[
https://issues.apache.org/jira/browse/KYLIN-3197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16361734#comment-16361734
]
jiatao.tao edited comment on KYLIN-3197 at 2/13/18 2:44 AM:
------------------------------------------------------------
Hi [~xingpeng1]
About Redhat we may need further discussion, can you also put your user's ldif?
Besides, I know you use getAdditionalRoles to solve this problem, for sure, but
what I say is that should we use this method like this way? Can you find some
examples like document or other projects use this way? Not asking for how it
works. We all understand how it works.
{code:java}
The signature of getAdditionalRoles() seems not the way you use.
Because the Redhat linux can not support the case insensitive ldap username,
that is to say 'getGroupMembershipRoles(userDn, username)' will return empty
Set, so I analyze the spring source code, after
'getGroupMembershipRoles(userDn, username)', there will call
'getAdditionalRoles(user, username)' to get the roles again, then I can get the
real username from the DirContextOperations object.
{code}
Also, I think it may be a requirements or issue that need discussion, but not
directly get "cn" from DirContextOperations.
{code:java}
the username passed in is not real one, but the 'WKH', so I find a way to fetch
the real one from DirContextOperations object by 'username =
user.getStringAttribute("cn");'
{code}
Looking forward your opinion.
was (Author: aron.tao):
Hi [~xingpeng1]
We will consider about Redhat, can you also put your user's ldif?
Besides, I know you use getAdditionalRoles to solve this problem, for sure, but
what I say is that should we use this method like this way? Can you find some
examples like document or other projects use this way? Not asking for how it
works. We all understand how it works.
{code:java}
The signature of getAdditionalRoles() seems not the way you use.
Because the Redhat linux can not support the case insensitive ldap username,
that is to say 'getGroupMembershipRoles(userDn, username)' will return empty
Set, so I analyze the spring source code, after
'getGroupMembershipRoles(userDn, username)', there will call
'getAdditionalRoles(user, username)' to get the roles again, then I can get the
real username from the DirContextOperations object.
{code}
Also, I think it may be a requirements or issue that need discussion, but not
directly get "cn" from DirContextOperations.
{code:java}
the username passed in is not real one, but the 'WKH', so I find a way to fetch
the real one from DirContextOperations object by 'username =
user.getStringAttribute("cn");'
{code}
Looking forward your opinion.
> When ldap is opened, I use an ignored case user to login, the page does not
> respond.
> ------------------------------------------------------------------------------------
>
> Key: KYLIN-3197
> URL: https://issues.apache.org/jira/browse/KYLIN-3197
> Project: Kylin
> Issue Type: Bug
> Components: Security
> Affects Versions: v2.3.0
> Reporter: Peng Xing
> Assignee: Peng Xing
> Priority: Major
> Labels: patch
> Fix For: Future
>
> Attachments:
> 0001-KYLIN-3197-When-ldap-is-opened-I-use-an-ignored-case.patch,
> image-2018-01-25-17-22-39-970.png, image-2018-02-06-14-09-32-591.png,
> image-2018-02-08-15-32-25-030.png, image-2018-02-08-15-33-07-277.png,
> image-2018-02-08-15-33-54-480.png, image-2018-02-08-15-35-03-902.png,
> image-2018-02-12-12-15-00-574.png, image-2018-02-12-12-15-28-826.png,
> image-2018-02-12-12-15-39-132.png, image-2018-02-12-12-25-15-793.png
>
>
> When ldap is opened, I config the kylin.properties, and give wkhGroup the
> admin permission.
> {code:java}
> ## Admin roles in LDAP, for ldap and saml
> kylin.security.acl.admin-role=wkhGroup
> {code}
> then I create a new user named 'wkh' whose group is 'wkhGroup', then I use
> '{color:#ff0000}wkh{color}' to login in, which is normal.
> But when I use '{color:#ff0000}WKH{color}' to login in, the page does not
> respond.
> I analyze the backgroud code, and find the function of
> 'org.apache.kylin.rest.security.LDAPAuthoritiesPopulator.getGroupMembershipRoles(String,
> String)' has problem.
> When userDn is
> "uid={color:#ff0000}wkh{color},ou=People,ou=defaultCluster,dc=zdh,dc=com" and
> username is "{color:#ff0000}WKH{color}", then authorities will be empty Set
> by the follow code:
> {code:java}
> Set<GrantedAuthority> authorities = super.getGroupMembershipRoles(userDn,
> username);
> {code}
> So I have added 'getAdditionalRoles' function to get the authorities again.
> I have test the patch, please review, thanks!
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
