Return-Path: X-Original-To: archive-asf-public-internal@cust-asf2.ponee.io Delivered-To: archive-asf-public-internal@cust-asf2.ponee.io Received: from cust-asf.ponee.io (cust-asf.ponee.io [163.172.22.183]) by cust-asf2.ponee.io (Postfix) with ESMTP id 3CA57200C5A for ; Tue, 18 Apr 2017 15:52:59 +0200 (CEST) Received: by cust-asf.ponee.io (Postfix) id 3B35C160BA1; Tue, 18 Apr 2017 13:52:59 +0000 (UTC) Delivered-To: archive-asf-public@cust-asf.ponee.io Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by cust-asf.ponee.io (Postfix) with SMTP id 5BBAF160B90 for ; Tue, 18 Apr 2017 15:52:58 +0200 (CEST) Received: (qmail 63399 invoked by uid 500); 18 Apr 2017 13:52:57 -0000 Mailing-List: contact commits-help@ambari.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: ambari-dev@ambari.apache.org Delivered-To: mailing list commits@ambari.apache.org Received: (qmail 63390 invoked by uid 99); 18 Apr 2017 13:52:57 -0000 Received: from git1-us-west.apache.org (HELO git1-us-west.apache.org) (140.211.11.23) by apache.org (qpsmtpd/0.29) with ESMTP; Tue, 18 Apr 2017 13:52:57 +0000 Received: by git1-us-west.apache.org (ASF Mail Server at git1-us-west.apache.org, from userid 33) id 75E4ADFC31; Tue, 18 Apr 2017 13:52:57 +0000 (UTC) Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit 
From: rlevas@apache.org To: commits@ambari.apache.org Message-Id: X-Mailer: ASF-Git Admin Mailer Subject: ambari git commit: AMBARI-18813. Optionally force username from LDAP authentication data to be lowercase in Ambari (rlevas) Date: Tue, 18 Apr 2017 13:52:57 +0000 (UTC) archived-at: Tue, 18 Apr 2017 13:52:59 -0000 Repository: ambari Updated Branches: refs/heads/branch-2.4 943fac128 -> 34f0103f6 AMBARI-18813. Optionally force username from LDAP authentication data to be lowercase in Ambari (rlevas) Project: http://git-wip-us.apache.org/repos/asf/ambari/repo Commit: http://git-wip-us.apache.org/repos/asf/ambari/commit/34f0103f Tree: http://git-wip-us.apache.org/repos/asf/ambari/tree/34f0103f Diff: http://git-wip-us.apache.org/repos/asf/ambari/diff/34f0103f Branch: refs/heads/branch-2.4 Commit: 34f0103f6d50d27fbeb1482e86a03daee7cff795 Parents: 943fac1 Author: Robert Levas Authored: Tue Apr 18 09:52:46 2017 -0400 Committer: Robert Levas Committed: Tue Apr 18 09:52:46 2017 -0400 ---------------------------------------------------------------------- .../server/configuration/Configuration.java | 4 +++ .../AmbariLdapBindAuthenticator.java | 15 +++++++++-- .../authorization/LdapServerProperties.java | 26 ++++++++++++++++++++ .../AmbariLdapBindAuthenticatorTest.java | 17 +++++++++++-- 4 files changed, 58 insertions(+), 4 deletions(-) ----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/ambari/blob/34f0103f/ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java b/ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java
index a91eada..a55dbbe 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java
@@ -189,6 +189,7 @@ public class Configuration {
 public static final String LDAP_MANAGER_PASSWORD_KEY = "authentication.ldap.managerPassword";
 public static final String LDAP_DN_ATTRIBUTE_KEY = "authentication.ldap.dnAttribute";
 public static final String LDAP_USERNAME_ATTRIBUTE_KEY = "authentication.ldap.usernameAttribute";
+ public static final String LDAP_USERNAME_FORCE_LOWERCASE_KEY = "authentication.ldap.username.forceLowercase";
 public static final String LDAP_USER_BASE_KEY = "authentication.ldap.userBase";
 public static final String LDAP_USER_OBJECT_CLASS_KEY = "authentication.ldap.userObjectClass";
 public static final String LDAP_GROUP_BASE_KEY = "authentication.ldap.groupBase";
@@ -517,6 +518,7 @@ public class Configuration {
 private static final String LDAP_PRIMARY_URL_DEFAULT = "localhost:33389";
 private static final String LDAP_BASE_DN_DEFAULT = "dc=ambari,dc=apache,dc=org";
 private static final String LDAP_USERNAME_ATTRIBUTE_DEFAULT = "uid";
+ private static final String LDAP_USERNAME_FORCE_LOWERCASE_DEFAULT = "false";
 private static final String LDAP_DN_ATTRIBUTE_DEFAULT = "dn";
 private static final String LDAP_USER_BASE_DEFAULT = "ou=people,dc=ambari,dc=apache,dc=org";
 private static final String LDAP_USER_OBJECT_CLASS_DEFAULT = "person";
@@ -1889,6 +1891,8 @@ public class Configuration {
 (LDAP_BASE_DN_KEY, LDAP_BASE_DN_DEFAULT));
 ldapServerProperties.setUsernameAttribute(properties.
 getProperty(LDAP_USERNAME_ATTRIBUTE_KEY, LDAP_USERNAME_ATTRIBUTE_DEFAULT));
+ ldapServerProperties.setForceUsernameToLowercase("true".equalsIgnoreCase(properties.
+ getProperty(LDAP_USERNAME_FORCE_LOWERCASE_KEY, LDAP_USERNAME_FORCE_LOWERCASE_DEFAULT)));
 ldapServerProperties.setUserBase(properties.getProperty(
 LDAP_USER_BASE_KEY, LDAP_USER_BASE_DEFAULT));
http://git-wip-us.apache.org/repos/asf/ambari/blob/34f0103f/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariLdapBindAuthenticator.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariLdapBindAuthenticator.java b/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariLdapBindAuthenticator.java
index 917471b..9e534a6 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariLdapBindAuthenticator.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariLdapBindAuthenticator.java
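Review bot: In the Configuration.java hunk at -1889 the new flag is parsed with `"true".equalsIgnoreCase(properties.getProperty(...))`, so every value that is not exactly `true` silently leaves lowercasing disabled; if `properties` is a `java.util.Properties`, that includes `true` followed by trailing whitespace, which the loader keeps. Because this setting decides which account name an LDAP login is mapped to, a silently ignored value is worth guarding against, for example `Boolean.parseBoolean(properties.getProperty(LDAP_USERNAME_FORCE_LOWERCASE_KEY, LDAP_USERNAME_FORCE_LOWERCASE_DEFAULT).trim())`, and ideally a warning when the value is neither `true` nor `false`. The enclosing method starts and ends outside the hunk.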
@@ -71,9 +71,20 @@ public class AmbariLdapBindAuthenticator extends BindAuthenticator {
 // if authenticated user name is different from ldap user name than user has logged in
 // with a login name that is different (e.g. user principal name) from the ambari user name stored in
 // ambari db. In this case add the user login name as login alias for ambari user name.
- LOG.info("User with {}='{}' logged in with login alias '{}'", ldapUserName, loginName);
+ LOG.info("User with {}='{}' logged in with login alias '{}'", ldapServerProperties.getUsernameAttribute(), ldapUserName, loginName);
+
+ // If the ldap username needs to be processed (like converted to all lowercase characters,
+ // process it before setting it in the session via AuthorizationHelper#addLoginNameAlias
+ String processedLdapUserName;
+ if(ldapServerProperties.isForceUsernameToLowercase()) {
+ processedLdapUserName = ldapUserName.toLowerCase();
+ LOG.info("Forcing ldap username to be lowercase characters: {} ==> {}", ldapUserName, processedLdapUserName);
+ }
+ else {
+ processedLdapUserName = ldapUserName;
+ }
- AuthorizationHelper.addLoginNameAlias(ldapUserName, loginName);
+ AuthorizationHelper.addLoginNameAlias(processedLdapUserName, loginName);
 }
 return user;
http://git-wip-us.apache.org/repos/asf/ambari/blob/34f0103f/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/LdapServerProperties.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/LdapServerProperties.java b/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/LdapServerProperties.java
index a3086693..e76e944 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/LdapServerProperties.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/LdapServerProperties.java
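Review bot: In the AmbariLdapBindAuthenticator.java hunk, `ldapUserName.toLowerCase()` folds case with the JVM's default locale, so the same directory entry can normalize to different account names on differently configured hosts (under a Turkish locale `I` becomes dotless `ı`); for an identity value use `processedLdapUserName = ldapUserName.toLowerCase(Locale.ROOT);` with `java.util.Locale` imported. The lowercasing is applied only inside this alias branch, whose condition lies outside the hunk; if that condition compares `ldapUserName` and `loginName` case-sensitively, a login that types the mixed-case LDAP name exactly would bypass the normalization, which is worth confirming against the rest of the method. Both INFO messages write `ldapUserName` and `loginName` verbatim, and `loginName` appears to be caller-supplied, so consider neutralizing CR/LF before logging if the log format does not already do so.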
@@ -50,6 +50,7 @@ public class LdapServerProperties { private String userBase; private String userObjectClass; private String usernameAttribute; + private boolean forceUsernameToLowercase = false; private String userSearchBase = ""; private String syncGroupMemberReplacePattern = ""; @@ -165,6 +166,28 @@ public class LdapServerProperties { this.usernameAttribute = usernameAttribute; } + /** + * Sets whether the username retrieved from the LDAP server during authentication is to be forced + * to all lowercase characters before assigning to the authenticated user. + * + * @param forceUsernameToLowercase true to force the username to be lowercase; false to leave as + * it was when retrieved from the LDAP server + */ + public void setForceUsernameToLowercase(boolean forceUsernameToLowercase) { + this.forceUsernameToLowercase = forceUsernameToLowercase; + } + + /** + * Gets whether the username retrieved from the LDAP server during authentication is to be forced + * to all lowercase characters before assigning to the authenticated user. + * + * @return true to force the username to be lowercase; false to leave as it was when retrieved from + * the LDAP server + */ + public boolean isForceUsernameToLowercase() { + return forceUsernameToLowercase; + } + public String getGroupBase() { return groupBase; } @@ -331,6 +354,8 @@ public class LdapServerProperties { return false; if (usernameAttribute != null ? !usernameAttribute.equals(that.usernameAttribute) : that.usernameAttribute != null) return false; + if (forceUsernameToLowercase != that.forceUsernameToLowercase) + return false; if (groupBase != null ? !groupBase.equals(that.groupBase) : that.groupBase != null) return false; if (groupObjectClass != null ? !groupObjectClass.equals(that.groupObjectClass) : 
@@ -379,6 +404,7 @@ public class LdapServerProperties {
 result = 31 * result + (userBase != null ? userBase.hashCode() : 0);
 result = 31 * result + (userObjectClass != null ? userObjectClass.hashCode() : 0);
 result = 31 * result + (usernameAttribute != null ? usernameAttribute.hashCode() : 0);
+ result = 31 * result + (forceUsernameToLowercase ? 1 : 0);
 result = 31 * result + (groupBase != null ? groupBase.hashCode() : 0);
 result = 31 * result + (groupObjectClass != null ? groupObjectClass.hashCode() : 0);
 result = 31 * result + (groupMembershipAttr != null ? groupMembershipAttr.hashCode() : 0);
http://git-wip-us.apache.org/repos/asf/ambari/blob/34f0103f/ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AmbariLdapBindAuthenticatorTest.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AmbariLdapBindAuthenticatorTest.java b/ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AmbariLdapBindAuthenticatorTest.java
index 27e62e2..ad57395 100644
--- a/ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AmbariLdapBindAuthenticatorTest.java
+++ b/ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AmbariLdapBindAuthenticatorTest.java
@@ -84,7 +84,16 @@ public class AmbariLdapBindAuthenticatorTest extends AmbariLdapAuthenticationPro
 }
 @Test
- public void testAuthenticateWithLoginAlias() throws Exception {
+ public void testAuthenticateWithLoginAliasDefault() throws Exception {
+ testAuthenticateWithLoginAlias(false);
+ }
+
+ @Test
+ public void testAuthenticateWithLoginAliasForceToLower() throws Exception {
+ testAuthenticateWithLoginAlias(true);
+ }
+
+ private void testAuthenticateWithLoginAlias(boolean forceUsernameToLower) throws Exception {
 // Given
 LdapContextSource ldapCtxSource = new LdapContextSource();
@@ -101,6 +110,10 @@ public class AmbariLdapBindAuthenticatorTest extends AmbariLdapAuthenticationPro
 properties.setProperty(Configuration.SHARED_RESOURCES_DIR_KEY, "src/test/resources/");
 properties.setProperty(Configuration.LDAP_BASE_DN_KEY, "dc=ambari,dc=apache,dc=org");
+ if(forceUsernameToLower) {
+ properties.setProperty(Configuration.LDAP_USERNAME_FORCE_LOWERCASE_KEY, "true");
+ }
+
 Configuration configuration = new Configuration(properties);
 AmbariLdapBindAuthenticator bindAuthenticator = new AmbariLdapBindAuthenticator(ldapCtxSource, configuration);
@@ -116,7 +129,7 @@ public class AmbariLdapBindAuthenticatorTest extends AmbariLdapAuthenticationPro
 RequestContextHolder.setRequestAttributes(servletRequestAttributes);
- servletRequestAttributes.setAttribute(eq(loginAlias), eq(userName), eq(RequestAttributes.SCOPE_SESSION));
+ servletRequestAttributes.setAttribute(eq(loginAlias), eq(forceUsernameToLower ? userName.toLowerCase(): userName), eq(RequestAttributes.SCOPE_SESSION));
 expectLastCall().once();
 replayAll();
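Review bot: In the last AmbariLdapBindAuthenticatorTest.java hunk the expectation `eq(forceUsernameToLower ? userName.toLowerCase(): userName)` separates the two modes only if the `userName` fixture, which is defined outside the hunk, contains uppercase characters; if it is already lowercase, both tests expect the same session value and the new branch is not really exercised. Consider stating that requirement next to the expectation, e.g. `// userName must contain uppercase characters, otherwise both modes expect the same alias target`, or asserting it before `replayAll()`. The helper `testAuthenticateWithLoginAlias(boolean)` begins in the previous hunk and ends outside the visible lines.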