From lmc...@apache.org
Subject knox git commit: KNOX=987 - Missing Audit Entries from Various Auth/Fed Providers
Date Mon, 31 Jul 2017 19:35:47 GMT
Repository: knox
Updated Branches:
  refs/heads/master 0b15afc6c -> 659e02ce3


KNOX=987 - Missing Audit Entries from Various Auth/Fed Providers

Project: http://git-wip-us.apache.org/repos/asf/knox/repo
Commit: http://git-wip-us.apache.org/repos/asf/knox/commit/659e02ce
Tree: http://git-wip-us.apache.org/repos/asf/knox/tree/659e02ce
Diff: http://git-wip-us.apache.org/repos/asf/knox/diff/659e02ce

Branch: refs/heads/master
Commit: 659e02ce37416e0652485fbe5b17969f98b08409
Parents: 0b15afc
Author: Larry McCay <lmccay@hortonworks.com>
Authored: Mon Jul 31 15:35:35 2017 -0400
Committer: Larry McCay <lmccay@hortonworks.com>
Committed: Mon Jul 31 15:35:35 2017 -0400

----------------------------------------------------------------------
 .../gateway/filter/AnonymousAuthFilter.java     | 14 ++++++++++++
 .../hadoopauth/filter/HadoopAuthPostFilter.java | 19 +++++++++++++---
 .../jwt/filter/AbstractJWTFilter.java           | 23 ++++++++++++++++++++
 .../filter/PicketlinkIdentityAdapter.java       | 10 +++++++++
 .../filter/AbstractPreAuthFederationFilter.java | 16 ++++++++++++++
 5 files changed, 79 insertions(+), 3 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/knox/blob/659e02ce/gateway-provider-security-authc-anon/src/main/java/org/apache/hadoop/gateway/filter/AnonymousAuthFilter.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-authc-anon/src/main/java/org/apache/hadoop/gateway/filter/AnonymousAuthFilter.java
b/gateway-provider-security-authc-anon/src/main/java/org/apache/hadoop/gateway/filter/AnonymousAuthFilter.java
index 619e7e3..59b64fd 100755
--- a/gateway-provider-security-authc-anon/src/main/java/org/apache/hadoop/gateway/filter/AnonymousAuthFilter.java
+++ b/gateway-provider-security-authc-anon/src/main/java/org/apache/hadoop/gateway/filter/AnonymousAuthFilter.java
@@ -17,6 +17,13 @@
  */
 package org.apache.hadoop.gateway.filter;
 
+import org.apache.hadoop.gateway.audit.api.Action;
+import org.apache.hadoop.gateway.audit.api.ActionOutcome;
+import org.apache.hadoop.gateway.audit.api.AuditService;
+import org.apache.hadoop.gateway.audit.api.AuditServiceFactory;
+import org.apache.hadoop.gateway.audit.api.Auditor;
+import org.apache.hadoop.gateway.audit.api.ResourceType;
+import org.apache.hadoop.gateway.audit.log4j.audit.AuditConstants;
 import org.apache.hadoop.gateway.security.PrimaryPrincipal;
 
 import java.io.IOException;
@@ -34,6 +41,10 @@ import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
 public class AnonymousAuthFilter implements Filter {
+  private static AuditService auditService = AuditServiceFactory.getAuditService();
+  private static Auditor auditor = auditService.getAuditor(
+      AuditConstants.DEFAULT_AUDITOR_NAME, AuditConstants.KNOX_SERVICE_NAME,
+      AuditConstants.KNOX_COMPONENT_NAME );
 
   @Override
   public void init(FilterConfig filterConfig) throws ServletException {
@@ -49,6 +60,9 @@ public class AnonymousAuthFilter implements Filter {
     }
     Subject subject = new Subject();
     subject.getPrincipals().add(new PrimaryPrincipal(principal));
+    auditService.getContext().setUsername( principal ); //KM: Audit Fix
+    String sourceUri = (String)request.getAttribute( AbstractGatewayFilter.SOURCE_REQUEST_CONTEXT_URL_ATTRIBUTE_NAME
);
+    auditor.audit( Action.AUTHENTICATION , sourceUri, ResourceType.URI, ActionOutcome.SUCCESS
);
     continueWithEstablishedSecurityContext(subject, (HttpServletRequest)request, (HttpServletResponse)response,
filterChain);
   }
 
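Review bot: `auditService.getContext().setUsername( principal )` dereferences the audit context without a null check, while the AbstractJWTFilter change in this same commit guards both `context != null` and `sourceUri != null`. If the context can be absent on this path, the added audit lines would turn a successful anonymous login into a NullPointerException before `continueWithEstablishedSecurityContext` is reached. The same unguarded pattern appears in the HadoopAuthPostFilter, PicketlinkIdentityAdapter and AbstractPreAuthFederationFilter hunks. I would read the context once, `AuditContext context = auditService.getContext();`, and call `setUsername` only when it is non-null, while still emitting the audit record. The enclosing method starts outside the hunk.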

http://git-wip-us.apache.org/repos/asf/knox/blob/659e02ce/gateway-provider-security-hadoopauth/src/main/java/org/apache/hadoop/gateway/hadoopauth/filter/HadoopAuthPostFilter.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-hadoopauth/src/main/java/org/apache/hadoop/gateway/hadoopauth/filter/HadoopAuthPostFilter.java
b/gateway-provider-security-hadoopauth/src/main/java/org/apache/hadoop/gateway/hadoopauth/filter/HadoopAuthPostFilter.java
index ba74667..70db96c 100755
--- a/gateway-provider-security-hadoopauth/src/main/java/org/apache/hadoop/gateway/hadoopauth/filter/HadoopAuthPostFilter.java
+++ b/gateway-provider-security-hadoopauth/src/main/java/org/apache/hadoop/gateway/hadoopauth/filter/HadoopAuthPostFilter.java
@@ -18,8 +18,6 @@
 package org.apache.hadoop.gateway.hadoopauth.filter;
 
 import java.io.IOException;
-import java.security.AccessController;
-import java.security.Principal;
 import java.security.PrivilegedActionException;
 import java.security.PrivilegedExceptionAction;
 
@@ -35,12 +33,24 @@ import javax.servlet.http.HttpServletResponse;
 
 import org.apache.hadoop.gateway.security.PrimaryPrincipal;
 import org.apache.hadoop.gateway.i18n.messages.MessagesFactory;
+import org.apache.hadoop.gateway.audit.api.Action;
+import org.apache.hadoop.gateway.audit.api.ActionOutcome;
+import org.apache.hadoop.gateway.audit.api.AuditService;
+import org.apache.hadoop.gateway.audit.api.AuditServiceFactory;
+import org.apache.hadoop.gateway.audit.api.Auditor;
+import org.apache.hadoop.gateway.audit.api.ResourceType;
+import org.apache.hadoop.gateway.audit.log4j.audit.AuditConstants;
+import org.apache.hadoop.gateway.filter.AbstractGatewayFilter;
 import org.apache.hadoop.gateway.hadoopauth.HadoopAuthMessages;
 
 public class HadoopAuthPostFilter implements Filter {
 
   private static HadoopAuthMessages log = MessagesFactory.get( HadoopAuthMessages.class );
-  
+  private static AuditService auditService = AuditServiceFactory.getAuditService();
+  private static Auditor auditor = auditService.getAuditor(
+      AuditConstants.DEFAULT_AUDITOR_NAME, AuditConstants.KNOX_SERVICE_NAME,
+      AuditConstants.KNOX_COMPONENT_NAME );
+
   @Override
   public void init( FilterConfig filterConfig ) throws ServletException {
   }
@@ -58,6 +68,9 @@ public class HadoopAuthPostFilter implements Filter {
         Subject subject = new Subject();
         subject.getPrincipals().add(new PrimaryPrincipal(principal));
         log.hadoopAuthAssertedPrincipal(principal);
+        auditService.getContext().setUsername( principal ); //KM: Audit Fix
+        String sourceUri = (String)request.getAttribute( AbstractGatewayFilter.SOURCE_REQUEST_CONTEXT_URL_ATTRIBUTE_NAME
);
+        auditor.audit( Action.AUTHENTICATION , sourceUri, ResourceType.URI, ActionOutcome.SUCCESS
);
         doAs(httpRequest, response, chain, subject);
     } 
     else {
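Review bot: Only the success branch gets an audit record here; the `else {` branch that closes the hunk has no matching `auditor.audit(...)` call in the visible lines, and its body lies outside the hunk. For an authentication audit trail the rejected attempts matter at least as much as the accepted ones, so if that branch is the rejection path it should record `auditor.audit( Action.AUTHENTICATION, sourceUri, ResourceType.URI, ActionOutcome.FAILURE );`. The AbstractPreAuthFederationFilter hunk ends on an `else {` in the same way and deserves the same check.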

http://git-wip-us.apache.org/repos/asf/knox/blob/659e02ce/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/filter/AbstractJWTFilter.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/filter/AbstractJWTFilter.java
b/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/filter/AbstractJWTFilter.java
index d887340..8627b3f 100644
--- a/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/filter/AbstractJWTFilter.java
+++ b/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/filter/AbstractJWTFilter.java
@@ -39,6 +39,15 @@ import javax.servlet.ServletResponse;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
+import org.apache.hadoop.gateway.audit.api.Action;
+import org.apache.hadoop.gateway.audit.api.ActionOutcome;
+import org.apache.hadoop.gateway.audit.api.AuditContext;
+import org.apache.hadoop.gateway.audit.api.AuditService;
+import org.apache.hadoop.gateway.audit.api.AuditServiceFactory;
+import org.apache.hadoop.gateway.audit.api.Auditor;
+import org.apache.hadoop.gateway.audit.api.ResourceType;
+import org.apache.hadoop.gateway.audit.log4j.audit.AuditConstants;
+import org.apache.hadoop.gateway.filter.AbstractGatewayFilter;
 import org.apache.hadoop.gateway.i18n.messages.MessagesFactory;
 import org.apache.hadoop.gateway.provider.federation.jwt.JWTMessages;
 import org.apache.hadoop.gateway.security.PrimaryPrincipal;
@@ -56,6 +65,10 @@ public abstract class AbstractJWTFilter implements Filter {
   protected JWTokenAuthority authority;
   protected String verificationPEM = null;
   protected RSAPublicKey publicKey = null;
+  private static AuditService auditService = AuditServiceFactory.getAuditService();
+  private static Auditor auditor = auditService.getAuditor(
+      AuditConstants.DEFAULT_AUDITOR_NAME, AuditConstants.KNOX_SERVICE_NAME,
+      AuditConstants.KNOX_COMPONENT_NAME );
 
   public abstract void doFilter(ServletRequest request, ServletResponse response, FilterChain
chain)
       throws IOException, ServletException;
@@ -138,6 +151,16 @@ public abstract class AbstractJWTFilter implements Filter {
   }
 
   protected void continueWithEstablishedSecurityContext(Subject subject, final HttpServletRequest
request, final HttpServletResponse response, final FilterChain chain) throws IOException,
ServletException {
+    Principal principal = (Principal) subject.getPrincipals(PrimaryPrincipal.class).toArray()[0];
+    AuditContext context = auditService.getContext();
+    if (context != null) {
+      context.setUsername( principal.getName() );
+      String sourceUri = (String)request.getAttribute( AbstractGatewayFilter.SOURCE_REQUEST_CONTEXT_URL_ATTRIBUTE_NAME
);
+      if (sourceUri != null) {
+        auditor.audit( Action.AUTHENTICATION , sourceUri, ResourceType.URI, ActionOutcome.SUCCESS
);
+      }
+    }
+
     try {
       Subject.doAs(
         subject,
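Review bot: When `sourceUri` is null the `if (sourceUri != null)` guard skips the audit call silently, so a successful JWT authentication can still leave no audit entry, which is the gap this commit sets out to close. I would audit unconditionally and let the resource be null or a fixed marker, or at least log that the record was dropped. Separately, `subject.getPrincipals(PrimaryPrincipal.class).toArray()[0]` throws ArrayIndexOutOfBoundsException if a subclass passes a Subject without a PrimaryPrincipal; a check that the set is non-empty before indexing would make the failure explicit. The method body continues past the end of the hunk.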

http://git-wip-us.apache.org/repos/asf/knox/blob/659e02ce/gateway-provider-security-picketlink/src/main/java/org/apache/hadoop/gateway/picketlink/filter/PicketlinkIdentityAdapter.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-picketlink/src/main/java/org/apache/hadoop/gateway/picketlink/filter/PicketlinkIdentityAdapter.java
b/gateway-provider-security-picketlink/src/main/java/org/apache/hadoop/gateway/picketlink/filter/PicketlinkIdentityAdapter.java
index 2684a60..333f91d 100644
--- a/gateway-provider-security-picketlink/src/main/java/org/apache/hadoop/gateway/picketlink/filter/PicketlinkIdentityAdapter.java
+++ b/gateway-provider-security-picketlink/src/main/java/org/apache/hadoop/gateway/picketlink/filter/PicketlinkIdentityAdapter.java
@@ -18,6 +18,7 @@
 package org.apache.hadoop.gateway.picketlink.filter;
 
 import java.io.IOException;
+import java.security.Principal;
 import java.security.PrivilegedActionException;
 import java.security.PrivilegedExceptionAction;
 import javax.security.auth.Subject;
@@ -29,10 +30,14 @@ import javax.servlet.ServletRequest;
 import javax.servlet.ServletResponse;
 import javax.servlet.http.HttpServletRequest;
 
+import org.apache.hadoop.gateway.audit.api.Action;
+import org.apache.hadoop.gateway.audit.api.ActionOutcome;
 import org.apache.hadoop.gateway.audit.api.AuditService;
 import org.apache.hadoop.gateway.audit.api.AuditServiceFactory;
 import org.apache.hadoop.gateway.audit.api.Auditor;
+import org.apache.hadoop.gateway.audit.api.ResourceType;
 import org.apache.hadoop.gateway.audit.log4j.audit.AuditConstants;
+import org.apache.hadoop.gateway.filter.AbstractGatewayFilter;
 import org.apache.hadoop.gateway.security.PrimaryPrincipal;
 
 public class PicketlinkIdentityAdapter implements Filter {
@@ -59,6 +64,11 @@ public class PicketlinkIdentityAdapter implements Filter {
     Subject subject = new Subject();
     subject.getPrincipals().add(pp);
     
+    Principal principal = (Principal) subject.getPrincipals(PrimaryPrincipal.class);
+    auditService.getContext().setUsername( principal.getName() );
+    String sourceUri = (String)request.getAttribute( AbstractGatewayFilter.SOURCE_REQUEST_CONTEXT_URL_ATTRIBUTE_NAME
);
+    auditor.audit( Action.AUTHENTICATION , sourceUri, ResourceType.URI, ActionOutcome.SUCCESS
);
+
     doAs(request, response, chain, subject);
   }
   
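Review bot: `(Principal) subject.getPrincipals(PrimaryPrincipal.class)` casts the returned `Set` to `Principal`, which compiles because both are interfaces but throws ClassCastException at runtime. As written, every request reaching this adapter would fail on that line before `doAs` runs. The AbstractJWTFilter hunk in this commit takes the first element of the set instead. Since `pp` was just added to the subject two lines earlier, the simplest fix is to drop the lookup and use it directly, `auditService.getContext().setUsername( pp.getName() );`, assuming `pp` is the PrimaryPrincipal built above the hunk. The enclosing method starts outside the hunk.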

http://git-wip-us.apache.org/repos/asf/knox/blob/659e02ce/gateway-provider-security-preauth/src/main/java/org/apache/hadoop/gateway/preauth/filter/AbstractPreAuthFederationFilter.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-preauth/src/main/java/org/apache/hadoop/gateway/preauth/filter/AbstractPreAuthFederationFilter.java
b/gateway-provider-security-preauth/src/main/java/org/apache/hadoop/gateway/preauth/filter/AbstractPreAuthFederationFilter.java
index 3a435e4..fa4df69 100644
--- a/gateway-provider-security-preauth/src/main/java/org/apache/hadoop/gateway/preauth/filter/AbstractPreAuthFederationFilter.java
+++ b/gateway-provider-security-preauth/src/main/java/org/apache/hadoop/gateway/preauth/filter/AbstractPreAuthFederationFilter.java
@@ -35,6 +35,15 @@ import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
 import com.google.common.annotations.VisibleForTesting;
+
+import org.apache.hadoop.gateway.audit.api.Action;
+import org.apache.hadoop.gateway.audit.api.ActionOutcome;
+import org.apache.hadoop.gateway.audit.api.AuditService;
+import org.apache.hadoop.gateway.audit.api.AuditServiceFactory;
+import org.apache.hadoop.gateway.audit.api.Auditor;
+import org.apache.hadoop.gateway.audit.api.ResourceType;
+import org.apache.hadoop.gateway.audit.log4j.audit.AuditConstants;
+import org.apache.hadoop.gateway.filter.AbstractGatewayFilter;
 import org.apache.hadoop.gateway.security.PrimaryPrincipal;
 
 /**
@@ -44,6 +53,10 @@ public abstract class AbstractPreAuthFederationFilter implements Filter
{
 
   private List<PreAuthValidator> validators = null;
   private FilterConfig filterConfig;
+  private static AuditService auditService = AuditServiceFactory.getAuditService();
+  private static Auditor auditor = auditService.getAuditor(
+      AuditConstants.DEFAULT_AUDITOR_NAME, AuditConstants.KNOX_SERVICE_NAME,
+      AuditConstants.KNOX_COMPONENT_NAME );
 
   /**
    * 
@@ -73,6 +86,9 @@ public abstract class AbstractPreAuthFederationFilter implements Filter
{
         Subject subject = new Subject();
         subject.getPrincipals().add(new PrimaryPrincipal(principal));
         addGroupPrincipals(httpRequest, subject.getPrincipals());
+        auditService.getContext().setUsername( principal ); //KM: Audit Fix
+        String sourceUri = (String)request.getAttribute( AbstractGatewayFilter.SOURCE_REQUEST_CONTEXT_URL_ATTRIBUTE_NAME
);
+        auditor.audit( Action.AUTHENTICATION , sourceUri, ResourceType.URI, ActionOutcome.SUCCESS
);
         doAs(httpRequest, response, chain, subject);
       }
       else {

