fix #1247, add authentication for UI #1857

Merged: 1 commit merged from the security branch into gearpump:master on Jan 13, 2016

Conversation

clockfly (Member)

Add authentication for UI dashboard.

/**
 * It has three categories of users: admins, users, and guests.
 * Admins have unlimited permission, like shutting down a cluster or adding/removing machines.
 * Users have limited permission, e.g. to submit an application.
 * Guests cannot submit/kill applications, but can view the application status.
 *
 * See the conf/gear.conf section gearpump.security.config-file-based-authenticator for information
 * about how to configure this authenticator.
 *
 * [Security consideration]
 * It keeps a one-way sha1 digest of the password instead of the password itself. The original password is NOT
 * kept in any way, so generally it is safe.
 *
 * digesting flow (from original password to digest):
 * random salt byte array of length 8 -> byte array of (salt + sha1(salt, password)) -> base64Encode
 *
 * verifying a user-input password against the stored digest:
 * base64Decode -> extract salt -> do sha1(salt, password) -> generate digest: salt + sha1 ->
 * compare the generated digest with the stored digest.
 *
 */
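The digest and verification flow described in the comment above, written out as an added, runnable Python example. This is not the project's Scala code: it assumes that sha1(salt, password) means SHA-1 over the concatenation salt || UTF-8(password), and it pairs the described scheme with the checks a reviewer would ask for (length and base64 validation of the stored value, constant-time comparison). The pbkdf2_* functions and the PBKDF2_ITERATIONS value are a reviewer's suggestion, not anything the PR contains; they show what an iterated, self-describing digest looks like next to the single-pass SHA-1 form.

```python
import base64
import binascii
import hashlib
import hmac
import os
from typing import Optional

SALT_LEN = 8                             # the PR comment specifies an 8-byte random salt
SHA1_LEN = hashlib.sha1().digest_size    # 20 bytes


def sha1_digest(password: str, salt: Optional[bytes] = None) -> str:
    """Stored form from the PR comment: base64(salt || sha1(salt || password)).

    Assumption: sha1(salt, password) is SHA-1 over the concatenation of the two.
    A fixed salt may be passed for deterministic tests; real callers leave it None.
    """
    if salt is None:
        salt = os.urandom(SALT_LEN)
    if len(salt) != SALT_LEN:
        raise ValueError("salt must be exactly %d bytes" % SALT_LEN)
    mac = hashlib.sha1(salt + password.encode("utf-8")).digest()
    return base64.b64encode(salt + mac).decode("ascii")


def sha1_verify(password: str, stored: str) -> bool:
    """Verification flow: base64-decode, split off the salt, recompute, compare.

    Malformed stored values (bad base64, wrong length) are rejected instead of raising,
    and the comparison is constant-time so a near-miss costs the same as a total miss.
    """
    try:
        raw = base64.b64decode(stored, validate=True)
    except (binascii.Error, ValueError):
        return False
    if len(raw) != SALT_LEN + SHA1_LEN:
        return False
    salt, expected = raw[:SALT_LEN], raw[SALT_LEN:]
    actual = hashlib.sha1(salt + password.encode("utf-8")).digest()
    return hmac.compare_digest(actual, expected)


# --- hardened variant: reviewer's suggestion, not part of the PR ----------------
PBKDF2_ITERATIONS = 200_000   # hypothetical tuning value; raise until one hash costs ~100 ms


def pbkdf2_digest(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Self-describing form: pbkdf2-sha256$<iterations>$<b64 salt>$<b64 key>."""
    if salt is None:
        salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2-sha256$%d$%s$%s" % (
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(key).decode("ascii"),
    )


def pbkdf2_verify(password: str, stored: str) -> bool:
    """Parse the self-describing form, recompute with the stored parameters, compare."""
    try:
        scheme, iters, salt_b64, key_b64 = stored.split("$")
        if scheme != "pbkdf2-sha256":
            return False
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(key_b64, validate=True)
        iterations = int(iters)
    except (binascii.Error, ValueError):
        return False
    if iterations < 1:
        return False
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    stored = sha1_digest("correct horse")   # constructed sample credential
    print(stored, sha1_verify("correct horse", stored), sha1_verify("wrong", stored))
```

The 8-byte salt stops precomputed tables from covering every account at once, but a single SHA-1 round is still cheap enough that an attacker holding the config file can test hundreds of millions of guesses per second on commodity hardware; that is why the iterated form above records its own cost parameters, so the operator can raise them later without rewriting stored values.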

} else if (guests.contains(user)) {
new Result(verify(user, password, guests), isAdministrator = false)
} else {
new Result(authenticated = false, isAdministrator = false)
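Review bot: the final else branch returns Result(authenticated = false, isAdministrator = false) without computing any digest, while the guests branch (and whatever branches precede it outside this snippet) goes through verify(); an unknown username is therefore answered measurably faster than a known username with a wrong password, which lets a caller enumerate configured accounts by timing the login endpoint. Suggest running verify() against a fixed dummy digest in the else case, or otherwise equalising the work on both failure paths, and adding a comment above the chain stating how the admin/user/guest categories from the description map onto these branches, since the mapping is not visible from the code alone.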
Member
I think a user has higher privilege than a guest. So what is the expected else case for "!admin && !guest"? If only authenticated persons are able to access the system, then I'd suggest changing "guest" to "user".

Member Author
No, I don't think so. Guest means there is no permission to modify.

@clockfly force-pushed the security branch 12 times, most recently from 3f767ca to 562bd9f on January 13, 2016 07:00
maxAgeSeconds = 3600
encryptData = true
}
}
}
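Review bot: neither maxAgeSeconds = 3600 nor encryptData = true carries a comment, and an operator editing gear.conf has no way to tell from this fragment what they control. Suggest a comment stating that maxAgeSeconds is the session cookie lifetime in seconds (and whether it is refreshed on activity or counts from login) and that encryptData only protects the cookie payload for as long as the server secret it is encrypted under, configured elsewhere and not shown here, stays out of version control and logs.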
Contributor
Will akka.session still be used if security.ui-authentication-enabled = false?

Member Author
It will not.
If security.ui-authentication-enabled is false, then it behaves the same as 0.7.3.

@kkasravi (Contributor)

+1, although I have not tested in a CDH environment. @clockfly, if you merge, then let me test in a CDH environment before you tag 0.7.4. Thanks.

@kkasravi (Contributor)

Build failed under 2.10

sbt.ResolveException: unresolved dependency: com.softwaremill#akka-http-session_2.10;0.1.4: not found
    at sbt.IvyActions$.sbt$IvyActions$$resolve(IvyActions.scala:294)
    at sbt.IvyActions$$anonfun$updateEither$1.apply(IvyActions.scala:191)
    at sbt.IvyActions$$anonfun$updateEither$1.apply(IvyActions.scala:168)
    at sbt.IvySbt$Module$$anonfun$withModule$1.apply(Ivy.scala:155)
    at sbt.IvySbt$Module$$anonfun$withModule$1.apply(Ivy.scala:155)
    at sbt.IvySbt$$anonfun$withIvy$1.apply(Ivy.scala:132)
    at sbt.IvySbt.sbt$IvySbt$$action$1(Ivy.scala:57)
    at sbt.IvySbt$$anon$4.call(Ivy.scala:65)
    at xsbt.boot.Locks$GlobalLock.withChannel$1(Locks.scala:93)
    at xsbt.boot.Locks$GlobalLock.xsbt$boot$Locks$GlobalLock$$withChannelRetries$1(Locks.scala:78)
    at xsbt.boot.Locks$GlobalLock$$anonfun$withFileLock$1.apply(Locks.scala:97)
    at xsbt.boot.Using$.withResource(Using.scala:10)
    at xsbt.boot.Using$.apply(Using.scala:9)
    at xsbt.boot.Locks$GlobalLock.ignoringDeadlockAvoided(Locks.scala:58)
    at xsbt.boot.Locks$GlobalLock.withLock(Locks.scala:48)
    at xsbt.boot.Locks$.apply0(Locks.scala:31)
    at xsbt.boot.Locks$.apply(Locks.scala:28)
    at sbt.IvySbt.withDefaultLogger(Ivy.scala:65)
    at sbt.IvySbt.withIvy(Ivy.scala:127)
    at sbt.IvySbt.withIvy(Ivy.scala:124)
    at sbt.IvySbt$Module.withModule(Ivy.scala:155)
    at sbt.IvyActions$.updateEither(IvyActions.scala:168)
    at sbt.Classpaths$$anonfun$sbt$Classpaths$$work$1$1.apply(Defaults.scala:1392)
    at sbt.Classpaths$$anonfun$sbt$Classpaths$$work$1$1.apply(Defaults.scala:1388)
    at sbt.Classpaths$$anonfun$doWork$1$1$$anonfun$90.apply(Defaults.scala:1422)
    at sbt.Classpaths$$anonfun$doWork$1$1$$anonfun$90.apply(Defaults.scala:1420)
    at sbt.Tracked$$anonfun$lastOutput$1.apply(Tracked.scala:37)
    at sbt.Classpaths$$anonfun$doWork$1$1.apply(Defaults.scala:1425)
    at sbt.Classpaths$$anonfun$doWork$1$1.apply(Defaults.scala:1419)
    at sbt.Tracked$$anonfun$inputChanged$1.apply(Tracked.scala:60)
    at sbt.Classpaths$.cachedUpdate(Defaults.scala:1442)
    at sbt.Classpaths$$anonfun$updateTask$1.apply(Defaults.scala:1371)
    at sbt.Classpaths$$anonfun$updateTask$1.apply(Defaults.scala:1325)
    at scala.Function1$$anonfun$compose$1.apply(Function1.scala:47)
    at sbt.$tilde$greater$$anonfun$$u2219$1.apply(TypeFunctions.scala:40)
    at sbt.std.Transform$$anon$4.work(System.scala:63)
    at sbt.Execute$$anonfun$submit$1$$anonfun$apply$1.apply(Execute.scala:226)
    at sbt.Execute$$anonfun$submit$1$$anonfun$apply$1.apply(Execute.scala:226)
    at sbt.ErrorHandling$.wideConvert(ErrorHandling.scala:17)
    at sbt.Execute.work(Execute.scala:235)
    at sbt.Execute$$anonfun$submit$1.apply(Execute.scala:226)
    at sbt.Execute$$anonfun$submit$1.apply(Execute.scala:226)
    at sbt.ConcurrentRestrictions$$anon$4$$anonfun$1.apply(ConcurrentRestrictions.scala:159)
    at sbt.CompletionService$$anon$2.call(CompletionService.scala:28)
    at java.util.concurrent.FutureTask.run(FutureTask.java:262)
    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471)
    at java.util.concurrent.FutureTask.run(FutureTask.java:262)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
    at java.lang.Thread.run(Thread.java:745)
[error] (gearpump-servicesJVM/*:update) sbt.ResolveException: unresolved dependency: com.softwaremill#akka-http-session_2.10;0.1.4: not found
[error] Total time: 336 s, completed Jan 13, 2016 7:07:30 AM

@clockfly force-pushed the security branch 4 times, most recently from edb07af to aab877c on January 13, 2016 13:35
@clockfly (Member Author)

@kkasravi
Fixed, I built an unofficial repo for akka-http-session for Scala 2.10.

@clockfly force-pushed the security branch 2 times, most recently from 5d9cbc9 to f569baf on January 13, 2016 15:59
@codecov-io

Current coverage is 63.06%

Merging #1857 into master will decrease coverage by 1.08% as of 055d7f7

@@            master   #1857   diff @@
======================================
  Files          166     172     +6
  Stmts         5026    5171   +145
  Branches       551     572    +21
  Methods                          
======================================
+ Hit           3224    3261    +37
  Partial          0       0       
- Missed        1802    1910   +108



Uncovered Suggestions

  1. +0.29% via ...cutor/Executor.scala#271...285
  2. +0.25% via .../master/Master.scala#123...135
  3. +0.21% via ...er/main/Master.scala#177...187
  4. See 7 more...


clockfly added a commit that referenced this pull request Jan 13, 2016
fix #1247, add authentication for UI
@clockfly clockfly merged commit 514beaa into gearpump:master Jan 13, 2016
@clockfly clockfly deleted the security branch January 15, 2016 08:07