pan3793 commented on code in PR #4152:
URL: https://github.com/apache/kyuubi/pull/4152#discussion_r1159404539


##########
kyuubi-common/src/main/scala/org/apache/kyuubi/service/authentication/LdapAuthenticationProviderImpl.scala:
##########
@@ -41,47 +49,72 @@ class LdapAuthenticationProviderImpl(conf: KyuubiConf) 
extends PasswdAuthenticat
    * @throws AuthenticationException When a user is found to be invalid by the 
implementation
    */
   override def authenticate(user: String, password: String): Unit = {
+
+    val (usedBind, bindUser, bindPassword) = (
+      conf.get(KyuubiConf.AUTHENTICATION_LDAP_BIND_USER),
+      conf.get(KyuubiConf.AUTHENTICATION_LDAP_BIND_PASSWORD)) match {
+      case (Some(_bindUser), Some(_bindPw)) => (true, _bindUser, _bindPw)
+      case _ =>
+        // If no bind user or bind password was specified,
+        // we assume the user we are authenticating has the ability to search
+        // the LDAP tree, so we use it as the "binding" account.
+        // This is the way it worked before bind users were allowed in the 
LDAP authenticator,
+        // so we keep existing systems working.
+        (false, user, password)
+    }
+
+    var search: DirSearch = null
+    try {
+      search = createDirSearch(bindUser, bindPassword)
+      applyFilter(search, user)
+      if (usedBind) {
+        // If we used the bind user, then we need to authenticate again,
+        // this time using the full user name we got during the bind process.
+        createDirSearch(search.findUserDn(user), password)
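
Review bot: On the `usedBind` branch, `search.findUserDn(user)` is passed straight into `createDirSearch(...)` with no null or empty check, and the DirSearch returned by that second call is discarded, so nothing in the visible lines can close it. Suggest resolving the DN into a local value first, throwing AuthenticationException when no DN is found, and keeping a reference to the second search so it is closed alongside `search`. It is also worth confirming that an empty `password` is rejected before this point, because a simple bind with a DN and a zero-length password is an unauthenticated bind under RFC 4513 and some servers accept it.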

Review Comment:
   That makes sense to me. The current logic should be the same as Apache Hive's; would you please check whether Hive has the same issue? Anyway, go ahead and improve it.


