kylin-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Peng Xing (JIRA)" <j...@apache.org>
Subject [jira] [Comment Edited] (KYLIN-3199) The login dialog should be closed when ldap user with no permission login correctly
Date Tue, 30 Jan 2018 09:20:00 GMT

    [ https://issues.apache.org/jira/browse/KYLIN-3199?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16344724#comment-16344724
] 

Peng Xing edited comment on KYLIN-3199 at 1/30/18 9:19 AM:
-----------------------------------------------------------

Hi, [~Zhixiong Chen] and [~Aron.tao], I have found out the reason.
After refactor with follow issue.
[KYLIN-2960|https://issues.apache.org/jira/browse/KYLIN-2960] 
The 'curUser.userDetails.authorities' contains only one group named '{color:red}xpGroup{color}',
which is not configured for '{color:red}kylin.security.acl.admin-role{color}' in kylin.properties,
so the user '{color:red}xp{color}' who belongs to '{color:red}xpGroup{color}' has no permission.
Then you login in with user '{color:red}xp{color}', '{color:#205081}roles[authority.authority]{color}'
is undefined.

But before refactor, every user has at least two default roles which is configured in kylin.properties
as follow.
{code:java}
kylin.security.acl.default-role=ROLE_ANALYST,ROLE_MODELER
{code}
so the user '{color:#d04437}xp{color}' who belongs to 'xpGroup' has two default roles '{color:#d04437}ROLE_ANALYST{color}'
and '{color:#d04437}ROLE_MODELER{color}'.
Then you login in with user '{color:#d04437}xp{color}', '{color:#205081}roles[authority.authority]{color}'
is '{color:#d04437}/models{color}'.

So I think the real reason is that the return value of background interface has changed.
Before: the user has two default roles 'ROLE_ANALYST' and 'ROLE_MODELER'.
After:    the user has no default role.

So [~Zhixiong Chen] and [~Aron.tao], can you give a suggestion? can I modified the web code
or backgroud code? thanks!


was (Author: xingpeng1):
Hi, [~Zhixiong Chen] and [~Aron.tao], I have found out the reason.
After refactor with follow issue.
[KYLIN-2960|https://issues.apache.org/jira/browse/KYLIN-2960] 
The 'curUser.userDetails.authorities' contains only one group named 'xpGroup', which is not
configured for 'kylin.security.acl.admin-role' in kylin.properties, so the user 'xp' who belongs
to 'xpGroup' has no permission.
Then you login in with user 'xp', 'roles[authority.authority]' is undefined.

But before refactor, every user has at least two default roles which is configured in kylin.properties
as follow.
{code:java}
kylin.security.acl.default-role=ROLE_ANALYST,ROLE_MODELER
{code}
so the user 'xp' who belongs to 'xpGroup' has two default roles 'ROLE_ANALYST' and 'ROLE_MODELER'.
Then you login in with user 'xp', 'roles[authority.authority]' is '/models'.

So I think the real reason is that the return value of background interface has changed.
Before: the user has two default roles 'ROLE_ANALYST' and 'ROLE_MODELER'.
After:    the user has no default role.

So [~Zhixiong Chen] and [~Aron.tao], can you give a suggestion? can I modified the web code
or backgroud code? thanks!

> The login dialog should be closed when ldap user with no permission login correctly
> -----------------------------------------------------------------------------------
>
>                 Key: KYLIN-3199
>                 URL: https://issues.apache.org/jira/browse/KYLIN-3199
>             Project: Kylin
>          Issue Type: Bug
>          Components: Web 
>    Affects Versions: v2.3.0
>            Reporter: Peng Xing
>            Assignee: Peng Xing
>            Priority: Minor
>              Labels: patch
>         Attachments: 0001-KYLIN-3199-The-login-dialog-should-be-closed-when-ld.patch,
ldap_user_login.png
>
>
> 1. Open ldap authentication, but I do not give the admin permission to group 'xpGroup';
> 2. Create a ldap user 'xp', who belongs to group 'xpGroup', so this user has none permission.
> 3. When user 'xp' login in, the above bar has showed and been enabled, but the login
dialog still show.
> 4. Then you can click any button on above bar.
> Please refer to 'ldap_user_login.png'
> I think the login dialog should be closed when you login in correctly, and redirect to
the 'Model' page, but this user has no permission.
> I have modified this issue, please review the patch, thanks!



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

Mime
View raw message