Updated Branches: refs/heads/trunk 257d92f28 -> 59b24e512
AMBARI-3251. When Bind DN credentials are incorrect - we should log it Project: http://git-wip-us.apache.org/repos/asf/incubator-ambari/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-ambari/commit/59b24e51 Tree: http://git-wip-us.apache.org/repos/asf/incubator-ambari/tree/59b24e51 Diff: http://git-wip-us.apache.org/repos/asf/incubator-ambari/diff/59b24e51 Branch: refs/heads/trunk Commit: 59b24e5123f9d0cf3e8817a0e553f2e6645e8f6d Parents: 257d92f Author: Lisnichenko Dmitro <[email protected]> Authored: Mon Sep 16 23:50:28 2013 +0300 Committer: Lisnichenko Dmitro <[email protected]> Committed: Mon Sep 16 23:51:39 2013 +0300 ---------------------------------------------------------------------- .../AmbariLdapAuthenticationProvider.java | 33 ++++++--- .../AmbariLdapAuthenticationProviderTest.java | 78 +++++++++++++++++++- 2 files changed, 99 insertions(+), 12 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-ambari/blob/59b24e51/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariLdapAuthenticationProvider.java ----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariLdapAuthenticationProvider.java b/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariLdapAuthenticationProvider.java
index f0e2a5f..20cf2fd 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariLdapAuthenticationProvider.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariLdapAuthenticationProvider.java
@@ -37,7 +37,7 @@ import org.springframework.security.ldap.search.FilterBasedLdapUserSearch;
 * Provides LDAP user authorization logic for Ambari Server
 */
 public class AmbariLdapAuthenticationProvider implements AuthenticationProvider {
- private static final Logger log = LoggerFactory.getLogger(AmbariLdapAuthenticationProvider.class);
+ Logger LOG = LoggerFactory.getLogger(AmbariLdapAuthenticationProvider.class);
 Configuration configuration;
@@ -56,9 +56,24 @@ public class AmbariLdapAuthenticationProvider implements AuthenticationProvider
 public Authentication authenticate(Authentication authentication) throws AuthenticationException {
 if (isLdapEnabled()) {
-
- return loadLdapAuthenticationProvider().authenticate(authentication);
-
+ try {
+ return loadLdapAuthenticationProvider().authenticate(authentication);
+ } catch (AuthenticationException e) {
+ LOG.debug("Got exception during LDAP authentification attempt", e);
+ // Try to help in troubleshooting
+ Throwable cause = e.getCause();
+ if (cause != null) {
+ // Below we check the cause of an AuthenticationException . If it is
+ // caused by another AuthenticationException, than probably
+ // the problem is with LDAP ManagerDN/password
+ if ((cause != e) && (cause instanceof
+ org.springframework.ldap.AuthenticationException)) {
+ LOG.warn("Looks like LDAP manager credentials (that are used for " +
+ "connecting to LDAP server) are invalid.", e);
+ }
+ }
+ throw e;
+ }
 } else {
 return null;
 }
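Review bot: The logger field on the new side loses `private static final` and becomes a mutable, package-private instance field while keeping a constant-style name (`Logger LOG = ...`), apparently so a test can assign a mock; the UPPER_SNAKE name now advertises a constant that it no longer is, and every provider instance creates its own logger. If test injection is the reason, record it at the field, `/** Package-private and non-final only so tests can inject a mock logger; not part of the API. */`, and prefer a lower-case name such as `log` for a non-final field; otherwise restore `private static final`.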
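Review bot: The two guards around the `instanceof` test in the new catch block are dead: `Throwable.getCause()` never returns the throwable itself (the self-referential "no cause" sentinel is reported as null) and `instanceof` is already false for null, so the whole nest reduces to `if (e.getCause() instanceof org.springframework.ldap.AuthenticationException) { LOG.warn(...); }` with the same behaviour. The debug message also misspells the word; `LOG.debug("Got exception during LDAP authentication attempt", e);`. Since the diagnosis is a heuristic (the comment itself says "probably"), wording the warning as a hint to check the configured manager DN/password rather than a verdict would help an operator tell a manager-bind failure from an ordinary bad user password, and logging `e` with its full stack at WARN is redundant with the DEBUG line just above.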
@@ -74,9 +89,9 @@ public class AmbariLdapAuthenticationProvider implements AuthenticationProvider
 * Reloads LDAP Context Source and depending objects if properties were changed
 * @return corresponding LDAP authentication provider
 */
- private LdapAuthenticationProvider loadLdapAuthenticationProvider() {
+ LdapAuthenticationProvider loadLdapAuthenticationProvider() {
 if (reloadLdapServerProperties()) {
- log.info("LDAP Properties changed - rebuilding Context");
+ LOG.info("LDAP Properties changed - rebuilding Context");
 LdapContextSource springSecurityContextSource = new LdapContextSource();
 List<String> ldapUrls = ldapServerProperties.get().getLdapUrls();
 springSecurityContextSource.setUrls(ldapUrls.toArray(new String[ldapUrls.size()]));
@@ -90,7 +105,7 @@ public class AmbariLdapAuthenticationProvider implements AuthenticationProvider
 try {
 springSecurityContextSource.afterPropertiesSet();
 } catch (Exception e) {
- log.error("LDAP Context Source not loaded ", e);
+ LOG.error("LDAP Context Source not loaded ", e);
 throw new UsernameNotFoundException("LDAP Context Source not loaded", e);
 }
@@ -116,7 +131,7 @@ public class AmbariLdapAuthenticationProvider implements AuthenticationProvider
 * Check if LDAP authentication is enabled in server properties
 * @return true if enabled
 */
- private boolean isLdapEnabled() {
+ boolean isLdapEnabled() {
 return configuration.getClientSecurityType() == ClientSecurityType.LDAP;
 }
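Review bot: `loadLdapAuthenticationProvider` in the first hunk and `isLdapEnabled` in the third lose `private` with nothing recording that the wider visibility exists only for the test's `addMockedMethod` calls; `loadLdapAuthenticationProvider` is the method that builds and configures the `LdapContextSource`, so other classes in the package can now trigger a context rebuild. Mark the intent on each method so the scope is not widened further by accident: `// Package-private for mocking in unit tests only; not part of this class's API.`. The body of `loadLdapAuthenticationProvider` continues outside the hunk.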
@@ -128,7 +143,7 @@ public class AmbariLdapAuthenticationProvider implements AuthenticationProvider
 private boolean reloadLdapServerProperties() {
 LdapServerProperties properties = configuration.getLdapServerProperties();
 if (!properties.equals(ldapServerProperties.get())) {
- log.info("Reloading properties");
+ LOG.info("Reloading properties");
 ldapServerProperties.set(properties);
 return true;
 }
http://git-wip-us.apache.org/repos/asf/incubator-ambari/blob/59b24e51/ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AmbariLdapAuthenticationProviderTest.java ----------------------------------------------------------------------
diff --git a/ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AmbariLdapAuthenticationProviderTest.java b/ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AmbariLdapAuthenticationProviderTest.java
index 91d778b..4052731 100644
--- a/ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AmbariLdapAuthenticationProviderTest.java
+++ b/ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AmbariLdapAuthenticationProviderTest.java
@@ -22,27 +22,29 @@ import junit.framework.Assert;
 import com.google.inject.Guice;
 import com.google.inject.Inject;
 import com.google.inject.Injector;
-import com.google.inject.persist.jpa.JpaPersistModule;
 import org.apache.ambari.server.configuration.Configuration;
 import org.apache.ambari.server.orm.GuiceJpaInitializer;
-import org.apache.ambari.server.orm.InMemoryDefaultTestModule;
 import org.apache.ambari.server.orm.dao.RoleDAO;
 import org.apache.ambari.server.orm.dao.UserDAO;
 import org.apache.ambari.server.orm.entities.RoleEntity;
 import org.apache.ambari.server.orm.entities.UserEntity;
 import org.apache.ambari.server.security.ClientSecurityType;
+import org.easymock.EasyMockSupport;
+import org.easymock.IAnswer;
 import org.junit.AfterClass;
 import org.junit.Before;
 import org.junit.BeforeClass;
 import org.junit.Test;
+import org.slf4j.Logger;
 import org.springframework.security.authentication.BadCredentialsException;
 import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.ldap.server.ApacheDSContainer;
+import static org.easymock.EasyMock.*;
 import static org.junit.Assert.*;
-public class AmbariLdapAuthenticationProviderTest{
+public class AmbariLdapAuthenticationProviderTest extends EasyMockSupport {
 private static ApacheDSContainer apacheDSContainer;
 private static Injector injector;
@@ -78,6 +80,76 @@ public class AmbariLdapAuthenticationProviderTest{
 authenticationProvider.authenticate(authentication);
 }
+
+ @Test
+ public void testGoodManagerCredentials() throws Exception {
+ AmbariLdapAuthoritiesPopulator authoritiesPopulator = createMock(AmbariLdapAuthoritiesPopulator.class);
+ AmbariLdapAuthenticationProvider provider = createMockBuilder(AmbariLdapAuthenticationProvider.class)
+ .addMockedMethod("loadLdapAuthenticationProvider")
+ .addMockedMethod("isLdapEnabled")
+ .withConstructor(configuration, authoritiesPopulator).createMock();
+ // Create the last thrown exception
+ org.springframework.security.core.AuthenticationException exception =
+ createNiceMock(org.springframework.security.core.AuthenticationException.class);
+ expect(exception.getCause()).andReturn(exception).atLeastOnce();
+
+ expect(provider.isLdapEnabled()).andReturn(true);
+ expect(provider.loadLdapAuthenticationProvider()).andThrow(exception);
+ // Logging call
+ Logger log = createNiceMock(Logger.class);
+ provider.LOG = log;
+ log.warn(find("LDAP manager credentials"), (Throwable) anyObject());
+ expectLastCall().andAnswer(new IAnswer<Object>() {
+ @Override
+ public Object answer() throws Throwable {
+ fail("Should not print warning when LDAP manager credentials are not wrong");
+ return null;
+ }
+ }).anyTimes();
+ replayAll();
+ Authentication authentication = new UsernamePasswordAuthenticationToken("notFound", "wrong");
+ try {
+ provider.authenticate(authentication);
+ fail("Should throw exception");
+ } catch(org.springframework.security.core.AuthenticationException e) {
+ // expected
+ }
+ verifyAll();
+ }
+
+ @Test
+ public void testBadManagerCredentials() throws Exception {
+ AmbariLdapAuthoritiesPopulator authoritiesPopulator = createMock(AmbariLdapAuthoritiesPopulator.class);
+ AmbariLdapAuthenticationProvider provider = createMockBuilder(AmbariLdapAuthenticationProvider.class)
+ .addMockedMethod("loadLdapAuthenticationProvider")
+ .addMockedMethod("isLdapEnabled")
+ .withConstructor(configuration, authoritiesPopulator).createMock();
+ // Create the cause
+ org.springframework.ldap.AuthenticationException cause =
+ createNiceMock(org.springframework.ldap.AuthenticationException.class);
+ // Create the last thrown exception
+ org.springframework.security.core.AuthenticationException exception =
+ createNiceMock(org.springframework.security.core.AuthenticationException.class);
+ expect(exception.getCause()).andReturn(cause).atLeastOnce();
+
+ expect(provider.isLdapEnabled()).andReturn(true);
+ expect(provider.loadLdapAuthenticationProvider()).andThrow(exception);
+ // Logging call
+ Logger log = createNiceMock(Logger.class);
+ provider.LOG = log;
+ log.warn(find("LDAP manager credentials"), (Throwable) anyObject());
+ expectLastCall().atLeastOnce();
+ replayAll();
+ Authentication authentication = new UsernamePasswordAuthenticationToken("notFound", "wrong");
+ try {
+ provider.authenticate(authentication);
+ fail("Should throw exception");
+ } catch(org.springframework.security.core.AuthenticationException e) {
+ // expected
+ }
+ verifyAll();
+ }
+
 @Test
 public void testAuthenticate() throws Exception {
 assertNull("User alread exists in DB", userDAO.findLdapUserByName("allowedUser"));
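Review bot: `testGoodManagerCredentials` stubs `exception.getCause()` to return the exception itself (`expect(exception.getCause()).andReturn(exception).atLeastOnce();`), a value a real `Throwable` never produces, since `getCause()` reports the self-referential "no cause" sentinel as null; the negative case therefore exercises the production code's `cause != e` comparison rather than the path a genuine cause-less failure takes. `expect(exception.getCause()).andReturn(null).atLeastOnce();` models that path, and a third case whose cause is some non-LDAP exception would pin that only `org.springframework.ldap.AuthenticationException` triggers the warning. The two tests also repeat the provider, logger and token setup almost verbatim; a private helper parameterised by the cause to stub would keep them from drifting apart. `testAuthenticate` continues outside the hunk.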
