AMBARI-14044. Change Anonymous API Authentication To A Declared User (rlevas)

ambari-server/conf/unix/ambari.properties

@@ -54,7 +54,6 @@ server.tmp.dir=/var/lib/ambari-server/data/tmp
 ambari.python.wrap=ambari-python-wrap
 ambari-server.user=root
 
-api.authenticate=true
 server.connection.max.idle.millis=900000
 server.fqdn.service.url=http://169.254.169.254/latest/meta-data/public-hostname
 server.stages.parallel=true
@@ -110,4 +109,4 @@ views.http.x-frame-options=SAMEORIGIN
 
 # Enable Metrics Collector auto-restart
 recovery.type=AUTO_START
-recovery.enabled_components=METRICS_COLLECTOR
+recovery.enabled_components=METRICS_COLLECTOR

ambari-server/conf/windows/ambari.properties

@@ -41,7 +41,6 @@ webapp.dir=web
 bootstrap.dir=bootstrap
 bootstrap.script=sbin\\bootstrap.py
 bootstrap.setup_agent.script=resources\\bootstrap.zip
-api.authenticate=true
 server.connection.max.idle.millis=900000
 server.fqdn.service.url=http://127.0.0.1/latest/meta-data/public-hostname
 server.stages.parallel=true
@@ -95,4 +94,4 @@ http.x-frame-options=DENY
 # HTTP Header settings for Ambari Views
 views.http.strict-transport-security=max-age=31536000
 views.http.x-xss-protection=1; mode=block
-views.http.x-frame-options=SAMEORIGIN
+views.http.x-frame-options=SAMEORIGIN

ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java

@@ -99,7 +99,7 @@ public class Configuration {
   public static final String STACK_ADVISOR_SCRIPT_DEFAULT = "/var/lib/ambari-server/resources/scripts/stack_advisor.py";
   public static final String AMBARI_PYTHON_WRAP_KEY = "ambari.python.wrap";
   public static final String AMBARI_PYTHON_WRAP_DEFAULT = "ambari-python-wrap";
-  public static final String API_AUTHENTICATE = "api.authenticate";
+  public static final String API_AUTHENTICATED_USER = "api.authenticated.user";
   public static final String API_USE_SSL = "api.ssl";
   public static final String API_CSRF_PREVENTION_KEY = "api.csrfPrevention.enabled";
   public static final String API_GZIP_COMPRESSION_ENABLED_KEY = "api.gzip.compression.enabled";
@@ -1126,11 +1126,15 @@ public class Configuration {
   }
 
   /**
-   * Check to see if the API should be authenticated or not
-   * @return false if not, true if the authentication is enabled.
+   * Gets the username of the default user assumed to be executing API calls.
+   * <p/>
+   * If this value is <code>null</code> or empty then no default user is set and one must be
+   * specified when issuing API calls.
+   *
+   * @return the username of a user.
    */
-  public boolean getApiAuthentication() {
-    return ("true".equals(properties.getProperty(API_AUTHENTICATE, "false")));
+  public String getDefaultApiAuthenticatedUser() {
+    return properties.getProperty(API_AUTHENTICATED_USER);
   }
 
   /**

ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariServer.java

@@ -335,15 +335,12 @@ public class AmbariServer {
       // register listener to capture request context
       root.addEventListener(new RequestContextListener());
 
+      root.addFilter(new FilterHolder(springSecurityFilter), "/api/*", DISPATCHER_TYPES);
+
       // session-per-request strategy for agents
       agentroot.addFilter(new FilterHolder(injector.getInstance(AmbariPersistFilter.class)), "/agent/*", DISPATCHER_TYPES);
       agentroot.addFilter(SecurityFilter.class, "/*", DISPATCHER_TYPES);
 
-      if (configs.getApiAuthentication()) {
-        root.addFilter(new FilterHolder(springSecurityFilter), "/api/*", DISPATCHER_TYPES);
-        // root.addFilter(new FilterHolder(springSecurityFilter), "/proxy/*", DISPATCHER_TYPES);
-      }
-
       Map<String, String> configsMap = configs.getConfigsMap();
 
       if (configs.getAgentSSLAuthentication()) {

ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariAuthorizationFilter.java

@@ -19,6 +19,7 @@
 package org.apache.ambari.server.security.authorization;
 
 import java.io.IOException;
+import java.security.Principal;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
 
@@ -31,11 +32,16 @@ import javax.servlet.ServletResponse;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
+import com.google.inject.Inject;
+import org.apache.ambari.server.configuration.Configuration;
 import org.apache.ambari.server.orm.entities.PermissionEntity;
 import org.apache.ambari.server.orm.entities.PrivilegeEntity;
 import org.apache.ambari.server.orm.entities.ViewInstanceEntity.ViewInstanceVersionDTO;
 import org.apache.ambari.server.security.authorization.internal.InternalAuthenticationToken;
 import org.apache.ambari.server.view.ViewRegistry;
+import org.apache.commons.lang.StringUtils;
+import org.springframework.security.authentication.AnonymousAuthenticationToken;
+import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.core.context.SecurityContext;
@@ -50,23 +56,35 @@ public class AmbariAuthorizationFilter implements Filter {
 
   private static final Pattern STACK_ADVISOR_REGEX = Pattern.compile("/api/v[0-9]+/stacks/[^/]+/versions/[^/]+/(validations|recommendations).*");
 
-  public static final String API_VERSION_PREFIX        = "/api/v[0-9]+";
+  public static final String API_VERSION_PREFIX = "/api/v[0-9]+";
   public static final String VIEWS_CONTEXT_PATH_PREFIX = "/views/";
 
-  private static final String VIEWS_CONTEXT_PATH_PATTERN       = VIEWS_CONTEXT_PATH_PREFIX + "([^/]+)/([^/]+)/([^/]+)(.*)";
-  private static final String VIEWS_CONTEXT_ALL_PATTERN        = VIEWS_CONTEXT_PATH_PREFIX + ".*";
-  private static final String API_USERS_ALL_PATTERN            = API_VERSION_PREFIX + "/users.*";
-  private static final String API_PRIVILEGES_ALL_PATTERN       = API_VERSION_PREFIX + "/privileges.*";
-  private static final String API_GROUPS_ALL_PATTERN           = API_VERSION_PREFIX + "/groups.*";
-  private static final String API_CLUSTERS_ALL_PATTERN         = API_VERSION_PREFIX + "/clusters.*";
-  private static final String API_VIEWS_ALL_PATTERN            = API_VERSION_PREFIX + "/views.*";
-  private static final String API_PERSIST_ALL_PATTERN          = API_VERSION_PREFIX + "/persist.*";
+  private static final String VIEWS_CONTEXT_PATH_PATTERN = VIEWS_CONTEXT_PATH_PREFIX + "([^/]+)/([^/]+)/([^/]+)(.*)";
+  private static final String VIEWS_CONTEXT_ALL_PATTERN = VIEWS_CONTEXT_PATH_PREFIX + ".*";
+  private static final String API_USERS_ALL_PATTERN = API_VERSION_PREFIX + "/users.*";
+  private static final String API_PRIVILEGES_ALL_PATTERN = API_VERSION_PREFIX + "/privileges.*";
+  private static final String API_GROUPS_ALL_PATTERN = API_VERSION_PREFIX + "/groups.*";
+  private static final String API_CLUSTERS_ALL_PATTERN = API_VERSION_PREFIX + "/clusters.*";
+  private static final String API_VIEWS_ALL_PATTERN = API_VERSION_PREFIX + "/views.*";
+  private static final String API_PERSIST_ALL_PATTERN = API_VERSION_PREFIX + "/persist.*";
   private static final String API_LDAP_SYNC_EVENTS_ALL_PATTERN = API_VERSION_PREFIX + "/ldap_sync_events.*";
-  private static final String API_CREDENTIALS_ALL_PATTERN      = API_VERSION_PREFIX + "/clusters/.*?/credentials.*";
-  private static final String API_CREDENTIALS_AMBARI_PATTERN   = API_VERSION_PREFIX + "/clusters/.*?/credentials/ambari\\..*";
+  private static final String API_CREDENTIALS_ALL_PATTERN = API_VERSION_PREFIX + "/clusters/.*?/credentials.*";
+  private static final String API_CREDENTIALS_AMBARI_PATTERN = API_VERSION_PREFIX + "/clusters/.*?/credentials/ambari\\..*";
 
   protected static final String LOGIN_REDIRECT_BASE = "/#/login?targetURI=";
 
+  /**
+   * Access to Ambari configuration data
+   */
+  @Inject
+  private Configuration configuration;
+
+  /**
+   * Access to user information
+   */
+  @Inject
+  private Users users;
+
   /**
    * The realm to use for the basic http auth
    */
@@ -79,7 +97,7 @@ public class AmbariAuthorizationFilter implements Filter {
 
   @Override
   public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
-    HttpServletRequest  httpRequest  = (HttpServletRequest) request;
+    HttpServletRequest httpRequest = (HttpServletRequest) request;
     HttpServletResponse httpResponse = (HttpServletResponse) response;
 
     String requestURI = httpRequest.getRequestURI();
@@ -87,6 +105,16 @@ public class AmbariAuthorizationFilter implements Filter {
     SecurityContext context = getSecurityContext();
 
     Authentication authentication = context.getAuthentication();
+
+    //  If no explicit authenticated user is set, set it to the default user (if one is specified)
+    if (authentication == null || authentication instanceof AnonymousAuthenticationToken) {
+      Authentication defaultAuthentication = getDefaultAuthentication();
+      if (defaultAuthentication != null) {
+        context.setAuthentication(authentication);
+        authentication = defaultAuthentication;
+      }
+    }
+
     if (authentication == null || !authentication.isAuthenticated()) {
       String token = httpRequest.getHeader(INTERNAL_TOKEN_HEADER);
       if (token != null) {
@@ -104,7 +132,7 @@ public class AmbariAuthorizationFilter implements Filter {
           httpResponse.sendError(HttpServletResponse.SC_FORBIDDEN, "Authentication required");
         }
       }
-    } else if(!authorizationPerformedInternally(requestURI)) {
+    } else if (!authorizationPerformedInternally(requestURI)) {
       boolean authorized = false;
 
       for (GrantedAuthority grantedAuthority : authentication.getAuthorities()) {
@@ -135,7 +163,7 @@ public class AmbariAuthorizationFilter implements Filter {
             }
           } else if (requestURI.matches(API_CLUSTERS_ALL_PATTERN)) {
             if (permissionId.equals(PermissionEntity.CLUSTER_USER_PERMISSION) ||
-              permissionId.equals(PermissionEntity.CLUSTER_ADMINISTRATOR_PERMISSION)) {
+                permissionId.equals(PermissionEntity.CLUSTER_ADMINISTRATOR_PERMISSION)) {
               authorized = true;
               break;
             }
@@ -170,10 +198,10 @@ public class AmbariAuthorizationFilter implements Filter {
       // allow GET for everything except /views, /api/v1/users, /api/v1/groups, /api/v1/ldap_sync_events
       if (!authorized &&
           (!httpRequest.getMethod().equals("GET")
-            || requestURI.matches(VIEWS_CONTEXT_ALL_PATTERN)
-            || requestURI.matches(API_GROUPS_ALL_PATTERN)
-            || requestURI.matches(API_CREDENTIALS_ALL_PATTERN)
-            || requestURI.matches(API_LDAP_SYNC_EVENTS_ALL_PATTERN))) {
+              || requestURI.matches(VIEWS_CONTEXT_ALL_PATTERN)
+              || requestURI.matches(API_GROUPS_ALL_PATTERN)
+              || requestURI.matches(API_CREDENTIALS_ALL_PATTERN)
+              || requestURI.matches(API_LDAP_SYNC_EVENTS_ALL_PATTERN))) {
 
         httpResponse.setHeader("WWW-Authenticate", "Basic realm=\"" + realm + "\"");
         httpResponse.sendError(HttpServletResponse.SC_FORBIDDEN, "You do not have permissions to access this resource.");
@@ -188,6 +216,37 @@ public class AmbariAuthorizationFilter implements Filter {
     chain.doFilter(request, response);
   }
 
+  /**
+   * Creates the default Authentication if a default user is configured
+   *
+   * @return an Authentication representing the default user
+   */
+  private Authentication getDefaultAuthentication() {
+    Authentication defaultUser = null;
+
+    if ((configuration != null) && (users != null)) {
+      String username = configuration.getDefaultApiAuthenticatedUser();
+
+      if (!StringUtils.isEmpty(username)) {
+        final User user = users.getAnyUser(username);
+
+        if (user != null) {
+          Principal principal = new Principal() {
+            @Override
+            public String getName() {
+              return user.getUserName();
+            }
+          };
+
+          defaultUser = new UsernamePasswordAuthenticationToken(principal, null,
+              users.getUserAuthorities(user.getUserName(), user.getUserType()));
+        }
+      }
+    }
+
+    return defaultUser;
+  }
+
   /**
    * Tests the URI to determine if authorization checks are performed internally or should be
    * performed in the filter.
@@ -211,10 +270,9 @@ public class AmbariAuthorizationFilter implements Filter {
   /**
    * Get the parameter value from the given servlet filter configuration.
    *
-   * @param filterConfig   the servlet configuration
-   * @param parameterName  the parameter name
-   * @param defaultValue   the default value
-   *
+   * @param filterConfig  the servlet configuration
+   * @param parameterName the parameter name
+   * @param defaultValue  the default value
    * @return the parameter value or the default value if not set
    */
   private static String getParameterValue(

ambari-server/src/main/java/org/apache/ambari/server/state/cluster/ClustersImpl.java

@@ -893,8 +893,7 @@ public class ClustersImpl implements Clusters {
 
     Cluster cluster = findCluster(clusterName);
 
-    return (cluster == null && readOnly) || !configuration.getApiAuthentication()
-      || checkPermission(cluster, readOnly);
+    return (cluster == null && readOnly) || checkPermission(cluster, readOnly);
   }
 
   @Override

ambari-server/src/main/java/org/apache/ambari/server/view/ViewRegistry.java

@@ -755,8 +755,7 @@ public class ViewRegistry {
 
     ResourceEntity resourceEntity = instanceEntity == null ? null : instanceEntity.getResource();
 
-    return !configuration.getApiAuthentication() ||
-        (resourceEntity == null && readOnly) || checkAuthorization(resourceEntity);
+    return (resourceEntity == null && readOnly) || checkAuthorization(resourceEntity);
   }
 
   /**

ambari-server/src/test/java/org/apache/ambari/server/view/ViewRegistryTest.java

@@ -1249,7 +1249,6 @@ public class ViewRegistryTest {
     expect(privilegeEntity.getPermission()).andReturn(permissionEntity);
     expect(permissionEntity.getId()).andReturn(PermissionEntity.AMBARI_ADMINISTRATOR_PERMISSION);
 
-    expect(configuration.getApiAuthentication()).andReturn(true);
     replay(securityHelper, adminAuthority, privilegeEntity, permissionEntity, configuration);
 
     Assert.assertTrue(registry.includeDefinition(viewEntity));
@@ -1270,7 +1269,6 @@ public class ViewRegistryTest {
     EasyMock.expectLastCall().andReturn(authorities);
     expect(viewEntity.getInstances()).andReturn(instances);
 
-    expect(configuration.getApiAuthentication()).andReturn(true);
     replay(securityHelper, viewEntity, configuration);
 
     Assert.assertFalse(registry.includeDefinition(viewEntity));
@@ -1302,7 +1300,6 @@ public class ViewRegistryTest {
     expect(permissionEntity.getId()).andReturn(PermissionEntity.VIEW_USER_PERMISSION).anyTimes();
     securityHelper.getCurrentAuthorities();
     EasyMock.expectLastCall().andReturn(authorities).anyTimes();
-    expect(configuration.getApiAuthentication()).andReturn(true);
     replay(securityHelper, viewEntity, instanceEntity, viewUseAuthority, privilegeEntity, permissionEntity, configuration);
 
     Assert.assertTrue(registry.includeDefinition(viewEntity));
@@ -1346,19 +1343,6 @@ public class ViewRegistryTest {
     testOnAmbariEventServiceCreation(AUTO_VIEW_XML, serviceNames, false);
   }
 
-  @Test
-  public void testIncludeDefinitionForNoApiAuthentication() {
-    ViewRegistry registry = ViewRegistry.getInstance();
-    ViewEntity viewEntity = createNiceMock(ViewEntity.class);
-
-    expect(configuration.getApiAuthentication()).andReturn(false);
-    replay(securityHelper, viewEntity, configuration);
-
-    Assert.assertTrue(registry.includeDefinition(viewEntity));
-
-    verify(securityHelper, viewEntity, configuration);
-  }
-
   @Test
   public void testCheckViewVersions() {
     ViewRegistry registry = ViewRegistry.getInstance();

ambari-server/src/test/python/stacks/2.3/common/services-hawq-1-host.json

@@ -2553,7 +2553,6 @@
     "jdk1.8.desc" : "Oracle JDK 1.8 + Java Cryptography Extension (JCE) Policy Files 8",
     "server.fqdn.service.url" : "http://169.254.169.254/latest/meta-data/public-hostname",
     "metadata.path" : "/var/lib/ambari-server/resources/stacks",
-    "api.authenticate" : "true",
     "views.request.connect.timeout.millis" : "5000",
     "skip.service.checks" : "false",
     "stackadvisor.script" : "/var/lib/ambari-server/resources/scripts/stack_advisor.py",

ambari-server/src/test/python/stacks/2.3/common/services-hawq-3-hosts.json

@@ -2553,7 +2553,6 @@
     "jdk1.8.desc" : "Oracle JDK 1.8 + Java Cryptography Extension (JCE) Policy Files 8",
     "server.fqdn.service.url" : "http://169.254.169.254/latest/meta-data/public-hostname",
     "metadata.path" : "/var/lib/ambari-server/resources/stacks",
-    "api.authenticate" : "true",
     "views.request.connect.timeout.millis" : "5000",
     "skip.service.checks" : "false",
     "stackadvisor.script" : "/var/lib/ambari-server/resources/scripts/stack_advisor.py",

ambari-server/src/test/python/stacks/2.3/common/services-master_ambari_colo-3-hosts.json

@@ -2553,7 +2553,6 @@
     "jdk1.8.desc" : "Oracle JDK 1.8 + Java Cryptography Extension (JCE) Policy Files 8",
     "server.fqdn.service.url" : "http://169.254.169.254/latest/meta-data/public-hostname",
     "metadata.path" : "/var/lib/ambari-server/resources/stacks",
-    "api.authenticate" : "true",
     "views.request.connect.timeout.millis" : "5000",
     "skip.service.checks" : "false",
     "stackadvisor.script" : "/var/lib/ambari-server/resources/scripts/stack_advisor.py",

ambari-server/src/test/python/stacks/2.3/common/services-master_standby_colo-3-hosts.json

@@ -2553,7 +2553,6 @@
     "jdk1.8.desc" : "Oracle JDK 1.8 + Java Cryptography Extension (JCE) Policy Files 8",
     "server.fqdn.service.url" : "http://169.254.169.254/latest/meta-data/public-hostname",
     "metadata.path" : "/var/lib/ambari-server/resources/stacks",
-    "api.authenticate" : "true",
     "views.request.connect.timeout.millis" : "5000",
     "skip.service.checks" : "false",
     "stackadvisor.script" : "/var/lib/ambari-server/resources/scripts/stack_advisor.py",

ambari-server/src/test/python/stacks/2.3/common/services-nohawq-3-hosts.json

@@ -2203,7 +2203,6 @@
     "jdk1.8.desc" : "Oracle JDK 1.8 + Java Cryptography Extension (JCE) Policy Files 8",
     "server.fqdn.service.url" : "http://169.254.169.254/latest/meta-data/public-hostname",
     "metadata.path" : "/var/lib/ambari-server/resources/stacks",
-    "api.authenticate" : "true",
     "views.request.connect.timeout.millis" : "5000",
     "skip.service.checks" : "false",
     "stackadvisor.script" : "/var/lib/ambari-server/resources/scripts/stack_advisor.py",

ambari-server/src/test/python/stacks/2.3/common/services-normal-hawq-3-hosts.json

@@ -2553,7 +2553,6 @@
     "jdk1.8.desc" : "Oracle JDK 1.8 + Java Cryptography Extension (JCE) Policy Files 8",
     "server.fqdn.service.url" : "http://169.254.169.254/latest/meta-data/public-hostname",
     "metadata.path" : "/var/lib/ambari-server/resources/stacks",
-    "api.authenticate" : "true",
     "views.request.connect.timeout.millis" : "5000",
     "skip.service.checks" : "false",
     "stackadvisor.script" : "/var/lib/ambari-server/resources/scripts/stack_advisor.py",

ambari-server/src/test/python/stacks/2.3/common/services-normal-nohawq-3-hosts.json

@@ -2203,7 +2203,6 @@
     "jdk1.8.desc" : "Oracle JDK 1.8 + Java Cryptography Extension (JCE) Policy Files 8",
     "server.fqdn.service.url" : "http://169.254.169.254/latest/meta-data/public-hostname",
     "metadata.path" : "/var/lib/ambari-server/resources/stacks",
-    "api.authenticate" : "true",
     "views.request.connect.timeout.millis" : "5000",
     "skip.service.checks" : "false",
     "stackadvisor.script" : "/var/lib/ambari-server/resources/scripts/stack_advisor.py",

ambari-server/src/test/python/stacks/2.3/common/services-standby_ambari_colo-3-hosts.json

@@ -2553,7 +2553,6 @@
     "jdk1.8.desc" : "Oracle JDK 1.8 + Java Cryptography Extension (JCE) Policy Files 8",
     "server.fqdn.service.url" : "http://169.254.169.254/latest/meta-data/public-hostname",
     "metadata.path" : "/var/lib/ambari-server/resources/stacks",
-    "api.authenticate" : "true",
     "views.request.connect.timeout.millis" : "5000",
     "skip.service.checks" : "false",
     "stackadvisor.script" : "/var/lib/ambari-server/resources/scripts/stack_advisor.py",

ambari-web/app/assets/data/services/ambari.json

@@ -25,7 +25,6 @@
           "agent.task.timeout" : "600",
           "agent.threadpool.size.max" : "25",
           "ambari-server.user" : "root",
-          "api.authenticate" : "true",
           "bootstrap.dir" : "/var/run/ambari-server/bootstrap",
           "bootstrap.script" : "/usr/lib/python2.6/site-packages/ambari_server/bootstrap.py",
           "bootstrap.setup_agent.script" : "/usr/lib/python2.6/site-packages/ambari_server/setupAgent.py",

contrib/ambari-scom/ambari-scom-server/conf/ambari.properties

@@ -19,7 +19,6 @@
 #
 
 server.connection.max.idle.millis=900000
-api.authenticate=false
 server.os_type=windows2012
 server.persistence.type=in-memory
 security.passwords.encryption.enabled=false

contrib/ambari-scom/ambari-scom-server/src/test/resources/ambari.properties

@@ -26,9 +26,8 @@ webapp.dir=/usr/lib/ambari-server/web
 bootstrap.dir=/var/run/ambari-server/bootstrap
 bootstrap.script=/usr/lib/python2.6/site-packages/ambari_server/bootstrap.py
 bootstrap.setup_agent.script=/usr/lib/python2.6/site-packages/ambari_server/setupAgent.py
-api.authenticate=true
 server.connection.max.idle.millis=900000
 server.fqdn.service.url=http://169.254.169.254/latest/meta-data/public-hostname
 
 scom.sink.db.url=jdbc:sqlserver://10.0.2.2:2301;databaseName=HadoopMonitoring;user=sink
-scom.sink.db.driver=com.microsoft.sqlserver.jdbc.SQLServerDriver
+scom.sink.db.driver=com.microsoft.sqlserver.jdbc.SQLServerDriver