[
https://issues.apache.org/jira/browse/KYLIN-2960?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16220195#comment-16220195
]
peng.jianhua edited comment on KYLIN-2960 at 10/26/17 9:19 AM:
---------------------------------------------------------------
Hi [~Aron.tao], thanks for your suggestion, but I have two questions, as follows:
1. AuthoritiesPopulator.java is only configured under profile 'saml' in
kylinSecurity.xml, so when I open the ldap switch, I cannot fetch this bean,
unless I move the AuthoritiesPopulator.java configuration from profile 'saml'
to 'ldap,saml'.
2. If I have done the first step, I do fetch the group roles by
'AuthoritiesPopulator.getGroupMembershipRoles(String userDn, String username)'
as a list like '[ROLE_WKHGROUP1, ROLE_WKHGROUP, ROLE_WKHGROUP2]'. You can
see that the groups are all converted to uppercase, which does not match the
real ones. In fact, the real groups are as follows:
{code:java}
[root@server130 ~]# id wkh
uid=10006(wkh) gid=10000(wkhGroup)
组=10000(wkhGroup),10004(wkhGroup1),10005(wkhGroup2)
{code}
And in Linux, the groups are case-sensitive, as follows:
{code:java}
WKHGROUP2:x:10006:
wKHGROUP2:x:10007:
{code}
In summary, I think it may not meet our needs. Do you think so?
Looking forward to your reply, thank you very much.
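
The collision the comment above points out, as an added example that is not part of the original comment and is not Kylin or Spring Security code: it models the mapping as the prefix `ROLE_` plus upper-casing and reports group names that end up as the same authority. The class and helper names are hypothetical, and the group list is constructed from the names quoted in the comment.

```java
import java.util.*;

// Added example: models the group-to-authority mapping described in the comment
// (prefix "ROLE_" plus upper-casing). Not Kylin or Spring Security code.
public class GroupRoleCollisionDemo {

    // Hypothetical helper: maps a directory group name to an authority string.
    static String toAuthority(String group, String prefix, boolean upperCase) {
        String name = upperCase ? group.toUpperCase(Locale.ROOT) : group;
        return prefix + name;
    }

    // Buckets group names by the authority they map to and keeps only the
    // authorities that more than one distinct group name produces.
    static Map<String, Set<String>> collisions(Collection<String> groups,
                                               String prefix, boolean upperCase) {
        Map<String, Set<String>> byAuthority = new TreeMap<>();
        for (String g : groups) {
            byAuthority
                .computeIfAbsent(toAuthority(g, prefix, upperCase), k -> new TreeSet<>())
                .add(g);
        }
        byAuthority.values().removeIf(names -> names.size() < 2);
        return byAuthority;
    }

    public static void main(String[] args) {
        // Constructed sample: the group names quoted in the comment, including
        // the two that differ only in the case of the first letter.
        List<String> groups = Arrays.asList(
            "wkhGroup", "wkhGroup1", "wkhGroup2", "WKHGROUP2", "wKHGROUP2");

        // With upper-casing, three distinct groups share one authority, so an
        // ACL entry granted to that authority covers members of all of them.
        System.out.println("upper-cased: " + collisions(groups, "ROLE_", true));

        // With case preserved, every group keeps its own authority.
        System.out.println("case kept:   " + collisions(groups, "ROLE_", false));
    }
}
```

Spring Security's `DefaultLdapAuthoritiesPopulator` exposes `setConvertToUpperCase(boolean)` for this behaviour; that Kylin's `AuthoritiesPopulator` inherits it is an assumption here.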
> We should submit a new feature that it support the authentication for user
> and role and the authentication for user and group when the LDAP
> authentication was enabled.
> -----------------------------------------------------------------------------------------------------------------------------------------------------------------------
>
> Key: KYLIN-2960
> URL: https://issues.apache.org/jira/browse/KYLIN-2960
> Project: Kylin
> Issue Type: New Feature
> Components: General
> Reporter: peng.jianhua
> Assignee: peng.jianhua
> Labels: patch
> Attachments:
> 0001-KYLIN-2960-We-should-submit-a-new-feature-that-it-su.patch
>
>
> Currently, the user authentication interface that was provided by Kylin to
> the third party only supports user and role authentication. However, only user
> and group have authentication function when we use the LDAP authentication.
> In fact, the authentication for user and role and the authentication for user
> and group have the same functional characteristics between different
> application systems. So we should submit a new feature that supports the
> authentication for user and role and the authentication for user and group
> when the LDAP authentication is enabled.
> We supplied the checkPermission interface to implement the new feature. In
> the interface we set user groups information to the userRoles parameter when
> LDAP is enabled; otherwise we set user roles information to the
> userRoles parameter. The interface is as follows:
> /**
> * Checks if a user has permission on an entity.
> *
> * @param user
> * @param userRoles
> * @param entityType String constants defined in AclEntityType
> * @param entityUuid
> * @param permission
> *
> * @return true if has permission
> */
> abstract public boolean checkPermission(String user, List<String> userRoles,
> //
> String entityType, String entityUuid, Permission permission);