Yair Zaslavsky has uploaded a new change for review. Change subject: aaa: Added mapper usage ......................................................................
aaa: Added mapper usage Added usage of mappers - mapping from auth record after authn before performing authz Change-Id: Ib5ac853e9011bb6118796a4cd14c0b7425308f3b topic: AAA Signed-off-by: Yair Zaslavsky <[email protected]> --- M backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/AuthenticationProfile.java M backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/AuthenticationProfileRepository.java M backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/InitBackendServicesOnStartupBean.java M backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/LoginBaseCommand.java A backend/manager/modules/builtin-extensions/src/main/java/org/ovirt/engine/extensions/aaa/builtin/kerberosldap/KerberosLdapMapper.java M backend/manager/modules/builtin-extensions/src/main/java/org/ovirt/engine/extensions/aaa/builtin/kerberosldap/LdapAuthenticateUserCommand.java M backend/manager/modules/builtin-extensions/src/main/resources/META-INF/services/org.ovirt.engine.api.extensions.Extension M backend/manager/modules/extensions-manager/src/main/java/org/ovirt/engine/core/extensions/mgr/ExtensionsManager.java 8 files changed, 118 insertions(+), 15 deletions(-) git pull ssh://gerrit.ovirt.org:29418/ovirt-engine refs/changes/70/26970/1
diff --git a/backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/AuthenticationProfile.java b/backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/AuthenticationProfile.java
index a3198e6..6beee99 100644
--- a/backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/AuthenticationProfile.java
+++ b/backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/AuthenticationProfile.java
@@ -19,18 +19,22 @@
 private ExtensionProxy authz;
+ private ExtensionProxy mapper;
+
 /**
 * Create a new authentication profile with the given name, authenticator and directory.
 *
 * @param authn the authenticator that will be used to check the credentials of the user
 * @param authz the directory that will be used to lookup the details of the user once it is successfully
+ * @param mapping the mappinng extension to map the post authn auth record
 * authenticated
 */
- public AuthenticationProfile(ExtensionProxy authn, ExtensionProxy authz) {
+ public AuthenticationProfile(ExtensionProxy authn, ExtensionProxy authz, ExtensionProxy mapper) {
 this.name = authn.getContext().<Properties> get(Base.ContextKeys.CONFIGURATION)
 .getProperty("ovirt.engine.aaa.authn.profile.name");
 this.authn = authn;
 this.authz = authz;
+ this.mapper = mapper;
 }
 /**
@@ -54,4 +58,8 @@
 public ExtensionProxy getAuthz() {
 return authz;
 }
+
+ public ExtensionProxy getMapper() {
+ return mapper;
+ }
 }
diff --git a/backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/AuthenticationProfileRepository.java b/backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/AuthenticationProfileRepository.java
index 30383fd..e29449d 100644
--- a/backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/AuthenticationProfileRepository.java
+++ b/backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/AuthenticationProfileRepository.java
@@ -16,6 +16,7 @@
 private static final String AUTHN_SERVICE = Authn.class.getName();
 private static final String AUTHN_AUTHZ_PLUGIN = "ovirt.engine.aaa.authn.authz.plugin";
+ private static final String AUTHN_MAPPING_PLUGIN = "ovirt.engine.aaa.authn.mapping.plugin";
 private static volatile AuthenticationProfileRepository instance = null;
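Review bot: The added Javadoc tag documents a parameter that does not exist: the constructor's new parameter is `mapper`, but the tag reads `@param mapping` (with "mappinng" misspelled), and it is inserted between the `@param authz` sentence and its continuation line `* authenticated`, so the authz description now appears to end at "successfully". Move the tag below that continuation line and rename it, e.g. `* @param mapper the mapping extension applied to the auth record after authentication, or {@code null} when the profile has no mapper`; the LoginBaseCommand hunk of this change tests `mapper != null`, so the Javadoc should say whether null is allowed. The summary sentence "with the given name, authenticator and directory" could also mention the mapper.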
@@ -83,9 +84,10 @@
 new AuthenticationProfile(
 authnExtension,
 ExtensionsManager.getInstance().getExtensionByName(
- authnExtension.getContext().<Properties>get(Base.ContextKeys.CONFIGURATION).getProperty(
- AUTHN_AUTHZ_PLUGIN
- )
+ authnExtension.getContext().<Properties>get(Base.ContextKeys.CONFIGURATION).getProperty(AUTHN_AUTHZ_PLUGIN)
+ ),
+ ExtensionsManager.getInstance().getExtensionByName(
+ authnExtension.getContext().<Properties>get(Base.ContextKeys.CONFIGURATION).getProperty(AUTHN_MAPPING_PLUGIN)
 )
 )
 );
diff --git a/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/InitBackendServicesOnStartupBean.java b/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/InitBackendServicesOnStartupBean.java
index a9d85b0..21aea4b 100644
--- a/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/InitBackendServicesOnStartupBean.java
+++ b/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/InitBackendServicesOnStartupBean.java
@@ -17,6 +17,7 @@
 import org.ovirt.engine.api.extensions.Base;
 import org.ovirt.engine.api.extensions.aaa.Authn;
 import org.ovirt.engine.api.extensions.aaa.Authz;
+import org.ovirt.engine.api.extensions.aaa.Mapping;
 import org.ovirt.engine.core.aaa.AuthenticationProfileRepository;
 import org.ovirt.engine.core.bll.dwh.DwhHeartBeat;
 import org.ovirt.engine.core.bll.gluster.GlusterJobsManager;
@@ -171,6 +172,8 @@
 "org.ovirt.engine.extensions.aaa.builtin.kerberosldap.KerberosLdapAuthn");
 authConfig.put("ovirt.engine.aaa.authn.profile.name", domain);
 authConfig.put("ovirt.engine.aaa.authn.authz.plugin", domain);
+ String mapperName = String.format("builtin-authz-%1$s", domain);
+ authConfig.put("ovirt.engine.aaa.authn.mapping.plugin", mapperName);
 authConfig.put("config.change.password.url", blankIfNull(passwordChangeUrlPerDomain.get(domain)));
 authConfig.put("config.change.password.msg", blankIfNull(passwordChangeMsgPerDomain.get(domain)));
 ExtensionsManager.getInstance().load(authConfig);
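Review bot: The new mapper lookup passes `getProperty(AUTHN_MAPPING_PLUGIN)` straight to `getExtensionByName`, so an authn profile that has no mapping property (the mapper is optional per the `mapper != null` check in LoginBaseCommand) hands a null name to `loadedEntries.get(name)`; whether that map accepts a null key is not visible here. The authz lookup in the same call is affected by the ExtensionsManager hunk of this change, which now returns null instead of throwing `ConfigurationException` for an unknown name, so a misspelled `ovirt.engine.aaa.authn.authz.plugin` no longer fails at startup but produces a profile whose `getAuthz()` is null. I would read the authn configuration into a local, resolve `String mapperName = config.getProperty(AUTHN_MAPPING_PLUGIN);`, pass `mapperName == null ? null : ExtensionsManager.getInstance().getExtensionByName(mapperName)` as the third argument, and reject a null authz explicitly before building the profile. The enclosing method starts before this hunk.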
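Review bot: The mapping extension is registered under `String.format("builtin-authz-%1$s", domain)`, a name that says authz although the extension it names provides `Mapping`, while the authz extension for the same domain is registered as plain `domain` two lines above; when these names show up in logs or in a profile's configuration the prefix will mislead. A name such as `String.format("builtin-mapping-%1$s", domain)` describes what is loaded. `mapperName` is declared as a local here because the next hunk in this method reads it when building `mappingConfig`; a one-line comment, `// name under which the per-domain mapping extension is loaded below`, would make that dependency visible. The enclosing method starts outside the hunk.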
@@ -184,6 +187,17 @@
 dirConfig.put("config.query.filter.size", Config.<Integer> getValue(ConfigValues.MaxLDAPQueryPartsNumber));
 ExtensionsManager.getInstance().load(dirConfig);
+
+ Properties mappingConfig = new Properties();
+ mappingConfig.put(Base.ConfigKeys.NAME, mapperName);
+ mappingConfig.put(Base.ConfigKeys.PROVIDES, Mapping.class.getName());
+ mappingConfig.put(Base.ConfigKeys.ENABLED, "true");
+ mappingConfig.put(Base.ConfigKeys.MODULE, "org.ovirt.engine.extensions.builtin");
+ mappingConfig.put(Base.ConfigKeys.CLASS,
+ "org.ovirt.engine.extensions.aaa.builtin.kerberosldap.KerberosLdapMapper");
+ mappingConfig.put("org.ovirt.engine.config.authz.name", domain);
+ ExtensionsManager.getInstance().load(mappingConfig);
+
 }
 }
 }
diff --git a/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/LoginBaseCommand.java b/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/LoginBaseCommand.java
index 202dee7..5d032de 100644
--- a/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/LoginBaseCommand.java
+++ b/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/LoginBaseCommand.java
@@ -9,6 +9,7 @@
 import org.ovirt.engine.api.extensions.Base;
 import org.ovirt.engine.api.extensions.ExtMap;
 import org.ovirt.engine.api.extensions.aaa.Authn;
+import org.ovirt.engine.api.extensions.aaa.Mapping;
 import org.ovirt.engine.core.aaa.AuthenticationProfile;
 import org.ovirt.engine.core.aaa.AuthenticationProfileRepository;
 import org.ovirt.engine.core.aaa.AuthzUtils;
@@ -55,6 +56,8 @@
 }
 private ExtensionProxy authnExtension;
+
+ private AuthenticationProfile profile;
 public LoginBaseCommand(T parameters) {
 super(parameters);
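Review bot: The configuration key `"org.ovirt.engine.config.authz.name"` written into `mappingConfig` follows neither the `ovirt.engine.aaa.*` keys used for the authn configuration in this method nor the `config.*` keys used for the directory configuration just above, and its only reader is the same literal in `KerberosLdapMapper.doInit`; a constant exposed by the mapper, e.g. `public static final String CONFIG_AUTHZ_NAME = "org.ovirt.engine.config.authz.name";`, used on both sides would keep the two from drifting silently. The mapping extension is loaded after the authn extension that already refers to it through `ovirt.engine.aaa.authn.mapping.plugin`; that is harmless only if extension names are resolved later (in the profile repository), which this hunk does not show. The closing braces at the end of the hunk belong to blocks whose start is outside it.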
@@ -143,7 +146,7 @@
 }
 // Check that the authentication profile exists:
- AuthenticationProfile profile = AuthenticationProfileRepository.getInstance().getProfile(profileName);
+ profile = AuthenticationProfileRepository.getInstance().getProfile(profileName);
 if (profile == null) {
 log.errorFormat(
 "Can't login user \"{0}\" because authentication profile \"{1}\" doesn't exist.",
@@ -333,7 +336,21 @@
 }
 result = null;
 } else {
+ ExtensionProxy mapper = profile.getMapper();
+ if (mapper != null) {
+ outputMap.put(Authn.InvokeKeys.AUTH_RECORD,
+ mapper.invoke(new ExtMap().mput(
+ Base.InvokeKeys.COMMAND,
+ Mapping.InvokeCommands.MAP_AUTH_RECORD
+ ).mput(
+ Authn.InvokeKeys.AUTH_RECORD,
+ outputMap.<ExtMap> get(Authn.InvokeKeys.AUTH_RECORD)
+ )
+ )
+ );
+ }
 result = outputMap.<ExtMap> get(Authn.InvokeKeys.AUTH_RECORD);
+
 }
 return result;
 }
diff --git a/backend/manager/modules/builtin-extensions/src/main/java/org/ovirt/engine/extensions/aaa/builtin/kerberosldap/KerberosLdapMapper.java b/backend/manager/modules/builtin-extensions/src/main/java/org/ovirt/engine/extensions/aaa/builtin/kerberosldap/KerberosLdapMapper.java
new file mode 100644
index 0000000..3fa7d48
--- /dev/null
+++ b/backend/manager/modules/builtin-extensions/src/main/java/org/ovirt/engine/extensions/aaa/builtin/kerberosldap/KerberosLdapMapper.java
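Review bot: The value stored back under `Authn.InvokeKeys.AUTH_RECORD` is the return value of `mapper.invoke(...)` itself, yet the very next line reads the record out of an invoke result with `outputMap.<ExtMap> get(Authn.InvokeKeys.AUTH_RECORD)`, and the new KerberosLdapMapper writes its mapped record under that key of its output map; unless `ExtensionProxy.invoke` unwraps the record (not visible here), `result` becomes the mapper's whole output map rather than the auth record. The mapper's `Base.InvokeKeys.RESULT` is also never examined: KerberosLdapMapper answers a failure with RESULT=FAILED plus MESSAGE and no AUTH_RECORD, so once the record is extracted correctly a failing mapper must be treated as a failed login and logged, not allowed to fall through to the unmapped record. The rewrite below extracts the mapped record, writes it back, and refuses the login when the mapper produced none; the login-name argument of the log call is a placeholder because the variable used by the earlier `log.errorFormat` in this file is outside the hunk. The added blank `+` line before the else's closing brace can be dropped.
```java
} else {
    ExtensionProxy mapper = profile.getMapper();
    ExtMap authRecord = outputMap.<ExtMap> get(Authn.InvokeKeys.AUTH_RECORD);
    if (mapper != null) {
        ExtMap mapperOutput = mapper.invoke(new ExtMap().mput(
            Base.InvokeKeys.COMMAND,
            Mapping.InvokeCommands.MAP_AUTH_RECORD
        ).mput(
            Authn.InvokeKeys.AUTH_RECORD,
            authRecord
        ));
        // The mapper reports failure through RESULT/MESSAGE and leaves AUTH_RECORD unset;
        // a configured mapper that fails must not let the unmapped record through.
        authRecord = mapperOutput.<ExtMap> get(Authn.InvokeKeys.AUTH_RECORD);
        if (authRecord == null) {
            log.errorFormat(
                "Can't login user \"{0}\" because the mapping extension failed: {1}",
                LOGIN_NAME_PLACEHOLDER /* the user name used by the earlier log.errorFormat */,
                mapperOutput.get(Base.InvokeKeys.MESSAGE));
        } else {
            outputMap.put(Authn.InvokeKeys.AUTH_RECORD, authRecord);
        }
    }
    result = authRecord;
}
```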
@@ -0,0 +1,70 @@
+package org.ovirt.engine.extensions.aaa.builtin.kerberosldap;
+
+import java.util.Properties;
+
+import org.ovirt.engine.api.extensions.Base;
+import org.ovirt.engine.api.extensions.ExtMap;
+import org.ovirt.engine.api.extensions.Extension;
+import org.ovirt.engine.api.extensions.aaa.Authn;
+import org.ovirt.engine.api.extensions.aaa.Mapping;
+
+public class KerberosLdapMapper implements Extension {
+
+ private ExtMap context;
+ private Properties config;
+ private Object authzName;
+
+ @Override
+ public void invoke(ExtMap input, ExtMap output) {
+ try {
+ if (input.get(Base.InvokeKeys.COMMAND).equals(Base.InvokeCommands.INITIALIZE)) {
+ doInit(input, output);
+ } else if (input.get(Base.InvokeKeys.COMMAND).equals(Mapping.InvokeCommands.MAP_AUTH_RECORD)) {
+ doMapping(input, output);
+ }
+ output.putIfAbsent(Base.InvokeKeys.RESULT, Base.InvokeResult.SUCCESS);
+ } catch (Exception ex) {
+ output.mput(Base.InvokeKeys.RESULT, Base.InvokeResult.FAILED).
+ mput(Base.InvokeKeys.MESSAGE, ex.getMessage());
+ }
+ }
+
+ private void doInit(ExtMap input, ExtMap output) {
+ context = input.<ExtMap> get(Base.InvokeKeys.CONTEXT);
+ context.mput(
+ Base.ContextKeys.AUTHOR,
+ "The oVirt Project"
+ ).mput(
+ Base.ContextKeys.EXTENSION_NAME,
+ "Kerberos-Ldap-Mapping Mapping (Built-in)"
+ ).mput(
+ Base.ContextKeys.LICENSE,
+ "ASL 2.0"
+ ).mput(
+ Base.ContextKeys.HOME_URL,
+ "http://www.ovirt.org"
+ ).mput(
+ Base.ContextKeys.VERSION,
+ "N/A"
+ );
+ config = context.<Properties> get(Base.ContextKeys.CONFIGURATION);
+ authzName = config.get("org.ovirt.engine.config.authz.name");
+ }
+
+ private void doMapping(ExtMap input, ExtMap output) {
+ ExtMap authRecord = input.<ExtMap> get(Authn.InvokeKeys.AUTH_RECORD);
+ ExtMap outRecord = (ExtMap) authRecord.clone();
+ if (!authRecord.<String> get(Authn.AuthRecord.PRINCIPAL).contains("@")) {
+ outRecord.put(Authn.AuthRecord.PRINCIPAL, authRecord.<String> get(Authn.AuthRecord.PRINCIPAL) + "@" +
+ authzName);
+
+ }
+
output.put(Authn.InvokeKeys.AUTH_RECORD, outRecord);
+
+
+
+
+ }
+
+
+}
diff --git a/backend/manager/modules/builtin-extensions/src/main/java/org/ovirt/engine/extensions/aaa/builtin/kerberosldap/LdapAuthenticateUserCommand.java b/backend/manager/modules/builtin-extensions/src/main/java/org/ovirt/engine/extensions/aaa/builtin/kerberosldap/LdapAuthenticateUserCommand.java
index 92b6ca7..fb8fe90 100644
--- a/backend/manager/modules/builtin-extensions/src/main/java/org/ovirt/engine/extensions/aaa/builtin/kerberosldap/LdapAuthenticateUserCommand.java
+++ b/backend/manager/modules/builtin-extensions/src/main/java/org/ovirt/engine/extensions/aaa/builtin/kerberosldap/LdapAuthenticateUserCommand.java
@@ -38,12 +38,6 @@
 queryData.setDomain(domain);
 setDomain(domain);
 setAuthenticationDomain(domain);
- } else {
- // the user name is NT format use 'SAM Account Name' search
- setAuthenticationDomain(getDomain());
- queryData.setDomain(getDomain());
- queryData.setLdapQueryType(LdapQueryType.getUserByName);
- queryData.setFilterParameters(new Object[] { getLoginName() });
 }
 Object searchResult = directorySearcher.findOne(queryData);
diff --git a/backend/manager/modules/builtin-extensions/src/main/resources/META-INF/services/org.ovirt.engine.api.extensions.Extension b/backend/manager/modules/builtin-extensions/src/main/resources/META-INF/services/org.ovirt.engine.api.extensions.Extension
index 7f42cd5..ca14ac0 100644
--- a/backend/manager/modules/builtin-extensions/src/main/resources/META-INF/services/org.ovirt.engine.api.extensions.Extension
+++ b/backend/manager/modules/builtin-extensions/src/main/resources/META-INF/services/org.ovirt.engine.api.extensions.Extension
@@ -3,3 +3,4 @@
 org.ovirt.engine.extensions.aaa.builtin.kerberosldap.KerberosLdapAuthz
 org.ovirt.engine.extensions.aaa.builtin.kerberosldap.KerberosLdapAuthn
 org.ovirt.engine.extensions.aaa.builtin.header.HeaderAuthn
+org.ovirt.engine.extensions.aaa.builtin.kerberosldap.KerberosLdapMapping
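Review bot: `authzName` is declared as `Object` and filled with `config.get("org.ovirt.engine.config.authz.name")`, so a missing configuration value goes unnoticed in `doInit` and `doMapping` then emits principals of the form `user@null`, which travel on to authorization as if they were properly qualified. Declare it `private String authzName;`, read it with `config.getProperty(...)`, and fail initialization when it is absent, `if (authzName == null) { throw new IllegalArgumentException("org.ovirt.engine.config.authz.name is not set"); }` — the `catch (Exception ex)` in `invoke` turns that into RESULT=FAILED with the message, provided the extensions manager acts on the result of INITIALIZE (not visible here). The class has no Javadoc; a header such as "Built-in mapping extension: qualifies an unqualified PRINCIPAL in the auth record with the configured authz name before the record reaches authorization" would state the contract, and the `EXTENSION_NAME` string "Kerberos-Ldap-Mapping Mapping (Built-in)" repeats the word Mapping. The four blank lines after `output.put(...)` and the two before the class's closing brace can go.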
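Review bot: The provider line added here names `org.ovirt.engine.extensions.aaa.builtin.kerberosldap.KerberosLdapMapping`, but the class introduced by this change is `KerberosLdapMapper`, which is also the name `InitBackendServicesOnStartupBean` stores under `Base.ConfigKeys.CLASS`. If this file is consumed through `java.util.ServiceLoader`, a provider name that does not resolve raises `ServiceConfigurationError` while the providers are iterated, which can take the other built-in extensions listed above down with it. The line should read `org.ovirt.engine.extensions.aaa.builtin.kerberosldap.KerberosLdapMapper`.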
diff --git a/backend/manager/modules/extensions-manager/src/main/java/org/ovirt/engine/core/extensions/mgr/ExtensionsManager.java b/backend/manager/modules/extensions-manager/src/main/java/org/ovirt/engine/core/extensions/mgr/ExtensionsManager.java
index d8919b2..e32ca35 100644
--- a/backend/manager/modules/extensions-manager/src/main/java/org/ovirt/engine/core/extensions/mgr/ExtensionsManager.java
+++ b/backend/manager/modules/extensions-manager/src/main/java/org/ovirt/engine/core/extensions/mgr/ExtensionsManager.java
@@ -91,10 +91,7 @@
 public ExtensionProxy getExtensionByName(String name) throws ConfigurationException {
 ExtensionEntry entry = loadedEntries.get(name);
 if (entry == null) {
- throw new ConfigurationException(String.format(
- "No configuration was found for extension named '%1$s'",
- name)
- );
+ return null;
 }
 if (!entry.activated) {
--
To view, visit http://gerrit.ovirt.org/26970 To unsubscribe, visit http://gerrit.ovirt.org/settings Gerrit-MessageType: newchange Gerrit-Change-Id: Ib5ac853e9011bb6118796a4cd14c0b7425308f3b Gerrit-PatchSet: 1 Gerrit-Project: ovirt-engine Gerrit-Branch: master Gerrit-Owner: Yair Zaslavsky <[email protected]> _______________________________________________ Engine-patches mailing list [email protected] http://lists.ovirt.org/mailman/listinfo/engine-patches
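Review bot: `getExtensionByName` now returns `null` for an unknown name while still declaring `throws ConfigurationException`, and nothing in the hunk documents the new contract, so callers written against the old behaviour get a silent null where they used to get a startup failure. A Javadoc of the form `@return the loaded extension, or {@code null} when no extension with this name has been loaded` together with `@throws ConfigurationException if the extension is loaded but not activated` (the `if (!entry.activated)` branch presumably still throws; it continues outside the hunk) would make both outcomes explicit. If the only goal is to make the mapping plugin optional, a separate lookup that returns an absent value, leaving this method's exception in place for mandatory lookups, keeps misconfiguration of mandatory extensions loud. The method body continues past the end of the hunk.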
