tool
/
atlas
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

ATLAS-3488 :- Update Simple Authentication(file-based) password with ShaPasswordEncoder with Salt.

This commit is contained in:
nixonrodrigues 2019-10-23 19:06:30 +05:30
parent 7aca24fb75
commit 25044cee5d
14 changed files with 106 additions and 29 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
addons/falcon-bridge/src/test/resources/users-credentials.properties
View File

@ -1,3 +1,3 @@
#username=group::sha256-password
admin=ADMIN::8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918
rangertagsync=RANGER_TAG_SYNC::e3f67240f5117d1753c940dae9eea772d36ed5fe9bd9c94a300e40413f1afb9d
#username=group::sha256+salt-password
admin=ADMIN::a4a88c0872bf652bb9ed803ece5fd6e82354838a9bf59ab4babb1dab322154e1
rangertagsync=RANGER_TAG_SYNC::0afe7a1968b07d4c3ff4ed8c2d809a32ffea706c66cd795ead9048e81cfaf034

4
addons/hbase-bridge/src/test/resources/users-credentials.properties
View File

@ -1,3 +1,3 @@
#username=group::sha256-password
admin=ADMIN::8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918
rangertagsync=RANGER_TAG_SYNC::e3f67240f5117d1753c940dae9eea772d36ed5fe9bd9c94a300e40413f1afb9d
admin=ADMIN::a4a88c0872bf652bb9ed803ece5fd6e82354838a9bf59ab4babb1dab322154e1
rangertagsync=RANGER_TAG_SYNC::0afe7a1968b07d4c3ff4ed8c2d809a32ffea706c66cd795ead9048e81cfaf034

4
addons/hive-bridge/src/test/resources/users-credentials.properties
View File

@ -1,3 +1,3 @@
#username=group::sha256-password
admin=ADMIN::8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918
rangertagsync=RANGER_TAG_SYNC::e3f67240f5117d1753c940dae9eea772d36ed5fe9bd9c94a300e40413f1afb9d
admin=ADMIN::a4a88c0872bf652bb9ed803ece5fd6e82354838a9bf59ab4babb1dab322154e1
rangertagsync=RANGER_TAG_SYNC::0afe7a1968b07d4c3ff4ed8c2d809a32ffea706c66cd795ead9048e81cfaf034

4
addons/impala-bridge/src/test/resources/users-credentials.properties
View File

@ -1,3 +1,3 @@
#username=group::sha256-password
admin=ADMIN::8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918
rangertagsync=RANGER_TAG_SYNC::e3f67240f5117d1753c940dae9eea772d36ed5fe9bd9c94a300e40413f1afb9d
admin=ADMIN::a4a88c0872bf652bb9ed803ece5fd6e82354838a9bf59ab4babb1dab322154e1
rangertagsync=RANGER_TAG_SYNC::0afe7a1968b07d4c3ff4ed8c2d809a32ffea706c66cd795ead9048e81cfaf034

4
addons/kafka-bridge/src/test/resources/users-credentials.properties
View File

@ -1,3 +1,3 @@
#username=group::sha256-password
admin=ADMIN::8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918
rangertagsync=RANGER_TAG_SYNC::e3f67240f5117d1753c940dae9eea772d36ed5fe9bd9c94a300e40413f1afb9d
admin=ADMIN::a4a88c0872bf652bb9ed803ece5fd6e82354838a9bf59ab4babb1dab322154e1
rangertagsync=RANGER_TAG_SYNC::0afe7a1968b07d4c3ff4ed8c2d809a32ffea706c66cd795ead9048e81cfaf034

4
addons/sqoop-bridge/src/test/resources/users-credentials.properties
View File

@ -1,3 +1,3 @@
#username=group::sha256-password
admin=ADMIN::8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918
rangertagsync=RANGER_TAG_SYNC::e3f67240f5117d1753c940dae9eea772d36ed5fe9bd9c94a300e40413f1afb9d
admin=ADMIN::a4a88c0872bf652bb9ed803ece5fd6e82354838a9bf59ab4babb1dab322154e1
rangertagsync=RANGER_TAG_SYNC::0afe7a1968b07d4c3ff4ed8c2d809a32ffea706c66cd795ead9048e81cfaf034

4
addons/storm-bridge/src/test/resources/users-credentials.properties
View File

@ -1,3 +1,3 @@
#username=group::sha256-password
admin=ADMIN::8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918
rangertagsync=RANGER_TAG_SYNC::e3f67240f5117d1753c940dae9eea772d36ed5fe9bd9c94a300e40413f1afb9d
admin=ADMIN::a4a88c0872bf652bb9ed803ece5fd6e82354838a9bf59ab4babb1dab322154e1
rangertagsync=RANGER_TAG_SYNC::0afe7a1968b07d4c3ff4ed8c2d809a32ffea706c66cd795ead9048e81cfaf034

4
distro/src/conf/users-credentials.properties
View File

@ -1,3 +1,3 @@
#username=group::sha256-password
admin=ADMIN::8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918
rangertagsync=RANGER_TAG_SYNC::e3f67240f5117d1753c940dae9eea772d36ed5fe9bd9c94a300e40413f1afb9d
admin=ADMIN::a4a88c0872bf652bb9ed803ece5fd6e82354838a9bf59ab4babb1dab322154e1
rangertagsync=RANGER_TAG_SYNC::0afe7a1968b07d4c3ff4ed8c2d809a32ffea706c66cd795ead9048e81cfaf034

4
intg/src/test/resources/users-credentials.properties
View File

@ -1,3 +1,3 @@
#username=group::sha256-password
admin=ADMIN::8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918
rangertagsync=RANGER_TAG_SYNC::e3f67240f5117d1753c940dae9eea772d36ed5fe9bd9c94a300e40413f1afb9d
admin=ADMIN::a4a88c0872bf652bb9ed803ece5fd6e82354838a9bf59ab4babb1dab322154e1
rangertagsync=RANGER_TAG_SYNC::0afe7a1968b07d4c3ff4ed8c2d809a32ffea706c66cd795ead9048e81cfaf034

40
webapp/src/main/java/org/apache/atlas/util/CredentialProviderUtility.java
View File

@ -16,6 +16,10 @@
*/
package org.apache.atlas.util;
import org.apache.atlas.web.dao.UserDao;
import org.apache.commons.cli.BasicParser;
import org.apache.commons.cli.CommandLine;
import org.apache.commons.cli.Options;
import org.apache.commons.lang.StringUtils;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.security.alias.CredentialProvider;
@ -71,6 +75,36 @@ public class CredentialProviderUtility {
public static TextDevice textDevice = DEFAULT_TEXT_DEVICE;
public static void main(String[] args) throws IOException {
Options options = new Options();
try {
createOptions(options);
CommandLine cmd = new BasicParser().parse(options, args);
boolean generatePasswordOption = cmd.hasOption("g");
if (generatePasswordOption) {
String userName = cmd.getOptionValue("u");
String password = cmd.getOptionValue("p");
if (userName != null && password != null) {
String encryptedPassword = UserDao.encrypt(password, userName);
textDevice.printf("Your encrypted password is : " + encryptedPassword, null);
textDevice.printf("\n", null);
} else {
textDevice.printf("Please provide username and password as input. Usage:" +
" cputil.py -g -u <username> -p <password>", null);
}
return;
}
} catch (Exception e) {
System.out.println("Exception while generatePassword " + e.getMessage());
return;
}
// prompt for the provider name
CredentialProvider provider = getCredentialProvider(textDevice);
@ -100,6 +134,12 @@ public class CredentialProviderUtility {
}
}
private static void createOptions(Options options) {
options.addOption("g", "generatePassword", false, "Generate Password");
options.addOption("u", "username", true, "UserName");
options.addOption("p", "password", true, "Password");
}
/**
* Retrieves a password from the command line.
* @param textDevice the system console.

8
webapp/src/main/java/org/apache/atlas/web/dao/UserDao.java
View File

@ -28,6 +28,7 @@ import javax.annotation.PostConstruct;
import org.apache.atlas.web.security.AtlasAuthenticationException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.authentication.encoding.ShaPasswordEncoder;
import org.springframework.stereotype.Repository;
import org.apache.atlas.ApplicationProperties;
import org.apache.atlas.AtlasException;
@ -50,6 +51,8 @@ public class UserDao {
private Properties userLogins;
private static final ShaPasswordEncoder sha256Encoder = new ShaPasswordEncoder(256);
@PostConstruct
public void init() {
loadFileLoginsDetails();
@ -106,14 +109,12 @@ public class UserDao {
return userDetails;
}
@VisibleForTesting
public void setUserLogins(Properties userLogins) {
this.userLogins = userLogins;
}
public static String getSha256Hash(String base) throws AtlasAuthenticationException {
try {
MessageDigest digest = MessageDigest.getInstance("SHA-256");
@ -132,4 +133,7 @@ public class UserDao {
}
}
public static String encrypt(String password, String salt) {
return sha256Encoder.encodePassword(password, salt);
}
}

26
webapp/src/main/java/org/apache/atlas/web/security/AtlasFileAuthenticationProvider.java
View File

@ -16,7 +16,9 @@
*/
package org.apache.atlas.web.security;
import org.apache.atlas.ApplicationProperties;
import org.apache.atlas.web.dao.UserDao;
import org.apache.commons.configuration.Configuration;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.authentication.BadCredentialsException;
@ -28,6 +30,7 @@ import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.stereotype.Component;
import javax.annotation.PostConstruct;
import javax.inject.Inject;
import java.util.Collection;
@ -38,12 +41,23 @@ public class AtlasFileAuthenticationProvider extends AtlasAbstractAuthentication
private static Logger logger = LoggerFactory.getLogger(AtlasFileAuthenticationProvider.class);
private final UserDetailsService userDetailsService;
private boolean v1ValidationEnabled = true;
@Inject
public AtlasFileAuthenticationProvider(UserDetailsService userDetailsService) {
this.userDetailsService = userDetailsService;
}
@PostConstruct
public void setup() {
try {
Configuration configuration = ApplicationProperties.get();
v1ValidationEnabled = configuration.getBoolean("atlas.authentication.method.file.v1-validation.enabled", true);
} catch (Exception e) {
logger.error("Exception while setup", e);
}
}
@Override
public Authentication authenticate(Authentication authentication) throws AuthenticationException {
String username = authentication.getName();
@ -61,9 +75,15 @@ public class AtlasFileAuthenticationProvider extends AtlasAbstractAuthentication
}
UserDetails user = userDetailsService.loadUserByUsername(username);
String encodedPassword = UserDao.getSha256Hash(password);
String encodedPassword = UserDao.encrypt(password, username);
boolean isValidPassword = encodedPassword.equals(user.getPassword());
if (!isValidPassword && v1ValidationEnabled) {
encodedPassword = UserDao.getSha256Hash(password);
}
if (!encodedPassword.equals(user.getPassword())) {
logger.error("Wrong password " + username);
throw new BadCredentialsException("Wrong password");

19
webapp/src/test/java/org/apache/atlas/web/security/FileAuthenticationTest.java
View File

@ -88,15 +88,16 @@ public class FileAuthenticationTest {
TestUtils.writeConfiguration(configuration, persistDir + File.separator
+ ApplicationProperties.APPLICATION_PROPERTIES);
}
private void setupUserCredential(String tmpDir) throws Exception {
StringBuilder credentialFileStr = new StringBuilder(1024);
credentialFileStr.append("admin=ADMIN::8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918\n");
credentialFileStr.append("admin=ADMIN::a4a88c0872bf652bb9ed803ece5fd6e82354838a9bf59ab4babb1dab322154e1\n");
credentialFileStr.append("adminv1=ADMIN::8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918\n");
credentialFileStr.append("michael=DATA_SCIENTIST::95bfb24de17d285d734b9eaa9109bfe922adc85f20d2e5e66a78bddb4a4ebddb\n");
credentialFileStr.append("paul=DATA_STEWARD::e7c0dcf5f8a93e93791e9bac1ae454a691c1d2a902fc4256d489e96c1b9ac68c\n");
credentialFileStr.append("user= \n");
credentialFileStr.append("user12= ::bd35283fe8fcfd77d7c05a8bf2adb85c773281927e12c9829c72a9462092f7c4\n");
credentialFileStr.append("user12= ::43d864d8f9b53cd913fc6a665c8470595cefa4a360edeb78cf6c4eac00c0a3a0\n");
File credentialFile = new File(tmpDir, "users-credentials");
FileUtils.write(credentialFile, credentialFileStr.toString());
}
@ -122,6 +123,18 @@ public class FileAuthenticationTest {
assertTrue(auth.isAuthenticated());
}
@Test
public void testValidUserLoginWithV1password() {
when(authentication.getName()).thenReturn("adminv1");
when(authentication.getCredentials()).thenReturn("admin");
Authentication auth = authProvider.authenticate(authentication);
LOG.debug(" {}", auth);
assertTrue(auth.isAuthenticated());
}
@Test
public void testInValidPasswordLogin() {

4
webapp/src/test/resources/users-credentials.properties
View File

@ -1,3 +1,3 @@
#username=group::sha256-password
admin=ADMIN::8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918
rangertagsync=RANGER_TAG_SYNC::e3f67240f5117d1753c940dae9eea772d36ed5fe9bd9c94a300e40413f1afb9d
admin=ADMIN::a4a88c0872bf652bb9ed803ece5fd6e82354838a9bf59ab4babb1dab322154e1
rangertagsync=RANGER_TAG_SYNC::0afe7a1968b07d4c3ff4ed8c2d809a32ffea706c66cd795ead9048e81cfaf034