Posted to commits@atlas.apache.org by sa...@apache.org on 2019/11/06 21:29:04 UTC

[atlas] 08/09: ATLAS-3488 :- Update Simple Authentication(file-based) password with ShaPasswordEncoder with Salt.

This is an automated email from the ASF dual-hosted git repository.

sarath pushed a commit to branch branch-2.0
in repository https://gitbox.apache.org/repos/asf/atlas.git

commit 96e497c48953d6974d9fe7e352a12feddeddf33c
Author: nixonrodrigues <ni...@apache.org>
AuthorDate: Wed Oct 23 19:06:30 2019 +0530

    ATLAS-3488 :- Update Simple Authentication(file-based) password with ShaPasswordEncoder with Salt.
    
    (cherry picked from commit 25044cee5d945985aaadfc68e3da992eb4cc688e)
---
 .../test/resources/users-credentials.properties    |  6 ++--
 .../test/resources/users-credentials.properties    |  4 +--
 .../test/resources/users-credentials.properties    |  4 +--
 .../test/resources/users-credentials.properties    |  4 +--
 .../test/resources/users-credentials.properties    |  4 +--
 .../test/resources/users-credentials.properties    |  4 +--
 .../test/resources/users-credentials.properties    |  4 +--
 distro/src/conf/users-credentials.properties       |  4 +--
 .../test/resources/users-credentials.properties    |  4 +--
 .../atlas/util/CredentialProviderUtility.java      | 40 ++++++++++++++++++++++
 .../java/org/apache/atlas/web/dao/UserDao.java     |  8 +++--
 .../security/AtlasFileAuthenticationProvider.java  | 26 ++++++++++++--
 .../atlas/web/security/FileAuthenticationTest.java | 19 ++++++++--
 .../test/resources/users-credentials.properties    |  4 +--
 14 files changed, 106 insertions(+), 29 deletions(-)

diff --git a/addons/falcon-bridge/src/test/resources/users-credentials.properties b/addons/falcon-bridge/src/test/resources/users-credentials.properties
index 3fc3bb1..da69923 100644
--- a/addons/falcon-bridge/src/test/resources/users-credentials.properties
+++ b/addons/falcon-bridge/src/test/resources/users-credentials.properties
@@ -1,3 +1,3 @@
-#username=group::sha256-password
-admin=ADMIN::8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918
-rangertagsync=RANGER_TAG_SYNC::e3f67240f5117d1753c940dae9eea772d36ed5fe9bd9c94a300e40413f1afb9d
+#username=group::sha256+salt-password
+admin=ADMIN::a4a88c0872bf652bb9ed803ece5fd6e82354838a9bf59ab4babb1dab322154e1
+rangertagsync=RANGER_TAG_SYNC::0afe7a1968b07d4c3ff4ed8c2d809a32ffea706c66cd795ead9048e81cfaf034
diff --git a/addons/hbase-bridge/src/test/resources/users-credentials.properties b/addons/hbase-bridge/src/test/resources/users-credentials.properties
index 3fc3bb1..5046dba 100644
--- a/addons/hbase-bridge/src/test/resources/users-credentials.properties
+++ b/addons/hbase-bridge/src/test/resources/users-credentials.properties
@@ -1,3 +1,3 @@
 #username=group::sha256-password
-admin=ADMIN::8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918
-rangertagsync=RANGER_TAG_SYNC::e3f67240f5117d1753c940dae9eea772d36ed5fe9bd9c94a300e40413f1afb9d
+admin=ADMIN::a4a88c0872bf652bb9ed803ece5fd6e82354838a9bf59ab4babb1dab322154e1
+rangertagsync=RANGER_TAG_SYNC::0afe7a1968b07d4c3ff4ed8c2d809a32ffea706c66cd795ead9048e81cfaf034
diff --git a/addons/hive-bridge/src/test/resources/users-credentials.properties b/addons/hive-bridge/src/test/resources/users-credentials.properties
index 3fc3bb1..5046dba 100644
--- a/addons/hive-bridge/src/test/resources/users-credentials.properties
+++ b/addons/hive-bridge/src/test/resources/users-credentials.properties
@@ -1,3 +1,3 @@
 #username=group::sha256-password
-admin=ADMIN::8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918
-rangertagsync=RANGER_TAG_SYNC::e3f67240f5117d1753c940dae9eea772d36ed5fe9bd9c94a300e40413f1afb9d
+admin=ADMIN::a4a88c0872bf652bb9ed803ece5fd6e82354838a9bf59ab4babb1dab322154e1
+rangertagsync=RANGER_TAG_SYNC::0afe7a1968b07d4c3ff4ed8c2d809a32ffea706c66cd795ead9048e81cfaf034
diff --git a/addons/impala-bridge/src/test/resources/users-credentials.properties b/addons/impala-bridge/src/test/resources/users-credentials.properties
index 3fc3bb1..5046dba 100644
--- a/addons/impala-bridge/src/test/resources/users-credentials.properties
+++ b/addons/impala-bridge/src/test/resources/users-credentials.properties
@@ -1,3 +1,3 @@
 #username=group::sha256-password
-admin=ADMIN::8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918
-rangertagsync=RANGER_TAG_SYNC::e3f67240f5117d1753c940dae9eea772d36ed5fe9bd9c94a300e40413f1afb9d
+admin=ADMIN::a4a88c0872bf652bb9ed803ece5fd6e82354838a9bf59ab4babb1dab322154e1
+rangertagsync=RANGER_TAG_SYNC::0afe7a1968b07d4c3ff4ed8c2d809a32ffea706c66cd795ead9048e81cfaf034
diff --git a/addons/kafka-bridge/src/test/resources/users-credentials.properties b/addons/kafka-bridge/src/test/resources/users-credentials.properties
index 3fc3bb1..5046dba 100644
--- a/addons/kafka-bridge/src/test/resources/users-credentials.properties
+++ b/addons/kafka-bridge/src/test/resources/users-credentials.properties
@@ -1,3 +1,3 @@
 #username=group::sha256-password
-admin=ADMIN::8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918
-rangertagsync=RANGER_TAG_SYNC::e3f67240f5117d1753c940dae9eea772d36ed5fe9bd9c94a300e40413f1afb9d
+admin=ADMIN::a4a88c0872bf652bb9ed803ece5fd6e82354838a9bf59ab4babb1dab322154e1
+rangertagsync=RANGER_TAG_SYNC::0afe7a1968b07d4c3ff4ed8c2d809a32ffea706c66cd795ead9048e81cfaf034
diff --git a/addons/sqoop-bridge/src/test/resources/users-credentials.properties b/addons/sqoop-bridge/src/test/resources/users-credentials.properties
index 3fc3bb1..5046dba 100644
--- a/addons/sqoop-bridge/src/test/resources/users-credentials.properties
+++ b/addons/sqoop-bridge/src/test/resources/users-credentials.properties
@@ -1,3 +1,3 @@
 #username=group::sha256-password
-admin=ADMIN::8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918
-rangertagsync=RANGER_TAG_SYNC::e3f67240f5117d1753c940dae9eea772d36ed5fe9bd9c94a300e40413f1afb9d
+admin=ADMIN::a4a88c0872bf652bb9ed803ece5fd6e82354838a9bf59ab4babb1dab322154e1
+rangertagsync=RANGER_TAG_SYNC::0afe7a1968b07d4c3ff4ed8c2d809a32ffea706c66cd795ead9048e81cfaf034
diff --git a/addons/storm-bridge/src/test/resources/users-credentials.properties b/addons/storm-bridge/src/test/resources/users-credentials.properties
index 3fc3bb1..5046dba 100644
--- a/addons/storm-bridge/src/test/resources/users-credentials.properties
+++ b/addons/storm-bridge/src/test/resources/users-credentials.properties
@@ -1,3 +1,3 @@
 #username=group::sha256-password
-admin=ADMIN::8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918
-rangertagsync=RANGER_TAG_SYNC::e3f67240f5117d1753c940dae9eea772d36ed5fe9bd9c94a300e40413f1afb9d
+admin=ADMIN::a4a88c0872bf652bb9ed803ece5fd6e82354838a9bf59ab4babb1dab322154e1
+rangertagsync=RANGER_TAG_SYNC::0afe7a1968b07d4c3ff4ed8c2d809a32ffea706c66cd795ead9048e81cfaf034
diff --git a/distro/src/conf/users-credentials.properties b/distro/src/conf/users-credentials.properties
index 3fc3bb1..5046dba 100644
--- a/distro/src/conf/users-credentials.properties
+++ b/distro/src/conf/users-credentials.properties
@@ -1,3 +1,3 @@
 #username=group::sha256-password
-admin=ADMIN::8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918
-rangertagsync=RANGER_TAG_SYNC::e3f67240f5117d1753c940dae9eea772d36ed5fe9bd9c94a300e40413f1afb9d
+admin=ADMIN::a4a88c0872bf652bb9ed803ece5fd6e82354838a9bf59ab4babb1dab322154e1
+rangertagsync=RANGER_TAG_SYNC::0afe7a1968b07d4c3ff4ed8c2d809a32ffea706c66cd795ead9048e81cfaf034
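Review bot: The header comment on the first line of this shipped config still reads `#username=group::sha256-password`, but the two values below it are now in the salted `ShaPasswordEncoder` form, so the only in-file documentation of the format is wrong; the falcon-bridge copy in this same commit already changes it to `#username=group::sha256+salt-password`. The identical stale comment is also left in the hbase-, hive-, impala-, kafka-, sqoop- and storm-bridge, intg and webapp test resources. Since this line is what operators read when adding a user, I would also say how to produce a value, e.g. `#username=group::sha256+salt-password (generate the hash with cputil.py -g)`.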
diff --git a/intg/src/test/resources/users-credentials.properties b/intg/src/test/resources/users-credentials.properties
index 3fc3bb1..5046dba 100644
--- a/intg/src/test/resources/users-credentials.properties
+++ b/intg/src/test/resources/users-credentials.properties
@@ -1,3 +1,3 @@
 #username=group::sha256-password
-admin=ADMIN::8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918
-rangertagsync=RANGER_TAG_SYNC::e3f67240f5117d1753c940dae9eea772d36ed5fe9bd9c94a300e40413f1afb9d
+admin=ADMIN::a4a88c0872bf652bb9ed803ece5fd6e82354838a9bf59ab4babb1dab322154e1
+rangertagsync=RANGER_TAG_SYNC::0afe7a1968b07d4c3ff4ed8c2d809a32ffea706c66cd795ead9048e81cfaf034
diff --git a/webapp/src/main/java/org/apache/atlas/util/CredentialProviderUtility.java b/webapp/src/main/java/org/apache/atlas/util/CredentialProviderUtility.java
index e9fd204..7875fb2 100755
--- a/webapp/src/main/java/org/apache/atlas/util/CredentialProviderUtility.java
+++ b/webapp/src/main/java/org/apache/atlas/util/CredentialProviderUtility.java
@@ -16,6 +16,10 @@
  */
 package org.apache.atlas.util;
 
+import org.apache.atlas.web.dao.UserDao;
+import org.apache.commons.cli.BasicParser;
+import org.apache.commons.cli.CommandLine;
+import org.apache.commons.cli.Options;
 import org.apache.commons.lang.StringUtils;
 import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.security.alias.CredentialProvider;
@@ -71,6 +75,36 @@ public class CredentialProviderUtility {
     public static TextDevice textDevice = DEFAULT_TEXT_DEVICE;
 
     public static void main(String[] args) throws IOException {
+        Options options = new Options();
+
+        try {
+            createOptions(options);
+
+            CommandLine cmd = new BasicParser().parse(options, args);
+
+            boolean generatePasswordOption = cmd.hasOption("g");
+
+            if (generatePasswordOption) {
+                String userName = cmd.getOptionValue("u");
+                String password = cmd.getOptionValue("p");
+
+                if (userName != null && password != null) {
+                    String encryptedPassword = UserDao.encrypt(password, userName);
+                    textDevice.printf("Your encrypted password is  : " + encryptedPassword, null);
+                    textDevice.printf("\n", null);
+
+                } else {
+                    textDevice.printf("Please provide username and password as input. Usage:" +
+                            " cputil.py -g -u <username> -p <password>", null);
+                }
+                return;
+            }
+
+        } catch (Exception e) {
+            System.out.println("Exception while generatePassword  " + e.getMessage());
+            return;
+        }
+
         // prompt for the provider name
         CredentialProvider provider = getCredentialProvider(textDevice);
 
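Review bot: The `-p` option at `String password = cmd.getOptionValue("p");` takes the plaintext password on the command line, where it is visible to other local users in the process list and is retained in shell history, even though this class already has a console-based password prompt (the helper whose Javadoc `Retrieves a password from the command line` appears just below the hunk). I would make `-p` optional and fall back to that prompt through `textDevice` when it is absent, and describe that in the usage text printed in the `else` branch. Separately, the `catch (Exception e)` wrapped around the whole option-parsing block prints only `e.getMessage()` to stdout and returns, so a malformed option ends the run with no stack trace and a zero exit status; catching `ParseException` narrowly and passing the exception itself to the log call would keep the cause. `main` continues past the end of the hunk.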
@@ -100,6 +134,12 @@ public class CredentialProviderUtility {
         }
     }
 
+    private static void createOptions(Options options) {
+        options.addOption("g", "generatePassword", false, "Generate Password");
+        options.addOption("u", "username", true, "UserName");
+        options.addOption("p", "password", true, "Password");
+    }
+
     /**
      * Retrieves a password from the command line.
      * @param textDevice  the system console.
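Review bot: The option descriptions are what users of `cputil.py` see in help output, and `"Generate Password"` on the `-g` line describes the wrong thing: the option hashes a password the caller supplies, it does not generate one. I would change the three descriptions to `"Generate the salted SHA-256 hash of a password for users-credentials.properties"`, `"User name (also used as the hash salt)"` and `"Password to hash"`, since `main` passes the user name as the salt to `UserDao.encrypt`. Whether help output is ever printed is not visible here; `createOptions` is complete within the hunk.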
diff --git a/webapp/src/main/java/org/apache/atlas/web/dao/UserDao.java b/webapp/src/main/java/org/apache/atlas/web/dao/UserDao.java
index b461a6a..7fdce3a 100644
--- a/webapp/src/main/java/org/apache/atlas/web/dao/UserDao.java
+++ b/webapp/src/main/java/org/apache/atlas/web/dao/UserDao.java
@@ -28,6 +28,7 @@ import javax.annotation.PostConstruct;
 import org.apache.atlas.web.security.AtlasAuthenticationException;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
+import org.springframework.security.authentication.encoding.ShaPasswordEncoder;
 import org.springframework.stereotype.Repository;
 import org.apache.atlas.ApplicationProperties;
 import org.apache.atlas.AtlasException;
@@ -50,6 +51,8 @@ public class UserDao {
 
     private Properties userLogins;
 
+    private static final ShaPasswordEncoder sha256Encoder = new ShaPasswordEncoder(256);
+
     @PostConstruct
     public void init() {
         loadFileLoginsDetails();
@@ -106,14 +109,12 @@ public class UserDao {
 
         return userDetails;
     }
-    
 
     @VisibleForTesting
     public void setUserLogins(Properties userLogins) {
         this.userLogins = userLogins;
     }
 
-
     public static String getSha256Hash(String base) throws AtlasAuthenticationException {
         try {
             MessageDigest digest = MessageDigest.getInstance("SHA-256");
@@ -132,4 +133,7 @@ public class UserDao {
         }
     }
 
+    public static String encrypt(String password, String salt) {
+           return sha256Encoder.encodePassword(password, salt);
+    }
 }
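Review bot: `encrypt` is a misnomer for what the new method does — `ShaPasswordEncoder.encodePassword` produces a salted SHA-256 digest, not reversible encryption — and the name has already propagated to its callers in this commit (`encryptedPassword` and the `Your encrypted password is` message in CredentialProviderUtility). A Javadoc stating the real contract would help: `/** Returns the hex SHA-256 digest of {@code password} salted with {@code salt} (the user name), in the format stored in users-credentials.properties. Not encryption: the value cannot be reversed, only recomputed. */`. Two caveats belong in a comment on the `sha256Encoder` field as well: `org.springframework.security.authentication.encoding` is Spring Security's deprecated legacy encoder package, so a later upgrade will remove `ShaPasswordEncoder`, and a single SHA-256 round (the encoder's default, as far as I recall) with a predictable per-user salt is still a fast hash, well short of a slow password KDF such as the bcrypt encoder in `org.springframework.security.crypto`. The body line `return sha256Encoder.encodePassword(password, salt);` is also indented 11 spaces instead of the file's 8.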
diff --git a/webapp/src/main/java/org/apache/atlas/web/security/AtlasFileAuthenticationProvider.java b/webapp/src/main/java/org/apache/atlas/web/security/AtlasFileAuthenticationProvider.java
index f177fd4..7269d4c 100644
--- a/webapp/src/main/java/org/apache/atlas/web/security/AtlasFileAuthenticationProvider.java
+++ b/webapp/src/main/java/org/apache/atlas/web/security/AtlasFileAuthenticationProvider.java
@@ -16,7 +16,9 @@
  */
 package org.apache.atlas.web.security;
 
+import org.apache.atlas.ApplicationProperties;
 import org.apache.atlas.web.dao.UserDao;
+import org.apache.commons.configuration.Configuration;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.security.authentication.BadCredentialsException;
@@ -28,6 +30,7 @@ import org.springframework.security.core.userdetails.UserDetails;
 import org.springframework.security.core.userdetails.UserDetailsService;
 import org.springframework.stereotype.Component;
 
+import javax.annotation.PostConstruct;
 import javax.inject.Inject;
 import java.util.Collection;
  
@@ -38,12 +41,23 @@ public class AtlasFileAuthenticationProvider extends AtlasAbstractAuthentication
     private static Logger logger = LoggerFactory.getLogger(AtlasFileAuthenticationProvider.class);
 
     private final UserDetailsService userDetailsService;
+    private boolean v1ValidationEnabled = true;
 
     @Inject
     public AtlasFileAuthenticationProvider(UserDetailsService userDetailsService) {
         this.userDetailsService = userDetailsService;
     }
 
+    @PostConstruct
+    public void setup() {
+        try {
+            Configuration configuration = ApplicationProperties.get();
+            v1ValidationEnabled = configuration.getBoolean("atlas.authentication.method.file.v1-validation.enabled", true);
+        } catch (Exception e) {
+            logger.error("Exception while setup", e);
+        }
+    }
+
     @Override
     public Authentication authenticate(Authentication authentication) throws AuthenticationException {
         String username = authentication.getName();
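Review bot: `v1ValidationEnabled` defaults to `true` and stays `true` when `ApplicationProperties.get()` throws inside `setup()`, so an unreadable configuration silently keeps the unsalted legacy hashes acceptable; that is a reasonable upgrade default, but nothing in the code records why the flag exists or when it should be switched off. I would comment the field: `// Accept entries in the pre-ATLAS-3488 unsalted SHA-256 format; set atlas.authentication.method.file.v1-validation.enabled=false once every user has been regenerated with cputil.py -g.` The key `atlas.authentication.method.file.v1-validation.enabled` is introduced only as a string literal here and appears in no documentation or properties template in this commit, so operators cannot discover it; a named constant plus an entry in the application properties template would fix that. `authenticate` starts inside the hunk and continues past its end.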
@@ -61,9 +75,15 @@ public class AtlasFileAuthenticationProvider extends AtlasAbstractAuthentication
         }
 
         UserDetails user = userDetailsService.loadUserByUsername(username);
-        
-        String encodedPassword = UserDao.getSha256Hash(password);
-        
+        String encodedPassword = UserDao.encrypt(password, username);
+
+        boolean isValidPassword = encodedPassword.equals(user.getPassword());
+
+
+        if (!isValidPassword && v1ValidationEnabled) {
+            encodedPassword = UserDao.getSha256Hash(password);
+        }
+
         if (!encodedPassword.equals(user.getPassword())) {
             logger.error("Wrong password " + username);
             throw new BadCredentialsException("Wrong password");
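Review bot: When the legacy fallback `encodedPassword = UserDao.getSha256Hash(password);` succeeds, nothing records that the user still has an unsalted hash, so operators get no signal about which entries to regenerate before disabling `v1ValidationEnabled`; a `logger.warn` on that path closes the gap. The rewrite below also retires the now-stale `isValidPassword` (it is left `false` after the fallback, and the final `if` recomputes the comparison) and reads the stored hash once. Both comparisons are `String.equals`; a constant-time comparison such as `MessageDigest.isEqual` over the UTF-8 bytes would be the usual choice for a credential check, though for fixed-length hex digests the leak is small. `authenticate` starts before and ends after the hunk.
```java
        UserDetails user = userDetailsService.loadUserByUsername(username);
        String storedHash = user.getPassword();

        boolean isValidPassword = UserDao.encrypt(password, username).equals(storedHash);

        if (!isValidPassword && v1ValidationEnabled) {
            // Legacy (pre-ATLAS-3488) entries hold a plain SHA-256 of the password, no salt.
            isValidPassword = UserDao.getSha256Hash(password).equals(storedHash);

            if (isValidPassword) {
                logger.warn("User {} authenticated with a legacy unsalted password hash; regenerate the entry with cputil.py -g", username);
            }
        }

        if (!isValidPassword) {
            // … unchanged: error log and BadCredentialsException …
```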
diff --git a/webapp/src/test/java/org/apache/atlas/web/security/FileAuthenticationTest.java b/webapp/src/test/java/org/apache/atlas/web/security/FileAuthenticationTest.java
index fe2060a..6cd5017 100644
--- a/webapp/src/test/java/org/apache/atlas/web/security/FileAuthenticationTest.java
+++ b/webapp/src/test/java/org/apache/atlas/web/security/FileAuthenticationTest.java
@@ -88,15 +88,16 @@ public class FileAuthenticationTest {
         TestUtils.writeConfiguration(configuration, persistDir + File.separator
                 + ApplicationProperties.APPLICATION_PROPERTIES);
     }
-    
+
     private void setupUserCredential(String tmpDir) throws Exception {
 
         StringBuilder credentialFileStr = new StringBuilder(1024);
-        credentialFileStr.append("admin=ADMIN::8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918\n");
+        credentialFileStr.append("admin=ADMIN::a4a88c0872bf652bb9ed803ece5fd6e82354838a9bf59ab4babb1dab322154e1\n");
+        credentialFileStr.append("adminv1=ADMIN::8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918\n");
         credentialFileStr.append("michael=DATA_SCIENTIST::95bfb24de17d285d734b9eaa9109bfe922adc85f20d2e5e66a78bddb4a4ebddb\n");
         credentialFileStr.append("paul=DATA_STEWARD::e7c0dcf5f8a93e93791e9bac1ae454a691c1d2a902fc4256d489e96c1b9ac68c\n");
         credentialFileStr.append("user=  \n");
-        credentialFileStr.append("user12=  ::bd35283fe8fcfd77d7c05a8bf2adb85c773281927e12c9829c72a9462092f7c4\n");
+        credentialFileStr.append("user12=  ::43d864d8f9b53cd913fc6a665c8470595cefa4a360edeb78cf6c4eac00c0a3a0\n");
         File credentialFile = new File(tmpDir, "users-credentials");
         FileUtils.write(credentialFile, credentialFileStr.toString());
     }
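Review bot: The fixture now mixes the two hash formats without saying so: `adminv1` is deliberately kept in the old unsalted form to exercise the v1 fallback, while `michael` and `paul` were simply not regenerated and appear to remain in the old form as well. A comment on the `adminv1` line such as `// legacy unsalted SHA-256 entry, kept to exercise the v1-validation fallback`, plus regenerated salted values for `michael` and `paul`, would make the fixture usable for a future test with `v1-validation.enabled=false`, which as written would fail for every user except `admin` and `user12`. `setupUserCredential` is complete within the hunk.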
@@ -123,6 +124,18 @@ public class FileAuthenticationTest {
     }
 
     @Test
+    public void testValidUserLoginWithV1password() {
+
+        when(authentication.getName()).thenReturn("adminv1");
+        when(authentication.getCredentials()).thenReturn("admin");
+
+        Authentication auth = authProvider.authenticate(authentication);
+        LOG.debug(" {}", auth);
+
+        assertTrue(auth.isAuthenticated());
+    }
+
+    @Test
     public void testInValidPasswordLogin() {
 
         when(authentication.getName()).thenReturn("admin");
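Review bot: `testValidUserLoginWithV1password` only shows that the legacy path accepts `adminv1` under the default `v1-validation.enabled=true`; there is no test that the switch actually closes that path, so a regression that ignores the flag would go unnoticed. A companion test that writes `atlas.authentication.method.file.v1-validation.enabled=false` through the same `TestUtils.writeConfiguration` setup used earlier in the file, then asserts `authProvider.authenticate(authentication)` throws `BadCredentialsException` for `adminv1` while `admin` still succeeds, would pin that behaviour; how the provider is constructed per test is outside this hunk, so the test may need to invoke `setup()` itself after rewriting the configuration. `testInValidPasswordLogin` continues past the end of the hunk.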
diff --git a/webapp/src/test/resources/users-credentials.properties b/webapp/src/test/resources/users-credentials.properties
index 3fc3bb1..5046dba 100644
--- a/webapp/src/test/resources/users-credentials.properties
+++ b/webapp/src/test/resources/users-credentials.properties
@@ -1,3 +1,3 @@
 #username=group::sha256-password
-admin=ADMIN::8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918
-rangertagsync=RANGER_TAG_SYNC::e3f67240f5117d1753c940dae9eea772d36ed5fe9bd9c94a300e40413f1afb9d
+admin=ADMIN::a4a88c0872bf652bb9ed803ece5fd6e82354838a9bf59ab4babb1dab322154e1
+rangertagsync=RANGER_TAG_SYNC::0afe7a1968b07d4c3ff4ed8c2d809a32ffea706c66cd795ead9048e81cfaf034