  1. Atlas
  2. ATLAS-2166

On refreshing Atlas page logged in via Knox proxy, which has ATLASSESSION ID expired (idle for a long time), logs in as knox user.


Details

    • Bug
    • Status: Resolved
    • Major
    • Resolution: Fixed
    • 0.8.2, 1.0.0
    • 0.8.2, 1.0.0
    • atlas-intg
    • None

    Description

      1. Added the following topology ui.xml in knox topologies:

      <topology>
          <gateway>
              <provider>
                  <role>authentication</role>
                  <name>Anonymous</name>
                  <enabled>true</enabled>
              </provider>
              <provider>
                  <role>identity-assertion</role>
                  <name>Default</name>
                  <enabled>false</enabled>
              </provider>
          </gateway>
          <service>
              <role>ATLAS</role>
              <url>http://atlashost:21000</url>
          </service>
          <service>
              <role>ATLAS-API</role>
              <url>http://atlashost:21000</url>
          </service>
      </topology>
      

      2. Accessed Atlas UI via knox proxy:

      https://knoxhost:8443/gateway/ui/atlas/
      

      with user admin.

      3. Left the page idle for a long time (approx. 60 mins). When refreshed, expected that it would land in login.jsp and ask for username and password. Instead, it logged in as knox user.

      Following logs from application logs:

      2017-09-22 07:17:23,267 INFO  - [Thread-6:] ~ TGT valid starting at:        Fri Sep 22 07:17:23 UTC 2017 (Login:302)
      2017-09-22 07:17:23,268 INFO  - [Thread-6:] ~ TGT expires:                  Sat Sep 23 07:17:23 UTC 2017 (Login:303)
      2017-09-22 07:17:23,268 INFO  - [Thread-6:] ~ TGT refresh sleeping until: Sat Sep 23 03:38:59 UTC 2017 (Login:181)
      2017-09-22 08:28:23,731 INFO  - [pool-2-thread-9:] ~ Logged into Atlas as = knox (AtlasAuthenticationFilter:291)
      2017-09-22 08:28:23,732 INFO  - [pool-2-thread-9:knox:POST/api/atlas/v2/search/basic] ~ Request from authenticated user: knox, URL=/api/atlas/v2/search/basic (AtlasAuthenticationFilter:305)
      2017-09-22 08:28:26,685 INFO  - [org.apache.ranger.audit.queue.AuditBatchQueue1:] ~ Audit Status Log: name=atlas.async.multi_dest.batch.solr, interval=01:40:30.245 hours, events=1, succcessCount=1, totalEvents=363, totalSuccessCount=363 (BaseAuditHandler:310)
      2017-09-22 08:28:26,706 INFO  - [org.apache.ranger.audit.queue.AuditBatchQueue0:] ~ Audit Status Log: name=atlas.async.multi_dest.batch.hdfs, interval=01:40:30.247 hours, events=1, succcessCount=1, totalEvents=363, totalSuccessCount=363 (BaseAuditHandler:310)
      

      Note: Accessed Atlas UI at 08:28:23,731 after 07:17:23,268

      No suspicious logs from knox gateway.log.

      4. Tried to reproduce the issue by deleting the ATLASSESSIONID and refreshed the page. This time it landed in login.jsp correctly.

      Not sure what other cases can reproduce this issue.

      Attached the video recording of the scenario explained.

      Note: Ranger Atlas plugin is enabled. Not sure where Atlas fetches the knox user from. Atlas' users-credentials.properties has only admin and rangertagsync users.

      Attachments

        1. ATLAS-2166.2.patch
          3 kB
          Nixon Rodrigues
        2. ATLAS-2166.patch
          2 kB
          Nixon Rodrigues
        3. Atlas_knox_proxy_1.mov
          11.55 MB
          Sharmadha S
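
A check for the symptom shown in the application log above, as an added example that is not part of the issue or of Atlas itself: it scans AtlasAuthenticationFilter entries and flags logins and requests attributed to the gateway's own account instead of an end user. The function name, the `PROXY_ACCOUNTS` set and the two `admin` sample lines are assumptions made for illustration.

```python
import re

# Constructed sample: the two "admin" lines are made up for contrast; the two
# "knox" lines are copied from the application log quoted in the report.
SAMPLE_LOG = """\
2017-09-22 07:10:02,114 INFO  - [pool-2-thread-4:] ~ Logged into Atlas as = admin (AtlasAuthenticationFilter:291)
2017-09-22 07:10:02,115 INFO  - [pool-2-thread-4:admin:GET/api/atlas/v2/types/typedefs] ~ Request from authenticated user: admin, URL=/api/atlas/v2/types/typedefs (AtlasAuthenticationFilter:305)
2017-09-22 08:28:23,731 INFO  - [pool-2-thread-9:] ~ Logged into Atlas as = knox (AtlasAuthenticationFilter:291)
2017-09-22 08:28:23,732 INFO  - [pool-2-thread-9:knox:POST/api/atlas/v2/search/basic] ~ Request from authenticated user: knox, URL=/api/atlas/v2/search/basic (AtlasAuthenticationFilter:305)
"""

# Assumption: "knox" is the gateway's own account, as in the report's logs.
PROXY_ACCOUNTS = frozenset({"knox"})

EVENT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}) .*? ~ "
    r"(?:Logged into Atlas as = (?P<login>\S+)"
    r"|Request from authenticated user: (?P<req>[^,\s]+), URL=(?P<url>\S+))"
    r" \(AtlasAuthenticationFilter:\d+\)"
)


def find_proxy_identity_events(log_text, proxy_accounts=PROXY_ACCOUNTS):
    """Return (timestamp, user, kind, url) for every AtlasAuthenticationFilter
    entry whose authenticated user is a proxy account rather than an end user."""
    findings = []
    for line in log_text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue  # other loggers (TGT refresh, Ranger audit) are ignored
        user = m.group("login") or m.group("req")
        if user in proxy_accounts:
            kind = "login" if m.group("login") else "request"
            findings.append((m.group("ts"), user, kind, m.group("url")))
    return findings


if __name__ == "__main__":
    for ts, user, kind, url in find_proxy_identity_events(SAMPLE_LOG):
        print(f"{ts} {kind} as proxy account {user!r} {url or ''}".rstrip())
```
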

            People

              nixon Nixon Rodrigues
              sharmadhas Sharmadha S