Repository: incubator-ranger
Updated Branches:
  refs/heads/master 8f30ebd35 -> 51184bb89


RANGER-457 : Active Directory Authentication should authenticate on 
sAMAccountName attribute

Signed-off-by: Velmurugan Periasamy <[email protected]>


Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/51184bb8
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/51184bb8
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/51184bb8

Branch: refs/heads/master
Commit: 51184bb89d72fc51a96702d3c22b66f03ffe13cb
Parents: 8f30ebd
Author: Gautam Borad <[email protected]>
Authored: Wed May 6 10:26:01 2015 +0530
Committer: Velmurugan Periasamy <[email protected]>
Committed: Wed May 6 01:53:25 2015 -0400

----------------------------------------------------------------------
 security-admin/scripts/install.properties       |  14 +-
 security-admin/scripts/setup.sh                 | 104 ++++++++
 .../apache/ranger/common/PropertiesUtil.java    |  38 +++
 .../handler/RangerAuthenticationProvider.java   | 248 ++++++++++++++-----
 .../conf.dist/ranger-admin-default-site.xml     |  12 +-
 .../resources/conf.dist/ranger-admin-site.xml   |  33 ++-
 6 files changed, 381 insertions(+), 68 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/51184bb8/security-admin/scripts/install.properties
----------------------------------------------------------------------
diff --git a/security-admin/scripts/install.properties 
b/security-admin/scripts/install.properties
index 5dd1f41..a7bc120 100644
--- a/security-admin/scripts/install.properties
+++ b/security-admin/scripts/install.properties
@@ -130,23 +130,33 @@ authServicePort=5151
 #xa_ldap_groupSearchBase="ou=groups,dc=xasecure,dc=net"
 #xa_ldap_groupSearchFilter="(member=uid={0},ou=users,dc=xasecure,dc=net)"
 #xa_ldap_groupRoleAttribute="cn"
+#xa_ldap_base_dn="dc=xasecure,dc=net"
+#xa_ldap_bind_dn="cn=admin,ou=users,dc=xasecure,dc=net"
+#xa_ldap_bind_password=
 
 xa_ldap_url=
 xa_ldap_userDNpattern=
 xa_ldap_groupSearchBase=
 xa_ldap_groupSearchFilter=
 xa_ldap_groupRoleAttribute=
-
+xa_ldap_base_dn=
+xa_ldap_bind_dn=
+xa_ldap_bind_password=
 ####ACTIVE_DIRECTORY settings - Required only if have selected AD 
authentication ####
 #
 # Sample Settings
 #
 #xa_ldap_ad_domain="xasecure.net"
 #xa_ldap_ad_url="ldap://127.0.0.1:389";
+#xa_ldap_ad_base_dn="dc=xasecure,dc=net"
+#xa_ldap_ad_bind_dn="cn=administrator,ou=users,dc=xasecure,dc=net"
+#xa_ldap_ad_bind_password=
 
 xa_ldap_ad_domain=
 xa_ldap_ad_url=
-#
+xa_ldap_ad_base_dn=
+xa_ldap_ad_bind_dn=
+xa_ldap_ad_bind_password=
 # -----------------------------------------------------------
 #
 
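Review bot: The sample AD bind DN in the commented settings block points at `cn=administrator,ou=users,dc=xasecure,dc=net`; the bind account only needs read access to user entries for the sAMAccountName lookup, so the sample should show a dedicated least-privilege read-only account instead, e.g. `#xa_ldap_ad_bind_dn="cn=ranger-ldap-reader,ou=users,dc=xasecure,dc=net"` (constructed example). The file now also carries `xa_ldap_bind_password` and `xa_ldap_ad_bind_password` in clear text, and nothing in this commit appears to clear them after setup.sh has copied the value into the credential keystore, so a comment such as `# bind passwords are stored here in clear text; restrict this file's permissions and clear the value after setup` would help operators. The sample values are written in double quotes while the live keys are not; if setup.sh does not strip quotes, copying a sample line verbatim would store the quotes as part of the value, which is worth stating in the comment.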

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/51184bb8/security-admin/scripts/setup.sh
----------------------------------------------------------------------
diff --git a/security-admin/scripts/setup.sh b/security-admin/scripts/setup.sh
index 77ca819..e8f4d9e 100755
--- a/security-admin/scripts/setup.sh
+++ b/security-admin/scripts/setup.sh
@@ -1223,6 +1223,58 @@ do_authentication_setup(){
                        propertyName=ranger.authentication.method
                        newPropertyValue="${authentication_method}"
                        updatePropertyToFilePy $propertyName $newPropertyValue 
$ldap_file
+
+                       if [ "${xa_ldap_base_dn}" != "" ] && [ 
"${xa_ldap_bind_dn}" != "" ]  && [ "${xa_ldap_bind_password}" != "" ]
+                       then
+                               propertyName=ranger.ldap.base.dn
+                               newPropertyValue="${xa_ldap_base_dn}"
+                               updatePropertyToFilePy $propertyName 
$newPropertyValue $ldap_file
+
+                               propertyName=ranger.ldap.bind.dn
+                               newPropertyValue="${xa_ldap_bind_dn}"
+                               updatePropertyToFilePy $propertyName 
$newPropertyValue $ldap_file
+
+                               keystore="${cred_keystore_filename}"
+
+                               if [ "${keystore}" != "" ]
+                               then
+                                       mkdir -p `dirname "${keystore}"`
+
+                                       
ldap_password_alias=ranger.ldap.binddn.password
+                                       $JAVA_HOME/bin/java -cp "cred/lib/*" 
org.apache.ranger.credentialapi.buildks create "$ldap_password_alias" -value 
"$xa_ldap_bind_password" -provider jceks://file$keystore
+
+                                       
to_file_default=$app_home/WEB-INF/classes/conf/ranger-admin-default-site.xml
+
+                                       if test -f $to_file_default; then
+                                               
propertyName=ranger.credential.provider.path
+                                               newPropertyValue="${keystore}"
+                                               updatePropertyToFilePy 
$propertyName $newPropertyValue $to_file_default
+
+                                               
propertyName=ranger.ldap.binddn.credential.alias
+                                               
newPropertyValue="${ldap_password_alias}"
+                                               updatePropertyToFilePy 
$propertyName $newPropertyValue $to_file_default
+
+                                               
propertyName=ranger.ldap.bind.password
+                                               newPropertyValue="_"
+                                               updatePropertyToFilePy 
$propertyName $newPropertyValue $ldap_file
+                                       else
+                                               log "[E] $to_file_default does 
not exists" ; exit 1;
+                                       fi
+                               else
+                                       propertyName=ranger.ldap.bind.password
+                                       
newPropertyValue="${xa_ldap_bind_password}"
+                                       updatePropertyToFilePy $propertyName 
$newPropertyValue $ldap_file
+                               fi
+                               if test -f $keystore; then
+                                       #echo "$keystore found."
+                                       chown -R ${unix_user}:${unix_group} 
${keystore}
+                                       chmod 640 ${keystore}
+                               else
+                                       propertyName=ranger.ldap.bind.password
+                                       
newPropertyValue="${xa_ldap_bind_password}"
+                                       updatePropertyToFilePy $propertyName 
$newPropertyValue $ldap_file
+                               fi
+                       fi
                else
                        log "[E] $ldap_file does not exists" ; exit 1;
 
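Review bot: `updatePropertyToFilePy $propertyName $newPropertyValue $ldap_file` passes the bind DN unquoted, so a DN containing spaces (common in directories, e.g. `cn=Ranger Service,ou=users,...`) is word-split into several arguments; each call should quote its arguments, `updatePropertyToFilePy "$propertyName" "$newPropertyValue" "$ldap_file"`, and the same applies to the `test -f $keystore` / `test -f $to_file_default` checks. The exit status of the `buildks create` invocation is never examined: if keystore creation fails, `test -f $keystore` is false and the trailing `else` branch writes `xa_ldap_bind_password` in clear text into $ldap_file, silently downgrading the configuration, so the java call should be followed by a status check that logs and `exit 1`s. That trailing `if test -f $keystore` block also duplicates the earlier `else` branch for the empty-keystore case, writing the clear-text password a second time. The AD branch in the next hunk has the identical structure and the same three issues. do_authentication_setup starts and ends outside the hunk.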
@@ -1248,6 +1300,58 @@ do_authentication_setup(){
                        propertyName=ranger.authentication.method
                        newPropertyValue="${authentication_method}"
                        updatePropertyToFilePy $propertyName $newPropertyValue 
$ldap_file
+
+                       if [ "${xa_ldap_ad_base_dn}" != "" ] && [ 
"${xa_ldap_ad_bind_dn}" != "" ]  && [ "${xa_ldap_ad_bind_password}" != "" ]
+                       then
+                               propertyName=ranger.ldap.ad.base.dn
+                               newPropertyValue="${xa_ldap_ad_base_dn}"
+                               updatePropertyToFilePy $propertyName 
$newPropertyValue $ldap_file
+
+                               propertyName=ranger.ldap.ad.bind.dn
+                               newPropertyValue="${xa_ldap_ad_bind_dn}"
+                               updatePropertyToFilePy $propertyName 
$newPropertyValue $ldap_file
+
+                               keystore="${cred_keystore_filename}"
+
+                               if [ "${keystore}" != "" ]
+                               then
+                                       mkdir -p `dirname "${keystore}"`
+
+                                       
ad_password_alias=ranger.ad.binddn.password
+                                       $JAVA_HOME/bin/java -cp "cred/lib/*" 
org.apache.ranger.credentialapi.buildks create "$ad_password_alias" -value 
"$xa_ldap_ad_bind_password" -provider jceks://file$keystore
+
+                                       
to_file_default=$app_home/WEB-INF/classes/conf/ranger-admin-default-site.xml
+
+                                       if test -f $to_file_default; then
+                                               
propertyName=ranger.credential.provider.path
+                                               newPropertyValue="${keystore}"
+                                               updatePropertyToFilePy 
$propertyName $newPropertyValue $to_file_default
+
+                                               
propertyName=ranger.ldap.ad.binddn.credential.alias
+                                               
newPropertyValue="${ad_password_alias}"
+                                               updatePropertyToFilePy 
$propertyName $newPropertyValue $to_file_default
+
+                                               
propertyName=ranger.ldap.ad.bind.password
+                                               newPropertyValue="_"
+                                               updatePropertyToFilePy 
$propertyName $newPropertyValue $ldap_file
+                                       else
+                                               log "[E] $to_file_default does 
not exists" ; exit 1;
+                                       fi
+                               else
+                                       
propertyName=ranger.ldap.ad.bind.password
+                                       
newPropertyValue="${xa_ldap_ad_bind_password}"
+                                       updatePropertyToFilePy $propertyName 
$newPropertyValue $ldap_file
+                               fi
+                               if test -f $keystore; then
+                                       #echo "$keystore found."
+                                       chown -R ${unix_user}:${unix_group} 
${keystore}
+                                       chmod 640 ${keystore}
+                               else
+                                       
propertyName=ranger.ldap.ad.bind.password
+                                       
newPropertyValue="${xa_ldap_ad_bind_password}"
+                                       updatePropertyToFilePy $propertyName 
$newPropertyValue $ldap_file
+                               fi
+                       fi
                else
                        log "[E] $ldap_file does not exists" ; exit 1;
                fi

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/51184bb8/security-admin/src/main/java/org/apache/ranger/common/PropertiesUtil.java
----------------------------------------------------------------------
diff --git 
a/security-admin/src/main/java/org/apache/ranger/common/PropertiesUtil.java 
b/security-admin/src/main/java/org/apache/ranger/common/PropertiesUtil.java
index 1a270a7..5549578 100644
--- a/security-admin/src/main/java/org/apache/ranger/common/PropertiesUtil.java
+++ b/security-admin/src/main/java/org/apache/ranger/common/PropertiesUtil.java
@@ -95,6 +95,44 @@ public class PropertiesUtil extends 
PropertyPlaceholderConfigurer {
                        }
                }
        }
+       if(propertiesMap!=null && 
propertiesMap.containsKey("ranger.authentication.method")){
+               String 
authenticationMethod=propertiesMap.get("ranger.authentication.method");
+               if(authenticationMethod!=null && 
(authenticationMethod.equalsIgnoreCase("ACTIVE_DIRECTORY")||authenticationMethod.equalsIgnoreCase("AD"))){
+                       if(propertiesMap!=null && 
propertiesMap.containsKey("ranger.credential.provider.path") && 
propertiesMap.containsKey("ranger.ldap.ad.binddn.credential.alias")){
+                               String 
path=propertiesMap.get("ranger.credential.provider.path");
+                               String 
alias=propertiesMap.get("ranger.ldap.ad.binddn.credential.alias");
+                               if(path!=null && alias!=null){
+                                       String 
bindDNPassword=CredentialReader.getDecryptedString(path.trim(), alias.trim());
+                                       if(bindDNPassword!=null&& 
!bindDNPassword.trim().isEmpty() &&
+                                                       
!bindDNPassword.trim().equalsIgnoreCase("none")){
+                                               
propertiesMap.put("ranger.ldap.ad.bind.password", bindDNPassword);
+                                               
props.put("ranger.ldap.ad.bind.password", bindDNPassword);
+                                       }else{
+                                               logger.info("Credential 
keystore password not applied for AD Bind DN; clear text password shall be 
applicable");
+                                       }
+                               }
+                       }
+               }
+       }
+       if(propertiesMap!=null && 
propertiesMap.containsKey("ranger.authentication.method")){
+               String 
authenticationMethod=propertiesMap.get("ranger.authentication.method");
+               if(authenticationMethod!=null && 
(authenticationMethod.equalsIgnoreCase("LDAP"))){
+                       if(propertiesMap!=null && 
propertiesMap.containsKey("ranger.credential.provider.path") && 
propertiesMap.containsKey("ranger.ldap.binddn.credential.alias")){
+                               String 
path=propertiesMap.get("ranger.credential.provider.path");
+                               String 
alias=propertiesMap.get("ranger.ldap.binddn.credential.alias");
+                               if(path!=null && alias!=null){
+                                       String 
bindDNPassword=CredentialReader.getDecryptedString(path.trim(), alias.trim());
+                                       if(bindDNPassword!=null&& 
!bindDNPassword.trim().isEmpty() &&
+                                                       
!bindDNPassword.trim().equalsIgnoreCase("none")){
+                                               
propertiesMap.put("ranger.ldap.bind.password", bindDNPassword);
+                                               
props.put("ranger.ldap.bind.password", bindDNPassword);
+                                       }else{
+                                               logger.info("Credential 
keystore password not applied for LDAP Bind DN; clear text password shall be 
applicable");
+                                       }
+                               }
+                       }
+               }
+       }
        super.processProperties(beanFactory, props);
     }
 

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/51184bb8/security-admin/src/main/java/org/apache/ranger/security/handler/RangerAuthenticationProvider.java
----------------------------------------------------------------------
diff --git 
a/security-admin/src/main/java/org/apache/ranger/security/handler/RangerAuthenticationProvider.java
 
b/security-admin/src/main/java/org/apache/ranger/security/handler/RangerAuthenticationProvider.java
index 5101051..8dae0c7 100644
--- 
a/security-admin/src/main/java/org/apache/ranger/security/handler/RangerAuthenticationProvider.java
+++ 
b/security-admin/src/main/java/org/apache/ranger/security/handler/RangerAuthenticationProvider.java
@@ -9,7 +9,7 @@ import java.util.HashMap;
 import javax.security.auth.login.AppConfigurationEntry;
 import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
 import javax.security.auth.login.Configuration;
-
+import org.apache.log4j.Logger;
 import org.apache.ranger.authentication.unix.jaas.RoleUserAuthorityGranter;
 import org.apache.ranger.common.PropertiesUtil;
 import org.springframework.ldap.core.support.LdapContextSource;
@@ -29,11 +29,12 @@ import 
org.springframework.security.ldap.authentication.LdapAuthenticationProvid
 import org.springframework.security.ldap.authentication.LdapAuthenticator;
 import 
org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider;
 import 
org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator;
+import org.springframework.security.ldap.search.FilterBasedLdapUserSearch;
 
 
 
 public class RangerAuthenticationProvider implements AuthenticationProvider {
-
+       private static Logger logger = 
Logger.getLogger(RangerAuthenticationProvider.class);
        private String rangerAuthenticationMethod;
 
        private LdapAuthenticator authenticator;
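Review bot: The new logger field is mutable; a per-class log4j logger is conventionally declared `private static final Logger logger = Logger.getLogger(RangerAuthenticationProvider.class);` so it cannot be reassigned. Nothing in this commit writes to the field, so the change is safe. The class body continues outside the hunk.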
@@ -42,21 +43,38 @@ public class RangerAuthenticationProvider implements 
AuthenticationProvider {
 
        }
 
-       public Authentication initializeAuthenticationHandler(
-                       Authentication authentication) {
-               if (rangerAuthenticationMethod.equalsIgnoreCase("LDAP")) {
-                       return getLdapAuthentication(authentication);
-               }
-               if 
(rangerAuthenticationMethod.equalsIgnoreCase("ACTIVE_DIRECTORY")
-                               || 
rangerAuthenticationMethod.equalsIgnoreCase("AD")) {
-                       return getADAuthentication(authentication);
-               }
-               if (rangerAuthenticationMethod.equalsIgnoreCase("UNIX")) {
-                       return getUnixAuthentication(authentication);
+       @Override
+       public Authentication authenticate(Authentication authentication)
+                       throws AuthenticationException {
+               if (authentication != null && rangerAuthenticationMethod!=null) 
{
+                       if 
(rangerAuthenticationMethod.equalsIgnoreCase("LDAP")) {
+                               
authentication=getLdapAuthentication(authentication);
+                               if(authentication!=null && 
authentication.isAuthenticated()){
+                                       return authentication;
+                               }else{
+                                       
authentication=getLdapBindAuthentication(authentication);
+                                       if(authentication!=null && 
authentication.isAuthenticated()){
+                                               return authentication;
+                                       }
+                               }
+                       }
+                       if 
(rangerAuthenticationMethod.equalsIgnoreCase("ACTIVE_DIRECTORY")) {
+                               
authentication=getADBindAuthentication(authentication);
+                               if(authentication!=null && 
authentication.isAuthenticated()){
+                                       return authentication;
+                               }else{
+                                       
authentication=getADAuthentication(authentication);
+                                       if(authentication!=null && 
authentication.isAuthenticated()){
+                                               return authentication;
+                                       }
+                               }
+                       }
+                       if 
(rangerAuthenticationMethod.equalsIgnoreCase("UNIX")) {
+                               return getUnixAuthentication(authentication);
+                       }
+                       return null;
                }
-
                return null;
-
        }
 
        private Authentication getLdapAuthentication(Authentication 
authentication) {
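Review bot: In the LDAP branch, `authentication=getLdapAuthentication(authentication);` overwrites the incoming token before the fallback runs, and getLdapAuthentication returns null after an exception (its catch block further down in this file ends with `return null;`), so the fallback `getLdapBindAuthentication(null)` has no credentials and can only fail on `authentication.getName()`; the AD branch has the same shape whenever the first attempt returns null. Keep the original token in a local and pass it to the second attempt. The removed `equalsIgnoreCase("AD")` alias is still accepted by PropertiesUtil in this same commit, so a configuration that says `AD` now gets its bind password decrypted but never authenticates anyone; the alias should be restored. Because the helpers swallow AuthenticationException and this method then returns null, a wrong password and an unreachable directory are indistinguishable to the caller (a ProviderManager treats null as "not handled"), so letting the last attempt's BadCredentialsException propagate is worth considering.
```java
if (rangerAuthenticationMethod.equalsIgnoreCase("LDAP")) {
    Authentication result = getLdapAuthentication(authentication);
    if (result != null && result.isAuthenticated()) {
        return result;
    }
    // retry with the original token so the fallback still carries the credentials
    result = getLdapBindAuthentication(authentication);
    if (result != null && result.isAuthenticated()) {
        return result;
    }
}
if (rangerAuthenticationMethod.equalsIgnoreCase("ACTIVE_DIRECTORY")
        || rangerAuthenticationMethod.equalsIgnoreCase("AD")) {
    Authentication result = getADBindAuthentication(authentication);
    if (result != null && result.isAuthenticated()) {
        return result;
    }
    result = getADAuthentication(authentication);
    if (result != null && result.isAuthenticated()) {
        return result;
    }
}
// … unchanged: UNIX branch and the trailing return null …
```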
@@ -74,7 +92,7 @@ public class RangerAuthenticationProvider implements 
AuthenticationProvider {
                        String rangerLdapGroupRoleAttribute = 
PropertiesUtil.getProperty(
                                        "ranger.ldap.group.roleattribute", "");
                        String rangerLdapDefaultRole = 
PropertiesUtil.getProperty(
-                                       "ranger.ldap.default.role", "");
+                                       "ranger.ldap.default.role", 
"ROLE_USER");
 
                        // taking the user-name and password from the 
authentication
                        // object.
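Review bot: The default role literal `"ROLE_USER"` is now repeated as the fallback in getLdapAuthentication, getADAuthentication, getUnixAuthentication, getADBindAuthentication and getLdapBindAuthentication; a single `private static final String DEFAULT_ROLE = "ROLE_USER";` used in all five `PropertiesUtil.getProperty("ranger.ldap.default.role", …)` calls keeps them from drifting. The surrounding method starts and ends outside the hunk.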
@@ -136,55 +154,58 @@ public class RangerAuthenticationProvider implements 
AuthenticationProvider {
                                return null;
                        }
                } catch (Exception e) {
-                       e.printStackTrace();
+                       logger.error("LDAP Authentication 
Failed:"+e.getMessage());
                }
                return null;
        }
 
        public Authentication getADAuthentication(Authentication 
authentication) {
+               try{
+                       String rangerADURL = 
PropertiesUtil.getProperty("ranger.ldap.ad.url",
+                                       "");
+                       String rangerADDomain = PropertiesUtil.getProperty(
+                                       "ranger.ldap.ad.domain", "");
+                       String rangerLdapDefaultRole = 
PropertiesUtil.getProperty(
+                                       "ranger.ldap.default.role", 
"ROLE_USER");
 
-               String rangerADURL = 
PropertiesUtil.getProperty("ranger.ldap.ad.url",
-                               "");
-               String rangerADDomain = PropertiesUtil.getProperty(
-                               "ranger.ldap.ad.domain", "");
-               String rangerLdapDefaultRole = PropertiesUtil.getProperty(
-                               "ranger.ldap.default.role", "");
-
-               ActiveDirectoryLdapAuthenticationProvider 
adAuthenticationProvider = new ActiveDirectoryLdapAuthenticationProvider(
-                               rangerADDomain, rangerADURL);
-               
adAuthenticationProvider.setConvertSubErrorCodesToExceptions(true);
-               
adAuthenticationProvider.setUseAuthenticationRequestCredentials(true);
-
-               // Grab the user-name and password out of the authentication 
object.
-               String userName = authentication.getName();
-               String userPassword = "";
-               if (authentication.getCredentials() != null) {
-                       userPassword = 
authentication.getCredentials().toString();
-               }
+                       ActiveDirectoryLdapAuthenticationProvider 
adAuthenticationProvider = new ActiveDirectoryLdapAuthenticationProvider(
+                                       rangerADDomain, rangerADURL);
+                       
adAuthenticationProvider.setConvertSubErrorCodesToExceptions(true);
+                       
adAuthenticationProvider.setUseAuthenticationRequestCredentials(true);
 
-               // getting user authenticated
-               if (userName != null && userPassword != null
-                               && !userName.trim().isEmpty() && 
!userPassword.trim().isEmpty()) {
-                       final List<GrantedAuthority> grantedAuths = new 
ArrayList<>();
-                       grantedAuths.add(new 
SimpleGrantedAuthority(rangerLdapDefaultRole));
-                       final UserDetails principal = new User(userName, 
userPassword,
-                                       grantedAuths);
-                       final Authentication finalAuthentication = new 
UsernamePasswordAuthenticationToken(
-                                       principal, userPassword, grantedAuths);
-                       authentication = adAuthenticationProvider
-                                       .authenticate(finalAuthentication);
-                       return authentication;
-               } else {
-                       return null;
-               }
+                       // Grab the user-name and password out of the 
authentication object.
+                       String userName = authentication.getName();
+                       String userPassword = "";
+                       if (authentication.getCredentials() != null) {
+                               userPassword = 
authentication.getCredentials().toString();
+                       }
 
+                       // getting user authenticated
+                       if (userName != null && userPassword != null
+                                       && !userName.trim().isEmpty() && 
!userPassword.trim().isEmpty()) {
+                               final List<GrantedAuthority> grantedAuths = new 
ArrayList<>();
+                               grantedAuths.add(new 
SimpleGrantedAuthority(rangerLdapDefaultRole));
+                               final UserDetails principal = new 
User(userName, userPassword,
+                                               grantedAuths);
+                               final Authentication finalAuthentication = new 
UsernamePasswordAuthenticationToken(
+                                               principal, userPassword, 
grantedAuths);
+                               authentication = adAuthenticationProvider
+                                               
.authenticate(finalAuthentication);
+                               return authentication;
+                       } else {
+                               return null;
+                       }
+               }catch (Exception e) {
+                       logger.error("AD Authentication 
Failed:"+e.getMessage());
+               }
+               return authentication;
        }
 
        public Authentication getUnixAuthentication(Authentication 
authentication) {
 
                try {
                        String rangerLdapDefaultRole = 
PropertiesUtil.getProperty(
-                                       "ranger.ldap.default.role", "");
+                                       "ranger.ldap.default.role", 
"ROLE_USER");
                        DefaultJaasAuthenticationProvider 
jaasAuthenticationProvider = new DefaultJaasAuthenticationProvider();
                        String loginModuleName = 
"org.apache.ranger.authentication.unix.jaas.RemoteUnixLoginModule";
                        LoginModuleControlFlag controlFlag = 
LoginModuleControlFlag.REQUIRED;
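Review bot: The new `catch (Exception e)` in getADAuthentication logs only `e.getMessage()` and then returns the incoming, unauthenticated token, so the reason for the failure — a bad password, one of the account-state conditions that `setConvertSubErrorCodesToExceptions(true)` turns into specific exceptions, or an unreachable server — is reduced to a one-line message with no stack trace, and the caller cannot tell them apart. Log the throwable, `logger.error("AD Authentication Failed:" + e.getMessage(), e);`, and consider letting AuthenticationException subclasses propagate instead of swallowing them. The same pattern is in the getLdapAuthentication and getUnixAuthentication catch blocks in this file and in the two new bind methods in the last hunk. getUnixAuthentication continues outside the hunk.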
@@ -233,23 +254,13 @@ public class RangerAuthenticationProvider implements 
AuthenticationProvider {
                                return null;
                        }
                } catch (Exception e) {
-                       e.printStackTrace();
+                       logger.error("Unix Authentication 
Failed:"+e.getMessage());
                }
 
                return authentication;
        }
 
        @Override
-       public Authentication authenticate(Authentication authentication)
-                       throws AuthenticationException {
-               if (authentication != null) {
-                       return initializeAuthenticationHandler(authentication);
-               }
-
-               return null;
-       }
-
-       @Override
        public boolean supports(Class<?> authentication) {
                return 
authentication.equals(UsernamePasswordAuthenticationToken.class);
        }
@@ -269,4 +280,115 @@ public class RangerAuthenticationProvider implements 
AuthenticationProvider {
        public void setAuthenticator(LdapAuthenticator authenticator) {
                this.authenticator = authenticator;
        }
-}
+
+       private Authentication getADBindAuthentication(Authentication 
authentication) {
+               try {
+                       String rangerADURL = 
PropertiesUtil.getProperty("ranger.ldap.ad.url", "");
+                       String rangerLdapADBase = 
PropertiesUtil.getProperty("ranger.ldap.ad.base.dn", "");
+                       String rangerADBindDN = 
PropertiesUtil.getProperty("ranger.ldap.ad.bind.dn", "");
+                       String rangerADBindPassword = 
PropertiesUtil.getProperty("ranger.ldap.ad.bind.password", "");
+                       String rangerLdapDefaultRole = 
PropertiesUtil.getProperty("ranger.ldap.default.role", "ROLE_USER");
+
+                       String userName = authentication.getName();
+                       String userPassword = "";
+                       if (authentication.getCredentials() != null) {
+                               userPassword = 
authentication.getCredentials().toString();
+                       }
+
+                       LdapContextSource ldapContextSource = new 
DefaultSpringSecurityContextSource(rangerADURL);
+                       ldapContextSource.setUserDn(rangerADBindDN);
+                       ldapContextSource.setPassword(rangerADBindPassword);
+                       ldapContextSource.setReferral("follow");
+                       ldapContextSource.setCacheEnvironmentProperties(true);
+                       ldapContextSource.setAnonymousReadOnly(false);
+                       ldapContextSource.setPooled(true);
+                       ldapContextSource.afterPropertiesSet();
+
+                       String searchFilter="(sAMAccountName={0})";
+                       FilterBasedLdapUserSearch userSearch=new 
FilterBasedLdapUserSearch(rangerLdapADBase, searchFilter,ldapContextSource);
+                       userSearch.setSearchSubtree(true);
+
+                       BindAuthenticator bindAuthenticator = new 
BindAuthenticator(ldapContextSource);
+                       bindAuthenticator.setUserSearch(userSearch);
+                       bindAuthenticator.afterPropertiesSet();
+
+                       LdapAuthenticationProvider ldapAuthenticationProvider = 
new LdapAuthenticationProvider(bindAuthenticator);
+
+                       if (userName != null && userPassword != null && 
!userName.trim().isEmpty() && !userPassword.trim().isEmpty()) {
+                               final List<GrantedAuthority> grantedAuths = new 
ArrayList<>();
+                               grantedAuths.add(new 
SimpleGrantedAuthority(rangerLdapDefaultRole));
+                               final UserDetails principal = new 
User(userName, userPassword,grantedAuths);
+                               final Authentication finalAuthentication = new 
UsernamePasswordAuthenticationToken(principal, userPassword, grantedAuths);
+
+                               authentication = 
ldapAuthenticationProvider.authenticate(finalAuthentication);
+                               return authentication;
+                       } else {
+                               return null;
+                       }
+               } catch (Exception e) {
+                       logger.error("AD Authentication 
Failed:"+e.getMessage());
+               }
+               return authentication;
+       }
+
+       private Authentication getLdapBindAuthentication(Authentication 
authentication) {
+               try {
+                       String rangerLdapURL = 
PropertiesUtil.getProperty("ranger.ldap.url", "");
+                       String rangerLdapUserDNPattern = 
PropertiesUtil.getProperty("ranger.ldap.user.dnpattern", "");
+                       String rangerLdapGroupSearchBase = 
PropertiesUtil.getProperty("ranger.ldap.group.searchbase", "");
+                       String rangerLdapGroupSearchFilter = 
PropertiesUtil.getProperty("ranger.ldap.group.searchfilter", "");
+                       String rangerLdapGroupRoleAttribute = 
PropertiesUtil.getProperty("ranger.ldap.group.roleattribute", "");
+                       String rangerLdapDefaultRole = 
PropertiesUtil.getProperty("ranger.ldap.default.role", "ROLE_USER");
+                       String rangerLdapBase = 
PropertiesUtil.getProperty("ranger.ldap.base.dn", "");
+                       String rangerLdapBindDN = 
PropertiesUtil.getProperty("ranger.ldap.bind.dn", "");
+                       String rangerLdapBindPassword = 
PropertiesUtil.getProperty("ranger.ldap.bind.password", "");
+
+                       String userName = authentication.getName();
+                       String userPassword = "";
+                       if (authentication.getCredentials() != null) {
+                               userPassword = 
authentication.getCredentials().toString();
+                       }
+
+                       LdapContextSource ldapContextSource = new 
DefaultSpringSecurityContextSource(rangerLdapURL);
+                       ldapContextSource.setUserDn(rangerLdapBindDN);
+                       ldapContextSource.setPassword(rangerLdapBindPassword);
+                       ldapContextSource.setReferral("follow");
+                       ldapContextSource.setCacheEnvironmentProperties(false);
+                       ldapContextSource.setAnonymousReadOnly(true);
+                       ldapContextSource.setPooled(true);
+                       ldapContextSource.afterPropertiesSet();
+
+                       DefaultLdapAuthoritiesPopulator 
defaultLdapAuthoritiesPopulator = new 
DefaultLdapAuthoritiesPopulator(ldapContextSource, rangerLdapGroupSearchBase);
+                       
defaultLdapAuthoritiesPopulator.setGroupRoleAttribute(rangerLdapGroupRoleAttribute);
+                       
defaultLdapAuthoritiesPopulator.setGroupSearchFilter(rangerLdapGroupSearchFilter);
+                       
defaultLdapAuthoritiesPopulator.setIgnorePartialResultException(true);
+
+                       String searchFilter="(uid={0})";
+                       FilterBasedLdapUserSearch userSearch=new 
FilterBasedLdapUserSearch(rangerLdapBase, searchFilter,ldapContextSource);
+                       userSearch.setSearchSubtree(true);
+
+                       BindAuthenticator bindAuthenticator = new 
BindAuthenticator(ldapContextSource);
+                       bindAuthenticator.setUserSearch(userSearch);
+                       String[] userDnPatterns = new String[] { 
rangerLdapUserDNPattern };
+                       bindAuthenticator.setUserDnPatterns(userDnPatterns);
+                       bindAuthenticator.afterPropertiesSet();
+
+                       LdapAuthenticationProvider ldapAuthenticationProvider = 
new 
LdapAuthenticationProvider(bindAuthenticator,defaultLdapAuthoritiesPopulator);
+
+                       if (userName != null && userPassword != null && 
!userName.trim().isEmpty()&& !userPassword.trim().isEmpty()) {
+                               final List<GrantedAuthority> grantedAuths = new 
ArrayList<>();
+                               grantedAuths.add(new 
SimpleGrantedAuthority(rangerLdapDefaultRole));
+                               final UserDetails principal = new 
User(userName, userPassword,grantedAuths);
+                               final Authentication finalAuthentication = new 
UsernamePasswordAuthenticationToken(principal, userPassword, grantedAuths);
+
+                               authentication = 
ldapAuthenticationProvider.authenticate(finalAuthentication);
+                               return authentication;
+                       } else {
+                               return null;
+                       }
+               } catch (Exception e) {
+                       logger.error("LDAP Authentication 
Failed:"+e.getMessage());
+               }
+               return authentication;
+       }
+}
\ No newline at end of file
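Review bot: getLdapBindAuthentication calls `ldapContextSource.setAnonymousReadOnly(true);` right after configuring the bind DN and password, whereas getADBindAuthentication uses false; as far as Spring LDAP's context source is concerned, anonymousReadOnly makes read operations such as the FilterBasedLdapUserSearch run without the configured credentials, so the bind DN just read from `ranger.ldap.bind.dn` would not be used for the lookup — if it is meant to be used, this should be `ldapContextSource.setAnonymousReadOnly(false);` as in the AD variant. Both methods build, initialise and pool a fresh context source, user search and authenticator on every login before checking that the user name and password are non-empty; moving the empty check to the top of the try block avoids that work for empty submissions, and creating the provider once would make `setPooled(true)` meaningful. The search attributes `sAMAccountName` and `uid` are hard-coded in the filters; deployments that identify users by another attribute cannot configure it, so a property for the attribute name is worth considering. When `ranger.ldap.user.dnpattern` is empty the pattern array still contains one empty string; whether BindAuthenticator tolerates that is not visible here, so guarding the `setUserDnPatterns` call on a non-empty pattern is safer.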

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/51184bb8/security-admin/src/main/resources/conf.dist/ranger-admin-default-site.xml
----------------------------------------------------------------------
diff --git 
a/security-admin/src/main/resources/conf.dist/ranger-admin-default-site.xml 
b/security-admin/src/main/resources/conf.dist/ranger-admin-default-site.xml
index 7587076..571d2a1 100644
--- a/security-admin/src/main/resources/conf.dist/ranger-admin-default-site.xml
+++ b/security-admin/src/main/resources/conf.dist/ranger-admin-default-site.xml
@@ -395,6 +395,14 @@
                <value>ranger.auditdb.password</value>
                <description></description>
        </property>
-
-
+       <property>
+               <name>ranger.ldap.binddn.credential.alias</name>
+               <value>ranger.ldap.binddn.password</value>
+               <description></description>
+       </property>
+       <property>
+               <name>ranger.ldap.ad.binddn.credential.alias</name>
+               <value>ranger.ad.binddn.password</value>
+               <description></description>
+       </property>
 </configuration>
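Review bot: Both new credential-alias properties ship with an empty `<description>`, so a reader of conf.dist cannot tell that the value is a key looked up in the credential provider rather than the bind password itself; suggest `<description>Alias under which the LDAP bind DN password is stored in the credential provider (not the password itself)</description>` and the matching wording for the AD entry. The two alias values are also named inconsistently — `ranger.ldap.binddn.password` carries an `ldap.` segment while `ranger.ad.binddn.password` does not — which is harmless on its own but easy to mistype wherever the keystore entries are provisioned (setup.sh appears in the diffstat but is not visible here); settling on one naming pattern before these reach installed deployments would avoid a silent mismatch between the alias configured and the alias created.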

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/51184bb8/security-admin/src/main/resources/conf.dist/ranger-admin-site.xml
----------------------------------------------------------------------
diff --git a/security-admin/src/main/resources/conf.dist/ranger-admin-site.xml 
b/security-admin/src/main/resources/conf.dist/ranger-admin-site.xml
index c55cf47..dab2067 100644
--- a/security-admin/src/main/resources/conf.dist/ranger-admin-site.xml
+++ b/security-admin/src/main/resources/conf.dist/ranger-admin-site.xml
@@ -113,12 +113,27 @@
                <description></description>
        </property>
        <property>
+               <name>ranger.ldap.base.dn</name>
+               <value></value>
+               <description>LDAP base dn or search base</description>
+       </property>
+       <property>
+               <name>ranger.ldap.bind.dn</name>
+               <value></value>
+               <description>LDAP bind dn or manager dn</description>
+       </property>
+       <property>
+               <name>ranger.ldap.bind.password</name>
+               <value></value>
+               <description>LDAP bind password</description>
+       </property>
+       <property>
                <name>ranger.ldap.default.role</name>
                <value>ROLE_USER</value>
        </property>
        <property>
                <name>ranger.ldap.ad.domain</name>
-               <value>freestone.local</value>
+               <value>example.com</value>
                <description></description>
        </property>
        <property>
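Review bot: `ranger.ldap.bind.password` is introduced here as a plain-text value in ranger-admin-site.xml while the companion hunk in ranger-admin-default-site.xml adds a credential-provider alias for the same secret, and nothing in the description says which source takes precedence or that the plain-text value is expected to stay empty when the alias is used. If the lookup does fall back from the credential provider to this property (I cannot see PropertiesUtil from this hunk, so please confirm), the description should say so, e.g. `<description>LDAP bind password; prefer storing it in the credential provider under the alias ranger.ldap.binddn.credential.alias and leaving this empty</description>`. The same point applies to `ranger.ldap.ad.bind.password` in the next hunk of this file.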
@@ -128,6 +143,22 @@
        </property>
 
        <property>
+               <name>ranger.ldap.ad.base.dn</name>
+               <value>dc=example,dc=com</value>
+               <description>AD base dn or search base</description>
+       </property>
+       <property>
+               <name>ranger.ldap.ad.bind.dn</name>
+               <value>cn=administrator,ou=users,dc=example,dc=com</value>
+               <description>AD bind dn or manager dn</description>
+       </property>
+       <property>
+               <name>ranger.ldap.ad.bind.password</name>
+               <value></value>
+               <description>AD bind password</description>
+       </property>
+
+       <property>
                <name>ranger.service.https.attrib.ssl.enabled</name>
                <value>false</value>
        </property>
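Review bot: The shipped default for `ranger.ldap.ad.bind.dn` is `cn=administrator,ou=users,dc=example,dc=com`, which steers operators toward binding with a domain administrator account when a read-only service account with search rights on the base DN is all a user lookup needs; a least-privilege placeholder (for example, a constructed `cn=ranger-svc,ou=service-accounts,dc=example,dc=com`) plus a description that states the expectation would be safer, e.g. `<description>AD bind dn or manager dn; use a read-only service account with search rights on the base dn, not an administrator</description>`. The `ranger.ldap.ad.base.dn` default of `dc=example,dc=com` is a reasonable placeholder but its description should say it is an example that must be replaced, since it will not match any real deployment.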
