Posted to commits@ranger.apache.org by ma...@apache.org on 2015/05/18 06:53:01 UTC

[03/16] incubator-ranger git commit: RANGER-483: user credential will be stored in SHA256 hashed value instead of MD5

RANGER-483: user credentials will be stored as SHA-256 hashed values instead of MD5


Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/64582f02
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/64582f02
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/64582f02

Branch: refs/heads/tag-policy
Commit: 64582f029e4eedc38e636aac0144134b1146abd7
Parents: cdf6df9
Author: sneethiraj <sn...@apache.org>
Authored: Sun May 17 13:33:14 2015 -0400
Committer: sneethiraj <sn...@apache.org>
Committed: Sun May 17 13:33:14 2015 -0400

----------------------------------------------------------------------
 .../java/org/apache/ranger/biz/UserMgr.java     |  24 +++-
 .../handler/RangerAuthenticationProvider.java   | 110 ++++++++++++++++++-
 .../RangerAuthFailureHandler.java               |   5 +-
 .../conf.dist/security-applicationContext.xml   |   4 +-
 4 files changed, 135 insertions(+), 8 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/64582f02/security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java b/security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java
index 188682c..145c331 100644
--- a/security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java
+++ b/security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java
@@ -64,13 +64,14 @@ import org.springframework.security.authentication.encoding.Md5PasswordEncoder;
 import org.springframework.stereotype.Component;
 import org.springframework.transaction.annotation.Propagation;
 import org.springframework.transaction.annotation.Transactional;
+import org.springframework.security.authentication.encoding.ShaPasswordEncoder;
 
 @Component
 public class UserMgr {
 
 	static final Logger logger = Logger.getLogger(UserMgr.class);
 	private static final Md5PasswordEncoder md5Encoder = new Md5PasswordEncoder();
-
+	private static final ShaPasswordEncoder sha256Encoder = new ShaPasswordEncoder(256);
 	@Autowired
 	RangerDaoManager daoManager;
 
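Review bot: The new `sha256Encoder` field is a single-iteration, username-salted SHA-256, which is a fast general-purpose hash rather than a password-stretching function; it is a step up from MD5 but a leaked table is still cheap to attack offline, and the second hunk's `encrypt` now writes this shape into every row. If the Spring Security version in use provides it, `BCryptPasswordEncoder` from `org.springframework.security.crypto.password` is the intended replacement for these deprecated encoders; failing that, raise the encoder's iteration count (`MessageDigestPasswordEncoder.setIterations`, if I recall the base class correctly) before the migration path in `updatePasswordInSHA256` rewrites stored credentials. The `md5Encoder` field is kept although `encrypt` no longer uses it; if nothing else in the class references it, drop it with its import so MD5 cannot be reached from here by accident. The added `ShaPasswordEncoder` import sits after the `transaction` imports; group it with the `Md5PasswordEncoder` import at the top of the block.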
@@ -1108,7 +1109,7 @@ public class UserMgr {
 	}
 
 	public String encrypt(String loginId, String password) {
-		String saltEncodedpasswd = md5Encoder.encodePassword(password, loginId);
+		String saltEncodedpasswd = sha256Encoder.encodePassword(password, loginId);
 		return saltEncodedpasswd;
 	}
 
@@ -1248,4 +1249,23 @@ public class UserMgr {
 		}
 		return xXPortalUser;
 	}
+	@Transactional(readOnly = false, propagation = Propagation.REQUIRED)
+	public XXPortalUser updatePasswordInSHA256(String userName,String userPassword) {
+		if (userName == null || userPassword == null
+				|| userName.trim().isEmpty() || userPassword.trim().isEmpty()){
+				return null;
+		}
+
+		XXPortalUser xXPortalUser = this.findByLoginId(userName);
+
+		if (xXPortalUser == null) {
+			return null;
+		}
+
+		String encryptedNewPwd = encrypt(xXPortalUser.getLoginId(),userPassword);
+		xXPortalUser.setPassword(encryptedNewPwd);
+		xXPortalUser = daoManager.getXXPortalUser().update(xXPortalUser);
+
+		return xXPortalUser;
+	}
 }
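Review bot: `updatePasswordInSHA256` returns `null` both for blank arguments and for an unknown login, and its only caller in this commit (`authenticate` in `RangerAuthenticationProvider`) discards the return value, so a failed re-hash leaves the account on its MD5 hash indefinitely with nothing in the logs. Log the null paths at least at debug, e.g. `logger.debug("updatePasswordInSHA256: no portal user found for loginId=" + userName);`, never including the password. The method also has no Javadoc; a short comment stating that it re-hashes an already-verified password with the SHA-256 encoder as the MD5-to-SHA-256 migration step, and that callers must invoke it only after a successful authentication, would explain why a plaintext password reaches a biz-layer method and returns the updated `XXPortalUser` (or `null`). A blank line before the `@Transactional` annotation would match the spacing of the surrounding methods.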

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/64582f02/security-admin/src/main/java/org/apache/ranger/security/handler/RangerAuthenticationProvider.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/security/handler/RangerAuthenticationProvider.java b/security-admin/src/main/java/org/apache/ranger/security/handler/RangerAuthenticationProvider.java
index f74e5d9..a84736b 100644
--- a/security-admin/src/main/java/org/apache/ranger/security/handler/RangerAuthenticationProvider.java
+++ b/security-admin/src/main/java/org/apache/ranger/security/handler/RangerAuthenticationProvider.java
@@ -28,11 +28,14 @@ import java.util.HashMap;
 import javax.security.auth.login.AppConfigurationEntry;
 import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
 import javax.security.auth.login.Configuration;
+
 import org.apache.log4j.Logger;
 import org.apache.ranger.authentication.unix.jaas.RoleUserAuthorityGranter;
 import org.apache.ranger.common.PropertiesUtil;
 import org.springframework.ldap.core.support.LdapContextSource;
 import org.springframework.security.authentication.AuthenticationProvider;
+import org.springframework.security.authentication.AuthenticationServiceException;
+import org.springframework.security.authentication.BadCredentialsException;
 import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
 import org.springframework.security.authentication.jaas.DefaultJaasAuthenticationProvider;
 import org.springframework.security.authentication.jaas.memory.InMemoryConfiguration;
@@ -49,10 +52,25 @@ import org.springframework.security.ldap.authentication.LdapAuthenticator;
 import org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider;
 import org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator;
 import org.springframework.security.ldap.search.FilterBasedLdapUserSearch;
+import org.springframework.security.provisioning.JdbcUserDetailsManager;
+import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
+import org.springframework.security.authentication.dao.ReflectionSaltSource;
+import org.springframework.security.authentication.encoding.Md5PasswordEncoder;
+import org.springframework.security.authentication.encoding.ShaPasswordEncoder;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.beans.factory.annotation.Qualifier;
+import org.apache.ranger.biz.UserMgr;
 
 
 
 public class RangerAuthenticationProvider implements AuthenticationProvider {
+
+	@Autowired
+	@Qualifier("userService")
+	private JdbcUserDetailsManager userDetailsService;
+
+	@Autowired
+	UserMgr userMgr;
 	private static Logger logger = Logger.getLogger(RangerAuthenticationProvider.class);
 	private String rangerAuthenticationMethod;
 
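Review bot: The new `userMgr` field is package-private while `userDetailsService` beside it is `private`; make it `private UserMgr userMgr;` so nothing in the package can swap the migration helper under the provider. The two injected fields are also inserted above the existing `logger` and `rangerAuthenticationMethod` declarations, and the eight added imports are appended unsorted after the `ldap` group; placing the fields after the logger and sorting the imports into their existing `org.apache`/`org.springframework` groups keeps the file consistent.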
@@ -65,6 +83,9 @@ public class RangerAuthenticationProvider implements AuthenticationProvider {
 	@Override
 	public Authentication authenticate(Authentication authentication)
 			throws AuthenticationException {
+		if(rangerAuthenticationMethod==null){
+			rangerAuthenticationMethod="NONE";
+		}
 		if (authentication != null && rangerAuthenticationMethod!=null) {
 			if (rangerAuthenticationMethod.equalsIgnoreCase("LDAP")) {
 				authentication=getLdapAuthentication(authentication);
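Review bot: Defaulting `rangerAuthenticationMethod` to `"NONE"` inside `authenticate` makes the `rangerAuthenticationMethod!=null` test on the next line permanently true, and it mutates provider state on every login rather than once; set the default where the field is initialised or in its setter and simplify the condition to `if (authentication != null) {`. A one-line comment such as `// "NONE": no external provider, fall through to JDBC authentication below` would also document what the sentinel means, since nothing in this hunk compares against it. The rest of `authenticate` continues in the next hunk.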
@@ -89,11 +110,50 @@ public class RangerAuthenticationProvider implements AuthenticationProvider {
 				}
 			}
 			if (rangerAuthenticationMethod.equalsIgnoreCase("UNIX")) {
-				return getUnixAuthentication(authentication);
+				authentication= getUnixAuthentication(authentication);
+				if(authentication!=null && authentication.isAuthenticated()){
+					return authentication;
+				}
+			}
+			String encoder="SHA256";
+			try{
+				authentication=getJDBCAuthentication(authentication,encoder);
+			}catch (BadCredentialsException e) {
+			}catch (AuthenticationServiceException e) {
+			}catch (AuthenticationException e) {
+			}catch (Exception e) {
+			}
+			if(authentication!=null && authentication.isAuthenticated()){
+				return authentication;
+			}
+			if(authentication!=null && !authentication.isAuthenticated()){
+				encoder="MD5";
+				String userName = authentication.getName();
+				String userPassword = null;
+				if (authentication.getCredentials() != null) {
+					userPassword = authentication.getCredentials().toString();
+				}
+				try{
+					authentication=getJDBCAuthentication(authentication,encoder);
+				}catch (BadCredentialsException e) {
+					throw e;
+				}catch (AuthenticationServiceException e) {
+					throw e;
+				}catch (AuthenticationException e) {
+					throw e;
+				}catch (Exception e) {
+					throw e;
+				}
+				if(authentication!=null && authentication.isAuthenticated()){
+					userMgr.updatePasswordInSHA256(userName,userPassword);
+					return authentication;
+				}else{
+					return authentication;
+				}
 			}
-			return null;
+			return authentication;
 		}
-		return null;
+		return authentication;
 	}
 
 	private Authentication getLdapAuthentication(Authentication authentication) {
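Review bot: Replacing `return null` with `return authentication` at the two tail returns, and the `else { return authentication; }` after the MD5 attempt, can hand an unauthenticated token back to Spring's `ProviderManager`, which as far as I recall treats any non-null result as a successful authentication; the path is reachable because `getJDBCAuthentication` returns the caller's token unchanged when the username or password is blank instead of throwing, and with the XML provider now commented out this is the only provider deciding the outcome. Keep the `AuthenticationProvider` contract at both tail returns with `return (authentication != null && authentication.isAuthenticated()) ? authentication : null;` and delete the `else` branch so the same line covers it. The SHA-256 attempt's `catch (Exception e) {}` chain discards every failure, including `AuthenticationServiceException` from an unreachable database, after which the MD5 attempt runs for every wrong password as well as for every un-migrated account, doubling the DB round-trips and keeping MD5 verification live with no way to retire it; log the swallowed exception at debug and consider restricting the fallback to accounts whose stored credential is still in MD5 form. The `catch ... { throw e; }` blocks around the second attempt are no-ops and can be removed. The enclosing `authenticate` method begins in the previous hunk.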
@@ -410,4 +470,48 @@ public class RangerAuthenticationProvider implements AuthenticationProvider {
 		}
 		return authentication;
 	}
+
+	private Authentication getJDBCAuthentication(Authentication authentication,String encoder) throws AuthenticationException{
+		try {
+
+			ReflectionSaltSource saltSource = new ReflectionSaltSource();
+			saltSource.setUserPropertyToUse("username");
+
+			DaoAuthenticationProvider authenticator = new DaoAuthenticationProvider();
+			authenticator.setUserDetailsService(userDetailsService);
+			if(encoder!=null && "SHA256".equalsIgnoreCase(encoder)){
+				authenticator.setPasswordEncoder( new ShaPasswordEncoder(256));
+			}else if(encoder!=null && "MD5".equalsIgnoreCase(encoder)){
+				authenticator.setPasswordEncoder( new Md5PasswordEncoder());
+			}
+
+			authenticator.setSaltSource(saltSource);
+
+			String userName = authentication.getName();
+			String userPassword = "";
+			if (authentication.getCredentials() != null) {
+				userPassword = authentication.getCredentials().toString();
+			}
+			String rangerLdapDefaultRole = PropertiesUtil.getProperty("ranger.ldap.default.role", "ROLE_USER");
+			if (userName != null && userPassword != null && !userName.trim().isEmpty()&& !userPassword.trim().isEmpty()) {
+				final List<GrantedAuthority> grantedAuths = new ArrayList<>();
+				grantedAuths.add(new SimpleGrantedAuthority(rangerLdapDefaultRole));
+				grantedAuths.add(new SimpleGrantedAuthority("ROLE_SYS_ADMIN"));
+				grantedAuths.add(new SimpleGrantedAuthority("ROLE_KEY_ADMIN"));
+				final UserDetails principal = new User(userName, userPassword,grantedAuths);
+				final Authentication finalAuthentication = new UsernamePasswordAuthenticationToken(principal, userPassword, grantedAuths);
+				authentication= authenticator.authenticate(finalAuthentication);
+				return authentication;
+			}
+		} catch (BadCredentialsException e) {
+			throw e;
+		}catch (AuthenticationServiceException e) {
+			throw e;
+		}catch (AuthenticationException e) {
+			throw e;
+		}catch (Exception e) {
+			throw e;
+		}
+		return authentication;
+	}
 }
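Review bot: When `encoder` matches neither `"SHA256"` nor `"MD5"`, `authenticator` keeps `DaoAuthenticationProvider`'s default encoder, which in this generation of Spring Security is a plaintext comparison as far as I know; no caller in this commit passes another value, but the silent fall-through should be `} else { throw new IllegalArgumentException("unsupported password encoder: " + encoder); }`. The `ROLE_SYS_ADMIN` and `ROLE_KEY_ADMIN` authorities added to the token handed to `authenticator` appear inert, since `DaoAuthenticationProvider` builds its result from the `UserDetails` it loads rather than from the input token, but they read as an admin grant and would become one if this token were ever returned directly; build the token with the two-argument `UsernamePasswordAuthenticationToken(userName, userPassword)` and drop the `grantedAuths` list. A blank username or password returns the caller's token unauthenticated instead of throwing `BadCredentialsException`, which is what lets an unauthenticated token escape from `authenticate`. The `ReflectionSaltSource`, `DaoAuthenticationProvider` and encoder are rebuilt on every login; two providers configured once as fields (one per encoder) would avoid that. The catch blocks that only rethrow are no-ops.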

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/64582f02/security-admin/src/main/java/org/apache/ranger/security/web/authentication/RangerAuthFailureHandler.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/security/web/authentication/RangerAuthFailureHandler.java b/security-admin/src/main/java/org/apache/ranger/security/web/authentication/RangerAuthFailureHandler.java
index b302888..94ce93a 100644
--- a/security-admin/src/main/java/org/apache/ranger/security/web/authentication/RangerAuthFailureHandler.java
+++ b/security-admin/src/main/java/org/apache/ranger/security/web/authentication/RangerAuthFailureHandler.java
@@ -84,7 +84,10 @@ ExceptionMappingAuthenticationFailureHandler {
 				if(msg.equalsIgnoreCase("Bad credentials")){
 					vXResponse.setStatusCode(HttpServletResponse.SC_UNAUTHORIZED);
 					vXResponse.setMsgDesc("The username or password you entered is incorrect..");
-				}else{
+				}else if(msg.contains("Could not get JDBC Connection; nested exception is java.sql.SQLException: Connections could not be acquired from the underlying database!")){
+					vXResponse.setStatusCode(HttpServletResponse.SC_UNAUTHORIZED);
+					vXResponse.setMsgDesc("Unable to connect to DB..");
+				}else if(msg.contains("Communications link failure")){
 					vXResponse.setStatusCode(HttpServletResponse.SC_UNAUTHORIZED);
 					vXResponse.setMsgDesc("Unable to connect to DB..");
 				}
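Review bot: Replacing the unconditional `else` with two `else if` branches keyed on exception-message text leaves every other failure — a locked or disabled account, a `ProviderNotFoundException`, or simply different DB wording — with neither the status code nor the description set on `vXResponse`, as far as this hunk shows, whereas before any non-"Bad credentials" message got the DB response. Add a final `else` that sets `HttpServletResponse.SC_UNAUTHORIZED` and a generic description such as "Authentication failed.." so the client never receives an unpopulated response. Matching on the nested `SQLException` text and on "Communications link failure" is tied to one driver's and pool's wording and will break silently on an upgrade; matching on the exception type (`AuthenticationServiceException`) or walking its cause chain would be stable. The enclosing method starts and ends outside this hunk.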

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/64582f02/security-admin/src/main/resources/conf.dist/security-applicationContext.xml
----------------------------------------------------------------------
diff --git a/security-admin/src/main/resources/conf.dist/security-applicationContext.xml b/security-admin/src/main/resources/conf.dist/security-applicationContext.xml
index f58b7ba..a648809 100644
--- a/security-admin/src/main/resources/conf.dist/security-applicationContext.xml
+++ b/security-admin/src/main/resources/conf.dist/security-applicationContext.xml
@@ -147,11 +147,11 @@ http://www.springframework.org/schema/security/spring-security-oauth2-1.0.xsd">
 		<!-- LDAP_SEC_SETTINGS_END -->
 		<!-- UNIX_SEC_SETTINGS_START -->
 		<!-- UNIX_SEC_SETTINGS_END -->
-		<security:authentication-provider user-service-ref="userService">
+		<!-- <security:authentication-provider user-service-ref="userService">
 			<security:password-encoder hash="md5">
 				<security:salt-source user-property="username"/>
 			</security:password-encoder>
-		</security:authentication-provider>
+		</security:authentication-provider> -->
 		<!--   security:authentication-provider ref="rememberMeAuthenticationProvider"/ -->
 	</security:authentication-manager>
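Review bot: Commenting out the `userService` provider instead of deleting it leaves a dead block whose `hash="md5"` encoder can be restored by uncommenting, which would reinstate an MD5-only login path beside the SHA-256/MD5 fallback now in `RangerAuthenticationProvider`; remove the block and replace it with a one-line comment such as `<!-- JDBC authentication (SHA-256, MD5 fallback for migration) is handled by RangerAuthenticationProvider -->`. With this provider gone `RangerAuthenticationProvider` is the only provider left in the manager, so whatever its `authenticate` returns non-null decides the login outcome on its own.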