You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@ranger.apache.org by sn...@apache.org on 2015/11/19 18:24:01 UTC
incubator-ranger git commit: RANGER-685 : Make Ranger Admin
participate in Knox SSO
Repository: incubator-ranger
Updated Branches:
refs/heads/master e267c0923 -> d5c707ffc
RANGER-685 : Make Ranger Admin participate in Knox SSO
Signed-off-by: sneethiraj <sn...@apache.org>
Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/d5c707ff
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/d5c707ff
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/d5c707ff
Branch: refs/heads/master
Commit: d5c707ffc5517722d6a5514ded2ed31a0d4ae6e4
Parents: e267c09
Author: Gautam Borad <ga...@apache.org>
Authored: Thu Nov 19 21:43:42 2015 +0530
Committer: sneethiraj <sn...@apache.org>
Committed: Thu Nov 19 11:53:08 2015 -0500
----------------------------------------------------------------------
security-admin/pom.xml | 18 +
security-admin/scripts/install.properties | 12 +
security-admin/scripts/setup.sh | 26 ++
.../org/apache/ranger/biz/RangerBizUtil.java | 11 +
.../apache/ranger/common/UserSessionBase.java | 10 +-
.../org/apache/ranger/rest/ServiceREST.java | 9 +
.../handler/RangerAuthenticationProvider.java | 29 ++
.../RangerAuthenticationEntryPoint.java | 6 +-
.../filter/RangerSSOAuthenticationFilter.java | 424 +++++++++++++++++++
.../RangerSecurityContextFormationFilter.java | 13 +-
.../security/web/filter/SSOAuthentication.java | 55 +++
.../web/filter/SSOAuthenticationProperties.java | 62 +++
.../resources/conf.dist/ranger-admin-site.xml | 26 ++
.../conf.dist/security-applicationContext.xml | 95 +----
.../src/main/webapp/scripts/utils/XAUtils.js | 7 +-
.../webapp/scripts/views/common/ErrorView.js | 9 +-
.../webapp/scripts/views/common/ProfileBar.js | 30 +-
17 files changed, 749 insertions(+), 93 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/d5c707ff/security-admin/pom.xml
----------------------------------------------------------------------
diff --git a/security-admin/pom.xml b/security-admin/pom.xml
index 3c26837..1fedbd0 100644
--- a/security-admin/pom.xml
+++ b/security-admin/pom.xml
@@ -407,6 +407,24 @@
<artifactId>spring-test</artifactId>
<version>${springframework.test.version}</version>
</dependency>
+
+ <dependency>
+ <groupId>com.nimbusds</groupId>
+ <artifactId>nimbus-jose-jwt</artifactId>
+ <version>3.9</version>
+ <scope>compile</scope>
+ <exclusions>
+ <exclusion>
+ <groupId>org.bouncycastle</groupId>
+ <artifactId>bcprov-jdk15on</artifactId>
+ </exclusion>
+ </exclusions>
+ </dependency>
+ <dependency>
+ <groupId>com.google.inject</groupId>
+ <artifactId>guice</artifactId>
+ <version>3.0</version>
+ </dependency>
</dependencies>
<build>
<pluginManagement>
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/d5c707ff/security-admin/scripts/install.properties
----------------------------------------------------------------------
diff --git a/security-admin/scripts/install.properties b/security-admin/scripts/install.properties
index f3af716..2d52890 100644
--- a/security-admin/scripts/install.properties
+++ b/security-admin/scripts/install.properties
@@ -109,6 +109,18 @@ unix_group=ranger
#
#
+#-------- SSO CONFIG - Start ------------------
+#
+sso_enabled=false
+sso_providerurl=https://localhost:8443/gateway/knoxsso/api/v1/websso
+sso_publickey=
+sso_cookiename=hadoop-jwt
+sso_query_param_originalurl=originalUrl
+#
+#-------- SSO CONFIG - Start ------------------
+#
+
+#
# UNIX authentication service for Policy Manager
#
# PolicyManager can authenticate using UNIX username/password
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/d5c707ff/security-admin/scripts/setup.sh
----------------------------------------------------------------------
diff --git a/security-admin/scripts/setup.sh b/security-admin/scripts/setup.sh
index 36696a0..8b67f98 100755
--- a/security-admin/scripts/setup.sh
+++ b/security-admin/scripts/setup.sh
@@ -110,6 +110,11 @@ sqlserver_audit_file=$(get_prop 'sqlserver_audit_file' $PROPFILE)
sqlanywhere_core_file=$(get_prop 'sqlanywhere_core_file' $PROPFILE)
sqlanywhere_audit_file=$(get_prop 'sqlanywhere_audit_file' $PROPFILE)
cred_keystore_filename=$(eval echo "$(get_prop 'cred_keystore_filename' $PROPFILE)")
+sso_enabled=$(get_prop 'sso_enabled' $PROPFILE)
+sso_providerurl=$(get_prop 'sso_providerurl' $PROPFILE)
+sso_publickey=$(get_prop 'sso_publickey' $PROPFILE)
+sso_cookiename=$(get_prop 'sso_cookiename' $PROPFILE)
+sso_query_param_originalurl=$(get_prop 'sso_query_param_originalurl' $PROPFILE)
DB_HOST="${db_host}"
@@ -339,6 +344,27 @@ update_properties() {
log "[E] $to_file_default does not exists" ; exit 1;
fi
+ propertyName=ranger.sso.enabled
+ newPropertyValue="${sso_enabled}"
+ updatePropertyToFilePy $propertyName $newPropertyValue $to_file_ranger
+
+ propertyName=ranger.sso.providerurl
+ newPropertyValue="${sso_providerurl}"
+ updatePropertyToFilePy $propertyName $newPropertyValue $to_file_ranger
+
+ propertyName=ranger.sso.publicKey
+ newPropertyValue="${sso_publickey}"
+ updatePropertyToFilePy $propertyName $newPropertyValue $to_file_ranger
+
+ propertyName=ranger.sso.cookiename
+ newPropertyValue="${sso_cookiename}"
+ updatePropertyToFilePy $propertyName $newPropertyValue $to_file_ranger
+
+ propertyName=ranger.sso.query.param.originalurl
+ newPropertyValue="${sso_query_param_originalurl}"
+ updatePropertyToFilePy $propertyName $newPropertyValue $to_file_ranger
+
+
if [ "${DB_FLAVOR}" == "MYSQL" ]
then
propertyName=ranger.jpa.jdbc.url
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/d5c707ff/security-admin/src/main/java/org/apache/ranger/biz/RangerBizUtil.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/biz/RangerBizUtil.java b/security-admin/src/main/java/org/apache/ranger/biz/RangerBizUtil.java
index 689e165..e00db2c 100644
--- a/security-admin/src/main/java/org/apache/ranger/biz/RangerBizUtil.java
+++ b/security-admin/src/main/java/org/apache/ranger/biz/RangerBizUtil.java
@@ -1520,5 +1520,16 @@ public class RangerBizUtil {
return true;
}
+
+ public boolean isSSOEnabled() {
+ UserSessionBase session = ContextUtil.getCurrentUserSession();
+ if (session != null) {
+ return session.isSSOEnabled() == null ? PropertiesUtil.getBooleanProperty("ranger.sso.enabled", false) : session.isSSOEnabled();
+ } else {
+ throw restErrorUtil.createRESTException(
+ "User session is not created",
+ MessageEnums.OPER_NOT_ALLOWED_FOR_STATE);
+ }
+ }
}
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/d5c707ff/security-admin/src/main/java/org/apache/ranger/common/UserSessionBase.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/common/UserSessionBase.java b/security-admin/src/main/java/org/apache/ranger/common/UserSessionBase.java
index 175459c..4473d74 100644
--- a/security-admin/src/main/java/org/apache/ranger/common/UserSessionBase.java
+++ b/security-admin/src/main/java/org/apache/ranger/common/UserSessionBase.java
@@ -39,7 +39,7 @@ public class UserSessionBase implements Serializable {
private List<String> userRoleList = new ArrayList<String>();
private RangerUserPermission rangerUserPermission;
int clientTimeOffsetInMinute = 0;
-
+ private Boolean isSSOEnabled;
public Long getUserId() {
if (xXPortalUser != null) {
return xXPortalUser.getId();
@@ -128,6 +128,14 @@ public class UserSessionBase implements Serializable {
+ public Boolean isSSOEnabled() {
+ return isSSOEnabled;
+ }
+
+ public void setSSOEnabled(Boolean isSSOEnabled) {
+ this.isSSOEnabled = isSSOEnabled;
+ }
+
public static class RangerUserPermission implements Serializable {
private static final long serialVersionUID = 1L;
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/d5c707ff/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
index 9173d6e..d92fd41 100644
--- a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
+++ b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
@@ -37,6 +37,7 @@ import javax.ws.rs.Produces;
import javax.ws.rs.QueryParam;
import javax.ws.rs.WebApplicationException;
import javax.ws.rs.core.Context;
+import javax.ws.rs.core.MediaType;
import org.apache.commons.collections.CollectionUtils;
import org.apache.commons.lang.StringUtils;
@@ -1929,4 +1930,12 @@ public class ServiceREST {
return ret;
}
+
+ @GET
+ @Path("/checksso")
+ @Produces(MediaType.TEXT_PLAIN)
+ public String checkSSO() {
+ return String.valueOf(bizUtil.isSSOEnabled());
+ }
+
}
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/d5c707ff/security-admin/src/main/java/org/apache/ranger/security/handler/RangerAuthenticationProvider.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/security/handler/RangerAuthenticationProvider.java b/security-admin/src/main/java/org/apache/ranger/security/handler/RangerAuthenticationProvider.java
index 40b08c4..3920ab3 100644
--- a/security-admin/src/main/java/org/apache/ranger/security/handler/RangerAuthenticationProvider.java
+++ b/security-admin/src/main/java/org/apache/ranger/security/handler/RangerAuthenticationProvider.java
@@ -75,6 +75,8 @@ public class RangerAuthenticationProvider implements AuthenticationProvider {
private LdapAuthenticator authenticator;
+ private boolean ssoEnabled = false;
+
public RangerAuthenticationProvider() {
}
@@ -82,6 +84,14 @@ public class RangerAuthenticationProvider implements AuthenticationProvider {
@Override
public Authentication authenticate(Authentication authentication)
throws AuthenticationException {
+ if(isSsoEnabled()){
+ if (authentication != null){
+ authentication = getSSOAuthentication(authentication);
+ if(authentication!=null && authentication.isAuthenticated()){
+ return authentication;
+ }
+ }
+ }else{
String sha256PasswordUpdateDisable=PropertiesUtil.getProperty("ranger.sha256Password.update.disable", "false");
if(rangerAuthenticationMethod==null){
rangerAuthenticationMethod="NONE";
@@ -155,6 +165,7 @@ public class RangerAuthenticationProvider implements AuthenticationProvider {
}
return authentication;
}
+ }
return authentication;
}
@@ -521,4 +532,22 @@ public class RangerAuthenticationProvider implements AuthenticationProvider {
}
return authentication;
}
+
+ private Authentication getSSOAuthentication(Authentication authentication) throws AuthenticationException{
+ return authentication;
+ }
+
+ /**
+ * @return the ssoEnabled
+ */
+ public boolean isSsoEnabled() {
+ return ssoEnabled;
+ }
+
+ /**
+ * @param ssoEnabled the ssoEnabled to set
+ */
+ public void setSsoEnabled(boolean ssoEnabled) {
+ this.ssoEnabled = ssoEnabled;
+ }
}
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/d5c707ff/security-admin/src/main/java/org/apache/ranger/security/web/authentication/RangerAuthenticationEntryPoint.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/security/web/authentication/RangerAuthenticationEntryPoint.java b/security-admin/src/main/java/org/apache/ranger/security/web/authentication/RangerAuthenticationEntryPoint.java
index 52228dd..0b61498 100644
--- a/security-admin/src/main/java/org/apache/ranger/security/web/authentication/RangerAuthenticationEntryPoint.java
+++ b/security-admin/src/main/java/org/apache/ranger/security/web/authentication/RangerAuthenticationEntryPoint.java
@@ -35,6 +35,7 @@ import org.apache.ranger.biz.SessionMgr;
import org.apache.ranger.common.JSONUtil;
import org.apache.ranger.common.PropertiesUtil;
import org.apache.ranger.common.RangerConfigUtil;
+import org.apache.ranger.security.web.filter.RangerSSOAuthenticationFilter;
import org.apache.ranger.view.VXResponse;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.core.AuthenticationException;
@@ -129,9 +130,12 @@ public class RangerAuthenticationEntryPoint extends
}
response.sendError(ajaxReturnCode, "");
} else if (!(requestURL.startsWith(reqServletPath))) {
+ if(requestURL.contains(RangerSSOAuthenticationFilter.LOCAL_LOGIN_URL)){
+ if (request.getSession() != null)
+ request.getSession().setAttribute("locallogin","true");
+ }
super.commence(request, response, authException);
}
-
}
}
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/d5c707ff/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerSSOAuthenticationFilter.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerSSOAuthenticationFilter.java b/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerSSOAuthenticationFilter.java
new file mode 100644
index 0000000..960a25f
--- /dev/null
+++ b/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerSSOAuthenticationFilter.java
@@ -0,0 +1,424 @@
+package org.apache.ranger.security.web.filter;
+
+import com.google.inject.Inject;
+import com.nimbusds.jose.JOSEException;
+import com.nimbusds.jose.JWSObject;
+import com.nimbusds.jose.JWSVerifier;
+import com.nimbusds.jose.crypto.RSASSAVerifier;
+import com.nimbusds.jwt.SignedJWT;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.security.authentication.AbstractAuthenticationToken;
+import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.core.authority.SimpleGrantedAuthority;
+import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.security.core.userdetails.User;
+import org.springframework.security.core.userdetails.UserDetails;
+import org.springframework.security.web.authentication.WebAuthenticationDetails;
+
+import javax.servlet.*;
+import javax.servlet.http.Cookie;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import java.io.IOException;
+import java.security.PublicKey;
+import java.security.cert.CertificateException;
+import java.security.interfaces.RSAPublicKey;
+import java.text.ParseException;
+import java.util.ArrayList;
+import java.util.Date;
+import java.util.List;
+
+import org.apache.ranger.common.PropertiesUtil;
+import org.apache.ranger.common.UserSessionBase;
+import org.apache.ranger.security.context.RangerContextHolder;
+import org.apache.ranger.security.context.RangerSecurityContext;
+import org.apache.ranger.security.handler.RangerAuthenticationProvider;
+
+import java.io.ByteArrayInputStream;
+import java.io.UnsupportedEncodingException;
+import java.security.cert.CertificateFactory;
+import java.security.cert.X509Certificate;
+
+public class RangerSSOAuthenticationFilter implements Filter {
+ Logger LOG = LoggerFactory.getLogger(RangerSSOAuthenticationFilter.class);
+
+ public static final String BROWSER_USERAGENT = "ranger.sso.browser.useragent";
+ public static final String JWT_AUTH_PROVIDER_URL = "ranger.sso.providerurl";
+ public static final String JWT_PUBLIC_KEY = "ranger.sso.publicKey";
+ public static final String JWT_COOKIE_NAME = "ranger.sso.cookiename";
+ public static final String JWT_ORIGINAL_URL_QUERY_PARAM = "ranger.sso.query.param.originalurl";
+ public static final String JWT_COOKIE_NAME_DEFAULT = "hadoop-jwt";
+ public static final String JWT_ORIGINAL_URL_QUERY_PARAM_DEFAULT = "originalUrl";
+ public static final String LOCAL_LOGIN_URL = "locallogin";
+
+ private SSOAuthenticationProperties jwtProperties;
+
+ private String originalUrlQueryParam = "originalUrl";
+ private String authenticationProviderUrl = null;
+ private RSAPublicKey publicKey = null;
+ private String cookieName = "hadoop-jwt";
+ private boolean ssoEnabled = false;
+
+ @Inject
+ public RangerSSOAuthenticationFilter(){
+ jwtProperties = getJwtProperties();
+ loadJwtProperties();
+ }
+
+ public RangerSSOAuthenticationFilter(
+ SSOAuthenticationProperties jwtProperties){
+ this.jwtProperties = jwtProperties;
+ loadJwtProperties();
+ }
+
+ @Override
+ public void init(FilterConfig filterConfig) throws ServletException {
+ }
+
+ /*
+ * doFilter of RangerSSOAuthenticationFilter is the first in the filter list so in this it check for the request
+ * if the request is from browser, doesn't contain local login and sso is enabled then it process the request against knox sso
+ * else if it's ssoenable and the request is with local login string then it show's the appropriate msg
+ * else if ssoenable is false then it contiunes with further filters as it was before sso
+ */
+ @Override
+ public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain)throws IOException, ServletException {
+
+ RangerSecurityContext context = RangerContextHolder.getSecurityContext();
+ UserSessionBase session = context != null ? context.getUserSession() : null;
+ ssoEnabled = session != null ? session.isSSOEnabled() : PropertiesUtil.getBooleanProperty("ranger.sso.enabled", false);
+
+ String userAgent = ((HttpServletRequest)servletRequest).getHeader("User-Agent");
+ if(((HttpServletRequest) servletRequest).getSession() != null){
+ if(((HttpServletRequest) servletRequest).getSession().getAttribute("locallogin") != null){
+ ssoEnabled = false;
+ servletRequest.setAttribute("ssoEnabled", false);
+ filterChain.doFilter(servletRequest, servletResponse);
+ return;
+ }
+ }
+ //If sso is enable and request is not for local login and is from browser then it will go inside and try for knox sso authentication
+ if (ssoEnabled && !((HttpServletRequest) servletRequest).getRequestURI().contains(LOCAL_LOGIN_URL) && isWebUserAgent(userAgent)) {
+ //if jwt properties are loaded and is current not authenticated then it will go for sso authentication
+ if (jwtProperties != null && !isAuthenticated()) {
+ HttpServletRequest httpServletRequest = (HttpServletRequest) servletRequest;
+ HttpServletResponse httpServletResponse = (HttpServletResponse) servletResponse;
+ String serializedJWT = getJWTFromCookie(httpServletRequest);
+ // if we get the hadoop-jwt token from the cookies then will process it further
+ if (serializedJWT != null) {
+ SignedJWT jwtToken = null;
+ try {
+ jwtToken = SignedJWT.parse(serializedJWT);
+ boolean valid = validateToken(jwtToken);
+ //if the public key provide is correct and also token is not expired the process token
+ if (valid) {
+ String userName = jwtToken.getJWTClaimsSet().getSubject();
+ LOG.info("SSO login user : "+userName);
+
+ String rangerLdapDefaultRole = PropertiesUtil.getProperty("ranger.ldap.default.role", "ROLE_USER");
+ //if we get the userName from the token then log into ranger using the same user
+ if (userName != null && !userName.trim().isEmpty()) {
+ final List<GrantedAuthority> grantedAuths = new ArrayList<>();
+ grantedAuths.add(new SimpleGrantedAuthority(rangerLdapDefaultRole));
+ final UserDetails principal = new User(userName, "",grantedAuths);
+ final Authentication finalAuthentication = new UsernamePasswordAuthenticationToken(principal, "", grantedAuths);
+ WebAuthenticationDetails webDetails = new WebAuthenticationDetails(httpServletRequest);
+ ((AbstractAuthenticationToken) finalAuthentication).setDetails(webDetails);
+ RangerAuthenticationProvider authenticationProvider = new RangerAuthenticationProvider();
+ authenticationProvider.setSsoEnabled(ssoEnabled);
+ final Authentication authentication = authenticationProvider.authenticate(finalAuthentication);
+ SecurityContextHolder.getContext().setAuthentication(authentication);
+ }
+
+ filterChain.doFilter(servletRequest,httpServletResponse);
+ }
+ // if the token is not valid then redirect to knox sso
+ else {
+ String ssourl = constructLoginURL(httpServletRequest);
+ if(LOG.isDebugEnabled())
+ LOG.debug("SSO URL = " + ssourl);
+ httpServletResponse.sendRedirect(ssourl);
+ }
+ } catch (ParseException e) {
+ LOG.warn("Unable to parse the JWT token", e);
+ }
+ }
+ // if the jwt token is not available then redirect it to knox sso
+ else {
+ String ssourl = constructLoginURL(httpServletRequest);
+ if(LOG.isDebugEnabled())
+ LOG.debug("SSO URL = " + ssourl);
+ httpServletResponse.sendRedirect(ssourl);
+ }
+ }
+ //if property is not loaded or is already authenticated then proceed further with next filter
+ else {
+ filterChain.doFilter(servletRequest, servletResponse);
+ }
+ } else if(ssoEnabled && ((HttpServletRequest) servletRequest).getRequestURI().contains(LOCAL_LOGIN_URL) && isWebUserAgent(userAgent) && isAuthenticated()){
+ //If already there's an active session with sso and user want's to switch to local login(i.e without sso) then it won't be navigated to local login
+ // In this scenario the user as to use separate browser
+ String url = ((HttpServletRequest) servletRequest).getRequestURI().replace(LOCAL_LOGIN_URL+"/", "");
+ url = url.replace(LOCAL_LOGIN_URL, "");
+ LOG.warn("There is an active session and if you want local login to ranger, try this on a separate browser");
+ ((HttpServletResponse)servletResponse).sendRedirect(url);
+ }
+ //if sso is not enable or the request is not from browser then proceed further with next filter
+ else {
+ filterChain.doFilter(servletRequest, servletResponse);
+ }
+ }
+
+ private boolean isWebUserAgent(String userAgent) {
+ boolean isWeb = false;
+ if (jwtProperties != null) {
+ String userAgentList[] = jwtProperties.getUserAgentList();
+ if(userAgentList != null && userAgentList.length > 0){
+ for(String ua : userAgentList){
+ if(userAgent.toLowerCase().startsWith(ua.toLowerCase())){
+ isWeb = true;
+ break;
+ }
+ }
+ }
+ }
+ return isWeb;
+ }
+
+ /**
+ * @return the ssoEnabled
+ */
+ public boolean isSsoEnabled() {
+ return ssoEnabled;
+ }
+
+ /**
+ * @param ssoEnabled the ssoEnabled to set
+ */
+ public void setSsoEnabled(boolean ssoEnabled) {
+ this.ssoEnabled = ssoEnabled;
+ }
+
+ private void loadJwtProperties() {
+ if (jwtProperties != null) {
+ authenticationProviderUrl = jwtProperties.getAuthenticationProviderUrl();
+ publicKey = jwtProperties.getPublicKey();
+ cookieName = jwtProperties.getCookieName();
+ originalUrlQueryParam = jwtProperties.getOriginalUrlQueryParam();
+ }
+ }
+
+ /**
+ * Do not try to validate JWT if user already authenticated via other
+ * provider
+ *
+ * @return true, if JWT validation required
+ */
+ private boolean isAuthenticated() {
+ Authentication existingAuth = SecurityContextHolder.getContext().getAuthentication();
+ return !(!(existingAuth != null && existingAuth.isAuthenticated()) || existingAuth instanceof SSOAuthentication);
+ }
+
+ /**
+ * Encapsulate the acquisition of the JWT token from HTTP cookies within the
+ * request.
+ *
+ * @param req
+ * servlet request to get the JWT token from
+ * @return serialized JWT token
+ */
+ protected String getJWTFromCookie(HttpServletRequest req) {
+ String serializedJWT = null;
+ Cookie[] cookies = req.getCookies();
+ if (cookies != null) {
+ for (Cookie cookie : cookies) {
+ if (cookieName != null && cookieName.equals(cookie.getName())) {
+ if(LOG.isDebugEnabled())
+ LOG.debug(cookieName + " cookie has been found and is being processed");
+ serializedJWT = cookie.getValue();
+ break;
+ }
+ }
+ }
+ return serializedJWT;
+ }
+
+ /**
+ * Create the URL to be used for authentication of the user in the absence
+ * of a JWT token within the incoming request.
+ *
+ * @param request
+ * for getting the original request URL
+ * @return url to use as login url for redirect
+ */
+ protected String constructLoginURL(HttpServletRequest request) {
+ String delimiter = "?";
+ if (authenticationProviderUrl.contains("?")) {
+ delimiter = "&";
+ }
+ String loginURL = authenticationProviderUrl + delimiter + originalUrlQueryParam + "=" + request.getRequestURL().toString();
+ return loginURL;
+ }
+
+ /**
+ * This method provides a single method for validating the JWT for use in
+ * request processing. It provides for the override of specific aspects of
+ * this implementation through submethods used within but also allows for
+ * the override of the entire token validation algorithm.
+ *
+ * @param jwtToken
+ * the token to validate
+ * @return true if valid
+ */
+ protected boolean validateToken(SignedJWT jwtToken) {
+ boolean sigValid = validateSignature(jwtToken);
+ if (!sigValid) {
+ LOG.warn("Signature of JWT token could not be verified. Please check the public key");
+ }
+ boolean expValid = validateExpiration(jwtToken);
+ if (!expValid) {
+ LOG.warn("Expiration time validation of JWT token failed.");
+ }
+ return sigValid && expValid;
+ }
+
+ /**
+ * Verify the signature of the JWT token in this method. This method depends
+ * on the public key that was established during init based upon the
+ * provisioned public key. Override this method in subclasses in order to
+ * customize the signature verification behavior.
+ *
+ * @param jwtToken
+ * the token that contains the signature to be validated
+ * @return valid true if signature verifies successfully; false otherwise
+ */
+ protected boolean validateSignature(SignedJWT jwtToken) {
+ boolean valid = false;
+ if (JWSObject.State.SIGNED == jwtToken.getState()) {
+ if(LOG.isDebugEnabled())
+ LOG.debug("SSO token is in a SIGNED state");
+ if (jwtToken.getSignature() != null) {
+ if(LOG.isDebugEnabled())
+ LOG.debug("SSO token signature is not null");
+ try {
+ JWSVerifier verifier = new RSASSAVerifier(publicKey);
+ if (jwtToken.verify(verifier)) {
+ valid = true;
+ if(LOG.isDebugEnabled())
+ LOG.debug("SSO token has been successfully verified");
+ } else {
+ LOG.warn("SSO signature verification failed.Please check the public key");
+ }
+ } catch (JOSEException je) {
+ LOG.warn("Error while validating signature", je);
+ }
+ }
+ }
+ return valid;
+ }
+
+ /**
+ * Validate that the expiration time of the JWT token has not been violated.
+ * If it has then throw an AuthenticationException. Override this method in
+ * subclasses in order to customize the expiration validation behavior.
+ *
+ * @param jwtToken
+ * the token that contains the expiration date to validate
+ * @return valid true if the token has not expired; false otherwise
+ */
+ protected boolean validateExpiration(SignedJWT jwtToken) {
+ boolean valid = false;
+ try {
+ Date expires = jwtToken.getJWTClaimsSet().getExpirationTime();
+ if (expires != null && new Date().before(expires)) {
+ if(LOG.isDebugEnabled())
+ LOG.debug("SSO token expiration date has been " + "successfully validated");
+ valid = true;
+ } else {
+ LOG.warn("SSO expiration date validation failed.");
+ }
+ } catch (ParseException pe) {
+ LOG.warn("SSO expiration date validation failed.", pe);
+ }
+ return valid;
+ }
+
+ @Override
+ public void destroy() {
+ }
+
+ public SSOAuthenticationProperties getJwtProperties() {
+ String providerUrl = PropertiesUtil.getProperty(JWT_AUTH_PROVIDER_URL);
+ if (providerUrl != null) {
+ String publicKeyPath = PropertiesUtil.getProperty(JWT_PUBLIC_KEY);
+ if (publicKeyPath == null) {
+ LOG.error("Public key pem not specified for SSO auth provider {}. SSO auth will be disabled.",providerUrl);
+ return null;
+ }
+ try {
+ RSAPublicKey publicKey = parseRSAPublicKey(publicKeyPath);
+ SSOAuthenticationProperties jwtProperties = new SSOAuthenticationProperties();
+ jwtProperties.setAuthenticationProviderUrl(providerUrl);
+ jwtProperties.setPublicKey(publicKey);
+
+ jwtProperties.setCookieName(PropertiesUtil.getProperty(JWT_COOKIE_NAME, JWT_COOKIE_NAME_DEFAULT));
+ jwtProperties.setOriginalUrlQueryParam(PropertiesUtil.getProperty(JWT_ORIGINAL_URL_QUERY_PARAM, JWT_ORIGINAL_URL_QUERY_PARAM_DEFAULT));
+ String userAgent = PropertiesUtil.getProperty(BROWSER_USERAGENT);
+ if(userAgent != null && !userAgent.isEmpty()){
+ jwtProperties.setUserAgentList(userAgent.split(","));
+ }
+ return jwtProperties;
+
+ } catch (IOException e) {
+ LOG.error("Unable to read public certificate file. JWT auth will be disabled.",e);
+ return null;
+ } catch (CertificateException e) {
+ LOG.error("Unable to parse public certificate file. JWT auth will be disabled.",e);
+ return null;
+ } catch (ServletException e) {
+ LOG.error("ServletException while processing the properties",e);
+ }
+ } else {
+ return null;
+ }
+ return jwtProperties;
+ }
+
+ /*
+ * public static RSAPublicKey getPublicKeyFromFile(String filePath) throws
+ * IOException, CertificateException {
+ * FileUtils.readFileToString(new File(filePath));
+ * getPublicKeyFromString(pemString); }
+ */
+
+ public static RSAPublicKey parseRSAPublicKey(String pem)
+ throws CertificateException, UnsupportedEncodingException,
+ ServletException {
+ String PEM_HEADER = "-----BEGIN CERTIFICATE-----\n";
+ String PEM_FOOTER = "\n-----END CERTIFICATE-----";
+ String fullPem = PEM_HEADER + pem + PEM_FOOTER;
+ PublicKey key = null;
+ try {
+ CertificateFactory fact = CertificateFactory.getInstance("X.509");
+ ByteArrayInputStream is = new ByteArrayInputStream(fullPem.getBytes("UTF8"));
+ X509Certificate cer = (X509Certificate) fact.generateCertificate(is);
+ key = cer.getPublicKey();
+ } catch (CertificateException ce) {
+ String message = null;
+ if (pem.startsWith(PEM_HEADER)) {
+ message = "CertificateException - be sure not to include PEM header " + "and footer in the PEM configuration element.";
+ } else {
+ message = "CertificateException - PEM may be corrupt";
+ }
+ throw new ServletException(message, ce);
+ } catch (UnsupportedEncodingException uee) {
+ throw new ServletException(uee);
+ }
+ return (RSAPublicKey) key;
+ }
+}
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/d5c707ff/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerSecurityContextFormationFilter.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerSecurityContextFormationFilter.java b/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerSecurityContextFormationFilter.java
index d92fcbb..df529b6 100644
--- a/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerSecurityContextFormationFilter.java
+++ b/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerSecurityContextFormationFilter.java
@@ -128,13 +128,18 @@ public class RangerSecurityContextFormationFilter extends GenericFilterBean {
UserSessionBase userSession = sessionMgr.processSuccessLogin(
XXAuthSession.AUTH_TYPE_PASSWORD, userAgent);
- if(userSession!=null && userSession.getClientTimeOffsetInMinute()==0){
- userSession.setClientTimeOffsetInMinute(clientTimeOffset);
+ if (userSession != null) {
+
+ Object ssoEnabledObj = request.getAttribute("ssoEnabled");
+ Boolean ssoEnabled = ssoEnabledObj != null ? new Boolean(String.valueOf(ssoEnabledObj)) : PropertiesUtil.getBooleanProperty("ranger.sso.enabled", false);
+ userSession.setSSOEnabled(ssoEnabled);
+
+ if (userSession.getClientTimeOffsetInMinute() == 0) {
+ userSession.setClientTimeOffsetInMinute(clientTimeOffset);
+ }
}
context.setUserSession(userSession);
-
-// xUserMgr.checkPermissionRoleByGivenUrls(httpRequest.getRequestURL().toString(),httpMethod);
}
HttpServletResponse res = (HttpServletResponse)response;
res.setHeader("X-Frame-Options", "DENY" );
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/d5c707ff/security-admin/src/main/java/org/apache/ranger/security/web/filter/SSOAuthentication.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/security/web/filter/SSOAuthentication.java b/security-admin/src/main/java/org/apache/ranger/security/web/filter/SSOAuthentication.java
new file mode 100644
index 0000000..b6c39e6
--- /dev/null
+++ b/security-admin/src/main/java/org/apache/ranger/security/web/filter/SSOAuthentication.java
@@ -0,0 +1,55 @@
+package org.apache.ranger.security.web.filter;
+
+import com.nimbusds.jwt.SignedJWT;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.GrantedAuthority;
+
+import java.util.Collection;
+
+/**
+ * Internal token which describes JWT authentication
+ */
+public class SSOAuthentication implements Authentication {
+
+ private SignedJWT token;
+ private boolean authenticated = false;
+
+ public SSOAuthentication(SignedJWT token) {
+ this.token = token;
+ }
+
+ @Override
+ public SignedJWT getCredentials() {
+ return token;
+ }
+
+ @Override
+ public Object getDetails() {
+ return null;
+ }
+
+ @Override
+ public boolean isAuthenticated() {
+ return authenticated;
+ }
+
+ @Override
+ public void setAuthenticated(boolean authenticated) throws IllegalArgumentException {
+ this.authenticated = authenticated;
+ }
+
+ @Override
+ public String getName() {
+ return null;
+ }
+
+ @Override
+ public Collection<? extends GrantedAuthority> getAuthorities() {
+ return null;
+ }
+
+ @Override
+ public Object getPrincipal() {
+ return null;
+ }
+}
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/d5c707ff/security-admin/src/main/java/org/apache/ranger/security/web/filter/SSOAuthenticationProperties.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/security/web/filter/SSOAuthenticationProperties.java b/security-admin/src/main/java/org/apache/ranger/security/web/filter/SSOAuthenticationProperties.java
new file mode 100644
index 0000000..aa29de0
--- /dev/null
+++ b/security-admin/src/main/java/org/apache/ranger/security/web/filter/SSOAuthenticationProperties.java
@@ -0,0 +1,62 @@
+package org.apache.ranger.security.web.filter;
+
+import java.security.interfaces.RSAPublicKey;
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.List;
+
+public class SSOAuthenticationProperties {
+
+ private String authenticationProviderUrl = null;
+ private RSAPublicKey publicKey = null;
+ private String cookieName = "hadoop-jwt";
+ private String originalUrlQueryParam = null;
+ private String[] userAgentList = null;
+
+ public String getAuthenticationProviderUrl() {
+ return authenticationProviderUrl;
+ }
+
+ public void setAuthenticationProviderUrl(String authenticationProviderUrl) {
+ this.authenticationProviderUrl = authenticationProviderUrl;
+ }
+
+ public RSAPublicKey getPublicKey() {
+ return publicKey;
+ }
+
+ public void setPublicKey(RSAPublicKey publicKey) {
+ this.publicKey = publicKey;
+ }
+
+ public String getCookieName() {
+ return cookieName;
+ }
+
+ public void setCookieName(String cookieName) {
+ this.cookieName = cookieName;
+ }
+
+ public String getOriginalUrlQueryParam() {
+ return originalUrlQueryParam;
+ }
+
+ public void setOriginalUrlQueryParam(String originalUrlQueryParam) {
+ this.originalUrlQueryParam = originalUrlQueryParam;
+ }
+
+ /**
+ * @return the userAgentList
+ */
+ public String[] getUserAgentList() {
+ return userAgentList;
+ }
+
+ /**
+ * @param userAgentList the userAgentList to set
+ */
+ public void setUserAgentList(String[] userAgentList) {
+ this.userAgentList = userAgentList;
+ }
+}
+
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/d5c707ff/security-admin/src/main/resources/conf.dist/ranger-admin-site.xml
----------------------------------------------------------------------
diff --git a/security-admin/src/main/resources/conf.dist/ranger-admin-site.xml b/security-admin/src/main/resources/conf.dist/ranger-admin-site.xml
index fe7320c..6ee48f4 100644
--- a/security-admin/src/main/resources/conf.dist/ranger-admin-site.xml
+++ b/security-admin/src/main/resources/conf.dist/ranger-admin-site.xml
@@ -228,4 +228,30 @@
<value>(sAMAccountName={0})</value>
<description></description>
</property>
+ <!-- SSO Properties Starts-->
+ <property>
+ <name>ranger.sso.providerurl</name>
+ <value>https://127.0.0.1:8443/gateway/knoxsso/api/v1/websso</value>
+ </property>
+ <property>
+ <name>ranger.sso.publicKey</name>
+ <value>MIICVjCCAb+gAwIBAgIJAPPvOtuTxFeiMA0GCSqGSIb3DQEBBQUAMG0xCzAJBgNVBAYTAlVTMQ0wCwYDVQQIEwRUZXN0MQ0wCwYDVQQHEwRUZXN0MQ8wDQYDVQQKEwZIYWRvb3AxDTALBgNVBAsTBFRlc3QxIDAeBgNVBAMTF2M2NDAxLmFtYmFyaS5hcGFjaGUub3JnMB4XDTE1MDcxNjE4NDcyM1oXDTE2MDcxNTE4NDcyM1owbTELMAkGA1UEBhMCVVMxDTALBgNVBAgTBFRlc3QxDTALBgNVBAcTBFRlc3QxDzANBgNVBAoTBkhhZG9vcDENMAsGA1UECxMEVGVzdDEgMB4GA1UEAxMXYzY0MDEuYW1iYXJpLmFwYWNoZS5vcmcwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMFs/rymbiNvg8lDhsdAqvh5uHP6iMtfv9IYpDleShjkS1C+IqId6bwGIEO8yhIS5BnfUR/fcnHi2ZNrXX7xQUtQe7M9tDIKu48w//InnZ6VpAqjGShWxcSzR6UB/YoGe5ytHS6MrXaormfBg3VWtDoy2MS83W8pweS6p5JnK7S5AgMBAAEwDQYJKoZIhvcNAQEFBQADgYEANyVg6EzE2q84gq7wQfLt9t047nYFkxcRfzhNVL3LB8p6IkM4RUrzWq4kLA+z+bpY2OdpkTOewUpEdVKzOQd4V7vRxpdANxtbG/XXrJAAcY/S+eMy1eDK73cmaVPnxPUGWmMnQXUiTLab+w8tBQhNbq6BOQ42aOrLxA8k/M4cV1A=</value>
+ </property>
+ <property>
+ <name>ranger.sso.cookiename</name>
+ <value>hadoop-jwt</value>
+ </property>
+ <property>
+ <name>ranger.sso.enabled</name>
+ <value>false</value>
+ </property>
+ <property>
+ <name>ranger.sso.query.param.originalurl</name>
+ <value>originalUrl</value>
+ </property>
+ <property>
+ <name>ranger.sso.browser.useragent</name>
+ <value>Mozilla,chrome</value>
+ </property>
+ <!-- SSO Properties Ends-->
</configuration>
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/d5c707ff/security-admin/src/main/resources/conf.dist/security-applicationContext.xml
----------------------------------------------------------------------
diff --git a/security-admin/src/main/resources/conf.dist/security-applicationContext.xml b/security-admin/src/main/resources/conf.dist/security-applicationContext.xml
index 162afc6..329053f 100644
--- a/security-admin/src/main/resources/conf.dist/security-applicationContext.xml
+++ b/security-admin/src/main/resources/conf.dist/security-applicationContext.xml
@@ -30,31 +30,12 @@ http://www.springframework.org/schema/util/spring-util-3.1.xsd
http://www.springframework.org/schema/security/oauth2
http://www.springframework.org/schema/security/spring-security-oauth2-1.0.xsd">
- <!-- TEMP ADD START-->
- <security:http pattern="/test/social_login.jsp" security="none" />
- <!-- TEMP ADD END -->
<security:http pattern="/login.jsp" security="none" />
- <security:http pattern="/ms_version.jsp" security="none" />
- <security:http pattern="/userRegistration.jsp" security="none" />
- <security:http pattern="/forgotPassword.jsp" security="none" />
- <security:http pattern="public/failedLogin.jsp" security="none" />
<security:http pattern="/styles/**" security="none" />
<security:http pattern="/fonts/**" security="none" />
<security:http pattern="/scripts/**" security="none" />
- <security:http pattern="/bower_components/**" security="none" />
<security:http pattern="/libs/**" security="none" />
<security:http pattern="/images/**" security="none" />
- <security:http pattern="/service/registration" security="none" />
- <security:http pattern="/service/users/firstnames" security="none" />
- <security:http pattern="/components/globalize/**" security="none" />
- <security:http pattern="/resetPassword.jsp" security="none" />
- <security:http pattern="/captcha/**" security="none" />
- <security:http pattern="/service/registration/**" security="none" />
- <security:http pattern="/public/**" security="none" />
- <security:http pattern="/test/**" security="none" />
- <security:http pattern="/test.html" security="none" />
- <security:http pattern="/loadInit.html" security="none" />
- <security:http pattern="/service/documents/result/**" security="none" />
<security:http pattern="/service/assets/policyList/*" security="none"/>
<security:http pattern="/service/assets/resources/grant" security="none"/>
<security:http pattern="/service/assets/resources/revoke" security="none"/>
@@ -63,34 +44,16 @@ http://www.springframework.org/schema/security/spring-security-oauth2-1.0.xsd">
<security:http pattern="/service/plugins/services/revoke/*" security="none"/>
<security:http pattern="/service/tags/download/*" security="none"/>
- <!--<security:http pattern="/service/users/default" security="none"/>
- <security:http pattern="/service/xusers/groups/**" security="none"/>
- <security:http pattern="/service/xusers/users/*" security="none"/>
- <security:http pattern="/service/xusers/groupusers/*" security="none"/>-->
-
- <security:http auto-config="false" create-session="always" entry-point-ref="authenticationProcessingFilterEntryPoint">
+ <security:http disable-url-rewriting="true" use-expressions="true" create-session="always" entry-point-ref="authenticationProcessingFilterEntryPoint">
<security:session-management session-fixation-protection="newSession" />
- <!-- security:remember-me user-service-ref="userService" key="REMEMBER_ME_PASSWORD"/ -->
-
- <!-- Restricted URLs to admin-->
- <security:intercept-url pattern="/service/crud/**" access="ROLE_SYS_ADMIN" />
- <security:intercept-url pattern="/service/users/activations/**" access="ROLE_SYS_ADMIN" />
-
- <!-- Allow annoymous access -->
- <security:intercept-url pattern="/service/general/feedbacks" access="IS_AUTHENTICATED_ANONYMOUSLY" />
-
- <!-- give read access to lesson api -->
- <security:intercept-url pattern="/service/lesson/**" access="IS_AUTHENTICATED_ANONYMOUSLY" method="GET"/>
-
- <!-- Restricted URLs to only authenticated users-->
- <security:intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY, IS_AUTHENTICATED_REMEMBERED" />
-
+ <intercept-url pattern="/**" access="isAuthenticated()"/>
+ <custom-filter ref="ssoAuthenticationFilter" after="BASIC_AUTH_FILTER" />
+
<security:custom-filter position="FORM_LOGIN_FILTER" ref="customUsernamePasswordAuthenticationFilter"/>
- <!-- security:custom-filter before="ANONYMOUS_FILTER" ref="rememberMeFilter" / -->
<security:custom-filter position="LAST" ref="userContextFormationFilter"/>
<security:access-denied-handler error-page="/public/failedLogin.jsp?access_denied=1"/>
- <security:logout delete-cookies="JSESSIONID, xa_rmc" logout-url="/logout.html" success-handler-ref="customLogoutSuccessHandler" />
+ <security:logout delete-cookies="JSESSIONID,hadoop-jwt,xa_rmc" logout-url="/logout.html" success-handler-ref="customLogoutSuccessHandler" />
<http-basic entry-point-ref="authenticationProcessingFilterEntryPoint"/>
</security:http>
@@ -108,7 +71,6 @@ http://www.springframework.org/schema/security/spring-security-oauth2-1.0.xsd">
<beans:property name="authenticationManager" ref="authenticationManager"/>
<beans:property name="authenticationSuccessHandler" ref="ajaxAuthSuccessHandler"/>
<beans:property name="authenticationFailureHandler" ref="ajaxAuthFailureHandler"/>
- <!-- beans:property name="rememberMeServices" ref="rememberMeServices"/ -->
</beans:bean>
<beans:bean id="authenticationProcessingFilterEntryPoint" class="org.apache.ranger.security.web.authentication.RangerAuthenticationEntryPoint">
@@ -127,6 +89,10 @@ http://www.springframework.org/schema/security/spring-security-oauth2-1.0.xsd">
<beans:bean id="customLogoutSuccessHandler" class="org.apache.ranger.security.web.authentication.CustomLogoutSuccessHandler">
</beans:bean>
+ <beans:bean id="ssoAuthenticationFilter" class="org.apache.ranger.security.web.filter.RangerSSOAuthenticationFilter">
+ <beans:property name="ssoEnabled" value="${ranger.sso.enabled}"/>
+ </beans:bean>
+
<beans:bean id="userContextFormationFilter" class="org.apache.ranger.security.web.filter.RangerSecurityContextFormationFilter"/>
<security:jdbc-user-service id="userService" data-source-ref="defaultDataSource"
@@ -136,50 +102,13 @@ http://www.springframework.org/schema/security/spring-security-oauth2-1.0.xsd">
WHERE usr.LOGIN_ID=?
AND usr_role.USER_ID = usr.ID"
/>
- <beans:bean id="customAuthenticationProvider" class="org.apache.ranger.security.handler.RangerAuthenticationProvider" >
- <beans:property name="rangerAuthenticationMethod" value="${ranger.authentication.method}" />
- </beans:bean>
+ <beans:bean id="customAuthenticationProvider" class="org.apache.ranger.security.handler.RangerAuthenticationProvider" >
+ <beans:property name="rangerAuthenticationMethod" value="${ranger.authentication.method}" />
+ </beans:bean>
<security:authentication-manager alias="authenticationManager">
<security:authentication-provider ref="customAuthenticationProvider"/>
- <!-- <security:authentication-manager alias="authenticationManager"> -->
- <!-- AD_SEC_SETTINGS_START -->
- <!-- AD_SEC_SETTINGS_END-->
- <!-- LDAP_SEC_SETTINGS_START -->
- <!-- LDAP_SEC_SETTINGS_END -->
- <!-- UNIX_SEC_SETTINGS_START -->
- <!-- UNIX_SEC_SETTINGS_END -->
- <!-- <security:authentication-provider user-service-ref="userService">
- <security:password-encoder hash="md5">
- <security:salt-source user-property="username"/>
- </security:password-encoder>
- </security:authentication-provider> -->
- <!-- security:authentication-provider ref="rememberMeAuthenticationProvider"/ -->
</security:authentication-manager>
-
<security:global-method-security pre-post-annotations="enabled" />
-
- <!-- UNIX_BEAN_SETTINGS_START -->
- <!-- UNIX_BEAN_SETTINGS_END -->
- <!-- AD_BEAN_SETTINGS_START -->
- <!-- AD_BEAN_SETTINGS_END -->
- <!-- LDAP_BEAN_SETTINGS_START -->
- <!-- LDAP_BEAN_SETTINGS_END -->
- <!-- beans:bean id="rememberMeFilter" class="org.apache.ranger.security.web.filter.MyRememberMeFilter">
- <beans:property name="rememberMeServices" ref="rememberMeServices"/>
- <beans:property name="authenticationManager" ref="authenticationManager" />
- </beans:bean>
- <beans:bean id="rememberMeServices" class=
- "org.springframework.security.web.authentication.rememberme.TokenBasedRememberMeServices">
- <beans:property name="userDetailsService" ref="userService"/>
- <beans:property name="cookieName" value="xa_rmc" />
- <beans:property name="key" value="REMEMBER_ME_PASSWORD"/>
- <beans:property name="alwaysRemember" value="true"/>
- </beans:bean>
-
- <beans:bean id="rememberMeAuthenticationProvider" class=
- "org.springframework.security.authentication.RememberMeAuthenticationProvider">
- <beans:property name="key" value="REMEMBER_ME_PASSWORD"/>
- </beans:bean -->
<beans:bean id="securityEventListener" class ="org.apache.ranger.security.listener.SpringEventListener"/>
</beans:beans>
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/d5c707ff/security-admin/src/main/webapp/scripts/utils/XAUtils.js
----------------------------------------------------------------------
diff --git a/security-admin/src/main/webapp/scripts/utils/XAUtils.js b/security-admin/src/main/webapp/scripts/utils/XAUtils.js
index 8cb90e3..0f3aa3d 100644
--- a/security-admin/src/main/webapp/scripts/utils/XAUtils.js
+++ b/security-admin/src/main/webapp/scripts/utils/XAUtils.js
@@ -1030,10 +1030,15 @@ define(function(require) {
XAUtils.filterAllowedActions = function(controller) {
var SessionMgr = require('mgrs/SessionMgr');
var XAGlobals = require('utils/XAGlobals');
+ var vError = require('views/common/ErrorView');
+ var App = require('App');
var that = this;
var vXPortalUser = SessionMgr.getUserProfile();
if(_.isEmpty(vXPortalUser.attributes)){
- return controller;
+ App.rContent.show(new vError({
+ status : 204
+ }));
+ return;
}
var denyControllerActions = [], denyModulesObj = [];
var userModuleNames = _.pluck(vXPortalUser.get('userPermList'),'moduleName');
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/d5c707ff/security-admin/src/main/webapp/scripts/views/common/ErrorView.js
----------------------------------------------------------------------
diff --git a/security-admin/src/main/webapp/scripts/views/common/ErrorView.js b/security-admin/src/main/webapp/scripts/views/common/ErrorView.js
index a9d5739..4f8f463 100644
--- a/security-admin/src/main/webapp/scripts/views/common/ErrorView.js
+++ b/security-admin/src/main/webapp/scripts/views/common/ErrorView.js
@@ -37,7 +37,10 @@ define(function(require){
if(this.status == 401){
msg = 'Access Denied (401)'
moreInfo = "Sorry, you don't have enough privileges to view this page.";
- }else{
+ } else if(this.status == 204){
+ msg = 'No Content (204)'
+ moreInfo = "Sorry, Please sync-up the users with your source directory.";
+ } else {
msg = 'Page not found (404).'
moreInfo = "Sorry, this page isn't here or has moved.";
}
@@ -82,6 +85,10 @@ define(function(require){
onRender: function() {
this.initializePlugins();
$('#r_breadcrumbs').hide();
+ if(this.status == 204){
+ this.ui.goBackBtn.hide();
+ this.ui.home.hide();
+ }
},
goBackClick : function(){
history.back();
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/d5c707ff/security-admin/src/main/webapp/scripts/views/common/ProfileBar.js
----------------------------------------------------------------------
diff --git a/security-admin/src/main/webapp/scripts/views/common/ProfileBar.js b/security-admin/src/main/webapp/scripts/views/common/ProfileBar.js
index 0f87270..0bb9648 100644
--- a/security-admin/src/main/webapp/scripts/views/common/ProfileBar.js
+++ b/security-admin/src/main/webapp/scripts/views/common/ProfileBar.js
@@ -53,7 +53,8 @@ define(function(require){
return events;
},
onLogout : function(){
- var url = 'security-admin-web/logout.html';
+ var url = 'security-admin-web/logout.html',
+ that = this;
$.ajax({
url : url,
type : 'GET',
@@ -61,13 +62,38 @@ define(function(require){
"cache-control" : "no-cache"
},
success : function() {
- window.location.replace('login.jsp');
+ that.checkKnoxSSO()
+// window.location.replace('login.jsp');
},
error : function(jqXHR, textStatus, err ) {
}
});
},
+ checkKnoxSSO : function(){
+ var url = 'service/plugins/checksso';
+ $.ajax({
+ url : url,
+ type : 'GET',
+ headers : {
+ "cache-control" : "no-cache"
+ },
+ success : function(resp) {
+ console.log(resp)
+ if(!_.isUndefined(resp) && resp){
+ window.location.replace('');
+ } else {
+ window.location.replace('login.jsp');
+ }
+ },
+ error : function(jqXHR, textStatus, err ) {
+ if( jqXHR.status == 419 ){
+ window.location.replace('login.jsp');
+ }
+ }
+
+ });
+ },
/**
* intialize a new ProfileBar ItemView
* @constructs