xiacongling opened a new pull request #931: KYLIN-4240 use kylin SSO without LDAP
URL: https://github.com/apache/kylin/pull/931

KYLIN-4240 use kylin SSO without LDAP. See: https://issues.apache.org/jira/browse/KYLIN-4240

## add additional profile

First we change `kylin.sh` to support multiple profiles (`spring.profiles.active` can accept a list of profiles):

```
additional_security_profiles=`bash ${dir}/get-properties.sh kylin.security.additional-profiles`
if [[ "x${additional_security_profiles}" != "x" ]]; then
    spring_profile="${spring_profile},${additional_security_profiles}"
fi
```

We use the `custom` security profile and an additional `authn-cas` profile to enable it.

```
kylin.security.profile=custom
kylin.security.additional-profiles=authn-cas
```

## beans and security settings for CAS

Then we add the CAS security context to the classpath; here we put it in `server/resources/kylin-security-cas-plugin.xml` as a plugin. Define the following beans under the `authn-cas` profile:

```
<beans profile="authn-cas">
    ...
    <spring-security:http pattern="/cas/**">
        ...
    </spring-security:http>
</beans>
```

In the security http settings, the CAS filter is only applied on `/cas/**`. See the code for details.

## UI update

In the front-end, a button is added to redirect to the CAS server. Users can now log in with either username/password or SSO, and their groups can be managed in the `System` tab.

## Other improvements

- automatically add an admin user if there is none (controlled by `kylin.security.create-admin-when-absent`)
- change to `kylinSecurityProfile()` instead of `spring.profiles.active` to avoid mismatch
- fix ehcache settings for `custom` profile
- SAML without LDAP plugin (see `server/resources/kylin-security-saml-noldap-plugin.xml`)

## Appendix: properties for CAS

```
## Security settings, enable CAS
kylin.security.profile=custom
kylin.security.additional-profiles=authn-cas

## CAS properties
# kylin server url should be set for CAS callback, values should be set properly
kylin.server.url=http://localhost:7070/kylin
# change the cas server
kylin.security.cas.server.prefix=https://cas.example.com/
kylin.security.cas.server.login-url=https://cas.example.com/login
kylin.security.cas.server.logout-url=https://cas.example.com/logout
# optional properties, default values are listed below
#kylin.security.cas.default-groups=ALL_USERS
#kylin.security.cas.service-param=service
#kylin.security.cas.artifact-param=ticket
```

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
[email protected]

With regards,
Apache Git Services
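
A consistency check for the properties listed in the appendix, added here as an example and not part of the pull request or the Kylin code base. It assumes `authn-cas` is always paired with the `custom` profile as in the description; the https check on the CAS server URLs is an added hardening check, not something the PR enforces, and the function names and sample text are constructed for illustration.

```python
from urllib.parse import urlparse

# Constructed sample mirroring the appendix; not a file from the Kylin repository.
SAMPLE = """\
## Security settings, enable CAS
kylin.security.profile=custom
kylin.security.additional-profiles=authn-cas
kylin.server.url=http://localhost:7070/kylin
kylin.security.cas.server.prefix=https://cas.example.com/
kylin.security.cas.server.login-url=https://cas.example.com/login
kylin.security.cas.server.logout-url=https://cas.example.com/logout
#kylin.security.cas.default-groups=ALL_USERS
"""

CAS_URL_KEYS = tuple("kylin.security.cas.server." + s
                     for s in ("prefix", "login-url", "logout-url"))

def parse_properties(text):
    """Parse simple key=value lines; lines starting with '#' are comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def check_cas_config(text):
    """Return a list of findings; an empty list means the CAS settings are consistent."""
    props = parse_properties(text)
    extra = props.get("kylin.security.additional-profiles", "")
    if "authn-cas" not in [p.strip() for p in extra.split(",")]:
        return []  # CAS profile not enabled, nothing to check
    findings = []
    # Assumption: authn-cas is only used together with the custom profile.
    if props.get("kylin.security.profile") != "custom":
        findings.append("authn-cas is enabled but kylin.security.profile is not 'custom'")
    if not props.get("kylin.server.url"):
        findings.append("kylin.server.url is not set; the CAS callback needs it")
    for key in CAS_URL_KEYS:
        url = urlparse(props.get(key, ""))
        if not url.netloc:
            findings.append(f"{key} is missing or not an absolute URL")
        elif url.scheme != "https":  # added hardening check
            findings.append(f"{key} does not use https")
    return findings

if __name__ == "__main__":
    for finding in check_cas_config(SAMPLE) or ["CAS settings are consistent"]:
        print(finding)
```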
