RANGER-628 : Make filters for ranger-admin search binds configurable Signed-off-by: Velmurugan Periasamy <[email protected]>
Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/af8510a8 Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/af8510a8 Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/af8510a8 Branch: refs/heads/HDP-2.3.2-groupid Commit: af8510a87cce9245f7c3b57e74fc06221be0a74f Parents: af8ae45 Author: Gautam Borad <[email protected]> Authored: Mon Aug 31 15:34:09 2015 +0530 Committer: Velmurugan Periasamy <[email protected]> Committed: Sun Sep 6 23:48:19 2015 -0400 ---------------------------------------------------------------------- security-admin/scripts/install.properties | 6 +++++- security-admin/scripts/setup.sh | 8 ++++++++ .../handler/RangerAuthenticationProvider.java | 18 +++++++++++++----- .../resources/conf.dist/ranger-admin-site.xml | 10 ++++++++++ 4 files changed, 36 insertions(+), 6 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/af8510a8/security-admin/scripts/install.properties ----------------------------------------------------------------------
diff --git a/security-admin/scripts/install.properties b/security-admin/scripts/install.properties
index 4618ee3..eb0c7ec 100644
--- a/security-admin/scripts/install.properties
+++ b/security-admin/scripts/install.properties
@@ -47,7 +47,7 @@ SQL_CONNECTOR_JAR=/usr/share/java/mysql-connector-java.jar
 # DB password for the DB admin user-id
 # **************************************************************************
 # ** If the password is left empty or not-defined here,
-# ** it will be prompted to enter the password during installation process
+# ** it will try with blank password during installation process
 # **************************************************************************
 #
 #db_root_user=root|SYS|postgres|sa|dba
@@ -138,6 +138,7 @@ authServicePort=5151 #xa_ldap_bind_dn="cn=admin,ou=users,dc=xasecure,dc=net" #xa_ldap_bind_password= #xa_ldap_referral=follow|ignore +#xa_ldap_userSearchFilter="(uid={0})" xa_ldap_url= xa_ldap_userDNpattern=
@@ -148,6 +149,7 @@ xa_ldap_base_dn=
 xa_ldap_bind_dn=
 xa_ldap_bind_password=
 xa_ldap_referral=
+xa_ldap_userSearchFilter=
 ####ACTIVE_DIRECTORY settings - Required only if have selected AD authentication ####
 #
 # Sample Settings
@@ -158,6 +160,7 @@ xa_ldap_referral= #xa_ldap_ad_bind_dn="cn=administrator,ou=users,dc=xasecure,dc=net" #xa_ldap_ad_bind_password= #xa_ldap_ad_referral=follow|ignore +#xa_ldap_ad_userSearchFilter="(sAMAccountName={0})" xa_ldap_ad_domain= xa_ldap_ad_url=
@@ -165,6 +168,7 @@ xa_ldap_ad_base_dn= xa_ldap_ad_bind_dn= xa_ldap_ad_bind_password= xa_ldap_ad_referral= +xa_ldap_ad_userSearchFilter= # ----------------------------------------------------------- #
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/af8510a8/security-admin/scripts/setup.sh ----------------------------------------------------------------------
diff --git a/security-admin/scripts/setup.sh b/security-admin/scripts/setup.sh
index e0b14c5..bae6298 100755
--- a/security-admin/scripts/setup.sh
+++ b/security-admin/scripts/setup.sh
@@ -1330,6 +1330,10 @@ do_authentication_setup(){ newPropertyValue="${xa_ldap_referral}" updatePropertyToFilePy $propertyName $newPropertyValue $ldap_file + propertyName=ranger.ldap.user.searchfilter + newPropertyValue="${xa_ldap_userSearchFilter}" + updatePropertyToFilePy $propertyName $newPropertyValue $ldap_file + keystore="${cred_keystore_filename}" if [ "${keystore}" != "" ]
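Review bot: The new sample lines `#xa_ldap_userSearchFilter="(uid={0})"` and `#xa_ldap_ad_userSearchFilter="(sAMAccountName={0})"` in the hunks at @@ -138 and @@ -158 introduce a `{0}` placeholder that nothing in this file explains, so an operator writing a custom filter has to read RangerAuthenticationProvider to learn what it stands for. Add a comment beside each sample, e.g. `# {0} is replaced with the login name entered by the user; keep it in any custom filter`, once that is confirmed to be how the provider substitutes it (the Java defaults suggest so).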
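Review bot: The added `updatePropertyToFilePy $propertyName $newPropertyValue $ldap_file` passes the filter unquoted, so a value containing whitespace (for example `(|(uid={0}) (mail={0}))`) is word-split by the shell before the helper sees it, and what lands in `$ldap_file` is presumably truncated or mangled. The surrounding lines use the same unquoted form, but an LDAP filter is far more likely than a referral setting to contain such characters, so the new line should be `updatePropertyToFilePy "$propertyName" "$newPropertyValue" "$ldap_file"`. The same applies to the `ranger.ldap.ad.user.searchfilter` block in the hunk at @@ -1411. `do_authentication_setup` starts and ends outside the hunk.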
@@ -1411,6 +1415,10 @@ do_authentication_setup(){ newPropertyValue="${xa_ldap_ad_referral}" updatePropertyToFilePy $propertyName $newPropertyValue $ldap_file + propertyName=ranger.ldap.ad.user.searchfilter + newPropertyValue="${xa_ldap_ad_userSearchFilter}" + updatePropertyToFilePy $propertyName $newPropertyValue $ldap_file + keystore="${cred_keystore_filename}" if [ "${keystore}" != "" ]
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/af8510a8/security-admin/src/main/java/org/apache/ranger/security/handler/RangerAuthenticationProvider.java ----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/security/handler/RangerAuthenticationProvider.java b/security-admin/src/main/java/org/apache/ranger/security/handler/RangerAuthenticationProvider.java
index 1f1d957..abf4db4 100644
--- a/security-admin/src/main/java/org/apache/ranger/security/handler/RangerAuthenticationProvider.java
+++ b/security-admin/src/main/java/org/apache/ranger/security/handler/RangerAuthenticationProvider.java
@@ -363,6 +363,7 @@ public class RangerAuthenticationProvider implements AuthenticationProvider {
 String rangerADBindPassword = PropertiesUtil.getProperty("ranger.ldap.ad.bind.password", "");
 String rangerLdapDefaultRole = PropertiesUtil.getProperty("ranger.ldap.default.role", "ROLE_USER");
 String rangerLdapReferral = PropertiesUtil.getProperty("ranger.ldap.ad.referral", "follow");
+ String rangerLdapUserSearchFilter = PropertiesUtil.getProperty("ranger.ldap.ad.user.searchfilter", "(sAMAccountName={0})");
 String userName = authentication.getName();
 String userPassword = "";
 if (authentication.getCredentials() != null) {
@@ -378,8 +379,11 @@ public class RangerAuthenticationProvider implements AuthenticationProvider { ldapContextSource.setPooled(true); ldapContextSource.afterPropertiesSet(); - String searchFilter="(sAMAccountName={0})"; - FilterBasedLdapUserSearch userSearch=new FilterBasedLdapUserSearch(rangerLdapADBase, searchFilter,ldapContextSource); + //String searchFilter="(sAMAccountName={0})"; + if(rangerLdapUserSearchFilter==null||rangerLdapUserSearchFilter.trim().isEmpty()){ + rangerLdapUserSearchFilter="(sAMAccountName={0})"; + } + FilterBasedLdapUserSearch userSearch=new FilterBasedLdapUserSearch(rangerLdapADBase, rangerLdapUserSearchFilter,ldapContextSource); userSearch.setSearchSubtree(true); BindAuthenticator bindAuthenticator = new BindAuthenticator(ldapContextSource);
@@ -417,6 +421,7 @@ public class RangerAuthenticationProvider implements AuthenticationProvider {
 String rangerLdapBindDN = PropertiesUtil.getProperty("ranger.ldap.bind.dn", "");
 String rangerLdapBindPassword = PropertiesUtil.getProperty("ranger.ldap.bind.password", "");
 String rangerLdapReferral = PropertiesUtil.getProperty("ranger.ldap.referral", "follow");
+ String rangerLdapUserSearchFilter = PropertiesUtil.getProperty("ranger.ldap.user.searchfilter", "(uid={0})");
 String userName = authentication.getName();
 String userPassword = "";
 if (authentication.getCredentials() != null) {
@@ -428,7 +433,7 @@ public class RangerAuthenticationProvider implements AuthenticationProvider { ldapContextSource.setPassword(rangerLdapBindPassword); ldapContextSource.setReferral(rangerLdapReferral); ldapContextSource.setCacheEnvironmentProperties(false); - ldapContextSource.setAnonymousReadOnly(true); + ldapContextSource.setAnonymousReadOnly(false); ldapContextSource.setPooled(true); ldapContextSource.afterPropertiesSet();
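Review bot: The fallback `if(rangerLdapUserSearchFilter==null||rangerLdapUserSearchFilter.trim().isEmpty())` repeats the default already supplied to `PropertiesUtil.getProperty` in the hunk at @@ -363 and covers only the empty case: a configured value with surrounding whitespace or without a `{0}` placeholder is handed to `FilterBasedLdapUserSearch` as-is, so the login name would presumably not be bound into the search and the misconfiguration stays silent until logins fail or resolve to the wrong entry. Normalise and validate before use, e.g. `rangerLdapUserSearchFilter = rangerLdapUserSearchFilter.trim();` followed by `if (!rangerLdapUserSearchFilter.contains("{0}")) { rangerLdapUserSearchFilter = "(sAMAccountName={0})"; }`, logging a warning whenever the fallback is taken. The commented-out `//String searchFilter="(sAMAccountName={0})";` should be deleted rather than kept. The same applies to the `(uid={0})` block in the hunk at @@ -437; the enclosing method starts and ends outside the hunk.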
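Review bot: `ldapContextSource.setAnonymousReadOnly(false)` changes how the LDAP branch talks to the directory — the user search will presumably now bind with `ranger.ldap.bind.dn`/`ranger.ldap.bind.password` instead of an anonymous bind — yet neither the hunk nor the commit description says why, and deployments that left the bind DN empty because anonymous search worked may stop authenticating. Record the intent next to the call, e.g. `// user search binds with the configured bind DN; anonymous read-only search is no longer used`, and mention the behaviour change in the commit message. The enclosing method starts and ends outside the hunk.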
@@ -437,8 +442,11 @@ public class RangerAuthenticationProvider implements AuthenticationProvider { defaultLdapAuthoritiesPopulator.setGroupSearchFilter(rangerLdapGroupSearchFilter); defaultLdapAuthoritiesPopulator.setIgnorePartialResultException(true); - String searchFilter="(uid={0})"; - FilterBasedLdapUserSearch userSearch=new FilterBasedLdapUserSearch(rangerLdapBase, searchFilter,ldapContextSource); + //String searchFilter="(uid={0})"; + if(rangerLdapUserSearchFilter==null||rangerLdapUserSearchFilter.trim().isEmpty()){ + rangerLdapUserSearchFilter="(uid={0})"; + } + FilterBasedLdapUserSearch userSearch=new FilterBasedLdapUserSearch(rangerLdapBase, rangerLdapUserSearchFilter,ldapContextSource); userSearch.setSearchSubtree(true); BindAuthenticator bindAuthenticator = new BindAuthenticator(ldapContextSource);
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/af8510a8/security-admin/src/main/resources/conf.dist/ranger-admin-site.xml ----------------------------------------------------------------------
diff --git a/security-admin/src/main/resources/conf.dist/ranger-admin-site.xml b/security-admin/src/main/resources/conf.dist/ranger-admin-site.xml
index 822a507..6009693 100644
--- a/security-admin/src/main/resources/conf.dist/ranger-admin-site.xml
+++ b/security-admin/src/main/resources/conf.dist/ranger-admin-site.xml
@@ -217,4 +217,14 @@
 <value></value>
 <description></description>
 </property>
+ <property>
+ <name>ranger.ldap.user.searchfilter</name>
+ <value>(uid={0})</value>
+ <description></description>
+ </property>
+ <property>
+ <name>ranger.ldap.ad.user.searchfilter</name>
+ <value>(sAMAccountName={0})</value>
+ <description></description>
+ </property>
 </configuration>
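Review bot: Both new `<description></description>` elements are empty, so the shipped `ranger-admin-site.xml` says nothing about what `ranger.ldap.user.searchfilter` and `ranger.ldap.ad.user.searchfilter` expect or what `{0}` stands for. Fill them in, e.g. `<description>LDAP search filter used to locate the entry of the user logging in; {0} is replaced with the login name and must be present</description>`, adjusting the wording once the placeholder semantics are confirmed against RangerAuthenticationProvider.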
