ambari-commits mailing list archives

From rle...@apache.org
Subject ambari git commit: AMBARI-18813. Optionally force username from LDAP authentication data to be lowercase in Ambari (rlevas)
Date Tue, 18 Apr 2017 13:52:57 GMT
Repository: ambari
Updated Branches:
  refs/heads/branch-2.4 943fac128 -> 34f0103f6


AMBARI-18813. Optionally force username from LDAP authentication data to be lowercase in Ambari
(rlevas)


Project: http://git-wip-us.apache.org/repos/asf/ambari/repo
Commit: http://git-wip-us.apache.org/repos/asf/ambari/commit/34f0103f
Tree: http://git-wip-us.apache.org/repos/asf/ambari/tree/34f0103f
Diff: http://git-wip-us.apache.org/repos/asf/ambari/diff/34f0103f

Branch: refs/heads/branch-2.4
Commit: 34f0103f6d50d27fbeb1482e86a03daee7cff795
Parents: 943fac1
Author: Robert Levas <rlevas@hortonworks.com>
Authored: Tue Apr 18 09:52:46 2017 -0400
Committer: Robert Levas <rlevas@hortonworks.com>
Committed: Tue Apr 18 09:52:46 2017 -0400

----------------------------------------------------------------------
 .../server/configuration/Configuration.java     |  4 +++
 .../AmbariLdapBindAuthenticator.java            | 15 +++++++++--
 .../authorization/LdapServerProperties.java     | 26 ++++++++++++++++++++
 .../AmbariLdapBindAuthenticatorTest.java        | 17 +++++++++++--
 4 files changed, 58 insertions(+), 4 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/ambari/blob/34f0103f/ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java
b/ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java
index a91eada..a55dbbe 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java
@@ -189,6 +189,7 @@ public class Configuration {
   public static final String LDAP_MANAGER_PASSWORD_KEY = "authentication.ldap.managerPassword";
   public static final String LDAP_DN_ATTRIBUTE_KEY = "authentication.ldap.dnAttribute";
   public static final String LDAP_USERNAME_ATTRIBUTE_KEY = "authentication.ldap.usernameAttribute";
+  public static final String LDAP_USERNAME_FORCE_LOWERCASE_KEY = "authentication.ldap.username.forceLowercase";
   public static final String LDAP_USER_BASE_KEY = "authentication.ldap.userBase";
   public static final String LDAP_USER_OBJECT_CLASS_KEY = "authentication.ldap.userObjectClass";
   public static final String LDAP_GROUP_BASE_KEY = "authentication.ldap.groupBase";
@@ -517,6 +518,7 @@ public class Configuration {
   private static final String LDAP_PRIMARY_URL_DEFAULT = "localhost:33389";
   private static final String LDAP_BASE_DN_DEFAULT = "dc=ambari,dc=apache,dc=org";
   private static final String LDAP_USERNAME_ATTRIBUTE_DEFAULT = "uid";
+  private static final String LDAP_USERNAME_FORCE_LOWERCASE_DEFAULT = "false";
   private static final String LDAP_DN_ATTRIBUTE_DEFAULT = "dn";
   private static final String LDAP_USER_BASE_DEFAULT = "ou=people,dc=ambari,dc=apache,dc=org";
   private static final String LDAP_USER_OBJECT_CLASS_DEFAULT = "person";
@@ -1889,6 +1891,8 @@ public class Configuration {
       (LDAP_BASE_DN_KEY, LDAP_BASE_DN_DEFAULT));
     ldapServerProperties.setUsernameAttribute(properties.
       getProperty(LDAP_USERNAME_ATTRIBUTE_KEY, LDAP_USERNAME_ATTRIBUTE_DEFAULT));
+    ldapServerProperties.setForceUsernameToLowercase("true".equalsIgnoreCase(properties.
+      getProperty(LDAP_USERNAME_FORCE_LOWERCASE_KEY, LDAP_USERNAME_FORCE_LOWERCASE_DEFAULT)));
 
     ldapServerProperties.setUserBase(properties.getProperty(
       LDAP_USER_BASE_KEY, LDAP_USER_BASE_DEFAULT));
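Review bot: The value passed to `setForceUsernameToLowercase(...)` is compared with `"true"` without trimming, so a setting such as `true ` with trailing whitespace silently leaves the option off. If `properties` is a `java.util.Properties`, trailing whitespace from the file is kept in the value. Because this flag changes which user name an LDAP login maps to, a silent fallback to `false` is easy to miss. Trimming first would avoid it: `"true".equalsIgnoreCase(properties.getProperty(LDAP_USERNAME_FORCE_LOWERCASE_KEY, LDAP_USERNAME_FORCE_LOWERCASE_DEFAULT).trim())`. The enclosing method starts and ends outside this hunk.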

http://git-wip-us.apache.org/repos/asf/ambari/blob/34f0103f/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariLdapBindAuthenticator.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariLdapBindAuthenticator.java
b/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariLdapBindAuthenticator.java
index 917471b..9e534a6 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariLdapBindAuthenticator.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariLdapBindAuthenticator.java
@@ -71,9 +71,20 @@ public class AmbariLdapBindAuthenticator extends BindAuthenticator {
       // if authenticated user name is different from ldap user name than user has logged
in
       // with a login name that is different (e.g. user principal name) from the ambari user
name stored in
       // ambari db. In this case add the user login name  as login alias for ambari user
name.
-      LOG.info("User with {}='{}' logged in with login alias '{}'", ldapUserName, loginName);
+      LOG.info("User with {}='{}' logged in with login alias '{}'", ldapServerProperties.getUsernameAttribute(),
ldapUserName, loginName);
+
+      // If the ldap username needs to be processed (like converted to all lowercase characters,
+      // process it before setting it in the session via AuthorizationHelper#addLoginNameAlias
+      String processedLdapUserName;
+      if(ldapServerProperties.isForceUsernameToLowercase()) {
+        processedLdapUserName = ldapUserName.toLowerCase();
+        LOG.info("Forcing ldap username to be lowercase characters: {} ==> {}", ldapUserName,
processedLdapUserName);
+      }
+      else {
+        processedLdapUserName = ldapUserName;
+      }
 
-      AuthorizationHelper.addLoginNameAlias(ldapUserName, loginName);
+      AuthorizationHelper.addLoginNameAlias(processedLdapUserName, loginName);
     }
 
     return user;
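Review bot: `ldapUserName.toLowerCase()` in the new force-lowercase branch uses the JVM's default locale, so the name handed to `AuthorizationHelper.addLoginNameAlias` can differ between hosts (under a Turkish locale, `I` does not map to `i`). For an identity value the mapping should be fixed: `processedLdapUserName = ldapUserName.toLowerCase(Locale.ROOT);`, with `java.util.Locale` imported. The test hunk later in this commit builds its expectation with `userName.toLowerCase()` and should change in step. The lowercasing sits inside a conditional that opens above this hunk and, per its comment, applies only when the login name differs from the LDAP name, so it is worth confirming whether a login that matches the LDAP name exactly is normalized elsewhere.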

http://git-wip-us.apache.org/repos/asf/ambari/blob/34f0103f/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/LdapServerProperties.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/LdapServerProperties.java
b/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/LdapServerProperties.java
index a3086693..e76e944 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/LdapServerProperties.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/LdapServerProperties.java
@@ -50,6 +50,7 @@ public class LdapServerProperties {
   private String userBase;
   private String userObjectClass;
   private String usernameAttribute;
+  private boolean forceUsernameToLowercase = false;
   private String userSearchBase = "";
 
   private String syncGroupMemberReplacePattern = "";
@@ -165,6 +166,28 @@ public class LdapServerProperties {
     this.usernameAttribute = usernameAttribute;
   }
 
+  /**
+   * Sets whether the username retrieved from the LDAP server during authentication is to
be forced
+   * to all lowercase characters before assigning to the authenticated user.
+   *
+   * @param forceUsernameToLowercase true to force the username to be lowercase; false to
leave as
+   *                                 it was when retrieved from the LDAP server
+   */
+  public void setForceUsernameToLowercase(boolean forceUsernameToLowercase) {
+    this.forceUsernameToLowercase = forceUsernameToLowercase;
+  }
+
+  /**
+   * Gets whether the username retrieved from the LDAP server during authentication is to
be forced
+   * to all lowercase characters before assigning to the authenticated user.
+   *
+   * @return true to force the username to be lowercase; false to leave as it was when retrieved
from
+   * the LDAP server
+   */
+  public boolean isForceUsernameToLowercase() {
+    return forceUsernameToLowercase;
+  }
+
   public String getGroupBase() {
     return groupBase;
   }
@@ -331,6 +354,8 @@ public class LdapServerProperties {
       return false;
     if (usernameAttribute != null ? !usernameAttribute.equals(that.usernameAttribute) : that.usernameAttribute
!= null)
       return false;
+    if (forceUsernameToLowercase != that.forceUsernameToLowercase)
+      return false;
     if (groupBase != null ? !groupBase.equals(that.groupBase) :
         that.groupBase != null) return false;
     if (groupObjectClass != null ? !groupObjectClass.equals(that.groupObjectClass) :
@@ -379,6 +404,7 @@ public class LdapServerProperties {
     result = 31 * result + (userBase != null ? userBase.hashCode() : 0);
     result = 31 * result + (userObjectClass != null ? userObjectClass.hashCode() : 0);
     result = 31 * result + (usernameAttribute != null ? usernameAttribute.hashCode() : 0);
+    result = 31 * result + (forceUsernameToLowercase ? 1 : 0);
     result = 31 * result + (groupBase != null ? groupBase.hashCode() : 0);
     result = 31 * result + (groupObjectClass != null ? groupObjectClass.hashCode() : 0);
     result = 31 * result + (groupMembershipAttr != null ? groupMembershipAttr.hashCode()
: 0);

http://git-wip-us.apache.org/repos/asf/ambari/blob/34f0103f/ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AmbariLdapBindAuthenticatorTest.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AmbariLdapBindAuthenticatorTest.java
b/ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AmbariLdapBindAuthenticatorTest.java
index 27e62e2..ad57395 100644
--- a/ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AmbariLdapBindAuthenticatorTest.java
+++ b/ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AmbariLdapBindAuthenticatorTest.java
@@ -84,7 +84,16 @@ public class AmbariLdapBindAuthenticatorTest extends AmbariLdapAuthenticationPro
   }
 
   @Test
-  public void testAuthenticateWithLoginAlias() throws Exception {
+  public void testAuthenticateWithLoginAliasDefault() throws Exception {
+    testAuthenticateWithLoginAlias(false);
+  }
+
+  @Test
+  public void testAuthenticateWithLoginAliasForceToLower() throws Exception {
+    testAuthenticateWithLoginAlias(true);
+  }
+
+  private void testAuthenticateWithLoginAlias(boolean forceUsernameToLower) throws Exception
{
     // Given
 
     LdapContextSource ldapCtxSource = new LdapContextSource();
@@ -101,6 +110,10 @@ public class AmbariLdapBindAuthenticatorTest extends AmbariLdapAuthenticationPro
     properties.setProperty(Configuration.SHARED_RESOURCES_DIR_KEY, "src/test/resources/");
     properties.setProperty(Configuration.LDAP_BASE_DN_KEY, "dc=ambari,dc=apache,dc=org");
 
+    if(forceUsernameToLower) {
+      properties.setProperty(Configuration.LDAP_USERNAME_FORCE_LOWERCASE_KEY, "true");
+    }
+
     Configuration configuration = new Configuration(properties);
 
     AmbariLdapBindAuthenticator bindAuthenticator = new AmbariLdapBindAuthenticator(ldapCtxSource,
configuration);
@@ -116,7 +129,7 @@ public class AmbariLdapBindAuthenticatorTest extends AmbariLdapAuthenticationPro
 
     RequestContextHolder.setRequestAttributes(servletRequestAttributes);
 
-    servletRequestAttributes.setAttribute(eq(loginAlias), eq(userName), eq(RequestAttributes.SCOPE_SESSION));
+    servletRequestAttributes.setAttribute(eq(loginAlias), eq(forceUsernameToLower ? userName.toLowerCase():
userName), eq(RequestAttributes.SCOPE_SESSION));
     expectLastCall().once();
 
     replayAll();
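Review bot: The expectation `eq(forceUsernameToLower ? userName.toLowerCase() : userName)` distinguishes the two modes only if `userName` contains an uppercase character. Its value is defined outside this hunk, so that needs confirming. If the fixture name is already all lowercase, `testAuthenticateWithLoginAliasDefault` and `testAuthenticateWithLoginAliasForceToLower` assert the same alias and the new option is not actually exercised. A mixed-case LDAP user name in the fixture, with the lowercase expectation written as a literal rather than recomputed with `toLowerCase()`, would make the test independent of the code under test.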

