This is an automated email from the ASF dual-hosted git repository.
nickallen pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/metron.git
The following commit(s) were added to refs/heads/master by this push:
new cf7fcae METRON-2056 Support LDAP Bind Authentication (nickwallen)
closes apache/metron#1371
cf7fcae is described below
commit cf7fcaeb3cb22755cf732505a2d6fc62783d7af9
Author: nickwallen <[email protected]>
AuthorDate: Fri Apr 5 13:23:04 2019 -0400
METRON-2056 Support LDAP Bind Authentication (nickwallen) closes
apache/metron#1371
---
.../CURRENT/configuration/metron-security-env.xml | 21 +++++-----
.../metron/rest/config/WebSecurityConfig.java | 48 ++++++++++++++--------
2 files changed, 42 insertions(+), 27 deletions(-)
diff --git
a/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/configuration/metron-security-env.xml
b/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/configuration/metron-security-env.xml
index 06c14ca..beb0451 100644
---
a/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/configuration/metron-security-env.xml
+++
b/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/configuration/metron-security-env.xml
@@ -44,7 +44,7 @@
<name>metron.ldap.url</name>
<display-name>LDAP URL</display-name>
<value>ldap://localhost:33389</value>
- <description>LDAP Server URL</description>
+ <description>The URL to the LDAP server in the form ldap://[host]:[port]
or ldaps://[host]:[port].</description>
<value-attributes>
<overridable>false</overridable>
</value-attributes>
@@ -54,7 +54,7 @@
<name>metron.ldap.user.dnpattern</name>
<value>uid={0},ou=people,dc=hadoop,dc=apache,dc=org</value>
<display-name>User dn pattern</display-name>
- <description>LDAP user DN</description>
+ <description>Pattern used to create a distinguished name (DN) from a
username. This pattern is used for creating a DN string for direct user
authentication. The pattern argument {0} will be replaced with the username at
runtime.</description>
<value-attributes>
<overridable>false</overridable>
</value-attributes>
@@ -64,7 +64,7 @@
<name>metron.ldap.user.searchbase</name>
<display-name>User Search Base</display-name>
<value>ou=people,dc=hadoop,dc=apache,dc=org</value>
- <description>LDAP user searchbase</description>
+ <description>The location from which the search starts for user
entries.</description>
<value-attributes>
<overridable>false</overridable>
<empty-value-valid>true</empty-value-valid>
@@ -75,7 +75,7 @@
<name>metron.ldap.group.searchbase</name>
<display-name>Group Search Base</display-name>
<value>ou=groups,dc=hadoop,dc=apache,dc=org</value>
- <description>LDAP group searchbase</description>
+ <description>The location from which the search starts for group
entries.</description>
<value-attributes>
<overridable>false</overridable>
<empty-value-valid>true</empty-value-valid>
@@ -86,7 +86,7 @@
<name>metron.ldap.group.searchfilter</name>
<display-name>Group Search Filter</display-name>
<value>member={0}</value>
- <description>LDAP group search filter</description>
+ <description>The search filter used to locate a group. The pattern
argument {0} will be replaced with the username at runtime.</description>
<value-attributes>
<overridable>false</overridable>
<empty-value-valid>true</empty-value-valid>
@@ -108,7 +108,7 @@
<name>metron.ldap.user.searchfilter</name>
<display-name>User Search Filter</display-name>
<value></value>
- <description>Search filter used for Bind Authentication</description>
+ <description>The search filter used to locate a user. The pattern argument
{0} will be replaced with the username at runtime.</description>
<value-attributes>
<overridable>false</overridable>
<empty-value-valid>true</empty-value-valid>
@@ -119,9 +119,10 @@
<name>metron.ldap.user.password</name>
<value>userPassword</value>
<display-name>User password attribute</display-name>
- <description>LDAP attribute for the user password</description>
+ <description>The name of an attribute containing the SHA-encoded user
password. This attribute is used to perform a remote compare operation to
authenticate the user. To use bind authentication, leave this field
blank.</description>
<value-attributes>
<overridable>false</overridable>
+ <empty-value-valid>true</empty-value-valid>
</value-attributes>
<on-ambari-upgrade add="true"/>
</property>
@@ -129,7 +130,7 @@
<name>metron.ldap.group.roleattribute</name>
<display-name>LDAP group role attribute</display-name>
<value>cn</value>
- <description>The LDAP group attribute to be used for determining
roles</description>
+ <description>The attribute of a group that defines the group
name.</description>
<value-attributes>
<overridable>false</overridable>
</value-attributes>
@@ -139,7 +140,7 @@
<name>metron.ldap.bind.dn</name>
<display-name>Bind User</display-name>
<value>uid=admin,ou=people,dc=hadoop,dc=apache,dc=org</value>
- <description>Full distinguished name (DN), of an LDAP user account that
has privileges to search for users. </description>
+ <description>The fully distinguished name (DN) of an LDAP user account
that has privileges to search for users. For example,
`uid=admin,ou=people,dc=hadoop,dc=apache,dc=org` or `[email protected]`.
</description>
<on-ambari-upgrade add="true"/>
<value-attributes>
<overridable>false</overridable>
@@ -151,7 +152,7 @@
<display-name>Bind User Password</display-name>
<value></value>
<property-type>PASSWORD</property-type>
- <description>Password for the account that can search for
users</description>
+ <description>Password for the bind user account.</description>
<value-attributes>
<overridable>false</overridable>
<empty-value-valid>true</empty-value-valid>
diff --git
a/metron-interface/metron-rest/src/main/java/org/apache/metron/rest/config/WebSecurityConfig.java
b/metron-interface/metron-rest/src/main/java/org/apache/metron/rest/config/WebSecurityConfig.java
index 3244e67..2513df0 100644
---
a/metron-interface/metron-rest/src/main/java/org/apache/metron/rest/config/WebSecurityConfig.java
+++
b/metron-interface/metron-rest/src/main/java/org/apache/metron/rest/config/WebSecurityConfig.java
@@ -17,6 +17,7 @@
*/
package org.apache.metron.rest.config;
+import org.apache.commons.lang3.StringUtils;
import org.apache.metron.rest.MetronRestConstants;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@@ -27,6 +28,7 @@ import org.springframework.context.annotation.Configuration;
import org.springframework.core.env.Environment;
import org.springframework.ldap.core.LdapTemplate;
import
org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
+import
org.springframework.security.config.annotation.authentication.configurers.ldap.LdapAuthenticationProviderConfigurer;
import
org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import
org.springframework.security.config.annotation.web.builders.HttpSecurity;
import
org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
@@ -150,25 +152,36 @@ public class WebSecurityConfig extends
WebSecurityConfigurerAdapter {
// Note that we can switch profiles on the fly in Ambari.
List<String> activeProfiles =
Arrays.asList(environment.getActiveProfiles());
if (activeProfiles.contains(MetronRestConstants.LDAP_PROFILE)) {
- LOG.debug("Setting up LDAP authentication against {}.",
providerUrl);
- auth.ldapAuthentication()
- .authoritiesMapper(authoritiesMapper)
- .userDnPatterns(userDnPatterns)
- .userSearchBase(userSearchBase)
- .userSearchFilter(userSearchFilter)
- .groupRoleAttribute(groupRoleAttribute)
- .groupSearchFilter(groupSearchFilter)
- .groupSearchBase(groupSearchBase)
- .contextSource()
- .url(providerUrl)
- .managerDn(providerUserDn)
- .managerPassword(providerPassword)
- .and()
- .passwordCompare()
- .passwordEncoder(new LdapShaPasswordEncoder())
- .passwordAttribute(passwordAttribute);
+ LOG.info("Setting up LDAP authentication; url={}.", providerUrl);
+ LdapAuthenticationProviderConfigurer providerConf = auth
+ .ldapAuthentication()
+ .authoritiesMapper(authoritiesMapper)
+ .userDnPatterns(userDnPatterns)
+ .userSearchBase(userSearchBase)
+ .userSearchFilter(userSearchFilter)
+ .groupRoleAttribute(groupRoleAttribute)
+ .groupSearchFilter(groupSearchFilter)
+ .groupSearchBase(groupSearchBase)
+ .contextSource()
+ .url(providerUrl)
+ .managerDn(providerUserDn)
+ .managerPassword(providerPassword)
+ .and();
+ if(StringUtils.isNotBlank(passwordAttribute)) {
+ // if a password attribute is provided, use that for authentication
+ providerConf
+ .passwordCompare()
+ .passwordEncoder(new LdapShaPasswordEncoder())
+ .passwordAttribute(passwordAttribute);
+ } else {
+ // if no password attribute, set encoder to null which forces bind
authentication
+ providerConf
+ .passwordCompare()
+ .passwordEncoder(null);
+ }
} else if (activeProfiles.contains(MetronRestConstants.DEV_PROFILE) ||
activeProfiles.contains(MetronRestConstants.TEST_PROFILE)) {
+ LOG.info("Setting up JDBC authentication with dev/test profiles");
auth.jdbcAuthentication()
.dataSource(dataSource)
.withUser("user").password("password").roles(SECURITY_ROLE_USER).and()
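Review bot: The `else` branch selects bind authentication only indirectly, by calling `passwordCompare()` and then clearing the encoder it installs, and neither branch records which of the two LDAP modes was chosen even though that mode is a security-relevant deployment setting. If a null encoder is what makes the configurer fall back to a bind authenticator (as the comment asserts — confirm against the Spring Security version in use), simply not calling `passwordCompare()` in that branch should have the same effect with less reliance on the configurer's internals. Either way, each branch should log its mode, e.g. `LOG.info("Using LDAP password-compare authentication; passwordAttribute={}", passwordAttribute);` and `LOG.info("Using LDAP bind authentication; no password attribute configured");`, so operators can verify from the logs that bind authentication is actually in effect. `LdapAuthenticationProviderConfigurer providerConf` is also declared as a raw type; `LdapAuthenticationProviderConfigurer<AuthenticationManagerBuilder> providerConf` matches what `auth.ldapAuthentication()` returns and avoids the unchecked warning. The enclosing method begins before this hunk and continues past its end.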
@@ -176,6 +189,7 @@ public class WebSecurityConfig extends
WebSecurityConfigurerAdapter {
.withUser("user2").password("password").roles(SECURITY_ROLE_USER).and()
.withUser("admin").password("password").roles(SECURITY_ROLE_USER,
SECURITY_ROLE_ADMIN);
} else {
+ LOG.debug("Setting up JDBC authentication");
auth.jdbcAuthentication().dataSource(dataSource);
}
}