kylin-issues mailing list archives

From "Peng Xing (JIRA)" <j...@apache.org>
Subject [jira] [Comment Edited] (KYLIN-3197) When ldap is opened, I use an ignored case user to login, the page does not respond.
Date Mon, 12 Feb 2018 07:42:00 GMT

    [ https://issues.apache.org/jira/browse/KYLIN-3197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16360388#comment-16360388 ]

Peng Xing edited comment on KYLIN-3197 at 2/12/18 7:41 AM:
-----------------------------------------------------------

Hi [~Aron.tao], I have found out the reason why your environment works for a case-insensitive
LDAP username: because your Linux is SUSE, the member format in the group is the userDn, just like 'uid=wkh,ou=People,ou=defaultCluster,dc=zdh,dc=com',
so when the userDn is "uid={color:red}wkh{color},ou=People,ou=defaultCluster,dc=zdh,dc=com",
LDAP can use the userDn to match the LDAP group. I have tested this in a SUSE environment, and it
really works.

{code:java}
dn: cn=wkhGroup,ou=Group,ou=defaultCluster,dc=zdh,dc=com
objectClass: posixGroup
objectClass: top
objectClass: groupOfNames
cn: wkhGroup
gidNumber: 10015
member: uid=wkh,ou=People,ou=defaultCluster,dc=zdh,dc=com
structuralObjectClass: groupOfNames
entryUUID: 4bacacf6-a410-1037-996c-b7792c876d2c
creatorsName: cn=LdapAdmin,dc=zdh,dc=com
createTimestamp: 20180212071549Z
entryCSN: 20180212071617.147179Z#000000#001#000000
modifiersName: cn=LdapAdmin,dc=zdh,dc=com
modifyTimestamp: 20180212071617Z
{code}

But my environment is Redhat, where the memberUid format in the group is the username or cn, just like 'wkh',
so when the username is "WKH", LDAP can not use "WKH" to match the LDAP group.

{code:java}
dn: cn=wkhGroup,ou=Group,ou=defaultCluster,dc=zdh,dc=com
objectClass: posixGroup
objectClass: top
cn: wkhGroup
gidNumber: 10000
structuralObjectClass: posixGroup
entryUUID: f99c7e72-9466-1037-8810-e1d7152e775c
creatorsName: cn=LdapAdmin,dc=zdh,dc=com
createTimestamp: 20180123085558Z
memberUid: wkh
memberUid: wkh1
memberUid: wkh2
memberUid: Wkh5
entryCSN: 20180124082044.774518Z#000000#001#000000
modifiersName: cn=LdapAdmin,dc=zdh,dc=com
modifyTimestamp: 20180124082044Z
{code}

Then I will answer your two questions.
1. The signature of getAdditionalRoles() seems not to be the way you use it.
Because Redhat Linux can not support a case-insensitive LDAP username, that is to say
'getGroupMembershipRoles(userDn, username)' will return an empty Set, I analyzed the Spring
source code: after 'getGroupMembershipRoles(userDn, username)', it calls 'getAdditionalRoles(user,
username)' to get the roles again, and there I can get the real username from the DirContextOperations
object.

2. In your patch you directly get the username and do not use the name that getAdditionalRoles(DirContextOperations
user, String username) passed in.
Because the username passed in is not the real one but 'WKH', I found a way to fetch the
real one from the DirContextOperations object with 'username = user.getStringAttribute("cn");'


> When ldap is opened, I use an ignored case user to login, the page does not respond.
> ------------------------------------------------------------------------------------
>
>                 Key: KYLIN-3197
>                 URL: https://issues.apache.org/jira/browse/KYLIN-3197
>             Project: Kylin
>          Issue Type: Bug
>          Components: Security
>    Affects Versions: v2.3.0
>            Reporter: Peng Xing
>            Assignee: Peng Xing
>            Priority: Major
>              Labels: patch
>             Fix For: Future
>
>         Attachments: 0001-KYLIN-3197-When-ldap-is-opened-I-use-an-ignored-case.patch,
image-2018-01-25-17-22-39-970.png, image-2018-02-06-14-09-32-591.png, image-2018-02-08-15-32-25-030.png,
image-2018-02-08-15-33-07-277.png, image-2018-02-08-15-33-54-480.png, image-2018-02-08-15-35-03-902.png,
image-2018-02-12-12-15-00-574.png, image-2018-02-12-12-15-28-826.png, image-2018-02-12-12-15-39-132.png,
image-2018-02-12-12-25-15-793.png
>
>
> When ldap is opened, I configure kylin.properties and give wkhGroup the admin permission.
> {code:java}
> ## Admin roles in LDAP, for ldap and saml
> kylin.security.acl.admin-role=wkhGroup
> {code}
> Then I create a new user named 'wkh' whose group is 'wkhGroup', and I use '{color:#ff0000}wkh{color}' to log in, which is normal.
>  But when I use '{color:#ff0000}WKH{color}' to log in, the page does not respond.
>  I analyzed the background code, and found that the function 'org.apache.kylin.rest.security.LDAPAuthoritiesPopulator.getGroupMembershipRoles(String, String)' has a problem.
>  When userDn is "uid={color:#ff0000}wkh{color},ou=People,ou=defaultCluster,dc=zdh,dc=com" and username is "{color:#ff0000}WKH{color}", then authorities will be an empty Set from the following code:
> {code:java}
> Set<GrantedAuthority> authorities = super.getGroupMembershipRoles(userDn, username);
> {code}
> So I have added a 'getAdditionalRoles' function to get the authorities again.
>  I have tested the patch, please review, thanks!



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
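An added example, not the patch attached to KYLIN-3197 and not Kylin's own code: a Spring Security DefaultLdapAuthoritiesPopulator subclass that does what the comment above describes, re-running the group lookup from getAdditionalRoles with the login name as stored on the authenticated directory entry rather than the string the user typed. The class name and constructor are mine; it assumes the entry's canonical login name lives in a configurable attribute (here "uid", whereas the patch discussed above reads "cn").

```java
import java.util.Collections;
import java.util.Set;

import org.springframework.ldap.core.ContextSource;
import org.springframework.ldap.core.DirContextOperations;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator;

/**
 * Example only (not the KYLIN-3197 patch). Spring calls getGroupMembershipRoles(userDn, username)
 * first, then getAdditionalRoles(user, username), and unions the two sets. When the configured
 * groupSearchFilter keys on memberUid with {1}, a login typed as "WKH" finds no group for the
 * entry whose memberUid is "wkh", so the first lookup comes back empty. This override repeats the
 * lookup with the spelling the directory itself holds for the authenticated entry.
 */
public class CanonicalUidAuthoritiesPopulator extends DefaultLdapAuthoritiesPopulator {

    /** Attribute holding the canonical login name; assumed to be "uid" in this example. */
    private final String loginAttribute;

    public CanonicalUidAuthoritiesPopulator(ContextSource contextSource,
                                            String groupSearchBase,
                                            String loginAttribute) {
        super(contextSource, groupSearchBase);
        this.loginAttribute = loginAttribute;
    }

    @Override
    protected Set<GrantedAuthority> getAdditionalRoles(DirContextOperations user, String username) {
        // The value on the authenticated entry, not the string the user typed at login.
        String canonical = user.getStringAttribute(loginAttribute);

        // Nothing extra to add if the entry has no such attribute, or the typed name already
        // matched exactly (in that case the first lookup Spring performed already found the groups).
        if (canonical == null || canonical.equals(username)) {
            return Collections.emptySet();
        }

        // Same search as Spring's first pass (same groupSearchBase and groupSearchFilter),
        // with {0} = the entry's DN and {1} = the directory's own spelling of the login name.
        return getGroupMembershipRoles(user.getNameInNamespace(), canonical);
    }
}
```

Resolving the second lookup from the entry's attribute is preferable to lower-casing the typed name: the posixGroup LDIF in the comment above contains `memberUid: Wkh5`, which a lower-cased lookup would never match, while the attribute read from the entry is exactly what the group references. If the login attribute is multi-valued, getStringAttribute returns only its first value, so the attribute chosen here should be the single-valued one the groups actually reference.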
