[
https://issues.apache.org/jira/browse/KYLIN-2960?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16223514#comment-16223514
]
jiatao.tao edited comment on KYLIN-2960 at 10/28/17 1:26 PM:
-------------------------------------------------------------
It may look like that.
{code:java}
package org.apache.kylin.rest.security;

import java.util.Set;

import org.apache.kylin.rest.constant.Constant;
import org.springframework.ldap.core.ContextSource;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator;

import com.google.common.collect.Sets;

public class AuthoritiesPopulator extends DefaultLdapAuthoritiesPopulator {
    private SimpleGrantedAuthority adminRoleAsAuthority;

    // defaultRole may be helpful; it needs discussion
    public AuthoritiesPopulator(ContextSource contextSource, String groupSearchBase, String adminRole, String defaultRole) {
        super(contextSource, groupSearchBase);
        // {0} is the user's DN, {1} is the username
        setGroupSearchFilter("(|(member={0})(memberUid={1}))");
        // Keep LDAP group names as authorities verbatim: no upper-casing, no "ROLE_" prefix
        setConvertToUpperCase(false);
        setRolePrefix("");
        this.adminRoleAsAuthority = new SimpleGrantedAuthority(adminRole);
    }

    @Override
    public Set<GrantedAuthority> getGroupMembershipRoles(String userDn, String username) {
        Set<GrantedAuthority> authorities = super.getGroupMembershipRoles(userDn, username);
        Set<GrantedAuthority> userAuthorities = Sets.newHashSet(authorities);
        // Members of the configured admin group also receive Kylin's admin role
        if (authorities.contains(adminRoleAsAuthority)) {
            userAuthorities.add(new SimpleGrantedAuthority(Constant.ROLE_ADMIN));
        }
        return userAuthorities;
    }
}
{code}
> We should submit a new feature that it support the authentication for user
> and role and the authentication for user and group when the LDAP
> authentication was enabled.
> -----------------------------------------------------------------------------------------------------------------------------------------------------------------------
>
> Key: KYLIN-2960
> URL: https://issues.apache.org/jira/browse/KYLIN-2960
> Project: Kylin
> Issue Type: New Feature
> Components: General
> Reporter: peng.jianhua
> Assignee: peng.jianhua
> Labels: patch
> Attachments:
> 0001-KYLIN-2960-We-should-submit-a-new-feature-that-it-su.patch
>
>
> Currently, the user authentication interface that was provided by Kylin to
> the third party only supports user and role authentication. However, only user
> and group have authentication function when we use the LDAP authentication.
> In fact the authentication for user and role and the authentication for user
> and group have the same functional characteristics between different
> application systems. So we should submit a new feature that supports the
> authentication for user and role and the authentication for user and group
> when the LDAP authentication is enabled.
> We supplied the checkPermission interface to implement the new feature. In
> the interface we set user groups information to the userRoles parameter when
> LDAP is enabled; on the contrary, we set user roles information to the
> userRoles parameter. The interface is as follows:
> /**
> * Checks if a user has permission on an entity.
> *
> * @param user
> * @param userRoles
> * @param entityType String constants defined in AclEntityType
> * @param entityUuid
> * @param permission
> *
> * @return true if has permission
> */
> abstract public boolean checkPermission(String user, List<String> userRoles, //
>         String entityType, String entityUuid, Permission permission);
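An added sketch of the behaviour discussed in this thread (not Kylin code and not written by either poster): the comment's group-to-authority mapping feeding a checkPermission call with the parameter list from the description. The in-memory ACL, the `user:`/`role:` prefixes, the `Permission` enum and the `ROLE_ADMIN` value are assumptions made for illustration.

```java
import java.util.*;

// Added illustration, not Kylin code. Class, enum and helper names are hypothetical;
// only the checkPermission parameter list follows the issue description.
public class GroupAwareAclDemo {
    enum Permission { READ, ADMINISTRATION }       // stand-in for the real Permission type
    static final String ADMIN_ROLE = "ROLE_ADMIN"; // assumed value of Constant.ROLE_ADMIN

    // Same mapping as getGroupMembershipRoles in the comment: group names are kept
    // verbatim, so the admin-group comparison is an exact, case-sensitive match.
    static List<String> toUserRoles(Set<String> ldapGroups, String adminGroup) {
        List<String> roles = new ArrayList<>(ldapGroups);
        if (ldapGroups.contains(adminGroup)) roles.add(ADMIN_ROLE);
        return roles;
    }

    // "type:uuid" -> principal ("user:x" or "role:y") -> granted permissions
    private final Map<String, Map<String, Set<Permission>>> acl = new HashMap<>();

    void grant(String entityType, String entityUuid, String principal, Permission p) {
        acl.computeIfAbsent(entityType + ":" + entityUuid, k -> new HashMap<>())
           .computeIfAbsent(principal, k -> EnumSet.noneOf(Permission.class)).add(p);
    }

    // userRoles carries LDAP groups when LDAP is enabled, roles otherwise.
    boolean checkPermission(String user, List<String> userRoles,
            String entityType, String entityUuid, Permission permission) {
        Map<String, Set<Permission>> entries = acl.get(entityType + ":" + entityUuid);
        if (entries == null) return false;         // no ACL entry: deny
        List<String> principals = new ArrayList<>();
        principals.add("user:" + user);            // prefixes keep a user and a group
        if (userRoles != null)                     // with the same name apart
            for (String r : userRoles) principals.add("role:" + r);
        for (String p : principals) {
            Set<Permission> granted = entries.get(p);
            if (granted != null && granted.contains(permission)) return true;
        }
        return false;
    }

    public static void main(String[] args) {
        GroupAwareAclDemo demo = new GroupAwareAclDemo();
        demo.grant("CubeInstance", "sample-uuid", "role:analysts", Permission.READ); // constructed data
        List<String> alice = toUserRoles(Set.of("analysts"), "kylin-admin");
        List<String> bob = toUserRoles(Set.of("Kylin-Admin"), "kylin-admin");  // case differs
        System.out.println(demo.checkPermission("alice", alice, "CubeInstance", "sample-uuid", Permission.READ));
        System.out.println(bob.contains(ADMIN_ROLE));
        System.out.println(demo.checkPermission("bob", bob, "CubeInstance", "sample-uuid", Permission.READ));
    }
}
```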