Andre Araujo created RANGER-3574:
------------------------------------
Summary: Group-role mapping in Ranger Admin doesn't work
Key: RANGER-3574
URL: https://issues.apache.org/jira/browse/RANGER-3574
Project: Ranger
Issue Type: Bug
Components: admin
Reporter: Andre Araujo
The intent of the Ranger Admin properties {{ranger.ldap.group.searchbase}},
{{ranger.ldap.group.searchfilter}} and {{ranger.ldap.group.roleattribute}} is
to provide a mechanism to map the user's LDAP groups to Ranger roles
dynamically. For example, if the user belongs to the LDAP group
{{sys_admin}}, it will automatically be assigned to the {{ROLE_SYS_ADMIN}}
role in Ranger.
The
[{{RangerAuthenticationProvider.getLdapAuthentication()}}|https://github.com/apache/ranger/blob/e9b1e1d5f2009e90c6bbf912d5039bdafe319a5c/security-admin/src/main/java/org/apache/ranger/security/handler/RangerAuthenticationProvider.java#L185]
and
[{{RangerAuthenticationProvider.getLdapBindAuthentication()}}|https://github.com/apache/ranger/blob/e9b1e1d5f2009e90c6bbf912d5039bdafe319a5c/security-admin/src/main/java/org/apache/ranger/security/handler/RangerAuthenticationProvider.java#L512]
methods define the parameters above and use them to correctly configure a
{{DefaultLdapAuthoritiesPopulator}}.
The configured populator, though, is never used to fetch the
{{GrantedAuthorities}} from LDAP. The [{{getAuthorities()}}
method|https://github.com/apache/ranger/blob/e9b1e1d5f2009e90c6bbf912d5039bdafe319a5c/security-admin/src/main/java/org/apache/ranger/security/handler/RangerAuthenticationProvider.java#L639-L646]
simply returns the roles assigned in Ranger and completely ignores the
populator configured previously.
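
An added example, not part of the issue or of Ranger's code: a check an administrator could run to list the roles a user would be expected to receive from LDAP groups but does not hold in Ranger. It assumes the three properties live in a Hadoop-style XML site file and that group names map to roles as in the issue's sys_admin example; the sample XML, groups and roles are constructed.

```python
import xml.etree.ElementTree as ET

# Property names taken from the issue text.
GROUP_PROPS = (
    "ranger.ldap.group.searchbase",
    "ranger.ldap.group.searchfilter",
    "ranger.ldap.group.roleattribute",
)

# Constructed sample; the <configuration>/<property> layout is an assumption.
SAMPLE_SITE_XML = """<configuration>
  <property><name>ranger.ldap.group.searchbase</name><value>ou=groups,dc=example,dc=com</value></property>
  <property><name>ranger.ldap.group.searchfilter</name><value>(member={0})</value></property>
  <property><name>ranger.ldap.group.roleattribute</name><value>cn</value></property>
</configuration>"""


def load_group_props(xml_text):
    """Return the group-mapping properties that are set to a non-empty value."""
    found = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        value = (prop.findtext("value") or "").strip()
        if name in GROUP_PROPS and value:
            found[name] = value
    return found


def role_for_group(group):
    """Mapping shown in the issue: sys_admin -> ROLE_SYS_ADMIN."""
    return "ROLE_" + group.strip().upper()


def missing_roles(xml_text, ldap_groups, ranger_roles):
    """Roles expected from the user's LDAP groups that the user does not hold,
    given that only the roles assigned in Ranger are returned (per the issue)."""
    if not load_group_props(xml_text):
        return set()  # mapping not configured, so nothing is expected from LDAP
    expected = {role_for_group(g) for g in ldap_groups}
    return expected - set(ranger_roles)


if __name__ == "__main__":
    # Constructed user: member of sys_admin in LDAP, plain user in Ranger.
    print(sorted(missing_roles(SAMPLE_SITE_XML, ["sys_admin"], ["ROLE_USER"])))
```
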