[ 
https://issues.apache.org/jira/browse/KYLIN-3197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16360388#comment-16360388
 ] 

Peng Xing edited comment on KYLIN-3197 at 2/12/18 7:41 AM:
-----------------------------------------------------------

Hi [~Aron.tao], I have found out the reason why your environment is usable for 
case-insensitive LDAP usernames: because your Linux is SUSE, the member format 
is the userDn, just like 'uid=wkh,ou=People,ou=defaultCluster,dc=zdh,dc=com' in 
the group, so when userDn is 
"uid={color:red}wkh{color},ou=People,ou=defaultCluster,dc=zdh,dc=com", LDAP 
can use the userDn to match the LDAP group. I have tested in a SUSE environment; 
it really is OK. 

{code:java}
dn: cn=wkhGroup,ou=Group,ou=defaultCluster,dc=zdh,dc=com
objectClass: posixGroup
objectClass: top
objectClass: groupOfNames
cn: wkhGroup
gidNumber: 10015
member: uid=wkh,ou=People,ou=defaultCluster,dc=zdh,dc=com
structuralObjectClass: groupOfNames
entryUUID: 4bacacf6-a410-1037-996c-b7792c876d2c
creatorsName: cn=LdapAdmin,dc=zdh,dc=com
createTimestamp: 20180212071549Z
entryCSN: 20180212071617.147179Z#000000#001#000000
modifiersName: cn=LdapAdmin,dc=zdh,dc=com
modifyTimestamp: 20180212071617Z
{code}

But my environment is Red Hat, where the memberUid format is the username or cn, 
just like 'wkh' in the group, so when the username is "WKH", LDAP cannot use 
"WKH" to match the LDAP group.

{code:java}
dn: cn=wkhGroup,ou=Group,ou=defaultCluster,dc=zdh,dc=com
objectClass: posixGroup
objectClass: top
cn: wkhGroup
gidNumber: 10000
structuralObjectClass: posixGroup
entryUUID: f99c7e72-9466-1037-8810-e1d7152e775c
creatorsName: cn=LdapAdmin,dc=zdh,dc=com
createTimestamp: 20180123085558Z
memberUid: wkh
memberUid: wkh1
memberUid: wkh2
memberUid: Wkh5
entryCSN: 20180124082044.774518Z#000000#001#000000
modifiersName: cn=LdapAdmin,dc=zdh,dc=com
modifyTimestamp: 20180124082044Z
{code}

Then I will answer your two questions. 
1. The signature of getAdditionalRoles() seems not the way you use it.
Because Red Hat Linux cannot support case-insensitive LDAP usernames, 
that is to say 'getGroupMembershipRoles(userDn, username)' will return an empty 
Set, I analyzed the Spring source code: after 
'getGroupMembershipRoles(userDn, username)', it will call 
'getAdditionalRoles(user, username)' to get the roles again, so there I can get 
the real username from the DirContextOperations object.

2. In your patch you directly get the username and do not use the name that 
getAdditionalRoles(DirContextOperations user, String username) passed in.
Because the username passed in is not the real one but 'WKH', I found a way 
to fetch the real one from the DirContextOperations object by 'username = 
user.getStringAttribute("cn");'.
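
As an added example (not Kylin's code and not the patch attached to this issue), the approach described in the comment can be expressed as a DefaultLdapAuthoritiesPopulator subclass: Spring calls getAdditionalRoles after getGroupMembershipRoles, so when the first lookup with the typed-in username found no groups, the override re-reads the canonical cn from the user's entry and repeats the memberUid lookup with that value. The class name is hypothetical; the memberUid filter assumes the Red Hat style posixGroup entries shown above.

```java
import java.util.HashSet;
import java.util.Set;

import org.springframework.ldap.core.ContextSource;
import org.springframework.ldap.core.DirContextOperations;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator;

// Hypothetical subclass illustrating the re-lookup described in the comment.
public class CanonicalNameAuthoritiesPopulator extends DefaultLdapAuthoritiesPopulator {

    public CanonicalNameAuthoritiesPopulator(ContextSource contextSource, String groupSearchBase) {
        super(contextSource, groupSearchBase);
        // The posixGroup entries in the comment carry "memberUid: wkh", so match on memberUid;
        // in Spring's filter, {0} is the user DN and {1} the username passed to the lookup.
        setGroupSearchFilter("(memberUid={1})");
    }

    // Spring calls this right after getGroupMembershipRoles(userDn, username). If the
    // typed-in spelling ("WKH") matched nothing, read the entry's own cn ("wkh") and retry.
    @Override
    protected Set<GrantedAuthority> getAdditionalRoles(DirContextOperations user, String username) {
        Set<GrantedAuthority> extra = new HashSet<>();
        String canonical = user.getStringAttribute("cn");
        if (canonical == null || canonical.equals(username)) {
            // The first lookup already used the canonical spelling: nothing more to add.
            return extra;
        }
        String userDn = user.getNameInNamespace();
        Set<GrantedAuthority> first = getGroupMembershipRoles(userDn, username);
        if (first.isEmpty()) {
            // Retry with the value stored in the directory, which is what memberUid holds.
            extra.addAll(getGroupMembershipRoles(userDn, canonical));
        }
        return extra;
    }
}
```

The retry only runs when the case-folded name matched no group, so users whose typed-in spelling already matches the directory keep the single lookup.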

> When ldap is opened, I use an ignored case user to login, the page does not 
> respond.
> ------------------------------------------------------------------------------------
>
>                 Key: KYLIN-3197
>                 URL: https://issues.apache.org/jira/browse/KYLIN-3197
>             Project: Kylin
>          Issue Type: Bug
>          Components: Security
>    Affects Versions: v2.3.0
>            Reporter: Peng Xing
>            Assignee: Peng Xing
>            Priority: Major
>              Labels: patch
>             Fix For: Future
>
>         Attachments: 
> 0001-KYLIN-3197-When-ldap-is-opened-I-use-an-ignored-case.patch, 
> image-2018-01-25-17-22-39-970.png, image-2018-02-06-14-09-32-591.png, 
> image-2018-02-08-15-32-25-030.png, image-2018-02-08-15-33-07-277.png, 
> image-2018-02-08-15-33-54-480.png, image-2018-02-08-15-35-03-902.png, 
> image-2018-02-12-12-15-00-574.png, image-2018-02-12-12-15-28-826.png, 
> image-2018-02-12-12-15-39-132.png, image-2018-02-12-12-25-15-793.png
>
>
> When ldap is opened, I config the kylin.properties, and give wkhGroup the 
> admin permission.
> {code:java}
> ## Admin roles in LDAP, for ldap and saml
> kylin.security.acl.admin-role=wkhGroup
> {code}
> then I create a new user named 'wkh' whose group is 'wkhGroup', then I use 
> '{color:#ff0000}wkh{color}' to log in, which is normal.
>  But when I use '{color:#ff0000}WKH{color}' to log in, the page does not 
> respond.
>  I analyzed the background code and found that the function 
> 'org.apache.kylin.rest.security.LDAPAuthoritiesPopulator.getGroupMembershipRoles(String,
>  String)' has a problem.
>  When userDn is 
> "uid={color:#ff0000}wkh{color},ou=People,ou=defaultCluster,dc=zdh,dc=com" and 
> username is "{color:#ff0000}WKH{color}", then authorities will be an empty Set 
> by the following code:
> {code:java}
> Set<GrantedAuthority> authorities = super.getGroupMembershipRoles(userDn, 
> username);
> {code}
> So I have added a 'getAdditionalRoles' function to get the authorities again.
>  I have tested the patch, please review, thanks!



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)