-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/45284/#review125401
-----------------------------------------------------------

ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java (line 466)
<https://reviews.apache.org/r/45284/#comment188194>

The name says this is an alternative search filter. But the decision whether to use it is based on the hardcoded UPN format (AmbariLdapUtils). This is not obvious.
I understand that this is intended to work with AD specifically and it will. But we need to document this well and, possibly, create another issue for a more generic approach.

- Myroslav Papirkovskyy


On March 25, 2016, 1:28 a.m., Sebastian Toader wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/45284/
> -----------------------------------------------------------
>
> (Updated March 25, 2016, 1:28 a.m.)
>
>
> Review request for Ambari, Andriy Babiichuk, Andrii Tkach, Dmitro
> Lisnichenko, Myroslav Papirkovskyy, Oliver Szabo, Robert Levas, and Yusaku
> Sako.
>
>
> Bugs: AMBARI-15554
>     https://issues.apache.org/jira/browse/AMBARI-15554
>
>
> Repository: ambari
>
>
> Description
> -------
>
> Problem:
> In case LDAP is set up with multiple Domains which are joined into a Forest
> with trusts between the different Domains, users may appear in different
> locations in LDAP.
> Since users who want to access Ambari can be in any domain, Ambari has to
> search the whole forest, and as the users appearing in multiple domains are
> identical, Ambari cannot filter out all but one of the user entries.
>
> Solution:
> 1. If the LDAP search upon login to Ambari leads to multiple user matches
> because the user appears in multiple domains, show an error message to the
> user prompting for the domain to be provided as well to log in. (e.g. Login
> Failed: Please append your domain to your username and try again. Example:
> username@domain)
>
> 2. When the user provides domain information at login as well, Ambari looks
> up the user in LDAP using a different filter which is configurable. If this
> configuration is not set, Ambari defaults to filter by userPrincipalName.
>
> 3. A map of login name (login alias) to ambari user name is stored in the
> session so that later, whenever it is needed, the login name can be resolved
> to the ambari user name (user name stored in ambari database).
>
> 4. User-related REST API calls include the user name in the URL. There is a
> filter set up for these to resolve the user name in the URL to the ambari
> user name if needed.
>
>
> Diffs
> -----
>
>   ambari-server/pom.xml 1e44517
>   ambari-server/src/main/java/org/apache/ambari/server/api/UserNameOverrideFilter.java PRE-CREATION
>   ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java bf18325
>   ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariServer.java 076f850
>   ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariAuthentication.java PRE-CREATION
>   ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariLdapAuthenticationProvider.java 20cf2fd
>   ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariLdapAuthoritiesPopulator.java fc7f73a
>   ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariLdapBindAuthenticator.java ed68c01
>   ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariLdapUtils.java PRE-CREATION
>   ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AuthorizationHelper.java b136182
>   ambari-server/src/main/java/org/apache/ambari/server/security/authorization/DuplicateLdapUserFoundAuthenticationException.java PRE-CREATION
>   ambari-server/src/main/java/org/apache/ambari/server/security/authorization/LdapServerProperties.java 8eeaf35
>   ambari-server/src/main/resources/webapp/WEB-INF/spring-security.xml 3bbc785
>   ambari-server/src/test/java/org/apache/ambari/server/api/UserNameOverrideFilterTest.java PRE-CREATION
>   ambari-server/src/test/java/org/apache/ambari/server/configuration/ConfigurationTest.java 3ecb5aa
>   ambari-server/src/test/java/org/apache/ambari/server/security/AmbariLdapUtilsTest.java PRE-CREATION
>   ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AmbariAuthenticationTest.java PRE-CREATION
>   ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AmbariLdapAuthenticationProviderForDuplicateUserTest.java PRE-CREATION
>   ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AmbariLdapAuthenticationProviderTest.java d48be85
>   ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AmbariLdapBindAuthenticatorTest.java PRE-CREATION
>   ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AuthorizationHelperTest.java 62f719d
>   ambari-server/src/test/java/org/apache/ambari/server/security/authorization/LdapServerPropertiesTest.java 0797239
>   ambari-server/src/test/java/org/apache/ambari/server/security/authorization/TestAmbariLdapAuthoritiesPopulator.java 7c72f4c
>   ambari-server/src/test/resources/users.ldif 3620e63
>   ambari-server/src/test/resources/users_with_duplicate_uid.ldif PRE-CREATION
>   ambari-web/app/controllers/login_controller.js fc64a54
>   ambari-web/app/router.js ccf8cb4
>   ambari-web/test/controllers/login_controller_test.js 90ba06a
>
> Diff: https://reviews.apache.org/r/45284/diff/
>
>
> Testing
> -------
>
> Manual testing using OpenLDAP.
> Since OpenLDAP does not support the userPrincipalName attribute, the manual
> testing used email address (filter config in ambari properties:
> authorization.ldap.alternateUserSearchFilter=(&(mail={0})(objectClass={userObjectClass})))
>
> UI unit tests:
> 24692 tests complete (21 seconds)
> 145 tests pending
>
> Ambari server unit tests:
> Results :
>
> Tests run: 4035, Failures: 0, Errors: 0, Skipped: 33
>
>
> Thanks,
>
> Sebastian Toader
>
>
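
The filter selection and duplicate-match handling discussed in this thread, as an added example that is not part of the e-mail or of Ambari's code. The class name, both filter templates, the UPN pattern and the exception type are assumptions; the login name is escaped per RFC 4515 before it replaces {0}.

```java
import java.util.Arrays;
import java.util.List;
import java.util.regex.Pattern;

public class LdapLoginFilterExample {
    // Assumed templates: the thread only shows the mail-based alternate filter.
    static final String USER_FILTER = "(&(uid={0})(objectClass={userObjectClass}))";
    static final String ALT_FILTER = "(&(userPrincipalName={0})(objectClass={userObjectClass}))";
    // Hypothetical UPN test: exactly one '@' with non-empty text on both sides.
    static final Pattern UPN = Pattern.compile("[^@\\s]+@[^@\\s]+");

    // RFC 4515 escaping keeps the login name a plain assertion value.
    static String escape(String value) {
        StringBuilder sb = new StringBuilder();
        for (char c : value.toCharArray()) {
            switch (c) {
                case '\\': sb.append("\\5c"); break;
                case '*': sb.append("\\2a"); break;
                case '(': sb.append("\\28"); break;
                case ')': sb.append("\\29"); break;
                case '\0': sb.append("\\00"); break;
                default: sb.append(c);
            }
        }
        return sb.toString();
    }

    // The login name's format, not a setting, decides which template is used.
    static String buildFilter(String login, String userObjectClass) {
        String template = UPN.matcher(login).matches() ? ALT_FILTER : USER_FILTER;
        // Expand the trusted config value first so text in the login is never re-expanded.
        return template.replace("{userObjectClass}", userObjectClass)
                       .replace("{0}", escape(login));
    }

    // Fail closed: no match and several matches are both login failures.
    static String resolve(List<String> matchedDns) {
        if (matchedDns.isEmpty()) throw new IllegalStateException("Login Failed");
        if (matchedDns.size() > 1) throw new IllegalStateException(
            "Login Failed: Please append your domain to your username and try again.");
        return matchedDns.get(0);
    }

    public static void main(String[] args) {
        System.out.println(buildFilter("jdoe", "person"));
        System.out.println(buildFilter("jdoe@a.example.com", "person"));
        System.out.println(buildFilter("jdoe)(uid=*", "person"));
        // Constructed DNs: the same uid found in two domains of the forest.
        List<String> dup = Arrays.asList("uid=jdoe,dc=a,dc=example,dc=com", "uid=jdoe,dc=b,dc=example,dc=com");
        try { resolve(dup); } catch (IllegalStateException e) { System.out.println(e.getMessage()); }
    }
}
```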