kylin-issues mailing list archives

From "jiatao.tao (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (KYLIN-3197) When ldap is opened, I use an ignored case user to login, the page does not respond.
Date Mon, 12 Feb 2018 04:15:00 GMT

    [ https://issues.apache.org/jira/browse/KYLIN-3197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16360290#comment-16360290 ]

jiatao.tao commented on KYLIN-3197:
-----------------------------------

I understand your description, and there's no need to post again if there's no update.

And I tested your scenario, as you can see in the previous comment, and cannot reproduce your
problem.

I recommend that we first find what the problem is: is it incorrect usage on your side? An environment
problem? An LDAP problem? Or is it a bug in Kylin? You can refer to my experiment. The LDIF config
and Kylin config are as follows.

 

Hope you can find the true root cause.

LDIF
{code:java}
# People, example.com
dn: ou=People,dc=example,dc=com
ou: People
cn: People
objectClass: organizationalRole
objectClass: top

# jenny, People, example.com
dn: cn=jenny,ou=People,dc=example,dc=com
mail: jenny@example.io
ou: Analyst
cn: jenny
sn: jenny liu
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
userPassword:: ZXhhbXBsZTEyMw==

# admin, Groups, example.com
dn: cn=admin,ou=Groups,dc=example,dc=com
cn: admin
member: cn=jenny,ou=People,dc=example,dc=com
objectClass: groupOfNames
objectClass: top
{code}
{code:java}
kylin.security.ldap.user-search-base=ou=People,dc=example,dc=com
kylin.security.ldap.user-group-search-base=ou=Groups,dc=example,dc=com
kylin.security.ldap.user-search-pattern=(&(cn={0}))
kylin.security.ldap.user-group-search-filter=(|(member={0})(memberUid={1}))

kylin.security.acl.admin-role=admin

{code}

> When ldap is opened, I use an ignored case user to login, the page does not respond.
> ------------------------------------------------------------------------------------
>
>                 Key: KYLIN-3197
>                 URL: https://issues.apache.org/jira/browse/KYLIN-3197
>             Project: Kylin
>          Issue Type: Bug
>          Components: Security
>    Affects Versions: v2.3.0
>            Reporter: Peng Xing
>            Assignee: Peng Xing
>            Priority: Major
>              Labels: patch
>             Fix For: Future
>
>         Attachments: 0001-KYLIN-3197-When-ldap-is-opened-I-use-an-ignored-case.patch,
>                      image-2018-01-25-17-22-39-970.png, image-2018-02-06-14-09-32-591.png, image-2018-02-08-15-32-25-030.png,
>                      image-2018-02-08-15-33-07-277.png, image-2018-02-08-15-33-54-480.png, image-2018-02-08-15-35-03-902.png
>
>
> When ldap is opened, I configure kylin.properties, and give wkhGroup the admin permission.
> {code:java}
> ## Admin roles in LDAP, for ldap and saml
> kylin.security.acl.admin-role=wkhGroup
> {code}
> then I create a new user named 'wkh' whose group is 'wkhGroup', then I use 'wkh' to log in, which is normal.
>  But when I use 'WKH' to log in, the page does not respond.
>  I analyzed the background code, and found that the function 'org.apache.kylin.rest.security.LDAPAuthoritiesPopulator.getGroupMembershipRoles(String, String)' has a problem.
>  When userDn is "uid=wkh,ou=People,ou=defaultCluster,dc=zdh,dc=com" and username is "WKH", then authorities will be an empty Set from the following code:
> {code:java}
> Set<GrantedAuthority> authorities = super.getGroupMembershipRoles(userDn, username);
> {code}
> So I have added a 'getAdditionalRoles' function to get the authorities again.
>  I have tested the patch, please review, thanks!



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
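
A toy model of the lookup discussed in this thread, added here as an illustration (not Kylin or Spring Security code, and not the attached patch). It assumes standard LDAP matching rules (uid and cn are case-insensitive per RFC 4519, memberUid is case-exact per RFC 2307) and uses constructed directories; that the reporter's groups are memberUid-based is an assumption the thread does not confirm, and the `canonical` switch is a hypothetical mitigation.

```python
# Simplified model of LDAP equality matching for the group filter
# (|(member={0})(memberUid={1})). Added example with constructed data.
GROUP_BASE = "ou=Groups,dc=example,dc=com"   # constructed search base
CASE_EXACT = {"memberuid"}                   # caseExactIA5Match (RFC 2307)

def attr_equal(attr, stored, asserted):
    """Compare one stored value with an asserted value under the attribute's rule."""
    if attr.lower() in CASE_EXACT:
        return stored == asserted
    # uid/cn use caseIgnoreMatch; DN matching for 'member' is simplified
    # to the same case-insensitive, whitespace-trimmed comparison.
    return stored.strip().lower() == asserted.strip().lower()

def matches(entry, clauses):
    """OR filter: true if any (attribute, value) clause matches a stored value."""
    return any(attr_equal(a, s, v) for a, v in clauses for s in entry.get(a, []))

def login_roles(directory, typed_name, canonical=False):
    """Return (userDn, roles). {0} is the DN read back from the directory,
    {1} is the name as typed unless canonical=True, in which case the uid
    stored in the user's entry is substituted (hypothetical mitigation)."""
    user = next((e for e in directory if matches(e, [("uid", typed_name)])), None)
    if user is None:
        return None, set()
    user_dn = user["dn"][0]
    name = user["uid"][0] if canonical else typed_name
    group_filter = [("member", user_dn), ("memberUid", name)]
    roles = {e["cn"][0] for e in directory
             if e["dn"][0].endswith(GROUP_BASE) and matches(e, group_filter)}
    return user_dn, roles

# Constructed entries: one user, and the same group in two schema styles.
USER = {"dn": ["uid=wkh,ou=People,dc=example,dc=com"], "uid": ["wkh"]}
GROUP_OF_NAMES = {"dn": ["cn=wkhGroup," + GROUP_BASE], "cn": ["wkhGroup"],
                  "member": [USER["dn"][0]]}      # like the LDIF in the comment
POSIX_GROUP = {"dn": ["cn=wkhGroup," + GROUP_BASE], "cn": ["wkhGroup"],
               "memberUid": ["wkh"]}              # assumed reporter-style group

if __name__ == "__main__":
    for label, group in (("groupOfNames", GROUP_OF_NAMES), ("posixGroup", POSIX_GROUP)):
        for typed in ("wkh", "WKH"):
            print(label, typed, login_roles([USER, group], typed))
    print("canonical", login_roles([USER, POSIX_GROUP], "WKH", canonical=True))
```

In this model a member-based group resolves for either spelling, which is consistent with the commenter's groupOfNames directory not reproducing the report, while a memberUid-only group returns no roles for 'WKH' even though the user search succeeds.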
