ambari-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From stoa...@apache.org
Subject ambari git commit: AMBARI-16205. Disable alternate user search functionality by default. (stoader)
Date Tue, 03 May 2016 12:55:02 GMT
Repository: ambari
Updated Branches:
  refs/heads/trunk b571e4a0b -> 3d3f06ad8


AMBARI-16205. Disable alternate user search functionality by default. (stoader)


Project: http://git-wip-us.apache.org/repos/asf/ambari/repo
Commit: http://git-wip-us.apache.org/repos/asf/ambari/commit/3d3f06ad
Tree: http://git-wip-us.apache.org/repos/asf/ambari/tree/3d3f06ad
Diff: http://git-wip-us.apache.org/repos/asf/ambari/diff/3d3f06ad

Branch: refs/heads/trunk
Commit: 3d3f06ad83188e086564a60b687e35a1956258b0
Parents: b571e4a
Author: Toader, Sebastian <stoader@hortonworks.com>
Authored: Tue May 3 14:53:44 2016 +0200
Committer: Toader, Sebastian <stoader@hortonworks.com>
Committed: Tue May 3 14:53:44 2016 +0200

----------------------------------------------------------------------
 .../server/configuration/Configuration.java     | 24 ++++++++++++
 .../AmbariLdapAuthenticationProvider.java       |  8 +++-
 .../server/configuration/ConfigurationTest.java | 41 ++++++++++++++++++++
 ...henticationProviderForDuplicateUserTest.java | 31 ++++++++++++++-
 .../AmbariLdapAuthenticationProviderTest.java   | 11 ++++--
 5 files changed, 107 insertions(+), 8 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/ambari/blob/3d3f06ad/ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java
b/ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java
index 87f40d5..51ada16 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java
@@ -198,6 +198,13 @@ public class Configuration {
   public static final String LDAP_USER_SEARCH_FILTER_KEY = "authentication.ldap.userSearchFilter";
 
   /**
+   * This configuration controls whether the use of alternate user search filter is enabled.
+   *
+   * If it is not set then the default
+   */
+  public static final String LDAP_ALT_USER_SEARCH_ENABLED_KEY = "authentication.ldap.alternateUserSearchEnabled";
+
+  /**
    * When authentication through LDAP is enabled there might be cases when {@link #LDAP_USER_SEARCH_FILTER_KEY}
    * may match multiple users in LDAP. In such cases the user is prompted to provide additional
info, e.g. the domain
    * he or she wants ot log in upon login beside the username. This filter will be used by
Ambari Server to lookup
@@ -488,6 +495,19 @@ public class Configuration {
   private static final String LDAP_GROUP_NAMING_ATTR_DEFAULT = "cn";
   private static final String LDAP_GROUP_MEMBERSHIP_ATTR_DEFAULT = "member";
   private static final String LDAP_ADMIN_GROUP_MAPPING_RULES_DEFAULT = "Ambari Administrators";
+
+  /**
+   * If the default LDAP user search filter is not able to find the authenticating user
+   * in LDAP than Ambari can fall back an alternative user search filter if this
+   * functionality is enabled. Whether this functionality is enabled or disabled
+   * can be controlled via {@link #LDAP_ALT_USER_SEARCH_ENABLED_KEY}.
+   *
+   * If {@link #LDAP_ALT_USER_SEARCH_ENABLED_KEY} not provided in ambari properties
+   * than the functionality is disabled by default.
+   *
+   */
+  protected static final String LDAP_ALT_USER_SEARCH_ENABLED_DEFAULT = "false";
+
   /**
    * When authentication through LDAP is enabled then Ambari Server uses this filter by default
to lookup
    * the user in LDAP if one not provided in the config via {@link #LDAP_USER_SEARCH_FILTER_KEY}.
@@ -2933,4 +2953,8 @@ public class Configuration {
     String udpPort = properties.getProperty(ALERTS_SNMP_DISPATCH_UDP_PORT);
     return StringUtils.isEmpty(udpPort) ? null : Integer.parseInt(udpPort);
   }
+
+  public boolean isLdapAlternateUserSearchEnabled() {
+    return Boolean.parseBoolean(properties.getProperty(LDAP_ALT_USER_SEARCH_ENABLED_KEY,
LDAP_ALT_USER_SEARCH_ENABLED_DEFAULT));
+  }
 }

http://git-wip-us.apache.org/repos/asf/ambari/blob/3d3f06ad/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariLdapAuthenticationProvider.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariLdapAuthenticationProvider.java
b/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariLdapAuthenticationProvider.java
index 7b2a95c..da47407 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariLdapAuthenticationProvider.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariLdapAuthenticationProvider.java
@@ -80,7 +80,11 @@ public class AmbariLdapAuthenticationProvider implements AuthenticationProvider
         }
         throw e;
       } catch (IncorrectResultSizeDataAccessException multipleUsersFound) {
-        throw new DuplicateLdapUserFoundAuthenticationException(String.format("Login Failed:
Please append your domain to your username and try again.  Example: %s@domain", username));
+        String message = configuration.isLdapAlternateUserSearchEnabled() ?
+          String.format("Login Failed: Please append your domain to your username and try
again.  Example: %s@domain", username) :
+          "Login Failed: More than one user with that username found, please work with your
Ambari Administrator to adjust your LDAP configuration";
+
+        throw new DuplicateLdapUserFoundAuthenticationException(message);
       }
     } else {
       return null;
@@ -175,7 +179,7 @@ public class AmbariLdapAuthenticationProvider implements AuthenticationProvider
 
   private String getLdapUserSearchFilter(String userName) {
     return ldapServerProperties.get()
-      .getUserSearchFilter(AmbariLdapUtils.isUserPrincipalNameFormat(userName));
+      .getUserSearchFilter(configuration.isLdapAlternateUserSearchEnabled() && AmbariLdapUtils.isUserPrincipalNameFormat(userName));
   }
 
 }

http://git-wip-us.apache.org/repos/asf/ambari/blob/3d3f06ad/ambari-server/src/test/java/org/apache/ambari/server/configuration/ConfigurationTest.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/test/java/org/apache/ambari/server/configuration/ConfigurationTest.java
b/ambari-server/src/test/java/org/apache/ambari/server/configuration/ConfigurationTest.java
index 99ec786..f635f1b 100644
--- a/ambari-server/src/test/java/org/apache/ambari/server/configuration/ConfigurationTest.java
+++ b/ambari-server/src/test/java/org/apache/ambari/server/configuration/ConfigurationTest.java
@@ -714,4 +714,45 @@ public class ConfigurationTest {
     Assert.assertEquals("test_uid={5}", actualLdapUserSearchFilter);
   }
 
+  @Test
+  public void testAlternateUserSearchEnabledDefault() throws  Exception {
+    // Given
+    final Properties ambariProperties = new Properties();
+    final Configuration configuration = new Configuration(ambariProperties);
+
+    // When
+    boolean actual =  configuration.isLdapAlternateUserSearchEnabled();
+
+    // Then
+    Assert.assertEquals(false, actual);
+  }
+
+  @Test
+  public void testAlternateUserSearchEnabledTrue() throws  Exception {
+    // Given
+    final Properties ambariProperties = new Properties();
+    final Configuration configuration = new Configuration(ambariProperties);
+    ambariProperties.setProperty(Configuration.LDAP_ALT_USER_SEARCH_ENABLED_KEY, "true");
+
+    // When
+    boolean actual =  configuration.isLdapAlternateUserSearchEnabled();
+
+    // Then
+    Assert.assertEquals(true, actual);
+  }
+
+  @Test
+  public void testAlternateUserSearchEnabledFalse() throws  Exception {
+    // Given
+    final Properties ambariProperties = new Properties();
+    final Configuration configuration = new Configuration(ambariProperties);
+    ambariProperties.setProperty(Configuration.LDAP_ALT_USER_SEARCH_ENABLED_KEY, "false");
+
+    // When
+    boolean actual =  configuration.isLdapAlternateUserSearchEnabled();
+
+    // Then
+    Assert.assertEquals(false, actual);
+  }
+
 }

http://git-wip-us.apache.org/repos/asf/ambari/blob/3d3f06ad/ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AmbariLdapAuthenticationProviderForDuplicateUserTest.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AmbariLdapAuthenticationProviderForDuplicateUserTest.java
b/ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AmbariLdapAuthenticationProviderForDuplicateUserTest.java
index f5d1412..43f860e 100644
--- a/ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AmbariLdapAuthenticationProviderForDuplicateUserTest.java
+++ b/ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AmbariLdapAuthenticationProviderForDuplicateUserTest.java
@@ -33,6 +33,7 @@ import org.easymock.MockType;
 import org.junit.Before;
 import org.junit.Rule;
 import org.junit.Test;
+import org.junit.rules.ExpectedException;
 import org.junit.runner.RunWith;
 import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
 import org.springframework.security.core.Authentication;
@@ -64,6 +65,9 @@ public class AmbariLdapAuthenticationProviderForDuplicateUserTest extends
Ambari
   @Rule
   public EasyMockRule mocks = new EasyMockRule(this);
 
+  @Rule
+  public ExpectedException expectedException = ExpectedException.none();
+
   @Mock(type = MockType.NICE)
   private AmbariLdapAuthoritiesPopulator authoritiesPopulator;
 
@@ -85,10 +89,14 @@ public class AmbariLdapAuthenticationProviderForDuplicateUserTest extends
Ambari
     authenticationProvider = new AmbariLdapAuthenticationProvider(configuration, authoritiesPopulator);
   }
 
-  @Test(expected = DuplicateLdapUserFoundAuthenticationException.class)
-  public void testAuthenticateDuplicateUser() throws Exception {
+  @Test
+  public void testAuthenticateDuplicateUserAltUserSearchDisabled() throws Exception {
     // Given
     Authentication authentication = new UsernamePasswordAuthenticationToken("user_dup", "password");
+    authenticationProvider.configuration.setProperty(Configuration.LDAP_ALT_USER_SEARCH_ENABLED_KEY,
"false");
+
+    expectedException.expect(DuplicateLdapUserFoundAuthenticationException.class);
+    expectedException.expectMessage("Login Failed: More than one user with that username
found, please work with your Ambari Administrator to adjust your LDAP configuration");
 
     // When
     authenticationProvider.authenticate(authentication);
@@ -96,5 +104,24 @@ public class AmbariLdapAuthenticationProviderForDuplicateUserTest extends
Ambari
     // Then
     // DuplicateLdapUserFoundAuthenticationException should be thrown
 
+
+  }
+
+  @Test
+  public void testAuthenticateDuplicateUserAltUserSearchEnabled() throws Exception {
+    // Given
+    Authentication authentication = new UsernamePasswordAuthenticationToken("user_dup", "password");
+    authenticationProvider.configuration.setProperty(Configuration.LDAP_ALT_USER_SEARCH_ENABLED_KEY,
"true");
+
+    expectedException.expect(DuplicateLdapUserFoundAuthenticationException.class);
+    expectedException.expectMessage("Login Failed: Please append your domain to your username
and try again.  Example: user_dup@domain");
+
+    // When
+    authenticationProvider.authenticate(authentication);
+
+    // Then
+    // DuplicateLdapUserFoundAuthenticationException should be thrown
+
+
   }
 }

http://git-wip-us.apache.org/repos/asf/ambari/blob/3d3f06ad/ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AmbariLdapAuthenticationProviderTest.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AmbariLdapAuthenticationProviderTest.java
b/ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AmbariLdapAuthenticationProviderTest.java
index b076e85..6d4ec60 100644
--- a/ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AmbariLdapAuthenticationProviderTest.java
+++ b/ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AmbariLdapAuthenticationProviderTest.java
@@ -95,6 +95,7 @@ public class AmbariLdapAuthenticationProviderTest extends AmbariLdapAuthenticati
     injector.getInstance(GuiceJpaInitializer.class);
     configuration.setClientSecurityType(ClientSecurityType.LDAP);
     configuration.setProperty(Configuration.LDAP_ALT_USER_SEARCH_FILTER_KEY, "(&(mail={0})(objectClass={userObjectClass}))");
+    configuration.setProperty(Configuration.LDAP_ALT_USER_SEARCH_ENABLED_KEY, "false");
   }
 
   @After
@@ -198,9 +199,9 @@ public class AmbariLdapAuthenticationProviderTest extends AmbariLdapAuthenticati
   @Test
   public void testAuthenticateLoginAlias() throws Exception {
     // Given
-    assertNull("User alread exists in DB", userDAO.findLdapUserByName("allowedUser"));
+    assertNull("User already exists in DB", userDAO.findLdapUserByName("allowedUser"));
     Authentication authentication = new UsernamePasswordAuthenticationToken("allowedUser@ambari.apache.org",
"password");
-
+    configuration.setProperty(Configuration.LDAP_ALT_USER_SEARCH_ENABLED_KEY, "true");
 
     // When
     Authentication result = authenticationProvider.authenticate(authentication);
@@ -212,8 +213,9 @@ public class AmbariLdapAuthenticationProviderTest extends AmbariLdapAuthenticati
   @Test(expected = BadCredentialsException.class)
   public void testBadCredentialsForMissingLoginAlias() throws Exception {
     // Given
-    assertNull("User alread exists in DB", userDAO.findLdapUserByName("allowedUser"));
+    assertNull("User already exists in DB", userDAO.findLdapUserByName("allowedUser"));
     Authentication authentication = new UsernamePasswordAuthenticationToken("missingloginalias@ambari.apache.org",
"password");
+    configuration.setProperty(Configuration.LDAP_ALT_USER_SEARCH_ENABLED_KEY, "true");
 
 
     // When
@@ -227,8 +229,9 @@ public class AmbariLdapAuthenticationProviderTest extends AmbariLdapAuthenticati
   @Test(expected = BadCredentialsException.class)
   public void testBadCredentialsBadPasswordForLoginAlias() throws Exception {
     // Given
-    assertNull("User alread exists in DB", userDAO.findLdapUserByName("allowedUser"));
+    assertNull("User already exists in DB", userDAO.findLdapUserByName("allowedUser"));
     Authentication authentication = new UsernamePasswordAuthenticationToken("allowedUser@ambari.apache.org",
"bad_password");
+    configuration.setProperty(Configuration.LDAP_ALT_USER_SEARCH_ENABLED_KEY, "true");
 
 
     // When


Mime
View raw message