kylin-user mailing list archives

From Marek Wiewiorka <marek.wiewio...@gmail.com>
Subject Re: Kylin authorization and roles/LDAP
Date Tue, 15 Dec 2015 13:54:46 GMT
Hi - I opened a jira for that:
https://issues.apache.org/jira/browse/KYLIN-1234

Thanks!
Marek

2015-12-14 16:03 GMT+01:00 Marek Wiewiorka <marek.wiewiorka@gmail.com>:

> Sure I can do that :) !
> Just, could you please try to double check the second problem because
> maybe I do not get something and I wouldn't like to confuse anyone.
> Once I know how to set up security e2e with ACLs correctly I will draft
> the Kylin security manual :)
>
> Thanks again!
> Marek
>
> 2015-12-14 15:58 GMT+01:00 ShaoFeng Shi <shaofengshi@apache.org>:
>
>> Hi Marek,
>>
>> If you're familiar with the Spring Security framework, the "ROLE_" prefix is
>> added by it when converting the user groups to role authorities. You can
>> check http://fmanea.blogspot.com/2015/04/spring-security-role-prefix.html,
>> or search Google for more discussions. It is a little tricky; we should
>> have a specific document on this. And we welcome contribution from the
>> community; if you'd like to do a summary from a Kylin end user's
>> perspective, that would be very nice. I believe you know more about LDAP
>> setup and configurations than me :)
>>
>> Regarding the problem you described, we will double check. In the
>> meanwhile you can report a JIRA at
>> https://issues.apache.org/jira/browse/KYLIN and we will follow it up
>> there. Thanks!
>>
>>
>> 2015-12-14 21:25 GMT+08:00 Marek Wiewiorka <marek.wiewiorka@gmail.com>:
>>
>>> Ok - I found the root cause for point 1 - it was just a typo.
>>> But I still do not understand how to proceed with ACLs.
>>>
>>> Thanks and I'm sorry for the confusion.
>>> BTW the part with prefixing entries with "ROLE_" is tricky and I do not
>>> think it's documented anywhere.
>>>
>>> Regards,
>>> Marek
>>>
>>>
>>> 2015-12-14 14:07 GMT+01:00 Marek Wiewiorka <marek.wiewiorka@gmail.com>:
>>>
>>>> Hi - thanks!
>>>>
>>>> Regarding my first question - I tried as follows:
>>>>
>>>> #properties:
>>>> acl.adminRole=ROLE_KYLIN_ADMINS
>>>>
>>>> #LDAP:
>>>> [image: Inline image 1]
>>>>
>>>> Debug output:
>>>>
>>>> [http-bio-7070-exec-5]:[2015-12-14
>>>> 12:57:14,757][DEBUG][org.springframework.security.ldap.SpringSecurityLdapTemplate.searchForSingleAttributeValues(SpringSecurityLdapTemplate.java:152)]
>>>> - Using filter: (member=uid=kylinadmin,ou=users,dc=example,dc=net)
>>>> [http-bio-7070-exec-5]:[2015-12-14
>>>> 12:57:14,757][DEBUG][org.springframework.security.ldap.SpringSecurityLdapTemplate.searchForSingleAttributeValues(SpringSecurityLdapTemplate.java:152)]
>>>> - Using filter: (member=uid=kylinadmin,ou=users,dc=example,dc=net)
>>>> [http-bio-7070-exec-5]:[2015-12-14
>>>> 12:57:14,763][DEBUG][org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator.getGroupMembershipRoles(DefaultLdapAuthoritiesPopulator.java:219)]
>>>> - Roles from search: [KYLIN_ADMINS]
>>>> [http-bio-7070-exec-5]:[2015-12-14
>>>> 12:57:14,763][DEBUG][org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator.getGroupMembershipRoles(DefaultLdapAuthoritiesPopulator.java:219)]
>>>> - Roles from search: [KYLIN_ADMINS]
>>>> [http-bio-7070-exec-5]:[2015-12-14
>>>> 12:57:14,763][DEBUG][org.springframework.security.ldap.userdetails.LdapUserDetailsMapper.mapUserFromContext(LdapUserDetailsMapper.java:51)]
>>>> - Mapping user details from context with DN:
>>>> uid=kylinadmin,ou=users,dc=example,dc=net
>>>> [http-bio-7070-exec-5]:[2015-12-14
>>>> 12:57:14,763][DEBUG][org.springframework.security.ldap.userdetails.LdapUserDetailsMapper.mapUserFromContext(LdapUserDetailsMapper.java:51)]
>>>> - Mapping user details from context with DN:
>>>> uid=kylinadmin,ou=users,dc=example,dc=net
>>>>
>>>> still I do not have admin rights (particularly I cannot see the admin tab in
>>>> the UI)
>>>>
>>>> 2) What I meant is that cube ACLs do not work for me either.
>>>> I'm calling the REST API with a SQL query as a user that isn't in any ACL
>>>> - so does not even have read rights.
>>>> The user is authenticated using LDAP, isn't a member of any group, the default
>>>> acl role isn't set at all, but the call does not fail - the user can read data
>>>> from the cube via the REST API.
>>>> I assume it's wrong and by default no one should be allowed to read the
>>>> data unless they are a member of a group that has at least CUBE_READ privilege,
>>>> right?
>>>>
>>>>
>>>> Marek
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> 2015-12-13 13:41 GMT+01:00 ShaoFeng Shi <shaofengshi@apache.org>:
>>>> >
>>>> > For question 1) map an LDAP group to the admin role in Kylin
>>>> >
>>>> > In conf/kylin.properties there are two properties:
>>>> > acl.adminRole=
>>>> > acl.defaultRole=
>>>> >
>>>> > "acl.adminRole" is mapped to the LDAP group which you want to grant
>>>> > the admin role in Kylin. For example, in LDAP you create a group called
>>>> > "KYLIN_ADMINS", then here you should set the property value to
>>>> > "ROLE_KYLIN_ADMINS". Then when a user from this group logs in to Kylin, he will
>>>> > have the admin authority (can see the "Admin" tab and do all actions).
>>>> >
>>>> > "acl.defaultRole" are the default roles that you want to grant to all
>>>> > authenticated users; in our case, we set this property to
>>>> > "ROLE_ANALYST,ROLE_MODELER", which means every login user has the analyst and
>>>> > modeler roles.
>>>> >
>>>> > Besides this, you can grant the permissions at cube level; please find
>>>> > the "Access" tab when expanding a cube.
>>>> >
>>>> > For question 2), I didn't get your point; a sample case would be
>>>> > helpful.
>>>> >
>>>> > 2015-12-12 22:03 GMT+08:00 Marek Wiewiorka <marek.wiewiorka@gmail.com>:
>>>> >>
>>>> >> I would be extremely grateful!!!
>>>> >> In the first place if you could please write a few hints on how to
>>>> >> configure cube ACLs + admin role mapping with LDAP.
>>>> >>
>>>> >> Many thanks in advance!
>>>> >> Marek
>>>> >>
>>>> >> 2015-12-12 12:28 GMT+01:00 Shaofeng Shi <shaofengshi@gmail.com>:
>>>> >>>
>>>> >>> I planned to write a doc on this, but it seems it needs to be prioritized now.
>>>> >>>
>>>> >>> Marek Wiewiorka <marek.wiewiorka@gmail.com> wrote:
>>>> >>>
>>>> >>>
>>>> >>> Hi All - I managed to get LDAP authentication working but I'm
>>>> >>> unable to set up proper authorization.
>>>> >>>
>>>> >>> Has any of you got it working properly - role mapping,
>>>> >>> privileges on cubes with LDAP?
>>>> >>>
>>>> >>> I will summarize briefly what I wasn't able to do:
>>>> >>> 1) map an LDAP group to the admin role in Kylin
>>>> >>> 2) Despite granting only one group the 'cube query' privilege on a cube,
>>>> >>> everyone who is properly authenticated can query the data, which is
>>>> >>> obviously wrong.
>>>> >>>
>>>> >>> Any help more than welcome!
>>>> >>>
>>>> >>> Marek
>>>> >>>
>>>> >>>
>>>> >>
>>>> >>
>>>> >
>>>> >
>>>> >
>>>> > --
>>>> > Best regards,
>>>> >
>>>> > Shaofeng Shi
>>>> >
>>>>
>>>
>>>
>>
>>
>> --
>> Best regards,
>>
>> Shaofeng Shi
>>
>>
>
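As an added worked example (not code from this thread or from the Kylin project), a small Python check of the acl.adminRole / acl.defaultRole mapping ShaoFeng describes: it derives authorities from LDAP group names the way the thread says Spring Security does (the ROLE_ prefix is stated above; the uppercasing of the group name is my assumption about the default populator), parses the two acl.* lines from a constructed kylin.properties fragment, and flags a value that lacks the prefix and therefore can never match a derived authority.

```python
"""Constructed example: check Kylin's acl.adminRole / acl.defaultRole against
the authorities Spring Security derives from LDAP group membership."""
# Assumption: Spring Security's default LDAP authorities populator uppercases
# the group name and prefixes it with ROLE_ (the prefix is stated in the thread).
ROLE_PREFIX = "ROLE_"

def ldap_groups_to_authorities(groups, convert_to_upper=True):
    """Turn raw LDAP group names (e.g. 'KYLIN_ADMINS') into Spring authorities."""
    return {ROLE_PREFIX + (g.upper() if convert_to_upper else g) for g in groups}

def parse_acl_properties(text):
    """Minimal key=value parser for the acl.* lines of kylin.properties."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def effective_roles(props, ldap_groups):
    """Authorities a user ends up with, and whether acl.adminRole matches one."""
    auths = ldap_groups_to_authorities(ldap_groups)
    auths.update(r.strip() for r in props.get("acl.defaultRole", "").split(",") if r.strip())
    admin_role = props.get("acl.adminRole", "")
    # Admin detection is an exact string match, so a property value without the
    # ROLE_ prefix silently yields a non-admin user even when the group matches.
    return {"authorities": sorted(auths), "is_admin": bool(admin_role) and admin_role in auths}

def lint_acl_properties(props):
    """Report acl.* values that no Spring-generated authority can ever equal."""
    problems = []
    for key in ("acl.adminRole", "acl.defaultRole"):
        for role in props.get(key, "").split(","):
            role = role.strip()
            if role and not role.startswith(ROLE_PREFIX):
                problems.append(f"{key}: '{role}' lacks the {ROLE_PREFIX} prefix")
    return problems

# Constructed kylin.properties fragments: one correct, one with the prefix mistake.
GOOD_PROPERTIES = "acl.adminRole=ROLE_KYLIN_ADMINS\nacl.defaultRole=ROLE_ANALYST,ROLE_MODELER\n"
BAD_PROPERTIES = "acl.adminRole=KYLIN_ADMINS\nacl.defaultRole=ROLE_ANALYST\n"

if __name__ == "__main__":
    good, bad = parse_acl_properties(GOOD_PROPERTIES), parse_acl_properties(BAD_PROPERTIES)
    print(effective_roles(good, ["KYLIN_ADMINS"]))  # is_admin True
    print(effective_roles(bad, ["KYLIN_ADMINS"]))   # is_admin False despite the group
    print(lint_acl_properties(bad))
```

Running the lint against a real kylin.properties before restarting Kylin catches the "tricky" prefix mistake the thread discusses without needing a login attempt and a DEBUG log read.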
