Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ISSUE:569: Support Kerberos credentials based Basic Authentication #567

Merged
merged 6 commits into from
Jul 9, 2019
Merged

ISSUE:569: Support Kerberos credentials based Basic Authentication #567

merged 6 commits into from
Jul 9, 2019

Conversation

guruchai
Copy link
Contributor

@guruchai guruchai commented Jul 3, 2019
edited by raju-saravanan
Loading

Fixes #569

@guruchai guruchai requested a review from raju-saravanan July 4, 2019 03:49
@raju-saravanan
Copy link
Collaborator

@guruchai: Can you create an ISSUE for this and explain what is being done in this PR?

@guruchai guruchai changed the title Kerberos login ISSUE:569: Kerberos login Jul 4, 2019
@guruchai guruchai changed the title ISSUE:569: Kerberos login ISSUE:569: Support Kerberos credentials based Authentication Jul 4, 2019
@guruchai
Copy link
Contributor Author

guruchai commented Jul 4, 2019

@guruchai: Can you create an ISSUE for this and explain what is being done in this PR?

Done. Thanks!

@guruchai guruchai changed the title ISSUE:569: Support Kerberos credentials based Authentication ISSUE:569: Support Kerberos credentials based Basic Authentication Jul 4, 2019
@guruchai guruchai requested a review from kamalcph July 8, 2019 08:40
kamalcph
kamalcph reviewed Jul 8, 2019
View reviewed changes
Copy link
Contributor

@kamalcph kamalcph left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

overall looks good to me. Left some minor comments to address.

...src/main/java/com/hortonworks/registries/auth/server/KerberosBasicAuthenticationHandler.java
@@ -0,0 +1,204 @@
package com.hortonworks.registries.auth.server;
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

license is missing. Add license for all the newly added files.

...src/main/java/com/hortonworks/registries/auth/server/KerberosBasicAuthenticationHandler.java Outdated
public static final String AUTHORIZATION_HEADER = "Authorization";
public static final String BASIC_AUTHENTICATION = "Basic";

private static final Logger LOG = LoggerFactory.getLogger(KerberosAuthenticationHandler.class);
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Update the class name in the logger.

...src/main/java/com/hortonworks/registries/auth/server/KerberosBasicAuthenticationHandler.java Outdated
}

if (LOG.isDebugEnabled()) {
LOG.debug("Ran provider.authenticate() and returned authentication for " +
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Whether to check authentication is null before printing the log?

...test/java/com/hortonworks/registries/auth/server/TestKerberosBasicAuthenticationHandler.java
}

@Test
public void testRequestWithInvalidAuthorization() throws Exception {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

testRequestWithInvalidAuthorization and testRequestWithInvalidCredentials looks similar.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not exactly. testRequestWithInvalidAuthorization tests the invalidity of Authorization header. testRequestWithInvalidCredentials tests the invalidity of the credentials after validating the Authorization header. They are like 2 steps in parsing step.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Agree.

...test/java/com/hortonworks/registries/auth/server/TestKerberosBasicAuthenticationHandler.java Outdated
AuthenticationToken authToken = handler.authenticate(request, response);

if (authToken != null) {
Assert.fail("AuthToken should have been null if the SPNEGO is disabled in KerberosAuthenticationLoginHandler.");
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

KerberosAuthenticationLoginHandler -> KerberosBasicAuthenticationHandler

@guruchai
Copy link
Contributor Author

guruchai commented Jul 8, 2019

Thanks for the review, @kamalcph!! made the changes suggested.

kamalcph
kamalcph reviewed Jul 8, 2019
View reviewed changes
Copy link
Contributor

@kamalcph kamalcph left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

some more minor comments.

...test/java/com/hortonworks/registries/auth/server/TestKerberosBasicAuthenticationHandler.java
@@ -0,0 +1,302 @@
package com.hortonworks.registries.auth.server;
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

license is missing.

...test/java/com/hortonworks/registries/auth/server/TestKerberosBasicAuthenticationHandler.java
}

@Test
public void testRequestWithInvalidAuthorization() throws Exception {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Agree.

common-auth/src/main/java/com/hortonworks/registries/auth/util/Utils.java Outdated
}
}
return true;
} else {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

else block can be removed.

raju-saravanan
raju-saravanan reviewed Jul 8, 2019
View reviewed changes
Copy link
Collaborator

@raju-saravanan raju-saravanan left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Overall looks good. Left some comments.

...src/main/java/com/hortonworks/registries/auth/server/KerberosBasicAuthenticationHandler.java
*/
public class KerberosBasicAuthenticationHandler extends KerberosAuthenticationHandler {

public static final String LOGIN_ENABLED_CONFIG = "login.enabled";
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you mention these props in the registry .yaml under the "servletFilters" section?

...src/main/java/com/hortonworks/registries/auth/server/KerberosBasicAuthenticationHandler.java Outdated
public static final String BASIC_AUTHENTICATION = "Basic";

private static final Logger LOG = LoggerFactory.getLogger(KerberosBasicAuthenticationHandler.class);
private static final String METHOD = "POST";
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we rename this to "HTTP_LOGIN_METHOD" or more something meaningful?

...src/main/java/com/hortonworks/registries/auth/server/KerberosBasicAuthenticationHandler.java Outdated
try {
provider = new KerberosAuthenticationProvider();
SunJaasKerberosClient client = new SunJaasKerberosClient();
client.setDebug(true);
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I am not sure how much logs the client will generate in debug mode. Can we enable this if debug mode is enabled for LOG?

...src/main/java/com/hortonworks/registries/auth/server/KerberosBasicAuthenticationHandler.java Outdated
}
String credentials = authorization.split(BASIC_AUTHENTICATION)[1].trim();
byte[] credentialsArray = Base64.getDecoder().decode(credentials);
String[] userPassword = new String(credentialsArray, StandardCharsets.UTF_8).split(":");
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we rename this to "principalAndPassword"? I was bit confused when rawPrincipal was extracted from "userPassword".

...src/main/java/com/hortonworks/registries/auth/server/KerberosBasicAuthenticationHandler.java Outdated
return identity;
}

static class KerberosUserDetailsService implements UserDetailsService {
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we need static keyword here?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

static nested classes are usually preferred if the class is not using any of the fields from the enclosing class.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Agreed. I hurried up. Did not pay much attention. Considering no access to enclosing class, static should have been finer for this case!

...src/main/java/com/hortonworks/registries/auth/server/KerberosBasicAuthenticationHandler.java
* <li>login.enabled: a boolean string to indicate whether the enabling of Kerberos login.</li>
* </ul>
*/
public class KerberosBasicAuthenticationHandler extends KerberosAuthenticationHandler {
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you talk about this authentication method in security.rst under docs pacakge ?

@guruchai
Copy link
Contributor Author

guruchai commented Jul 9, 2019

Made the changes.
@raju-saravanan , @kamalcph, can we merge the PR if things look good?

kamalcph
kamalcph approved these changes Jul 9, 2019
View reviewed changes
Copy link
Contributor

@kamalcph kamalcph left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM.

raju-saravanan
raju-saravanan approved these changes Jul 9, 2019
View reviewed changes
Copy link
Collaborator

@raju-saravanan raju-saravanan left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

+1 LGTM, Thanks @guruchai for this PR.

@raju-saravanan raju-saravanan merged commit 6e9b463 into master Jul 9, 2019
guruchai added a commit that referenced this pull request Jul 11, 2019
@guruchai
ISSUE:569: Support Kerberos credentials based Basic Authentication (#567
772c4c6 
)

* Bumping the version

* CSP-51: Auth changes to support credentials based Kerberos Login

* Changing nexus repo from http to https as http is not active

* Added few comments and modified the class name

* Addressed review comments

* Addressed review comments and added some documentation
guruchai added a commit that referenced this pull request Jul 11, 2019
@guruchai
ISSUE:569: Support Kerberos credentials based Basic Authentication (#567
6d5e28b 
)

* Bumping the version

* CSP-51: Auth changes to support credentials based Kerberos Login

* Changing nexus repo from http to https as http is not active

* Added few comments and modified the class name

* Addressed review comments

* Addressed review comments and added some documentation
@guruchai guruchai deleted the kerberos_login branch September 12, 2019 12:35
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@raju-saravanan raju-saravanan raju-saravanan approved these changes

@kamalcph kamalcph kamalcph approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Support Kerberos Credentials based Basic Authentication
3 participants
@guruchai @raju-saravanan @kamalcph