Posted to commits@ambari.apache.org by rl...@apache.org on 2015/12/21 23:19:52 UTC
ambari git commit: AMBARI-14450. Declaring a user for anonymous
request does not work (rlevas)
Repository: ambari
Updated Branches:
refs/heads/trunk 5c6c719c1 -> ea195cb28
AMBARI-14450. Declaring a user for anonymous request does not work (rlevas)
Project: http://git-wip-us.apache.org/repos/asf/ambari/repo
Commit: http://git-wip-us.apache.org/repos/asf/ambari/commit/ea195cb2
Tree: http://git-wip-us.apache.org/repos/asf/ambari/tree/ea195cb2
Diff: http://git-wip-us.apache.org/repos/asf/ambari/diff/ea195cb2
Branch: refs/heads/trunk
Commit: ea195cb28d2ca35ac18e5a21eb7a7dec1670e0e2
Parents: 5c6c719
Author: Robert Levas <rl...@hortonworks.com>
Authored: Mon Dec 21 17:19:46 2015 -0500
Committer: Robert Levas <rl...@hortonworks.com>
Committed: Mon Dec 21 17:19:46 2015 -0500
----------------------------------------------------------------------
.../AmbariAuthorizationFilter.java | 4 +-
.../security/TestAuthenticationFactory.java | 6 +
.../AmbariAuthorizationFilterTest.java | 132 +++++++++++--------
3 files changed, 82 insertions(+), 60 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/ambari/blob/ea195cb2/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariAuthorizationFilter.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariAuthorizationFilter.java b/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariAuthorizationFilter.java
index 20ce7fa..82c03e4 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariAuthorizationFilter.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariAuthorizationFilter.java
@@ -117,7 +117,7 @@ public class AmbariAuthorizationFilter implements Filter {
if (authentication == null || authentication instanceof AnonymousAuthenticationToken) {
Authentication defaultAuthentication = getDefaultAuthentication();
if (defaultAuthentication != null) {
- context.setAuthentication(authentication);
+ context.setAuthentication(defaultAuthentication);
authentication = defaultAuthentication;
}
}
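Review bot: The line `context.setAuthentication(defaultAuthentication);` now replaces an absent or anonymous principal with the configured default user for everything downstream of this filter, and nothing in the hunk records that the substitution happened, so a request later attributed to that user in audit output looks the same as a real login. A comment on that line would make the intent explicit, e.g. `// Publish the default API user to the SecurityContext so later authorization checks and audit see it instead of the anonymous token`, and a debug-level log entry at the same point would let an operator trace why an unauthenticated call was authorized. The enclosing method begins and ends outside the hunk.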
@@ -221,7 +221,7 @@ public class AmbariAuthorizationFilter implements Filter {
String username = configuration.getDefaultApiAuthenticatedUser();
if (!StringUtils.isEmpty(username)) {
- final User user = users.getAnyUser(username);
+ final User user = users.getUser(username, UserType.LOCAL);
if (user != null) {
Principal principal = new Principal() {
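Review bot: When `users.getUser(username, UserType.LOCAL)` returns null the `if (user != null)` branch is skipped and the request silently stays anonymous, so a default-user setting that names a non-existent account, or one that is not a LOCAL user, has no effect and nothing tells the operator why. A warning log in the null case naming the configured value would surface the misconfiguration. The change from `getAnyUser` to the LOCAL-only lookup also deserves a comment on the lookup line, e.g. `// Only a LOCAL account may act as the default API user; other user types are intentionally excluded`, since the restriction appears deliberate and the property name does not convey it. The enclosing method starts and ends outside the hunk.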
http://git-wip-us.apache.org/repos/asf/ambari/blob/ea195cb2/ambari-server/src/test/java/org/apache/ambari/server/security/TestAuthenticationFactory.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/test/java/org/apache/ambari/server/security/TestAuthenticationFactory.java b/ambari-server/src/test/java/org/apache/ambari/server/security/TestAuthenticationFactory.java
index 3e164e0..2b2c276 100644
--- a/ambari-server/src/test/java/org/apache/ambari/server/security/TestAuthenticationFactory.java
+++ b/ambari-server/src/test/java/org/apache/ambari/server/security/TestAuthenticationFactory.java
@@ -152,6 +152,7 @@ public class TestAuthenticationFactory {
private static PermissionEntity createAdministratorPermission() {
PermissionEntity permissionEntity = new PermissionEntity();
+ permissionEntity.setId(PermissionEntity.AMBARI_ADMINISTRATOR_PERMISSION);
permissionEntity.setResourceType(createResourceTypeEntity(ResourceType.AMBARI));
permissionEntity.setAuthorizations(createAuthorizations(EnumSet.allOf(RoleAuthorization.class)));
return permissionEntity;
@@ -159,6 +160,7 @@ public class TestAuthenticationFactory {
private static PermissionEntity createClusterAdministratorPermission() {
PermissionEntity permissionEntity = new PermissionEntity();
+ permissionEntity.setId(PermissionEntity.CLUSTER_ADMINISTRATOR_PERMISSION);
permissionEntity.setResourceType(createResourceTypeEntity(ResourceType.CLUSTER));
permissionEntity.setAuthorizations(createAuthorizations(EnumSet.of(
RoleAuthorization.CLUSTER_MANAGE_CREDENTIALS,
@@ -199,6 +201,7 @@ public class TestAuthenticationFactory {
private static PermissionEntity createServiceAdministratorPermission() {
PermissionEntity permissionEntity = new PermissionEntity();
+ permissionEntity.setId(5);
permissionEntity.setResourceType(createResourceTypeEntity(ResourceType.CLUSTER));
permissionEntity.setAuthorizations(createAuthorizations(EnumSet.of(
RoleAuthorization.CLUSTER_VIEW_ALERTS,
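Review bot: `permissionEntity.setId(5);` in this hunk and `permissionEntity.setId(6);` in the next one (createServiceOperatorPermission) are bare magic numbers, while the sibling factories in this file use named constants such as `PermissionEntity.CLUSTER_ADMINISTRATOR_PERMISSION`. If PermissionEntity declares constants for the service-administrator and service-operator permissions they should be used here; otherwise each line needs a comment naming the permission the id stands for, e.g. `permissionEntity.setId(5); // TODO(review): name the service-administrator permission this id maps to`. Both factory methods continue past their hunks.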
@@ -229,6 +232,7 @@ public class TestAuthenticationFactory {
private static PermissionEntity createServiceOperatorPermission() {
PermissionEntity permissionEntity = new PermissionEntity();
+ permissionEntity.setId(6);
permissionEntity.setResourceType(createResourceTypeEntity(ResourceType.CLUSTER));
permissionEntity.setAuthorizations(createAuthorizations(EnumSet.of(
RoleAuthorization.SERVICE_VIEW_CONFIGS,
@@ -253,6 +257,7 @@ public class TestAuthenticationFactory {
private static PermissionEntity createClusterUserPermission() {
PermissionEntity permissionEntity = new PermissionEntity();
+ permissionEntity.setId(PermissionEntity.CLUSTER_USER_PERMISSION);
permissionEntity.setResourceType(createResourceTypeEntity(ResourceType.CLUSTER));
permissionEntity.setAuthorizations(createAuthorizations(EnumSet.of(
RoleAuthorization.SERVICE_VIEW_CONFIGS,
@@ -273,6 +278,7 @@ public class TestAuthenticationFactory {
private static PermissionEntity createViewUserPermission() {
PermissionEntity permissionEntity = new PermissionEntity();
+ permissionEntity.setId(PermissionEntity.VIEW_USER_PERMISSION);
permissionEntity.setResourceType(createResourceTypeEntity(ResourceType.CLUSTER));
permissionEntity.setAuthorizations(createAuthorizations(EnumSet.of(
RoleAuthorization.VIEW_USE
http://git-wip-us.apache.org/repos/asf/ambari/blob/ea195cb2/ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AmbariAuthorizationFilterTest.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AmbariAuthorizationFilterTest.java b/ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AmbariAuthorizationFilterTest.java
index 4cab770..b30bff3 100644
--- a/ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AmbariAuthorizationFilterTest.java
+++ b/ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AmbariAuthorizationFilterTest.java
@@ -26,11 +26,9 @@ import static org.easymock.EasyMock.getCurrentArguments;
import static org.easymock.EasyMock.replay;
import static org.easymock.EasyMock.verify;
-import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
-import java.util.List;
-
+import javax.persistence.EntityManager;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletRequest;
@@ -38,16 +36,22 @@ import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
+import com.google.inject.AbstractModule;
+import com.google.inject.Guice;
+import com.google.inject.Injector;
import junit.framework.Assert;
+import org.apache.ambari.server.configuration.Configuration;
+import org.apache.ambari.server.orm.DBAccessor;
+import org.apache.ambari.server.orm.dao.UserDAO;
import org.apache.ambari.server.orm.entities.PermissionEntity;
import org.apache.ambari.server.orm.entities.PrivilegeEntity;
-import org.apache.ambari.server.orm.entities.ViewInstanceEntity.ViewInstanceVersionDTO;
-import org.apache.ambari.server.security.authorization.internal.InternalAuthenticationToken;
+import org.apache.ambari.server.security.TestAuthenticationFactory;
+import org.apache.ambari.server.state.stack.OsFamily;
import org.apache.ambari.server.view.ViewRegistry;
import org.easymock.EasyMock;
import org.easymock.IAnswer;
-import org.junit.BeforeClass;
+import org.junit.After;
import org.junit.Test;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
@@ -58,14 +62,12 @@ import com.google.common.collect.HashBasedTable;
import com.google.common.collect.Table;
import com.google.common.collect.Table.Cell;
import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.security.crypto.password.PasswordEncoder;
public class AmbariAuthorizationFilterTest {
- @BeforeClass
- public static void setupAuthentication() {
- // Set authenticated user so that authorization checks will pass
- InternalAuthenticationToken authenticationToken = new InternalAuthenticationToken("admin");
- authenticationToken.setAuthenticated(true);
- SecurityContextHolder.getContext().setAuthentication(authenticationToken);
+ @After
+ public void clearAuthentication() {
+ SecurityContextHolder.getContext().setAuthentication(null);
}
@Test
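Review bot: `clearAuthentication` only resets the context after each test, so the first test to run in this class still depends on whatever an earlier test class left in the thread-local context; the new `testDoFilter_NotLoggedIn_UseDefaultUser` appears to read the real `SecurityContextHolder` and would not reach the default-user path if a stale authenticated token were present. Clearing in a `@Before` as well (or annotating this method with both) closes that gap, and `SecurityContextHolder.clearContext()` drops the context object itself rather than leaving an empty one behind. The class body continues outside the hunk.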
@@ -193,7 +195,7 @@ public class AmbariAuthorizationFilterTest {
urlTests.put("/any/other/URL", "GET", true);
urlTests.put("/any/other/URL", "POST", true);
- performGeneralDoFilterTest("admin", new int[]{PermissionEntity.AMBARI_ADMINISTRATOR_PERMISSION}, urlTests, false);
+ performGeneralDoFilterTest(TestAuthenticationFactory.createAdministrator(), urlTests, false);
}
@Test
@@ -226,7 +228,7 @@ public class AmbariAuthorizationFilterTest {
urlTests.put("/any/other/URL", "GET", true);
urlTests.put("/any/other/URL", "POST", false);
- performGeneralDoFilterTest("user1", new int[]{PermissionEntity.CLUSTER_USER_PERMISSION}, urlTests, false);
+ performGeneralDoFilterTest(TestAuthenticationFactory.createClusterUser(), urlTests, false);
}
@Test
@@ -259,7 +261,7 @@ public class AmbariAuthorizationFilterTest {
urlTests.put("/any/other/URL", "GET", true);
urlTests.put("/any/other/URL", "POST", false);
- performGeneralDoFilterTest("user1", new int[] {PermissionEntity.CLUSTER_ADMINISTRATOR_PERMISSION}, urlTests, false);
+ performGeneralDoFilterTest(TestAuthenticationFactory.createClusterAdministrator(), urlTests, false);
}
@Test
@@ -292,7 +294,7 @@ public class AmbariAuthorizationFilterTest {
urlTests.put("/any/other/URL", "GET", true);
urlTests.put("/any/other/URL", "POST", false);
- performGeneralDoFilterTest("user1", new int[] {PermissionEntity.VIEW_USER_PERMISSION}, urlTests, false);
+ performGeneralDoFilterTest(TestAuthenticationFactory.createViewUser(99L), urlTests, false);
}
@Test
@@ -323,7 +325,7 @@ public class AmbariAuthorizationFilterTest {
urlTests.put("/any/other/URL", "GET", true);
urlTests.put("/any/other/URL", "POST", false);
- performGeneralDoFilterTest("user2", new int[0], urlTests, false);
+ performGeneralDoFilterTest(TestAuthenticationFactory.createViewUser(null), urlTests, false);
}
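Review bot: This call replaces a user with no granted permissions (`new int[0]`) with `TestAuthenticationFactory.createViewUser(null)`, which reads as a view user rather than a privilege-less one; whether the factory yields an empty authority set for a null instance cannot be seen from here. If the test's intent is still "no privileges", a factory named for that case, or a comment such as `// view user bound to no instance: no view privileges granted`, would keep the intent visible to the next reader. The test method's name and start lie outside the hunk.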
@Test
@@ -332,7 +334,7 @@ public class AmbariAuthorizationFilterTest {
urlTests.put("/views/SomeView/SomeVersion/SomeInstance", "GET", false);
urlTests.put("/views/SomeView/SomeVersion/SomeInstance?foo=bar", "GET", false);
- performGeneralDoFilterTest(null, new int[0], urlTests, true);
+ performGeneralDoFilterTest(null, urlTests, true);
}
@Test
@@ -340,67 +342,81 @@ public class AmbariAuthorizationFilterTest {
final Table<String, String, Boolean> urlTests = HashBasedTable.create();
urlTests.put("/api/v1/stacks/HDP/versions/2.3/validations", "POST", true);
urlTests.put("/api/v1/stacks/HDP/versions/2.3/recommendations", "POST", true);
- performGeneralDoFilterTest("user1", new int[] { PermissionEntity.CLUSTER_ADMINISTRATOR_PERMISSION}, urlTests, false);
- performGeneralDoFilterTest("user2", new int[] { PermissionEntity.CLUSTER_USER_PERMISSION}, urlTests, false);
- performGeneralDoFilterTest("admin", new int[] { PermissionEntity.AMBARI_ADMINISTRATOR_PERMISSION}, urlTests, false);
+ performGeneralDoFilterTest(TestAuthenticationFactory.createClusterAdministrator(), urlTests, false);
+ performGeneralDoFilterTest(TestAuthenticationFactory.createClusterUser(), urlTests, false);
+ performGeneralDoFilterTest(TestAuthenticationFactory.createAdministrator(), urlTests, false);
+ }
+
+ @Test
+ public void testDoFilter_NotLoggedIn_UseDefaultUser() throws Exception {
+ final FilterChain chain = EasyMock.createStrictMock(FilterChain.class);
+ final HttpServletResponse response = createNiceMock(HttpServletResponse.class);
+
+ final HttpServletRequest request = createNiceMock(HttpServletRequest.class);
+ expect(request.getRequestURI()).andReturn("/uri").anyTimes();
+ expect(request.getQueryString()).andReturn(null).anyTimes();
+ expect(request.getMethod()).andReturn("GET").anyTimes();
+
+ chain.doFilter(EasyMock.<ServletRequest>anyObject(), EasyMock.<ServletResponse>anyObject());
+ EasyMock.expectLastCall().once();
+
+ final Configuration configuration = EasyMock.createMock(Configuration.class);
+ expect(configuration.getDefaultApiAuthenticatedUser()).andReturn("user1").once();
+
+ User user = EasyMock.createMock(User.class);
+ expect(user.getUserName()).andReturn("user1").anyTimes();
+ expect(user.getUserType()).andReturn(UserType.LOCAL).anyTimes();
+
+ final Users users = EasyMock.createMock(Users.class);
+ expect(users.getUser("user1", UserType.LOCAL)).andReturn(user).once();
+ expect(users.getUserAuthorities("user1", UserType.LOCAL)).andReturn(Collections.<AmbariGrantedAuthority>emptyList()).once();
+
+ replay(request, response, chain, configuration, users, user);
+
+ Injector injector = Guice.createInjector(new AbstractModule() {
+ @Override
+ protected void configure() {
+ bind(Configuration.class).toInstance(configuration);
+ bind(Users.class).toInstance(users);
+ bind(EntityManager.class).toInstance(EasyMock.createMock(EntityManager.class));
+ bind(UserDAO.class).toInstance(EasyMock.createMock(UserDAO.class));
+ bind(DBAccessor.class).toInstance(EasyMock.createMock(DBAccessor.class));
+ bind(PasswordEncoder.class).toInstance(EasyMock.createMock(PasswordEncoder.class));
+ bind(OsFamily.class).toInstance(EasyMock.createMock(OsFamily.class));
+ }
+ });
+
+ AmbariAuthorizationFilter filter = new AmbariAuthorizationFilter();
+ injector.injectMembers(filter);
+
+ filter.doFilter(request, response, chain);
+
+ Assert.assertEquals("user1", SecurityContextHolder.getContext().getAuthentication().getName());
}
/**
* Creates mocks with given permissions and performs all given url tests.
*
- * @param username user name
- * @param permissionsGranted array of user permissions
+ * @param authentication the authentication to use
* @param urlTests map of triples: url - http method - is allowed
* @param expectRedirect true if the requests should redirect to login
* @throws Exception
*/
- private void performGeneralDoFilterTest(String username, final int[] permissionsGranted, Table<String, String, Boolean> urlTests, boolean expectRedirect) throws Exception {
+ private void performGeneralDoFilterTest(Authentication authentication, Table<String, String, Boolean> urlTests, boolean expectRedirect) throws Exception {
final SecurityContext securityContext = createNiceMock(SecurityContext.class);
- final Authentication authentication = createNiceMock(Authentication.class);
final FilterConfig filterConfig = createNiceMock(FilterConfig.class);
final AmbariAuthorizationFilter filter = createMockBuilder(AmbariAuthorizationFilter.class)
.addMockedMethod("getSecurityContext").addMockedMethod("getViewRegistry").withConstructor().createMock();
- final List<AmbariGrantedAuthority> authorities = new ArrayList<AmbariGrantedAuthority>();
final ViewRegistry viewRegistry = createNiceMock(ViewRegistry.class);
- for (int permissionGranted: permissionsGranted) {
- final AmbariGrantedAuthority authority = createNiceMock(AmbariGrantedAuthority.class);
- final PrivilegeEntity privilegeEntity = createNiceMock(PrivilegeEntity.class);
- final PermissionEntity permission = createNiceMock(PermissionEntity.class);
-
- expect(authority.getPrivilegeEntity()).andReturn(privilegeEntity).anyTimes();
- expect(privilegeEntity.getPermission()).andReturn(permission).anyTimes();
- expect(permission.getId()).andReturn(permissionGranted).anyTimes();
-
- replay(authority, privilegeEntity, permission);
- authorities.add(authority);
- }
-
- EasyMock.<Collection<? extends GrantedAuthority>>expect(authentication.getAuthorities()).andReturn(authorities).anyTimes();
expect(filterConfig.getInitParameter("realm")).andReturn("AuthFilter").anyTimes();
- if (username == null) {
- expect(authentication.isAuthenticated()).andReturn(false).anyTimes();
- } else {
- expect(authentication.isAuthenticated()).andReturn(true).anyTimes();
- expect(authentication.getName()).andReturn(username).anyTimes();
- }
+
expect(filter.getSecurityContext()).andReturn(securityContext).anyTimes();
expect(filter.getViewRegistry()).andReturn(viewRegistry).anyTimes();
expect(securityContext.getAuthentication()).andReturn(authentication).anyTimes();
- expect(viewRegistry.checkPermission(EasyMock.eq("AllowedView"), EasyMock.<String>anyObject(), EasyMock.<String>anyObject(), EasyMock.anyBoolean())).andAnswer(new IAnswer<Boolean>() {
- @Override
- public Boolean answer() throws Throwable {
- for (int permissionGranted: permissionsGranted) {
- if (permissionGranted == PermissionEntity.VIEW_USER_PERMISSION) {
- return true;
- }
- }
- return false;
- }
- }).anyTimes();
expect(viewRegistry.checkPermission(EasyMock.eq("DeniedView"), EasyMock.<String>anyObject(), EasyMock.<String>anyObject(), EasyMock.anyBoolean())).andReturn(false).anyTimes();
- replay(authentication, filterConfig, filter, securityContext, viewRegistry);
+ replay(filterConfig, filter, securityContext, viewRegistry);
for (final Cell<String, String, Boolean> urlTest: urlTests.cellSet()) {
final FilterChain chain = EasyMock.createStrictMock(FilterChain.class);