[ https://issues.apache.org/jira/browse/RANGER-1615?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Rob Vesse updated RANGER-1615:
------------------------------
    Description: 
The {{LdapDeltaUserGroupBuilder}} constructs the LDAP filter in a way that is 
inconsistent with {{LdapUserGroupBuilder}} and generates a potentially invalid 
filter:

{noformat}
extendedGroupSearchFilter =  "(&"  + extendedGroupSearchFilter + "(|(" + 
groupMemberAttributeName + "={0})(" + groupMemberAttributeName + "={1})))";
{noformat}

Resulting in the following in the logs:

{noformat}
25 May 2017 04:23:11  INFO LdapDeltaUserGroupBuilder [UnixUserSyncThread] - 
LdapDeltaUserGroupBuilder initialization completed with --   
groupSearchEnabled: true,  groupSearchBase: [dc=local],  groupSearchScope: 2,  
groupObjectClass: posixGroup,  groupSearchFilter: ,  extendedGroupSearchFilter: 
(&null(|(memberUid={0})(memberUid={1}))),  extendedAllGroupsSearchFilter: null, 
 groupMemberAttributeName: memberUid,  groupNameAttribute: cn, 
groupSearchAttributes: [uSNChanged, memberUid, cn, modifytimestamp],  
groupUserMapSyncEnabled: false, groupSearchFirstEnabled: false, 
userSearchEnabled: false,  ldapReferral: ignore
{noformat}

NB - Various bits of the log line deleted for security purposes

Note the {{&null}} present in the filter

If you compare with how {{LdapUserGroupBuilder}} builds the filter it does the 
following first:

{noformat}
extendedGroupSearchFilter = "(objectclass=" + groupObjectClass + ")";
if (groupSearchFilter != null && !groupSearchFilter.trim().isEmpty()) {
    String customFilter = groupSearchFilter.trim();
    if (!customFilter.startsWith("(")) {
        customFilter = "(" + customFilter + ")";
    }
    extendedGroupSearchFilter = extendedGroupSearchFilter + customFilter;
}
extendedAllGroupsSearchFilter = "(&" + extendedGroupSearchFilter + ")";
if (!groupSearchFirstEnabled) {
    extendedGroupSearchFilter = "(&" + extendedGroupSearchFilter + "(|(" + groupMemberAttributeName + "={0})(" + groupMemberAttributeName + "={1})))";
}
{noformat}

  was:
The {{LdapDeltaUserGroupBuilder}} constructs the LDAP filter in a way that is 
inconsistent with {{LdapUserGroupBuilder}} and generates a potentially invalid 
filter:

{noformat}
extendedGroupSearchFilter =  "(&"  + extendedGroupSearchFilter + "(|(" + 
groupMemberAttributeName + "={0})(" + groupMemberAttributeName + "={1})))";
{noformat}

Resulting in the following in the logs:

{noformat}
25 May 2017 04:23:11  INFO LdapDeltaUserGroupBuilder [UnixUserSyncThread] - 
LdapDeltaUserGroupBuilder initialization completed with --   
groupSearchEnabled: true,  groupSearchBase: [dc=local],  groupSearchScope: 2,  
groupObjectClass: posixGroup,  groupSearchFilter: ,  extendedGroupSearchFilter: 
(&null(|(memberUid={0})(memberUid={1}))),  extendedAllGroupsSearchFilter: null, 
 groupMemberAttributeName: memberUid,  groupNameAttribute: cn, 
groupSearchAttributes: [uSNChanged, memberUid, cn, modifytimestamp],  
groupUserMapSyncEnabled: false, groupSearchFirstEnabled: false, 
userSearchEnabled: false,  ldapReferral: ignore
{noformat}

NB - Various bits of the log line deleted for security purposes

Note the {{&null}} present in the filter


> LdapUserGroupBuilder and LdapDeltaUserGroupBuilder build LDAP group filter 
> inconsistently
> -----------------------------------------------------------------------------------------
>
>                 Key: RANGER-1615
>                 URL: https://issues.apache.org/jira/browse/RANGER-1615
>             Project: Ranger
>          Issue Type: Bug
>          Components: usersync
>    Affects Versions: master
>            Reporter: Rob Vesse
>
> The {{LdapDeltaUserGroupBuilder}} constructs the LDAP filter in a way that is 
> inconsistent with {{LdapUserGroupBuilder}} and generates a potentially 
> invalid filter:
> {noformat}
> extendedGroupSearchFilter =  "(&"  + extendedGroupSearchFilter + "(|(" + 
> groupMemberAttributeName + "={0})(" + groupMemberAttributeName + "={1})))";
> {noformat}
> Resulting in the following in the logs:
> {noformat}
> 25 May 2017 04:23:11  INFO LdapDeltaUserGroupBuilder [UnixUserSyncThread] - 
> LdapDeltaUserGroupBuilder initialization completed with --   
> groupSearchEnabled: true,  groupSearchBase: [dc=local],  groupSearchScope: 2, 
>  groupObjectClass: posixGroup,  groupSearchFilter: ,  
> extendedGroupSearchFilter: (&null(|(memberUid={0})(memberUid={1}))),  
> extendedAllGroupsSearchFilter: null,  groupMemberAttributeName: memberUid,  
> groupNameAttribute: cn, groupSearchAttributes: [uSNChanged, memberUid, cn, 
> modifytimestamp],  groupUserMapSyncEnabled: false, groupSearchFirstEnabled: 
> false, userSearchEnabled: false,  ldapReferral: ignore
> {noformat}
> NB - Various bits of the log line deleted for security purposes
> Note the {{&null}} present in the filter
> If you compare with how {{LdapUserGroupBuilder}} builds the filter it does 
> the following first:
> {noformat}
> extendedGroupSearchFilter = "(objectclass=" + groupObjectClass + ")";
> if (groupSearchFilter != null && !groupSearchFilter.trim().isEmpty()) {
>     String customFilter = groupSearchFilter.trim();
>     if (!customFilter.startsWith("(")) {
>         customFilter = "(" + customFilter + ")";
>     }
>     extendedGroupSearchFilter = extendedGroupSearchFilter + customFilter;
> }
> extendedAllGroupsSearchFilter = "(&" + extendedGroupSearchFilter + ")";
> if (!groupSearchFirstEnabled) {
>     extendedGroupSearchFilter = "(&" + extendedGroupSearchFilter + "(|(" + groupMemberAttributeName + "={0})(" + groupMemberAttributeName + "={1})))";
> }
> {noformat}



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
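
Added example, not part of the original JIRA message and not Ranger's own code: it reproduces the `(&null(...))` filter from the log line by concatenating a null `String`, builds the filter in the order the `LdapUserGroupBuilder` excerpt uses, and runs a structural check over both. The class `GroupFilterExample` and the methods `buildGroupFilter` and `looksWellFormed` are hypothetical names; the check is a simplification that rejects the RFC 4526 forms `(&)` and `(|)`.

```java
public class GroupFilterExample {

    // Same order as the LdapUserGroupBuilder excerpt: objectclass clause first,
    // then the optional custom filter, then the member clause.
    static String buildGroupFilter(String groupObjectClass, String groupSearchFilter,
                                   String groupMemberAttributeName) {
        String filter = "(objectclass=" + groupObjectClass + ")";
        if (groupSearchFilter != null && !groupSearchFilter.trim().isEmpty()) {
            String custom = groupSearchFilter.trim();
            if (!custom.startsWith("(")) {
                custom = "(" + custom + ")";
            }
            filter += custom;
        }
        return "(&" + filter + "(|(" + groupMemberAttributeName + "={0})("
                + groupMemberAttributeName + "={1})))";
    }

    // Hypothetical structural check: parentheses balance, and an operator
    // (&, | or !) directly after "(" must itself be followed by "(".
    static boolean looksWellFormed(String f) {
        int depth = 0;
        for (int i = 0; i < f.length(); i++) {
            char c = f.charAt(i);
            if (c == '(') {
                depth++;
                char op = i + 1 < f.length() ? f.charAt(i + 1) : '\0';
                if ((op == '&' || op == '|' || op == '!')
                        && (i + 2 >= f.length() || f.charAt(i + 2) != '(')) {
                    return false;
                }
            } else if (c == ')' && --depth < 0) {
                return false;
            }
        }
        return depth == 0 && f.startsWith("(");
    }

    public static void main(String[] args) {
        // Null at concatenation time, as the log line on this page shows;
        // Java renders a null String reference as the text "null".
        String unset = null;
        String broken = "(&" + unset + "(|(memberUid={0})(memberUid={1})))";
        String fixed = buildGroupFilter("posixGroup", "", "memberUid");
        System.out.println(broken + " -> " + looksWellFormed(broken)); // false
        System.out.println(fixed + " -> " + looksWellFormed(fixed));   // true
    }
}
```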
