This is an automated email from the ASF dual-hosted git repository.
chengpan pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/kyuubi.git
The following commit(s) were added to refs/heads/master by this push:
new 156628cf7 [KYUUBI #5083] [DOC] Add LDAP document
156628cf7 is described below
commit 156628cf72bfddbb786d2757ca37ebe5d323f4e0
Author: hezhao2 <[email protected]>
AuthorDate: Mon Jul 31 20:32:16 2023 +0800
[KYUUBI #5083] [DOC] Add LDAP document
### _Why are the changes needed?_
I'd like to update the LDAP doc to guide users in setting up LDAP authentication in
Kyuubi.
### _How was this patch tested?_
- [ ] Add some test cases that check the changes thoroughly including
negative and positive cases if possible
- [x] Add screenshots for manual tests if appropriate
<img width="1395" alt="image"
src="https://github.com/apache/kyuubi/assets/26535726/6925a8e3-dfaf-48ad-a442-bb635fe75830">
- [ ] [Run test](https://kyuubi.readthedocs.io/en/master/contributing/code/testing.html#running-tests) locally before making a pull request
Closes #5083 from zhaohehuhu/Improvement-0721.
Closes #5083
8c0e149dd [Cheng Pan] polish
22f8d3aa6 [Cheng Pan] nit
822fa66b3 [hezhao2] sync
78ae12345 [hezhao2] further explanation for LDAP filters
7ebc61acf [Cheng Pan] Update docs/security/ldap.md
bb06810f7 [Cheng Pan] Update docs/security/ldap.md
8d19fdf31 [Cheng Pan] Update docs/security/ldap.md
c2fa2806e [Cheng Pan] Update docs/security/ldap.md
2acbb87db [hezhao2] update LDAP doc
22027e1f2 [hezhao2] update LDAP doc
Lead-authored-by: hezhao2 <[email protected]>
Co-authored-by: Cheng Pan <[email protected]>
Co-authored-by: Cheng Pan <[email protected]>
Signed-off-by: Cheng Pan <[email protected]>
---
docs/security/ldap.md | 60 ++++++++++++++++++++++++++++++++++++++++++++++++++
docs/security/ldap.rst | 21 ------------------
2 files changed, 60 insertions(+), 21 deletions(-)
diff --git a/docs/security/ldap.md b/docs/security/ldap.md
new file mode 100644
index 000000000..f668ad0c9
--- /dev/null
+++ b/docs/security/ldap.md
@@ -0,0 +1,60 @@
+<!--
+- Licensed to the Apache Software Foundation (ASF) under one or more
+- contributor license agreements. See the NOTICE file distributed with
+- this work for additional information regarding copyright ownership.
+- The ASF licenses this file to You under the Apache License, Version 2.0
+- (the "License"); you may not use this file except in compliance with
+- the License. You may obtain a copy of the License at
+-
+- http://www.apache.org/licenses/LICENSE-2.0
+-
+- Unless required by applicable law or agreed to in writing, software
+- distributed under the License is distributed on an "AS IS" BASIS,
+- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+- See the License for the specific language governing permissions and
+- limitations under the License.
+-->
+
+# Configure Kyuubi to use LDAP Authentication
+
+Kyuubi can be configured to enable frontend LDAP authentication for clients,
such as the BeeLine, or the JDBC and ODBC drivers.
+At present, only simple LDAP authentication mechanism involving username and
password is supported. The client sends
+a username and password to the Kyuubi server, and the Kyuubi server validates
these credentials using an external LDAP service.
+
+## Enable LDAP Authentication
+
+To enable LDAP authentication for Kyuubi, LDAP-related configurations is
required to be configured in
+`$KYUUBI_HOME/conf/kyuubi-defaults.conf` on each node where Kyuubi server is
installed.
+
+For example,
+
+```properties example
+kyuubi.authentication=LDAP
+kyuubi.authentication.ldap.baseDN=dc=org
+kyuubi.authentication.ldap.domain=apache.org
+kyuubi.authentication.ldap.binddn=uid=kyuubi,OU=Users,DC=apache,DC=org
+kyuubi.authentication.ldap.bindpw=kyuubi123123
+kyuubi.authentication.ldap.url=ldap://hostname.com:389/
+```
+
+## User and Group Filter in LDAP
+
+Kyuubi also supports complex LDAP cases as [Apache
Hive](https://cwiki.apache.org/confluence/display/Hive/User+and+Group+Filter+Support+with+LDAP+Atn+Provider+in+HiveServer2#UserandGroupFilterSupportwithLDAPAtnProviderinHiveServer2-UserandGroupFilterSupportwithLDAP)
does.
+
+For example,
+
+```properties example
+# Group Membership
+kyuubi.authentication.ldap.groupClassKey=groupOfNames
+kyuubi.authentication.ldap.groupDNPattern=CN=%s,OU=Groups,DC=apache,DC=org
+kyuubi.authentication.ldap.groupFilter=group1,group2
+kyuubi.authentication.ldap.groupMembershipKey=memberUid
+# User Search List
+kyuubi.authentication.ldap.userDNPattern=CN=%s,CN=Users,DC=apache,DC=org
+kyuubi.authentication.ldap.userFilter=hive-admin,hive,hive-test,hive-user
+# Custom Query
+kyuubi.authentication.ldap.customLDAPQuery=(&(objectClass=group)(objectClass=top)(instanceType=4)(cn=Domain*)),
(&(objectClass=person)(|(sAMAccountName=admin)(|(memberOf=CN=Domain
Admins,CN=Users,DC=domain,DC=com)(memberOf=CN=Administrators,CN=Builtin,DC=domain,DC=com))))
+```
+
+Please refer to [Settings for LDAP authentication in
Kyuubi](../deployment/settings.html?highlight=LDAP#authentication)
+for all configurations.
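Review bot: The first example sets `kyuubi.authentication.ldap.url=ldap://hostname.com:389/` while the introduction says only simple username and password authentication is supported, so a reader who copies it sends both the client's password and the `bindpw` value from Kyuubi to the directory unencrypted. Suggest showing an `ldaps://` URL in the example if the deployment supports one, or adding a sentence under "Enable LDAP Authentication" telling readers to protect that connection. In the same block, `kyuubi.authentication.ldap.bindpw=kyuubi123123` reads like a usable password; an obvious placeholder, plus a note to restrict read access to `kyuubi-defaults.conf` since it holds the bind credential, would be safer to copy from. Minor: "LDAP-related configurations is required to be configured" should read "LDAP-related configurations are required", and the `customLDAPQuery` example puts two filters on one key separated by a comma, which deserves a line explaining how that value is interpreted.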
diff --git a/docs/security/ldap.rst b/docs/security/ldap.rst
deleted file mode 100644
index 35cfcd6de..000000000
--- a/docs/security/ldap.rst
+++ /dev/null
@@ -1,21 +0,0 @@
-.. Licensed to the Apache Software Foundation (ASF) under one or more
- contributor license agreements. See the NOTICE file distributed with
- this work for additional information regarding copyright ownership.
- The ASF licenses this file to You under the Apache License, Version 2.0
- (the "License"); you may not use this file except in compliance with
- the License. You may obtain a copy of the License at
-
-.. http://www.apache.org/licenses/LICENSE-2.0
-
-.. Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- See the License for the specific language governing permissions and
- limitations under the License.
-
-
-Configure Kyuubi to use LDAP Authentication
-===============================================
-
-.. warning::
- the page is still in-progress.