Posted to dev@atlas.apache.org by Nixon Rodrigues <ni...@freestoneinfotech.com> on 2018/09/07 14:11:49 UTC
Re: Review Request 68363: ATLAS-2824 :- Atlas to support Trusted Knox
Proxy
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/68363/
-----------------------------------------------------------
(Updated Sept. 7, 2018, 2:11 p.m.)
Review request for atlas, Apoorv Naik, Ashutosh Mestry, Larry McCay, Madhan Neethiraj, and Sarath Subramanian.
Changes
-------
This patch includes a fix for review comments and a check to validate that the incoming request is from the trustedProxy server. Atlas validates the property value below against the request IP.
Property: atlas.proxyserver.knox.ip
Bugs: ATLAS-2824
https://issues.apache.org/jira/browse/ATLAS-2824
Repository: atlas
Description
-------
This patch includes code to support requests from the Knox proxy, where the proxy is already known to and trusted by Atlas via configuration. Atlas intercepts the incoming requests and, if a request is from the Knox proxy, Atlas allows Knox's doAs user to create a session in Atlas.
Configs required:-
atlas.authentication.allow.trustedproxy :- property allow trusted proxy support
atlas.proxyuser.knox.hosts :- property to add trusted hosts
atlas.proxyuser.knox.users :- property to add trusted users
atlas.proxyuser.knox.groups :- property to add trusted groups
Diffs (updated)
-----
webapp/src/main/java/org/apache/atlas/web/filters/AtlasAuthenticationFilter.java e5c40d061
webapp/src/main/java/org/apache/atlas/web/security/AtlasSecurityConfig.java 64c95203c
Diff: https://reviews.apache.org/r/68363/diff/2/
Changes: https://reviews.apache.org/r/68363/diff/1-2/
Testing
-------
Tested
* Atlas UI from Trusted Knox Proxy with Knox SSO loginpage.
* Atlas UI from Knox Proxy with Atlas Login.
* Atlas UI from Knox Proxy with SSO Filter enabled at Atlas.
* Atlas UI with Atlas Login.
* Atlas API from curl with BASIC & Kerberos headers
https://builds.apache.org/job/PreCommit-ATLAS-Build-Test/573/console
Topology Used:-
<topology>
<gateway>
        <provider>
            <role>federation</role>
            <name>SSOCookieProvider</name>
            <enabled>true</enabled>
            <param>
                <name>sso.authentication.provider.url</name>
                <value>{KNOXHOST}/gateway/knoxsso/knoxauth/login.html</value>
            </param>
        </provider>
        <provider>
            <role>identity-assertion</role>
            <name>Default</name>
            <enabled>true</enabled>
        </provider>
</gateway>
<service>
<role>ATLAS</role>
<url>{ATLAS_HOST}:21000/</url>
</service>
<service>
<role>ATLAS-API</role>
<url>{ATLAS_HOST}:21000</url>
</service>
</topology>
Thanks,
Nixon Rodrigues
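Added example (not part of the original e-mail and not Atlas code): a self-contained Java sketch of the trusted-proxy decision outlined in the Description above, using the atlas.authentication.allow.trustedproxy and atlas.proxyuser.knox.* property names from this message. The class and method names, the exact-match-or-"*" list matching, the reading of .users/.groups as the identities the proxy may act for (Hadoop's proxyuser convention), and the sample users and addresses are assumptions; the sketch also shows a null-safe property lookup and a deny-on-failure path, two points raised in review comments in this thread.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Properties;
import java.util.Set;

// Illustration only: hypothetical class, not Atlas source. Property names are the
// ones listed in the e-mail; everything else is an assumption.
public class TrustedProxyCheck {

    enum Decision { NOT_A_PROXY_REQUEST, ALLOW, DENY }

    static final String ENABLED = "atlas.authentication.allow.trustedproxy";
    static final String PREFIX  = "atlas.proxyuser.";

    // Comma-separated property -> set. A missing property gives an empty set,
    // because Properties.getProperty returns null for unknown keys.
    static Set<String> list(Properties conf, String key) {
        String raw = conf.getProperty(key);
        Set<String> out = new HashSet<>();
        if (raw == null) {
            return out;
        }
        for (String item : raw.split(",")) {
            String trimmed = item.trim();
            if (!trimmed.isEmpty()) {
                out.add(trimmed);
            }
        }
        return out;
    }

    // Assumed matching rule: exact entry or the "*" wildcard.
    static boolean matches(Set<String> allowed, String value) {
        return allowed.contains("*") || allowed.contains(value);
    }

    // authenticatedUser: identity the caller proved (e.g. "knox"), never a header value.
    // remoteAddr: peer address of the connection, not a forwarded-for header.
    static Decision authorize(Properties conf, String authenticatedUser, String remoteAddr,
                              String doAsUser, Set<String> doAsGroups) {
        if (doAsUser == null || doAsUser.isEmpty()) {
            return Decision.NOT_A_PROXY_REQUEST; // normal authentication continues
        }
        // The request asks to act as someone else: from here every failure is a
        // DENY, so a rejected impersonation cannot fall through to another filter.
        if (!Boolean.parseBoolean(conf.getProperty(ENABLED, "false"))) {
            return Decision.DENY;
        }
        if (authenticatedUser == null || remoteAddr == null) {
            return Decision.DENY;
        }
        String base = PREFIX + authenticatedUser;
        if (!matches(list(conf, base + ".hosts"), remoteAddr)) {
            return Decision.DENY;
        }
        if (matches(list(conf, base + ".users"), doAsUser)) {
            return Decision.ALLOW;
        }
        Set<String> allowedGroups = list(conf, base + ".groups");
        if (allowedGroups.contains("*")) {
            return Decision.ALLOW;
        }
        if (doAsGroups != null) {
            for (String group : doAsGroups) {
                if (allowedGroups.contains(group)) {
                    return Decision.ALLOW;
                }
            }
        }
        return Decision.DENY;
    }

    public static void main(String[] args) {
        // Constructed sample configuration and requests (documentation address range).
        Properties conf = new Properties();
        conf.setProperty(ENABLED, "true");
        conf.setProperty("atlas.proxyuser.knox.hosts", "192.0.2.10");
        conf.setProperty("atlas.proxyuser.knox.users", "alice");
        conf.setProperty("atlas.proxyuser.knox.groups", "data-stewards");
        Set<String> noGroups = Collections.emptySet();
        Set<String> stewards = new HashSet<>(Arrays.asList("data-stewards"));

        // Proxy user from the configured host, acting for a listed user.
        System.out.println(authorize(conf, "knox", "192.0.2.10", "alice", noGroups));
        // Same request from an address that is not in .hosts.
        System.out.println(authorize(conf, "knox", "192.0.2.99", "alice", noGroups));
        // User not listed, but member of a listed group.
        System.out.println(authorize(conf, "knox", "192.0.2.10", "bob", stewards));
        // Caller with no atlas.proxyuser.<name>.* properties at all.
        System.out.println(authorize(conf, "hive", "192.0.2.10", "alice", noGroups));
        // No doAs user: not an impersonation request.
        System.out.println(authorize(conf, "knox", "192.0.2.10", null, noGroups));
    }
}
```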
Re: Review Request 68363: ATLAS-2824 :- Atlas to support Trusted Knox
Proxy
Posted by Madhan Neethiraj <ma...@apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/68363/#review210275
-----------------------------------------------------------
webapp/src/main/java/org/apache/atlas/web/filters/AtlasAuthenticationFilter.java
Line 89 (original), 93 (patched)
<https://reviews.apache.org/r/68363/#comment294934>
Is DEFAULT_PROXY_USERS needed any more? Only users explicitly specified via 'atlas.proxyusers.' configurations should be considered as proxy-users.
webapp/src/main/java/org/apache/atlas/web/filters/AtlasAuthenticationFilter.java
Lines 193 (patched)
<https://reviews.apache.org/r/68363/#comment294933>
Move this const definition up, to line #93.
Also, this is duplicated in AtlasProxyUsers class; avoid this duplication.
webapp/src/main/java/org/apache/atlas/web/filters/AtlasAuthenticationFilter.java
Lines 494 (patched)
<https://reviews.apache.org/r/68363/#comment294950>
does this set the current logged in user as 'doAsUser'?
webapp/src/main/java/org/apache/atlas/web/filters/AtlasProxyUsers.java
Lines 46 (patched)
<https://reviews.apache.org/r/68363/#comment294935>
Replace "atlas.proxyuser" with constant defined in line #19.
- Madhan Neethiraj
On Nov. 2, 2018, 2:33 p.m., Nixon Rodrigues wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/68363/
> -----------------------------------------------------------
>
> (Updated Nov. 2, 2018, 2:33 p.m.)
>
>
> Review request for atlas, Apoorv Naik, Ashutosh Mestry, Larry McCay, Madhan Neethiraj, and Sarath Subramanian.
>
>
> Bugs: ATLAS-2824
> https://issues.apache.org/jira/browse/ATLAS-2824
>
>
> Repository: atlas
>
>
> Description
> -------
>
> This patch includes code to support requests from the Knox proxy, where the proxy is already known to and trusted by Atlas via configuration. Atlas intercepts the incoming requests and, if a request is from the Knox proxy, Atlas allows Knox's doAs user to create a session in Atlas.
>
> Configs required:-
>
> atlas.authentication.allow.trustedproxy :- property allow trusted proxy support
> atlas.proxyuser.knox.hosts :- property to add trusted hosts
> atlas.proxyuser.knox.users :- property to add trusted users
> atlas.proxyuser.knox.groups :- property to add trusted groups
>
>
> Diffs
> -----
>
> webapp/src/main/java/org/apache/atlas/web/filters/AtlasAuthenticationFilter.java 9a13cea65
> webapp/src/main/java/org/apache/atlas/web/filters/AtlasProxyUsers.java PRE-CREATION
>
>
> Diff: https://reviews.apache.org/r/68363/diff/4/
>
>
> Testing
> -------
>
> Tested
>
> * Atlas UI from Trusted Knox Proxy with Knox SSO loginpage.
> * Atlas UI from Knox Proxy with Atlas Login.
> * Atlas UI from Knox Proxy with SSO Filter enabled at Atlas.
> * Atlas UI with Atlas Login.
> * Atlas API from curl with BASIC & Kerberos headers
>
>
> https://builds.apache.org/job/PreCommit-ATLAS-Build-Test/573/console
>
> Topology Used:-
>
>
> <topology>
> <gateway>
>         <provider>
>             <role>federation</role>
>             <name>SSOCookieProvider</name>
>             <enabled>true</enabled>
>             <param>
>                 <name>sso.authentication.provider.url</name>
>                 <value>{KNOXHOST}/gateway/knoxsso/knoxauth/login.html</value>
>             </param>
>         </provider>
>         <provider>
>             <role>identity-assertion</role>
>             <name>Default</name>
>             <enabled>true</enabled>
>         </provider>
> </gateway>
> <service>
> <role>ATLAS</role>
> <url>{ATLAS_HOST}:21000/</url>
> </service>
> <service>
> <role>ATLAS-API</role>
> <url>{ATLAS_HOST}:21000</url>
> </service>
> </topology>
>
>
> Thanks,
>
> Nixon Rodrigues
>
>
Re: Review Request 68363: ATLAS-2824 :- Atlas to support Trusted Knox
Proxy
Posted by Madhan Neethiraj <ma...@apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/68363/#review210327
-----------------------------------------------------------
webapp/src/main/java/org/apache/atlas/web/filters/AtlasAuthenticationFilter.java
Lines 689 (patched)
<https://reviews.apache.org/r/68363/#comment294989>
shouldn't this be: "configuration == null"
- Madhan Neethiraj
On Nov. 5, 2018, 2:25 p.m., Nixon Rodrigues wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/68363/
> -----------------------------------------------------------
>
> (Updated Nov. 5, 2018, 2:25 p.m.)
>
>
> Review request for atlas, Apoorv Naik, Ashutosh Mestry, Larry McCay, Madhan Neethiraj, and Sarath Subramanian.
>
>
> Bugs: ATLAS-2824
> https://issues.apache.org/jira/browse/ATLAS-2824
>
>
> Repository: atlas
>
>
> Description
> -------
>
> This patch includes code to support requests from the Knox proxy, where the proxy is already known to and trusted by Atlas via configuration. Atlas intercepts the incoming requests and, if a request is from the Knox proxy, Atlas allows Knox's doAs user to create a session in Atlas.
>
> Configs required:-
>
> atlas.authentication.allow.trustedproxy :- property allow trusted proxy support
> atlas.proxyuser.knox.hosts :- property to add trusted hosts
> atlas.proxyuser.knox.users :- property to add trusted users
> atlas.proxyuser.knox.groups :- property to add trusted groups
>
>
> Diffs
> -----
>
> webapp/src/main/java/org/apache/atlas/web/filters/AtlasAuthenticationFilter.java e5c40d061
> webapp/src/main/java/org/apache/atlas/web/filters/AtlasImpersonator.java PRE-CREATION
>
>
> Diff: https://reviews.apache.org/r/68363/diff/5/
>
>
> Testing
> -------
>
> Tested
>
> * Atlas UI from Trusted Knox Proxy with Knox SSO loginpage.
> * Atlas UI from Knox Proxy with Atlas Login.
> * Atlas UI from Knox Proxy with SSO Filter enabled at Atlas.
> * Atlas UI with Atlas Login.
> * Atlas API from curl with BASIC & Kerberos headers
>
>
> https://builds.apache.org/job/PreCommit-ATLAS-Build-Test/573/console
>
> Topology Used:-
>
>
> <topology>
> <gateway>
>         <provider>
>             <role>federation</role>
>             <name>SSOCookieProvider</name>
>             <enabled>true</enabled>
>             <param>
>                 <name>sso.authentication.provider.url</name>
>                 <value>{KNOXHOST}/gateway/knoxsso/knoxauth/login.html</value>
>             </param>
>         </provider>
>         <provider>
>             <role>identity-assertion</role>
>             <name>Default</name>
>             <enabled>true</enabled>
>         </provider>
> </gateway>
> <service>
> <role>ATLAS</role>
> <url>{ATLAS_HOST}:21000/</url>
> </service>
> <service>
> <role>ATLAS-API</role>
> <url>{ATLAS_HOST}:21000</url>
> </service>
> </topology>
>
>
> Thanks,
>
> Nixon Rodrigues
>
>
Re: Review Request 68363: ATLAS-2824 :- Atlas to support Trusted Knox
Proxy
Posted by Madhan Neethiraj <ma...@apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/68363/#review210522
-----------------------------------------------------------
Ship it!
Ship It!
- Madhan Neethiraj
On Nov. 13, 2018, 7:51 p.m., Nixon Rodrigues wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/68363/
> -----------------------------------------------------------
>
> (Updated Nov. 13, 2018, 7:51 p.m.)
>
>
> Review request for atlas, Apoorv Naik, Ashutosh Mestry, Larry McCay, Madhan Neethiraj, and Sarath Subramanian.
>
>
> Bugs: ATLAS-2824
> https://issues.apache.org/jira/browse/ATLAS-2824
>
>
> Repository: atlas
>
>
> Description
> -------
>
> This patch includes code to support requests from the Knox proxy, where the proxy is already known to and trusted by Atlas via configuration. Atlas intercepts the incoming requests and, if a request is from the Knox proxy, Atlas allows Knox's doAs user to create a session in Atlas.
>
> Configs required:-
>
> atlas.authentication.allow.trustedproxy :- property allow trusted proxy support
> atlas.proxyuser.knox.hosts :- property to add trusted hosts
> atlas.proxyuser.knox.users :- property to add trusted users
> atlas.proxyuser.knox.groups :- property to add trusted groups
>
>
> Diffs
> -----
>
> webapp/src/main/java/org/apache/atlas/web/filters/AtlasAuthenticationFilter.java e5c40d061
> webapp/src/test/java/org/apache/atlas/web/security/NegativeSSLAndKerberosTest.java 21d4f8526
> webapp/src/test/java/org/apache/atlas/web/security/SSLAndKerberosTest.java 49d56b20c
>
>
> Diff: https://reviews.apache.org/r/68363/diff/7/
>
>
> Testing
> -------
>
> Tested
>
> * Atlas UI from Trusted Knox Proxy with Knox SSO loginpage.
> * Atlas UI from Knox Proxy with Atlas Login.
> * Atlas UI from Knox Proxy with SSO Filter enabled at Atlas.
> * Atlas UI with Atlas Login.
> * Atlas API from curl with BASIC & Kerberos headers
>
>
> https://builds.apache.org/job/PreCommit-ATLAS-Build-Test/573/console
>
> Topology Used:-
>
>
> <topology>
> <gateway>
>         <provider>
>             <role>federation</role>
>             <name>SSOCookieProvider</name>
>             <enabled>true</enabled>
>             <param>
>                 <name>sso.authentication.provider.url</name>
>                 <value>{KNOXHOST}/gateway/knoxsso/knoxauth/login.html</value>
>             </param>
>         </provider>
>         <provider>
>             <role>identity-assertion</role>
>             <name>Default</name>
>             <enabled>true</enabled>
>         </provider>
> </gateway>
> <service>
> <role>ATLAS</role>
> <url>{ATLAS_HOST}:21000/</url>
> </service>
> <service>
> <role>ATLAS-API</role>
> <url>{ATLAS_HOST}:21000</url>
> </service>
> </topology>
>
>
> Thanks,
>
> Nixon Rodrigues
>
>
Re: Review Request 68363: ATLAS-2824 :- Atlas to support Trusted Knox
Proxy
Posted by Larry McCay <lm...@apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/68363/#review210524
-----------------------------------------------------------
webapp/src/main/java/org/apache/atlas/web/filters/AtlasAuthenticationFilter.java
Lines 465 (patched)
<https://reviews.apache.org/r/68363/#comment295231>
Will this not fall through to other filters on failure? Is that what we really want here?
webapp/src/main/java/org/apache/atlas/web/filters/AtlasAuthenticationFilter.java
Lines 471 (patched)
<https://reviews.apache.org/r/68363/#comment295234>
It is probably due to the hiding of some of the logic in the previous block by leveraging ProxyUsers.authorize but the logic here is hard to follow on the surface. You may want to just add comment/s to make sure that it is understood that the atlasProxyUsers is being checked in both cases.
The &&'d if and else-if checks make for some mental gymnastics here as well.
- Larry McCay
On Nov. 13, 2018, 7:51 p.m., Nixon Rodrigues wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/68363/
> -----------------------------------------------------------
>
> (Updated Nov. 13, 2018, 7:51 p.m.)
>
>
> Review request for atlas, Apoorv Naik, Ashutosh Mestry, Larry McCay, Madhan Neethiraj, and Sarath Subramanian.
>
>
> Bugs: ATLAS-2824
> https://issues.apache.org/jira/browse/ATLAS-2824
>
>
> Repository: atlas
>
>
> Description
> -------
>
> This patch includes code to support requests from the Knox proxy, where the proxy is already known to and trusted by Atlas via configuration. Atlas intercepts the incoming requests and, if a request is from the Knox proxy, Atlas allows Knox's doAs user to create a session in Atlas.
>
> Configs required:-
>
> atlas.authentication.allow.trustedproxy :- property allow trusted proxy support
> atlas.proxyuser.knox.hosts :- property to add trusted hosts
> atlas.proxyuser.knox.users :- property to add trusted users
> atlas.proxyuser.knox.groups :- property to add trusted groups
>
>
> Diffs
> -----
>
> webapp/src/main/java/org/apache/atlas/web/filters/AtlasAuthenticationFilter.java e5c40d061
> webapp/src/test/java/org/apache/atlas/web/security/NegativeSSLAndKerberosTest.java 21d4f8526
> webapp/src/test/java/org/apache/atlas/web/security/SSLAndKerberosTest.java 49d56b20c
>
>
> Diff: https://reviews.apache.org/r/68363/diff/7/
>
>
> Testing
> -------
>
> Tested
>
> * Atlas UI from Trusted Knox Proxy with Knox SSO loginpage.
> * Atlas UI from Knox Proxy with Atlas Login.
> * Atlas UI from Knox Proxy with SSO Filter enabled at Atlas.
> * Atlas UI with Atlas Login.
> * Atlas API from curl with BASIC & Kerberos headers
>
>
> https://builds.apache.org/job/PreCommit-ATLAS-Build-Test/573/console
>
> Topology Used:-
>
>
> <topology>
> <gateway>
>         <provider>
>             <role>federation</role>
>             <name>SSOCookieProvider</name>
>             <enabled>true</enabled>
>             <param>
>                 <name>sso.authentication.provider.url</name>
>                 <value>{KNOXHOST}/gateway/knoxsso/knoxauth/login.html</value>
>             </param>
>         </provider>
>         <provider>
>             <role>identity-assertion</role>
>             <name>Default</name>
>             <enabled>true</enabled>
>         </provider>
> </gateway>
> <service>
> <role>ATLAS</role>
> <url>{ATLAS_HOST}:21000/</url>
> </service>
> <service>
> <role>ATLAS-API</role>
> <url>{ATLAS_HOST}:21000</url>
> </service>
> </topology>
>
>
> Thanks,
>
> Nixon Rodrigues
>
>
Re: Review Request 68363: ATLAS-2824 :- Atlas to support Trusted Knox
Proxy
Posted by Nixon Rodrigues <ni...@freestoneinfotech.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/68363/
-----------------------------------------------------------
(Updated Nov. 13, 2018, 7:51 p.m.)
Review request for atlas, Apoorv Naik, Ashutosh Mestry, Larry McCay, Madhan Neethiraj, and Sarath Subramanian.
Changes
-------
This patch updates changes in the SSLKerberosTest test cases and also adds a property to turn doAs on/off for the trusted proxy.
atlas.authentication.method.trustedproxy=true/false
https://builds.apache.org/job/PreCommit-ATLAS-Build-Test/805/console
Bugs: ATLAS-2824
https://issues.apache.org/jira/browse/ATLAS-2824
Repository: atlas
Description
-------
This patch includes code to support requests from the Knox proxy, where the proxy is already known to and trusted by Atlas via configuration. Atlas intercepts the incoming requests and, if a request is from the Knox proxy, Atlas allows Knox's doAs user to create a session in Atlas.
Configs required:-
atlas.authentication.allow.trustedproxy :- property allow trusted proxy support
atlas.proxyuser.knox.hosts :- property to add trusted hosts
atlas.proxyuser.knox.users :- property to add trusted users
atlas.proxyuser.knox.groups :- property to add trusted groups
Diffs (updated)
-----
webapp/src/main/java/org/apache/atlas/web/filters/AtlasAuthenticationFilter.java e5c40d061
webapp/src/test/java/org/apache/atlas/web/security/NegativeSSLAndKerberosTest.java 21d4f8526
webapp/src/test/java/org/apache/atlas/web/security/SSLAndKerberosTest.java 49d56b20c
Diff: https://reviews.apache.org/r/68363/diff/7/
Changes: https://reviews.apache.org/r/68363/diff/6-7/
Testing
-------
Tested
* Atlas UI from Trusted Knox Proxy with Knox SSO loginpage.
* Atlas UI from Knox Proxy with Atlas Login.
* Atlas UI from Knox Proxy with SSO Filter enabled at Atlas.
* Atlas UI with Atlas Login.
* Atlas API from curl with BASIC & Kerberos headers
https://builds.apache.org/job/PreCommit-ATLAS-Build-Test/573/console
Topology Used:-
<topology>
<gateway>
        <provider>
            <role>federation</role>
            <name>SSOCookieProvider</name>
            <enabled>true</enabled>
            <param>
                <name>sso.authentication.provider.url</name>
                <value>{KNOXHOST}/gateway/knoxsso/knoxauth/login.html</value>
            </param>
        </provider>
        <provider>
            <role>identity-assertion</role>
            <name>Default</name>
            <enabled>true</enabled>
        </provider>
</gateway>
<service>
<role>ATLAS</role>
<url>{ATLAS_HOST}:21000/</url>
</service>
<service>
<role>ATLAS-API</role>
<url>{ATLAS_HOST}:21000</url>
</service>
</topology>
Thanks,
Nixon Rodrigues
Re: Review Request 68363: ATLAS-2824 :- Atlas to support Trusted Knox
Proxy
Posted by Madhan Neethiraj <ma...@apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/68363/#review210452
-----------------------------------------------------------
Ship it!
Ship It!
- Madhan Neethiraj
On Nov. 9, 2018, 12:59 p.m., Nixon Rodrigues wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/68363/
> -----------------------------------------------------------
>
> (Updated Nov. 9, 2018, 12:59 p.m.)
>
>
> Review request for atlas, Apoorv Naik, Ashutosh Mestry, Larry McCay, Madhan Neethiraj, and Sarath Subramanian.
>
>
> Bugs: ATLAS-2824
> https://issues.apache.org/jira/browse/ATLAS-2824
>
>
> Repository: atlas
>
>
> Description
> -------
>
> This patch includes code to support requests from the Knox proxy, where the proxy is already known to and trusted by Atlas via configuration. Atlas intercepts the incoming requests and, if a request is from the Knox proxy, Atlas allows Knox's doAs user to create a session in Atlas.
>
> Configs required:-
>
> atlas.authentication.allow.trustedproxy :- property allow trusted proxy support
> atlas.proxyuser.knox.hosts :- property to add trusted hosts
> atlas.proxyuser.knox.users :- property to add trusted users
> atlas.proxyuser.knox.groups :- property to add trusted groups
>
>
> Diffs
> -----
>
> webapp/src/main/java/org/apache/atlas/web/filters/AtlasAuthenticationFilter.java e5c40d061
>
>
> Diff: https://reviews.apache.org/r/68363/diff/6/
>
>
> Testing
> -------
>
> Tested
>
> * Atlas UI from Trusted Knox Proxy with Knox SSO loginpage.
> * Atlas UI from Knox Proxy with Atlas Login.
> * Atlas UI from Knox Proxy with SSO Filter enabled at Atlas.
> * Atlas UI with Atlas Login.
> * Atlas API from curl with BASIC & Kerberos headers
>
>
> https://builds.apache.org/job/PreCommit-ATLAS-Build-Test/573/console
>
> Topology Used:-
>
>
> <topology>
> <gateway>
>         <provider>
>             <role>federation</role>
>             <name>SSOCookieProvider</name>
>             <enabled>true</enabled>
>             <param>
>                 <name>sso.authentication.provider.url</name>
>                 <value>{KNOXHOST}/gateway/knoxsso/knoxauth/login.html</value>
>             </param>
>         </provider>
>         <provider>
>             <role>identity-assertion</role>
>             <name>Default</name>
>             <enabled>true</enabled>
>         </provider>
> </gateway>
> <service>
> <role>ATLAS</role>
> <url>{ATLAS_HOST}:21000/</url>
> </service>
> <service>
> <role>ATLAS-API</role>
> <url>{ATLAS_HOST}:21000</url>
> </service>
> </topology>
>
>
> Thanks,
>
> Nixon Rodrigues
>
>
Re: Review Request 68363: ATLAS-2824 :- Atlas to support Trusted Knox
Proxy
Posted by Nixon Rodrigues <ni...@freestoneinfotech.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/68363/
-----------------------------------------------------------
(Updated Nov. 9, 2018, 12:59 p.m.)
Review request for atlas, Apoorv Naik, Ashutosh Mestry, Larry McCay, Madhan Neethiraj, and Sarath Subramanian.
Changes
-------
Updated patch to reuse hadoop's ProxyUser class and code refactoring.
Bugs: ATLAS-2824
https://issues.apache.org/jira/browse/ATLAS-2824
Repository: atlas
Description
-------
This patch includes code to support requests from the Knox proxy, where the proxy is already known to and trusted by Atlas via configuration. Atlas intercepts the incoming requests and, if a request is from the Knox proxy, Atlas allows Knox's doAs user to create a session in Atlas.
Configs required:-
atlas.authentication.allow.trustedproxy :- property allow trusted proxy support
atlas.proxyuser.knox.hosts :- property to add trusted hosts
atlas.proxyuser.knox.users :- property to add trusted users
atlas.proxyuser.knox.groups :- property to add trusted groups
Diffs (updated)
-----
webapp/src/main/java/org/apache/atlas/web/filters/AtlasAuthenticationFilter.java e5c40d061
Diff: https://reviews.apache.org/r/68363/diff/6/
Changes: https://reviews.apache.org/r/68363/diff/5-6/
Testing
-------
Tested
* Atlas UI from Trusted Knox Proxy with Knox SSO loginpage.
* Atlas UI from Knox Proxy with Atlas Login.
* Atlas UI from Knox Proxy with SSO Filter enabled at Atlas.
* Atlas UI with Atlas Login.
* Atlas API from curl with BASIC & Kerberos headers
https://builds.apache.org/job/PreCommit-ATLAS-Build-Test/573/console
Topology Used:-
<topology>
<gateway>
        <provider>
            <role>federation</role>
            <name>SSOCookieProvider</name>
            <enabled>true</enabled>
            <param>
                <name>sso.authentication.provider.url</name>
                <value>{KNOXHOST}/gateway/knoxsso/knoxauth/login.html</value>
            </param>
        </provider>
        <provider>
            <role>identity-assertion</role>
            <name>Default</name>
            <enabled>true</enabled>
        </provider>
</gateway>
<service>
<role>ATLAS</role>
<url>{ATLAS_HOST}:21000/</url>
</service>
<service>
<role>ATLAS-API</role>
<url>{ATLAS_HOST}:21000</url>
</service>
</topology>
Thanks,
Nixon Rodrigues
Re: Review Request 68363: ATLAS-2824 :- Atlas to support Trusted Knox
Proxy
Posted by Nixon Rodrigues <ni...@freestoneinfotech.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/68363/
-----------------------------------------------------------
(Updated Nov. 5, 2018, 2:25 p.m.)
Review request for atlas, Apoorv Naik, Ashutosh Mestry, Larry McCay, Madhan Neethiraj, and Sarath Subramanian.
Changes
-------
Updated patch with some refactoring and code to create session for doAs user
Bugs: ATLAS-2824
https://issues.apache.org/jira/browse/ATLAS-2824
Repository: atlas
Description
-------
This patch includes code to support requests from the Knox proxy, where the proxy is already known to and trusted by Atlas via configuration. Atlas intercepts the incoming requests and, if a request is from the Knox proxy, Atlas allows Knox's doAs user to create a session in Atlas.
Configs required:-
atlas.authentication.allow.trustedproxy :- property allow trusted proxy support
atlas.proxyuser.knox.hosts :- property to add trusted hosts
atlas.proxyuser.knox.users :- property to add trusted users
atlas.proxyuser.knox.groups :- property to add trusted groups
Diffs (updated)
-----
webapp/src/main/java/org/apache/atlas/web/filters/AtlasAuthenticationFilter.java e5c40d061
webapp/src/main/java/org/apache/atlas/web/filters/AtlasImpersonator.java PRE-CREATION
Diff: https://reviews.apache.org/r/68363/diff/5/
Changes: https://reviews.apache.org/r/68363/diff/4-5/
Testing
-------
Tested
* Atlas UI from Trusted Knox Proxy with Knox SSO loginpage.
* Atlas UI from Knox Proxy with Atlas Login.
* Atlas UI from Knox Proxy with SSO Filter enabled at Atlas.
* Atlas UI with Atlas Login.
* Atlas API from curl with BASIC & Kerberos headers
https://builds.apache.org/job/PreCommit-ATLAS-Build-Test/573/console
Topology Used:-
<topology>
<gateway>
        <provider>
            <role>federation</role>
            <name>SSOCookieProvider</name>
            <enabled>true</enabled>
            <param>
                <name>sso.authentication.provider.url</name>
                <value>{KNOXHOST}/gateway/knoxsso/knoxauth/login.html</value>
            </param>
        </provider>
        <provider>
            <role>identity-assertion</role>
            <name>Default</name>
            <enabled>true</enabled>
        </provider>
</gateway>
<service>
<role>ATLAS</role>
<url>{ATLAS_HOST}:21000/</url>
</service>
<service>
<role>ATLAS-API</role>
<url>{ATLAS_HOST}:21000</url>
</service>
</topology>
Thanks,
Nixon Rodrigues
Re: Review Request 68363: ATLAS-2824 :- Atlas to support Trusted Knox
Proxy
Posted by Nixon Rodrigues <ni...@freestoneinfotech.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/68363/
-----------------------------------------------------------
(Updated Nov. 2, 2018, 2:33 p.m.)
Review request for atlas, Apoorv Naik, Ashutosh Mestry, Larry McCay, Madhan Neethiraj, and Sarath Subramanian.
Changes
-------
This patch implements hadoop proxyuser implementation for proxy with doAs
Bugs: ATLAS-2824
https://issues.apache.org/jira/browse/ATLAS-2824
Repository: atlas
Description
-------
This patch includes code to support requests from the Knox proxy, where the proxy is already known to and trusted by Atlas via configuration. Atlas intercepts the incoming requests and, if a request is from the Knox proxy, Atlas allows Knox's doAs user to create a session in Atlas.
Configs required:-
atlas.authentication.allow.trustedproxy :- property allow trusted proxy support
atlas.proxyuser.knox.hosts :- property to add trusted hosts
atlas.proxyuser.knox.users :- property to add trusted users
atlas.proxyuser.knox.groups :- property to add trusted groups
Diffs (updated)
-----
webapp/src/main/java/org/apache/atlas/web/filters/AtlasAuthenticationFilter.java 9a13cea65
webapp/src/main/java/org/apache/atlas/web/filters/AtlasProxyUsers.java PRE-CREATION
Diff: https://reviews.apache.org/r/68363/diff/4/
Changes: https://reviews.apache.org/r/68363/diff/3-4/
Testing
-------
Tested
* Atlas UI from Trusted Knox Proxy with Knox SSO loginpage.
* Atlas UI from Knox Proxy with Atlas Login.
* Atlas UI from Knox Proxy with SSO Filter enabled at Atlas.
* Atlas UI with Atlas Login.
* Atlas API from curl with BASIC & Kerberos headers
https://builds.apache.org/job/PreCommit-ATLAS-Build-Test/573/console
Topology Used:-
<topology>
<gateway>
        <provider>
            <role>federation</role>
            <name>SSOCookieProvider</name>
            <enabled>true</enabled>
            <param>
                <name>sso.authentication.provider.url</name>
                <value>{KNOXHOST}/gateway/knoxsso/knoxauth/login.html</value>
            </param>
        </provider>
        <provider>
            <role>identity-assertion</role>
            <name>Default</name>
            <enabled>true</enabled>
        </provider>
</gateway>
<service>
<role>ATLAS</role>
<url>{ATLAS_HOST}:21000/</url>
</service>
<service>
<role>ATLAS-API</role>
<url>{ATLAS_HOST}:21000</url>
</service>
</topology>
Thanks,
Nixon Rodrigues
Re: Review Request 68363: ATLAS-2824 :- Atlas to support Trusted Knox
Proxy
Posted by Ashutosh Mestry <am...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/68363/#review210140
-----------------------------------------------------------
webapp/src/main/java/org/apache/atlas/web/filters/AtlasTrustedProxyFilter.java
Lines 84 (patched)
<https://reviews.apache.org/r/68363/#comment294777>
Consider inverted if.
webapp/src/main/java/org/apache/atlas/web/filters/AtlasTrustedProxyFilter.java
Lines 119 (patched)
<https://reviews.apache.org/r/68363/#comment294775>
Consider separate method.
webapp/src/main/java/org/apache/atlas/web/filters/AtlasTrustedProxyFilter.java
Lines 125 (patched)
<https://reviews.apache.org/r/68363/#comment294776>
Consider inverted if.
webapp/src/main/java/org/apache/atlas/web/security/AtlasProxyAuthenticator.java
Lines 52 (patched)
<https://reviews.apache.org/r/68363/#comment294772>
Properties.getProperty can potentially return NULL, in which case this will cause an NPE.
webapp/src/main/java/org/apache/atlas/web/security/AtlasProxyAuthenticator.java
Lines 69 (patched)
<https://reviews.apache.org/r/68363/#comment294773>
Consider inverted if.
webapp/src/main/java/org/apache/atlas/web/security/AtlasProxyAuthenticator.java
Lines 109 (patched)
<https://reviews.apache.org/r/68363/#comment294774>
Since if is returning, else is not needed.
- Ashutosh Mestry
On Oct. 29, 2018, 1:07 p.m., Nixon Rodrigues wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/68363/
> -----------------------------------------------------------
>
> (Updated Oct. 29, 2018, 1:07 p.m.)
>
>
> Review request for atlas, Apoorv Naik, Ashutosh Mestry, Larry McCay, Madhan Neethiraj, and Sarath Subramanian.
>
>
> Bugs: ATLAS-2824
> https://issues.apache.org/jira/browse/ATLAS-2824
>
>
> Repository: atlas
>
>
> Description
> -------
>
> This patch includes code to support requests from the Knox proxy, where the proxy is already known and trusted to Atlas via configuration. Atlas intercepts the incoming requests and, if a request is from the Knox proxy, Atlas allows Knox's doAs user to create a session in Atlas.
>
> Configs required:-
>
> atlas.authentication.allow.trustedproxy :- property allow trusted proxy support
> atlas.proxyuser.knox.hosts :- property to add trusted hosts
> atlas.proxyuser.knox.users :- property to add trusted users
> atlas.proxyuser.knox.groups :- property to add trusted groups
>
>
> Diffs
> -----
>
> webapp/src/main/java/org/apache/atlas/web/filters/AtlasTrustedProxyFilter.java PRE-CREATION
> webapp/src/main/java/org/apache/atlas/web/filters/TrustedProxyAuthenticator.java PRE-CREATION
> webapp/src/main/java/org/apache/atlas/web/security/AtlasProxyAuthenticator.java PRE-CREATION
> webapp/src/main/java/org/apache/atlas/web/security/AtlasSecurityConfig.java 24be5de20
>
>
> Diff: https://reviews.apache.org/r/68363/diff/3/
>
>
> Testing
> -------
>
> Tested
>
> * Atlas UI from Trusted Knox Proxy with Knox SSO login page.
> * Atlas UI from Knox Proxy with Atlas Login.
> * Atlas UI from Knox Proxy with SSO Filter enabled at Atlas.
> * Atlas UI with Atlas Login.
> * Atlas API from curl with BASIC & Kerberos headers
>
>
> https://builds.apache.org/job/PreCommit-ATLAS-Build-Test/573/console
>
> Topology Used:-
>
>
> <topology>
>     <gateway>
>         <provider>
>             <role>federation</role>
>             <name>SSOCookieProvider</name>
>             <enabled>true</enabled>
>             <param>
>                 <name>sso.authentication.provider.url</name>
>                 <value>{KNOXHOST}/gateway/knoxsso/knoxauth/login.html</value>
>             </param>
>         </provider>
>         <provider>
>             <role>identity-assertion</role>
>             <name>Default</name>
>             <enabled>true</enabled>
>         </provider>
>     </gateway>
>     <service>
>         <role>ATLAS</role>
>         <url>{ATLAS_HOST}:21000/</url>
>     </service>
>     <service>
>         <role>ATLAS-API</role>
>         <url>{ATLAS_HOST}:21000</url>
>     </service>
> </topology>
>
>
> Thanks,
>
> Nixon Rodrigues
>
>
Re: Review Request 68363: ATLAS-2824 :- Atlas to support Trusted Knox
Proxy
Posted by Nixon Rodrigues <ni...@freestoneinfotech.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/68363/
-----------------------------------------------------------
(Updated Oct. 29, 2018, 1:07 p.m.)
Review request for atlas, Apoorv Naik, Ashutosh Mestry, Larry McCay, Madhan Neethiraj, and Sarath Subramanian.
Changes
-------
This patch is revised to use TrustedProxyAuthenticator, which handles the authentication, and also handles review comments.
Property changed to "atlas.authentication.method.trustedproxy" to enable trusted support.
Bugs: ATLAS-2824
https://issues.apache.org/jira/browse/ATLAS-2824
Repository: atlas
Description
-------
This patch includes code to support requests from the Knox proxy, where the proxy is already known and trusted to Atlas via configuration. Atlas intercepts the incoming requests and, if a request is from the Knox proxy, Atlas allows Knox's doAs user to create a session in Atlas.
Configs required:-
atlas.authentication.allow.trustedproxy :- property allow trusted proxy support
atlas.proxyuser.knox.hosts :- property to add trusted hosts
atlas.proxyuser.knox.users :- property to add trusted users
atlas.proxyuser.knox.groups :- property to add trusted groups
Diffs (updated)
-----
webapp/src/main/java/org/apache/atlas/web/filters/AtlasTrustedProxyFilter.java PRE-CREATION
webapp/src/main/java/org/apache/atlas/web/filters/TrustedProxyAuthenticator.java PRE-CREATION
webapp/src/main/java/org/apache/atlas/web/security/AtlasProxyAuthenticator.java PRE-CREATION
webapp/src/main/java/org/apache/atlas/web/security/AtlasSecurityConfig.java 24be5de20
Diff: https://reviews.apache.org/r/68363/diff/3/
Changes: https://reviews.apache.org/r/68363/diff/2-3/
Testing
-------
Tested
* Atlas UI from Trusted Knox Proxy with Knox SSO login page.
* Atlas UI from Knox Proxy with Atlas Login.
* Atlas UI from Knox Proxy with SSO Filter enabled at Atlas.
* Atlas UI with Atlas Login.
* Atlas API from curl with BASIC & Kerberos headers
https://builds.apache.org/job/PreCommit-ATLAS-Build-Test/573/console
Topology Used:-
<topology>
    <gateway>
        <provider>
            <role>federation</role>
            <name>SSOCookieProvider</name>
            <enabled>true</enabled>
            <param>
                <name>sso.authentication.provider.url</name>
                <value>{KNOXHOST}/gateway/knoxsso/knoxauth/login.html</value>
            </param>
        </provider>
        <provider>
            <role>identity-assertion</role>
            <name>Default</name>
            <enabled>true</enabled>
        </provider>
    </gateway>
    <service>
        <role>ATLAS</role>
        <url>{ATLAS_HOST}:21000/</url>
    </service>
    <service>
        <role>ATLAS-API</role>
        <url>{ATLAS_HOST}:21000</url>
    </service>
</topology>
Thanks,
Nixon Rodrigues
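
Added example, not part of the thread and not the code under review: a fail-closed trusted-proxy check that reads the property names listed above and treats a missing key as "nothing trusted", which avoids the Properties.getProperty NULL case raised in the review. The class and method names are hypothetical. Assumptions: values are comma-separated, the hosts property lists addresses the proxy may connect from, the users property lists doAs users it may assert, and the groups property is left out because it needs a group lookup.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.Properties;
import java.util.Set;
import java.util.stream.Collectors;

public class TrustedProxyCheckExample {
    // Property names as listed in the review request (latest revision for the enable flag).
    static final String ENABLED = "atlas.authentication.method.trustedproxy";
    static final String HOSTS   = "atlas.proxyuser.knox.hosts";
    static final String USERS   = "atlas.proxyuser.knox.users";

    // Assumption: values are comma-separated. A missing or blank key yields an
    // empty set instead of the null that Properties.getProperty returns.
    static Set<String> csv(Properties p, String key) {
        String raw = p.getProperty(key);
        if (raw == null || raw.trim().isEmpty()) {
            return Collections.emptySet();
        }
        return Arrays.stream(raw.split(","))
                     .map(String::trim)
                     .filter(s -> !s.isEmpty())
                     .collect(Collectors.toSet());
    }

    // remoteAddr must be the peer address of the connection (for example
    // ServletRequest.getRemoteAddr()), never a client-supplied header value.
    static boolean mayImpersonate(Properties p, String remoteAddr, String doAsUser) {
        if (!Boolean.parseBoolean(p.getProperty(ENABLED))) {
            return false; // feature off or key absent: parseBoolean(null) is false
        }
        if (remoteAddr == null || doAsUser == null || doAsUser.isEmpty()) {
            return false; // nothing to match against: deny
        }
        return csv(p, HOSTS).contains(remoteAddr) && csv(p, USERS).contains(doAsUser);
    }

    public static void main(String[] args) {
        Properties p = new Properties(); // constructed sample configuration
        p.setProperty(ENABLED, "true");
        p.setProperty(HOSTS, "10.0.0.5");
        p.setProperty(USERS, "alice, bob");
        System.out.println(mayImpersonate(p, "10.0.0.5", "alice"));                // listed proxy, listed user
        System.out.println(mayImpersonate(p, "10.0.0.9", "alice"));                // unlisted source address
        System.out.println(mayImpersonate(new Properties(), "10.0.0.5", "alice")); // nothing configured
    }
}
```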