADMIN::8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918\n");
credentialFileStr.append("michael=DATA_SCIENTIST::95bfb24de17d285d734b9eaa9109bfe922adc85f20d2e5e66a78bddb4a4ebddb\n");
credentialFileStr.append("paul=DATA_STEWARD::e7c0dcf5f8a93e93791e9bac1ae454a691c1d2a902fc4256d489e96c1b9ac68c\n");
credentialFileStr.append("user= \n");
- credentialFileStr.append("user12= ::bd35283fe8fcfd77d7c05a8bf2adb85c773281927e12c9829c72a9462092f7c4\n");
+ credentialFileStr.append("user12= ::43d864d8f9b53cd913fc6a665c8470595cefa4a360edeb78cf6c4eac00c0a3a0\n");
File credentialFile = new File(tmpDir, "users-credentials");
FileUtils.write(credentialFile, credentialFileStr.toString());
}
@@ -123,6 +124,18 @@ public class FileAuthenticationTest {
}
@Test
+ public void testValidUserLoginWithV1password() {
+
+ when(authentication.getName()).thenReturn("adminv1");
+ when(authentication.getCredentials()).thenReturn("admin");
+
+ Authentication auth = authProvider.authenticate(authentication);
+ LOG.debug(" {}", auth);
+
+ assertTrue(auth.isAuthenticated());
+ }
+
+ @Test
public void testInValidPasswordLogin() {
when(authentication.getName()).thenReturn("admin");
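Review bot: The new test only exercises the permissive default, so nothing verifies that `adminv1` is rejected once `atlas.authentication.method.file.v1-validation.enabled=false`, which is the property this commit introduces and the only mechanism that ever retires the unsalted format; a companion test that writes that property into the configuration produced in the setup method (outside this hunk) and asserts `BadCredentialsException` for `adminv1` would pin both sides of the switch. The new method name `testValidUserLoginWithV1password` would read better as `testValidUserLoginWithV1Password`, matching the camel case of the surrounding test names.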
diff --git a/webapp/src/test/resources/users-credentials.properties b/webapp/src/test/resources/users-credentials.properties
index 3fc3bb1..5046dba 100644
--- a/webapp/src/test/resources/users-credentials.properties
+++ b/webapp/src/test/resources/users-credentials.properties
@@ -1,3 +1,3 @@
#username=group::sha256-password
-admin=ADMIN::8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918
-rangertagsync=RANGER_TAG_SYNC::e3f67240f5117d1753c940dae9eea772d36ed5fe9bd9c94a300e40413f1afb9d
+admin=ADMIN::a4a88c0872bf652bb9ed803ece5fd6e82354838a9bf59ab4babb1dab322154e1
+rangertagsync=RANGER_TAG_SYNC::0afe7a1968b07d4c3ff4ed8c2d809a32ffea706c66cd795ead9048e81cfaf034