[ 
https://issues.apache.org/jira/browse/KYLIN-2960?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16226667#comment-16226667
 ] 

jiatao.tao edited comment on KYLIN-2960 at 10/31/17 11:57 AM:
--------------------------------------------------------------

Hi peng.jianhua,
1. Kylin needs ROLE_ADMIN to indicate that the user is a global ADMIN

{code:java}
@PreAuthorize(Constant.ACCESS_HAS_ROLE_ADMIN)
{code}

(the user can define the LDAP admin group by kylin.security.acl.admin-role=admin).
2. I'll replace all AuthoritiesPopulator with LDAPAuthoritiesPopulator in 
kylinSecurity.xml. But the original AuthoritiesPopulator will be tagged 
@Deprecated but still kept in case some previous users use this.


was (Author: aron.tao):
Hi peng.jianhua,
1. Kylin needs ROLE_ADMIN to indicate that the user is a global ADMIN (the user can 
define the LDAP admin group by kylin.security.acl.admin-role=admin).
2. I'll replace all AuthoritiesPopulator with LDAPAuthoritiesPopulator in 
kylinSecurity.xml. But the original AuthoritiesPopulator will be tagged 
@Deprecated but still kept in case some previous users use this.

> We should submit a new feature that it support the authentication for user 
> and role and the authentication for user and group when the LDAP 
> authentication was enabled.
> -----------------------------------------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: KYLIN-2960
>                 URL: https://issues.apache.org/jira/browse/KYLIN-2960
>             Project: Kylin
>          Issue Type: New Feature
>          Components: General
>            Reporter: peng.jianhua
>            Assignee: jiatao.tao
>              Labels: patch
>         Attachments: 
> 0001-KYLIN-2960-We-should-submit-a-new-feature-that-it-su.patch
>
>
> Currently, the user authentication interface that was provided by Kylin to 
> the third party only supports user and role authentication. However, only user 
> and group have the authentication function when we use LDAP authentication. 
> In fact, the authentication for user and role and the authentication for user 
> and group have the same functional characteristics between different 
> application systems. So we should submit a new feature that supports the 
> authentication for user and role and the authentication for user and group 
> when LDAP authentication is enabled.
> We supplied the checkPermission interface to implement the new feature. In 
> the interface we set user groups information to the userRoles parameter when 
> LDAP is enabled; on the contrary, we set user roles information to the 
> userRoles parameter. The interface is as follows:
> /**
>  * Checks if a user has permission on an entity.
>  * 
>  * @param user
>  * @param userRoles
>  * @param entityType String constants defined in AclEntityType 
>  * @param entityUuid
>  * @param permission
>  * 
>  * @return true if has permission
>  */
> abstract public boolean checkPermission(String user, List<String> userRoles, 
> //
>               String entityType, String entityUuid, Permission permission);



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
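
The mapping the comment describes, where membership of the LDAP group named by kylin.security.acl.admin-role is what produces the ROLE_ADMIN authority that @PreAuthorize(Constant.ACCESS_HAS_ROLE_ADMIN) checks, can be sketched as follows. This is an added example, not code from Kylin or from the attached patch; the class AdminGroupMapping, its methods, the case-insensitive exact-match rule and the sample group lists are assumptions.

```java
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Locale;
import java.util.Set;

// Hypothetical sketch, not Kylin's LDAPAuthoritiesPopulator.
public class AdminGroupMapping {
    static final String ROLE_ADMIN = "ROLE_ADMIN";

    // Stand-in for the kylin.security.acl.admin-role value.
    private final String adminGroup;

    AdminGroupMapping(String adminGroup) {
        if (adminGroup == null || adminGroup.trim().isEmpty()) {
            // An unset value must never match an empty or missing group name.
            throw new IllegalArgumentException("admin group must be configured");
        }
        this.adminGroup = normalize(adminGroup);
    }

    private static String normalize(String group) {
        return group.trim().toUpperCase(Locale.ROOT);
    }

    // Assumption: each LDAP group becomes an authority of the same name, and only
    // an exact match on the configured admin group additionally grants ROLE_ADMIN.
    Set<String> authoritiesFor(List<String> ldapGroups) {
        Set<String> authorities = new LinkedHashSet<>();
        for (String group : ldapGroups) {
            if (group == null || group.trim().isEmpty()) continue;
            String name = normalize(group);
            boolean isAdminGroup = name.equals(adminGroup);
            // A directory group that merely happens to be called ROLE_ADMIN is
            // dropped, so the configured group stays the only path to admin.
            if (name.equals(ROLE_ADMIN) && !isAdminGroup) continue;
            authorities.add(name);
            if (isAdminGroup) authorities.add(ROLE_ADMIN);
        }
        return authorities;
    }

    public static void main(String[] args) {
        AdminGroupMapping mapping = new AdminGroupMapping("admin");
        // Constructed sample group lists, not taken from a real directory.
        System.out.println(mapping.authoritiesFor(Arrays.asList("admin", "analysts")));
        System.out.println(mapping.authoritiesFor(Arrays.asList("administrators", "ROLE_ADMIN")));
    }
}
```

The second sample shows the two cases worth testing in any such mapping: a group whose name only contains the admin group name, and a directory group named after the internal authority itself.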
