smolnar82 opened a new pull request, #1275:
URL: https://github.com/apache/knox/pull/1275
[KNOX-3358](https://issues.apache.org/jira/browse/KNOX-3358) - Support configurable bind credentials for the embedded Knox LDAP service
## What changes were proposed in this pull request?
The embedded Knox LDAP service (`KnoxLDAPService` /
`KnoxLDAPServerManager`) called
`directoryService.setAllowAnonymousAccess(true)` unconditionally, so any client
could query the server with no credentials:
```
$ ldapsearch -x -H ldap://localhost:33390 -b "" "(uid=admin)" cn mail memberOf
```
succeeds with no `-D` / `-W`.
This PR lets operators put the embedded server behind a bind user:
- **`gateway.ldap.bind.user`** (new `gateway-site.xml` property) — the
full bind DN clients must authenticate as (e.g.
`uid=knox,ou=people,dc=hadoop,dc=apache,dc=org`).
- **`gateway.ldap.bind.password`** (credential store alias) — the bind
password, resolved from the gateway credential store via `AliasService` rather
than stored in plaintext.
Behavior:
- When a bind user is configured **and** the `gateway.ldap.bind.password`
alias resolves to a non-blank value, anonymous access is disabled and a bind
entry (`inetOrgPerson`) is created for the configured DN via the privileged
admin session. Clients **must** then bind with those credentials.
- Otherwise (the default), anonymous access remains enabled exactly as
before — fully backward compatible.
The bind DN's parent container must already exist: the server auto-creates
`ou=people,{base.dn}` and `ou=groups,{base.dn}` (and `ou=system` always
exists), so the bind DN must sit under one of those.
Changes:
- `GatewayConfig` / `GatewayConfigImpl` / `GatewayTestConfig`: new
`gateway.ldap.bind.user` property and `getLDAPBindUser()` getter.
- `KnoxLDAPService`: gains an `AliasService` dependency
(`setAliasService(...)`), injected by `LdapServiceFactory`, and passes it to
the server manager.
- `KnoxLDAPServerManager`: reads the bind user from config and the bind
password from the `gateway.ldap.bind.password` gateway alias; conditionally
disables anonymous access; new `createBindUser(...)` adds the bind entry.
- `LdapMessages`: new INFO log emitted when bind enforcement is enabled.
- Docs: `knox-site/docs/service_ldap_server.md` — new "Bind Credentials"
section (including the base DN ↔ bind DN relationship and a worked example)
plus an updated _Anonymous Access_ note.
## How was this patch tested?
- Added unit tests in `KnoxLDAPServerManagerTest` that start a real
embedded server and use `LdapNetworkConnection` (with a mocked `AliasService`
resolving the bind password) to verify:
- anonymous bind is rejected when bind credentials are configured;
- binding with the configured DN/password succeeds and can search;
- binding with a wrong password is rejected
(`LdapAuthenticationException`);
- anonymous access still works when no bind credentials are configured
(backward compat).
- Updated `KnoxLDAPServiceTest` for the new `AliasService` dependency and
the `getLDAPBindUser()` lookup.
- `mvn -pl gateway-server test -Dtest=KnoxLDAPServerManagerTest,KnoxLDAPServiceTest` → BUILD SUCCESS, 25 tests pass; Checkstyle and PMD clean.
- Manual end-to-end with `gateway.ldap.enabled=true`,
`gateway.ldap.port=33390`,
`gateway.ldap.base.dn=dc=hadoop,dc=apache,dc=org`,
`gateway.ldap.bind.user=uid=knox,ou=people,dc=hadoop,dc=apache,dc=org`,
and the
`gateway.ldap.bind.password` alias created via
`knoxcli.sh create-alias gateway.ldap.bind.password --value <password>`:
  - `ldapsearch -x -H ldap://localhost:33390 -b "" "(uid=admin)" cn` → fails (anonymous denied)
  - `ldapsearch -x -H ldap://localhost:33390 -D "uid=knox,ou=people,dc=hadoop,dc=apache,dc=org" -w <password> -b "" "(uid=admin)" cn mail memberOf` → succeeds
## Integration Tests
No new workflow integration tests were added; the feature is covered by the
unit tests above, which exercise a real embedded LDAP server over a live socket
(bind + search).
## UI changes
N/A
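An added example, not part of this PR or of the Knox code base: a standard-library-only Python probe that hand-encodes the LDAP simple bind from RFC 4511 and decodes the BindResponse result code. It gives an operator a dependency-free way to confirm the behaviour described above, namely that the embedded server answers an anonymous bind with `success` in the default configuration and with a non-zero result once `gateway.ldap.bind.user` and the `gateway.ldap.bind.password` alias are set. Host, port, DN and password are assumptions supplied by the caller; the exact non-success code ApacheDS returns is reported as observed rather than assumed.

```python
import socket

# RFC 4511 result codes relevant to a bind; others are reported by number.
RESULT_CODES = {
    0: "success",
    7: "authMethodNotSupported",
    8: "strongerAuthRequired",
    48: "inappropriateAuthentication",
    49: "invalidCredentials",
    50: "insufficientAccessRights",
    53: "unwillingToPerform",
}


def ber_len(n: int) -> bytes:
    """BER definite-form length: one byte below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, body: bytes) -> bytes:
    """One BER tag-length-value element."""
    return bytes([tag]) + ber_len(len(body)) + body


def build_bind_request(msg_id: int, dn: str = "", password: str = "") -> bytes:
    """LDAPMessage { messageID, BindRequest { version 3, name, simple } }.

    Empty dn and password give an anonymous simple bind, which is what
    `ldapsearch -x` sends when no -D/-w is given. msg_id is kept below 128
    so the INTEGER fits in one byte (an assumption of this probe).
    """
    if not 0 < msg_id < 0x80:
        raise ValueError("msg_id must be 1..127")
    bind = (
        tlv(0x02, b"\x03")              # version INTEGER 3
        + tlv(0x04, dn.encode())        # name LDAPDN
        + tlv(0x80, password.encode())  # authentication: simple [0]
    )
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + tlv(0x60, bind))


def _read_tlv(buf: bytes, pos: int):
    """Decode the BER element at pos; returns (tag, value, next_pos)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length


def parse_bind_response(data: bytes) -> dict:
    """Decode LDAPMessage { messageID, BindResponse [APPLICATION 1] }."""
    tag, msg, _ = _read_tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    tag, mid, pos = _read_tlv(msg, 0)
    if tag != 0x02:
        raise ValueError("missing messageID")
    tag, op, _ = _read_tlv(msg, pos)
    if tag != 0x61:
        raise ValueError(f"expected BindResponse (0x61), got 0x{tag:02x}")
    _, rc, pos = _read_tlv(op, 0)       # resultCode ENUMERATED
    _, _dn, pos = _read_tlv(op, pos)    # matchedDN (ignored)
    _, diag, _ = _read_tlv(op, pos)     # diagnosticMessage
    code = int.from_bytes(rc, "big")
    return {
        "message_id": int.from_bytes(mid, "big"),
        "result_code": code,
        "result": RESULT_CODES.get(code, f"code {code}"),
        "diagnostic": diag.decode("utf-8", errors="replace"),
    }


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection mid-message")
        buf += chunk
    return buf


def _recv_message(sock: socket.socket) -> bytes:
    """Read exactly one BER SEQUENCE: header first, then the declared body."""
    head = _recv_exact(sock, 2)
    if head[1] & 0x80:
        head += _recv_exact(sock, head[1] & 0x7F)
        length = int.from_bytes(head[2:], "big")
    else:
        length = head[1]
    return head + _recv_exact(sock, length)


def probe_bind(host: str, port: int, dn: str = "", password: str = "",
               timeout: float = 5.0) -> dict:
    """Send one simple bind and return the decoded BindResponse."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_bind_request(1, dn, password))
        return parse_bind_response(_recv_message(sock))


def anonymous_bind_allowed(host: str, port: int) -> bool:
    """True when the server accepts a bind with no DN and no password."""
    return probe_bind(host, port)["result_code"] == 0


if __name__ == "__main__":
    import sys
    # Usage: python probe.py localhost 33390  (host/port are assumptions)
    r = probe_bind(sys.argv[1], int(sys.argv[2]))
    print(f"anonymous bind -> {r['result']} ({r['diagnostic'] or 'no diagnostic'})")
```

Run it against the embedded server before and after setting the bind user and alias: the default configuration should report `success` for the anonymous bind, and the bind-enforced configuration should report a non-zero code. The probe does no search and never retries, so it is safe to wire into a post-deployment check.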
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]