[
https://issues.apache.org/jira/browse/KYLIN-5298?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17636909#comment-17636909
]
Rohan Nimmagadda commented on KYLIN-5298:
-----------------------------------------
After slightly updating some of below configs , i'm login to UI but still user
is not able to enforce any authorities from kylin pre-defined roles
(ROLE_ADMIN,ROLE_MODELER,ROLE_ANALYST)
{code:java}
Caused by: org.springframework.security.access.AccessDeniedException: Access is
denied
at
org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:73)
at
org.springframework.security.access.intercept.AbstractSecurityInterceptor.attemptAuthorization(AbstractSecurityInterceptor.java:238)
at
org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:208)
at
org.springframework.security.access.intercept.aopalliance.MethodSecurityInterceptor.invoke(MethodSecurityInterceptor.java:58)
at
org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:186)
at
org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.proceed(CglibAopProxy.java:763)
at
org.springframework.aop.framework.CglibAopProxy$DynamicAdvisedInterceptor.intercept(CglibAopProxy.java:708)
at
org.apache.kylin.rest.util.AclUtil$$EnhancerBySpringCGLIB$$6577fb86.hasProjectOperationPermission(<generated>)
at
org.apache.kylin.rest.util.AclEvaluate.checkProjectOperationPermission(AclEvaluate.java:77)
at
org.apache.kylin.rest.util.AclEvaluate.checkProjectOperationPermission(AclEvaluate.java:98)
at
org.apache.kylin.rest.service.JobService.searchJobsByCubeNameV2(JobService.java:1026)
at
org.apache.kylin.rest.service.JobService.searchJobsOverview(JobService.java:991)
at
org.apache.kylin.rest.controller.JobController.jobOverview(JobController.java:145)
{code}
Properties
{code:java}
kylin.security.profile=ldap
kylin.security.acl.admin-role=admin_group
kylin.security.ldap.connection-server=ldaps://ldap-server.com:port
kylin.security.ldap.connection-username=CN=Ldap_user,OU=ServiceAccounts,DC=corp,DC=my_company,DC=com
kylin.security.ldap.connection-password=Encrypted_password
kylin.security.ldap.connection-truststore=/cacerts
# LDAP user account directory;
kylin.security.ldap.user-search-base=OU=People,DC=corp,DC=my_company,DC=com
kylin.security.ldap.user-search-pattern=sAMAccountName={0}
kylin.security.ldap.user-group-search-base=OU=Groupings,DC=corp,DC=my_company,DC=com
kylin.security.ldap.user-group-search-filter=(|(memberOf=CN=admin_group,OU=UNIX-Enabled,OU=Groupings,DC=corp,DC=my_company,DC=com)(sAMAccountName=*))
# LDAP service account directory
kylin.security.ldap.service-search-base=OU=People,DC=corp,DC=my_company,DC=com
kylin.security.ldap.service-search-pattern=sAMAccountName={0}
kylin.security.ldap.service-group-search-base=OU=Groupings,DC=corp,DC=my_company,DC=com
{code}
> Kylin Ldap not enforcing role Authorities
> -----------------------------------------
>
> Key: KYLIN-5298
> URL: https://issues.apache.org/jira/browse/KYLIN-5298
> Project: Kylin
> Issue Type: Bug
> Components: Others, Security
> Affects Versions: v4.0.2
> Reporter: Rohan Nimmagadda
> Priority: Blocker
>
> After enabling Ldap with following changes , Kylin is not enforcing
> pre-defined roles to login to UI with Ldap accounts tested on V4.0.3 and
> V4.0.2 getting same behavior
> Here are the properties in kylin.properties
> {code:java}
> kylin.security.profile=ldap
> kylin.security.acl.admin-role=admin_group
> kylin.security.ldap.connection-server=ldaps://ldap-server.com:port
> kylin.security.ldap.connection-username=CN=Ldap_user,OU=ServiceAccounts,DC=corp,DC=my_company,DC=com
> kylin.security.ldap.connection-password=Encrypted_password
> kylin.security.ldap.connection-truststore=/cacerts
> # LDAP user account directory;
> kylin.security.ldap.user-search-base=OU=People,DC=corp,DC=my_company,DC=com
> kylin.security.ldap.user-search-pattern=sAMAccountName={0}
> kylin.security.ldap.user-group-search-base=OU=Groupings,DC=corp,DC=my_company,DC=com
> kylin.security.ldap.user-group-search-filter=(|(sAMAccountName={0})(sAMAccountNameUid={1}))
> # LDAP service account directory
> kylin.security.ldap.service-search-base=OU=People,DC=corp,DC=my_company,DC=com
> kylin.security.ldap.service-search-pattern=sAMAccountName={0}
> kylin.security.ldap.service-group-search-base=OU=Groupings,DC=corp,DC=my_company,DC=com
> {code}
>
> With above settings when tried to login the UI we are getting below exception
> with no Authorities
>
> {code:java}
> 2022-11-18 11:20:26,119 DEBUG [http-nio-7070-exec-1]
> security.KylinAuthenticationProvider:126 : Authenticated user
> UsernamePasswordAuthenticationToken
> [Principal=org.springframework.security.ldap.userdetails.LdapUserDetailsImpl@47a6c9ab:
> Dn: cn=USER,ou=Employees,ou=People,dc=corp,dc=my_company,dc=com; Username:
> USER; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true;
> CredentialsNonExpired: true; AccountNonLocked: true; Not granted any
> authorities, Credentials=[PROTECTED], Authenticated=true,
> Details=WebAuthenticationDetails [RemoteIpAddress=10.XX.XX.XXX,
> SessionId=null], Granted Authorities=[]] {code}
> As per documentation _the kylin.security.acl.default-role is deprecated. It
> not enforcing any Kylin Authorities_
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
