[
https://issues.apache.org/jira/browse/KYLIN-2960?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16226667#comment-16226667
]
jiatao.tao edited comment on KYLIN-2960 at 10/31/17 11:56 AM:
--------------------------------------------------------------
Hi peng.jianhua,
1. Kylin needs ROLE_ADMIN to indicate that the user is a global ADMIN (the user can
define the LDAP admin group by kylin.security.acl.admin-role=admin).
2. I'll replace all AuthoritiesPopulator with LDAPAuthoritiesPopulator in
kylinSecurity.xml. But the original AuthoritiesPopulator will be tagged
@Deprecated but still kept in case some previous users use this.
was (Author: aron.tao):
Hi peng.jianhua,
1. Kylin needs ROLE_ADMIN to indicate that the user is a global ADMIN (see
kylin.security.acl.admin-role=admin).
2. I'll replace all AuthoritiesPopulator with LDAPAuthoritiesPopulator in
kylinSecurity.xml. But the original AuthoritiesPopulator will still be kept in case
some previous users use this
> We should submit a new feature that it support the authentication for user
> and role and the authentication for user and group when the LDAP
> authentication was enabled.
> -----------------------------------------------------------------------------------------------------------------------------------------------------------------------
>
> Key: KYLIN-2960
> URL: https://issues.apache.org/jira/browse/KYLIN-2960
> Project: Kylin
> Issue Type: New Feature
> Components: General
> Reporter: peng.jianhua
> Assignee: jiatao.tao
> Labels: patch
> Attachments:
> 0001-KYLIN-2960-We-should-submit-a-new-feature-that-it-su.patch
>
>
> Currently, the user authentication interface that was provided by Kylin to
> the third party only supports user and role authentication. However, only user
> and group have authentication function when we use the LDAP authentication.
> In fact, the authentication for user and role and the authentication for user
> and group have the same functional characteristics between different
> application systems. So we should submit a new feature that supports the
> authentication for user and role and the authentication for user and group
> when the LDAP authentication is enabled.
> We supplied the checkPermission interface to implement the new feature. In
> the interface we set the user's group information to the userRoles parameter when
> LDAP is enabled; otherwise we set the user's role information to the
> userRoles parameter. The interface is as follows:
> /**
>  * Checks if a user has permission on an entity.
>  *
>  * @param user
>  * @param userRoles
>  * @param entityType String constants defined in AclEntityType
>  * @param entityUuid
>  * @param permission
>  *
>  * @return true if has permission
>  */
> abstract public boolean checkPermission(String user, List<String> userRoles, //
>         String entityType, String entityUuid, Permission permission);
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
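
A sketch of the behaviour discussed in this thread, added here as an example and not taken from Kylin or the attached patch: LDAP group names are passed as userRoles, membership in the group named by kylin.security.acl.admin-role yields ROLE_ADMIN, and checkPermission denies by default. The class name, the Permission enum, the in-memory ACL table, the "user:"/"role:" prefixes and the sample data are all assumptions made for illustration.

```java
import java.util.*;
// Added illustration: class, enum and ACL table are hypothetical, not Kylin code.
public class GroupAwareAclExample {
    enum Permission { READ, MANAGEMENT }   // stand-in for the Permission type
    static final String ROLE_ADMIN = "ROLE_ADMIN";
    private final String adminGroup;       // value of kylin.security.acl.admin-role
    // "entityType/entityUuid" -> principal -> granted permissions
    private final Map<String, Map<String, Set<Permission>>> acl = new HashMap<>();
    GroupAwareAclExample(String adminGroup) { this.adminGroup = adminGroup; }

    // Principals are prefixed so a user named like a group cannot inherit its grants.
    void grant(String type, String uuid, String principal, Permission p) {
        acl.computeIfAbsent(type + "/" + uuid, k -> new HashMap<>())
           .computeIfAbsent(principal, k -> EnumSet.noneOf(Permission.class)).add(p);
    }

    // LDAP enabled: group names become userRoles and the admin group also yields
    // ROLE_ADMIN. Exact-match comparison is this example's assumption.
    List<String> toUserRoles(Collection<String> ldapGroups) {
        List<String> roles = new ArrayList<>(ldapGroups);
        if (ldapGroups.contains(adminGroup)) { roles.add(ROLE_ADMIN); }
        return roles;
    }

    public boolean checkPermission(String user, List<String> userRoles,
            String entityType, String entityUuid, Permission permission) {
        if (userRoles.contains(ROLE_ADMIN)) { return true; }   // global admin
        Map<String, Set<Permission>> entries = acl.get(entityType + "/" + entityUuid);
        if (entries == null) { return false; }                 // no ACL entry: deny
        List<String> principals = new ArrayList<>();
        principals.add("user:" + user);
        for (String r : userRoles) { principals.add("role:" + r); }
        for (String p : principals) {
            Set<Permission> granted = entries.get(p);
            if (granted != null && granted.contains(permission)) { return true; }
        }
        return false;
    }

    public static void main(String[] args) {   // constructed sample data
        GroupAwareAclExample check = new GroupAwareAclExample("admin");
        String t = "ExampleEntity", id = "uuid-1";
        check.grant(t, id, "role:analysts", Permission.READ);
        List<String> analyst = check.toUserRoles(Arrays.asList("analysts"));
        List<String> admin = check.toUserRoles(Arrays.asList("admin"));
        List<String> none = Collections.emptyList();
        System.out.println(check.checkPermission("alice", analyst, t, id, Permission.READ));   // group member
        System.out.println(check.checkPermission("analysts", none, t, id, Permission.READ));   // user named like the group
        System.out.println(check.checkPermission("bob", admin, t, id, Permission.MANAGEMENT)); // admin group member
    }
}
```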