RANGER-4955: Add support to retrieve group information from JWT

Author: Abhishek Kumar

ranger-authn/pom.xml

@@ -86,6 +86,12 @@
             <version>${nimbus-jose-jwt.version}</version>
         </dependency>
 
+        <dependency>
+            <groupId>org.springframework.security</groupId>
+            <artifactId>spring-security-core</artifactId>
+            <version>${springframework.security.version}</version>
+        </dependency>
+
         <!-- Test -->
         <dependency>
             <groupId>org.junit.jupiter</groupId>

ranger-authn/src/main/java/org/apache/ranger/authz/authority/JwtAuthority.java

@@ -0,0 +1,43 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.ranger.authz.authority;
+
+import java.util.Set;
+import org.springframework.security.core.GrantedAuthority;
+
+public final class JwtAuthority implements GrantedAuthority {
+    private static final long serialVersionUID = 12323L;
+    private final String role;
+    private final Set<String> groups;
+
+    public JwtAuthority(String role, Set<String> groups) {
+        this.role = role;
+        this.groups = groups;
+    }
+
+    public String getAuthority() {
+        return this.role;
+    }
+
+    public Set<String> getGroups() { return this.groups; }
+
+    public String toString() {
+        return this.role;
+    }
+}

ranger-authn/src/main/java/org/apache/ranger/authz/handler/jwt/RangerJwtAuthHandler.java

@@ -20,6 +20,8 @@
 
 import java.net.URL;
 import java.text.ParseException;
+import java.util.Set;
+import java.util.HashSet;
 import java.util.Arrays;
 import java.util.Date;
 import java.util.List;
@@ -43,20 +45,25 @@
 import com.nimbusds.jose.proc.JWSVerificationKeySelector;
 import com.nimbusds.jose.proc.SecurityContext;
 import com.nimbusds.jwt.SignedJWT;
+import com.nimbusds.jwt.JWTClaimsSet;
 import com.nimbusds.jwt.proc.ConfigurableJWTProcessor;
 
 public abstract class RangerJwtAuthHandler implements RangerAuthHandler {
     private static final Logger LOG = LoggerFactory.getLogger(RangerJwtAuthHandler.class);
 
     private JWSVerifier        verifier            = null;
+    protected SignedJWT        signedJWT           = null;
     private String             jwksProviderUrl     = null;
     public static final String TYPE                = "ranger-jwt";        // Constant that identifies the authentication mechanism.
     public static final String KEY_PROVIDER_URL    = "jwks.provider-url"; // JWKS provider URL
     public static final String KEY_JWT_PUBLIC_KEY  = "jwt.public-key";    // JWT token provider public key
     public static final String KEY_JWT_COOKIE_NAME = "jwt.cookie-name";   // JWT cookie name
     public static final String KEY_JWT_AUDIENCES   = "jwt.audiences";
     public static final String JWT_AUTHZ_PREFIX    = "Bearer ";
+    public static final String CUSTOM_JWT_CLAIM_GROUP_KEY_PARAM         = "custom.jwt.claim.group.key";
+    public static final String CUSTOM_JWT_CLAIM_GROUP_KEY_VALUE_DEFAULT = "knox.groups";
 
+    public String CUSTOM_JWT_CLAIM_GROUP_KEY_VALUE = null;
     protected List<String>               audiences = null;
     protected JWKSource<SecurityContext> keySource = null;
 
@@ -76,6 +83,7 @@ public void initialize(final Properties config) throws Exception {
 
         // optional configurations
         String pemPublicKey = config.getProperty(KEY_JWT_PUBLIC_KEY);
+        CUSTOM_JWT_CLAIM_GROUP_KEY_VALUE = config.getProperty(CUSTOM_JWT_CLAIM_GROUP_KEY_PARAM, CUSTOM_JWT_CLAIM_GROUP_KEY_VALUE_DEFAULT);
 
         // setup JWT provider public key if configured
         if (StringUtils.isNotBlank(pemPublicKey)) {
@@ -112,30 +120,36 @@ protected AuthenticationToken authenticate(final String jwtAuthHeader, final Str
 
             if (StringUtils.isNotBlank(serializedJWT)) {
                 try {
-                    final SignedJWT jwtToken = SignedJWT.parse(serializedJWT);
-                    boolean         valid    = validateToken(jwtToken);
+                    signedJWT = SignedJWT.parse(serializedJWT);
+                    JWTClaimsSet claimsSet = getJWTClaimsSet();
+
+                    if(LOG.isDebugEnabled()){
+                        LOG.debug("RangerJwtAuthHandler.authenticate(): JWTClaimsSet - {}", claimsSet);
+                    }
+
+                    boolean         valid    = validateToken();
                     if (valid) {
                         String userName;
 
                         if (StringUtils.isNotBlank(doAsUser)) {
                             userName = doAsUser.trim();
                         } else {
-                            userName = jwtToken.getJWTClaimsSet().getSubject();
+                            userName = claimsSet.getSubject();
                         }
 
                         if (LOG.isDebugEnabled()) {
                             LOG.debug("RangerJwtAuthHandler.authenticate(): Issuing AuthenticationToken for user: [{}]", userName);
-                            LOG.debug("RangerJwtAuthHandler.authenticate(): Authentication successful for user [{}] and doAs user is [{}]", jwtToken.getJWTClaimsSet().getSubject(), doAsUser);
+                            LOG.debug("RangerJwtAuthHandler.authenticate(): Authentication successful for user [{}] and doAs user is [{}]", claimsSet.getSubject(), doAsUser);
                         }
                         token = new AuthenticationToken(userName, userName, TYPE);
                     } else {
-                        LOG.warn("RangerJwtAuthHandler.authenticate(): Validation failed for JWT token: [{}] ", jwtToken.serialize());
+                        LOG.warn("RangerJwtAuthHandler.authenticate(): Validation failed for JWT: [{}] ", signedJWT.serialize());
                     }
-                } catch (ParseException pe) {
-                    LOG.warn("RangerJwtAuthHandler.authenticate(): Unable to parse the JWT token", pe);
+                } catch (ParseException | RuntimeException exp) {
+                    LOG.warn("RangerJwtAuthHandler.authenticate(): Unable to parse the JWT", exp);
                 }
             } else {
-                LOG.warn("RangerJwtAuthHandler.authenticate(): JWT token not found.");
+                LOG.warn("RangerJwtAuthHandler.authenticate(): JWT not found");
             }
         }
 
@@ -145,6 +159,31 @@ protected AuthenticationToken authenticate(final String jwtAuthHeader, final Str
 
         return token;
     }
+    
+    protected JWTClaimsSet getJWTClaimsSet() throws ParseException {
+        return signedJWT.getJWTClaimsSet();
+    }
+
+    public Set<String> getGroupsFromClaimSet() {
+        List<String> groupsClaim = null;
+        try {
+            groupsClaim = (List<String>) getJWTClaimsSet().getClaim(CUSTOM_JWT_CLAIM_GROUP_KEY_VALUE);
+        } catch (ParseException e) {
+            LOG.error("Unable to parse JWT claim set", e);
+        }
+
+        if (groupsClaim == null) {
+            LOG.warn("No group claim found!");
+            return new HashSet<>();
+        }
+
+        Set<String> groups = new HashSet<>(groupsClaim);
+        if (LOG.isDebugEnabled()) {
+            LOG.debug("Groups present in Claim [{}]: {}", CUSTOM_JWT_CLAIM_GROUP_KEY_VALUE, groups);
+        }
+        return groups;
+    }
+
 
     protected String getJWT(final String jwtAuthHeader, final String jwtCookie) {
         String serializedJWT = null;
@@ -171,19 +210,18 @@ protected String getJWT(final String jwtAuthHeader, final String jwtCookie) {
      * implementation through submethods used within but also allows for the
      * override of the entire token validation algorithm.
      *
-     * @param jwtToken the token to validate
      * @return true if valid
      */
-    protected boolean validateToken(final SignedJWT jwtToken) {
-        boolean expValid = validateExpiration(jwtToken);
+    protected boolean validateToken() throws ParseException {
+        boolean expValid = validateExpiration();
         boolean sigValid = false;
         boolean audValid = false;
 
         if (expValid) {
-            sigValid = validateSignature(jwtToken);
+            sigValid = validateSignature();
 
             if (sigValid) {
-                audValid = validateAudiences(jwtToken);
+                audValid = validateAudiences();
             }
         }
 
@@ -195,41 +233,40 @@ protected boolean validateToken(final SignedJWT jwtToken) {
     }
 
     /**
-     * Verify the signature of the JWT token in this method. This method depends on
+     * Verify the signature of the JWT in this method. This method depends on
      * the public key that was established during init based upon the provisioned
      * public key. Override this method in subclasses in order to customize the
      * signature verification behavior.
      *
-     * @param jwtToken the token that contains the signature to be validated
      * @return valid true if signature verifies successfully; false otherwise
      */
-    protected boolean validateSignature(final SignedJWT jwtToken) {
+    protected boolean validateSignature() {
         boolean valid = false;
 
-        if (JWSObject.State.SIGNED == jwtToken.getState()) {
+        if (JWSObject.State.SIGNED == signedJWT.getState()) {
             if (LOG.isDebugEnabled()) {
-                LOG.debug("JWT token is in a SIGNED state");
+                LOG.debug("JWT is in a SIGNED state");
             }
 
-            if (jwtToken.getSignature() != null) {
+            if (signedJWT.getSignature() != null) {
                 try {
                     if (StringUtils.isNotBlank(jwksProviderUrl)) {
-                        JWSKeySelector<SecurityContext> keySelector = new JWSVerificationKeySelector<>(jwtToken.getHeader().getAlgorithm(), keySource);
+                        JWSKeySelector<SecurityContext> keySelector = new JWSVerificationKeySelector<>(signedJWT.getHeader().getAlgorithm(), keySource);
 
                         // Create a JWT processor for the access tokens
                         ConfigurableJWTProcessor<SecurityContext> jwtProcessor = getJwtProcessor(keySelector);
 
                         // Process the token
-                        jwtProcessor.process(jwtToken, null);
+                        jwtProcessor.process(signedJWT, null);
                         valid = true;
                         if (LOG.isDebugEnabled()) {
-                            LOG.debug("JWT token has been successfully verified.");
+                            LOG.debug("JWT has been successfully verified.");
                         }
                     } else if (verifier != null) {
-                        if (jwtToken.verify(verifier)) {
+                        if (signedJWT.verify(verifier)) {
                             valid = true;
                             if (LOG.isDebugEnabled()) {
-                                LOG.debug("JWT token has been successfully verified.");
+                                LOG.debug("JWT has been successfully verified.");
                             }
                         } else {
                             LOG.warn("JWT signature verification failed.");
@@ -257,61 +294,51 @@ protected boolean validateSignature(final SignedJWT jwtToken) {
      * token claims list for audience. Override this method in subclasses in order
      * to customize the audience validation behavior.
      *
-     * @param jwtToken the JWT token where the allowed audiences will be found
      * @return true if an expected audience is present, otherwise false
      */
-    protected boolean validateAudiences(final SignedJWT jwtToken) {
+    protected boolean validateAudiences() throws ParseException {
         boolean valid = false;
-        try {
-            List<String> tokenAudienceList = jwtToken.getJWTClaimsSet().getAudience();
-            // if there were no expected audiences configured then just
-            // consider any audience acceptable
-            if (audiences == null) {
-                valid = true;
-            } else {
-                // if any of the configured audiences is found then consider it
-                // acceptable
-                for (String aud : tokenAudienceList) {
-                    if (audiences.contains(aud)) {
-                        if (LOG.isDebugEnabled()) {
-                            LOG.debug("JWT token audience has been successfully validated.");
-                        }
-                        valid = true;
-                        break;
+        JWTClaimsSet claimsSet = getJWTClaimsSet();
+        List<String> tokenAudienceList = claimsSet.getAudience();
+        // if there were no expected audiences configured then just consider any audience acceptable
+        if (audiences == null) {
+            valid = true;
+        } else {
+            // if any of the configured audiences is found then consider it acceptable
+            for (String aud : tokenAudienceList) {
+                if (audiences.contains(aud)) {
+                    if (LOG.isDebugEnabled()) {
+                        LOG.debug("JWT audience has been successfully validated.");
                     }
-                }
-                if (!valid) {
-                    LOG.warn("JWT audience validation failed.");
+                    valid = true;
+                    break;
                 }
             }
-        } catch (ParseException pe) {
-            LOG.warn("Unable to parse the JWT token.", pe);
+        }
+
+        if (!valid) {
+            LOG.warn("JWT audience validation failed.");
         }
         return valid;
     }
 
     /**
-     * Validate that the expiration time of the JWT token has not been violated. If
-     * it has then throw an AuthenticationException. Override this method in
+     * Validate that the expiration time of the JWT has not been violated. If
+     * it has, then throw an AuthenticationException. Override this method in
      * subclasses in order to customize the expiration validation behavior.
      *
-     * @param jwtToken the token that contains the expiration date to validate
      * @return valid true if the token has not expired; false otherwise
      */
-    protected boolean validateExpiration(final SignedJWT jwtToken) {
+    protected boolean validateExpiration() throws ParseException {
         boolean valid = false;
-        try {
-            Date expires = jwtToken.getJWTClaimsSet().getExpirationTime();
-            if (expires == null || new Date().before(expires)) {
-                valid = true;
-                if (LOG.isDebugEnabled()) {
-                    LOG.debug("JWT token expiration date has been successfully validated.");
-                }
-            } else {
-                LOG.warn("JWT token provided is expired.");
+        Date expires = getJWTClaimsSet().getExpirationTime();
+        if (expires == null || new Date().before(expires)) {
+            valid = true;
+            if (LOG.isDebugEnabled()) {
+                LOG.debug("JWT expiration date has been successfully validated.");
             }
-        } catch (ParseException pe) {
-            LOG.warn("Failed to validate JWT expiry.", pe);
+        } else {
+            LOG.warn("JWT provided has expired.");
         }
 
         return valid;

security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerJwtAuthFilter.java

@@ -19,6 +19,7 @@
 package org.apache.ranger.security.web.filter;
 
 import java.io.IOException;
+import java.util.Set;
 import java.util.Arrays;
 import java.util.List;
 import java.util.Properties;
@@ -33,6 +34,7 @@
 import javax.servlet.http.HttpServletRequest;
 
 import org.apache.log4j.Logger;
+import org.apache.ranger.authz.authority.JwtAuthority;
 import org.apache.ranger.authz.handler.RangerAuth;
 import org.apache.ranger.authz.handler.jwt.RangerDefaultJwtAuthHandler;
 import org.apache.ranger.authz.handler.jwt.RangerJwtAuthHandler;
@@ -42,7 +44,6 @@
 import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.GrantedAuthority;
-import org.springframework.security.core.authority.SimpleGrantedAuthority;
 import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.security.core.userdetails.User;
 import org.springframework.security.core.userdetails.UserDetails;
@@ -101,7 +102,8 @@ public void doFilter(ServletRequest request, ServletResponse response, FilterCha
         RangerAuth rangerAuth = authenticate(httpServletRequest);
 
         if (rangerAuth != null) {
-            final List<GrantedAuthority>   grantedAuths        = Arrays.asList(new SimpleGrantedAuthority(DEFAULT_RANGER_ROLE));
+            final Set<String>                    groups        = getGroupsFromClaimSet();
+            final List<GrantedAuthority>   grantedAuths        = Arrays.asList(new JwtAuthority(DEFAULT_RANGER_ROLE, groups));
             final UserDetails              principal           = new User(rangerAuth.getUserName(), "", grantedAuths);
             final Authentication           finalAuthentication = new UsernamePasswordAuthenticationToken(principal, "", grantedAuths);
             final WebAuthenticationDetails webDetails          = new WebAuthenticationDetails(httpServletRequest);