-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/45284/
-----------------------------------------------------------
Review request for Ambari, Andrii Tkach, Dmitro Lisnichenko, Myroslav
Papirkovskyy, Oliver Szabo, Robert Levas, and Yusaku Sako.
Bugs: AMBARI-15554
https://issues.apache.org/jira/browse/AMBARI-15554
Repository: ambari
Description
-------
Problem:
In case LDAP is set up with multiple domains which are joined into a forest with
trusts between the different domains, users may appear in different locations in
LDAP.
Since users who want to access Ambari can be in any domain, Ambari has to
search the whole forest, and as the users appearing in multiple domains are
identical, Ambari cannot filter out all but one of the user entries.
Solution:
1. If the LDAP search upon login to Ambari leads to multiple user matches
because the user appears in multiple domains, show an error message to the user
prompting them to provide the domain as well to log in (e.g. Login Failed: Please
append your domain to your username and try again. Example: username@domain).
2. When the user provides domain information at login as well, Ambari looks up the
user in LDAP using a different filter, which is configurable. If this
configuration is not set, Ambari defaults to filtering by userPrincipalName.
3. A map of login name (login alias) to Ambari user name is stored in the
session so that later, whenever needed, the login name can be resolved to the Ambari
user name (the user name stored in the Ambari database).
4. User-related REST API calls include the user name in the URL. There is a filter
set up for these to resolve the user name in the URL to the Ambari user name if needed.
Diffs
-----
ambari-server/pom.xml 1e44517
ambari-server/src/main/java/org/apache/ambari/server/api/UserNameOverrideFilter.java
PRE-CREATION
ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java
bf18325
ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariServer.java
076f850
ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariAuthentication.java
PRE-CREATION
ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariLdapAuthenticationProvider.java
20cf2fd
ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariLdapAuthoritiesPopulator.java
fc7f73a
ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariLdapBindAuthenticator.java
ed68c01
ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariLdapUtils.java
PRE-CREATION
ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AuthorizationHelper.java
b136182
ambari-server/src/main/java/org/apache/ambari/server/security/authorization/DuplicateLdapUserFoundAuthenticationException.java
PRE-CREATION
ambari-server/src/main/java/org/apache/ambari/server/security/authorization/LdapServerProperties.java
8eeaf35
ambari-server/src/main/resources/webapp/WEB-INF/spring-security.xml 3bbc785
ambari-server/src/test/java/org/apache/ambari/server/api/UserNameOverrideFilterTest.java
PRE-CREATION
ambari-server/src/test/java/org/apache/ambari/server/configuration/ConfigurationTest.java
3ecb5aa
ambari-server/src/test/java/org/apache/ambari/server/security/AmbariLdapUtilsTest.java
PRE-CREATION
ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AmbariAuthenticationTest.java
PRE-CREATION
ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AmbariLdapAuthenticationProviderForDuplicateUserTest.java
PRE-CREATION
ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AmbariLdapAuthenticationProviderTest.java
d48be85
ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AmbariLdapBindAuthenticatorTest.java
PRE-CREATION
ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AuthorizationHelperTest.java
62f719d
ambari-server/src/test/java/org/apache/ambari/server/security/authorization/LdapServerPropertiesTest.java
0797239
ambari-server/src/test/java/org/apache/ambari/server/security/authorization/TestAmbariLdapAuthoritiesPopulator.java
7c72f4c
ambari-server/src/test/resources/users.ldif 3620e63
ambari-server/src/test/resources/users_with_duplicate_uid.ldif PRE-CREATION
ambari-web/app/controllers/login_controller.js fc64a54
ambari-web/app/router.js ccf8cb4
ambari-web/test/controllers/login_controller_test.js 90ba06a
Diff: https://reviews.apache.org/r/45284/diff/
Testing
-------
Manual testing using OpenLDAP. Since OpenLDAP does not support the
userPrincipalName attribute, the manual testing used the email address (filter
config in ambari properties:
authorization.ldap.alternateUserSearchFilter=(&(mail={0})(objectClass={userObjectClass})))
UI unit tests:
24692 tests complete (21 seconds)
145 tests pending
Ambari server unit tests:
Results :
Tests run: 4035, Failures: 0, Errors: 0, Skipped: 33
Thanks,
Sebastian Toader
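
The login flow from steps 1 to 3 of the description, as an added sketch that is not code from this review request or from Ambari: it picks the alternate filter when the login name carries a domain, escapes the login name before it enters the filter, fails closed on multiple matches, and records the login alias. The class and method names, the primary `uid` filter, the exact form of the `userPrincipalName` default and the sample users are assumptions; the LDAP search results are stood in for by constructed lists.

```java
import java.util.*;

public class LdapLoginAliasExample {
    // Assumed filter templates; only the mail-based one in main() appears on the page.
    static final String PRIMARY = "(&(uid={0})(objectClass={userObjectClass}))";
    static final String ALTERNATE_DEFAULT = "(&(userPrincipalName={0})(objectClass={userObjectClass}))";

    // RFC 4515 escaping so a login name cannot change the structure of the filter.
    static String escape(String value) {
        StringBuilder sb = new StringBuilder();
        for (char c : value.toCharArray()) {
            switch (c) {
                case '\\': sb.append("\\5c"); break;
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Use the alternate filter only when the login name carries a domain part.
    static String buildFilter(String login, String configuredAlternate, String userObjectClass) {
        String alternate = configuredAlternate != null ? configuredAlternate : ALTERNATE_DEFAULT;
        String template = login.contains("@") ? alternate : PRIMARY;
        return template.replace("{userObjectClass}", userObjectClass).replace("{0}", escape(login));
    }

    // Fail closed on ambiguity: never resolve several matching entries by picking one.
    static String resolve(String login, List<String> matches, Map<String, String> sessionAliases) {
        if (matches.isEmpty()) throw new IllegalStateException("Login Failed");
        if (matches.size() > 1) throw new IllegalStateException(
            "Login Failed: Please append your domain to your username and try again. Example: username@domain");
        sessionAliases.put(login, matches.get(0)); // login alias -> Ambari user name
        return matches.get(0);
    }

    public static void main(String[] args) {
        Map<String, String> session = new HashMap<>(); // stands in for the HTTP session
        String mailFilter = "(&(mail={0})(objectClass={userObjectClass}))"; // from the Testing section
        System.out.println(buildFilter("jdoe", mailFilter, "person"));
        System.out.println(buildFilter("jdoe@example.com", mailFilter, "person"));
        System.out.println(buildFilter("j*doe(", null, "person")); // metacharacters are escaped
        System.out.println(resolve("jdoe@example.com", List.of("jdoe"), session) + " " + session);
        try { resolve("jdoe", List.of("jdoe", "jdoe"), session); } // constructed duplicate match
        catch (IllegalStateException e) { System.out.println(e.getMessage()); }
    }
}
```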