[ 
https://issues.apache.org/jira/browse/KYLIN-3197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16360290#comment-16360290
 ] 

jiatao.tao edited comment on KYLIN-3197 at 2/12/18 4:38 AM:
------------------------------------------------------------

Hi [~xingpeng1]

I understand your description, and there's no need to post again if there's no 
update.

And I tested your scenario, as you can see in the previous comment, and cannot 
reproduce your problem.

Let's put aside your patch first, as the root cause may not be the one you 
think. I recommend that we first find what the problem is, e.g. wrong usage? 
environment problem? LDAP problem? or a bug in Kylin. You can refer to my 
experiment. The LDIF config and Kylin config are as follows.

*As for me, kylin.security.ldap.user-search-pattern=(uid={0})*
*in your config is very suspicious; LDAP may use this as the username to search 
group members. Please confirm whether this is within your expectations, and 
could you try using cn?*

Hope you can find the true root cause.

LDIF
{code:java}
# People, example.com
dn: ou=People,dc=example,dc=com
ou: People
cn: People
objectClass: organizationalRole
objectClass: top

# jenny, People, example.com
dn: cn=jenny,ou=People,dc=example,dc=com
mail: je...@example.io
ou: Analyst
cn: jenny
sn: jenny liu
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
userPassword:: ZXhhbXBsZTEyMw==

# admin, Groups, example.com
dn: cn=admin,ou=Groups,dc=example,dc=com
cn: admin
member: cn=jenny,ou=People,dc=example,dc=com
objectClass: groupOfNames
objectClass: top
{code}
{code:java}
kylin.security.ldap.user-search-base=ou=People,dc=example,dc=com
kylin.security.ldap.user-group-search-base=ou=Groups,dc=example,dc=com
kylin.security.ldap.user-search-pattern=(&(cn={0}))
kylin.security.ldap.user-group-search-filter=(|(member={0})(memberUid={1}))

kylin.security.acl.admin-role=admin

{code}


> When ldap is opened, I use an ignored case user to login, the page does not 
> respond.
> ------------------------------------------------------------------------------------
>
>                 Key: KYLIN-3197
>                 URL: https://issues.apache.org/jira/browse/KYLIN-3197
>             Project: Kylin
>          Issue Type: Bug
>          Components: Security
>    Affects Versions: v2.3.0
>            Reporter: Peng Xing
>            Assignee: Peng Xing
>            Priority: Major
>              Labels: patch
>             Fix For: Future
>
>         Attachments: 
> 0001-KYLIN-3197-When-ldap-is-opened-I-use-an-ignored-case.patch, 
> image-2018-01-25-17-22-39-970.png, image-2018-02-06-14-09-32-591.png, 
> image-2018-02-08-15-32-25-030.png, image-2018-02-08-15-33-07-277.png, 
> image-2018-02-08-15-33-54-480.png, image-2018-02-08-15-35-03-902.png, 
> image-2018-02-12-12-15-00-574.png, image-2018-02-12-12-15-28-826.png, 
> image-2018-02-12-12-15-39-132.png, image-2018-02-12-12-25-15-793.png
>
>
> When ldap is opened, I config the kylin.properties, and give wkhGroup the 
> admin permission.
> {code:java}
> ## Admin roles in LDAP, for ldap and saml
> kylin.security.acl.admin-role=wkhGroup
> {code}
> then I create a new user named 'wkh' whose group is 'wkhGroup', then I use 
> '{color:#ff0000}wkh{color}' to log in, which is normal.
>  But when I use '{color:#ff0000}WKH{color}' to log in, the page does not 
> respond.
>  I analyzed the background code, and found that the function 
> 'org.apache.kylin.rest.security.LDAPAuthoritiesPopulator.getGroupMembershipRoles(String,
>  String)' has a problem.
>  When userDn is 
> "uid={color:#ff0000}wkh{color},ou=People,ou=defaultCluster,dc=zdh,dc=com" and 
> username is "{color:#ff0000}WKH{color}", then authorities will be an empty Set 
> by the following code:
> {code:java}
> Set<GrantedAuthority> authorities = super.getGroupMembershipRoles(userDn, 
> username);
> {code}
> So I have added a 'getAdditionalRoles' function to get the authorities again.
>  I have tested the patch, please review, thanks!
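To make the two-step lookup discussed in this thread concrete, here is an added, offline Python model (not Kylin's or Spring's code) of what the populator does: a user search with the user-search-pattern, then a group search with the placeholders substituted the way the comment's kylin.properties uses them, {0} being the user's DN as the directory returns it and {1} the login name as typed. It uses the LDIF and properties quoted in the comment above, with two labelled assumptions added so that both placeholders matter: a `uid` attribute on jenny and a posixGroup `analysts` that lists her by `memberUid`. It also assumes the RFC 2307 matching rule for `memberUid` (case-exact), while cn, uid and DN-valued member match case-insensitively; the `canonicalize` option is a hypothetical mitigation for illustration, not the attached patch.

```python
"""Offline model of Kylin's LDAP authorization path (user search, then group
search) using the LDIF and kylin.properties quoted in this thread.  This is an
added, simplified emulation of LDAP matching, not Kylin's or Spring's code."""
import re

# Constructed directory: the thread's LDIF plus, as assumptions, a `uid` on
# jenny and a posixGroup that lists her by memberUid, so both placeholders
# of the group filter ({0}=user DN, {1}=login name) are exercised.
LDIF = """\
dn: cn=jenny,ou=People,dc=example,dc=com
cn: jenny
uid: jenny
sn: jenny liu
objectClass: inetOrgPerson

dn: cn=admin,ou=Groups,dc=example,dc=com
cn: admin
member: cn=jenny,ou=People,dc=example,dc=com
objectClass: groupOfNames

dn: cn=analysts,ou=Groups,dc=example,dc=com
cn: analysts
memberUid: jenny
objectClass: posixGroup
"""

KYLIN_CFG = {  # values taken from the comment's kylin.properties
    "kylin.security.ldap.user-search-base": "ou=People,dc=example,dc=com",
    "kylin.security.ldap.user-group-search-base": "ou=Groups,dc=example,dc=com",
    "kylin.security.ldap.user-search-pattern": "(&(cn={0}))",
    "kylin.security.ldap.user-group-search-filter": "(|(member={0})(memberUid={1}))",
    "kylin.security.acl.admin-role": "admin",
}

# Equality matching rules: cn, uid and the DN-valued member attribute match
# case-insensitively; RFC 2307 defines memberUid with caseExactIA5Match.
# Servers and schemas differ, so treat this table as an assumption to verify.
CASE_EXACT_ATTRS = {"memberuid"}


def parse_ldif(text):
    """Minimal LDIF reader: dict of DN -> {attribute: [values]}."""
    directory = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = {}
        for line in block.splitlines():
            if not line.strip() or line.startswith("#"):
                continue
            key, value = line.split(": ", 1)
            attrs.setdefault(key, []).append(value)
        directory[attrs["dn"][0]] = attrs
    return directory


def parse_filter(text):
    """Parse the subset of RFC 4515 used here: (attr=value), (&...), (|...)."""
    body = text[1:-1]
    if body[0] in "&|":
        parts, depth, start = [], 0, 0
        for i, ch in enumerate(body):
            if ch == "(":
                if depth == 0:
                    start = i
                depth += 1
            elif ch == ")":
                depth -= 1
                if depth == 0:
                    parts.append(parse_filter(body[start:i + 1]))
        return (body[0], parts)
    attr, value = body.split("=", 1)  # the value may itself be a DN with '='
    return ("=", attr, value)


def matches(entry, node):
    """Evaluate a parsed filter against one entry with the rules above."""
    op = node[0]
    if op == "&":
        return all(matches(entry, p) for p in node[1])
    if op == "|":
        return any(matches(entry, p) for p in node[1])
    _, attr, value = node
    stored = [v for k, vs in entry.items() if k.lower() == attr.lower() for v in vs]
    if attr.lower() in CASE_EXACT_ATTRS:
        return value in stored
    return value.lower() in (v.lower() for v in stored)


def search(directory, base, filter_text):
    """Subtree search: DNs under `base` whose entry matches the filter."""
    node = parse_filter(filter_text)
    return [dn for dn, entry in directory.items()
            if dn.lower().endswith(base.lower()) and matches(entry, node)]


def group_roles(directory, cfg, login_name, canonicalize=False):
    """Emulate getGroupMembershipRoles(userDn, username): sorted group names,
    or None when the user search does not yield exactly one entry."""
    p = "kylin.security.ldap."
    users = search(directory, cfg[p + "user-search-base"],
                   cfg[p + "user-search-pattern"].replace("{0}", login_name))
    if len(users) != 1:
        return None
    user_dn = users[0]        # DN exactly as stored, e.g. cn=jenny,...
    name = login_name         # what the user typed, e.g. JENNY
    if canonicalize:
        # Hypothetical mitigation (not the attached patch): substitute the RDN
        # value the directory holds instead of the typed spelling for {1}.
        name = user_dn.split(",", 1)[0].split("=", 1)[1]
    group_filter = (cfg[p + "user-group-search-filter"]
                    .replace("{0}", user_dn).replace("{1}", name))
    groups = search(directory, cfg[p + "user-group-search-base"], group_filter)
    return sorted(directory[g]["cn"][0] for g in groups)


def is_admin(directory, cfg, login_name, canonicalize=False):
    roles = group_roles(directory, cfg, login_name, canonicalize)
    return roles is not None and cfg["kylin.security.acl.admin-role"] in roles


DIRECTORY = parse_ldif(LDIF)

if __name__ == "__main__":
    for login in ("jenny", "JENNY"):
        print(login, group_roles(DIRECTORY, KYLIN_CFG, login),
              group_roles(DIRECTORY, KYLIN_CFG, login, canonicalize=True))
```

Under these assumptions, logging in as `JENNY` still resolves the user (cn matches case-insensitively) and still lands in the groupOfNames group `admin` because {0} carries the DN as stored, but the memberUid-based group is lost because {1} carries the typed spelling and `memberUid` is compared exactly; taking the name from the directory entry restores it. Which of these two branches your deployment relies on, and which matching rule your server actually applies to `memberUid`, is the thing to check before deciding whether the behaviour is a configuration issue or a Kylin bug.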



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
