[
https://issues.apache.org/jira/browse/KYLIN-5298?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17638146#comment-17638146
]
Rohan Nimmagadda commented on KYLIN-5298:
-----------------------------------------
Hi [~mukvin]
our ldap is secured and we were able to enforce “only” ROLE_ADMIN authority to
one of our ldap group, with that we were able to successfully login the UI
using ldap auth. But with this role everyone got access on everything (like we
can see other users project details ) we think that one authority ROLE
(ROLE_ADMIN) is not sufficient in some cases.
Is there any way we can configure admin vs non admin groups with non-admin
groups where they can only see their projects details owned by themself when
logging with their personal ID’s ?
> Kylin Ldap not enforcing role Authorities
> -----------------------------------------
>
> Key: KYLIN-5298
> URL: https://issues.apache.org/jira/browse/KYLIN-5298
> Project: Kylin
> Issue Type: Bug
> Components: Others, Security
> Affects Versions: v4.0.2
> Reporter: Rohan Nimmagadda
> Priority: Blocker
>
> After enabling Ldap with following changes , Kylin is not enforcing
> pre-defined roles to login to UI with Ldap accounts tested on V4.0.3 and
> V4.0.2 getting same behavior
> Here are the properties in kylin.properties
> {code:java}
> kylin.security.profile=ldap
> kylin.security.acl.admin-role=admin_group
> kylin.security.ldap.connection-server=ldaps://ldap-server.com:port
> kylin.security.ldap.connection-username=CN=Ldap_user,OU=ServiceAccounts,DC=corp,DC=my_company,DC=com
> kylin.security.ldap.connection-password=Encrypted_password
> kylin.security.ldap.connection-truststore=/cacerts
> # LDAP user account directory;
> kylin.security.ldap.user-search-base=OU=People,DC=corp,DC=my_company,DC=com
> kylin.security.ldap.user-search-pattern=sAMAccountName={0}
> kylin.security.ldap.user-group-search-base=OU=Groupings,DC=corp,DC=my_company,DC=com
> kylin.security.ldap.user-group-search-filter=(|(sAMAccountName={0})(sAMAccountNameUid={1}))
> # LDAP service account directory
> kylin.security.ldap.service-search-base=OU=People,DC=corp,DC=my_company,DC=com
> kylin.security.ldap.service-search-pattern=sAMAccountName={0}
> kylin.security.ldap.service-group-search-base=OU=Groupings,DC=corp,DC=my_company,DC=com
> {code}
>
> With above settings when tried to login the UI we are getting below exception
> with no Authorities
>
> {code:java}
> 2022-11-18 11:20:26,119 DEBUG [http-nio-7070-exec-1]
> security.KylinAuthenticationProvider:126 : Authenticated user
> UsernamePasswordAuthenticationToken
> [Principal=org.springframework.security.ldap.userdetails.LdapUserDetailsImpl@47a6c9ab:
> Dn: cn=USER,ou=Employees,ou=People,dc=corp,dc=my_company,dc=com; Username:
> USER; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true;
> CredentialsNonExpired: true; AccountNonLocked: true; Not granted any
> authorities, Credentials=[PROTECTED], Authenticated=true,
> Details=WebAuthenticationDetails [RemoteIpAddress=10.XX.XX.XXX,
> SessionId=null], Granted Authorities=[]] {code}
> As per documentation _the kylin.security.acl.default-role is deprecated. It
> not enforcing any Kylin Authorities_
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
