[
https://issues.apache.org/jira/browse/KYLIN-5298?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17638186#comment-17638186
]
mukvin edited comment on KYLIN-5298 at 11/24/22 8:31 AM:
---------------------------------------------------------
[~Rohannimmagadda],
So currently, if you set "kylin.security.acl.admin-role", then all admin
users can access Kylin and another role of "all users" cannot access Kylin?
But if you remove "kylin.security.acl.admin-role", then all users can
access Kylin, but they cannot do anything?
Kylin uses the role to separate the auth for admin and normal users.
Would you try to separate some users into the admin role and the all-users role? And
then try to test again.
> Kylin Ldap not enforcing role Authorities
> -----------------------------------------
>
> Key: KYLIN-5298
> URL: https://issues.apache.org/jira/browse/KYLIN-5298
> Project: Kylin
> Issue Type: Bug
> Components: Others, Security
> Affects Versions: v4.0.2
> Reporter: Rohan Nimmagadda
> Priority: Blocker
> Attachments: image-2022-11-24-02-19-38-977.png,
> image-2022-11-24-15-57-43-134.png, image-2022-11-24-15-58-47-523.png
>
>
> After enabling LDAP with the following changes, Kylin is not enforcing
> pre-defined roles to log in to the UI with LDAP accounts. Tested on V4.0.3 and
> V4.0.2, getting the same behavior.
> Here are the properties in kylin.properties
> {code:java}
> kylin.security.profile=ldap
> kylin.security.acl.admin-role=admin_group
> kylin.security.ldap.connection-server=ldaps://ldap-server.com:port
> kylin.security.ldap.connection-username=CN=Ldap_user,OU=ServiceAccounts,DC=corp,DC=my_company,DC=com
> kylin.security.ldap.connection-password=Encrypted_password
> kylin.security.ldap.connection-truststore=/cacerts
> # LDAP user account directory;
> kylin.security.ldap.user-search-base=OU=People,DC=corp,DC=my_company,DC=com
> kylin.security.ldap.user-search-pattern=sAMAccountName={0}
> kylin.security.ldap.user-group-search-base=OU=Groupings,DC=corp,DC=my_company,DC=com
> kylin.security.ldap.user-group-search-filter=(|(sAMAccountName={0})(sAMAccountNameUid={1}))
> # LDAP service account directory
> kylin.security.ldap.service-search-base=OU=People,DC=corp,DC=my_company,DC=com
> kylin.security.ldap.service-search-pattern=sAMAccountName={0}
> kylin.security.ldap.service-group-search-base=OU=Groupings,DC=corp,DC=my_company,DC=com
> {code}
>
> With the above settings, when we tried to log in to the UI, we are getting the below exception
> with no Authorities
>
> {code:java}
> 2022-11-18 11:20:26,119 DEBUG [http-nio-7070-exec-1]
> security.KylinAuthenticationProvider:126 : Authenticated user
> UsernamePasswordAuthenticationToken
> [Principal=org.springframework.security.ldap.userdetails.LdapUserDetailsImpl@47a6c9ab:
> Dn: cn=USER,ou=Employees,ou=People,dc=corp,dc=my_company,dc=com; Username:
> USER; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true;
> CredentialsNonExpired: true; AccountNonLocked: true; Not granted any
> authorities, Credentials=[PROTECTED], Authenticated=true,
> Details=WebAuthenticationDetails [RemoteIpAddress=10.XX.XX.XXX,
> SessionId=null], Granted Authorities=[]]
> {code}
> As per documentation _the kylin.security.acl.default-role is deprecated. It is
> not enforcing any Kylin Authorities_
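The symptom in the quoted log is an LDAP bind that succeeds while the resulting token carries `Granted Authorities=[]`. The following is an added example, not code from the issue or from the Kylin project: a log scan that flags such logins. It assumes each log entry starts with a timestamp at the beginning of a line and uses the token string format shown in the quoted DEBUG entry; the second sample entry and its role name are constructed.

```python
import re

# Constructed sample: entry 1 follows the DEBUG line quoted in the issue (wrapped
# as quoted); entry 2 is an invented contrast case with a placeholder role name.
SAMPLE_LOG = """\
2022-11-18 11:20:26,119 DEBUG [http-nio-7070-exec-1]
security.KylinAuthenticationProvider:126 : Authenticated user
UsernamePasswordAuthenticationToken
[Principal=org.springframework.security.ldap.userdetails.LdapUserDetailsImpl@47a6c9ab:
Dn: cn=USER,ou=Employees,ou=People,dc=corp,dc=my_company,dc=com; Username:
USER; Password: [PROTECTED]; Enabled: true; Not granted any
authorities, Credentials=[PROTECTED], Authenticated=true,
Details=WebAuthenticationDetails [RemoteIpAddress=10.XX.XX.XXX,
SessionId=null], Granted Authorities=[]]
2022-11-18 11:21:02,004 DEBUG [http-nio-7070-exec-2]
security.KylinAuthenticationProvider:126 : Authenticated user
UsernamePasswordAuthenticationToken [Principal=x: Dn: cn=OTHER,ou=People,dc=corp;
Username: OTHER; Authenticated=true, Granted Authorities=[ROLE_EXAMPLE]]
"""

ENTRY_START = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3} ", re.M)
USERNAME = re.compile(r"Username:\s*([^;]+);")
DN = re.compile(r"Dn:\s*([^;]+);")
AUTHORITIES = re.compile(r"Granted Authorities=\[([^\]]*)\]")

def split_entries(text):
    """Rejoin wrapped lines so that each timestamped entry is one string."""
    starts = [m.start() for m in ENTRY_START.finditer(text)]
    return [" ".join(text[a:b].split()) for a, b in zip(starts, starts[1:] + [len(text)])]

def parse_entry(entry):
    """Return login details for a successful-authentication entry, else None."""
    if "Authenticated user" not in entry or "Authenticated=true" not in entry:
        return None
    user, dn = USERNAME.search(entry), DN.search(entry)
    granted = AUTHORITIES.findall(entry)
    # The token-level list is the last "Granted Authorities=[...]" in the entry.
    roles = [r.strip() for r in granted[-1].split(",") if r.strip()] if granted else []
    return {"timestamp": entry[:23], "username": user.group(1).strip() if user else None,
            "dn": dn.group(1).strip() if dn else None, "authorities": roles}

def logins_without_authorities(log_text):
    """Successful logins whose token carries no granted authorities."""
    parsed = (parse_entry(e) for e in split_entries(log_text))
    return [p for p in parsed if p and not p["authorities"]]

if __name__ == "__main__":
    for hit in logins_without_authorities(SAMPLE_LOG):
        print(f'{hit["timestamp"]} {hit["username"]} ({hit["dn"]}): no authorities')
```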