kylin-issues mailing list archives

From "jiatao.tao (JIRA)" <j...@apache.org>
Subject [jira] [Comment Edited] (KYLIN-3197) When ldap is opened, I use an ignored case user to login, the page does not respond.
Date Tue, 13 Feb 2018 02:50:00 GMT

    [ https://issues.apache.org/jira/browse/KYLIN-3197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16361734#comment-16361734
] 

jiatao.tao edited comment on KYLIN-3197 at 2/13/18 2:49 AM:
------------------------------------------------------------

Hi [~xingpeng1]

About Redhat, we may need further discussion. It needs a full discussion and comparison, or
we can solve one problem today, but the next day another problem may occur. And can you also put
your user's ldif?

Besides, I know you use getAdditionalRoles() to solve this problem, for sure, but what I am asking
is: should we use this method in this way? Can you find some examples, such as documentation
or other projects, that use it this way? I am not asking how it works. We all understand how it works.
{code:java}
The signature of getAdditionalRoles() seems not the way you use.

Because the Redhat linux can not support the case insensitive ldap username, that is to say
'getGroupMembershipRoles(userDn, username)' will return empty Set, so I analyze the spring
source code, after 'getGroupMembershipRoles(userDn, username)', there will call 'getAdditionalRoles(user,
username)' to get the roles again, then I can get the real username from the DirContextOperations
object.

{code}
Also, I think it may be a requirement or issue that needs discussion, rather than directly getting
"cn" from DirContextOperations.
{code:java}
the username passed in is not real one, but the 'WKH', so I find a way to fetch the real one
from DirContextOperations object by 'username = user.getStringAttribute("cn");'
{code}
 

Looking forward to your opinion.


was (Author: aron.tao):
Hi [~xingpeng1]

About Redhat, we may need further discussion. Can you also put your user's ldif?

Besides, I know you use getAdditionalRoles to solve this problem, for sure, but what I am asking
is: should we use this method in this way? Can you find some examples, such as documentation
or other projects, that use it this way? I am not asking how it works. We all understand how it works.
{code:java}
The signature of getAdditionalRoles() seems not the way you use.

Because the Redhat linux can not support the case insensitive ldap username, that is to say
'getGroupMembershipRoles(userDn, username)' will return empty Set, so I analyze the spring
source code, after 'getGroupMembershipRoles(userDn, username)', there will call 'getAdditionalRoles(user,
username)' to get the roles again, then I can get the real username from the DirContextOperations
object.

{code}
Also, I think it may be a requirement or issue that needs discussion, rather than directly getting
"cn" from DirContextOperations.
{code:java}
the username passed in is not real one, but the 'WKH', so I find a way to fetch the real one
from DirContextOperations object by 'username = user.getStringAttribute("cn");'
{code}
 

Looking forward to your opinion.

> When ldap is opened, I use an ignored case user to login, the page does not respond.
> ------------------------------------------------------------------------------------
>
>                 Key: KYLIN-3197
>                 URL: https://issues.apache.org/jira/browse/KYLIN-3197
>             Project: Kylin
>          Issue Type: Bug
>          Components: Security
>    Affects Versions: v2.3.0
>            Reporter: Peng Xing
>            Assignee: Peng Xing
>            Priority: Major
>              Labels: patch
>             Fix For: Future
>
>         Attachments: 0001-KYLIN-3197-When-ldap-is-opened-I-use-an-ignored-case.patch,
> image-2018-01-25-17-22-39-970.png, image-2018-02-06-14-09-32-591.png, image-2018-02-08-15-32-25-030.png,
> image-2018-02-08-15-33-07-277.png, image-2018-02-08-15-33-54-480.png, image-2018-02-08-15-35-03-902.png,
> image-2018-02-12-12-15-00-574.png, image-2018-02-12-12-15-28-826.png, image-2018-02-12-12-15-39-132.png,
> image-2018-02-12-12-25-15-793.png
>
>
> When ldap is opened, I config the kylin.properties, and give wkhGroup the admin permission.
> {code:java}
> ## Admin roles in LDAP, for ldap and saml
> kylin.security.acl.admin-role=wkhGroup
> {code}
> then I create a new user named 'wkh' whose group is 'wkhGroup', then I use 'wkh' to log in, which is normal.
>  But when I use 'WKH' to log in, the page does not respond.
>  I analyze the background code, and find that the function 'org.apache.kylin.rest.security.LDAPAuthoritiesPopulator.getGroupMembershipRoles(String, String)' has a problem.
>  When userDn is "uid=wkh,ou=People,ou=defaultCluster,dc=zdh,dc=com" and username is "WKH", then authorities will be an empty Set by the following code:
> {code:java}
> Set<GrantedAuthority> authorities = super.getGroupMembershipRoles(userDn, username);
> {code}
> So I have added a 'getAdditionalRoles' function to get the authorities again.
>  I have tested the patch, please review, thanks!



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
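
The failure mode reported in KYLIN-3197, reproduced as an added example (this is not the Kylin patch and not Spring Security code). It assumes the user search matches `uid` case-insensitively while the group search compares the member name exactly; the in-memory maps are a constructed stand-in for the LDAP server, and the attribute holding the canonical name, which the thread is still debating, is passed in as a parameter.

```java
import java.util.*;

// Added illustration, not Kylin or Spring Security code. Directory contents are constructed.
public class CaseInsensitiveLoginDemo {
    // Constructed directory: one user entry and one group, using the names from the report.
    static final Map<String, Map<String, String>> USERS = Map.of(
        "uid=wkh,ou=People,ou=defaultCluster,dc=zdh,dc=com", Map.of("uid", "wkh", "cn", "wkh"));
    static final Map<String, Set<String>> GROUP_MEMBERS = Map.of("wkhGroup", Set.of("wkh"));

    // User search: assumed case-insensitive on uid, so 'WKH' still resolves to the entry.
    static Optional<String> findUserDn(String typed) {
        return USERS.entrySet().stream()
            .filter(e -> e.getValue().get("uid").equalsIgnoreCase(typed))
            .map(Map.Entry::getKey)
            .findFirst();
    }

    // Group search: assumed exact (case-sensitive) match on the member name.
    static Set<String> groupsFor(String memberName) {
        Set<String> roles = new TreeSet<>();
        GROUP_MEMBERS.forEach((group, members) -> {
            if (members.contains(memberName)) roles.add(group);
        });
        return roles;
    }

    // Look up roles with the name stored in the directory entry, not the name typed at login.
    static Set<String> rolesWithCanonicalName(String typed, String nameAttr) {
        return findUserDn(typed)
            .map(dn -> USERS.get(dn).get(nameAttr))   // a missing attribute yields an empty Optional
            .map(CaseInsensitiveLoginDemo::groupsFor)
            .orElse(Set.of());                        // unknown user or attribute: no roles
    }

    public static void main(String[] args) {
        System.out.println(groupsFor("wkh"));                        // typed name in stored case
        System.out.println(groupsFor("WKH"));                        // same user, different case
        System.out.println(rolesWithCanonicalName("WKH", "uid"));    // canonical name from entry
        System.out.println(rolesWithCanonicalName("nobody", "uid")); // no such user
    }
}
```

The second call shows the authenticated user ending up with no authorities, which is the state the report describes; the third shows the lookup succeeding once the name comes from the resolved entry.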
