[ 
https://issues.apache.org/jira/browse/KYLIN-2960?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16223498#comment-16223498
 ] 

jiatao.tao edited comment on KYLIN-2960 at 10/28/17 1:42 PM:
-------------------------------------------------------------

Hi jianhua, these are my opinions:
1. In the latest kylinSecurity.xml, it seems that AuthoritiesPopulator is 
already in the ldap profile.
2. The default AuthoritiesPopulator will transform role/group to uppercase and 
add "ROLE_" as a prefix, but deep in the source I found we can control these by 
setting two fields: rolePrefix/convertToUpperCase (we can also set the group 
search filter). So in the first comment I said we may change some places. In 
fact, we can create a LDAPAuthoritiesPopulator if necessary, so that everything 
can be fine.
3. You needn't directly call getGroupMembershipRoles; you can just call 
Authentication#getAuthorities().

Thanks very much, looking forward to your response.



> We should submit a new feature that it support the authentication for user 
> and role and the authentication for user and group when the LDAP 
> authentication was enabled.
> -----------------------------------------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: KYLIN-2960
>                 URL: https://issues.apache.org/jira/browse/KYLIN-2960
>             Project: Kylin
>          Issue Type: New Feature
>          Components: General
>            Reporter: peng.jianhua
>            Assignee: peng.jianhua
>              Labels: patch
>         Attachments: 
> 0001-KYLIN-2960-We-should-submit-a-new-feature-that-it-su.patch
>
>
> Currently, the user authentication interface that was provided by Kylin to 
> the third party only supports user and role authentication. However, only user 
> and group have authentication function when we use the LDAP authentication. 
> In fact, the authentication for user and role and the authentication for user 
> and group have the same functional characteristics between different 
> application systems. So we should submit a new feature that supports the 
> authentication for user and role and the authentication for user and group 
> when the LDAP authentication is enabled.
> We supplied the checkPermission interface to implement the new feature. In 
> the interface we set user groups information to the userRoles parameter when 
> LDAP is enabled; otherwise we set user roles information to the 
> userRoles parameter. The interface is as follows:
> /**
>  * Checks if a user has permission on an entity.
>  * 
>  * @param user
>  * @param userRoles
>  * @param entityType String constants defined in AclEntityType 
>  * @param entityUuid
>  * @param permission
>  * 
>  * @return true if has permission
>  */
> abstract public boolean checkPermission(String user, List<String> userRoles, //
>               String entityType, String entityUuid, Permission permission);



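The effect of the rolePrefix/convertToUpperCase settings from point 2 on a permission check, and the Authentication#getAuthorities() lookup from point 3, as an added example that is not code from the comment, the attached patch or Kylin. It assumes spring-security-core on the classpath and Java 9+; toAuthority, login, rolesOf, the ACL map, the simplified checkPermission and all sample names are hypothetical, and toAuthority only models the mapping the comment describes.

```java
import java.util.*;
import java.util.stream.Collectors;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;

public class LdapAuthorityMappingDemo {
    // Model of the mapping described in the comment: optional upper-casing, then a prefix.
    static GrantedAuthority toAuthority(String ldapGroup, String rolePrefix, boolean convertToUpperCase) {
        String name = convertToUpperCase ? ldapGroup.toUpperCase(Locale.ROOT) : ldapGroup;
        return new SimpleGrantedAuthority(rolePrefix + name);
    }

    // Hypothetical in-memory ACL (constructed data): entity UUID -> authority names granted access.
    static final Map<String, Set<String>> ACL = Map.of("cube-0001", Set.of("ROLE_KYLIN-ANALYSTS"));

    // Simplified stand-in for the quoted checkPermission (entityType and permission omitted).
    // The match is an exact string comparison, so the caller's naming must agree with the ACL's.
    static boolean checkPermission(String user, List<String> userRoles, String entityUuid) {
        Set<String> granted = ACL.getOrDefault(entityUuid, Set.of());
        return userRoles.stream().anyMatch(granted::contains);
    }

    // Point 3: take the names from Authentication#getAuthorities() instead of querying LDAP again.
    static List<String> rolesOf(Authentication auth) {
        return auth.getAuthorities().stream()
                .map(GrantedAuthority::getAuthority)
                .collect(Collectors.toList());
    }

    // Builds the Authentication a login would yield for the given populator settings (constructed).
    static Authentication login(String user, String rolePrefix, boolean upper, String... ldapGroups) {
        List<GrantedAuthority> authorities = new ArrayList<>();
        for (String group : ldapGroups) {
            authorities.add(toAuthority(group, rolePrefix, upper));
        }
        return new UsernamePasswordAuthenticationToken(user, "n/a", authorities);
    }

    public static void main(String[] args) {
        // Same user and LDAP group, two populator configurations.
        Authentication prefixed = login("alice", "ROLE_", true, "kylin-analysts");
        Authentication raw = login("alice", "", false, "kylin-analysts");
        for (Authentication auth : List.of(prefixed, raw)) {
            List<String> roles = rolesOf(auth);
            System.out.println(roles + " -> " + checkPermission("alice", roles, "cube-0001"));
        }
    }
}
```

Changing the prefix or case setting without migrating stored ACL entries silently revokes access for existing grants, so both sides of the comparison need the same normalization.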