This is an automated email from the ASF dual-hosted git repository.
smolnar pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/ambari.git
The following commit(s) were added to refs/heads/trunk by this push:
new 4487562 AMBARI-24533. Let end users disable endpoint identification
during SSL handshake with the LDAP server (#2165)
4487562 is described below
commit 448756230b4679644425af34728a41af6987e4c0
Author: Sandor Molnar <[email protected]>
AuthorDate: Mon Aug 27 19:49:54 2018 +0200
AMBARI-24533. Let end users disable endpoint identification during SSL
handshake with the LDAP server (#2165)
---
.../configuration/AmbariServerConfigurationKey.java | 1 +
.../server/ldap/domain/AmbariLdapConfiguration.java | 5 +++++
.../security/authorization/LdapServerProperties.java | 9 +++++++++
.../server/security/ldap/AmbariLdapDataPopulator.java | 16 ++++++++++++----
ambari-server/src/main/python/ambari-server.py | 1 +
.../src/main/python/ambari_server/setupSecurity.py | 6 ++++++
ambari-server/src/test/python/TestAmbariServer.py | 1 +
7 files changed, 35 insertions(+), 4 deletions(-)
diff --git
a/ambari-server/src/main/java/org/apache/ambari/server/configuration/AmbariServerConfigurationKey.java
b/ambari-server/src/main/java/org/apache/ambari/server/configuration/AmbariServerConfigurationKey.java
index 2945c74..ccdb2ab 100644
---
a/ambari-server/src/main/java/org/apache/ambari/server/configuration/AmbariServerConfigurationKey.java
+++
b/ambari-server/src/main/java/org/apache/ambari/server/configuration/AmbariServerConfigurationKey.java
@@ -73,6 +73,7 @@ public enum AmbariServerConfigurationKey {
REFERRAL_HANDLING(AmbariServerConfigurationCategory.LDAP_CONFIGURATION,
"ambari.ldap.advanced.referrals", PLAINTEXT, "follow", "Determines whether to
follow LDAP referrals to other URLs when the LDAP controller doesn't have the
requested object."),
PAGINATION_ENABLED(AmbariServerConfigurationCategory.LDAP_CONFIGURATION,
"ambari.ldap.advanced.pagination_enabled", PLAINTEXT, "true", "Determines
whether results from LDAP are paginated when requested."),
COLLISION_BEHAVIOR(AmbariServerConfigurationCategory.LDAP_CONFIGURATION,
"ambari.ldap.advance.collision_behavior", PLAINTEXT, "convert", "Determines how
to handle username collision while updating from LDAP."),
+
DISABLE_ENDPOINT_IDENTIFICATION(AmbariServerConfigurationCategory.LDAP_CONFIGURATION,
"ambari.ldap.advanced.disable_endpoint_identification", PLAINTEXT, "false",
"Determines whether to disable endpoint identification (hostname verification)
during SSL handshake while updating from LDAP."),
/* ********************************************************
* SSO Configuration Keys
diff --git
a/ambari-server/src/main/java/org/apache/ambari/server/ldap/domain/AmbariLdapConfiguration.java
b/ambari-server/src/main/java/org/apache/ambari/server/ldap/domain/AmbariLdapConfiguration.java
index 370ef3d..b8216b1 100644
---
a/ambari-server/src/main/java/org/apache/ambari/server/ldap/domain/AmbariLdapConfiguration.java
+++
b/ambari-server/src/main/java/org/apache/ambari/server/ldap/domain/AmbariLdapConfiguration.java
@@ -204,6 +204,10 @@ public class AmbariLdapConfiguration {
return configValue(AmbariServerConfigurationKey.REFERRAL_HANDLING);
}
+ public boolean disableEndpointIdentification() {
+ return
Boolean.valueOf(configValue(AmbariServerConfigurationKey.DISABLE_ENDPOINT_IDENTIFICATION));
+ }
+
public Map<String, String> toMap() {
return (configurationMap == null) ? Collections.emptyMap() : new
HashMap<>(configurationMap);
}
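Review bot: The new `disableEndpointIdentification()` parses the stored string with `Boolean.valueOf`, which boxes and then auto-unboxes, while the sibling conversion in the same class (`setPaginationEnabled(parseBoolean(...))` in the next hunk) uses `parseBoolean`; `return Boolean.parseBoolean(configValue(AmbariServerConfigurationKey.DISABLE_ENDPOINT_IDENTIFICATION));` keeps the two consistent, and both forms read a null or non-"true" value as false, so behaviour is unchanged. The accessor also has no Javadoc; if the neighbouring accessors carry one, a summary such as `/** Returns whether hostname verification is to be skipped during the LDAP SSL handshake; an unset value reads as {@code false}. */` would match them.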
@@ -269,6 +273,7 @@ public class AmbariLdapConfiguration {
ldapServerProperties.setSyncUserMemberFilter(configValue(AmbariServerConfigurationKey.USER_MEMBER_FILTER));
ldapServerProperties.setSyncGroupMemberFilter(configValue(AmbariServerConfigurationKey.GROUP_MEMBER_FILTER));
ldapServerProperties.setPaginationEnabled(parseBoolean(configValue(AmbariServerConfigurationKey.PAGINATION_ENABLED)));
+
ldapServerProperties.setDisableEndpointIdentification(disableEndpointIdentification());
if (hasAnyValueWithKey(AmbariServerConfigurationKey.GROUP_BASE,
AmbariServerConfigurationKey.GROUP_OBJECT_CLASS,
AmbariServerConfigurationKey.GROUP_MEMBER_ATTRIBUTE,
AmbariServerConfigurationKey.GROUP_NAME_ATTRIBUTE,
AmbariServerConfigurationKey.GROUP_MAPPING_RULES,
AmbariServerConfigurationKey.GROUP_SEARCH_FILTER)) {
diff --git
a/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/LdapServerProperties.java
b/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/LdapServerProperties.java
index 7937607..6ce3dc1 100644
---
a/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/LdapServerProperties.java
+++
b/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/LdapServerProperties.java
@@ -65,6 +65,7 @@ public class LdapServerProperties {
private String syncUserMemberFilter = "";
private String syncGroupMemberFilter = "";
+ private boolean disableEndpointIdentification = false;
//LDAP pagination properties
private boolean paginationEnabled = true;
private String adminGroupMappingMemberAttr = ""; // custom group search
filter for admin mappings
@@ -296,6 +297,14 @@ public class LdapServerProperties {
return referralMethod;
}
+ public boolean isDisableEndpointIdentification() {
+ return disableEndpointIdentification;
+ }
+
+ public void setDisableEndpointIdentification(boolean
disableEndpointIdentification) {
+ this.disableEndpointIdentification = disableEndpointIdentification;
+ }
+
public boolean isPaginationEnabled() {
return paginationEnabled;
}
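Review bot: `LdapServerProperties` gains the `disableEndpointIdentification` field, getter and setter, but the diffstat shows only these 9 insertions for the file, so `equals()` and `hashCode()` are not extended to cover it. `AmbariLdapDataPopulator.loadLdapTemplate()` reloads the context source only when `!properties.equals(getLdapProperties())`, so if `equals()` compares the fields one by one (not visible here) a change of this flag alone would never trigger a reload and the system property would stay in its previous state until some unrelated LDAP property changes. Include the field in `equals()` and `hashCode()` (and `toString()` if the class has one), and add a test asserting that two instances differing only in this flag are not equal.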
diff --git
a/ambari-server/src/main/java/org/apache/ambari/server/security/ldap/AmbariLdapDataPopulator.java
b/ambari-server/src/main/java/org/apache/ambari/server/security/ldap/AmbariLdapDataPopulator.java
index 121e7a6..c4a25ce 100644
---
a/ambari-server/src/main/java/org/apache/ambari/server/security/ldap/AmbariLdapDataPopulator.java
+++
b/ambari-server/src/main/java/org/apache/ambari/server/security/ldap/AmbariLdapDataPopulator.java
@@ -95,6 +95,7 @@ public class AmbariLdapDataPopulator {
private static final String UID_ATTRIBUTE = "uid";
private static final String OBJECT_CLASS_ATTRIBUTE = "objectClass";
private static final int USERS_PAGE_SIZE = 500;
+ private static final String SYSTEM_PROPERTY_DISABLE_ENDPOINT_IDENTIFICATION
= "com.sun.jndi.ldap.object.disableEndpointIdentification";
// REGEXP to check member attribute starts with "cn=" or "uid=" - case
insensitive
private static final String IS_MEMBER_DN_REGEXP = "^(?i)(uid|cn|%s|%s)=.*$";
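Review bot: `SYSTEM_PROPERTY_DISABLE_ENDPOINT_IDENTIFICATION` names a JVM system property, and nothing at the declaration tells a reader that setting it reaches beyond this class. A comment such as `// JVM-wide JNDI setting: while set to "true", hostname verification is skipped for every LDAP-over-SSL connection opened through JNDI in this process, not only the one built here` would make the scope of the switch visible where the constant is defined.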
@@ -760,9 +761,8 @@ public class AmbariLdapDataPopulator {
* @return LdapTemplate instance
*/
protected LdapTemplate loadLdapTemplate() {
- LdapServerProperties ldapServerProperties = getLdapProperties();
final LdapServerProperties properties =
getConfiguration().getLdapServerProperties();
- if (ldapTemplate == null || !properties.equals(ldapServerProperties)) {
+ if (ldapTemplate == null || !properties.equals(getLdapProperties())) {
LOG.info("Reloading properties");
ldapServerProperties = properties;
@@ -780,6 +780,16 @@ public class AmbariLdapDataPopulator {
ldapContextSource.setPassword(ldapServerProperties.getManagerPassword());
}
+ if (ldapServerProperties.isUseSsl() &&
ldapServerProperties.isDisableEndpointIdentification()) {
+ System.setProperty(SYSTEM_PROPERTY_DISABLE_ENDPOINT_IDENTIFICATION,
"true");
+ LOG.info("Disabled endpoint identification");
+ } else {
+ System.clearProperty(SYSTEM_PROPERTY_DISABLE_ENDPOINT_IDENTIFICATION);
+ LOG.info("Removed endpoint identification disabling");
+ }
+
+ ldapContextSource.setReferral(ldapServerProperties.getReferralMethod());
+
try {
ldapContextSource.afterPropertiesSet();
} catch (Exception e) {
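Review bot: The `else` branch calls `System.clearProperty(SYSTEM_PROPERTY_DISABLE_ENDPOINT_IDENTIFICATION)` unconditionally on every reload, so a value an operator set at JVM start with `-D` is silently removed the first time the LDAP properties are (re)loaded, and the `setProperty` branch changes a process-wide JNDI setting rather than just this `ldapContextSource`. Track whether this class set the property (a `private boolean endpointIdentificationDisabledHere` field on the populator) and clear it only in that case, and log the disabling at WARN rather than INFO, since it switches off server hostname verification for the LDAP connection and should stand out in the server log. The enclosing `loadLdapTemplate()` and the `try`/`catch` around `afterPropertiesSet()` continue outside this hunk.
```java
      if (ldapServerProperties.isUseSsl() && ldapServerProperties.isDisableEndpointIdentification()) {
        System.setProperty(SYSTEM_PROPERTY_DISABLE_ENDPOINT_IDENTIFICATION, "true");
        endpointIdentificationDisabledHere = true;
        LOG.warn("Endpoint identification (hostname verification) disabled for the LDAP SSL handshake; this applies to all JNDI LDAP connections in this JVM");
      } else if (endpointIdentificationDisabledHere) {
        // only undo what this class set; a value supplied via -D at JVM start is left untouched
        System.clearProperty(SYSTEM_PROPERTY_DISABLE_ENDPOINT_IDENTIFICATION);
        endpointIdentificationDisabledHere = false;
        LOG.info("Removed endpoint identification disabling");
      }

      ldapContextSource.setReferral(ldapServerProperties.getReferralMethod());
      // … unchanged: afterPropertiesSet() call and its try/catch …
```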
@@ -787,8 +797,6 @@ public class AmbariLdapDataPopulator {
throw new UsernameNotFoundException("LDAP Context Source not loaded",
e);
}
- ldapContextSource.setReferral(ldapServerProperties.getReferralMethod());
-
ldapTemplate = createLdapTemplate(ldapContextSource);
ldapTemplate.setIgnorePartialResultException(true);
diff --git a/ambari-server/src/main/python/ambari-server.py
b/ambari-server/src/main/python/ambari-server.py
index 09019f3..6a05013 100755
--- a/ambari-server/src/main/python/ambari-server.py
+++ b/ambari-server/src/main/python/ambari-server.py
@@ -565,6 +565,7 @@ def init_ldap_setup_parser_options(parser):
parser.add_option('--ldap-referral', default=None, help="Referral method
[follow/ignore] for LDAP", dest="ldap_referral")
parser.add_option('--ldap-bind-anonym', default=None, help="Bind anonymously
[true/false] for LDAP", dest="ldap_bind_anonym")
parser.add_option('--ldap-sync-username-collisions-behavior', default=None,
help="Handling behavior for username collisions [convert/skip] for LDAP sync",
dest="ldap_sync_username_collisions_behavior")
+ parser.add_option('--ldap-sync-disable-endpoint-identification',
default=None, help="Determines whether to disable endpoint identification
(hostname verification) during SSL handshake for LDAP sync. This option takes
effect only if --ldap-ssl is set to 'true'",
dest="ldap_sync_disable_endpoint_identification")
parser.add_option('--ldap-force-lowercase-usernames', default=None,
help="Declares whether to force the ldap user name to be lowercase or leave
as-is", dest="ldap_force_lowercase_usernames")
parser.add_option('--ldap-pagination-enabled', default=None,
help="Determines whether results from LDAP are paginated when requested",
dest="ldap_pagination_enabled")
parser.add_option('--ldap-force-setup', action="store_true", default=False,
help="Forces the use of LDAP even if other (i.e. PAM) authentication method is
configured already or if there is no authentication method configured at all",
dest="ldap_force_setup")
diff --git a/ambari-server/src/main/python/ambari_server/setupSecurity.py
b/ambari-server/src/main/python/ambari_server/setupSecurity.py
index ac0c4d4..9eacd1f 100644
--- a/ambari-server/src/main/python/ambari_server/setupSecurity.py
+++ b/ambari-server/src/main/python/ambari_server/setupSecurity.py
@@ -93,6 +93,7 @@ LDAP_MGR_USERNAME_PROPERTY =
"ambari.ldap.connectivity.bind_dn"
LDAP_MGR_PASSWORD_FILENAME = "ldap-password.dat"
LDAP_ANONYMOUS_BIND="ambari.ldap.connectivity.anonymous_bind"
LDAP_USE_SSL="ambari.ldap.connectivity.use_ssl"
+LDAP_DISABLE_ENDPOINT_IDENTIFICATION =
"ambari.ldap.advanced.disable_endpoint_identification"
NO_AUTH_METHOD_CONFIGURED = "no auth method"
def read_master_key(isReset=False, options = None):
@@ -750,6 +751,7 @@ def setup_ldap(options):
ldap_property_list_opt = [LDAP_MGR_USERNAME_PROPERTY,
LDAP_MGR_PASSWORD_PROPERTY,
+ LDAP_DISABLE_ENDPOINT_IDENTIFICATION,
SSL_TRUSTSTORE_TYPE_PROPERTY,
SSL_TRUSTSTORE_PATH_PROPERTY,
SSL_TRUSTSTORE_PASSWORD_PROPERTY]
@@ -790,6 +792,10 @@ def setup_ldap(options):
ts_password = None
if ldaps:
+ disable_endpoint_identification = get_validated_string_input("Disable
endpoint identification during SSL handshake [true/false] (false): ", "false",
+
REGEX_TRUE_FALSE, "Invalid characters in the input!", False, allowEmpty=True,
answer=options.ldap_sync_disable_endpoint_identification)
+ ldap_property_value_map[LDAP_DISABLE_ENDPOINT_IDENTIFICATION] =
disable_endpoint_identification
+
truststore_default = "n"
truststore_set = bool(SSL_TRUSTSTORE_PATH_DEFAULT)
if truststore_set:
diff --git a/ambari-server/src/test/python/TestAmbariServer.py
b/ambari-server/src/test/python/TestAmbariServer.py
index ca17ea7..6058ca1 100644
--- a/ambari-server/src/test/python/TestAmbariServer.py
+++ b/ambari-server/src/test/python/TestAmbariServer.py
@@ -8711,6 +8711,7 @@ class TestAmbariServer(TestCase):
options.ambari_admin_password = None
options.ldap_sync_admin_name = None
options.ldap_sync_username_collisions_behavior = None
+ options.ldap_sync_disable_endpoint_identification = None
options.ldap_force_lowercase_usernames = None
options.ldap_pagination_enabled = None
options.ldap_sync_admin_password = None