kylin-issues mailing list archives

From "jiatao.tao (JIRA)" <j...@apache.org>
Subject [jira] [Comment Edited] (KYLIN-3197) When ldap is opened, I use an ignored case user to login, the page does not respond.
Date Mon, 12 Feb 2018 04:36:00 GMT

    [ https://issues.apache.org/jira/browse/KYLIN-3197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16360290#comment-16360290 ]

jiatao.tao edited comment on KYLIN-3197 at 2/12/18 4:35 AM:
------------------------------------------------------------

Hi [~xingpeng1]

I understand your description, and there's no need to post again if there's no update.

And I tested your scenario, as you can see in the previous comment, and cannot reproduce your problem.

Let's put aside your patch first; the root cause may not be the one you think. I recommend that we first find what the problem is, e.g. wrong usage? environment problem? LDAP problem? or is it a bug in Kylin? You can refer to my experiment. The LDIF config and Kylin config are as follows.

(As for me, in your config is very suspicious, ldap may use this as username to search group members.)

Hope you can find the true root cause.

LDIF
{code:java}
# People, example.com
dn: ou=People,dc=example,dc=com
ou: People
cn: People
objectClass: organizationalRole
objectClass: top

# jenny, People, example.com
dn: cn=jenny,ou=People,dc=example,dc=com
mail: jenny@example.io
ou: Analyst
cn: jenny
sn: jenny liu
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
userPassword:: ZXhhbXBsZTEyMw==

# admin, Groups, example.com
dn: cn=admin,ou=Groups,dc=example,dc=com
cn: admin
member: cn=jenny,ou=People,dc=example,dc=com
objectClass: groupOfNames
objectClass: top
{code}
{code:java}
kylin.security.ldap.user-search-base=ou=People,dc=example,dc=com
kylin.security.ldap.user-group-search-base=ou=Groups,dc=example,dc=com
kylin.security.ldap.user-search-pattern=(&(cn={0}))
kylin.security.ldap.user-group-search-filter=(|(member={0})(memberUid={1}))

kylin.security.acl.admin-role=admin

{code}


was (Author: aron.tao):
Hi [~xingpeng1]

I understand your description, and there's no need to post again if there's no update.

And I tested your scenario, as you can see in the previous comment, and cannot reproduce your problem.

Let's put aside your patch first; the root cause may not be the one you think. I recommend that we first find what the problem is, e.g. wrong usage? environment problem? LDAP problem? or is it a bug in Kylin? You can refer to my experiment. The LDIF config and Kylin config are as follows.

 

Hope you can find the true root cause.

LDIF
{code:java}
# People, example.com
dn: ou=People,dc=example,dc=com
ou: People
cn: People
objectClass: organizationalRole
objectClass: top

# jenny, People, example.com
dn: cn=jenny,ou=People,dc=example,dc=com
mail: jenny@example.io
ou: Analyst
cn: jenny
sn: jenny liu
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
userPassword:: ZXhhbXBsZTEyMw==

# admin, Groups, example.com
dn: cn=admin,ou=Groups,dc=example,dc=com
cn: admin
member: cn=jenny,ou=People,dc=example,dc=com
objectClass: groupOfNames
objectClass: top
{code}
{code:java}
kylin.security.ldap.user-search-base=ou=People,dc=example,dc=com
kylin.security.ldap.user-group-search-base=ou=Groups,dc=example,dc=com
kylin.security.ldap.user-search-pattern=(&(cn={0}))
kylin.security.ldap.user-group-search-filter=(|(member={0})(memberUid={1}))

kylin.security.acl.admin-role=admin

{code}

> When ldap is opened, I use an ignored case user to login, the page does not respond.
> ------------------------------------------------------------------------------------
>
>                 Key: KYLIN-3197
>                 URL: https://issues.apache.org/jira/browse/KYLIN-3197
>             Project: Kylin
>          Issue Type: Bug
>          Components: Security
>    Affects Versions: v2.3.0
>            Reporter: Peng Xing
>            Assignee: Peng Xing
>            Priority: Major
>              Labels: patch
>             Fix For: Future
>
>         Attachments: 0001-KYLIN-3197-When-ldap-is-opened-I-use-an-ignored-case.patch,
>                      image-2018-01-25-17-22-39-970.png, image-2018-02-06-14-09-32-591.png,
>                      image-2018-02-08-15-32-25-030.png, image-2018-02-08-15-33-07-277.png,
>                      image-2018-02-08-15-33-54-480.png, image-2018-02-08-15-35-03-902.png,
>                      image-2018-02-12-12-15-00-574.png, image-2018-02-12-12-15-28-826.png,
>                      image-2018-02-12-12-15-39-132.png, image-2018-02-12-12-25-15-793.png
>
>
> When ldap is opened, I configure kylin.properties and give wkhGroup the admin permission.
> {code:java}
> ## Admin roles in LDAP, for ldap and saml
> kylin.security.acl.admin-role=wkhGroup
> {code}
> then I create a new user named 'wkh' whose group is 'wkhGroup', then I use 'wkh' to log in, which is normal.
>  But when I use 'WKH' to log in, the page does not respond.
>  I analyze the background code, and find the function 'org.apache.kylin.rest.security.LDAPAuthoritiesPopulator.getGroupMembershipRoles(String, String)' has a problem.
>  When userDn is "uid=wkh,ou=People,ou=defaultCluster,dc=zdh,dc=com" and username is "WKH", then authorities will be an empty Set from the following code:
> {code:java}
> Set<GrantedAuthority> authorities = super.getGroupMembershipRoles(userDn, username);
> {code}
> So I have added a 'getAdditionalRoles' function to get the authorities again.
>  I have tested the patch, please review, thanks!



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
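
The two-step lookup that the configuration in this message drives (user search, then group search with {0} = user DN and {1} = the username as typed), as an added example that is not code from Kylin, Spring Security or either participant. It is a simplified simulation of the standard matching rules, and the `analysts` group with `memberUid` is a constructed entry that does not appear in the LDIF above.

```python
# Added illustration; simplified matching, not a real LDAP client.
# cn: caseIgnoreMatch (RFC 4519); member: distinguishedNameMatch;
# memberUid: caseExactIA5Match (RFC 2307).
USERS = ["cn=jenny,ou=People,dc=example,dc=com"]  # from the LDIF above
GROUPS = {
    # groupOfNames entry from the LDIF above
    "admin": {"member": ["cn=jenny,ou=People,dc=example,dc=com"], "memberUid": []},
    # constructed posixGroup-style entry (assumption, not on the page)
    "analysts": {"member": [], "memberUid": ["jenny"]},
}

def norm_dn(dn):
    """Simplified DN comparison key: lower-case, trim each RDN."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def find_user(login):
    """user-search-pattern (&(cn={0})): cn is compared ignoring case."""
    for dn in USERS:
        cn = dn.split(",")[0].split("=", 1)[1]
        if cn.lower() == login.lower():
            return dn
    return None

def group_roles(user_dn, username):
    """user-group-search-filter (|(member={0})(memberUid={1}))."""
    roles = set()
    for name, attrs in GROUPS.items():
        by_dn = any(norm_dn(m) == norm_dn(user_dn) for m in attrs["member"])
        by_uid = username in attrs["memberUid"]  # case-exact comparison
        if by_dn or by_uid:
            roles.add(name)
    return roles

def login_roles(login, canonicalize=False):
    """Roles for a typed login; None when the user search finds nothing."""
    dn = find_user(login)
    if dn is None:
        return None
    # Optional hardening: take {1} from the directory entry, not the typed text.
    username = dn.split(",")[0].split("=", 1)[1] if canonicalize else login
    return group_roles(dn, username)

if __name__ == "__main__":
    for typed in ("jenny", "JENNY"):
        print(typed, sorted(login_roles(typed)), sorted(login_roles(typed, True)))
```

With the `member` (DN) branch the typed case makes no difference, while the `memberUid` branch resolves roles only when the typed case matches the stored value, unless the username is first taken from the directory entry.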
