Posted to commits@ranger.apache.org by ma...@apache.org on 2015/05/18 06:53:01 UTC
[03/16] incubator-ranger git commit: RANGER-483: user credential will be stored in SHA256 hashed value instead of MD5
RANGER-483: user credential will be stored in SHA256 hashed value instead of MD5
Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/64582f02
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/64582f02
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/64582f02
Branch: refs/heads/tag-policy
Commit: 64582f029e4eedc38e636aac0144134b1146abd7
Parents: cdf6df9
Author: sneethiraj <sn...@apache.org>
Authored: Sun May 17 13:33:14 2015 -0400
Committer: sneethiraj <sn...@apache.org>
Committed: Sun May 17 13:33:14 2015 -0400
----------------------------------------------------------------------
.../java/org/apache/ranger/biz/UserMgr.java | 24 +++-
.../handler/RangerAuthenticationProvider.java | 110 ++++++++++++++++++-
.../RangerAuthFailureHandler.java | 5 +-
.../conf.dist/security-applicationContext.xml | 4 +-
4 files changed, 135 insertions(+), 8 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/64582f02/security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java b/security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java
index 188682c..145c331 100644
--- a/security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java
+++ b/security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java
@@ -64,13 +64,14 @@ import org.springframework.security.authentication.encoding.Md5PasswordEncoder;
import org.springframework.stereotype.Component;
import org.springframework.transaction.annotation.Propagation;
import org.springframework.transaction.annotation.Transactional;
+import org.springframework.security.authentication.encoding.ShaPasswordEncoder;
@Component
public class UserMgr {
static final Logger logger = Logger.getLogger(UserMgr.class);
private static final Md5PasswordEncoder md5Encoder = new Md5PasswordEncoder();
-
+ private static final ShaPasswordEncoder sha256Encoder = new ShaPasswordEncoder(256);
@Autowired
RangerDaoManager daoManager;
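Review bot: The new `import org.springframework.security.authentication.encoding.ShaPasswordEncoder;` is placed after the stereotype/transaction imports instead of next to its sibling `Md5PasswordEncoder` import visible in the hunk header; keep the `org.springframework.security` imports grouped. The `md5Encoder` field is retained although `encrypt` (next hunk) now only uses `sha256Encoder`; if no other method in the file still references it (not visible here), remove it so the MD5 path cannot be reintroduced by accident. The class body continues outside the hunk.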
@@ -1108,7 +1109,7 @@ public class UserMgr {
}
public String encrypt(String loginId, String password) {
- String saltEncodedpasswd = md5Encoder.encodePassword(password, loginId);
+ String saltEncodedpasswd = sha256Encoder.encodePassword(password, loginId);
return saltEncodedpasswd;
}
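Review bot: `encrypt` now returns a different value for the same input than before this commit and nothing on the method says so, even though every stored credential written before this change is an MD5 digest and only verifies through the MD5 fallback added in RangerAuthenticationProvider. Add Javadoc such as `/** Returns the SHA-256 digest of {@code password} salted with {@code loginId} (ShaPasswordEncoder(256)); credentials stored before RANGER-483 are MD5 and are only accepted via the MD5 fallback in RangerAuthenticationProvider, which re-hashes them on first successful login. */`. The name `encrypt` is a misnomer for a one-way hash, but it is part of the public interface, so document rather than rename.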
@@ -1248,4 +1249,23 @@ public class UserMgr {
}
return xXPortalUser;
}
+ @Transactional(readOnly = false, propagation = Propagation.REQUIRED)
+ public XXPortalUser updatePasswordInSHA256(String userName,String userPassword) {
+ if (userName == null || userPassword == null
+ || userName.trim().isEmpty() || userPassword.trim().isEmpty()){
+ return null;
+ }
+
+ XXPortalUser xXPortalUser = this.findByLoginId(userName);
+
+ if (xXPortalUser == null) {
+ return null;
+ }
+
+ String encryptedNewPwd = encrypt(xXPortalUser.getLoginId(),userPassword);
+ xXPortalUser.setPassword(encryptedNewPwd);
+ xXPortalUser = daoManager.getXXPortalUser().update(xXPortalUser);
+
+ return xXPortalUser;
+ }
}
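Review bot: `updatePasswordInSHA256` accepts a plaintext password and overwrites the stored hash without any verification of its own, so its only safety is the caller's contract; document that on the method, e.g. `/** Re-hashes {@code userPassword} with SHA-256 and stores it for {@code userName}; must only be called with a password that has just been verified against the legacy MD5 hash. Returns null for blank input or an unknown login id. */`. `@Transactional(readOnly = false, propagation = Propagation.REQUIRED)` spells out the defaults and can be `@Transactional`. The guard trims `userName` but `findByLoginId(userName)` receives the untrimmed value, so a name with surrounding whitespace passes the guard and then returns null; either trim once up front or drop the trim from the guard. Note that `ShaPasswordEncoder(256)` with the login id as salt is a single fast digest with a predictable salt rather than a password KDF; if the Spring Security version in use offers `BCryptPasswordEncoder`, that is the natural follow-up.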
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/64582f02/security-admin/src/main/java/org/apache/ranger/security/handler/RangerAuthenticationProvider.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/security/handler/RangerAuthenticationProvider.java b/security-admin/src/main/java/org/apache/ranger/security/handler/RangerAuthenticationProvider.java
index f74e5d9..a84736b 100644
--- a/security-admin/src/main/java/org/apache/ranger/security/handler/RangerAuthenticationProvider.java
+++ b/security-admin/src/main/java/org/apache/ranger/security/handler/RangerAuthenticationProvider.java
@@ -28,11 +28,14 @@ import java.util.HashMap;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;
+
import org.apache.log4j.Logger;
import org.apache.ranger.authentication.unix.jaas.RoleUserAuthorityGranter;
import org.apache.ranger.common.PropertiesUtil;
import org.springframework.ldap.core.support.LdapContextSource;
import org.springframework.security.authentication.AuthenticationProvider;
+import org.springframework.security.authentication.AuthenticationServiceException;
+import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.authentication.jaas.DefaultJaasAuthenticationProvider;
import org.springframework.security.authentication.jaas.memory.InMemoryConfiguration;
@@ -49,10 +52,25 @@ import org.springframework.security.ldap.authentication.LdapAuthenticator;
import org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider;
import org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator;
import org.springframework.security.ldap.search.FilterBasedLdapUserSearch;
+import org.springframework.security.provisioning.JdbcUserDetailsManager;
+import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
+import org.springframework.security.authentication.dao.ReflectionSaltSource;
+import org.springframework.security.authentication.encoding.Md5PasswordEncoder;
+import org.springframework.security.authentication.encoding.ShaPasswordEncoder;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.beans.factory.annotation.Qualifier;
+import org.apache.ranger.biz.UserMgr;
public class RangerAuthenticationProvider implements AuthenticationProvider {
+
+ @Autowired
+ @Qualifier("userService")
+ private JdbcUserDetailsManager userDetailsService;
+
+ @Autowired
+ UserMgr userMgr;
private static Logger logger = Logger.getLogger(RangerAuthenticationProvider.class);
private String rangerAuthenticationMethod;
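Review bot: `UserMgr userMgr` is package-private while the sibling `userDetailsService` field added just above it is `private`; declare it `private UserMgr userMgr;` so the injected collaborator is not exposed to the package. The new imports in this hunk are also ungrouped (`org.springframework.beans...` and `org.apache.ranger.biz.UserMgr` follow the `org.springframework.security` block). The class body continues outside the hunk.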
@@ -65,6 +83,9 @@ public class RangerAuthenticationProvider implements AuthenticationProvider {
@Override
public Authentication authenticate(Authentication authentication)
throws AuthenticationException {
+ if(rangerAuthenticationMethod==null){
+ rangerAuthenticationMethod="NONE";
+ }
if (authentication != null && rangerAuthenticationMethod!=null) {
if (rangerAuthenticationMethod.equalsIgnoreCase("LDAP")) {
authentication=getLdapAuthentication(authentication);
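Review bot: Defaulting `rangerAuthenticationMethod` to "NONE" at the top of the hunk makes the `rangerAuthenticationMethod!=null` test on the following line always true; simplify it to `if (authentication != null) {`. The body of `authenticate` continues past the hunk.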
@@ -89,11 +110,50 @@ public class RangerAuthenticationProvider implements AuthenticationProvider {
}
}
if (rangerAuthenticationMethod.equalsIgnoreCase("UNIX")) {
- return getUnixAuthentication(authentication);
+ authentication= getUnixAuthentication(authentication);
+ if(authentication!=null && authentication.isAuthenticated()){
+ return authentication;
+ }
+ }
+ String encoder="SHA256";
+ try{
+ authentication=getJDBCAuthentication(authentication,encoder);
+ }catch (BadCredentialsException e) {
+ }catch (AuthenticationServiceException e) {
+ }catch (AuthenticationException e) {
+ }catch (Exception e) {
+ }
+ if(authentication!=null && authentication.isAuthenticated()){
+ return authentication;
+ }
+ if(authentication!=null && !authentication.isAuthenticated()){
+ encoder="MD5";
+ String userName = authentication.getName();
+ String userPassword = null;
+ if (authentication.getCredentials() != null) {
+ userPassword = authentication.getCredentials().toString();
+ }
+ try{
+ authentication=getJDBCAuthentication(authentication,encoder);
+ }catch (BadCredentialsException e) {
+ throw e;
+ }catch (AuthenticationServiceException e) {
+ throw e;
+ }catch (AuthenticationException e) {
+ throw e;
+ }catch (Exception e) {
+ throw e;
+ }
+ if(authentication!=null && authentication.isAuthenticated()){
+ userMgr.updatePasswordInSHA256(userName,userPassword);
+ return authentication;
+ }else{
+ return authentication;
+ }
}
- return null;
+ return authentication;
}
- return null;
+ return authentication;
}
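Review bot: The two `return authentication;` lines that replace `return null;` (and the `else` branch above them) can hand back a non-null token that is not authenticated, e.g. when the username or password is blank and `getJDBCAuthentication` returns its input unchanged; as far as I recall, Spring's ProviderManager treats any non-null result as a success and publishes it, so this changes the provider's contract and should be guarded, e.g. `if (authentication != null && !authentication.isAuthenticated()) { throw new BadCredentialsException("Bad credentials"); }` before each return (or keep returning null for the undecided case). The four empty catch blocks on the SHA-256 attempt swallow everything including `AuthenticationServiceException`, so a DB outage costs a second round trip before surfacing and the SHA-256 failure reason is lost; log it at debug level at minimum. The `catch (X e) { throw e; }` chain on the MD5 attempt is a no-op and can be removed, as can the `if/else` whose two branches both return `authentication`. `authenticate` starts outside the hunk.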
private Authentication getLdapAuthentication(Authentication authentication) {
@@ -410,4 +470,48 @@ public class RangerAuthenticationProvider implements AuthenticationProvider {
}
return authentication;
}
+
+ private Authentication getJDBCAuthentication(Authentication authentication,String encoder) throws AuthenticationException{
+ try {
+
+ ReflectionSaltSource saltSource = new ReflectionSaltSource();
+ saltSource.setUserPropertyToUse("username");
+
+ DaoAuthenticationProvider authenticator = new DaoAuthenticationProvider();
+ authenticator.setUserDetailsService(userDetailsService);
+ if(encoder!=null && "SHA256".equalsIgnoreCase(encoder)){
+ authenticator.setPasswordEncoder( new ShaPasswordEncoder(256));
+ }else if(encoder!=null && "MD5".equalsIgnoreCase(encoder)){
+ authenticator.setPasswordEncoder( new Md5PasswordEncoder());
+ }
+
+ authenticator.setSaltSource(saltSource);
+
+ String userName = authentication.getName();
+ String userPassword = "";
+ if (authentication.getCredentials() != null) {
+ userPassword = authentication.getCredentials().toString();
+ }
+ String rangerLdapDefaultRole = PropertiesUtil.getProperty("ranger.ldap.default.role", "ROLE_USER");
+ if (userName != null && userPassword != null && !userName.trim().isEmpty()&& !userPassword.trim().isEmpty()) {
+ final List<GrantedAuthority> grantedAuths = new ArrayList<>();
+ grantedAuths.add(new SimpleGrantedAuthority(rangerLdapDefaultRole));
+ grantedAuths.add(new SimpleGrantedAuthority("ROLE_SYS_ADMIN"));
+ grantedAuths.add(new SimpleGrantedAuthority("ROLE_KEY_ADMIN"));
+ final UserDetails principal = new User(userName, userPassword,grantedAuths);
+ final Authentication finalAuthentication = new UsernamePasswordAuthenticationToken(principal, userPassword, grantedAuths);
+ authentication= authenticator.authenticate(finalAuthentication);
+ return authentication;
+ }
+ } catch (BadCredentialsException e) {
+ throw e;
+ }catch (AuthenticationServiceException e) {
+ throw e;
+ }catch (AuthenticationException e) {
+ throw e;
+ }catch (Exception e) {
+ throw e;
+ }
+ return authentication;
+ }
}
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/64582f02/security-admin/src/main/java/org/apache/ranger/security/web/authentication/RangerAuthFailureHandler.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/security/web/authentication/RangerAuthFailureHandler.java b/security-admin/src/main/java/org/apache/ranger/security/web/authentication/RangerAuthFailureHandler.java
index b302888..94ce93a 100644
--- a/security-admin/src/main/java/org/apache/ranger/security/web/authentication/RangerAuthFailureHandler.java
+++ b/security-admin/src/main/java/org/apache/ranger/security/web/authentication/RangerAuthFailureHandler.java
@@ -84,7 +84,10 @@ ExceptionMappingAuthenticationFailureHandler {
if(msg.equalsIgnoreCase("Bad credentials")){
vXResponse.setStatusCode(HttpServletResponse.SC_UNAUTHORIZED);
vXResponse.setMsgDesc("The username or password you entered is incorrect..");
- }else{
+ }else if(msg.contains("Could not get JDBC Connection; nested exception is java.sql.SQLException: Connections could not be acquired from the underlying database!")){
+ vXResponse.setStatusCode(HttpServletResponse.SC_UNAUTHORIZED);
+ vXResponse.setMsgDesc("Unable to connect to DB..");
+ }else if(msg.contains("Communications link failure")){
vXResponse.setStatusCode(HttpServletResponse.SC_UNAUTHORIZED);
vXResponse.setMsgDesc("Unable to connect to DB..");
}
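Review bot: Matching the full pool/driver message "Could not get JDBC Connection; nested exception is java.sql.SQLException: Connections could not be acquired from the underlying database!" is brittle, and both new branches set the same status and description, so merge them on a shorter stable prefix: `}else if(msg.contains("Could not get JDBC Connection") || msg.contains("Communications link failure")){`. The removed plain `else` was the catch-all, so any other failure message now leaves `vXResponse` without a status code or description in this block; what happens after the block is outside the hunk, but a final `else` restoring the previous generic handling seems needed. Reporting a DB outage as `SC_UNAUTHORIZED` also tells the client its credentials were rejected when the server could not check them; `SC_SERVICE_UNAVAILABLE` would describe the situation.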
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/64582f02/security-admin/src/main/resources/conf.dist/security-applicationContext.xml
----------------------------------------------------------------------
diff --git a/security-admin/src/main/resources/conf.dist/security-applicationContext.xml b/security-admin/src/main/resources/conf.dist/security-applicationContext.xml
index f58b7ba..a648809 100644
--- a/security-admin/src/main/resources/conf.dist/security-applicationContext.xml
+++ b/security-admin/src/main/resources/conf.dist/security-applicationContext.xml
@@ -147,11 +147,11 @@ http://www.springframework.org/schema/security/spring-security-oauth2-1.0.xsd">
<!-- LDAP_SEC_SETTINGS_END -->
<!-- UNIX_SEC_SETTINGS_START -->
<!-- UNIX_SEC_SETTINGS_END -->
- <security:authentication-provider user-service-ref="userService">
+ <!-- <security:authentication-provider user-service-ref="userService">
<security:password-encoder hash="md5">
<security:salt-source user-property="username"/>
</security:password-encoder>
- </security:authentication-provider>
+ </security:authentication-provider> -->
<!-- security:authentication-provider ref="rememberMeAuthenticationProvider"/ -->
</security:authentication-manager>
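Review bot: Commenting out the `userService` authentication-provider leaves dead configuration in the distributed file; delete the block rather than wrapping it in `<!-- -->`, since the MD5 encoder it declares is exactly what RANGER-483 retires. The `userService` bean itself must remain defined, because RangerAuthenticationProvider now injects it through `@Qualifier("userService")`; a short `<!-- JDBC authentication is handled by RangerAuthenticationProvider (SHA-256, MD5 fallback) -->` comment here would explain why no provider references it any more.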