ARTEMIS-1974 document LDAP role expansion (cherry picked from commit 7b4be5008dfaca122d5a277b4010807a176a2992)
Project: http://git-wip-us.apache.org/repos/asf/activemq-artemis/repo Commit: http://git-wip-us.apache.org/repos/asf/activemq-artemis/commit/2c20fe47 Tree: http://git-wip-us.apache.org/repos/asf/activemq-artemis/tree/2c20fe47 Diff: http://git-wip-us.apache.org/repos/asf/activemq-artemis/diff/2c20fe47 Branch: refs/heads/2.6.x Commit: 2c20fe471bbfd18d5755a30410617db05717f68e Parents: f7637eb Author: Justin Bertram <jbert...@apache.org> Authored: Mon Jul 9 09:36:33 2018 -0500 Committer: Clebert Suconic <clebertsuco...@apache.org> Committed: Thu Aug 9 19:27:56 2018 -0400
----------------------------------------------------------------------
.../spi/core/security/jaas/LDAPLoginModule.java | 6 ++++++ docs/user-manual/en/security.md | 13 +++++++++++++ 2 files changed, 19 insertions(+)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/activemq-artemis/blob/2c20fe47/artemis-server/src/main/java/org/apache/activemq/artemis/spi/core/security/jaas/LDAPLoginModule.java
----------------------------------------------------------------------
diff --git a/artemis-server/src/main/java/org/apache/activemq/artemis/spi/core/security/jaas/LDAPLoginModule.java b/artemis-server/src/main/java/org/apache/activemq/artemis/spi/core/security/jaas/LDAPLoginModule.java
index 19194fa..7d58a0b 100644
--- a/artemis-server/src/main/java/org/apache/activemq/artemis/spi/core/security/jaas/LDAPLoginModule.java
+++ b/artemis-server/src/main/java/org/apache/activemq/artemis/spi/core/security/jaas/LDAPLoginModule.java
@@ -480,6 +480,12 @@ public class LDAPLoginModule implements LoginModule {
 while (!pendingNameExpansion.isEmpty()) {
 String name = pendingNameExpansion.remove();
 final String expandFilter = expandRolesMatchingFormat.format(new String[]{name});
+ if (logger.isDebugEnabled()) {
+ logger.debug("Get 'expanded' user roles.");
+ logger.debug("Looking for the 'expanded' user roles in LDAP with ");
+ logger.debug(" base DN: " + getLDAPPropertyValue(ROLE_BASE));
+ logger.debug(" filter: " + expandFilter);
+ }
 try {
 results = Subject.doAs(brokerGssapiIdentity, (PrivilegedExceptionAction< NamingEnumeration<SearchResult>>) () -> context.search(getLDAPPropertyValue(ROLE_BASE), expandFilter, constraints));
 } catch (PrivilegedActionException e) {
http://git-wip-us.apache.org/repos/asf/activemq-artemis/blob/2c20fe47/docs/user-manual/en/security.md
----------------------------------------------------------------------
diff --git a/docs/user-manual/en/security.md b/docs/user-manual/en/security.md
index 47fb228..63e49a6 100644
--- a/docs/user-manual/en/security.md
+++ b/docs/user-manual/en/security.md
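Review bot: The four separate `logger.debug` calls added inside the `isDebugEnabled()` guard describe a single event, so when several logins run concurrently their lines can interleave and the base DN and filter lose their association with each other and with the role being expanded; one call per loop iteration keeps them together, e.g. `logger.debug("Looking for the 'expanded' user roles of '" + name + "' in LDAP with base DN: " + getLDAPPropertyValue(ROLE_BASE) + ", filter: " + expandFilter);`. Including `name` in that line also shows which role the filter was generated from, which the added messages do not. Note that `expandFilter` is built by `MessageFormat` from a role name returned by the directory, with no LDAP filter escaping visible in this hunk, so the logged filter is the place to spot a role name that reshapes the search; that behaviour predates this change. The enclosing `while` loop and its method continue outside the hunk.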
@@ -690,6 +690,19 @@ system. It is implemented by - `referral` - specify how to handle referrals; valid values: `ignore`, `follow`, `throw`; default is `ignore`. +- `expandRoles` - boolean indicating whether to enable the role expansion + functionality or not; default false. If enabled, then roles within roles will + be found. For example, role `A` is in role `B`. User `X` is in role `A`, + which means user `X` is in role `B` by virtue of being in role `A`. + +- `expandRolesMatching` - specifies an LDAP search filter which is applied to + the subtree selected by `roleBase`. Before passing to the LDAP search operation, + the string value you provide here is subjected to string substitution, as + implemented by the `java.text.MessageFormat` class. Essentially, this means that + the special string, `{0}`, is substituted by the role name as extracted from the + previous role search. This option must always be set to enable role expansion + because it has no default value. Example value: `(member={0})`. + - `debug` - boolean flag; if `true`, enable debugging; this is used only for testing or debugging; normally, it should be set to `false`, or omitted; default is `false`