
Example 1 with KnoxJwtRealm

use of org.apache.zeppelin.realm.jwt.KnoxJwtRealm in project zeppelin by apache.

the class ShiroAuthenticationService method getAssociatedRoles.

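/**
 * Return the roles associated with the authenticated user if any otherwise returns empty set.
 * TODO(prasadwagle) Find correct way to get user roles (see SHIRO-492)
 *
 * <p>Only the first realm of a recognised type (INI, LDAP, Active Directory group, Knox JWT)
 * contributes roles; the realm loop stops there. For the INI and Active Directory realms the
 * realm's full role map is only a candidate list: each name is still checked with
 * {@code subject.hasRole(...)}, so the map by itself grants nothing.
 *
 * @return shiro roles held by the current subject; empty (never {@code null}) when the subject
 *     is not authenticated, when no recognised realm is present, or when the realm lookup fails
 */
@Override
public Set<String> getAssociatedRoles() {
    Subject subject = org.apache.shiro.SecurityUtils.getSubject();
    Set<String> roles = new HashSet<>();
    if (!subject.isAuthenticated()) {
        // An unauthenticated subject gets no roles and no realm is consulted.
        return roles;
    }
    // Candidate role names from an INI / Active Directory realm, filtered against the subject below.
    Map<String, String> allRoles = null;
    for (Realm realm : getRealmsList()) {
        String name = realm.getClass().getName();
        if (INI_REALM.equals(name)) {
            allRoles = ((IniRealm) realm).getIni().get("roles");
            break;
        } else if (LDAP_REALM.equals(name)) {
            LdapRealm ldapRealm = (LdapRealm) realm;
            try {
                AuthorizationInfo auth = ldapRealm.queryForAuthorizationInfo(
                        new SimplePrincipalCollection(subject.getPrincipal(), realm.getName()),
                        ldapRealm.getContextFactory());
                // AuthorizationInfo.getRoles() may be null for implementations that assigned no
                // roles; copying it unconditionally would throw NullPointerException.
                if (auth != null && auth.getRoles() != null) {
                    roles = new HashSet<>(auth.getRoles());
                }
            } catch (NamingException e) {
                // Best effort: a directory failure yields an empty role set, not an error.
                LOGGER.error("Can't fetch roles", e);
            }
            break;
        } else if (ACTIVE_DIRECTORY_GROUP_REALM.equals(name)) {
            allRoles = ((ActiveDirectoryGroupRealm) realm).getListRoles();
            break;
        } else if (realm instanceof KnoxJwtRealm) {
            // NOTE(review): this branch uses the service's getPrincipal() while the LDAP branch
            // uses subject.getPrincipal() — confirm both resolve to the same principal.
            Set<String> knoxRoles = ((KnoxJwtRealm) realm).mapGroupPrincipals(getPrincipal());
            // Keep the documented "empty set" contract if the realm reports no groups.
            if (knoxRoles != null) {
                roles = knoxRoles;
            }
            break;
        }
    }
    if (allRoles != null) {
        for (String role : allRoles.keySet()) {
            if (subject.hasRole(role)) {
                roles.add(role);
            }
        }
    }
    return roles;
}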

Example 2 with KnoxJwtRealm

use of org.apache.zeppelin.realm.jwt.KnoxJwtRealm in project zeppelin by apache.

the class LoginRestApi method logout.

/**
 * Logs out the current user and tells the client how to finish the logout on its side.
 *
 * <p>The payload always carries {@code clearAuthorizationHeader}; the HTTP status is
 * {@code UNAUTHORIZED} when that flag is {@code "true"} and {@code FORBIDDEN} otherwise. When Knox
 * SSO or a Kerberos realm is active, the provider's logout URL and whether that URL is an API
 * endpoint are added so the client can complete the SSO logout.
 *
 * @return JSON response with {@code clearAuthorizationHeader} and, for SSO realms,
 *     {@code redirectURL} and {@code isLogoutAPI}
 */
@POST
@Path("logout")
@ZeppelinApi
public Response logout() {
    logoutCurrentUser();
    boolean clearHeader = zConf.isAuthorizationHeaderClear();
    Status status = clearHeader ? Status.UNAUTHORIZED : Status.FORBIDDEN;
    Map<String, String> payload = new HashMap<>();
    payload.put("clearAuthorizationHeader", Boolean.toString(clearHeader));
    if (isKnoxSSOEnabled()) {
        KnoxJwtRealm knox = getJTWRealm();
        String logoutUrl = constructUrl(knox.getProviderUrl(), knox.getRedirectParam(), knox.getLogout());
        payload.put("redirectURL", logoutUrl);
        payload.put("isLogoutAPI", knox.getLogoutAPI().toString());
    } else if (isKerberosRealmEnabled()) {
        KerberosRealm kerberos = getKerberosRealm();
        String logoutUrl = constructUrl(kerberos.getProviderUrl(), kerberos.getRedirectParam(), kerberos.getLogout());
        payload.put("redirectURL", logoutUrl);
        payload.put("isLogoutAPI", kerberos.getLogoutAPI().toString());
    }
    JsonResponse<Map<String, String>> response = new JsonResponse<>(status, "", payload);
    LOG.info(response.toString());
    return response.build();
}

Example 3 with KnoxJwtRealm

use of org.apache.zeppelin.realm.jwt.KnoxJwtRealm in project zeppelin by apache.

the class ShiroAuthenticationServiceTest method testKnoxGetRoles.

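/**
 * A Knox JWT realm's group principals must surface as the subject's associated roles.
 *
 * <p>Binds a {@link DefaultSecurityManager} backed by a spied {@link KnoxJwtRealm} whose
 * {@code mapGroupPrincipals("test")} is stubbed, then checks that
 * {@code getAssociatedRoles()} returns exactly the stubbed set.
 */
@Test
public void testKnoxGetRoles() {
    setupPrincipalName("test");
    KnoxJwtRealm realm = spy(new KnoxJwtRealm());
    LifecycleUtils.init(realm);
    // Plain HashSet instead of double-brace initialisation: that idiom creates an anonymous
    // HashSet subclass holding a reference to the enclosing test instance for no benefit.
    Set<String> testRoles = new HashSet<>();
    testRoles.add("role1");
    testRoles.add("role2");
    when(realm.mapGroupPrincipals("test")).thenReturn(testRoles);
    DefaultSecurityManager securityManager = new DefaultSecurityManager(realm);
    // NOTE(review): the security manager stays bound to this thread after the test; confirm a
    // teardown unbinds it so later tests do not inherit this realm.
    ThreadContext.bind(securityManager);
    Set<String> roles = shiroSecurityService.getAssociatedRoles();
    assertEquals(testRoles, roles);
}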

Example 4 with KnoxJwtRealm

use of org.apache.zeppelin.realm.jwt.KnoxJwtRealm in project zeppelin by apache.

the class LoginRestApi method getLogin.

/**
 * Handles {@code GET} on the login resource for the SSO realms, Knox JWT first, then Kerberos.
 *
 * <p>Knox: when the realm's cookie is present, its value is wrapped in a
 * {@link JWTAuthenticationToken}; unless the current subject is already authenticated as the
 * principal named by that token, {@code proceedToLogin} is attempted. Every other outcome in
 * this branch (no cookie, unparsable token, already logged in as that principal) answers
 * {@code OK} with the Knox provider's login URL so the client can redirect.
 *
 * <p>Kerberos: a token is extracted from the cookies and, under the same "not already this
 * principal" rule, a login is attempted. If no login response was produced the answer is
 * {@code UNAUTHORIZED}.
 *
 * @param headers request headers; realm cookies are read from here
 * @return a login response from {@code proceedToLogin}, a redirect/unauthorized JSON response as
 *     described above, or {@code METHOD_NOT_ALLOWED} when neither SSO realm is configured or the
 *     Kerberos path threw {@link AuthenticationException}
 */
@GET
@ZeppelinApi
public Response getLogin(@Context HttpHeaders headers) {
    JsonResponse<Map<String, String>> response = null;
    if (isKnoxSSOEnabled()) {
        KnoxJwtRealm knoxJwtRealm = getJTWRealm();
        Cookie cookie = headers.getCookies().get(knoxJwtRealm.getCookieName());
        if (cookie != null && cookie.getValue() != null) {
            Subject currentUser = SecurityUtils.getSubject();
            // Only presence of the cookie is checked here; the token itself is untrusted input.
            JWTAuthenticationToken token = new JWTAuthenticationToken(null, cookie.getValue());
            try {
                // NOTE(review): getName(token) is the only step before the principal comparison —
                // confirm it (or proceedToLogin) verifies the token's signature and expiry.
                String name = knoxJwtRealm.getName(token);
                if (!currentUser.isAuthenticated() || !currentUser.getPrincipal().equals(name)) {
                    response = proceedToLogin(currentUser, token);
                }
            } catch (ParseException e) {
                // A malformed token is not fatal: the client is sent to the provider's login page.
                LOG.error("ParseException in LoginRestApi: ", e);
            }
        }
        if (response == null) {
            Map<String, String> data = new HashMap<>();
            data.put("redirectURL", constructUrl(knoxJwtRealm.getProviderUrl(), knoxJwtRealm.getRedirectParam(), knoxJwtRealm.getLogin()));
            response = new JsonResponse<>(Status.OK, "", data);
        }
        return response.build();
    }
    KerberosRealm kerberosRealm = getKerberosRealm();
    if (null != kerberosRealm) {
        try {
            Map<String, Cookie> cookies = headers.getCookies();
            KerberosToken kerberosToken = KerberosRealm.getKerberosTokenFromCookies(cookies);
            if (null != kerberosToken) {
                Subject currentUser = SecurityUtils.getSubject();
                String name = (String) kerberosToken.getPrincipal();
                if (!currentUser.isAuthenticated() || !currentUser.getPrincipal().equals(name)) {
                    response = proceedToLogin(currentUser, kerberosToken);
                }
            }
            // NOTE(review): this also fires when a token was present but the subject is already
            // authenticated as that principal, so the warning text and the 401 are misleading in
            // that case; the Knox branch above answers OK instead. Confirm which is intended.
            if (null == response) {
                LOG.warn("No Kerberos token received");
                response = new JsonResponse<>(Status.UNAUTHORIZED, "", null);
            }
            return response.build();
        } catch (AuthenticationException e) {
            // Falls through to METHOD_NOT_ALLOWED below rather than reporting the auth failure.
            LOG.error("Error in Login", e);
        }
    }
    return new JsonResponse<>(Status.METHOD_NOT_ALLOWED).build();
}
