> On May 3, 2017, 5:08 p.m., Robert Levas wrote:
> > ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariPamAuthenticationProvider.java
> > Lines 79 (patched)
> > <https://reviews.apache.org/r/58968/diff/1/?file=1707168#file1707168line79>
> >
> > There are other User types - LDAP and JWT. You should check to see if
> > any user exists with the username. If the existing user is not a PAM user
> > the failure should occur.
> >
> > For example:
> > ```
> > UserEntity foundUser = userDAO.findUserByName(username);
> > if ((foundUser != null) && (foundUser.getUserType() != UserType.PAM)) {
> >   // ... Fail ...
> > }
> > ```
>
> Tim Thorpe wrote:
> Hi Robert, I'm not sure I'm following your logic here. My interpretation
> is that the PAM users will not be found using the
> UserDAO.findLocalUserByName(String userName) method. So basically the
> getUserType() != UserType.PAM is unnecessary. Although it wouldn't hurt.
>
> Anita Jebaraj wrote:
> Hi Tim, Robert means that I should look for all user types like
> (Local/ldap/jwt), I am aware ldap cannot be enabled when pam is enabled, but
> jwt users can exist when pam is enabled. That should be the reason why he
> wants me to look for all the users.
>
> Tim Thorpe wrote:
> Sorry missed the part where you changed findLocalUserByName to
> findUserByName. That makes sense now.

Hi Robert, please review the new patch

- Anita

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/58968/#review173752
-----------------------------------------------------------

On May 3, 2017, 6:24 p.m., Anita Jebaraj wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/58968/
> -----------------------------------------------------------
>
> (Updated May 3, 2017, 6:24 p.m.)
>
> Review request for Ambari, Attila Doroszlai, Di Li, Robert Levas, and Tim Thorpe.
>
> Bugs: AMBARI-20909
>     https://issues.apache.org/jira/browse/AMBARI-20909
>
> Repository: ambari
>
> Description
> -------
>
> Create a local user "test" in Ambari
>
> Create a system user "test" with different password
>
> Trying to authenticate via pam in Ambari UI as user "test" throws Server
> Error in Ambari UI, without any error in Ambari-server logs
>
> Also the UI gets stalled and not even able to login as admin user unless the
> browser cache is removed or Ambari UI is opened in a new browser page
>
> Ambari doesn't allow creating users with the same user name but different
> types (Local/pam). We reach the pam authentication only when the local user
> authentication failed due to non-existing userid or incorrect password. So if
> a local user exists, do not attempt to authenticate via PAM. This lets Ambari
> avoid importing a duplicate userid into the database
>
> Diffs
> -----
>
>   ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariPamAuthenticationProvider.java b3fb861
>   ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AmbariPamAuthenticationProviderTest.java b7272c5
>
> Diff: https://reviews.apache.org/r/58968/diff/2/
>
> Testing
> -------
>
> Updated the related test cases
>
> Thanks,
>
> Anita Jebaraj
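
The check discussed in this thread, as an added sketch that is not the Ambari patch or code from any participant: the PAM path looks up the username across all user types and fails if a non-PAM account already owns it, before PAM is consulted. The `users` map, `authenticateViaPam` and the `pam` predicate are hypothetical stand-ins for the user DAO and the PAM library, and the accounts are constructed sample data.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.function.BiPredicate;

public class PamCollisionCheck {
  enum UserType { LOCAL, LDAP, JWT, PAM }

  // Hypothetical stand-in for the user store: one entry per username, any type.
  static final Map<String, UserType> users = new HashMap<>();

  /**
   * Returns true only when the name is not owned by a non-PAM account AND
   * PAM accepts the credentials. The lookup covers every user type, not
   * just LOCAL, so a JWT or LDAP account cannot be shadowed either.
   */
  static boolean authenticateViaPam(String username, String password,
                                    BiPredicate<String, String> pam) {
    UserType existing = users.get(username);
    if (existing != null && existing != UserType.PAM) {
      // Fail before calling PAM: a system account with the same name must
      // not be imported as a duplicate of the existing user.
      return false;
    }
    if (!pam.test(username, password)) {
      return false;
    }
    users.putIfAbsent(username, UserType.PAM); // first PAM login imports the user
    return true;
  }

  public static void main(String[] args) {
    // Constructed sample data: "test" exists both as a local user and as a
    // system account with a different password, as in the bug description.
    users.put("test", UserType.LOCAL);
    users.put("sso-user", UserType.JWT);
    Map<String, String> systemAccounts =
        Map.of("test", "os-secret", "sso-user", "os-secret2", "alice", "a-secret");
    BiPredicate<String, String> pam = (u, p) -> p.equals(systemAccounts.get(u));

    System.out.println("local name collision accepted: "
        + authenticateViaPam("test", "os-secret", pam));
    System.out.println("jwt name collision accepted:   "
        + authenticateViaPam("sso-user", "os-secret2", pam));
    System.out.println("new pam user accepted:         "
        + authenticateViaPam("alice", "a-secret", pam));
    System.out.println("existing pam user, bad password accepted: "
        + authenticateViaPam("alice", "wrong", pam));
    System.out.println("user store after logins: " + users);
  }
}
```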