turboFei commented on code in PR #3213:
URL: https://github.com/apache/incubator-kyuubi/pull/3213#discussion_r946336456


##########
kyuubi-common/src/main/scala/org/apache/kyuubi/config/KyuubiConf.scala:
##########
@@ -645,6 +645,23 @@ object KyuubiConf {
       .stringConf
       .createWithDefault("uid")
 
+  val AUTHENTICATION_LDAP_PASSWORD: OptionalConfigEntry[String] =
+    buildConf("kyuubi.authentication.ldap.bindnpw")
+      .doc("The password of the LDAP bind user " +
+        "is used to search for the full name of the authenticated user.")
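
Review bot: The `.doc` text on `AUTHENTICATION_LDAP_PASSWORD` does not say when the value is required or what happens when it is left unset, even though the entry is an `OptionalConfigEntry[String]`. State whether it must be set whenever a bind user is configured, and describe the unset behaviour. Since the entry holds a credential, the doc should also say that the value is to be kept out of logged or displayed configuration.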

Review Comment:
   Let us refer to the description of Hive:
   ```
   The password for the bind user, to be used to search for the full name of the user being authenticated.
   ```



##########
kyuubi-common/src/main/scala/org/apache/kyuubi/service/authentication/LdapAuthenticationProviderImpl.scala:
##########
@@ -58,28 +59,65 @@ class LdapAuthenticationProviderImpl(conf: KyuubiConf) 
extends PasswdAuthenticat
     conf.get(AUTHENTICATION_LDAP_URL).foreach(env.put(Context.PROVIDER_URL, _))
 
     val domain = conf.get(AUTHENTICATION_LDAP_DOMAIN)
-    val u =
-      if (!hasDomain(user) && domain.nonEmpty) {
-        user + "@" + domain.get
-      } else {
-        user
-      }
-
+    val mail = getMail(user, domain.get)
     val guidKey = conf.get(AUTHENTICATION_LDAP_GUIDKEY)
-    val bindDn = conf.get(AUTHENTICATION_LDAP_BASEDN) match {
-      case Some(dn) => guidKey + "=" + u + "," + dn
-      case _ => u
-    }
-
-    env.put(Context.SECURITY_PRINCIPAL, bindDn)
-    env.put(Context.SECURITY_CREDENTIALS, password)
+    val baseDn = conf.get(AUTHENTICATION_LDAP_BASEDN).get
+    val bindnPw = conf.get(AUTHENTICATION_LDAP_PASSWORD).get
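
Review bot: The added lines call `.get` on optional values (`domain.get`, `conf.get(AUTHENTICATION_LDAP_BASEDN).get`, `conf.get(AUTHENTICATION_LDAP_PASSWORD).get`), so a deployment that leaves any of the three unset now fails with an exception, where the removed code handled the missing case with `domain.nonEmpty` and the `case _ => u` branch. Either keep a fallback for the unset case or fail with an explicit error that names the missing configuration key, so that an incomplete LDAP setup produces a clear authentication failure rather than an unhandled `NoSuchElementException`.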

Review Comment:
   bindnPw => bindPw



##########
kyuubi-common/src/main/scala/org/apache/kyuubi/config/KyuubiConf.scala:
##########
@@ -645,6 +645,23 @@ object KyuubiConf {
       .stringConf
       .createWithDefault("uid")
 
+  val AUTHENTICATION_LDAP_PASSWORD: OptionalConfigEntry[String] =
+    buildConf("kyuubi.authentication.ldap.bindnpw")

Review Comment:
   bindnpw => bindpw



##########
kyuubi-common/src/main/scala/org/apache/kyuubi/service/authentication/LdapAuthenticationProviderImpl.scala:
##########
@@ -58,28 +59,65 @@ class LdapAuthenticationProviderImpl(conf: KyuubiConf) 
extends PasswdAuthenticat
     conf.get(AUTHENTICATION_LDAP_URL).foreach(env.put(Context.PROVIDER_URL, _))
 
     val domain = conf.get(AUTHENTICATION_LDAP_DOMAIN)
-    val u =
-      if (!hasDomain(user) && domain.nonEmpty) {
-        user + "@" + domain.get
-      } else {
-        user
-      }
-
+    val mail = getMail(user, domain.get)
     val guidKey = conf.get(AUTHENTICATION_LDAP_GUIDKEY)
-    val bindDn = conf.get(AUTHENTICATION_LDAP_BASEDN) match {
-      case Some(dn) => guidKey + "=" + u + "," + dn
-      case _ => u
-    }
-
-    env.put(Context.SECURITY_PRINCIPAL, bindDn)
-    env.put(Context.SECURITY_CREDENTIALS, password)
+    val baseDn = conf.get(AUTHENTICATION_LDAP_BASEDN).get
+    val bindnPw = conf.get(AUTHENTICATION_LDAP_PASSWORD).get
+    val attrs = conf.get(AUTHENTICATION_LDAP_ATTRIBUTES).toArray
 
+    env.put(Context.SECURITY_PRINCIPAL, guidKey)
+    env.put(Context.SECURITY_CREDENTIALS, bindnPw)
+    import javax.naming.NamingEnumeration
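
Review bot: `env.put(Context.SECURITY_PRINCIPAL, guidKey)` binds with the value of `AUTHENTICATION_LDAP_GUIDKEY`, which the removed line `case Some(dn) => guidKey + "=" + u + "," + dn` used as an attribute name, not as the DN of a bind user. The bind password in `bindnPw` needs a matching bind-user DN as the principal. In the lines shown, the caller's `password` is also no longer placed in the environment, so confirm that the rest of the method binds again as the located entry with that password; otherwise the user's own password is never checked.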

Review Comment:
   add to L21? 



##########
kyuubi-common/src/main/scala/org/apache/kyuubi/config/KyuubiConf.scala:
##########
@@ -645,6 +645,23 @@ object KyuubiConf {
       .stringConf
       .createWithDefault("uid")
 
+  val AUTHENTICATION_LDAP_PASSWORD: OptionalConfigEntry[String] =
+    buildConf("kyuubi.authentication.ldap.bindnpw")

Review Comment:
   FYI:
   ```
       HIVE_SERVER2_PLAIN_LDAP_BIND_USER("hive.server2.authentication.ldap.binddn", null,
           "The user with which to bind to the LDAP server, and search for the full domain name " +
           "of the user being authenticated.\n" +
           "This should be the full domain name of the user, and should have search access across all " +
           "users in the LDAP tree.\n" +
           "If not specified, then the user being authenticated will be used as the bind user.\n" +
           "For example: CN=bindUser,CN=Users,DC=subdomain,DC=domain,DC=com"),
       HIVE_SERVER2_PLAIN_LDAP_BIND_PASSWORD("hive.server2.authentication.ldap.bindpw", null,
           "The password for the bind user, to be used to search for the full name of the user being authenticated.\n" +
           "If the username is specified, this parameter must also be specified."),
   ```



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
