[jira] [Comment Edited] (KYLIN-5298) Kylin Ldap not enforcing role Authorities

[mukvin (Jira)]

    [ 
https://issues.apache.org/jira/browse/KYLIN-5298?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17638032#comment-17638032
 ] 

mukvin edited comment on KYLIN-5298 at 11/24/22 2:55 AM:
---------------------------------------------------------

Hi [~Rohannimmagadda] ,

I have checked your configuration, it looks like well.

1.  I check the URL about 
[https://kylin.apache.org/docs/howto/howto_ldap_and_sso.html.|https://kylin.apache.org/docs/howto/howto_ldap_and_sso.html]
 I have a question about whether the LDAP server is secured. 

2.  Is the "kylin.security.ldap.connection-truststore=/cacerts" correct? Try to 
use full path.

 


was (Author: mukvin):
Hi [~Rohannimmagadda] ,

I have checked your configuration, it looks like well.

1.  I check the URL about 
[https://kylin.apache.org/docs/howto/howto_ldap_and_sso.html.|https://kylin.apache.org/docs/howto/howto_ldap_and_sso.html]
 I have a question about whether the LDAP server is secured. 

2.  Is the "kylin.security.ldap.connection-truststore=/cacerts" correct?

 

> Kylin Ldap not enforcing role Authorities
> -----------------------------------------
>
>                 Key: KYLIN-5298
>                 URL: https://issues.apache.org/jira/browse/KYLIN-5298
>             Project: Kylin
>          Issue Type: Bug
>          Components: Others, Security
>    Affects Versions: v4.0.2
>            Reporter: Rohan Nimmagadda
>            Priority: Blocker
>
> After enabling Ldap with following changes , Kylin is not enforcing 
> pre-defined roles to login to UI with Ldap accounts tested on V4.0.3 and 
> V4.0.2 getting same behavior 
> Here are the properties in kylin.properties 
> {code:java}
> kylin.security.profile=ldap
> kylin.security.acl.admin-role=admin_group
> kylin.security.ldap.connection-server=ldaps://ldap-server.com:port
> kylin.security.ldap.connection-username=CN=Ldap_user,OU=ServiceAccounts,DC=corp,DC=my_company,DC=com
> kylin.security.ldap.connection-password=Encrypted_password
> kylin.security.ldap.connection-truststore=/cacerts
> # LDAP user account directory;
> kylin.security.ldap.user-search-base=OU=People,DC=corp,DC=my_company,DC=com
> kylin.security.ldap.user-search-pattern=sAMAccountName={0}
> kylin.security.ldap.user-group-search-base=OU=Groupings,DC=corp,DC=my_company,DC=com
> kylin.security.ldap.user-group-search-filter=(|(sAMAccountName={0})(sAMAccountNameUid={1}))
> # LDAP service account directory
> kylin.security.ldap.service-search-base=OU=People,DC=corp,DC=my_company,DC=com
> kylin.security.ldap.service-search-pattern=sAMAccountName={0}
> kylin.security.ldap.service-group-search-base=OU=Groupings,DC=corp,DC=my_company,DC=com
>  {code}
>  
> With above settings when tried to login the UI we are getting below exception 
> with no Authorities 
>  
> {code:java}
> 2022-11-18 11:20:26,119 DEBUG [http-nio-7070-exec-1] 
> security.KylinAuthenticationProvider:126 : Authenticated user 
> UsernamePasswordAuthenticationToken 
> [Principal=org.springframework.security.ldap.userdetails.LdapUserDetailsImpl@47a6c9ab:
>  Dn: cn=USER,ou=Employees,ou=People,dc=corp,dc=my_company,dc=com; Username: 
> USER; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; 
> CredentialsNonExpired: true; AccountNonLocked: true; Not granted any 
> authorities, Credentials=[PROTECTED], Authenticated=true, 
> Details=WebAuthenticationDetails [RemoteIpAddress=10.XX.XX.XXX, 
> SessionId=null], Granted Authorities=[]] {code}
> As per documentation _the kylin.security.acl.default-role is deprecated. It 
> not enforcing any Kylin Authorities_ 



--
This message was sent by Atlassian Jira
(v8.20.10#820010)