This is an automated email from the ASF dual-hosted git repository.
wuzhiguo pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/ambari.git
The following commit(s) were added to refs/heads/trunk by this push:
new 6f7c4b3958 AMBARI-25382: Issues with Views in ambari when User Logs In
from KNOX/LDAP and the username has spaces and Camel Case Letters (#3494)
6f7c4b3958 is described below
commit 6f7c4b3958d8600172bed576d24f69c24f1041cb
Author: Zhiguo Wu <[email protected]>
AuthorDate: Tue Nov 15 00:38:24 2022 +0800
AMBARI-25382: Issues with Views in ambari when User Logs In from KNOX/LDAP
and the username has spaces and Camel Case Letters (#3494)
---
.../org/apache/ambari/server/orm/entities/ViewInstanceEntity.java | 3 ++-
.../authentication/jwt/AmbariJwtAuthenticationProvider.java | 7 +++++++
.../server/security/authorization/AmbariLdapBindAuthenticator.java | 7 ++++---
.../ambari/server/security/authorization/AuthorizationHelper.java | 4 +++-
.../authentication/jwt/AmbariJwtAuthenticationFilterTest.java | 1 +
.../security/authorization/AmbariLdapBindAuthenticatorTest.java | 4 ++++
6 files changed, 21 insertions(+), 5 deletions(-)
diff --git
a/ambari-server/src/main/java/org/apache/ambari/server/orm/entities/ViewInstanceEntity.java
b/ambari-server/src/main/java/org/apache/ambari/server/orm/entities/ViewInstanceEntity.java
index 7d458492d0..e7714e9eb1 100644
---
a/ambari-server/src/main/java/org/apache/ambari/server/orm/entities/ViewInstanceEntity.java
+++
b/ambari-server/src/main/java/org/apache/ambari/server/orm/entities/ViewInstanceEntity.java
@@ -49,6 +49,7 @@ import org.apache.ambari.server.controller.spi.Resource;
import org.apache.ambari.server.security.SecurityHelper;
import org.apache.ambari.server.security.SecurityHelperImpl;
import
org.apache.ambari.server.security.authorization.AmbariAuthorizationFilter;
+import org.apache.ambari.server.security.authorization.AuthorizationHelper;
import org.apache.ambari.server.view.ViewContextImpl;
import org.apache.ambari.server.view.ViewRegistry;
import org.apache.ambari.server.view.configuration.InstanceConfig;
@@ -811,7 +812,7 @@ public class ViewInstanceEntity implements
ViewInstanceDefinition {
* @return the current user name; empty String if user is not known
*/
public String getUsername() {
- return securityHelper.getCurrentUserName();
+ return
AuthorizationHelper.resolveLoginAliasToUserName(securityHelper.getCurrentUserName());
}
/**
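Review bot: The Javadoc on `getUsername()` still promises "the current user name; empty String if user is not known", but the value now passes through `AuthorizationHelper.resolveLoginAliasToUserName(...)`, so it no longer says which identity a view receives. Because this commit also stores the reverse mapping in `addLoginNameAlias`, the lookup may return the login alias rather than the Ambari user name; `resolveLoginAliasToUserName` is not shown here, so that should be confirmed. I would extend the Javadoc to something like `@return the name resolved through the session login-alias mapping; empty String if user is not known`. Also confirm that the helper returns its input unchanged for a null or empty name, since view code presumably relies on this value for identity decisions.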
diff --git
a/ambari-server/src/main/java/org/apache/ambari/server/security/authentication/jwt/AmbariJwtAuthenticationProvider.java
b/ambari-server/src/main/java/org/apache/ambari/server/security/authentication/jwt/AmbariJwtAuthenticationProvider.java
index 076e1b7ba2..a3ea7f9149 100644
---
a/ambari-server/src/main/java/org/apache/ambari/server/security/authentication/jwt/AmbariJwtAuthenticationProvider.java
+++
b/ambari-server/src/main/java/org/apache/ambari/server/security/authentication/jwt/AmbariJwtAuthenticationProvider.java
@@ -29,6 +29,7 @@ import
org.apache.ambari.server.security.authentication.AmbariUserDetails;
import org.apache.ambari.server.security.authentication.AmbariUserDetailsImpl;
import
org.apache.ambari.server.security.authentication.TooManyLoginFailuresException;
import org.apache.ambari.server.security.authentication.UserNotFoundException;
+import org.apache.ambari.server.security.authorization.AuthorizationHelper;
import org.apache.ambari.server.security.authorization.UserAuthenticationType;
import org.apache.ambari.server.security.authorization.Users;
import org.slf4j.Logger;
@@ -120,6 +121,12 @@ public class AmbariJwtAuthenticationProvider extends
AmbariAuthenticationProvide
}
AmbariUserDetails userDetails = new
AmbariUserDetailsImpl(users.getUser(userEntity), null,
users.getUserAuthorities(userEntity));
+
+ String jwtTokenName = userDetails.getUsername().trim();
+ //If JwtToken Provided Username and authenticatedUsername is different
Add it to Alias
+ if(!userName.equals(jwtTokenName)){
+ AuthorizationHelper.addLoginNameAlias(userName,jwtTokenName);
+ }
return new
AmbariUserAuthentication(authentication.getCredentials().toString(),
userDetails, true);
} else {
// The user was not authenticated, fail
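Review bot: The arguments to `addLoginNameAlias` look swapped relative to its signature `addLoginNameAlias(String ambariUserName, String loginAlias)`. `jwtTokenName` is read from `userDetails.getUsername()`, which is the user loaded from the Ambari store, while `userName` appears to be the name taken from the token (its assignment is outside the hunk). The session ends up with both directions either way, but the "Adding login alias" log line will report the two names reversed, and the variable name misleads the next reader. I would rename the local to `ambariUserName` and call `AuthorizationHelper.addLoginNameAlias(ambariUserName, userName);`. Only one side is trimmed before the comparison, so names that differ only in surrounding whitespace register an alias; the comment should say so if that is intended.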
diff --git
a/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariLdapBindAuthenticator.java
b/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariLdapBindAuthenticator.java
index 4adbd2b814..b6c5de397e 100644
---
a/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariLdapBindAuthenticator.java
+++
b/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariLdapBindAuthenticator.java
@@ -85,7 +85,7 @@ public class AmbariLdapBindAuthenticator extends
AbstractLdapAuthenticator {
LOG.warn("The user data does not contain a value for {}.",
ldapServerProperties.getUsernameAttribute());
} else if (ldapUserName.isEmpty()) {
LOG.warn("The user data contains an empty value for {}.",
ldapServerProperties.getUsernameAttribute());
- } else if (!ldapUserName.equals(loginName)) {
+ } else {
// if authenticated user name is different from ldap user name than user
has logged in
// with a login name that is different (e.g. user principal name) from
the ambari user name stored in
// ambari db. In this case add the user login name as login alias for
ambari user name.
@@ -100,8 +100,9 @@ public class AmbariLdapBindAuthenticator extends
AbstractLdapAuthenticator {
} else {
processedLdapUserName = ldapUserName;
}
-
- AuthorizationHelper.addLoginNameAlias(processedLdapUserName, loginName);
+ if (!processedLdapUserName.equals(loginName.toLowerCase())) {
+ AuthorizationHelper.addLoginNameAlias(processedLdapUserName,
loginName.toLowerCase());
+ }
}
return user;
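Review bot: `loginName.toLowerCase()` is called without a locale, so the alias key depends on the JVM default locale, and under some locales (Turkish dotless i, for example) it will not match the name other components compute. For identity strings, normalise once with a fixed locale and reuse the result: `String loginAlias = loginName.toLowerCase(Locale.ROOT);` then `if (!processedLdapUserName.equals(loginAlias)) { AuthorizationHelper.addLoginNameAlias(processedLdapUserName, loginAlias); }`, which needs a `java.util.Locale` import. The login name is lower-cased unconditionally, while the visible `processedLdapUserName = ldapUserName;` branch keeps the LDAP name's case. Code that later resolves the alias with the original-case login name may therefore miss the entry; please confirm against `resolveLoginAliasToUserName`, which is not shown here.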
diff --git
a/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AuthorizationHelper.java
b/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AuthorizationHelper.java
index d92fc44b65..c5d22fbcfb 100644
---
a/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AuthorizationHelper.java
+++
b/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AuthorizationHelper.java
@@ -325,13 +325,15 @@ public class AuthorizationHelper {
* of alias user name to local ambari user name to make possible resolving
* login alias to ambari user name.
* @param ambariUserName ambari user name for which the alias is to be
stored in the session
- * @param loginAlias the alias for the ambari user name.
+ * @param loginAlias The Name with which user logged in Ambari UI.
*/
public static void addLoginNameAlias(String ambariUserName, String
loginAlias) {
ServletRequestAttributes attr = (ServletRequestAttributes)
RequestContextHolder.getRequestAttributes();
if (attr != null) {
LOG.info("Adding login alias '{}' for user name '{}'", loginAlias,
ambariUserName);
attr.setAttribute(loginAlias, ambariUserName,
RequestAttributes.SCOPE_SESSION);
+ //save Vice Versa Too
+ attr.setAttribute(ambariUserName, loginAlias,
RequestAttributes.SCOPE_SESSION);
}
}
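Review bot: Both `setAttribute` calls use a raw user-supplied name as the session attribute key, and the added reverse entry makes the Ambari user name a key as well. Those keys share one namespace with every other session-scoped attribute, so a name that coincides with an existing attribute key would overwrite it. I would prefix both keys with a fixed constant private to this class and apply the same prefix in `resolveLoginAliasToUserName` (not shown here). The reverse entry also means a lookup can no longer tell an alias from a user name, so the Javadoc should state that both directions are stored, and callers that use the resolved value for authorization should be checked. Since this logs names at INFO on every login, consider DEBUG.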
diff --git
a/ambari-server/src/test/java/org/apache/ambari/server/security/authentication/jwt/AmbariJwtAuthenticationFilterTest.java
b/ambari-server/src/test/java/org/apache/ambari/server/security/authentication/jwt/AmbariJwtAuthenticationFilterTest.java
index e8687c5521..4e35a5eb61 100644
---
a/ambari-server/src/test/java/org/apache/ambari/server/security/authentication/jwt/AmbariJwtAuthenticationFilterTest.java
+++
b/ambari-server/src/test/java/org/apache/ambari/server/security/authentication/jwt/AmbariJwtAuthenticationFilterTest.java
@@ -414,6 +414,7 @@ public class AmbariJwtAuthenticationFilterTest extends
EasyMockSupport {
Users users = createMock(Users.class);
expect(users.getUserEntity("test-user")).andReturn(userEntity).once();
expect(users.getUser(userEntity)).andReturn(user).once();
+ expect(user.getUserName()).andReturn("test-user").atLeastOnce();
expect(users.getUserAuthorities(userEntity)).andReturn(Collections.emptyList()).once();
users.validateLogin(userEntity, "test-user");
expectLastCall().once();
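Review bot: The added expectation returns "test-user", the same name passed to `users.getUserEntity("test-user")`, so the provider's new `!userName.equals(jwtTokenName)` branch is never taken in this test. The alias registration added by this commit therefore has no coverage on the JWT path. I would add a case where `user.getUserName()` returns a differently cased or padded name and assert the expected `setAttribute` calls on the request attributes. The test method starts and ends outside the hunk.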
diff --git
a/ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AmbariLdapBindAuthenticatorTest.java
b/ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AmbariLdapBindAuthenticatorTest.java
index 335ad70972..3ebb4763ec 100644
---
a/ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AmbariLdapBindAuthenticatorTest.java
+++
b/ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AmbariLdapBindAuthenticatorTest.java
@@ -179,6 +179,8 @@ public class AmbariLdapBindAuthenticatorTest extends
EasyMockSupport {
if (!StringUtils.isEmpty(ldapUsername) &&
!ambariUsername.equals(ldapUsername)) {
servletRequestAttributes.setAttribute(eq(ambariUsername),
eq(forceUsernameToLower ? ldapUsername.toLowerCase() : ldapUsername),
eq(RequestAttributes.SCOPE_SESSION));
expectLastCall().once();
+ servletRequestAttributes.setAttribute(eq(forceUsernameToLower ?
ldapUsername.toLowerCase() : ldapUsername),eq(ambariUsername),
eq(RequestAttributes.SCOPE_SESSION));
+ expectLastCall().once();
}
setupDatabaseConfigurationExpectations(true, forceUsernameToLower);
@@ -186,6 +188,8 @@ public class AmbariLdapBindAuthenticatorTest extends
EasyMockSupport {
replayAll();
RequestContextHolder.setRequestAttributes(servletRequestAttributes);
+// servletRequestAttributes.setAttribute(ambariUsername,ldapUsername,
RequestAttributes.SCOPE_SESSION);
+// expectLastCall().anyTimes();
AmbariLdapBindAuthenticator bindAuthenticator = new
AmbariLdapBindAuthenticator(ldapCtxSource, ldapConfiguration);
bindAuthenticator.setUserSearch(userSearch);
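Review bot: The two lines added here are commented-out code (`// servletRequestAttributes.setAttribute(...)` and `// expectLastCall().anyTimes();`) and should be dropped before merge. They are also placed after `replayAll()`, where recording an expectation on the mock would not work as written, which suggests they are leftover debugging. If a looser expectation is really needed, it belongs with the other `setAttribute` expectations before `replayAll()`.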