[ https://issues.apache.org/jira/browse/KYLIN-2960?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16223514#comment-16223514 ]
jiatao.tao commented on KYLIN-2960:
-----------------------------------

{code:java}
package org.apache.kylin.rest.security;

import java.util.Set;

import org.apache.kylin.rest.constant.Constant;
import org.springframework.ldap.core.ContextSource;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator;

import com.google.common.collect.Sets;

/**
 * LDAP authorities populator that exposes a user's directory groups as granted
 * authorities and additionally grants {@code Constant.ROLE_ADMIN} to members of
 * the configured admin group.
 *
 * <p>Security-relevant configuration: the role prefix is cleared and upper-casing
 * is switched off, so every group name found under {@code groupSearchBase} becomes
 * an authority string verbatim. Two consequences follow from that:
 * <ul>
 *   <li>the admin-group match is exact and case-sensitive;</li>
 *   <li>a directory group whose name equals an application role name is granted
 *       as that role without passing through the {@code adminRole} mapping.
 *       NOTE(review): the literal value of {@code Constant.ROLE_ADMIN} is not
 *       visible here. Confirm that only trusted directory administrators can
 *       create or rename groups under {@code groupSearchBase}.</li>
 * </ul>
 */
public class AuthoritiesPopulator extends DefaultLdapAuthoritiesPopulator {

    /** Authority form of the LDAP group whose members are treated as administrators. */
    private SimpleGrantedAuthority adminRoleAsAuthority;

    /**
     * Creates a populator that searches {@code groupSearchBase} for the user's groups.
     *
     * @param contextSource   LDAP context used for the group search
     * @param groupSearchBase base DN under which groups are searched
     * @param adminRole       name of the LDAP group mapped to {@code Constant.ROLE_ADMIN};
     *                        compared verbatim against the group names returned by the search
     * @param defaultRole     accepted but currently ignored; whether a default role should
     *                        be applied is still under discussion
     */
    public AuthoritiesPopulator(ContextSource contextSource, String groupSearchBase, String adminRole,
            String defaultRole) {
        super(contextSource, groupSearchBase);

        // NOTE(review): SimpleGrantedAuthority is expected to reject a null or blank
        // adminRole, which would surface as a start-up failure -- confirm.
        this.adminRoleAsAuthority = new SimpleGrantedAuthority(adminRole);

        // {0} is the user's DN and {1} the login name, so a group matches when it lists
        // the user either way (member or memberUid).
        setGroupSearchFilter("(|(member={0})(memberUid={1}))");

        // Group names are used as authorities exactly as stored: no "ROLE_" prefix
        // and no case folding.
        setRolePrefix("");
        setConvertToUpperCase(false);
    }

    /**
     * Resolves the user's group-derived authorities and adds {@code Constant.ROLE_ADMIN}
     * when the configured admin group is among them.
     *
     * @param userDn   distinguished name of the authenticated user
     * @param username login name of the authenticated user
     * @return a new set holding the authorities found by the parent class, plus
     *         {@code Constant.ROLE_ADMIN} for members of the admin group
     */
    @Override
    public Set<GrantedAuthority> getGroupMembershipRoles(String userDn, String username) {
        Set<GrantedAuthority> fromDirectory = super.getGroupMembershipRoles(userDn, username);

        // Work on a copy so the set returned by the parent class is never modified.
        Set<GrantedAuthority> granted = Sets.newHashSet(fromDirectory);

        boolean inAdminGroup = fromDirectory.contains(adminRoleAsAuthority);
        if (inAdminGroup) {
            granted.add(new SimpleGrantedAuthority(Constant.ROLE_ADMIN));
        }
        return granted;
    }
}
{code}

> We should submit a new feature that it support the authentication for user
> and role and the authentication for user and group when the LDAP
> authentication was enabled.
> -----------------------------------------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: KYLIN-2960
>                 URL: https://issues.apache.org/jira/browse/KYLIN-2960
>             Project: Kylin
>          Issue Type: New Feature
>          Components: General
>            Reporter: peng.jianhua
>            Assignee: peng.jianhua
>              Labels: patch
>         Attachments: 0001-KYLIN-2960-We-should-submit-a-new-feature-that-it-su.patch
>
>
> Currently, the user authentication interface that Kylin provides to third
> parties only supports user and role authentication. However, only users and
> groups are available for authentication when LDAP authentication is used.
> In fact, authentication by user and role and authentication by user and
> group have the same functional characteristics across different application
> systems. So we should submit a new feature that supports both authentication
> by user and role and authentication by user and group when LDAP
> authentication is enabled.
> We supplied the checkPermission interface to implement the new feature. In
> this interface, the userRoles parameter is set to the user's group
> information when LDAP is enabled; otherwise it is set to the user's role
> information. The interface is as follows:
> /**
>  * Checks if a user has permission on an entity.
>  *
>  * @param user
>  * @param userRoles
>  * @param entityType String constants defined in AclEntityType
>  * @param entityUuid
>  * @param permission
>  *
>  * @return true if has permission
>  */
> abstract public boolean checkPermission(String user, List<String> userRoles,
> //
> String entityType, String entityUuid, Permission permission);

--
This message was sent by Atlassian JIRA
(v6.4.14#64029)