Posted to commits@atlas.apache.org by sa...@apache.org on 2019/07/05 22:23:40 UTC

[atlas] branch branch-2.0 updated (c354c7a -> e3aba09)

This is an automated email from the ASF dual-hosted git repository.

sarath pushed a change to branch branch-2.0
in repository https://gitbox.apache.org/repos/asf/atlas.git.


    from c354c7a  ATLAS-3307 :- UT fix to add Tag propagation property which is not configured for all tags #59
     new 567dc62  ATLAS-3311: changes Download link text from Source Downloads => All Releases for master
     new 9442a4f  ATLAS-3314: Update relationshipCategory between spark_table and spark_storagedesc type
     new fd25449  ATLAS-3153 :- Add Keycloak authentication method to Atlas.
     new 88ea258  ATLAS-3153 : Testcase fix due to Keycloak authentication method commit.
     new ae306dd  ATLAS-3316 getResolvedEntityVertex returns null if AtlasRelatedObjectId is referenced with AtlasObjectId
     new e3aba09  ATLAS-3318: Throw exception when getGraphInstance() is unable to open janusgraph instance

The 6 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.


Summary of changes:
 addons/models/1000-Hadoop/1100-spark_model.json    |   6 +-
 docs/src/site/site.xml                             |  29 +---
 docs/src/site/twiki/Atlas-Authentication.twiki     |  28 ++++
 .../graphdb/janus/AtlasJanusGraphDatabase.java     |   3 +
 pom.xml                                            |   4 +
 .../store/graph/EntityGraphDiscoveryContext.java   |   4 +
 webapp/pom.xml                                     |   8 +
 .../web/security/AtlasAuthenticationProvider.java  |  32 +++-
 .../AtlasKeycloakAuthenticationProvider.java       |  76 ++++++++++
 .../atlas/web/security/AtlasSecurityConfig.java    | 165 +++++++++++++++++++--
 webapp/src/test/resources/test-spring-security.xml |   2 +
 11 files changed, 311 insertions(+), 46 deletions(-)
 create mode 100644 webapp/src/main/java/org/apache/atlas/web/security/AtlasKeycloakAuthenticationProvider.java


[atlas] 01/06: ATLAS-3311: changes Download link text from Source Downloads => All Releases for master

Posted by sa...@apache.org.

sarath pushed a commit to branch branch-2.0
in repository https://gitbox.apache.org/repos/asf/atlas.git

commit 567dc625849881ecc29ad6f6da88bfb40b6b1bb8
Author: kevalbhatt <kb...@apache.org>
AuthorDate: Fri Jun 28 16:30:09 2019 +0530

    ATLAS-3311: changes Download link text from Source Downloads => All Releases for master
    
    (cherry picked from commit 2a2c4a5e3e83bf0eaae1d82e1746fc5c8b0b78b3)
---
 docs/src/site/site.xml | 29 ++---------------------------
 1 file changed, 2 insertions(+), 27 deletions(-)

diff --git a/docs/src/site/site.xml b/docs/src/site/site.xml
index cded8d6..6cce48e 100755
--- a/docs/src/site/site.xml
+++ b/docs/src/site/site.xml
@@ -78,33 +78,8 @@
             <item name="Source Repository" href="source-repository.html" />
         </menu>
 
-        <menu name="Downloads">
-            <item name="2.0.0"
-                  href="Downloads.html"/>
-            <item name="1.2.0"
-                  href="Downloads.html"/>
-            <item name="1.1.0"
-                  href="Downloads.html"/>
-            <item name="1.0.0"
-                  href="Downloads.html"/>
-            <item name="0.8.4"
-                  href="Downloads.html"/>
-            <item name="0.8.3"
-                  href="Downloads.html"/>
-            <item name="0.8.2"
-                  href="Downloads.html"/>
-            <item name="0.8.1"
-                  href="Downloads.html"/>
-            <item name="0.8-incubating"
-                  href="Downloads.html"/>
-            <item name="0.7.1-incubating"
-                  href="Downloads.html"/>
-            <item name="0.7-incubating"
-                  href="Downloads.html"/>
-            <item name="0.6-incubating"
-                  href="Downloads.html"/>
-            <item name="0.5-incubating"
-                  href="Downloads.html"/>
+        <menu name="Download">
+            <item name="All Releases" target="_blank" href="Downloads.html"/>
         </menu>
 
         <menu name="Documentation">


[atlas] 04/06: ATLAS-3153 : Testcase fix due to Keycloak authentication method commit.

Posted by sa...@apache.org.

sarath pushed a commit to branch branch-2.0
in repository https://gitbox.apache.org/repos/asf/atlas.git

commit 88ea258638d5dcb5911c6da406d3b136dab27ebc
Author: nixonrodrigues <ni...@apache.org>
AuthorDate: Fri Jul 5 14:58:41 2019 +0530

    ATLAS-3153 : Testcase fix due to Keycloak authentication method commit.
    
    (cherry picked from commit e7071476aaba064d0967531cda6d9221f918db4e)
---
 webapp/src/test/resources/test-spring-security.xml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/webapp/src/test/resources/test-spring-security.xml b/webapp/src/test/resources/test-spring-security.xml
index 22cb410..f77c20b 100644
--- a/webapp/src/test/resources/test-spring-security.xml
+++ b/webapp/src/test/resources/test-spring-security.xml
@@ -62,11 +62,13 @@
     </beans:bean>
     <beans:bean id="atlasADProvider" class="org.apache.atlas.web.security.AtlasADAuthenticationProvider"/>
     <beans:bean id="atlasPamProvider" class="org.apache.atlas.web.security.AtlasPamAuthenticationProvider"/>
+    <beans:bean id="atlasKeycloakProvider" class="org.apache.atlas.web.security.AtlasKeycloakAuthenticationProvider"/>
     <beans:bean id="atlasAuthenticationProvider" class="org.apache.atlas.web.security.AtlasAuthenticationProvider">
         <beans:constructor-arg index="0" ref="atlasLDAPProvider"/>
         <beans:constructor-arg index="1" ref="atlasFileProvider"/>
         <beans:constructor-arg index="2" ref="atlasADProvider"/>
         <beans:constructor-arg index="3" ref="atlasPamProvider"/>
+        <beans:constructor-arg index="4" ref="atlasKeycloakProvider" />
     </beans:bean>
 
     <beans:bean id="krbAuthenticationFilter" class="org.apache.atlas.web.filters.AtlasAuthenticationFilter">
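Review bot: the new `<beans:bean id="atlasKeycloakProvider" .../>` is instantiated unconditionally in the test context, and AtlasKeycloakAuthenticationProvider's constructor reads ApplicationProperties and builds a KeycloakAuthenticationProvider at construction time, so every test that loads this XML now needs keycloak-spring-security-adapter on the classpath even when atlas.authentication.method.keycloak is false; consider guarding the bean with a profile or documenting the test dependency. The `constructor-arg index="4"` does match the new five-argument constructor of AtlasAuthenticationProvider, so the wiring itself is consistent.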


[atlas] 03/06: ATLAS-3153 :- Add Keycloak authentication method to Atlas.

Posted by sa...@apache.org.

sarath pushed a commit to branch branch-2.0
in repository https://gitbox.apache.org/repos/asf/atlas.git

commit fd2544978658fbb8c1ee1164b286727af28770e5
Author: Bolke de Bruin <bo...@xs4all.nl>
AuthorDate: Mon May 13 08:05:20 2019 +0200

    ATLAS-3153 :- Add Keycloak authentication method to Atlas.
    
    Keycloak is an open source Identity and Access Management solution aimed at modern applications and services. It makes it easy to secure applications and services with little to no code.
    This enabled Atlas to use OpenID Connect (OAUTH2) and allows integration with more services.
    
    Signed-off-by: nixonrodrigues <ni...@apache.org>
    (cherry picked from commit 645bc94e59969d08b81e7af7a5a2db78207ab3fe)
---
 docs/src/site/twiki/Atlas-Authentication.twiki     |  28 ++++
 pom.xml                                            |   4 +
 webapp/pom.xml                                     |   8 +
 .../web/security/AtlasAuthenticationProvider.java  |  32 +++-
 .../AtlasKeycloakAuthenticationProvider.java       |  76 ++++++++++
 .../atlas/web/security/AtlasSecurityConfig.java    | 165 +++++++++++++++++++--
 6 files changed, 298 insertions(+), 15 deletions(-)

diff --git a/docs/src/site/twiki/Atlas-Authentication.twiki b/docs/src/site/twiki/Atlas-Authentication.twiki
index ddaa7fe..75626ea 100644
--- a/docs/src/site/twiki/Atlas-Authentication.twiki
+++ b/docs/src/site/twiki/Atlas-Authentication.twiki
@@ -7,6 +7,7 @@ Atlas supports following authentication methods
    * *File*
    * *Kerberos*
    * *LDAP*
+   * *Keycloak (OpenID Connect / OAUTH2)*
 
 
 Following properties should be set true to enable the authentication of that type in =atlas-application.properties= file.
@@ -16,6 +17,7 @@ Following properties should be set true to enable the authentication of that typ
 atlas.authentication.method.kerberos=true|false
 atlas.authentication.method.ldap=true|false
 atlas.authentication.method.file=true|false
+atlas.authentication.method.keycloak=true|false
 </verbatim>
 
 If two or more authentication methods are set to true, then the authentication falls back to the latter method if the earlier one fails.
@@ -111,3 +113,29 @@ atlas.authentication.method.ldap.user.searchfilter=(uid={0})
 atlas.authentication.method.ldap.default.role=ROLE_USER
 </verbatim>
 
+---++++ Keycloak Method.
+
+To enable Keycloak authentication mode in Atlas, set the property =atlas.authentication.method.keycloak= to true and also set the property =atlas.authentication.method.keycloak.file= to the localtion of your =keycloak.json= in =atlas-application.properties=.
+Also set =atlas.authentication.method.keycloak.ugi-groups= to false if you want to pickup groups from Keycloak. By default the groups will be picked up from the *roles* defined in Keycloak. In case you want to use the groups
+you need to create a mapping in keycloak and define =atlas.authentication.method.keycloak.groups_claim= equal to the token claim name. Make sure *not* to use the full group path and add the information to the access token.
+
+<verbatim>
+atlas.authentication.method.keycloak=true
+atlas.authentication.method.keycloak.file=/opt/atlas/conf/keycloak.json
+atlas.authentication.method.keycloak.ugi-groups=false
+</verbatim>
+
+Setup you keycloak.json per instructions from Keycloak. Make sure to include ="principal-attribute": "preferred_username"= to ensure readable user names and ="autodetect-bearer-only": true=.
+
+<verbatim>
+{
+  "realm": "auth",
+  "auth-server-url": "http://keycloak-server/auth",
+  "ssl-required": "external",
+  "resource": "atlas",
+  "public-client": true,
+  "confidential-port": 0,
+  "principal-attribute": "preferred_username",
+  "autodetect-bearer-only": true
+}
+</verbatim>
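Review bot: the description of where groups come from does not match the code default: `atlas.authentication.method.keycloak.ugi-groups` defaults to true in AtlasKeycloakAuthenticationProvider, so out of the box groups are taken from UGI, and the Keycloak roles are used only when ugi-groups is false and no groups_claim is configured; the paragraph should state that order explicitly. Two typos: "localtion" and "Setup you keycloak.json" (should read "Set up your keycloak.json"). The sample pairs `"auth-server-url": "http://keycloak-server/auth"` with `"ssl-required": "external"`; since the adapter fetches realm keys and exchanges codes over that URL, the example should show an https URL so that copy-paste deployments do not talk to the IdP in clear text.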
diff --git a/pom.xml b/pom.xml
index ccbdb13..46b5e6b 100644
--- a/pom.xml
+++ b/pom.xml
@@ -719,6 +719,10 @@
         <hppc.version>0.8.1</hppc.version>
         <!-- Storm dependencies -->
 
+        <!-- keycloak dependencies -->
+        <keycloak.version>6.0.1</keycloak.version>
+        <!-- keycloak dependencies -->
+
         <PermGen>64m</PermGen>
         <MaxPermGen>512m</MaxPermGen>
 
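Review bot: the closing `<!-- keycloak dependencies -->` comment duplicates the opening one, and the block now sits directly under the `<!-- Storm dependencies -->` marker, which labels an empty section; move the Keycloak block out from under it or make the closing line an end comment. Pinning keycloak.version to 6.0.1 is fine, but the adapter version has to be kept compatible with the Keycloak server in use, so the authentication docs should say which server versions this adapter was tested against.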
diff --git a/webapp/pom.xml b/webapp/pom.xml
index 4dffbd8..529d2c7 100755
--- a/webapp/pom.xml
+++ b/webapp/pom.xml
@@ -468,6 +468,14 @@
             <artifactId>hadoop-aws</artifactId>
             <version>${hadoop.version}</version>
         </dependency>
+
+        <!-- Keycloak -->
+        <dependency>
+            <groupId>org.keycloak</groupId>
+            <artifactId>keycloak-spring-security-adapter</artifactId>
+            <version>${keycloak.version}</version>
+        </dependency>
+
     </dependencies>
 
     <build>
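Review bot: keycloak-spring-security-adapter brings in the Keycloak core and adapter libraries together with their own Jackson and HTTP client transitives, and it is added without exclusions, so it is worth checking `mvn dependency:tree` for conflicts with the Jackson and httpclient versions Atlas already ships. Because the dependency is unconditional, the adapter is also packaged into every Atlas webapp regardless of whether atlas.authentication.method.keycloak is set; that is acceptable, but it widens the supply-chain surface and should be mentioned in the release notes.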
diff --git a/webapp/src/main/java/org/apache/atlas/web/security/AtlasAuthenticationProvider.java b/webapp/src/main/java/org/apache/atlas/web/security/AtlasAuthenticationProvider.java
index fb21d75..dff3d8d 100644
--- a/webapp/src/main/java/org/apache/atlas/web/security/AtlasAuthenticationProvider.java
+++ b/webapp/src/main/java/org/apache/atlas/web/security/AtlasAuthenticationProvider.java
@@ -37,11 +37,14 @@ public class AtlasAuthenticationProvider extends AtlasAbstractAuthenticationProv
 
     private boolean fileAuthenticationMethodEnabled = true;
     private boolean pamAuthenticationEnabled = false;
+    private boolean keycloakAuthenticationEnabled = false;
+
     private String ldapType = "NONE";
     public static final String FILE_AUTH_METHOD = "atlas.authentication.method.file";
     public static final String LDAP_AUTH_METHOD = "atlas.authentication.method.ldap";
     public static final String LDAP_TYPE = "atlas.authentication.method.ldap.type";
     public static final String PAM_AUTH_METHOD = "atlas.authentication.method.pam";
+    public static final String KEYCLOAK_AUTH_METHOD = "atlas.authentication.method.keycloak";
 
 
 
@@ -55,15 +58,19 @@ public class AtlasAuthenticationProvider extends AtlasAbstractAuthenticationProv
 
     final AtlasPamAuthenticationProvider pamAuthenticationProvider;
 
+    final AtlasKeycloakAuthenticationProvider atlasKeycloakAuthenticationProvider;
+
     @Inject
     public AtlasAuthenticationProvider(AtlasLdapAuthenticationProvider ldapAuthenticationProvider,
                                        AtlasFileAuthenticationProvider fileAuthenticationProvider,
                                        AtlasADAuthenticationProvider adAuthenticationProvider,
-                                       AtlasPamAuthenticationProvider pamAuthenticationProvider) {
+                                       AtlasPamAuthenticationProvider pamAuthenticationProvider,
+                                       AtlasKeycloakAuthenticationProvider atlasKeycloakAuthenticationProvider) {
         this.ldapAuthenticationProvider = ldapAuthenticationProvider;
         this.fileAuthenticationProvider = fileAuthenticationProvider;
         this.adAuthenticationProvider = adAuthenticationProvider;
         this.pamAuthenticationProvider = pamAuthenticationProvider;
+        this.atlasKeycloakAuthenticationProvider = atlasKeycloakAuthenticationProvider;
     }
 
     @PostConstruct
@@ -75,6 +82,8 @@ public class AtlasAuthenticationProvider extends AtlasAbstractAuthenticationProv
 
             this.pamAuthenticationEnabled = configuration.getBoolean(PAM_AUTH_METHOD, false);
 
+            this.keycloakAuthenticationEnabled = configuration.getBoolean(KEYCLOAK_AUTH_METHOD, false);
+
             boolean ldapAuthenticationEnabled = configuration.getBoolean(LDAP_AUTH_METHOD, false);
 
             if (ldapAuthenticationEnabled) {
@@ -118,6 +127,12 @@ public class AtlasAuthenticationProvider extends AtlasAbstractAuthenticationProv
                 } catch (Exception ex) {
                     LOG.error("Error while PAM authentication", ex);
                 }
+            } else if (keycloakAuthenticationEnabled) {
+                try {
+                    authentication = atlasKeycloakAuthenticationProvider.authenticate(authentication);
+                } catch (Exception ex) {
+                    LOG.error("Error while Keycloak authentication", ex);
+                }
             }
         }
 
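Review bot: the Keycloak branch is added as another `else if` after the PAM branch, so when LDAP, AD or PAM is also enabled the Keycloak provider is never consulted, which does not match the documented behaviour that authentication "falls back to the latter method if the earlier one fails"; either document that Keycloak is mutually exclusive with the others or restructure the chain. The branch also copies the PAM pattern of catching Exception and only logging it, so a token that fails verification is logged at ERROR and execution continues; make sure the fall-through after a logged failure cannot let a later check accept the same request.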
@@ -137,6 +152,21 @@ public class AtlasAuthenticationProvider extends AtlasAbstractAuthenticationProv
         throw new AtlasAuthenticationException("Authentication failed.");
     }
 
+    @Override
+    public boolean supports(Class<?> authentication) {
+        if (pamAuthenticationEnabled) {
+            return pamAuthenticationProvider.supports(authentication);
+        } else if (ldapType.equalsIgnoreCase("LDAP")) {
+            return ldapAuthenticationProvider.supports(authentication);
+        } else if (ldapType.equalsIgnoreCase("AD")) {
+            return adAuthenticationProvider.supports(authentication);
+        } else if (keycloakAuthenticationEnabled) {
+            return atlasKeycloakAuthenticationProvider.supports(authentication);
+        } else {
+            return super.supports(authentication);
+        }
+    }
+
     public boolean isSsoEnabled() {
         return ssoEnabled;
     }
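Review bot: supports() returns the answer of a single provider selected by the same priority order, and AtlasKeycloakAuthenticationProvider.supports delegates to KeycloakAuthenticationProvider, which accepts only KeycloakAuthenticationToken. With keycloak enabled and no LDAP/AD/PAM, Spring's ProviderManager will therefore skip this provider for UsernamePasswordAuthenticationToken requests, so the file-based fallback in authenticate() becomes unreachable for basic-auth clients; conversely, with PAM enabled a Keycloak token is rejected before authenticate() is ever called. Consider returning true if any enabled provider supports the class, e.g. `return (keycloakAuthenticationEnabled && atlasKeycloakAuthenticationProvider.supports(authentication)) || super.supports(authentication);` extended likewise for the other enabled providers.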
diff --git a/webapp/src/main/java/org/apache/atlas/web/security/AtlasKeycloakAuthenticationProvider.java b/webapp/src/main/java/org/apache/atlas/web/security/AtlasKeycloakAuthenticationProvider.java
new file mode 100644
index 0000000..367839b
--- /dev/null
+++ b/webapp/src/main/java/org/apache/atlas/web/security/AtlasKeycloakAuthenticationProvider.java
@@ -0,0 +1,76 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.atlas.web.security;
+
+import org.apache.atlas.ApplicationProperties;
+import org.apache.commons.configuration.Configuration;
+import org.keycloak.adapters.springsecurity.authentication.KeycloakAuthenticationProvider;
+import org.keycloak.adapters.springsecurity.token.KeycloakAuthenticationToken;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.core.authority.SimpleGrantedAuthority;
+import org.springframework.stereotype.Component;
+
+import java.util.ArrayList;
+import java.util.List;
+import java.util.Map;
+
+@Component
+public class AtlasKeycloakAuthenticationProvider extends AtlasAbstractAuthenticationProvider {
+  private final boolean groupsFromUGI;
+  private final String groupsClaim;
+
+  private final KeycloakAuthenticationProvider keycloakAuthenticationProvider;
+
+  public AtlasKeycloakAuthenticationProvider() throws Exception {
+    this.keycloakAuthenticationProvider = new KeycloakAuthenticationProvider();
+
+    Configuration configuration = ApplicationProperties.get();
+    this.groupsFromUGI = configuration.getBoolean("atlas.authentication.method.keycloak.ugi-groups", true);
+    this.groupsClaim = configuration.getString("atlas.authentication.method.keycloak.groups_claim");
+  }
+
+  @Override
+  public Authentication authenticate(Authentication authentication) {
+    authentication = keycloakAuthenticationProvider.authenticate(authentication);
+
+    if (groupsFromUGI) {
+      List<GrantedAuthority> groups = getAuthoritiesFromUGI(authentication.getName());
+      KeycloakAuthenticationToken token = (KeycloakAuthenticationToken) authentication;
+
+      authentication = new KeycloakAuthenticationToken(token.getAccount(), token.isInteractive(), groups);
+    } else if (groupsClaim != null) {
+      KeycloakAuthenticationToken token = (KeycloakAuthenticationToken)authentication;
+      Map<String, Object> claims = token.getAccount().getKeycloakSecurityContext().getToken().getOtherClaims();
+      if (claims.containsKey(groupsClaim)) {
+        List<String> membership = (List<String>)claims.get(groupsClaim);
+        List<GrantedAuthority> grantedAuthorities = new ArrayList<>();
+        for (String group : membership) {
+          grantedAuthorities.add(new SimpleGrantedAuthority(group));
+        }
+        authentication = new KeycloakAuthenticationToken(token.getAccount(), token.isInteractive(), grantedAuthorities);
+      }
+    }
+
+    return authentication;
+  }
+
+  @Override
+  public boolean supports(Class<?> aClass) {
+    return keycloakAuthenticationProvider.supports(aClass);
+  }
+}
\ No newline at end of file
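Review bot: the unchecked cast `List<String> membership = (List<String>)claims.get(groupsClaim);` assumes the groups claim is always multivalued; when the Keycloak mapper is not marked multivalued the claim arrives as a single String and the cast throws ClassCastException, which the caller in AtlasAuthenticationProvider turns into a logged error and a failed login. Accept both `String` and `Collection<?>` and check that each element is a String before building the authority. The authorities are also created from the raw claim values with no normalisation (no trimming, no prefix), so the group names must match exactly what the Atlas authorizer policies reference; that is fine but should be documented. Minor: the file is missing a trailing newline.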
diff --git a/webapp/src/main/java/org/apache/atlas/web/security/AtlasSecurityConfig.java b/webapp/src/main/java/org/apache/atlas/web/security/AtlasSecurityConfig.java
index bf6b85b..fc2855d 100644
--- a/webapp/src/main/java/org/apache/atlas/web/security/AtlasSecurityConfig.java
+++ b/webapp/src/main/java/org/apache/atlas/web/security/AtlasSecurityConfig.java
@@ -25,8 +25,31 @@ import org.apache.atlas.web.filters.AtlasKnoxSSOAuthenticationFilter;
 import org.apache.atlas.web.filters.StaleTransactionCleanupFilter;
 import org.apache.commons.configuration.Configuration;
 import org.apache.commons.lang.StringUtils;
+import org.keycloak.adapters.AdapterDeploymentContext;
+import org.keycloak.adapters.KeycloakConfigResolver;
+import org.keycloak.adapters.KeycloakDeployment;
+import org.keycloak.adapters.KeycloakDeploymentBuilder;
+import org.keycloak.adapters.spi.HttpFacade;
+import org.keycloak.adapters.springsecurity.AdapterDeploymentContextFactoryBean;
+import org.keycloak.adapters.springsecurity.KeycloakConfiguration;
+import org.keycloak.adapters.springsecurity.authentication.KeycloakAuthenticationEntryPoint;
+import org.keycloak.adapters.springsecurity.authentication.KeycloakAuthenticationProvider;
+import org.keycloak.adapters.springsecurity.authentication.KeycloakLogoutHandler;
+import org.keycloak.adapters.springsecurity.config.KeycloakSpringConfigResolverWrapper;
+import org.keycloak.adapters.springsecurity.filter.KeycloakAuthenticatedActionsFilter;
+import org.keycloak.adapters.springsecurity.filter.KeycloakAuthenticationProcessingFilter;
+import org.keycloak.adapters.springsecurity.filter.KeycloakPreAuthActionsFilter;
+import org.keycloak.adapters.springsecurity.filter.KeycloakSecurityContextRequestFilter;
+import org.keycloak.adapters.springsecurity.filter.QueryParamPresenceRequestMatcher;
+import org.keycloak.adapters.springsecurity.management.HttpSessionManager;
+import org.keycloak.representations.adapters.config.AdapterConfig;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.context.annotation.Bean;
+import org.springframework.core.io.FileSystemResource;
+import org.springframework.core.io.Resource;
 import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
 import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
@@ -34,22 +57,34 @@ import org.springframework.security.config.annotation.web.builders.WebSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
 import org.springframework.security.config.http.SessionCreationPolicy;
+import org.springframework.security.core.session.SessionRegistryImpl;
 import org.springframework.security.web.AuthenticationEntryPoint;
 import org.springframework.security.web.authentication.DelegatingAuthenticationEntryPoint;
+import org.springframework.security.web.authentication.logout.LogoutFilter;
+import org.springframework.security.web.authentication.session.RegisterSessionAuthenticationStrategy;
+import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;
 import org.springframework.security.web.authentication.www.BasicAuthenticationEntryPoint;
 import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
 import org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter;
+import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
+import org.springframework.security.web.util.matcher.OrRequestMatcher;
 import org.springframework.security.web.util.matcher.RequestHeaderRequestMatcher;
 import org.springframework.security.web.util.matcher.RequestMatcher;
 import org.springframework.security.web.header.writers.StaticHeadersWriter;
 
 import javax.inject.Inject;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.HashMap;
 import java.util.LinkedHashMap;
+import java.util.List;
+import java.util.Map;
 
 import static org.apache.atlas.AtlasConstants.ATLAS_MIGRATION_MODE_FILENAME;
 
 @EnableWebSecurity
 @EnableGlobalMethodSecurity(prePostEnabled = true)
+@KeycloakConfiguration
 public class AtlasSecurityConfig extends WebSecurityConfigurerAdapter {
     private static final Logger LOG = LoggerFactory.getLogger(AtlasSecurityConfig.class);
 
@@ -66,6 +101,15 @@ public class AtlasSecurityConfig extends WebSecurityConfigurerAdapter {
     private final StaleTransactionCleanupFilter staleTransactionCleanupFilter;
     private final ActiveServerFilter activeServerFilter;
 
+    public static final RequestMatcher KEYCLOAK_REQUEST_MATCHER = new OrRequestMatcher(new RequestMatcher[]{new AntPathRequestMatcher("/login.jsp"), new RequestHeaderRequestMatcher("Authorization"), new QueryParamPresenceRequestMatcher("access_token")});
+
+    @Value("${keycloak.configurationFile:WEB-INF/keycloak.json}")
+    private Resource keycloakConfigFileResource;
+    @Autowired(required = false)
+    private KeycloakConfigResolver keycloakConfigResolver;
+
+    private final boolean keycloakEnabled;
+
     @Inject
     public AtlasSecurityConfig(AtlasKnoxSSOAuthenticationFilter ssoAuthenticationFilter,
                                AtlasCSRFPreventionFilter atlasCSRFPreventionFilter,
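Review bot: `KEYCLOAK_REQUEST_MATCHER` includes `new QueryParamPresenceRequestMatcher("access_token")`, which lets a bearer token be supplied as a URL query parameter; tokens in the query string end up in access logs, proxy logs, browser history and Referer headers, and RFC 6750 section 2.3 advises against this form unless unavoidable, so unless a specific Atlas client needs it, restrict the matcher to the Authorization header and the /login.jsp path. Also, `keycloakConfigFileResource` is injected via @Value but overwritten later in adapterDeploymentContext(), and `keycloakConfigResolver` is autowired but not referenced anywhere in the diff, so one of the two configuration paths is dead code.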
@@ -87,15 +131,27 @@ public class AtlasSecurityConfig extends WebSecurityConfigurerAdapter {
         this.configuration = configuration;
         this.staleTransactionCleanupFilter = staleTransactionCleanupFilter;
         this.activeServerFilter = activeServerFilter;
+
+        this.keycloakEnabled = configuration.getBoolean(AtlasAuthenticationProvider.KEYCLOAK_AUTH_METHOD, false);
     }
 
-    public BasicAuthenticationEntryPoint getAuthenticationEntryPoint() {
-        BasicAuthenticationEntryPoint basicAuthenticationEntryPoint = new BasicAuthenticationEntryPoint();
-        basicAuthenticationEntryPoint.setRealmName("atlas.com");
-        return basicAuthenticationEntryPoint;
+    public AuthenticationEntryPoint getAuthenticationEntryPoint() throws Exception {
+        AuthenticationEntryPoint authenticationEntryPoint;
+
+        if (keycloakEnabled) {
+            KeycloakAuthenticationEntryPoint keycloakAuthenticationEntryPoint = new KeycloakAuthenticationEntryPoint(adapterDeploymentContext());
+            keycloakAuthenticationEntryPoint.setRealm("atlas.com");
+            keycloakAuthenticationEntryPoint.setLoginUri("/login.jsp");
+            authenticationEntryPoint = keycloakAuthenticationEntryPoint;
+        } else {
+            BasicAuthenticationEntryPoint basicAuthenticationEntryPoint = new BasicAuthenticationEntryPoint();
+            basicAuthenticationEntryPoint.setRealmName("atlas.com");
+            authenticationEntryPoint = basicAuthenticationEntryPoint;
+        }
+        return authenticationEntryPoint;
     }
 
-    public DelegatingAuthenticationEntryPoint getDelegatingAuthenticationEntryPoint() {
+    public DelegatingAuthenticationEntryPoint getDelegatingAuthenticationEntryPoint() throws Exception {
         LinkedHashMap<RequestMatcher, AuthenticationEntryPoint> entryPointMap = new LinkedHashMap<>();
         entryPointMap.put(new RequestHeaderRequestMatcher("User-Agent", "Mozilla"), atlasAuthenticationEntryPoint);
         DelegatingAuthenticationEntryPoint entryPoint = new DelegatingAuthenticationEntryPoint(entryPointMap);
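Review bot: the realm string "atlas.com" is now repeated in both branches (`keycloakAuthenticationEntryPoint.setRealm("atlas.com");` and `basicAuthenticationEntryPoint.setRealmName("atlas.com");`); pull it into a constant so the two challenges cannot drift. The `setLoginUri("/login.jsp")` value must stay in step with the `/login.jsp` entry of KEYCLOAK_REQUEST_MATCHER, since the redirect only starts the OIDC flow because that path is matched by the processing filter; a shared constant would make that coupling visible.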
@@ -110,19 +166,24 @@ public class AtlasSecurityConfig extends WebSecurityConfigurerAdapter {
 
     @Override
     public void configure(WebSecurity web) throws Exception {
+        List<String> matchers = new ArrayList<>(
+          Arrays.asList("/css/**",
+            "/img/**",
+            "/libs/**",
+            "/js/**",
+            "/ieerror.html",
+            "/api/atlas/admin/status",
+            "/api/atlas/admin/metrics"));
+
+        if (!keycloakEnabled) {
+            matchers.add("/login.jsp");
+        }
+
         web.ignoring()
-                .antMatchers("/login.jsp",
-                        "/css/**",
-                        "/img/**",
-                        "/libs/**",
-                        "/js/**",
-                        "/ieerror.html",
-                        "/api/atlas/admin/status",
-                        "/api/atlas/admin/metrics");
+                .antMatchers(matchers.toArray(new String[matchers.size()]));
     }
 
     protected void configure(HttpSecurity httpSecurity) throws Exception {
-
         //@formatter:off
         httpSecurity
                 .authorizeRequests().anyRequest().authenticated()
@@ -173,5 +234,81 @@ public class AtlasSecurityConfig extends WebSecurityConfigurerAdapter {
                 .addFilterBefore(ssoAuthenticationFilter, BasicAuthenticationFilter.class)
                 .addFilterAfter(atlasAuthenticationFilter, SecurityContextHolderAwareRequestFilter.class)
                 .addFilterAfter(csrfPreventionFilter, AtlasAuthenticationFilter.class);
+
+        if (keycloakEnabled) {
+            httpSecurity
+              .logout().addLogoutHandler(keycloakLogoutHandler()).and()
+              .addFilterBefore(keycloakAuthenticationProcessingFilter(), BasicAuthenticationFilter.class)
+              .addFilterBefore(keycloakPreAuthActionsFilter(), LogoutFilter.class)
+              .addFilterAfter(keycloakSecurityContextRequestFilter(), SecurityContextHolderAwareRequestFilter.class)
+              .addFilterAfter(keycloakAuthenticatedActionsRequestFilter(), KeycloakSecurityContextRequestFilter.class);
+        }
+    }
+
+
+    @Bean
+    protected SessionAuthenticationStrategy sessionAuthenticationStrategy() {
+        return new RegisterSessionAuthenticationStrategy(new SessionRegistryImpl());
+    }
+
+    @Bean
+    protected AdapterDeploymentContext adapterDeploymentContext() throws Exception {
+        AdapterDeploymentContextFactoryBean factoryBean;
+        String fileName = configuration.getString("atlas.authentication.method.keycloak.file");
+        if (fileName != null && !fileName.isEmpty()) {
+            keycloakConfigFileResource = new FileSystemResource(fileName);
+            factoryBean = new AdapterDeploymentContextFactoryBean(keycloakConfigFileResource);
+        } else {
+            Configuration conf = configuration.subset("atlas.authentication.method.keycloak");
+            AdapterConfig cfg = new AdapterConfig();
+            cfg.setRealm(conf.getString("realm", "atlas.com"));
+            cfg.setAuthServerUrl(conf.getString("auth-server-url", "https://localhost/auth"));
+            cfg.setResource(conf.getString("resource", "none"));
+
+            Map<String,Object> credentials = new HashMap<>();
+            credentials.put("secret", conf.getString("credentials-secret", "nosecret"));
+            cfg.setCredentials(credentials);
+            KeycloakDeployment dep = KeycloakDeploymentBuilder.build(cfg);
+            factoryBean = new AdapterDeploymentContextFactoryBean(new KeycloakConfigResolver() {
+                @Override
+                public KeycloakDeployment resolve(HttpFacade.Request request) {
+                    return dep;
+                }
+            });
+        }
+
+        factoryBean.afterPropertiesSet();
+        return factoryBean.getObject();
+    }
+
+    @Bean
+    protected KeycloakPreAuthActionsFilter keycloakPreAuthActionsFilter() {
+        return new KeycloakPreAuthActionsFilter(httpSessionManager());
+    }
+
+    @Bean
+    protected HttpSessionManager httpSessionManager() {
+        return new HttpSessionManager();
+    }
+
+    protected KeycloakLogoutHandler keycloakLogoutHandler() throws Exception {
+        return new KeycloakLogoutHandler(adapterDeploymentContext());
+    }
+
+    @Bean
+    protected KeycloakSecurityContextRequestFilter keycloakSecurityContextRequestFilter() {
+        return new KeycloakSecurityContextRequestFilter();
+    }
+
+    @Bean
+    protected KeycloakAuthenticatedActionsFilter keycloakAuthenticatedActionsRequestFilter() {
+        return new KeycloakAuthenticatedActionsFilter();
+    }
+
+    @Bean
+    protected KeycloakAuthenticationProcessingFilter keycloakAuthenticationProcessingFilter() throws Exception {
+        KeycloakAuthenticationProcessingFilter filter = new KeycloakAuthenticationProcessingFilter(authenticationManagerBean(), KEYCLOAK_REQUEST_MATCHER);
+        filter.setSessionAuthenticationStrategy(sessionAuthenticationStrategy());
+        return filter;
     }
 }
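Review bot: the defaults in the else branch that builds the AdapterConfig turn a missing Keycloak configuration into a silently wrong one instead of a startup failure: `cfg.setResource(conf.getString("resource", "none"))` and `credentials.put("secret", conf.getString("credentials-secret", "nosecret"))` produce a KeycloakDeployment with placeholder client credentials pointed at `"https://localhost/auth"`, so an Atlas instance whose Keycloak config file is absent or misnamed starts up and then fails at login with a confusing error from Keycloak rather than a clear message. Suggest reading `realm`, `auth-server-url`, `resource` and `credentials-secret` without defaults and throwing from this method if any of them is unset, e.g. `String secret = conf.getString("credentials-secret"); if (secret == null) throw new IllegalStateException("Keycloak credentials-secret is not configured");`. Also, `keycloakLogoutHandler()` is the only factory method in this block without `@Bean`; if that is intentional, a short comment would stop the next reader from "fixing" it.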


[atlas] 02/06: ATLAS-3314: Update relationshipCategory between spark_table and spark_storagedesc type

Posted by sa...@apache.org.

sarath pushed a commit to branch branch-2.0
in repository https://gitbox.apache.org/repos/asf/atlas.git

commit 9442a4fbe9f8818f5ab81cde7f50770b737d4593
Author: Jungtaek Lim (HeartSaVioR) <ka...@gmail.com>
AuthorDate: Wed Jul 3 08:42:51 2019 +0900

    ATLAS-3314: Update relationshipCategory between spark_table and spark_storagedesc type
    
    Signed-off-by: Sarath Subramanian <sa...@apache.org>
    (cherry picked from commit 2c375b08a52ac8d1039abb4b612a41cb9d89b420)
---
 addons/models/1000-Hadoop/1100-spark_model.json | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/addons/models/1000-Hadoop/1100-spark_model.json b/addons/models/1000-Hadoop/1100-spark_model.json
index 125fbf5..28f24d0 100644
--- a/addons/models/1000-Hadoop/1100-spark_model.json
+++ b/addons/models/1000-Hadoop/1100-spark_model.json
@@ -420,17 +420,15 @@
       "name": "spark_table_storagedesc",
       "serviceType": "spark",
       "typeVersion": "1.0",
-      "relationshipCategory": "COMPOSITION",
+      "relationshipCategory": "ASSOCIATION",
       "endDef1": {
         "type": "spark_table",
         "name": "sd",
-        "isContainer": true,
         "cardinality": "SINGLE"
       },
       "endDef2": {
         "type": "spark_storagedesc",
         "name": "table",
-        "isContainer": false,
         "cardinality": "SINGLE"
       },
       "propagateTags": "NONE"
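Review bot: the switch from `"relationshipCategory": "COMPOSITION"` to `"ASSOCIATION"` (with both `isContainer` flags dropped) changes ownership semantics, not just metadata: under COMPOSITION the spark_storagedesc was owned by its spark_table and removed with it, whereas under ASSOCIATION deleting a spark_table leaves its spark_storagedesc entity in the graph, and neither the commit message nor the JSON says why that is the desired behaviour. Suggest stating the motivation in the commit message and bumping `"typeVersion": "1.0"` for this relationship def so the changed definition is distinguishable from the earlier one in a type registry that has already loaded it.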
@@ -474,4 +472,4 @@
       "propagateTags": "NONE"
     }
   ]
-}
\ No newline at end of file
+}


[atlas] 05/06: ATLAS-3316 getResolvedEntityVertex returns null if AtlasRelatedObjectId is referenced with AtlasObjectId

Posted by sa...@apache.org.

sarath pushed a commit to branch branch-2.0
in repository https://gitbox.apache.org/repos/asf/atlas.git

commit ae306ddfec258361ac46b6b2e8dabdd780f9426d
Author: Mandar Ambawane <ma...@freestoneinfotech.com>
AuthorDate: Fri Jul 5 12:04:45 2019 +0530

    ATLAS-3316 getResolvedEntityVertex returns null if AtlasRelatedObjectId is referenced with AtlasObjectId
    
    Signed-off-by: nixonrodrigues <ni...@apache.org>
    (cherry picked from commit eb513c315607946825831f2f80542b02b9476213)
---
 .../atlas/repository/store/graph/EntityGraphDiscoveryContext.java     | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/repository/src/main/java/org/apache/atlas/repository/store/graph/EntityGraphDiscoveryContext.java b/repository/src/main/java/org/apache/atlas/repository/store/graph/EntityGraphDiscoveryContext.java
index bd05c98..2221ac4 100644
--- a/repository/src/main/java/org/apache/atlas/repository/store/graph/EntityGraphDiscoveryContext.java
+++ b/repository/src/main/java/org/apache/atlas/repository/store/graph/EntityGraphDiscoveryContext.java
@@ -19,6 +19,7 @@ package org.apache.atlas.repository.store.graph;
 
 import org.apache.atlas.exception.AtlasBaseException;
 import org.apache.atlas.model.instance.AtlasObjectId;
+import org.apache.atlas.model.instance.AtlasRelatedObjectId;
 import org.apache.atlas.repository.graphdb.AtlasVertex;
 import org.apache.atlas.repository.store.graph.v2.EntityStream;
 import org.apache.atlas.type.AtlasEntityType;
@@ -95,6 +96,9 @@ public final class EntityGraphDiscoveryContext {
     }
 
     public AtlasVertex getResolvedEntityVertex(AtlasObjectId objId) {
+        if (objId instanceof AtlasRelatedObjectId) {
+            objId = new AtlasObjectId(objId.getGuid(), objId.getTypeName(), objId.getUniqueAttributes());
+        }
         AtlasVertex vertex = resolvedIdsByUniqAttribs.get(objId);
 
         // check also for sub-types; ref={typeName=Asset; guid=abcd} should match {typeName=hive_table; guid=abcd}
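Review bot: the new `instanceof AtlasRelatedObjectId` branch rebuilds the argument as a plain AtlasObjectId so that `resolvedIdsByUniqAttribs.get(objId)` can hit, but the reason (presumably that AtlasRelatedObjectId carries extra state that makes its equals/hashCode differ from the AtlasObjectId keys stored in the map) is not stated anywhere, so a reader will wonder why the conversion exists. Suggest a one-line comment above the `if`, and, since reassigning a method parameter is easy to miss, a local such as `AtlasObjectId lookupId = ...` used both for the `get` and for the sub-type check below. Worth confirming whether the other lookups in this class that key on AtlasObjectId need the same normalization, as only this method is touched.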


[atlas] 06/06: ATLAS-3318: Throw exception when getGraphInstance() is unable to open janusgraph instance

Posted by sa...@apache.org.

sarath pushed a commit to branch branch-2.0
in repository https://gitbox.apache.org/repos/asf/atlas.git

commit e3aba09dbe1170f1229daf1dc1ed5d9da6b4d201
Author: ashutoshm <am...@hortonworks.com>
AuthorDate: Fri Jul 5 15:11:19 2019 -0700

    ATLAS-3318: Throw exception when getGraphInstance() is unable to open janusgraph instance
    
    Signed-off-by: Sarath Subramanian <sa...@apache.org>
    (cherry picked from commit ce5b6d7fea167b880b279076b2498c0786a5b4fd)
---
 .../apache/atlas/repository/graphdb/janus/AtlasJanusGraphDatabase.java | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/graphdb/janus/src/main/java/org/apache/atlas/repository/graphdb/janus/AtlasJanusGraphDatabase.java b/graphdb/janus/src/main/java/org/apache/atlas/repository/graphdb/janus/AtlasJanusGraphDatabase.java
index a8945c0..c8c6a52 100644
--- a/graphdb/janus/src/main/java/org/apache/atlas/repository/graphdb/janus/AtlasJanusGraphDatabase.java
+++ b/graphdb/janus/src/main/java/org/apache/atlas/repository/graphdb/janus/AtlasJanusGraphDatabase.java
@@ -174,6 +174,9 @@ public class AtlasJanusGraphDatabase implements GraphDatabase<AtlasJanusVertex,
                             config.addProperty("graph.allow-upgrade", true);
                             graphInstance = JanusGraphFactory.open(config);
                         }
+                        else {
+                            throw new RuntimeException(e);
+                        }
                     }
                     atlasGraphInstance = new AtlasJanusGraph();
                     validateIndexBackend(config);
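Review bot: `throw new RuntimeException(e)` gives up the chance to say what failed; the surrounding catch block (the `e` is not visible in the hunk) handles a JanusGraph open failure, so a message such as `throw new RuntimeException("Failed to open JanusGraph instance", e)` would tell an operator why Atlas did not start. The behavioural change itself is the right one: as the commit title says, when the `graph.allow-upgrade` retry did not apply, the failed `JanusGraphFactory.open(config)` previously fell through with `graphInstance` left null, so the error surfaced later, far from its cause. Minor style point: `}` and `else {` on separate lines instead of `} else {`.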