git1-us-west.apache.org (HELO git1-us-west.apache.org) (140.211.11.23) by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 07 Sep 2015 03:26:18 +0000 Received: by git1-us-west.apache.org (ASF Mail Server at git1-us-west.apache.org, from userid 33) id E1C4CDFB90; Mon, 7 Sep 2015 03:26:17 +0000 (UTC) Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit From: vel@apache.org To: commits@ranger.incubator.apache.org Message-Id: <41dae06630fc4ea5a54889da85f2253a@git.apache.org> X-Mailer: ASF-Git Admin Mailer Subject: incubator-ranger git commit: RANGER-628 : Make filters for ranger-admin search binds configurable Date: Mon, 7 Sep 2015 03:26:17 +0000 (UTC) Repository: incubator-ranger Updated Branches: refs/heads/master c4b9499a9 -> 44246aec4 RANGER-628 : Make filters for ranger-admin search binds configurable 
Signed-off-by: Velmurugan Periasamy
Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/44246aec
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/44246aec
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/44246aec
Branch: refs/heads/master
Commit: 44246aec4388525e14f0730aa231521fe2f7d637
Parents: c4b9499
Author: Gautam Borad
Authored: Mon Aug 31 15:34:09 2015 +0530
Committer: Velmurugan Periasamy
Committed: Sun Sep 6 23:24:16 2015 -0400
----------------------------------------------------------------------
 security-admin/scripts/install.properties | 6 +++++-
 security-admin/scripts/setup.sh | 8 ++++++++
 .../handler/RangerAuthenticationProvider.java | 18 +++++++++++++-----
 .../resources/conf.dist/ranger-admin-site.xml | 10 ++++++++++
 4 files changed, 36 insertions(+), 6 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/44246aec/security-admin/scripts/install.properties
----------------------------------------------------------------------
diff --git a/security-admin/scripts/install.properties b/security-admin/scripts/install.properties
index 4618ee3..eb0c7ec 100644
--- a/security-admin/scripts/install.properties
+++ b/security-admin/scripts/install.properties
@@ -47,7 +47,7 @@ SQL_CONNECTOR_JAR=/usr/share/java/mysql-connector-java.jar
 # DB password for the DB admin user-id
 # **************************************************************************
 # ** If the password is left empty or not-defined here,
-# ** it will be prompted to enter the password during installation process
+# ** it will try with blank password during installation process
 # **************************************************************************
 #
 #db_root_user=root|SYS|postgres|sa|dba
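Review bot: The reworded comment now tells the operator that leaving the DB admin password empty makes the installer try a blank password, but nothing else in this commit implements or references that fallback — per the diffstat, setup.sh only gains the two LDAP search-filter properties — so the comment appears to document behaviour changed elsewhere. Silently attempting a blank password for the DB admin account is a weaker default than prompting, so if that is the intended installer behaviour it should be named in the commit message; otherwise keep the previous wording until the installer change that goes with it lands.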
@@ -138,6 +138,7 @@ authServicePort=5151
 #xa_ldap_bind_dn="cn=admin,ou=users,dc=xasecure,dc=net"
 #xa_ldap_bind_password=
 #xa_ldap_referral=follow|ignore
+#xa_ldap_userSearchFilter="(uid={0})"
 
 xa_ldap_url=
 xa_ldap_userDNpattern=
@@ -148,6 +149,7 @@ xa_ldap_base_dn=
 xa_ldap_bind_dn=
 xa_ldap_bind_password=
 xa_ldap_referral=
+xa_ldap_userSearchFilter=
 ####ACTIVE_DIRECTORY settings - Required only if have selected AD authentication ####
 #
 # Sample Settings
@@ -158,6 +160,7 @@ xa_ldap_referral=
 #xa_ldap_ad_bind_dn="cn=administrator,ou=users,dc=xasecure,dc=net"
 #xa_ldap_ad_bind_password=
 #xa_ldap_ad_referral=follow|ignore
+#xa_ldap_ad_userSearchFilter="(sAMAccountName={0})"
 
 xa_ldap_ad_domain=
 xa_ldap_ad_url=
@@ -165,6 +168,7 @@ xa_ldap_ad_base_dn=
 xa_ldap_ad_bind_dn=
 xa_ldap_ad_bind_password=
 xa_ldap_ad_referral=
+xa_ldap_ad_userSearchFilter=
 
 # -----------------------------------------------------------
 #
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/44246aec/security-admin/scripts/setup.sh
----------------------------------------------------------------------
diff --git a/security-admin/scripts/setup.sh b/security-admin/scripts/setup.sh
index e0b14c5..bae6298 100755
--- a/security-admin/scripts/setup.sh
+++ b/security-admin/scripts/setup.sh
@@ -1330,6 +1330,10 @@ do_authentication_setup(){ newPropertyValue="${xa_ldap_referral}" updatePropertyToFilePy $propertyName $newPropertyValue $ldap_file + propertyName=ranger.ldap.user.searchfilter + newPropertyValue="${xa_ldap_userSearchFilter}" + updatePropertyToFilePy $propertyName $newPropertyValue $ldap_file + keystore="${cred_keystore_filename}" if [ "${keystore}" != "" ]
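Review bot: In the added `updatePropertyToFilePy $propertyName $newPropertyValue $ldap_file` call, `$newPropertyValue` is expanded unquoted, and install.properties ships `xa_ldap_userSearchFilter=` empty, so when the operator leaves it blank the argument disappears entirely and `$ldap_file` is presumably read as the property value (assuming updatePropertyToFilePy takes positional arguments — confirm). A filter value containing whitespace would likewise be split into several arguments. Quote the expansions: `updatePropertyToFilePy "$propertyName" "$newPropertyValue" "$ldap_file"`; the surrounding calls use the same unquoted form, so the fix applies to them too, and the `ranger.ldap.ad.user.searchfilter` block in the hunk at line 1411 has the identical issue. do_authentication_setup() starts and ends outside both hunks.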
@@ -1411,6 +1415,10 @@ do_authentication_setup(){ newPropertyValue="${xa_ldap_ad_referral}" updatePropertyToFilePy $propertyName $newPropertyValue $ldap_file + propertyName=ranger.ldap.ad.user.searchfilter + newPropertyValue="${xa_ldap_ad_userSearchFilter}" + updatePropertyToFilePy $propertyName $newPropertyValue $ldap_file + keystore="${cred_keystore_filename}" if [ "${keystore}" != "" ]
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/44246aec/security-admin/src/main/java/org/apache/ranger/security/handler/RangerAuthenticationProvider.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/security/handler/RangerAuthenticationProvider.java b/security-admin/src/main/java/org/apache/ranger/security/handler/RangerAuthenticationProvider.java
index 1f1d957..abf4db4 100644
--- a/security-admin/src/main/java/org/apache/ranger/security/handler/RangerAuthenticationProvider.java
+++ b/security-admin/src/main/java/org/apache/ranger/security/handler/RangerAuthenticationProvider.java
@@ -363,6 +363,7 @@ public class RangerAuthenticationProvider implements AuthenticationProvider {
  String rangerADBindPassword = PropertiesUtil.getProperty("ranger.ldap.ad.bind.password", "");
  String rangerLdapDefaultRole = PropertiesUtil.getProperty("ranger.ldap.default.role", "ROLE_USER");
  String rangerLdapReferral = PropertiesUtil.getProperty("ranger.ldap.ad.referral", "follow");
+ String rangerLdapUserSearchFilter = PropertiesUtil.getProperty("ranger.ldap.ad.user.searchfilter", "(sAMAccountName={0})");
  String userName = authentication.getName();
  String userPassword = "";
  if (authentication.getCredentials() != null) {
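Review bot: The default `(sAMAccountName={0})` now lives in two places — as the `PropertiesUtil.getProperty` default on the added line here and again as the empty-value fallback in the hunk at line 378 — and the LDAP branch repeats the pattern with `(uid={0})` in the hunks at lines 417 and 437. Keep each literal in one place, e.g. `private static final String DEFAULT_AD_USER_SEARCH_FILTER = "(sAMAccountName={0})";` and `private static final String DEFAULT_LDAP_USER_SEARCH_FILTER = "(uid={0})";`, and reference the constant from both the property read and the fallback so a later change to one default cannot leave the two disagreeing. The enclosing method starts before this hunk and continues after it.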
@@ -378,8 +379,11 @@ public class RangerAuthenticationProvider implements AuthenticationProvider {
  ldapContextSource.setPooled(true);
  ldapContextSource.afterPropertiesSet();
 
- String searchFilter="(sAMAccountName={0})";
- FilterBasedLdapUserSearch userSearch=new FilterBasedLdapUserSearch(rangerLdapADBase, searchFilter,ldapContextSource);
+ //String searchFilter="(sAMAccountName={0})";
+ if(rangerLdapUserSearchFilter==null||rangerLdapUserSearchFilter.trim().isEmpty()){
+ rangerLdapUserSearchFilter="(sAMAccountName={0})";
+ }
+ FilterBasedLdapUserSearch userSearch=new FilterBasedLdapUserSearch(rangerLdapADBase, rangerLdapUserSearchFilter,ldapContextSource);
  userSearch.setSearchSubtree(true);
 
  BindAuthenticator bindAuthenticator = new BindAuthenticator(ldapContextSource);
@@ -417,6 +421,7 @@ public class RangerAuthenticationProvider implements AuthenticationProvider {
  String rangerLdapBindDN = PropertiesUtil.getProperty("ranger.ldap.bind.dn", "");
  String rangerLdapBindPassword = PropertiesUtil.getProperty("ranger.ldap.bind.password", "");
  String rangerLdapReferral = PropertiesUtil.getProperty("ranger.ldap.referral", "follow");
+ String rangerLdapUserSearchFilter = PropertiesUtil.getProperty("ranger.ldap.user.searchfilter", "(uid={0})");
  String userName = authentication.getName();
  String userPassword = "";
  if (authentication.getCredentials() != null) {
@@ -428,7 +433,7 @@ public class RangerAuthenticationProvider implements AuthenticationProvider {
  ldapContextSource.setPassword(rangerLdapBindPassword);
  ldapContextSource.setReferral(rangerLdapReferral);
  ldapContextSource.setCacheEnvironmentProperties(false);
- ldapContextSource.setAnonymousReadOnly(true);
+ ldapContextSource.setAnonymousReadOnly(false);
  ldapContextSource.setPooled(true);
  ldapContextSource.afterPropertiesSet();
 
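Review bot: The added fallback trims the configured filter only for the emptiness test and then hands the untrimmed value to `FilterBasedLdapUserSearch`, and nothing checks that an operator-supplied filter still contains the `{0}` placeholder; a filter without it (or with stray whitespace, which the install script appears to write through as given) no longer constrains the search to the login name, so the bind is attempted against whichever entry the directory returns first — presumably surfacing as an opaque credentials failure rather than a clear configuration error. Normalise once and validate the placeholder before use: `rangerLdapUserSearchFilter = rangerLdapUserSearchFilter == null ? "" : rangerLdapUserSearchFilter.trim();` followed by `if (rangerLdapUserSearchFilter.isEmpty() || !rangerLdapUserSearchFilter.contains("{0}")) {` around the existing default assignment, keeping the login name as the `{0}` argument rather than ever concatenating it into the filter string. The commented-out `//String searchFilter="(sAMAccountName={0})";` line should be deleted rather than left beside its replacement. The `(uid={0})` block in the hunk at line 437 has the same three issues, and the enclosing method starts and ends outside this hunk.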
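Review bot: Flipping `ldapContextSource.setAnonymousReadOnly(true)` to `false` is neither mentioned in the commit message nor covered by its stated scope (configurable search filters), and it changes how the LDAP branch searches: the user search presumably now binds with `ranger.ldap.bind.dn` and `ranger.ldap.bind.password`, whose defaults in the hunk at line 417 are empty strings, so deployments that relied on an anonymous search need a bind DN after this change. Add a comment stating the intent, e.g. `// User searches bind as ranger.ldap.bind.dn; anonymous read-only searches are no longer used.`, and record in the commit message that the bind DN is now required for LDAP authentication. How the context source behaves when the bind DN is left empty is not visible here and should be confirmed.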
@@ -437,8 +442,11 @@ public class RangerAuthenticationProvider implements AuthenticationProvider {
  defaultLdapAuthoritiesPopulator.setGroupSearchFilter(rangerLdapGroupSearchFilter);
  defaultLdapAuthoritiesPopulator.setIgnorePartialResultException(true);
 
- String searchFilter="(uid={0})";
- FilterBasedLdapUserSearch userSearch=new FilterBasedLdapUserSearch(rangerLdapBase, searchFilter,ldapContextSource);
+ //String searchFilter="(uid={0})";
+ if(rangerLdapUserSearchFilter==null||rangerLdapUserSearchFilter.trim().isEmpty()){
+ rangerLdapUserSearchFilter="(uid={0})";
+ }
+ FilterBasedLdapUserSearch userSearch=new FilterBasedLdapUserSearch(rangerLdapBase, rangerLdapUserSearchFilter,ldapContextSource);
  userSearch.setSearchSubtree(true);
 
  BindAuthenticator bindAuthenticator = new BindAuthenticator(ldapContextSource);
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/44246aec/security-admin/src/main/resources/conf.dist/ranger-admin-site.xml
----------------------------------------------------------------------
diff --git a/security-admin/src/main/resources/conf.dist/ranger-admin-site.xml b/security-admin/src/main/resources/conf.dist/ranger-admin-site.xml
index 822a507..6009693 100644
--- a/security-admin/src/main/resources/conf.dist/ranger-admin-site.xml
+++ b/security-admin/src/main/resources/conf.dist/ranger-admin-site.xml
@@ -217,4 +217,14 @@ + + ranger.ldap.user.searchfilter + (uid={0}) + + + ranger.ldap.ad.user.searchfilter + (sAMAccountName={0}) + +