[ 
https://issues.apache.org/jira/browse/KYLIN-5298?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17640963#comment-17640963
 ] 

Rohan Nimmagadda commented on KYLIN-5298:
-----------------------------------------

[~mukvin] Just one last concern we would like to bring to your attention:

If we log in to the Kylin UI with upper case (ABCD/password), the login 
succeeds and we are able to perform all operations. If the same user logs in 
with lower case (abcd/password), we get the error in the screenshot attached 
below, and vice versa.

We believe that whatever case the user logged in with the very first time, it 
expects the same case again. Are there any configs we can apply to accept both 
UPPER and lower case?

!image-2022-11-29-16-15-23-628.png!

> Kylin Ldap not enforcing role Authorities
> -----------------------------------------
>
>                 Key: KYLIN-5298
>                 URL: https://issues.apache.org/jira/browse/KYLIN-5298
>             Project: Kylin
>          Issue Type: Bug
>          Components: Others, Security
>    Affects Versions: v4.0.2
>            Reporter: Rohan Nimmagadda
>            Priority: Blocker
>         Attachments: image-2022-11-24-02-19-38-977.png, 
> image-2022-11-24-03-25-42-593.png, image-2022-11-24-15-57-43-134.png, 
> image-2022-11-24-15-58-47-523.png, image-2022-11-24-17-00-31-371.png, 
> image-2022-11-29-16-15-23-628.png
>
>
> After enabling LDAP with the following changes, Kylin is not enforcing 
> pre-defined roles when logging in to the UI with LDAP accounts. Tested on 
> V4.0.3 and V4.0.2, getting the same behavior.
> Here are the properties in kylin.properties:
> {code:java}
> kylin.security.profile=ldap
> kylin.security.acl.admin-role=admin_group
> kylin.security.ldap.connection-server=ldaps://ldap-server.com:port
> kylin.security.ldap.connection-username=CN=Ldap_user,OU=ServiceAccounts,DC=corp,DC=my_company,DC=com
> kylin.security.ldap.connection-password=Encrypted_password
> kylin.security.ldap.connection-truststore=/cacerts
> # LDAP user account directory;
> kylin.security.ldap.user-search-base=OU=People,DC=corp,DC=my_company,DC=com
> kylin.security.ldap.user-search-pattern=sAMAccountName={0}
> kylin.security.ldap.user-group-search-base=OU=Groupings,DC=corp,DC=my_company,DC=com
> kylin.security.ldap.user-group-search-filter=(|(sAMAccountName={0})(sAMAccountNameUid={1}))
> # LDAP service account directory
> kylin.security.ldap.service-search-base=OU=People,DC=corp,DC=my_company,DC=com
> kylin.security.ldap.service-search-pattern=sAMAccountName={0}
> kylin.security.ldap.service-group-search-base=OU=Groupings,DC=corp,DC=my_company,DC=com
>  {code}
>  
> With the above settings, when we try to log in to the UI we get the exception 
> below, with no Authorities:
>  
> {code:java}
> 2022-11-18 11:20:26,119 DEBUG [http-nio-7070-exec-1] 
> security.KylinAuthenticationProvider:126 : Authenticated user 
> UsernamePasswordAuthenticationToken 
> [Principal=org.springframework.security.ldap.userdetails.LdapUserDetailsImpl@47a6c9ab:
>  Dn: cn=USER,ou=Employees,ou=People,dc=corp,dc=my_company,dc=com; Username: 
> USER; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; 
> CredentialsNonExpired: true; AccountNonLocked: true; Not granted any 
> authorities, Credentials=[PROTECTED], Authenticated=true, 
> Details=WebAuthenticationDetails [RemoteIpAddress=10.XX.XX.XXX, 
> SessionId=null], Granted Authorities=[]] {code}
> As per the documentation, _the kylin.security.acl.default-role is deprecated. 
> It is not enforcing any Kylin Authorities_ 



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
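
A log check for the two symptoms reported in this thread (authenticated logins with empty authorities, and one account logging in under names that differ only by case), as an added example that is not part of the original message or of Kylin's code. The sample lines are constructed from the DEBUG line quoted in the issue and assume one event per log line; the user names, `ROLE_ADMIN`, and the non-empty `Granted Authorities=[...]` form are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the DEBUG line quoted in the issue and
# shortened ("Principal=..."). User names and ROLE_ADMIN are made up; the
# non-empty "Granted Authorities=[...]" form is an assumption.
TEMPLATE = (
    "2022-11-18 11:20:26,119 DEBUG [http-nio-7070-exec-1] "
    "security.KylinAuthenticationProvider:126 : Authenticated user "
    "UsernamePasswordAuthenticationToken [Principal=...; Username: {user}; "
    "Password: [PROTECTED]; Enabled: true, Credentials=[PROTECTED], "
    "Authenticated=true, Details=WebAuthenticationDetails "
    "[RemoteIpAddress=192.0.2.10, SessionId=null], "
    "Granted Authorities=[{auths}]]"
)
SAMPLE_LOG = "\n".join(
    TEMPLATE.format(user=u, auths=a)
    for u, a in [("ABCD", ""), ("abcd", ""), ("efgh", "ROLE_ADMIN")]
)

LINE_RE = re.compile(
    r"Authenticated user .*?Username: (?P<user>[^;]+);"
    r".*?Authenticated=(?P<ok>true|false)"
    r".*?Granted Authorities=\[(?P<auths>[^\]]*)\]"
)

def parse(log_text):
    """Return (username, authenticated, authorities) per matching line."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            auths = [a.strip() for a in m["auths"].split(",") if a.strip()]
            events.append((m["user"].strip(), m["ok"] == "true", auths))
    return events

def no_authority_logins(events):
    """Users that authenticated but were granted no authorities."""
    return sorted({u for u, ok, auths in events if ok and not auths})

def case_variants(events):
    """Accounts seen under more than one spelling that differs only by case."""
    seen = defaultdict(set)
    for user, ok, _ in events:
        if ok:
            seen[user.casefold()].add(user)
    return {k: sorted(v) for k, v in seen.items() if len(v) > 1}

if __name__ == "__main__":
    events = parse(SAMPLE_LOG)
    print(no_authority_logins(events), case_variants(events))
```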
