docherak opened a new issue, #17797: URL: https://github.com/apache/dolphinscheduler/issues/17797
### Search before asking

- [x] I had searched in the [issues](https://github.com/apache/dolphinscheduler/issues?q=is%3Aissue) and found no similar issues.

### What happened

I encountered issues when setting up an LDAP connection via the `security` section of `values.yaml` while using the Helm deployment. There is a mismatch between the environment variables generated by `_helpers.tpl` and the properties expected by `LdapService.java`. Because of this, the LDAP configuration is ignored / fails to bind correctly.

Specifically there are two issues:

1. Incorrect variable names: the Helm chart generates environment variables that the application does not read.
2. Missing configuration: there is no way to configure the `adminUserFilter` via `values.yaml`.

Detailed mismatch:

| Config Item | Current Helm Output (`_helpers.tpl`) | Expected by App (`LdapService.java`) | Status |
| :--- | :--- | :--- | :--- |
| **LDAP URL** | `SECURITY_AUTHENTICATION_LDAP_URLS` | `SECURITY_AUTHENTICATION_LDAP_URL` | **Broken** (key mismatch) |
| **Admin User** | `SECURITY_AUTHENTICATION_LDAP_USER_ADMIN` | `SECURITY_AUTHENTICATION_LDAP_USER_ADMIN_USERNAME` | **Broken** (key mismatch) |
| **Admin Filter** | *(missing)* | `SECURITY_AUTHENTICATION_LDAP_USER_ADMIN_USER_FILTER` | **Missing** |

Snippet from current `values.yaml`:

```yaml
security:
  authentication:
    # -- Authentication types (supported types: PASSWORD,LDAP,CASDOOR_SSO)
    type: PASSWORD
    # If you set type `LDAP`, the config below will be effective
    ldap:
      # -- LDAP urls
      urls: ldap://ldap.forumsys.com:389/
      # -- LDAP base dn
      basedn: dc=example,dc=com
      # -- LDAP username
      username: cn=read-only-admin,dc=example,dc=com
      # -- LDAP password
      password: password
      user:
        # -- Admin user account when you log in with LDAP
        admin: read-only-admin
        # -- LDAP user identity attribute
        identityattribute: uid
        # -- LDAP user email attribute
        emailattribute: mail
        # -- action when the LDAP user does not exist, default value: CREATE.
        # Optional values include (CREATE, DENY)
        notexistaction: CREATE
      ssl:
        # -- LDAP ssl switch
        enable: false
        # -- LDAP jks file absolute path, do not change this value
        truststore: "/opt/ldapkeystore.jks"
        # -- LDAP jks file base64 content.
        # If you use macOS, please run `base64 -b 0 -i /path/to/your.jks`.
        # If you use Linux, please run `base64 -w 0 /path/to/your.jks`.
        # If you use Windows, please run `certutil -f -encode /path/to/your.jks`.
        # Then copy the base64 content to the field below in one line
        jksbase64content: ""
        # -- LDAP jks password
        truststorepassword: ""
```

Snippet from current `_helpers.tpl` (bug source):

```yaml
{{/*
Create the security environment variables.
*/}}
{{- define "dolphinscheduler.security.env_vars" -}}
- name: SECURITY_AUTHENTICATION_TYPE
  value: {{ .Values.security.authentication.type | quote }}
{{- if eq .Values.security.authentication.type "LDAP" }}
- name: SECURITY_AUTHENTICATION_LDAP_URLS
  value: {{ .Values.security.authentication.ldap.urls | quote }}
- name: SECURITY_AUTHENTICATION_LDAP_BASE_DN
  value: {{ .Values.security.authentication.ldap.basedn | quote }}
- name: SECURITY_AUTHENTICATION_LDAP_USERNAME
  value: {{ .Values.security.authentication.ldap.username | quote }}
- name: SECURITY_AUTHENTICATION_LDAP_PASSWORD
  value: {{ .Values.security.authentication.ldap.password | quote }}
- name: SECURITY_AUTHENTICATION_LDAP_USER_ADMIN
  value: {{ .Values.security.authentication.ldap.user.admin | quote }}
- name: SECURITY_AUTHENTICATION_LDAP_USER_IDENTITY_ATTRIBUTE
  value: {{ .Values.security.authentication.ldap.user.identityattribute | quote }}
- name: SECURITY_AUTHENTICATION_LDAP_USER_EMAIL_ATTRIBUTE
  value: {{ .Values.security.authentication.ldap.user.emailattribute | quote }}
- name: SECURITY_AUTHENTICATION_LDAP_USER_NOT_EXIST_ACTION
  value: {{ .Values.security.authentication.ldap.user.notexistaction | quote }}
- name: SECURITY_AUTHENTICATION_LDAP_SSL_ENABLE
  value: {{ .Values.security.authentication.ldap.ssl.enable | quote }}
- name: SECURITY_AUTHENTICATION_LDAP_SSL_TRUST_STORE
  value: {{ .Values.security.authentication.ldap.ssl.truststore | quote }}
- name: SECURITY_AUTHENTICATION_LDAP_SSL_TRUST_STORE_PASSWORD
  value: {{ .Values.security.authentication.ldap.ssl.truststorepassword | quote }}
{{- end }}
{{- end -}}
```

Snippet from `LdapService.java`:

```java
import org.springframework.beans.factory.annotation.Value;

public class LdapService {
    // Spring relaxed binding maps these keys to the env vars
    // SECURITY_AUTHENTICATION_LDAP_USER_ADMIN_USERNAME,
    // SECURITY_AUTHENTICATION_LDAP_USER_ADMIN_USER_FILTER and
    // SECURITY_AUTHENTICATION_LDAP_URL respectively.
    @Value("${security.authentication.ldap.user.admin-username:#{null}}")
    private String ldapAdminUserName;

    @Value("${security.authentication.ldap.user.admin-user-filter:#{null}}")
    private String ldapAdminUserFilter;

    @Value("${security.authentication.ldap.url:#{null}}")
    private String ldapUrl;

    // remaining fields and methods of the class are not quoted here
}
```

### What you expected to happen

Setting `security.authentication.ldap.urls` in `values.yaml` should preferably be `security.authentication.ldap.url` and should correctly populate `SECURITY_AUTHENTICATION_LDAP_URL`. Since this is not the case, the LDAP service defaults to `ldap://ldap.forumsys.com:389/`.

Setting `security.authentication.ldap.user.admin` should preferably be `security.authentication.ldap.user.adminusername` and should correctly populate `SECURITY_AUTHENTICATION_LDAP_USER_ADMIN_USERNAME`.

There should be a new option in `values.yaml` to populate `SECURITY_AUTHENTICATION_LDAP_USER_ADMIN_USER_FILTER`.

### How to reproduce

1. Configure `values.yaml` with `security.authentication.type: LDAP`.
2. Run `helm template` or `helm install`.
3. Observe the generated Pod environment variables: they do not match the keys required by the DolphinScheduler application code.
4. Consequently, LDAP login fails or defaults to ldap.forumsys.com because the custom URL env var is ignored.

### Anything else

I have a fix ready for this locally. I can update `values.yaml` and `_helpers.tpl` to correct the variable names and add the missing filter option.

### Version

3.3.2

### Are you willing to submit PR?

- [x] Yes I am willing to submit a PR!
### Code of Conduct

- [x] I agree to follow this project's [Code of Conduct](https://www.apache.org/foundation/policies/conduct)
