[ https://issues.apache.org/jira/browse/KYLIN-2960?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16224810#comment-16224810 ]
peng.jianhua edited comment on KYLIN-2960 at 10/30/17 12:22 PM:
----------------------------------------------------------------
Hi [~Aron.tao], thank you for your response. I have gotten your idea, and I
also agree very much, but I also have some questions.
1. Do you mean to use LDAPAuthoritiesPopulator to replace AuthoritiesPopulator?
I think AuthoritiesPopulator#getGroupMembershipRoles will return the roles of
the user, and LDAPAuthoritiesPopulator#getGroupMembershipRoles will return the
groups of the user, but you gave me an example which will return not only groups
but also ROLE_ADMIN, so do you mean using
LDAPAuthoritiesPopulator#getGroupMembershipRoles to return all of the groups and
roles of the user?
2. If AuthoritiesPopulator and LDAPAuthoritiesPopulator both exist, how do I let
Authentication#getAuthorities() return the result of AuthoritiesPopulator
or LDAPAuthoritiesPopulator?
So I am puzzled. In my understanding, I think the LDAPAuthoritiesPopulator is
like this. Then I can only get the groups of the user by
LDAPAuthoritiesPopulator#getGroupMembershipRoles, which may meet my needs.
Thank you for your help, looking forward to your response.
{code:java}
package org.apache.kylin.rest.security;

import java.util.Set;

import org.springframework.ldap.core.ContextSource;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator;

public class LDAPAuthoritiesPopulator extends DefaultLdapAuthoritiesPopulator {

    // defaultRole may be helpful, it needs discussion
    // (adminRole and defaultRole are accepted here but not used yet)
    public LDAPAuthoritiesPopulator(ContextSource contextSource, String groupSearchBase, String adminRole,
            String defaultRole) {
        super(contextSource, groupSearchBase);
        // match groups that list the user by DN (member) or by login name (memberUid)
        setGroupSearchFilter("(|(member={0})(memberUid={1}))");
        // keep group names exactly as stored in LDAP: no upper-casing, no role prefix
        setConvertToUpperCase(false);
        setRolePrefix("");
    }

    @Override
    public Set<GrantedAuthority> getGroupMembershipRoles(String userDn, String username) {
        // delegates to the default group search, so only LDAP groups are returned
        return super.getGroupMembershipRoles(userDn, username);
    }
}
{code}
> We should submit a new feature that it support the authentication for user
> and role and the authentication for user and group when the LDAP
> authentication was enabled.
> -----------------------------------------------------------------------------------------------------------------------------------------------------------------------
>
> Key: KYLIN-2960
> URL: https://issues.apache.org/jira/browse/KYLIN-2960
> Project: Kylin
> Issue Type: New Feature
> Components: General
> Reporter: peng.jianhua
> Assignee: peng.jianhua
> Labels: patch
> Attachments:
> 0001-KYLIN-2960-We-should-submit-a-new-feature-that-it-su.patch
>
>
> Currently, the user authentication interface that is provided by Kylin to
> third parties only supports user and role authentication. However, only user
> and group have authentication function when we use the LDAP authentication.
> In fact, the authentication for user and role and the authentication for user
> and group have the same functional characteristics between different
> application systems. So we should submit a new feature that supports the
> authentication for user and role and the authentication for user and group
> when the LDAP authentication is enabled.
> We supplied the checkPermission interface to implement the new feature. In
> the interface we set user groups information to the userRoles parameter when
> LDAP is enabled; on the contrary, we set user roles information to the
> userRoles parameter. The interface is as follows:
> /**
>  * Checks if a user has permission on an entity.
>  *
>  * @param user
>  * @param userRoles
>  * @param entityType String constants defined in AclEntityType
>  * @param entityUuid
>  * @param permission
>  *
>  * @return true if has permission
>  */
> abstract public boolean checkPermission(String user, List<String> userRoles, //
>         String entityType, String entityUuid, Permission permission);
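One way a single populator could return LDAP groups and application roles together, which is what the first question in the comment asks about. This is an added example, not code from the comment or from Kylin: the class name, `authoritiesFor`, the `kylin-admins` group and the sample users are assumptions, and the logic is plain Java so it runs without Spring or a directory.

```java
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;

/** Added example: merges LDAP group names and application roles into one authority set. */
public class GroupRoleAuthorities {
    static final String ROLE_ADMIN = "ROLE_ADMIN";

    /**
     * @param ldapGroups  group names from the directory search, kept as-is
     *                    (no prefix, no upper-casing, as in the populator in the comment)
     * @param adminGroup  hypothetical name of the LDAP group whose members are admins
     * @param defaultRole role every authenticated user receives, or null for none
     */
    static Set<String> authoritiesFor(List<String> ldapGroups, String adminGroup, String defaultRole) {
        Set<String> out = new LinkedHashSet<>();
        for (String group : ldapGroups) {
            // With an empty role prefix, a directory group could carry the same name
            // as an application role. Skip those so roles only come from the mapping below.
            if (group.startsWith("ROLE_")) {
                continue;
            }
            out.add(group);
        }
        // Role derived from membership in the configured admin group.
        if (adminGroup != null && out.contains(adminGroup)) {
            out.add(ROLE_ADMIN);
        }
        if (defaultRole != null) {
            out.add(defaultRole);
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample data, not taken from a real directory.
        List<String> alice = Arrays.asList("kylin-admins", "analysts");
        List<String> bob = Arrays.asList("analysts", "ROLE_ADMIN");
        System.out.println("alice: " + authoritiesFor(alice, "kylin-admins", "ROLE_ANALYST"));
        System.out.println("bob:   " + authoritiesFor(bob, "kylin-admins", "ROLE_ANALYST"));
    }
}
```

In a Spring Security populator the same mapping would sit inside the `getGroupMembershipRoles` override, applied to the set returned by `super.getGroupMembershipRoles(userDn, username)`; the resulting names are what would be passed as `userRoles` to `checkPermission`.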