diff --git a/auth-agents-common/pom.xml b/auth-agents-common/pom.xml index 7d63912e3d..aa37156d5f 100644 --- a/auth-agents-common/pom.xml +++ b/auth-agents-common/pom.xml @@ -51,7 +51,7 @@ org.apache.atlas - client-keycloak + client-auth ${project.version} diff --git a/auth-agents-common/src/main/java/org/apache/atlas/plugin/util/KeycloakUserStore.java b/auth-agents-common/src/main/java/org/apache/atlas/plugin/util/KeycloakUserStore.java index a73fdcac8d..b322458543 100644 --- a/auth-agents-common/src/main/java/org/apache/atlas/plugin/util/KeycloakUserStore.java +++ b/auth-agents-common/src/main/java/org/apache/atlas/plugin/util/KeycloakUserStore.java @@ -19,9 +19,9 @@ package org.apache.atlas.plugin.util; -import com.google.common.util.concurrent.ThreadFactoryBuilder; import org.apache.atlas.AtlasConfiguration; import org.apache.atlas.RequestContext; +import org.apache.atlas.auth.client.heracles.models.HeraclesRoleViewRepresentation; import org.apache.atlas.exception.AtlasBaseException; import org.apache.atlas.plugin.model.RangerRole; import org.apache.atlas.utils.AtlasPerfMetrics; @@ -33,13 +33,10 @@ import org.slf4j.LoggerFactory; import java.util.*; -import java.util.concurrent.Callable; -import java.util.concurrent.ExecutorService; -import java.util.concurrent.Executors; -import java.util.concurrent.TimeUnit; import java.util.stream.Collectors; -import static org.apache.atlas.keycloak.client.AtlasKeycloakClient.getKeycloakClient; +import static org.apache.atlas.auth.client.keycloak.AtlasKeycloakClient.getKeycloakClient; +import static org.apache.atlas.auth.client.heracles.AtlasHeraclesClient.getHeraclesClient; import static org.apache.atlas.repository.Constants.*; import static org.apache.atlas.repository.util.AccessControlUtils.ARGO_SERVICE_USER_NAME; import static org.apache.atlas.repository.util.AccessControlUtils.BACKEND_SERVICE_USER_NAME; @@ -58,6 +55,14 @@ public class KeycloakUserStore { private static List OPERATION_TYPES = Arrays.asList("CREATE", "UPDATE", "DELETE"); private static List RESOURCE_TYPES = Arrays.asList("USER", "GROUP", "REALM_ROLE", "CLIENT", "REALM_ROLE_MAPPING", "GROUP_MEMBERSHIP", "CLIENT_ROLE_MAPPING"); + private enum KEYCLOAK_FIELDS { + ROLES, + COMPOSITE_ROLES, + GROUPS, + USERS, + + } + private final String serviceName; public KeycloakUserStore(String serviceName) { @@ -72,13 +77,6 @@ public KeycloakUserStore(String serviceName) { } } - public static ExecutorService getExecutorService(String namePattern) { - ExecutorService service = Executors.newFixedThreadPool(NUM_THREADS, - new ThreadFactoryBuilder().setNameFormat(namePattern + Thread.currentThread().getName()) - .build()); - return service; - } - public boolean isKeycloakSubjectsStoreUpdated(long cacheLastUpdatedTime) throws AtlasBaseException { AtlasPerfMetrics.MetricRecorder metricRecorder = RequestContext.get().startMetricRecord("getKeycloakSubjectsStoreUpdatedTime"); if (cacheLastUpdatedTime == -1) { @@ -156,21 +154,62 @@ public RangerRoles loadRolesIfUpdated(long lastUpdatedTime) throws AtlasBaseExce if (!isKeycloakUpdated) { return null; } + RangerRoles rangerRoles = new RangerRoles(); + Map> roleUserMapping = new HashMap<>(); + Set roleSet = new HashSet<>(); - List kRoles = getKeycloakClient().getAllRoles(); - LOG.info("Found {} keycloak roles", kRoles.size()); + int userSize = AtlasConfiguration.HERACLES_CLIENT_PAGINATION_SIZE.getInt(); + int userFrom = 0; + List userRetrievalResult; - Set roleSet = new HashSet<>(); - RangerRoles rangerRoles = new RangerRoles(); - List userNamesList = new ArrayList<>(); + do { + userRetrievalResult = getHeraclesClient().getUsersMappings(userFrom, userSize, new String[]{KEYCLOAK_FIELDS.ROLES.name().toLowerCase()}); + + if (!CollectionUtils.isEmpty(userRetrievalResult)) { + userRetrievalResult.forEach(user -> { + Set userRoles = new HashSet<>(user.getRealmRoles()); + + userRoles.forEach(role -> roleUserMapping + .computeIfAbsent(role, k -> new ArrayList<>()) + .add(new RangerRole.RoleMember(user.getUsername(), false)) + ); + }); + + userFrom += userSize; + } + + } while (!CollectionUtils.isEmpty(userRetrievalResult) && userRetrievalResult.size() % userSize == 0); + + int roleSize = AtlasConfiguration.HERACLES_CLIENT_PAGINATION_SIZE.getInt(); + int roleFrom = 0; + List roleRetrievalResult; + + do { + roleRetrievalResult = getHeraclesClient().getRolesMappings(roleFrom, roleSize, new String[]{KEYCLOAK_FIELDS.COMPOSITE_ROLES.name().toLowerCase(), + KEYCLOAK_FIELDS.GROUPS.name()}); + + if (!CollectionUtils.isEmpty(roleRetrievalResult)) { + roleRetrievalResult.forEach(role -> { + RangerRole rangerRole = new RangerRole(); + rangerRole.setName(role.getName()); + rangerRole.setGroups(role.getGroups().stream() + .map(x -> new RangerRole.RoleMember(x, false)) + .collect(Collectors.toList())); + rangerRole.setUsers(roleUserMapping.get(role.getName())); + rangerRole.setRoles(role.getRoles().stream() + .map(x -> new RangerRole.RoleMember(x, false)) + .collect(Collectors.toList())); + + roleSet.add(rangerRole); + }); + + roleFrom += roleSize; + } + + } while (!CollectionUtils.isEmpty(roleRetrievalResult) && roleRetrievalResult.size() % roleSize == 0); - submitCallablesAndWaitToFinish("RoleSubjectsFetcher", - kRoles.stream() - .map(x -> new RoleSubjectsFetcher(x, roleSet, userNamesList)) - .collect(Collectors.toList())); processDefaultRole(roleSet); - LOG.info("Inverting roles"); invertRoles(roleSet); @@ -187,6 +226,12 @@ public RangerRoles loadRolesIfUpdated(long lastUpdatedTime) throws AtlasBaseExce return rangerRoles; } + private void extractUserGroupMapping(List users, Map> userGroupMapping) { + for (UserRepresentation user : users) { + userGroupMapping.put(user.getUsername(), new HashSet<>(user.getGroups() == null ? Collections.emptyList() : user.getGroups())); + } + } + public void invertRoles(Set roleSet) { Map roleMap = new HashMap<>(); for (RangerRole role : roleSet) { @@ -269,239 +314,39 @@ private void processDefaultRole(Set roleSet) { public RangerUserStore loadUserStoreIfUpdated(long lastUpdatedTime) throws AtlasBaseException { AtlasPerfMetrics.MetricRecorder recorder = RequestContext.get().startMetricRecord("loadUserStoreIfUpdated"); - boolean isKeycloakUpdated = isKeycloakSubjectsStoreUpdated(lastUpdatedTime); if (!isKeycloakUpdated) { return null; } + int userSize = 100; + int userFrom = 0; + boolean userFound = true; Map> userGroupMapping = new HashMap<>(); + List ret = new ArrayList<>(); - List kUsers = getKeycloakClient().getAllUsers(); - LOG.info("Found {} keycloak users", kUsers.size()); - - List> callables = new ArrayList<>(); - kUsers.forEach(x -> callables.add(new UserGroupsFetcher(x, userGroupMapping))); + do { + List users = getHeraclesClient().getUsersMappings(userFrom, userSize, + new String[]{KEYCLOAK_FIELDS.GROUPS.name().toLowerCase()}); + if (CollectionUtils.isEmpty(users)) { + userFound = false; + } else { + ret.addAll(users); + userFrom += userSize; + } + extractUserGroupMapping(users, userGroupMapping); - submitCallablesAndWaitToFinish("UserGroupsFetcher", callables); + } while (userFound && ret.size() % userSize == 0); RangerUserStore userStore = new RangerUserStore(); userStore.setUserGroupMapping(userGroupMapping); - Date current = new Date(); - userStore.setUserStoreUpdateTime(current); + userStore.setUserStoreUpdateTime(new Date()); userStore.setServiceName(serviceName); userStore.setUserStoreVersion(-1L); RequestContext.get().endMetricRecord(recorder); - return userStore; - } - - private static RangerRole keycloakRoleToRangerRole(RoleRepresentation kRole) { - AtlasPerfMetrics.MetricRecorder recorder = RequestContext.get().startMetricRecord("keycloakRolesToRangerRoles"); - RangerRole rangerRole = new RangerRole(); - rangerRole.setName(kRole.getName()); - rangerRole.setDescription(kRole.getDescription() + " " + kRole.getId()); - - RequestContext.get().endMetricRecord(recorder); - return rangerRole; - } - - private static List keycloakGroupsToRangerRoleMember(Set kGroups) { - AtlasPerfMetrics.MetricRecorder recorder = RequestContext.get().startMetricRecord("keycloakGroupsToRangerRoleMember"); - List rangerGroups = new ArrayList<>(); - - for (GroupRepresentation kGroup : kGroups) { - //TODO: Revisit isAdmin flag - rangerGroups.add(new RangerRole.RoleMember(kGroup.getName(), false)); - } - - RequestContext.get().endMetricRecord(recorder); - return rangerGroups; - } - - private static List keycloakUsersToRangerRoleMember(Set kUsers) { - AtlasPerfMetrics.MetricRecorder recorder = RequestContext.get().startMetricRecord("keycloakUsersToRangerRoleMember"); - List rangerUsers = new ArrayList<>(); - - for (UserRepresentation kUser : kUsers) { - //TODO: Revisit isAdmin flag - rangerUsers.add(new RangerRole.RoleMember(kUser.getUsername(), false)); - } - - RequestContext.get().endMetricRecord(recorder); - return rangerUsers; - } - - private static List keycloakRolesToRangerRoleMember(Set kRoles) { - AtlasPerfMetrics.MetricRecorder recorder = RequestContext.get().startMetricRecord("keycloakRolesToRangerRoleMember"); - List rangerRoles = new ArrayList<>(); - - for (RoleRepresentation kRole : kRoles) { - //TODO: Revisit isAdmin flag - rangerRoles.add(new RangerRole.RoleMember(kRole.getName(), false)); - } - - RequestContext.get().endMetricRecord(recorder); - return rangerRoles; - } - - protected static void submitCallablesAndWaitToFinish(String threadName, List> callables) throws AtlasBaseException { - ExecutorService service = getExecutorService(threadName + "-%d-"); - try { - - LOG.info("Submitting callables: {}", threadName); - callables.forEach(service::submit); - - service.shutdown(); - - boolean terminated = service.awaitTermination(Long.MAX_VALUE, TimeUnit.NANOSECONDS); - LOG.info("awaitTermination done: {}", threadName); - - if (!terminated) { - LOG.warn("Time out occurred while waiting to complete {}", threadName); - } - } catch (InterruptedException e) { - throw new AtlasBaseException(); - } - } - - static class RoleSubjectsFetcher implements Callable { - private Set roleSet; - private RoleRepresentation kRole; - List userNamesList; - - public RoleSubjectsFetcher(RoleRepresentation kRole, - Set roleSet, - List userNamesList) { - this.kRole = kRole; - this.roleSet = roleSet; - this.userNamesList = userNamesList; - } - - @Override - public RangerRole call() throws Exception { - AtlasPerfMetrics.MetricRecorder recorder = RequestContext.get().startMetricRecord("roleSubjectsFetcher"); - final RangerRole rangerRole = keycloakRoleToRangerRole(kRole); - - try { - //get all groups for Roles - Thread groupsFetcher = new Thread(() -> { - int start = 0; - int size = AtlasConfiguration.KEYCLOAK_ADMIN_CLIENT_PAGINATION_SIZE.getInt(); - boolean found = true; - Set ret = new HashSet<>(); - - do { - try { - Set kGroups = getKeycloakClient().getRoleGroupMembers(kRole.getName(), start, size); - if (CollectionUtils.isNotEmpty(kGroups)) { - ret.addAll(kGroups); - start += size; - } else { - found = false; - } - } catch (Exception e) { - LOG.error("Failed to get group members with role", e); - throw new RuntimeException(e); - } - - } while (found && ret.size() % size == 0); - - rangerRole.setGroups(keycloakGroupsToRangerRoleMember(ret)); - }); - groupsFetcher.start(); - - //get all users for Roles - Thread usersFetcher = new Thread(() -> { - int start = 0; - int size = AtlasConfiguration.KEYCLOAK_ADMIN_CLIENT_PAGINATION_SIZE.getInt(); - boolean found = true; - Set ret = new HashSet<>(); - - do { - try { - Set userRepresentations = getKeycloakClient().getRoleUserMembers(kRole.getName(), start, size); - if (CollectionUtils.isNotEmpty(userRepresentations)) { - ret.addAll(userRepresentations); - start += size; - } else { - found = false; - } - } catch (Exception e) { - LOG.error("Failed to get users for role {}", kRole.getName(), e); - throw new RuntimeException(e); - } - - } while (found && ret.size() % size == 0); - - rangerRole.setUsers(keycloakUsersToRangerRoleMember(ret)); - userNamesList.addAll(ret); - }); - usersFetcher.start(); - - //get all roles for Roles - Thread subRolesFetcher = new Thread(() -> { - Set kSubRoles = null; - try { - kSubRoles = getKeycloakClient().getRoleComposites(kRole.getName()); - rangerRole.setRoles(keycloakRolesToRangerRoleMember(kSubRoles)); - } catch (AtlasBaseException e) { - LOG.error("Failed to get composite for role {}", kRole.getName(), e); - throw new RuntimeException(e); - } - }); - subRolesFetcher.start(); - - try { - groupsFetcher.join(); - usersFetcher.join(); - subRolesFetcher.join(); - } catch (InterruptedException e) { - LOG.error("Failed to wait for threads to complete: {}", kRole.getName()); - e.printStackTrace(); - } - - RequestContext.get().endMetricRecord(recorder); - roleSet.add(rangerRole); - } catch (Exception e) { - LOG.error("RoleSubjectsFetcher: Failed to process role {}: {}", kRole.getName(), e.getMessage()); - } finally { - RequestContext.get().endMetricRecord(recorder); - } - - return rangerRole; - } - } - - static class UserGroupsFetcher implements Callable { - private Map> userGroupMapping; - private UserRepresentation kUser; - - public UserGroupsFetcher(UserRepresentation kUser, Map> userGroupMapping) { - this.kUser = kUser; - this.userGroupMapping = userGroupMapping; - } - - @Override - public Object call() throws Exception { - AtlasPerfMetrics.MetricRecorder recorder = RequestContext.get().startMetricRecord("userGroupsFetcher"); - - try { - List kGroups = getKeycloakClient().getGroupsForUserById(kUser.getId()); - userGroupMapping.put(kUser.getUsername(), - kGroups.stream() - .map(GroupRepresentation::getName) - .collect(Collectors.toSet())); - - } catch (Exception e) { - LOG.error("UserGroupsFetcher: Failed to process user {}: {}", kUser.getUsername(), e.getMessage()); - } finally { - RequestContext.get().endMetricRecord(recorder); - } - - return null; - } + return userStore; } } diff --git a/auth-agents-common/src/main/java/org/apache/atlas/plugin/util/RangerUserStoreProvider.java b/auth-agents-common/src/main/java/org/apache/atlas/plugin/util/RangerUserStoreProvider.java index 89980504b0..3dd97bcee8 100644 --- a/auth-agents-common/src/main/java/org/apache/atlas/plugin/util/RangerUserStoreProvider.java +++ b/auth-agents-common/src/main/java/org/apache/atlas/plugin/util/RangerUserStoreProvider.java @@ -26,7 +26,6 @@ import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; import org.apache.hadoop.conf.Configuration; -import org.apache.atlas.admin.client.RangerAdminClient; import org.apache.atlas.plugin.service.RangerBasePlugin; import java.io.File; @@ -34,7 +33,6 @@ import java.io.FileWriter; import java.io.Reader; import java.io.Writer; -import java.util.Date; import java.util.HashMap; import java.util.Set; diff --git a/client-keycloak/pom.xml b/client-auth/pom.xml similarity index 98% rename from client-keycloak/pom.xml rename to client-auth/pom.xml index b0a231b0c3..9087a98bed 100644 --- a/client-keycloak/pom.xml +++ b/client-auth/pom.xml @@ -27,7 +27,7 @@ 4.0.0 - client-keycloak + client-auth 8 diff --git a/client-keycloak/src/main/java/org/apache/atlas/keycloak/client/AbstractKeycloakClient.java b/client-auth/src/main/java/org/apache/atlas/auth/client/auth/AbstractAuthClient.java similarity index 69% rename from client-keycloak/src/main/java/org/apache/atlas/keycloak/client/AbstractKeycloakClient.java rename to client-auth/src/main/java/org/apache/atlas/auth/client/auth/AbstractAuthClient.java index 86bdf6fbf7..cb13431384 100644 --- a/client-keycloak/src/main/java/org/apache/atlas/keycloak/client/AbstractKeycloakClient.java +++ b/client-auth/src/main/java/org/apache/atlas/auth/client/auth/AbstractAuthClient.java @@ -1,13 +1,15 @@ -package org.apache.atlas.keycloak.client; +package org.apache.atlas.auth.client.auth; +import com.fasterxml.jackson.databind.DeserializationFeature; import com.fasterxml.jackson.databind.ObjectMapper; import io.micrometer.core.instrument.Timer; +import org.apache.atlas.auth.client.config.AuthConfig; +import org.apache.atlas.auth.client.heracles.RetrofitHeraclesClient; +import org.apache.atlas.auth.client.keycloak.RetrofitKeycloakClient; import okhttp3.*; import okhttp3.logging.HttpLoggingInterceptor; import org.apache.atlas.AtlasErrorCode; import org.apache.atlas.exception.AtlasBaseException; -import org.apache.atlas.keycloak.client.config.KeycloakConfig; -import org.apache.atlas.keycloak.client.service.AtlasKeycloakAuthService; import org.apache.atlas.service.metrics.MetricUtils; import org.slf4j.Logger; import org.slf4j.LoggerFactory; @@ -26,22 +28,23 @@ import static org.apache.atlas.AtlasErrorCode.BAD_REQUEST; import static org.apache.atlas.AtlasErrorCode.RESOURCE_NOT_FOUND; -abstract class AbstractKeycloakClient { +public class AbstractAuthClient { - private final static Logger LOG = LoggerFactory.getLogger(AbstractKeycloakClient.class); + private final static Logger LOG = LoggerFactory.getLogger(AbstractAuthClient.class); private static final Map ERROR_CODE_MAP = new HashMap<>(); - private static final int DEFAULT_KEYCLOAK_RETRY = 3; + private static final int DEFAULT_RETRY = 3; private static final String AUTHORIZATION = "Authorization"; private static final String BEARER = "Bearer "; private static final int TIMEOUT_IN_SEC = 60; private static final String INTEGRATION = "integration"; private static final String KEYCLOAK = "keycloak"; - protected final KeycloakConfig keycloakConfig; - protected final RetrofitKeycloakClient retrofit; + protected final AuthConfig authConfig; + protected final RetrofitKeycloakClient retrofitKeycloakClient; + protected final RetrofitHeraclesClient retrofitHeraclesClient; - private final AtlasKeycloakAuthService authService; + private final KeycloakAuthenticationService authService; private MetricUtils metricUtils = null; static { @@ -49,8 +52,8 @@ abstract class AbstractKeycloakClient { ERROR_CODE_MAP.put(HTTP_BAD_REQUEST, BAD_REQUEST); } - public AbstractKeycloakClient(KeycloakConfig keycloakConfig) { - this.keycloakConfig = keycloakConfig; + public AbstractAuthClient(AuthConfig authConfig) { + this.authConfig = authConfig; this.metricUtils = new MetricUtils(); HttpLoggingInterceptor httpInterceptor = new HttpLoggingInterceptor(); httpInterceptor.setLevel(HttpLoggingInterceptor.Level.BODY); @@ -64,11 +67,15 @@ public AbstractKeycloakClient(KeycloakConfig keycloakConfig) { .writeTimeout(TIMEOUT_IN_SEC, TimeUnit.SECONDS) .readTimeout(TIMEOUT_IN_SEC, TimeUnit.SECONDS) .build(); - this.retrofit = new Retrofit.Builder().client(okHttpClient) - .baseUrl(this.keycloakConfig.getAuthServerUrl()) + this.retrofitKeycloakClient = new Retrofit.Builder().client(okHttpClient) + .baseUrl(this.authConfig.getAuthServerUrl()) .addConverterFactory(JacksonConverterFactory.create(new ObjectMapper())).build() .create(RetrofitKeycloakClient.class); - authService = new AtlasKeycloakAuthService(keycloakConfig); + this.retrofitHeraclesClient = new Retrofit.Builder().client(okHttpClient) + .baseUrl(this.authConfig.getHeraclesApiServerUrl()) + .addConverterFactory(JacksonConverterFactory.create(new ObjectMapper().disable(DeserializationFeature.FAIL_ON_IGNORED_PROPERTIES))).build() + .create(RetrofitHeraclesClient.class); + authService = new KeycloakAuthenticationService(authConfig); } /** @@ -97,21 +104,20 @@ public Response intercept(@NonNull Chain chain) throws IOException { return chain.proceed(request); } }; - /** * Called only during auth failures. */ Authenticator authInterceptor = new Authenticator() { @Override public Request authenticate(Route route, @NonNull Response response) { - if (responseCount(response) > DEFAULT_KEYCLOAK_RETRY) { - LOG.warn("Keycloak: Falling back, retried {} times", DEFAULT_KEYCLOAK_RETRY); + if (responseCount(response) > DEFAULT_RETRY) { + LOG.warn("Auth Client: Falling back, retried {} times", DEFAULT_RETRY); return null; } - LOG.info("Keycloak: Current keycloak token status, Expired: {}", authService.isTokenExpired()); + LOG.info("Auth Client: Current keycloak token status, Expired: {}", authService.isTokenExpired()); return response.request().newBuilder() - .addHeader(AUTHORIZATION, BEARER + authService.getAuthToken()) - .build(); + .addHeader(AUTHORIZATION, BEARER + authService.getAuthToken()) + .build(); } private int responseCount(Response response) { @@ -134,13 +140,14 @@ protected retrofit2.Response processResponse(retrofit2.Call req) throw return response; } String errMsg = response.errorBody().string(); - LOG.error("Keycloak: Client request processing failed code {} message:{}, request: {} {}", + LOG.error("Auth Client: Client request processing failed code {} message:{}, request: {} {}", response.code(), errMsg, req.request().method(), req.request().url()); throw new AtlasBaseException(ERROR_CODE_MAP.getOrDefault(response.code(), BAD_REQUEST), errMsg); } catch (Exception e) { - LOG.error("Keycloak: request failed, request: {} {}, Exception: {}", req.request().method(), req.request().url(), e); - throw new AtlasBaseException(BAD_REQUEST, "Keycloak request failed"); + LOG.error("Auth Client: request failed, request: {} {}, Exception: {}", req.request().method(), req.request().url(), e); + throw new AtlasBaseException(BAD_REQUEST, "Auth request failed"); } } + } diff --git a/client-keycloak/src/main/java/org/apache/atlas/keycloak/client/service/AtlasKeycloakAuthService.java b/client-auth/src/main/java/org/apache/atlas/auth/client/auth/KeycloakAuthenticationService.java similarity index 75% rename from client-keycloak/src/main/java/org/apache/atlas/keycloak/client/service/AtlasKeycloakAuthService.java rename to client-auth/src/main/java/org/apache/atlas/auth/client/auth/KeycloakAuthenticationService.java index fc4d40df7e..a3b3e9255e 100644 --- a/client-keycloak/src/main/java/org/apache/atlas/keycloak/client/service/AtlasKeycloakAuthService.java +++ b/client-auth/src/main/java/org/apache/atlas/auth/client/auth/KeycloakAuthenticationService.java @@ -1,11 +1,11 @@ -package org.apache.atlas.keycloak.client.service; +package org.apache.atlas.auth.client.auth; import com.fasterxml.jackson.databind.ObjectMapper; import okhttp3.*; import okhttp3.logging.HttpLoggingInterceptor; +import org.apache.atlas.auth.client.config.AuthConfig; import org.apache.atlas.exception.AtlasBaseException; -import org.apache.atlas.keycloak.client.RetrofitKeycloakClient; -import org.apache.atlas.keycloak.client.config.KeycloakConfig; +import org.apache.atlas.auth.client.keycloak.RetrofitKeycloakClient; import org.jetbrains.annotations.NotNull; import org.keycloak.representations.AccessTokenResponse; import org.slf4j.Logger; @@ -19,9 +19,9 @@ import static org.apache.atlas.AtlasErrorCode.BAD_REQUEST; -public final class AtlasKeycloakAuthService { +public final class KeycloakAuthenticationService { - public final static Logger LOG = LoggerFactory.getLogger(AtlasKeycloakAuthService.class); + public final static Logger LOG = LoggerFactory.getLogger(KeycloakAuthenticationService.class); private final static String GRANT_TYPE = "grant_type"; private static final String CLIENT_ID = "client_id"; @@ -30,14 +30,14 @@ public final class AtlasKeycloakAuthService { private static final int TIMEOUT_IN_SECS = 60; private final RetrofitKeycloakClient retrofit; - private final KeycloakConfig keycloakConfig; + private final AuthConfig authConfig; private AccessTokenResponse currentAccessToken; private long expirationTime = -1; - public AtlasKeycloakAuthService(KeycloakConfig keycloakConfig) { - this.keycloakConfig = keycloakConfig; + public KeycloakAuthenticationService(AuthConfig authConfig) { + this.authConfig = authConfig; this.retrofit = new Retrofit.Builder().client(getOkHttpClient()) - .baseUrl(this.keycloakConfig.getAuthServerUrl()) + .baseUrl(this.authConfig.getAuthServerUrl()) .addConverterFactory(JacksonConverterFactory.create(new ObjectMapper())).build() .create(RetrofitKeycloakClient.class); } @@ -59,7 +59,7 @@ private OkHttpClient getOkHttpClient() { Interceptor responseLoggingInterceptor = chain -> { Request request = chain.request(); okhttp3.Response response = chain.proceed(request); - LOG.info("Keycloak: Auth Request for url {} Status: {}", request.url(), response.code()); + LOG.info("Auth Client: Auth Request for url {} Status: {}", request.url(), response.code()); return response; }; @@ -70,16 +70,16 @@ public String getAuthToken() { synchronized (this) { if (isTokenExpired()) { try { - retrofit2.Response resp = this.retrofit.grantToken(this.keycloakConfig.getRealmId(), getTokenRequest()).execute(); + retrofit2.Response resp = this.retrofit.grantToken(this.authConfig.getRealmId(), getTokenRequest()).execute(); if (resp.isSuccessful()) { currentAccessToken = resp.body(); expirationTime = currentTime() + currentAccessToken.getExpiresIn() - EXPIRY_OFFSET_SEC; - LOG.info("Keycloak: Auth token fetched with expiry:{} sec", expirationTime); + LOG.info("Auth Client: Auth token fetched with expiry:{} sec", expirationTime); } else { throw new AtlasBaseException(BAD_REQUEST, resp.errorBody().string()); } } catch (Exception e) { - LOG.error("Keycloak: Error while fetching access token for keycloak client.", e); + LOG.error("Auth Client: Error while fetching access token for keycloak client.", e); throw new RuntimeException(e); } } @@ -97,7 +97,7 @@ public boolean isTokenExpired() { } private RequestBody getTokenRequest() { - return new FormBody.Builder().addEncoded(CLIENT_ID, this.keycloakConfig.getClientId()).addEncoded(CLIENT_SECRET, this.keycloakConfig.getClientSecret()).addEncoded(GRANT_TYPE, this.keycloakConfig.getGrantType()).build(); + return new FormBody.Builder().addEncoded(CLIENT_ID, this.authConfig.getClientId()).addEncoded(CLIENT_SECRET, this.authConfig.getClientSecret()).addEncoded(GRANT_TYPE, this.authConfig.getGrantType()).build(); } private long currentTime() { diff --git a/client-auth/src/main/java/org/apache/atlas/auth/client/config/AuthConfig.java b/client-auth/src/main/java/org/apache/atlas/auth/client/config/AuthConfig.java new file mode 100644 index 0000000000..33d98de049 --- /dev/null +++ b/client-auth/src/main/java/org/apache/atlas/auth/client/config/AuthConfig.java @@ -0,0 +1,100 @@ +package org.apache.atlas.auth.client.config; + +import org.apache.atlas.AtlasErrorCode; +import org.apache.atlas.exception.AtlasBaseException; +import org.apache.commons.lang.StringUtils; +import org.codehaus.jettison.json.JSONObject; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +import java.io.File; +import java.nio.charset.StandardCharsets; +import java.nio.file.Files; +import java.util.Optional; + +import static org.apache.atlas.ApplicationProperties.ATLAS_CONFIGURATION_DIRECTORY_PROPERTY; + +public class AuthConfig { + private static final Logger LOG = LoggerFactory.getLogger(AuthConfig.class); + + public String authServerUrl; + public String realmId; + public String clientId; + public String clientSecret; + public String grantType; + public String heraclesApiServerUrl; + + private static final String KEYCLOAK_PROPERTIES = "keycloak.json"; + private static final String DEFAULT_GRANT_TYPE = "client_credentials"; + private static final String KEY_REALM_ID = "realm"; + private static final String KEY_AUTH_SERVER_URL = "auth-server-url"; + private static final String KEY_CLIENT_ID = "resource"; + private static final String KEY_CREDENTIALS = "credentials"; + private static final String KEY_SECRET = "secret"; + + public String getAuthServerUrl() { + return authServerUrl; + } + + public String getRealmId() { + return realmId; + } + + public String getClientId() { + return clientId; + } + + public String getClientSecret() { + return clientSecret; + } + + public String getGrantType() { + return grantType; + } + + public String getHeraclesApiServerUrl() { + return heraclesApiServerUrl; + } + + public static AuthConfig getConfig() throws AtlasBaseException { + String confLocation = System.getProperty(ATLAS_CONFIGURATION_DIRECTORY_PROPERTY); + Optional confFile = getConfigurationFile(confLocation); + + if (confFile.isPresent()) { + try { + JSONObject object = new JSONObject(readFileToString(confFile.get())); + return buildAuthConfigFromJson(object); + } catch (Exception e) { + LOG.error("Error parsing Keycloak configuration: ", e); + throw new AtlasBaseException(AtlasErrorCode.KEYCLOAK_INIT_FAILED, "Error parsing Keycloak configuration"); + } + } else { + throw new AtlasBaseException(AtlasErrorCode.KEYCLOAK_INIT_FAILED, "Keycloak configuration file not found in location " + confLocation); + } + } + + private static Optional getConfigurationFile(String confLocation) { + if (StringUtils.isNotEmpty(confLocation)) { + File confFile = new File(confLocation, KEYCLOAK_PROPERTIES); + if (confFile.exists()) { + return Optional.of(confFile); + } + } + return Optional.empty(); + } + + private static String readFileToString(File file) throws Exception { + return new String(Files.readAllBytes(file.toPath()), StandardCharsets.UTF_8); + } + + private static AuthConfig buildAuthConfigFromJson(JSONObject object) throws Exception { + String realmId = object.getString(KEY_REALM_ID); + String authServerUrl = object.getString(KEY_AUTH_SERVER_URL) + "/"; + String clientId = object.getString(KEY_CLIENT_ID); + String grantType = DEFAULT_GRANT_TYPE; + String clientSecret = object.getJSONObject(KEY_CREDENTIALS).getString(KEY_SECRET); + + LOG.info("Keycloak configuration: REALM_ID:{}, AUTH_SERVER_URL:{}", realmId, authServerUrl); + return AuthConfigBuilder.builder().realId(realmId).authServerUrl(authServerUrl).clientId(clientId).grantType(grantType).clientSecret(clientSecret).build(); + } +} diff --git a/client-auth/src/main/java/org/apache/atlas/auth/client/config/AuthConfigBuilder.java b/client-auth/src/main/java/org/apache/atlas/auth/client/config/AuthConfigBuilder.java new file mode 100644 index 0000000000..552033d2c1 --- /dev/null +++ b/client-auth/src/main/java/org/apache/atlas/auth/client/config/AuthConfigBuilder.java @@ -0,0 +1,55 @@ +package org.apache.atlas.auth.client.config; + +import org.apache.atlas.AtlasConfiguration; + +public class AuthConfigBuilder { + + private String authServerUrl; + private String realmId; + private String clientId; + private String clientSecret; + private String grantType = "client_credentials"; + + private AuthConfigBuilder() { + } + + public static AuthConfigBuilder builder() { + return new AuthConfigBuilder(); + } + + public AuthConfigBuilder authServerUrl(String authServerUrl) { + this.authServerUrl = authServerUrl; + return this; + } + + public AuthConfigBuilder realId(String realId) { + this.realmId = realId; + return this; + } + + public AuthConfigBuilder clientId(String clientId) { + this.clientId = clientId; + return this; + } + + public AuthConfigBuilder clientSecret(String clientSecret) { + this.clientSecret = clientSecret; + return this; + } + + public AuthConfigBuilder grantType(String grantType) { + this.grantType = grantType; + return this; + } + + public AuthConfig build() { + AuthConfig authConfig = new AuthConfig(); + authConfig.authServerUrl = authServerUrl; + authConfig.realmId = realmId; + authConfig.clientId = clientId; + authConfig.clientSecret = clientSecret; + authConfig.grantType = grantType; + authConfig.heraclesApiServerUrl= AtlasConfiguration.HERACLES_API_SERVER_URL.getString()+"/"; + return authConfig; + } +} diff --git a/client-auth/src/main/java/org/apache/atlas/auth/client/heracles/AtlasHeraclesClient.java b/client-auth/src/main/java/org/apache/atlas/auth/client/heracles/AtlasHeraclesClient.java new file mode 100644 index 0000000000..6c0c4b7d56 --- /dev/null +++ b/client-auth/src/main/java/org/apache/atlas/auth/client/heracles/AtlasHeraclesClient.java @@ -0,0 +1,59 @@ +package org.apache.atlas.auth.client.heracles; + +import org.apache.atlas.auth.client.config.AuthConfig; +import org.apache.atlas.auth.client.heracles.models.HeraclesRoleViewRepresentation; +import org.apache.atlas.auth.client.heracles.models.HeraclesUserViewRepresentation; +import org.apache.atlas.exception.AtlasBaseException; +import org.keycloak.representations.idm.UserRepresentation; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +import java.util.List; +import java.util.Objects; +import java.util.stream.Collectors; + +public class AtlasHeraclesClient { + public final static Logger LOG = LoggerFactory.getLogger(AtlasHeraclesClient.class); + + private static HeraclesRestClient HERACLES; + private static AtlasHeraclesClient HERACLES_CLIENT; + + public AtlasHeraclesClient() {} + + public static AtlasHeraclesClient getHeraclesClient() { + if(Objects.isNull(HERACLES_CLIENT)) { + LOG.info("Initializing Heracles client.."); + try{ + init(AuthConfig.getConfig()); + } catch (Exception e) { + LOG.error("Error initializing Heracles client", e); + } + } + return HERACLES_CLIENT; + } + + private static void init(AuthConfig authConfig) { + synchronized (AtlasHeraclesClient.class) { + if (HERACLES == null) { + HERACLES = new HeraclesRestClient(authConfig); + HERACLES_CLIENT = new AtlasHeraclesClient(); + } + } + } + + public List getUsersMappings(int start, int size, String[] columns) throws AtlasBaseException {; + List views = HERACLES.getUsersMappings(start, size, HeraclesUserViewRepresentation.sortBy, columns).body(); + return views.stream().map(x -> { + UserRepresentation userRepresentation = new UserRepresentation(); + userRepresentation.setId(x.getId()); + userRepresentation.setUsername(x.getUsername()); + userRepresentation.setRealmRoles(x.getRoles()); + userRepresentation.setGroups(x.getGroups()); + return userRepresentation; + }).collect(Collectors.toList()); + } + + public List getRolesMappings(int start, int size, String[] columns) throws AtlasBaseException { + return HERACLES.getRolesMappings(start, size, HeraclesRoleViewRepresentation.sortBy, columns).body(); + } +} diff --git a/client-auth/src/main/java/org/apache/atlas/auth/client/heracles/HeraclesRestClient.java b/client-auth/src/main/java/org/apache/atlas/auth/client/heracles/HeraclesRestClient.java new file mode 100644 index 0000000000..c6fbbcb935 --- /dev/null +++ b/client-auth/src/main/java/org/apache/atlas/auth/client/heracles/HeraclesRestClient.java @@ -0,0 +1,25 @@ +package org.apache.atlas.auth.client.heracles; + +import org.apache.atlas.auth.client.config.AuthConfig; +import org.apache.atlas.auth.client.auth.AbstractAuthClient; +import org.apache.atlas.auth.client.heracles.models.HeraclesRoleViewRepresentation; +import org.apache.atlas.auth.client.heracles.models.HeraclesUserViewRepresentation; +import org.apache.atlas.exception.AtlasBaseException; +import retrofit2.Response; + +import java.util.List; + +public class HeraclesRestClient extends AbstractAuthClient { + + public HeraclesRestClient(final AuthConfig authConfig) { + super(authConfig); + } + public Response> getUsersMappings(int offset, int limit, String sort, String[] columns) throws AtlasBaseException { + return processResponse(this.retrofitHeraclesClient.getUsersMapping(offset, limit,sort, columns)); + } + + public Response> getRolesMappings(int offset, int limit, String sort, String[] columns) throws AtlasBaseException { + return processResponse(this.retrofitHeraclesClient.getRolesMapping(offset, limit, sort, columns)); + } + +} \ No newline at end of file diff --git a/client-auth/src/main/java/org/apache/atlas/auth/client/heracles/RetrofitHeraclesClient.java b/client-auth/src/main/java/org/apache/atlas/auth/client/heracles/RetrofitHeraclesClient.java new file mode 100644 index 0000000000..b9fd8de6ca --- /dev/null +++ b/client-auth/src/main/java/org/apache/atlas/auth/client/heracles/RetrofitHeraclesClient.java @@ -0,0 +1,24 @@ +package org.apache.atlas.auth.client.heracles; + +import org.apache.atlas.auth.client.heracles.models.HeraclesRoleViewRepresentation; +import org.apache.atlas.auth.client.heracles.models.HeraclesUserViewRepresentation; +import retrofit2.Call; +import retrofit2.http.GET; +import retrofit2.http.Headers; +import retrofit2.http.Query; + +import java.util.List; + +public interface RetrofitHeraclesClient { + @Headers({"Accept: application/json,text/plain", "Cache-Control: no-store", "Cache-Control: no-cache"}) + @GET("/users/mappings") + Call> getUsersMapping(@Query("offset") Integer offset, @Query("limit") Integer limit, @Query("sort") String sort, + @Query("columns") String[] columns); + + @Headers({"Accept: application/json,text/plain", "Cache-Control: no-store", "Cache-Control: no-cache"}) + @GET("/roles/mappings") + Call> getRolesMapping(@Query("offset") Integer offset, @Query("limit") Integer limit, @Query("sort") String sort, + @Query("columns") String[] columns); + + +} diff --git a/client-auth/src/main/java/org/apache/atlas/auth/client/heracles/models/HeraclesRoleViewRepresentation.java b/client-auth/src/main/java/org/apache/atlas/auth/client/heracles/models/HeraclesRoleViewRepresentation.java new file mode 100644 index 0000000000..5b695bcf71 --- /dev/null +++ b/client-auth/src/main/java/org/apache/atlas/auth/client/heracles/models/HeraclesRoleViewRepresentation.java @@ -0,0 +1,60 @@ +package org.apache.atlas.auth.client.heracles.models; + +import com.fasterxml.jackson.annotation.JsonIgnoreProperties; + +import java.util.ArrayList; +import java.util.List; + +@JsonIgnoreProperties(ignoreUnknown = true) +public class HeraclesRoleViewRepresentation { + protected String id; + protected String name; + protected String realmId; + protected List roles; + protected List groups; + + public static String sortBy = "name"; + + public HeraclesRoleViewRepresentation() { + } + + public String getId() { + return id; + } + + public String getName() { + return name; + } + + public String getRealmId() { + return realmId; + } + + public List getRoles() { + return roles == null ? new ArrayList<>() : roles; + } + + public List getGroups() { + return groups == null ? new ArrayList<>() : groups; + } + + public void setId(String id) { + this.id = id; + } + + public void setName(String name) { + this.name = name; + } + + public void setRealmId(String realmId) { + this.realmId = realmId; + } + + public void setRoles(List roles) { + this.roles = roles; + } + + public void setGroups(List groups) { + this.groups = groups; + } +} diff --git a/client-auth/src/main/java/org/apache/atlas/auth/client/heracles/models/HeraclesUserViewRepresentation.java b/client-auth/src/main/java/org/apache/atlas/auth/client/heracles/models/HeraclesUserViewRepresentation.java new file mode 100644 index 0000000000..de3bc1e105 --- /dev/null +++ b/client-auth/src/main/java/org/apache/atlas/auth/client/heracles/models/HeraclesUserViewRepresentation.java @@ -0,0 +1,61 @@ +package org.apache.atlas.auth.client.heracles.models; + +import com.fasterxml.jackson.annotation.JsonIgnoreProperties; +import org.keycloak.representations.idm.UserRepresentation; + +import java.util.List; + +@JsonIgnoreProperties(ignoreUnknown = true) +public class HeraclesUserViewRepresentation { + protected String id; + protected String username; + protected boolean enabled; + protected List roles; + protected List groups; + + public static String sortBy = "username"; + + public HeraclesUserViewRepresentation() { + } + + public String getId() { + return id; + } + + public String getUsername() { + return username; + } + + public boolean isEnabled() { + return enabled; + } + + public List getRoles() { + return roles; + } + + public List getGroups() { + return groups; + } + + public void setId(String id) { + this.id = id; + } + + public void setUsername(String username) { + this.username = username; + } + + public void setEnabled(boolean enabled) { + this.enabled = enabled; + } + + public void setRoles(List roles) { + this.roles = roles; + } + + public void setGroups(List groups) { + this.groups = groups; + } + +} diff --git a/client-keycloak/src/main/java/org/apache/atlas/keycloak/client/AtlasKeycloakClient.java b/client-auth/src/main/java/org/apache/atlas/auth/client/keycloak/AtlasKeycloakClient.java similarity index 70% rename from client-keycloak/src/main/java/org/apache/atlas/keycloak/client/AtlasKeycloakClient.java rename to client-auth/src/main/java/org/apache/atlas/auth/client/keycloak/AtlasKeycloakClient.java index fe723bbce1..9ec43428e6 100644 --- a/client-keycloak/src/main/java/org/apache/atlas/keycloak/client/AtlasKeycloakClient.java +++ b/client-auth/src/main/java/org/apache/atlas/auth/client/keycloak/AtlasKeycloakClient.java @@ -1,29 +1,19 @@ -package org.apache.atlas.keycloak.client; +package org.apache.atlas.auth.client.keycloak; +import org.apache.atlas.auth.client.config.AuthConfig; import org.apache.atlas.AtlasErrorCode; import org.apache.atlas.exception.AtlasBaseException; -import org.apache.atlas.keycloak.client.config.KeycloakConfig; -import org.apache.atlas.keycloak.client.config.KeycloakConfigBuilder; import org.apache.commons.collections.CollectionUtils; -import org.apache.commons.lang.StringUtils; -import org.codehaus.jettison.json.JSONException; -import org.codehaus.jettison.json.JSONObject; import org.keycloak.representations.idm.*; import org.keycloak.representations.oidc.TokenMetadataRepresentation; import org.slf4j.Logger; import org.slf4j.LoggerFactory; -import java.io.File; -import java.io.IOException; -import java.nio.charset.StandardCharsets; -import java.nio.file.Files; import java.util.ArrayList; import java.util.List; import java.util.Objects; import java.util.Set; -import static org.apache.atlas.ApplicationProperties.ATLAS_CONFIGURATION_DIRECTORY_PROPERTY; - /** * Keycloak client, deals with token creation refresh. */ @@ -31,14 +21,6 @@ public final class AtlasKeycloakClient { public final static Logger LOG = LoggerFactory.getLogger(AtlasKeycloakClient.class); - private final static String KEYCLOAK_PROPERTIES = "keycloak.json"; - private final static String DEFAULT_GRANT_TYPE = "client_credentials"; - private final static String KEY_REALM_ID = "realm"; - private final static String KEY_AUTH_SERVER_URL = "auth-server-url"; - private final static String KEY_CLIENT_ID = "resource"; - private final static String KEY_CREDENTIALS = "credentials"; - private final static String KEY_SECRET = "secret"; - private static KeycloakRestClient KEYCLOAK; private static AtlasKeycloakClient KEYCLOAK_CLIENT; @@ -183,13 +165,7 @@ public static AtlasKeycloakClient getKeycloakClient() throws AtlasBaseException if (Objects.isNull(KEYCLOAK_CLIENT)) { LOG.info("Initializing Keycloak client.."); try { - init(getConfig()); - } catch (IOException e) { - LOG.error("Failed to fetch Keycloak conf {}", e.getMessage()); - throw new AtlasBaseException(AtlasErrorCode.KEYCLOAK_INIT_FAILED, e.getMessage()); - } catch (JSONException e) { - LOG.error("Failed to parse Keycloak conf {}", e.getMessage()); - throw new AtlasBaseException(AtlasErrorCode.KEYCLOAK_INIT_FAILED, e.getMessage()); + init(AuthConfig.getConfig()); } catch (Exception e) { LOG.error("Failed to connect to Keycloak {}", e.getMessage()); throw new AtlasBaseException(AtlasErrorCode.KEYCLOAK_INIT_FAILED, e.getMessage()); @@ -201,7 +177,7 @@ public static AtlasKeycloakClient getKeycloakClient() throws AtlasBaseException return KEYCLOAK_CLIENT; } - private static void init(KeycloakConfig config) { + private static void init(AuthConfig config) { synchronized (AtlasKeycloakClient.class) { if (KEYCLOAK_CLIENT == null) { KEYCLOAK = new KeycloakRestClient(config); @@ -209,30 +185,4 @@ private static void init(KeycloakConfig config) { } } } - - private static KeycloakConfig getConfig() throws Exception { - String confLocation = System.getProperty(ATLAS_CONFIGURATION_DIRECTORY_PROPERTY); - File confFile; - if (StringUtils.isNotEmpty(confLocation)) { - confFile = new File(confLocation, KEYCLOAK_PROPERTIES); - - if (confFile.exists()) { - String keyConf = new String(Files.readAllBytes(confFile.toPath()), StandardCharsets.UTF_8); - JSONObject object = new JSONObject(keyConf); - - String REALM_ID = object.getString(KEY_REALM_ID); - String AUTH_SERVER_URL = object.getString(KEY_AUTH_SERVER_URL) + "/"; - String CLIENT_ID = object.getString(KEY_CLIENT_ID); - String GRANT_TYPE = DEFAULT_GRANT_TYPE; - String CLIENT_SECRET = object.getJSONObject(KEY_CREDENTIALS).getString(KEY_SECRET); - - LOG.info("Keycloak conf: REALM_ID:{}, AUTH_SERVER_URL:{}", REALM_ID, AUTH_SERVER_URL); - return KeycloakConfigBuilder.builder().realId(REALM_ID).authServerUrl(AUTH_SERVER_URL).clientId(CLIENT_ID).grantType(GRANT_TYPE).clientSecret(CLIENT_SECRET).build(); - } else { - throw new AtlasBaseException(AtlasErrorCode.KEYCLOAK_INIT_FAILED, "Keycloak configuration file not found in location " + confLocation); - } - } else { - throw new AtlasBaseException(AtlasErrorCode.KEYCLOAK_INIT_FAILED, "Configuration location not found " + confLocation); - } - } } diff --git a/client-keycloak/src/main/java/org/apache/atlas/keycloak/client/KeycloakRestClient.java b/client-auth/src/main/java/org/apache/atlas/auth/client/keycloak/KeycloakRestClient.java similarity index 54% rename from client-keycloak/src/main/java/org/apache/atlas/keycloak/client/KeycloakRestClient.java rename to client-auth/src/main/java/org/apache/atlas/auth/client/keycloak/KeycloakRestClient.java index 7cc1eea22f..b6f58982e6 100644 --- a/client-keycloak/src/main/java/org/apache/atlas/keycloak/client/KeycloakRestClient.java +++ b/client-auth/src/main/java/org/apache/atlas/auth/client/keycloak/KeycloakRestClient.java @@ -1,9 +1,10 @@ -package org.apache.atlas.keycloak.client; +package org.apache.atlas.auth.client.keycloak; +import org.apache.atlas.auth.client.auth.AbstractAuthClient; import okhttp3.FormBody; import okhttp3.RequestBody; +import org.apache.atlas.auth.client.config.AuthConfig; import org.apache.atlas.exception.AtlasBaseException; -import org.apache.atlas.keycloak.client.config.KeycloakConfig; import org.keycloak.representations.idm.*; import org.keycloak.representations.oidc.TokenMetadataRepresentation; import retrofit2.Response; @@ -14,129 +15,129 @@ /** * Keycloak Rest client wrapper used in atlas metastore */ -public final class KeycloakRestClient extends AbstractKeycloakClient { +public final class KeycloakRestClient extends AbstractAuthClient { private static final String TOKEN = "token"; private static final String CLIENT_ID = "client_id"; private static final String CLIENT_SECRET = "client_secret"; - public KeycloakRestClient(final KeycloakConfig keycloakConfig) { - super(keycloakConfig); + public KeycloakRestClient(final AuthConfig authConfig) { + super(authConfig); } public Response> searchUserByUserName(String username) throws AtlasBaseException { - return processResponse(this.retrofit.searchUserByUserName(this.keycloakConfig.getRealmId(), username)); + return processResponse(this.retrofitKeycloakClient.searchUserByUserName(this.authConfig.getRealmId(), username)); } public Response> getAllUsers(int start, int size) throws AtlasBaseException { - return processResponse(this.retrofit.getAllUsers(this.keycloakConfig.getRealmId(), start, size)); + return processResponse(this.retrofitKeycloakClient.getAllUsers(this.authConfig.getRealmId(), start, size)); } public Response> getRoleUserMembers(String roleName) throws AtlasBaseException { - return processResponse(this.retrofit.getRoleUserMembers(this.keycloakConfig.getRealmId(), roleName)); + return processResponse(this.retrofitKeycloakClient.getRoleUserMembers(this.authConfig.getRealmId(), roleName)); } public Response> getRoleUserMembers(String roleName, Integer start, Integer size) throws AtlasBaseException { - return processResponse(this.retrofit.getRoleUserMembers(this.keycloakConfig.getRealmId(), roleName, start, size)); + return processResponse(this.retrofitKeycloakClient.getRoleUserMembers(this.authConfig.getRealmId(), roleName, start, size)); } public Response> searchGroupByName(String groupName, Integer start, Integer size) throws AtlasBaseException { - return processResponse(this.retrofit.searchGroupByName(this.keycloakConfig.getRealmId(), groupName, start, size)); + return processResponse(this.retrofitKeycloakClient.searchGroupByName(this.authConfig.getRealmId(), groupName, start, size)); } public Response> getRoleGroupMembers(String roleName) throws AtlasBaseException { - return processResponse(this.retrofit.getRoleGroupMembers(this.keycloakConfig.getRealmId(), roleName)); + return processResponse(this.retrofitKeycloakClient.getRoleGroupMembers(this.authConfig.getRealmId(), roleName)); } public Response> getRoleGroupMembers(String roleName, Integer first, Integer size) throws AtlasBaseException { - return processResponse(this.retrofit.getRoleGroupMembers(this.keycloakConfig.getRealmId(), roleName, first, size)); + return processResponse(this.retrofitKeycloakClient.getRoleGroupMembers(this.authConfig.getRealmId(), roleName, first, size)); } public Response> getGroupsForUserById(String userId) throws AtlasBaseException { - return processResponse(this.retrofit.getGroupsForUserById(this.keycloakConfig.getRealmId(), userId)); + return processResponse(this.retrofitKeycloakClient.getGroupsForUserById(this.authConfig.getRealmId(), userId)); } public void addRealmLevelRoleMappingsForGroup(String groupId, List roles) throws AtlasBaseException { - processResponse(this.retrofit.addRealmLevelRoleMappingsForGroup(this.keycloakConfig.getRealmId(), groupId, roles)); + processResponse(this.retrofitKeycloakClient.addRealmLevelRoleMappingsForGroup(this.authConfig.getRealmId(), groupId, roles)); } public void deleteRealmLevelRoleMappingsForGroup(String groupId, List roles) throws AtlasBaseException { - processResponse(this.retrofit.deleteRealmLevelRoleMappingsForGroup(this.keycloakConfig.getRealmId(), groupId, roles)); + processResponse(this.retrofitKeycloakClient.deleteRealmLevelRoleMappingsForGroup(this.authConfig.getRealmId(), groupId, roles)); } public Response> getAllRoles(int start, int size) throws AtlasBaseException { - return processResponse(this.retrofit.getAllRoles(this.keycloakConfig.getRealmId(), start, size)); + return processResponse(this.retrofitKeycloakClient.getAllRoles(this.authConfig.getRealmId(), start, size)); } public void deleteRoleById(String roleId) throws AtlasBaseException { - processResponse(this.retrofit.deleteRoleById(this.keycloakConfig.getRealmId(), roleId)); + processResponse(this.retrofitKeycloakClient.deleteRoleById(this.authConfig.getRealmId(), roleId)); } public void deleteRoleByName(String roleName) throws AtlasBaseException { - processResponse(this.retrofit.deleteRoleByName(this.keycloakConfig.getRealmId(), roleName)); + processResponse(this.retrofitKeycloakClient.deleteRoleByName(this.authConfig.getRealmId(), roleName)); } public Response> addRealmLevelRoleMappingsForUser(String userId, List roles) throws AtlasBaseException { - return processResponse(this.retrofit.addRealmLevelRoleMappingsForUser(this.keycloakConfig.getRealmId(), userId, roles)); + return processResponse(this.retrofitKeycloakClient.addRealmLevelRoleMappingsForUser(this.authConfig.getRealmId(), userId, roles)); } public void deleteRealmLevelRoleMappingsForUser(String userId, List roles) throws AtlasBaseException { - processResponse(this.retrofit.deleteRealmLevelRoleMappingsForUser(this.keycloakConfig.getRealmId(), userId, roles)); + processResponse(this.retrofitKeycloakClient.deleteRealmLevelRoleMappingsForUser(this.authConfig.getRealmId(), userId, roles)); } public void createRole(RoleRepresentation roleRepresentation) throws AtlasBaseException { - processResponse(this.retrofit.createRole(this.keycloakConfig.getRealmId(), roleRepresentation)); + processResponse(this.retrofitKeycloakClient.createRole(this.authConfig.getRealmId(), roleRepresentation)); } public void updateRole(String roleId, RoleRepresentation roleRepresentation) throws AtlasBaseException { - processResponse(this.retrofit.updateRole(this.keycloakConfig.getRealmId(), roleId, roleRepresentation)); + processResponse(this.retrofitKeycloakClient.updateRole(this.authConfig.getRealmId(), roleId, roleRepresentation)); } public Response getRoleById(String roleId) throws AtlasBaseException { - return processResponse(this.retrofit.getRoleById(this.keycloakConfig.getRealmId(), roleId)); + return processResponse(this.retrofitKeycloakClient.getRoleById(this.authConfig.getRealmId(), roleId)); } public Response getRoleByName(String roleName) throws AtlasBaseException { - return processResponse(this.retrofit.getRoleByName(this.keycloakConfig.getRealmId(), roleName)); + return processResponse(this.retrofitKeycloakClient.getRoleByName(this.authConfig.getRealmId(), roleName)); } public Response> getAllRoles(Integer first, Integer max) throws AtlasBaseException { - return processResponse(this.retrofit.getAllRoles(this.keycloakConfig.getRealmId(), first, max)); + return processResponse(this.retrofitKeycloakClient.getAllRoles(this.authConfig.getRealmId(), first, max)); } public Response> getRoleComposites(String roleName) throws AtlasBaseException { - return processResponse(this.retrofit.getRoleComposites(this.keycloakConfig.getRealmId(), roleName)); + return processResponse(this.retrofitKeycloakClient.getRoleComposites(this.authConfig.getRealmId(), roleName)); } public void addComposites(String roleName, List roles) throws AtlasBaseException { - processResponse(this.retrofit.addComposites(this.keycloakConfig.getRealmId(), roleName, roles)); + processResponse(this.retrofitKeycloakClient.addComposites(this.authConfig.getRealmId(), roleName, roles)); } public void deleteComposites(String roleName, List roles) throws AtlasBaseException { - processResponse(this.retrofit.deleteComposites(this.keycloakConfig.getRealmId(), roleName, roles)); + processResponse(this.retrofitKeycloakClient.deleteComposites(this.authConfig.getRealmId(), roleName, roles)); } public Response> getAdminEvents(List operationTypes, String authRealm, String authClient, String authUser, String authIpAddress, String resourcePath, String dateFrom, String dateTo, Integer first, Integer max) throws AtlasBaseException { - return processResponse(this.retrofit.getAdminEvents(this.keycloakConfig.getRealmId(), operationTypes, + return processResponse(this.retrofitKeycloakClient.getAdminEvents(this.authConfig.getRealmId(), operationTypes, authRealm, authClient, authUser, authIpAddress, resourcePath, dateFrom, dateTo, first, max)); } public Response> getEvents(List type, String client, String user, String dateFrom, String dateTo, String ipAddress, Integer first, Integer max) throws AtlasBaseException { - return processResponse(this.retrofit.getEvents(this.keycloakConfig.getRealmId(), type, client, user, dateFrom, dateTo, ipAddress, first, max)); + return processResponse(this.retrofitKeycloakClient.getEvents(this.authConfig.getRealmId(), type, client, user, dateFrom, dateTo, ipAddress, first, max)); } public Response introspectToken(String token) throws AtlasBaseException { - return processResponse(this.retrofit.introspectToken(this.keycloakConfig.getRealmId(), getIntrospectTokenRequest(token))); + return processResponse(this.retrofitKeycloakClient.introspectToken(this.authConfig.getRealmId(), getIntrospectTokenRequest(token))); } private RequestBody getIntrospectTokenRequest(String token) { return new FormBody.Builder() .addEncoded(TOKEN, token) - .addEncoded(CLIENT_ID, this.keycloakConfig.getClientId()) - .addEncoded(CLIENT_SECRET, this.keycloakConfig.getClientSecret()) + .addEncoded(CLIENT_ID, this.authConfig.getClientId()) + .addEncoded(CLIENT_SECRET, this.authConfig.getClientSecret()) .build(); } } diff --git a/client-keycloak/src/main/java/org/apache/atlas/keycloak/client/RetrofitKeycloakClient.java b/client-auth/src/main/java/org/apache/atlas/auth/client/keycloak/RetrofitKeycloakClient.java similarity index 99% rename from client-keycloak/src/main/java/org/apache/atlas/keycloak/client/RetrofitKeycloakClient.java rename to client-auth/src/main/java/org/apache/atlas/auth/client/keycloak/RetrofitKeycloakClient.java index c396c9368d..4fe8bb6ff5 100644 --- a/client-keycloak/src/main/java/org/apache/atlas/keycloak/client/RetrofitKeycloakClient.java +++ b/client-auth/src/main/java/org/apache/atlas/auth/client/keycloak/RetrofitKeycloakClient.java @@ -1,4 +1,4 @@ -package org.apache.atlas.keycloak.client; +package org.apache.atlas.auth.client.keycloak; import okhttp3.RequestBody; import org.keycloak.representations.AccessTokenResponse; diff --git a/client-heracles/pom.xml b/client-heracles/pom.xml new file mode 100644 index 0000000000..b812aefb65 --- /dev/null +++ b/client-heracles/pom.xml @@ -0,0 +1,75 @@ + + + + + + apache-atlas + org.apache.atlas + 3.0.0-SNAPSHOT + + 4.0.0 + + client-heracles + + + 8 + 8 + + + + + org.keycloak + keycloak-core + ${keycloak-admin-client.version} + + + * + * + + + + + com.squareup.okhttp3 + okhttp + ${okhttp3.version} + + + com.squareup.retrofit2 + retrofit + ${retrofit.version} + + + com.squareup.retrofit2 + converter-jackson + ${retrofit.version} + + + com.squareup.okhttp3 + logging-interceptor + ${okhttp3.version} + + + org.apache.atlas + atlas-common + + + + \ No newline at end of file diff --git a/client-keycloak/src/main/java/org/apache/atlas/keycloak/client/config/KeycloakConfig.java b/client-heracles/src/main/java/heracles/client/config/HeraclesConfigBuilder.java similarity index 84% rename from client-keycloak/src/main/java/org/apache/atlas/keycloak/client/config/KeycloakConfig.java rename to client-heracles/src/main/java/heracles/client/config/HeraclesConfigBuilder.java index 048d2fac71..863eec0021 100644 --- a/client-keycloak/src/main/java/org/apache/atlas/keycloak/client/config/KeycloakConfig.java +++ b/client-heracles/src/main/java/heracles/client/config/HeraclesConfigBuilder.java @@ -1,6 +1,6 @@ -package org.apache.atlas.keycloak.client.config; +package main.java.heracles.client.config; -public final class KeycloakConfig { +public class HeraclesConfigBuilder { String authServerUrl; String realmId; @@ -27,5 +27,4 @@ public String getClientSecret() { public String getGrantType() { return grantType; } - } diff --git a/client-keycloak/src/main/java/org/apache/atlas/keycloak/client/config/KeycloakConfigBuilder.java b/client-keycloak/src/main/java/org/apache/atlas/keycloak/client/config/KeycloakConfigBuilder.java deleted file mode 100644 index 44583c59f3..0000000000 --- a/client-keycloak/src/main/java/org/apache/atlas/keycloak/client/config/KeycloakConfigBuilder.java +++ /dev/null @@ -1,52 +0,0 @@ -package org.apache.atlas.keycloak.client.config; - -public final class KeycloakConfigBuilder { - - private String authServerUrl; - private String realmId; - private String clientId; - private String clientSecret; - private String grantType = "client_credentials"; - - private KeycloakConfigBuilder() { - } - - public static KeycloakConfigBuilder builder() { - return new KeycloakConfigBuilder(); - } - - public KeycloakConfigBuilder authServerUrl(String authServerUrl) { - this.authServerUrl = authServerUrl; - return this; - } - - public KeycloakConfigBuilder realId(String realId) { - this.realmId = realId; - return this; - } - - public KeycloakConfigBuilder clientId(String clientId) { - this.clientId = clientId; - return this; - } - - public KeycloakConfigBuilder clientSecret(String clientSecret) { - this.clientSecret = clientSecret; - return this; - } - - public KeycloakConfigBuilder grantType(String grantType) { - this.grantType = grantType; - return this; - } - - public KeycloakConfig build() { - KeycloakConfig keycloakConfig = new KeycloakConfig(); - keycloakConfig.authServerUrl = authServerUrl; - keycloakConfig.realmId = realmId; - keycloakConfig.clientId = clientId; - keycloakConfig.clientSecret = clientSecret; - keycloakConfig.grantType = grantType; - return keycloakConfig; - } -} \ No newline at end of file diff --git a/intg/src/main/java/org/apache/atlas/AtlasConfiguration.java b/intg/src/main/java/org/apache/atlas/AtlasConfiguration.java index 889d5b413f..c9452ebf0d 100644 --- a/intg/src/main/java/org/apache/atlas/AtlasConfiguration.java +++ b/intg/src/main/java/org/apache/atlas/AtlasConfiguration.java @@ -108,7 +108,8 @@ public enum AtlasConfiguration { PERSONA_POLICY_ASSET_MAX_LIMIT("atlas.persona.policy.asset.maxlimit", 1000), ENABLE_KEYCLOAK_TOKEN_INTROSPECTION("atlas.canary.keycloak.token-introspection", false), - KEYCLOAK_ADMIN_CLIENT_PAGINATION_SIZE("atlas.keycloak.admin.resource-pagination-size", 1500); + HERACLES_CLIENT_PAGINATION_SIZE("atlas.heracles.admin.resource-pagination-size", 100), + HERACLES_API_SERVER_URL("atlas.heracles.api.service.url", "http://heracles-service.heracles.svc.cluster.local"); private static final Configuration APPLICATION_PROPERTIES; diff --git a/pom.xml b/pom.xml index 6ffea247db..1cc9aa70dc 100644 --- a/pom.xml +++ b/pom.xml @@ -790,7 +790,7 @@ server-api notification client - client-keycloak + client-auth graphdb repository diff --git a/repository/pom.xml b/repository/pom.xml index 03e66a8310..10d8d876fb 100755 --- a/repository/pom.xml +++ b/repository/pom.xml @@ -318,7 +318,7 @@ org.apache.atlas - client-keycloak + client-auth 3.0.0-SNAPSHOT diff --git a/repository/src/main/java/org/apache/atlas/repository/store/graph/v2/preprocessor/ConnectionPreProcessor.java b/repository/src/main/java/org/apache/atlas/repository/store/graph/v2/preprocessor/ConnectionPreProcessor.java index b994398c23..02fb63bbc8 100644 --- a/repository/src/main/java/org/apache/atlas/repository/store/graph/v2/preprocessor/ConnectionPreProcessor.java +++ b/repository/src/main/java/org/apache/atlas/repository/store/graph/v2/preprocessor/ConnectionPreProcessor.java @@ -55,7 +55,6 @@ import static org.apache.atlas.authorize.AtlasAuthorizerFactory.ATLAS_AUTHORIZER_IMPL; import static org.apache.atlas.authorize.AtlasAuthorizerFactory.CURRENT_AUTHORIZER_IMPL; -import static org.apache.atlas.keycloak.client.AtlasKeycloakClient.getKeycloakClient; import static org.apache.atlas.repository.Constants.ATTR_ADMIN_GROUPS; import static org.apache.atlas.repository.Constants.ATTR_ADMIN_ROLES; import static org.apache.atlas.repository.Constants.ATTR_ADMIN_USERS; @@ -63,6 +62,7 @@ import static org.apache.atlas.repository.Constants.POLICY_ENTITY_TYPE; import static org.apache.atlas.repository.Constants.QUALIFIED_NAME; import static org.apache.atlas.repository.util.AtlasEntityUtils.mapOf; +import static org.apache.atlas.auth.client.keycloak.AtlasKeycloakClient.getKeycloakClient; public class ConnectionPreProcessor implements PreProcessor { private static final Logger LOG = LoggerFactory.getLogger(ConnectionPreProcessor.class); diff --git a/repository/src/main/java/org/apache/atlas/repository/store/graph/v2/preprocessor/accesscontrol/PersonaPreProcessor.java b/repository/src/main/java/org/apache/atlas/repository/store/graph/v2/preprocessor/accesscontrol/PersonaPreProcessor.java index f579dc4ff7..77078f5c53 100644 --- a/repository/src/main/java/org/apache/atlas/repository/store/graph/v2/preprocessor/accesscontrol/PersonaPreProcessor.java +++ b/repository/src/main/java/org/apache/atlas/repository/store/graph/v2/preprocessor/accesscontrol/PersonaPreProcessor.java @@ -20,7 +20,7 @@ import org.apache.atlas.RequestContext; import org.apache.atlas.exception.AtlasBaseException; -import org.apache.atlas.keycloak.client.AtlasKeycloakClient; +import org.apache.atlas.auth.client.keycloak.AtlasKeycloakClient; import org.apache.atlas.model.instance.AtlasEntity; import org.apache.atlas.model.instance.AtlasObjectId; import org.apache.atlas.model.instance.AtlasStruct; diff --git a/repository/src/main/java/org/apache/atlas/repository/store/graph/v2/preprocessor/sql/QueryCollectionPreProcessor.java b/repository/src/main/java/org/apache/atlas/repository/store/graph/v2/preprocessor/sql/QueryCollectionPreProcessor.java index 63e8ba4250..5dec4d3190 100644 --- a/repository/src/main/java/org/apache/atlas/repository/store/graph/v2/preprocessor/sql/QueryCollectionPreProcessor.java +++ b/repository/src/main/java/org/apache/atlas/repository/store/graph/v2/preprocessor/sql/QueryCollectionPreProcessor.java @@ -58,7 +58,7 @@ import static org.apache.atlas.authorize.AtlasAuthorizerFactory.ATLAS_AUTHORIZER_IMPL; import static org.apache.atlas.authorize.AtlasAuthorizerFactory.CURRENT_AUTHORIZER_IMPL; -import static org.apache.atlas.keycloak.client.AtlasKeycloakClient.getKeycloakClient; +import static org.apache.atlas.auth.client.keycloak.AtlasKeycloakClient.getKeycloakClient; import static org.apache.atlas.repository.Constants.ATTR_ADMIN_GROUPS; import static org.apache.atlas.repository.Constants.ATTR_ADMIN_USERS; import static org.apache.atlas.repository.Constants.ATTR_VIEWER_GROUPS; diff --git a/repository/src/main/java/org/apache/atlas/repository/store/users/KeycloakStore.java b/repository/src/main/java/org/apache/atlas/repository/store/users/KeycloakStore.java index 3a5f1782f0..22e04cd751 100644 --- a/repository/src/main/java/org/apache/atlas/repository/store/users/KeycloakStore.java +++ b/repository/src/main/java/org/apache/atlas/repository/store/users/KeycloakStore.java @@ -33,8 +33,7 @@ import java.util.stream.Collectors; import static org.apache.atlas.AtlasErrorCode.RESOURCE_NOT_FOUND; -import static org.apache.atlas.keycloak.client.AtlasKeycloakClient.getKeycloakClient; -import static org.apache.atlas.repository.util.AccessControlUtils.INSTANCE_DOMAIN_KEY; +import static org.apache.atlas.auth.client.keycloak.AtlasKeycloakClient.getKeycloakClient; public class KeycloakStore { private static final Logger LOG = LoggerFactory.getLogger(KeycloakStore.class); diff --git a/webapp/src/main/java/org/apache/atlas/web/rest/MigrationREST.java b/webapp/src/main/java/org/apache/atlas/web/rest/MigrationREST.java index b1cb307550..b491bb88ce 100644 --- a/webapp/src/main/java/org/apache/atlas/web/rest/MigrationREST.java +++ b/webapp/src/main/java/org/apache/atlas/web/rest/MigrationREST.java @@ -33,7 +33,7 @@ import java.util.*; import java.util.stream.Collectors; -import static org.apache.atlas.keycloak.client.AtlasKeycloakClient.getKeycloakClient; +import static org.apache.atlas.auth.client.keycloak.AtlasKeycloakClient.getKeycloakClient; import static org.apache.atlas.repository.Constants.*; @Path("migration") diff --git a/webapp/src/main/java/org/apache/atlas/web/security/AtlasKeycloakAuthenticationProvider.java b/webapp/src/main/java/org/apache/atlas/web/security/AtlasKeycloakAuthenticationProvider.java index 88523998cd..1a22038398 100644 --- a/webapp/src/main/java/org/apache/atlas/web/security/AtlasKeycloakAuthenticationProvider.java +++ b/webapp/src/main/java/org/apache/atlas/web/security/AtlasKeycloakAuthenticationProvider.java @@ -18,7 +18,7 @@ import io.micrometer.core.instrument.Counter; import org.apache.atlas.AtlasConfiguration; -import org.apache.atlas.keycloak.client.AtlasKeycloakClient; +import org.apache.atlas.auth.client.keycloak.AtlasKeycloakClient; import org.apache.atlas.service.metrics.MetricUtils; import org.apache.atlas.ApplicationProperties; import org.apache.commons.configuration.Configuration;