[jira] [Comment Edited] (KYLIN-3197) When ldap is opened, I use an ignored case user to login, the page does not respond.

2018-02-12 Thread jiatao.tao (JIRA)

[ 
https://issues.apache.org/jira/browse/KYLIN-3197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16361734#comment-16361734
 ] 

jiatao.tao edited comment on KYLIN-3197 at 2/13/18 2:54 AM:


Hi [~xingpeng1]

About Redhat, we may need further discussion. It needs a full discussion and 
comparison, or we can solve one problem today, but the next day another problem 
may occur. And can you also post your user's LDIF?

Besides, I know you use getAdditionalRoles() to solve this problem, for sure, 
but what I am asking is: should we use this method this way? Can you find 
some examples, such as documentation or other projects, that use it this way? 
I am not asking how it works. We all understand how it works.

 
{code:java}
The signature of getAdditionalRoles() seems not the way you use.

Because the Redhat linux can not support the case insensitive ldap username, 
that is to say 'getGroupMembershipRoles(userDn, username)' will return empty 
Set, so I analyze the spring source code, after 
'getGroupMembershipRoles(userDn, username)', there will call 
'getAdditionalRoles(user, username)' to get the roles again, then I can get the 
real username from the DirContextOperations object.

{code}
Also, I think it may be a requirement or issue that needs discussion, but not 
directly getting "cn" from DirContextOperations.
{code:java}
the username passed in is not real one, but the 'WKH', so I find a way to fetch 
the real one from DirContextOperations object by 'username = 
user.getStringAttribute("cn");'
{code}
I believe we are not the only ones who have met this problem; we should go and 
find out how other people solve this.

Looking forward to your opinion.


> When ldap is opened, I use an ignored case user to login, the page does not 
> respond.
> 
>
> Key: KYLIN-3197
> URL: https://issues.apache.org/jira/browse/KYLIN-3197
> Project: Kylin
> Issue Type: Bug
> Components: Security
> Affects Versions: v2.3.0
> Reporter: Peng Xing
> Assignee: Peng Xing
> Priority: Major
> Labels: patch
> Fix For: Future
>
> Attachments: 
> 0001-KYLIN-3197-When-ldap-is-opened-I-use-an-ignored-case.patch, 
> image-2018-01-25-17-22-39-970.png, image-2018-02-06-14-09-32-591.png, 
> image-2018-02-08-15-32-25-030.png, image-2018-02-08-15-33-07-277.png, 
> image-2018-02-08-15-33-54-480.png, image-2018-02-08-15-35-03-902.png, 
> image-2018-02-12-12-15-00-574.png, image-2018-02-12-12-15-28-826.png, 
> image-2018-02-12-12-15-39-132.png, image-2018-02-12-12-25-15-793.png
>
>
> When ldap is opened, I config the kylin.properties, and give wkhGroup the 
> admin permission.
> {code:java}
> ## Admin roles in LDAP, for ldap and saml
> kylin.security.acl.admin-role=wkhGroup
> {code}
> Then I create a new user named 'wkh' whose group is 'wkhGroup', then I use 
> 'wkh' to log in, which is normal.
> But when I use 'WKH' to log in, the page does not respond.
> I analyzed the background code, and found that the function 
> 'org.apache.kylin.rest.security.LDAPAuthoritiesPopulator.getGroupMembershipRoles(String, String)' 
> has a problem.
> When userDn is "uid=wkh,ou=People,ou=defaultCluster,dc=zdh,dc=com" and 
> username is "WKH", then authorities will be 
[jira] [Comment Edited] (KYLIN-3197) When ldap is opened, I use an ignored case user to login, the page does not respond.

2018-02-12 Thread jiatao.tao (JIRA)

[ 
https://issues.apache.org/jira/browse/KYLIN-3197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16361734#comment-16361734
 ] 

jiatao.tao edited comment on KYLIN-3197 at 2/13/18 2:53 AM:


Hi [~xingpeng1]

About Redhat, we may need further discussion. It needs a full discussion and 
comparison, or we can solve one problem today, but the next day another problem 
may occur. And can you also post your user's LDIF?

Besides, I know you use getAdditionalRoles() to solve this problem, for sure, 
but what I am asking is: should we use this method this way? Can you find 
some examples, such as documentation or other projects, that use it this way? 
I am not asking how it works. We all understand how it works.

 
{code:java}
The signature of getAdditionalRoles() seems not the way you use.

Because the Redhat linux can not support the case insensitive ldap username, 
that is to say 'getGroupMembershipRoles(userDn, username)' will return empty 
Set, so I analyze the spring source code, after 
'getGroupMembershipRoles(userDn, username)', there will call 
'getAdditionalRoles(user, username)' to get the roles again, then I can get the 
real username from the DirContextOperations object.

{code}
Also, I think it may be a requirement or issue that needs discussion, but not 
directly getting "cn" from DirContextOperations.
{code:java}
the username passed in is not real one, but the 'WKH', so I find a way to fetch 
the real one from DirContextOperations object by 'username = 
user.getStringAttribute("cn");'
{code}
I believe we are not the only ones who have met the problem; we should go and 
find out how other people solve this.

Looking forward to your opinion.



[jira] [Comment Edited] (KYLIN-3197) When ldap is opened, I use an ignored case user to login, the page does not respond.

2018-02-12 Thread jiatao.tao (JIRA)

[ 
https://issues.apache.org/jira/browse/KYLIN-3197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16361734#comment-16361734
 ] 

jiatao.tao edited comment on KYLIN-3197 at 2/13/18 2:49 AM:


Hi [~xingpeng1]

About Redhat, we may need further discussion. It needs a full discussion and 
comparison, or we can solve one problem today, but the next day another problem 
may occur. And can you also post your user's LDIF?

Besides, I know you use getAdditionalRoles() to solve this problem, for sure, 
but what I am asking is: should we use this method this way? Can you find 
some examples, such as documentation or other projects, that use it this way? 
I am not asking how it works. We all understand how it works.
{code:java}
The signature of getAdditionalRoles() seems not the way you use.

Because the Redhat linux can not support the case insensitive ldap username, 
that is to say 'getGroupMembershipRoles(userDn, username)' will return empty 
Set, so I analyze the spring source code, after 
'getGroupMembershipRoles(userDn, username)', there will call 
'getAdditionalRoles(user, username)' to get the roles again, then I can get the 
real username from the DirContextOperations object.

{code}
Also, I think it may be a requirement or issue that needs discussion, but not 
directly getting "cn" from DirContextOperations.
{code:java}
the username passed in is not real one, but the 'WKH', so I find a way to fetch 
the real one from DirContextOperations object by 'username = 
user.getStringAttribute("cn");'
{code}
 

Looking forward to your opinion.



[jira] [Comment Edited] (KYLIN-3197) When ldap is opened, I use an ignored case user to login, the page does not respond.

2018-02-12 Thread jiatao.tao (JIRA)

[ 
https://issues.apache.org/jira/browse/KYLIN-3197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16361734#comment-16361734
 ] 

jiatao.tao edited comment on KYLIN-3197 at 2/13/18 2:49 AM:


Hi [~xingpeng1]

About Redhat, we may need further discussion. It needs a full discussion and 
comparison, or we can solve one problem today, but the next day another problem 
may occur. And can you also post your user's LDIF?

Besides, I know you use getAdditionalRoles() to solve this problem, for sure, 
but what I am asking is: should we use this method this way? Can you find 
some examples, such as documentation or other projects, that use it this way? 
I am not asking how it works. We all understand how it works.
{code:java}
The signature of getAdditionalRoles() seems not the way you use.

Because the Redhat linux can not support the case insensitive ldap username, 
that is to say 'getGroupMembershipRoles(userDn, username)' will return empty 
Set, so I analyze the spring source code, after 
'getGroupMembershipRoles(userDn, username)', there will call 
'getAdditionalRoles(user, username)' to get the roles again, then I can get the 
real username from the DirContextOperations object.

{code}
Also, I think it may be a requirement or issue that needs discussion, but not 
directly getting "cn" from DirContextOperations.
{code:java}
the username passed in is not real one, but the 'WKH', so I find a way to fetch 
the real one from DirContextOperations object by 'username = 
user.getStringAttribute("cn");'
{code}
 

Looking forward to your opinion.


> When ldap is opened, I use an ignored case user to login, the page does not 
> respond.
> 
>
> Key: KYLIN-3197
> URL: https://issues.apache.org/jira/browse/KYLIN-3197
> Project: Kylin
> Issue Type: Bug
> Components: Security
> Affects Versions: v2.3.0
> Reporter: Peng Xing
> Assignee: Peng Xing
> Priority: Major
> Labels: patch
> Fix For: Future
>
> Attachments: 
> 0001-KYLIN-3197-When-ldap-is-opened-I-use-an-ignored-case.patch, 
> image-2018-01-25-17-22-39-970.png, image-2018-02-06-14-09-32-591.png, 
> image-2018-02-08-15-32-25-030.png, image-2018-02-08-15-33-07-277.png, 
> image-2018-02-08-15-33-54-480.png, image-2018-02-08-15-35-03-902.png, 
> image-2018-02-12-12-15-00-574.png, image-2018-02-12-12-15-28-826.png, 
> image-2018-02-12-12-15-39-132.png, image-2018-02-12-12-25-15-793.png
>
>
> When ldap is opened, I config the kylin.properties, and give wkhGroup the 
> admin permission.
> {code:java}
> ## Admin roles in LDAP, for ldap and saml
> kylin.security.acl.admin-role=wkhGroup
> {code}
> Then I create a new user named 'wkh' whose group is 'wkhGroup', then I use 
> 'wkh' to log in, which is normal.
> But when I use 'WKH' to log in, the page does not respond.
> I analyzed the background code, and found that the function 
> 'org.apache.kylin.rest.security.LDAPAuthoritiesPopulator.getGroupMembershipRoles(String, String)' 
> has a problem.
> When userDn is "uid=wkh,ou=People,ou=defaultCluster,dc=zdh,dc=com" and 
> username is "WKH", then authorities will be an empty Set 
> by the following code:
> {code:java}
> Set authorities = super.getGroupMembershipRoles(userDn, username);
> {code}
> So I have added the 'getAdditionalRoles' function to get the authorities again.
> I have tested the patch, please review, thanks!



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
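
Added illustration, not part of the thread and not Kylin or Spring Security code: a self-contained sketch of the mismatch reported above, where the typed name 'WKH' resolves to the entry uid=wkh but the group lookup keyed on the typed string returns an empty set. The in-memory Directory, its case-exact group comparison, and all class and method names are assumptions made for the sketch; it takes the canonical name from the leading RDN of the resolved DN.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import java.util.TreeMap;
import java.util.TreeSet;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

public class LdapCaseMismatchDemo {

    /** Constructed in-memory stand-in for the directory; not a real LDAP client. */
    static final class Directory {
        // Login name -> entry DN. Lookup ignores case, as in the report where 'WKH' resolves to uid=wkh.
        private final Map<String, String> dnByUid = new TreeMap<>(String.CASE_INSENSITIVE_ORDER);
        // Group -> member names. ASSUMPTION: the directory compares member names case-exactly.
        private final Map<String, Set<String>> membersByGroup = new HashMap<>();

        void addUser(String uid, String dn) {
            dnByUid.put(uid, dn);
        }

        void addGroup(String group, String... members) {
            membersByGroup.put(group, new HashSet<>(Arrays.asList(members)));
        }

        /** Returns the entry DN for the typed login name, or null if there is no such user. */
        String findUserDn(String typedName) {
            return typedName == null ? null : dnByUid.get(typedName);
        }

        /** Returns the groups whose member list contains exactly this name. */
        Set<String> groupsOf(String memberName) {
            Set<String> result = new TreeSet<>();
            for (Map.Entry<String, Set<String>> e : membersByGroup.entrySet()) {
                if (e.getValue().contains(memberName)) {
                    result.add(e.getKey());
                }
            }
            return result;
        }
    }

    /** Reads the uid from the leading RDN of the resolved DN instead of trusting the typed string. */
    static String canonicalUid(String userDn) throws InvalidNameException {
        LdapName name = new LdapName(userDn);
        if (name.isEmpty()) {
            throw new InvalidNameException("empty DN");
        }
        // LdapName indexes RDNs from the right, so the leading RDN is the last index.
        Rdn leading = name.getRdn(name.size() - 1);
        if (!"uid".equalsIgnoreCase(leading.getType())) {
            throw new InvalidNameException("leading RDN is not uid: " + userDn);
        }
        return String.valueOf(leading.getValue());
    }

    /** Behaviour described in the report: the group lookup is keyed on whatever the user typed. */
    static Set<String> rolesFromTypedName(Directory dir, String typedName) {
        if (dir.findUserDn(typedName) == null) {
            return Collections.emptySet();
        }
        return dir.groupsOf(typedName);
    }

    /** Group lookup keyed on the name stored in the directory entry; unknown users get no roles. */
    static Set<String> rolesFromCanonicalName(Directory dir, String typedName) throws InvalidNameException {
        String userDn = dir.findUserDn(typedName);
        if (userDn == null) {
            return Collections.emptySet();
        }
        return dir.groupsOf(canonicalUid(userDn));
    }

    public static void main(String[] args) throws InvalidNameException {
        // Values taken from the issue description: user 'wkh' in group 'wkhGroup'.
        Directory dir = new Directory();
        dir.addUser("wkh", "uid=wkh,ou=People,ou=defaultCluster,dc=zdh,dc=com");
        dir.addGroup("wkhGroup", "wkh");

        for (String typed : new String[] {"wkh", "WKH", "nobody"}) {
            System.out.printf("%-6s typed=%s canonical=%s%n", typed,
                    rolesFromTypedName(dir, typed), rolesFromCanonicalName(dir, typed));
        }
    }
}
```

Run with a JDK only (javac LdapCaseMismatchDemo.java, then java LdapCaseMismatchDemo); 'WKH' yields no roles from the typed name and wkhGroup from the canonical name.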


[jira] [Comment Edited] (KYLIN-3197) When ldap is opened, I use an ignored case user to login, the page does not respond.

2018-02-12 Thread jiatao.tao (JIRA)

[ 
https://issues.apache.org/jira/browse/KYLIN-3197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16361734#comment-16361734
 ] 

jiatao.tao edited comment on KYLIN-3197 at 2/13/18 2:44 AM:


Hi [~xingpeng1]

About Redhat, we may need further discussion. Can you also post your user's LDIF?

Besides, I know you use getAdditionalRoles to solve this problem, for sure, but 
what I am asking is: should we use this method this way? Can you find some 
examples, such as documentation or other projects, that use it this way? I am 
not asking how it works. We all understand how it works.
{code:java}
The signature of getAdditionalRoles() seems not the way you use.

Because the Redhat linux can not support the case insensitive ldap username, 
that is to say 'getGroupMembershipRoles(userDn, username)' will return empty 
Set, so I analyze the spring source code, after 
'getGroupMembershipRoles(userDn, username)', there will call 
'getAdditionalRoles(user, username)' to get the roles again, then I can get the 
real username from the DirContextOperations object.

{code}
Also, I think it may be a requirement or issue that needs discussion, but not 
directly getting "cn" from DirContextOperations.
{code:java}
the username passed in is not real one, but the 'WKH', so I find a way to fetch 
the real one from DirContextOperations object by 'username = 
user.getStringAttribute("cn");'
{code}
 

Looking forward to your opinion.




[jira] [Comment Edited] (KYLIN-3197) When ldap is opened, I use an ignored case user to login, the page does not respond.

2018-02-12 Thread jiatao.tao (JIRA)

[ 
https://issues.apache.org/jira/browse/KYLIN-3197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16361734#comment-16361734
 ] 

jiatao.tao edited comment on KYLIN-3197 at 2/13/18 2:42 AM:


Hi [~xingpeng1]

We will consider Redhat. Can you also post your user's LDIF?

Besides, I know you use getAdditionalRoles to solve this problem, for sure, but 
what I am asking is: should we use this method this way? Can you find some 
examples, such as documentation or other projects, that use it this way? I am 
not asking how it works. We all understand how it works.
{code:java}
The signature of getAdditionalRoles() seems not the way you use.

Because the Redhat linux can not support the case insensitive ldap username, 
that is to say 'getGroupMembershipRoles(userDn, username)' will return empty 
Set, so I analyze the spring source code, after 
'getGroupMembershipRoles(userDn, username)', there will call 
'getAdditionalRoles(user, username)' to get the roles again, then I can get the 
real username from the DirContextOperations object.

{code}
Also, I think it may be a requirement or issue that needs discussion, but not 
directly getting "cn" from DirContextOperations.
{code:java}
the username passed in is not real one, but the 'WKH', so I find a way to fetch 
the real one from DirContextOperations object by 'username = 
user.getStringAttribute("cn");'
{code}
 

Looking forward to your opinion.




[jira] [Comment Edited] (KYLIN-3197) When ldap is opened, I use an ignored case user to login, the page does not respond.

2018-02-12 Thread jiatao.tao (JIRA)

[ 
https://issues.apache.org/jira/browse/KYLIN-3197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16361734#comment-16361734
 ] 

jiatao.tao edited comment on KYLIN-3197 at 2/13/18 2:41 AM:


Hi [~xingpeng1]

We will consider Redhat. Can you also post your user's LDIF?

Besides, I know you use getAdditionalRoles to solve this problem, for sure, but 
what I am asking is: should we use this method this way? Can you find some 
examples, such as documentation or other projects, that use it this way? I am 
not asking how it works. We all understand how it works.
{code:java}
The signature of getAdditionalRoles() seems not the way you use.

Because the Redhat linux can not support the case insensitive ldap username, 
that is to say 'getGroupMembershipRoles(userDn, username)' will return empty 
Set, so I analyze the spring source code, after 
'getGroupMembershipRoles(userDn, username)', there will call 
'getAdditionalRoles(user, username)' to get the roles again, then I can get the 
real username from the DirContextOperations object.

{code}
Also, I think it may be a requirement or issue that needs discussion, but not 
directly getting "cn" from DirContextOperations.
{code:java}
the username passed in is not real one, but the 'WKH', so I find a way to fetch 
the real one from DirContextOperations object by 'username = 
user.getStringAttribute("cn");'
{code}
 

Looking forward to your opinion.


was (Author: aron.tao):
Hi [~xingpeng1]

We will consider Redhat. Can you also post your user's LDIF?

Besides, I know you use getAdditionalRoles to solve this problem, for sure, but 
what I am asking is: should we use this method this way? Can you find some 
examples, such as documentation or other projects, that use it this way? I am 
not asking how it works. We all understand how it works.
{code:java}
The signature of getAdditionalRoles() seems not the way you use.

Because the Redhat linux can not support the case insensitive ldap username, 
that is to say 'getGroupMembershipRoles(userDn, username)' will return empty 
Set, so I analyze the spring source code, after 
'getGroupMembershipRoles(userDn, username)', there will call 
'getAdditionalRoles(user, username)' to get the roles again, then I can get the 
real username from the DirContextOperations object.

{code}
Also, I think it may be a requirement or issue that needs discussion, but not 
directly getting "cn" from DirContextOperations.
{code:java}
the username passed in is not real one, but the 'WKH', so I find a way to fetch 
the real one from DirContextOperations object by 'username = 
user.getStringAttribute("cn");'
{code}
 

Looking forward to your opinion.



[jira] [Comment Edited] (KYLIN-3197) When ldap is opened, I use an ignored case user to login, the page does not respond.

2018-02-12 Thread jiatao.tao (JIRA)

[ 
https://issues.apache.org/jira/browse/KYLIN-3197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16361734#comment-16361734
 ] 

jiatao.tao edited comment on KYLIN-3197 at 2/13/18 2:40 AM:


Hi [~xingpeng1]

We will consider Redhat. Can you also post your user's LDIF?

Besides, I know you use getAdditionalRoles to solve this problem, for sure, but 
what I am asking is: should we use this method in this way? Can you find some 
examples, such as documentation or other projects, that use it this way? I am 
not asking how it works. We all understand how it works.
{code:java}
The signature of getAdditionalRoles() seems not the way you use.

Because the Redhat linux can not support the case insensitive ldap username, 
that is to say 'getGroupMembershipRoles(userDn, username)' will return empty 
Set, so I analyze the spring source code, after 
'getGroupMembershipRoles(userDn, username)', there will call 
'getAdditionalRoles(user, username)' to get the roles again, then I can get the 
real username from the DirContextOperations object.

{code}
Also, I think it may be a requirement or issue that needs discussion, rather 
than directly getting "cn" from DirContextOperations.
{code:java}
the username passed in is not real one, but the 'WKH', so I find a way to fetch 
the real one from DirContextOperations object by 'username = 
user.getStringAttribute("cn");'
{code}

Looking forward to your opinion.





[jira] [Comment Edited] (KYLIN-3197) When ldap is opened, I use an ignored case user to login, the page does not respond.

2018-02-12 Thread jiatao.tao (JIRA)

[ 
https://issues.apache.org/jira/browse/KYLIN-3197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16361734#comment-16361734
 ] 

jiatao.tao edited comment on KYLIN-3197 at 2/13/18 2:39 AM:


Hi [~xingpeng1]

We will consider Redhat. Can you also post your user's LDIF?

Besides, I know you use getAdditionalRoles to solve this problem, for sure, but 
what I am asking is: should we use this method in this way? Can you find some 
examples, such as documentation or other projects, that use it this way? I am 
not asking how it works.
{code:java}
The signature of getAdditionalRoles() seems not the way you use.

Because the Redhat linux can not support the case insensitive ldap username, 
that is to say 'getGroupMembershipRoles(userDn, username)' will return empty 
Set, so I analyze the spring source code, after 
'getGroupMembershipRoles(userDn, username)', there will call 
'getAdditionalRoles(user, username)' to get the roles again, then I can get the 
real username from the DirContextOperations object.

{code}
Also, I think it may be a requirement or issue that needs discussion, rather 
than directly getting "cn" from DirContextOperations.
{code:java}
the username passed in is not real one, but the 'WKH', so I find a way to fetch 
the real one from DirContextOperations object by 'username = 
user.getStringAttribute("cn");'
{code}

Looking forward to your opinion.





[jira] [Comment Edited] (KYLIN-3197) When ldap is opened, I use an ignored case user to login, the page does not respond.

2018-02-12 Thread jiatao.tao (JIRA)

[ 
https://issues.apache.org/jira/browse/KYLIN-3197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16361734#comment-16361734
 ] 

jiatao.tao edited comment on KYLIN-3197 at 2/13/18 2:37 AM:


Hi [~xingpeng1]

We will consider Redhat. Can you also post your user's LDIF?

Besides, I know you use xxx to solve this problem, but what I am asking is: 
should we use this method in this way? Can you find some examples, such as 
documentation or other projects, that use it this way?
{code:java}
the signature of getAdditionalRoles() seems not the way you use.
Because the Redhat linux can not support the case insensitive ldap username, 
that is to say 'getGroupMembershipRoles(userDn, username)' will return empty 
Set, so I analyze the spring source code, after 
'getGroupMembershipRoles(userDn, username)', there will call 
'getAdditionalRoles(user, username)' to get the roles again, then I can get the 
real username from the DirContextOperations object.

{code}
Also, I think it may be a requirement or issue that needs discussion, rather 
than directly getting "cn" from DirContextOperations.
{code:java}
the username passed in is not real one, but the 'WKH', so I find a way to fetch 
the real one from DirContextOperations object by 'username = 
user.getStringAttribute("cn");'
{code}

Looking forward to your opinion.





[jira] [Comment Edited] (KYLIN-3197) When ldap is opened, I use an ignored case user to login, the page does not respond.

2018-02-12 Thread jiatao.tao (JIRA)

[ 
https://issues.apache.org/jira/browse/KYLIN-3197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16361734#comment-16361734
 ] 

jiatao.tao edited comment on KYLIN-3197 at 2/13/18 2:36 AM:


Hi [~xingpeng1]

We will consider Redhat. Can you also post your user's LDIF?

Besides, I know you use xxx to solve this problem, but what I am asking is: 
should we use this method in this way? Can you find some examples, such as 
documentation or other projects, that use it this way?

Also, I think it may be a requirement or issue that needs discussion, rather 
than directly getting "cn" from DirContextOperations.
{code:java}
the username passed in is not real one, but the 'WKH', so I find a way to fetch 
the real one from DirContextOperations object by 'username = 
user.getStringAttribute("cn");'
{code}

Looking forward to your opinion.





[jira] [Comment Edited] (KYLIN-3197) When ldap is opened, I use an ignored case user to login, the page does not respond.

2018-02-12 Thread jiatao.tao (JIRA)

[ 
https://issues.apache.org/jira/browse/KYLIN-3197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16361734#comment-16361734
 ] 

jiatao.tao edited comment on KYLIN-3197 at 2/13/18 2:32 AM:


Hi [~xingpeng1]

We will consider Redhat. Can you also post your user's LDIF?

Also, I think it may be a requirement or issue that needs discussion, rather 
than directly getting "cn" from DirContextOperations.
{code:java}
the username passed in is not real one, but the 'WKH', so I find a way to fetch 
the real one from DirContextOperations object by 'username = 
user.getStringAttribute("cn");'
{code}

Looking forward to your opinion.





[jira] [Comment Edited] (KYLIN-3197) When ldap is opened, I use an ignored case user to login, the page does not respond.

2018-02-11 Thread Peng Xing (JIRA)

[ 
https://issues.apache.org/jira/browse/KYLIN-3197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16360388#comment-16360388
 ] 

Peng Xing edited comment on KYLIN-3197 at 2/12/18 7:43 AM:
---

Hi [~Aron.tao], I have found out the reason why your environment is useable for 
case insensitive ldap username, because your linux is SUSE, the member format 
is userDn just like 'uid=wkh,ou=People,ou=defaultCluster,dc=zdh,dc=com' in 
group, so when userDn is 
"uid=wkh,ou=People,ou=defaultCluster,dc=zdh,dc=com", the ldap 
can use userDn to match the ldap group. I have tested in SUSE environment, it's 
really ok. 

{code:java}
dn: cn=wkhGroup,ou=Group,ou=defaultCluster,dc=zdh,dc=com
objectClass: posixGroup
objectClass: top
objectClass: groupOfNames
cn: wkhGroup
gidNumber: 10015
member: uid=wkh,ou=People,ou=defaultCluster,dc=zdh,dc=com
structuralObjectClass: groupOfNames
entryUUID: 4bacacf6-a410-1037-996c-b7792c876d2c
creatorsName: cn=LdapAdmin,dc=zdh,dc=com
createTimestamp: 20180212071549Z
entryCSN: 20180212071617.147179Z#00#001#00
modifiersName: cn=LdapAdmin,dc=zdh,dc=com
modifyTimestamp: 20180212071617Z
{code}

But my environment is Redhat, the memberUid format is username or cn just like 
'wkh' in group, so when username is "WKH", the ldap can not use "WKH" to match 
the ldap group.

{code:java}
dn: cn=wkhGroup,ou=Group,ou=defaultCluster,dc=zdh,dc=com
objectClass: posixGroup
objectClass: top
cn: wkhGroup
gidNumber: 1
structuralObjectClass: posixGroup
entryUUID: f99c7e72-9466-1037-8810-e1d7152e775c
creatorsName: cn=LdapAdmin,dc=zdh,dc=com
createTimestamp: 20180123085558Z
memberUid: wkh
memberUid: wkh1
memberUid: wkh2
memberUid: Wkh5
entryCSN: 20180124082044.774518Z#00#001#00
modifiersName: cn=LdapAdmin,dc=zdh,dc=com
modifyTimestamp: 20180124082044Z
{code}

Then I will answer your two questions. 
1. the signature of getAdditionalRoles() seems not the way you use.
Because the Redhat linux can not support the case insensitive ldap username, 
that is to say 'getGroupMembershipRoles(userDn, username)' will return empty 
Set, so I analyze the spring source code, after 
'getGroupMembershipRoles(userDn, username)', there will call 
'getAdditionalRoles(user, username)' to get the roles again, then I can get the 
real username from the DirContextOperations object.

{code:java}
@Override
public final Collection<GrantedAuthority> getGrantedAuthorities(
        DirContextOperations user, String username) {
    String userDn = user.getNameInNamespace();

    if (logger.isDebugEnabled()) {
        logger.debug("Getting authorities for user " + userDn);
    }

    // Group search, using the user's DN and the login name as typed
    Set<GrantedAuthority> roles = getGroupMembershipRoles(userDn, username);

    // Hook for subclasses; it receives the user's directory entry
    Set<GrantedAuthority> extraRoles = getAdditionalRoles(user, username);

    if (extraRoles != null) {
        roles.addAll(extraRoles);
    }

    if (this.defaultRole != null) {
        roles.add(this.defaultRole);
    }

    List<GrantedAuthority> result = new ArrayList<GrantedAuthority>(roles.size());
    result.addAll(roles);

    return result;
}
{code}


2. In your patch you directly get username and not use the name that 
getAdditionalRoles(DirContextOperations user, String username) passed in.
Because the username passed in is not real one, but the 'WKH', so I find a way 
to fetch the real one from DirContextOperations  object by 'username = 
user.getStringAttribute("cn");'
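
The two group layouts compared in the comment above, as an added example (not code from the patch, from Kylin or from Spring Security): a JDK-only model of how an equality filter on `member` and on `memberUid` behaves when the login name is typed as 'WKH'. The filter templates `(member={0})` and `(memberUid={1})`, the class and method names, the use of `uid` as the stored login attribute and the `wkh5` user are assumptions; `{0}` and `{1}` are Spring Security's placeholders for the user DN and the login name.

```java
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.TreeSet;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;

public class GroupMembershipMatchDemo {

    // Group entries reduced to the membership attribute, taken from the two LDIF dumps in the thread.
    static final Map<String, Map<String, List<String>>> SUSE_GROUPS = Map.of(
        "wkhGroup", Map.of("member", List.of("uid=wkh,ou=People,ou=defaultCluster,dc=zdh,dc=com")));
    static final Map<String, Map<String, List<String>>> REDHAT_GROUPS = Map.of(
        "wkhGroup", Map.of("memberUid", List.of("wkh", "wkh1", "wkh2", "Wkh5")));

    /** DN comparison: LdapName.equals() ignores case in attribute types and string values. */
    static boolean dnEquals(String a, String b) {
        try {
            return new LdapName(a).equals(new LdapName(b));
        } catch (InvalidNameException e) {
            return false; // a malformed DN never matches
        }
    }

    /** Evaluates the equality filter (attr=value) with the matching rule of each attribute. */
    static Set<String> searchGroups(Map<String, Map<String, List<String>>> groups,
                                    String attr, String value) {
        Set<String> hits = new TreeSet<>();
        groups.forEach((cn, attrs) -> {
            for (String stored : attrs.getOrDefault(attr, List.of())) {
                boolean match = "member".equals(attr)
                        ? dnEquals(stored, value)  // member: DN syntax, compared case-insensitively
                        : stored.equals(value);    // memberUid: caseExactIA5Match (RFC 2307)
                if (match) {
                    hits.add(cn);
                }
            }
        });
        return hits;
    }

    /** Fills a "(attr={n})" template with {0} = user DN or {1} = login name, then searches. */
    static Set<String> rolesFor(Map<String, Map<String, List<String>>> groups,
                                String filter, String userDn, String username) {
        String attr = filter.substring(1, filter.indexOf('='));
        String value = filter.contains("{0}") ? userDn : username;
        return searchGroups(groups, attr, value);
    }

    public static void main(String[] args) {
        String typed = "WKH"; // what the user typed at login
        String userDn = "uid=wkh,ou=People,ou=defaultCluster,dc=zdh,dc=com"; // DN returned by the user search
        String storedUid = "wkh"; // assumption: login attribute of that entry (the patch reads "cn" instead)

        // groupOfNames layout: the filter carries the DN from the directory, the typed case never reaches it.
        System.out.println("(member={0})    typed 'WKH'  -> "
                + rolesFor(SUSE_GROUPS, "(member={0})", userDn, typed));

        // posixGroup layout: the filter carries the typed name and memberUid is case-exact.
        System.out.println("(memberUid={1}) typed 'WKH'  -> "
                + rolesFor(REDHAT_GROUPS, "(memberUid={1})", userDn, typed));

        // Same filter once the typed name is replaced by the value stored in the user's own entry.
        System.out.println("(memberUid={1}) stored 'wkh' -> "
                + rolesFor(REDHAT_GROUPS, "(memberUid={1})", userDn, storedUid));

        // Constructed edge case: the user entry stores 'wkh5' but the group lists 'Wkh5',
        // so taking the name from the user entry still finds no group.
        System.out.println("(memberUid={1}) stored 'wkh5' -> "
                + rolesFor(REDHAT_GROUPS, "(memberUid={1})",
                           "uid=wkh5,ou=People,ou=defaultCluster,dc=zdh,dc=com", "wkh5"));
    }
}
```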



[jira] [Comment Edited] (KYLIN-3197) When ldap is opened, I use an ignored case user to login, the page does not respond.

2018-02-11 Thread Peng Xing (JIRA)

[ 
https://issues.apache.org/jira/browse/KYLIN-3197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16360388#comment-16360388
 ] 

Peng Xing edited comment on KYLIN-3197 at 2/12/18 7:41 AM:
---

Hi [~Aron.tao], I have found out the reason why your environment is useable for 
case insensitive ldap username, because your linux is SUSE, the member format 
is userDn just like 'uid=wkh,ou=People,ou=defaultCluster,dc=zdh,dc=com' in 
group, so when userDn is 
"uid=wkh,ou=People,ou=defaultCluster,dc=zdh,dc=com", the ldap 
can use userDn to match the ldap group. I have tested in SUSE environment, it's 
really ok. 

{code:java}
dn: cn=wkhGroup,ou=Group,ou=defaultCluster,dc=zdh,dc=com
objectClass: posixGroup
objectClass: top
objectClass: groupOfNames
cn: wkhGroup
gidNumber: 10015
member: uid=wkh,ou=People,ou=defaultCluster,dc=zdh,dc=com
structuralObjectClass: groupOfNames
entryUUID: 4bacacf6-a410-1037-996c-b7792c876d2c
creatorsName: cn=LdapAdmin,dc=zdh,dc=com
createTimestamp: 20180212071549Z
entryCSN: 20180212071617.147179Z#00#001#00
modifiersName: cn=LdapAdmin,dc=zdh,dc=com
modifyTimestamp: 20180212071617Z
{code}

But my environment is Redhat, the member format is username or cn just like 
'wkh' in group, so when username is "WKH", the ldap can not use "WKH" to match 
the ldap group.

{code:java}
dn: cn=wkhGroup,ou=Group,ou=defaultCluster,dc=zdh,dc=com
objectClass: posixGroup
objectClass: top
cn: wkhGroup
gidNumber: 1
structuralObjectClass: posixGroup
entryUUID: f99c7e72-9466-1037-8810-e1d7152e775c
creatorsName: cn=LdapAdmin,dc=zdh,dc=com
createTimestamp: 20180123085558Z
memberUid: wkh
memberUid: wkh1
memberUid: wkh2
memberUid: Wkh5
entryCSN: 20180124082044.774518Z#00#001#00
modifiersName: cn=LdapAdmin,dc=zdh,dc=com
modifyTimestamp: 20180124082044Z
{code}

Then I will answer your two questions. 
1. the signature of getAdditionalRoles() seems not the way you use.
Because the Redhat linux can not support the case insensitive ldap username, 
that is to say 'getGroupMembershipRoles(userDn, username)' will return empty 
Set, so I analyze the spring source code, after 
'getGroupMembershipRoles(userDn, username)', there will call 
'getAdditionalRoles(user, username)' to get the roles again, then I can get the 
real username from the DirContextOperations object.

2. In your patch you directly get username and not use the name that 
getAdditionalRoles(DirContextOperations user, String username) passed in.
Because the username passed in is not real one, but the 'WKH', so I find a way 
to fetch the real one from DirContextOperations  object by 'username = 
user.getStringAttribute("cn");'



[jira] [Comment Edited] (KYLIN-3197) When ldap is opened, I use an ignored case user to login, the page does not respond.

2018-02-11 Thread Peng Xing (JIRA)

[ 
https://issues.apache.org/jira/browse/KYLIN-3197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16360388#comment-16360388
 ] 

Peng Xing edited comment on KYLIN-3197 at 2/12/18 7:41 AM:
---

Hi [~Aron.tao], I have found out the reason why your environment is useable for 
case insensitive ldap username, because your linux is SUSE, the member format 
is userDn just like 'uid=wkh,ou=People,ou=defaultCluster,dc=zdh,dc=com' in 
group, so when userDn is 
"uid=wkh,ou=People,ou=defaultCluster,dc=zdh,dc=com", the ldap 
can use userDn to match the ldap group. I have tested in SUSE environment, it's 
really ok. 

{code:java}
dn: cn=wkhGroup,ou=Group,ou=defaultCluster,dc=zdh,dc=com
objectClass: posixGroup
objectClass: top
objectClass: groupOfNames
cn: wkhGroup
gidNumber: 10015
member: uid=wkh,ou=People,ou=defaultCluster,dc=zdh,dc=com
structuralObjectClass: groupOfNames
entryUUID: 4bacacf6-a410-1037-996c-b7792c876d2c
creatorsName: cn=LdapAdmin,dc=zdh,dc=com
createTimestamp: 20180212071549Z
entryCSN: 20180212071617.147179Z#00#001#00
modifiersName: cn=LdapAdmin,dc=zdh,dc=com
modifyTimestamp: 20180212071617Z
{code}

But my environment is Redhat, the member format is username or cn just like 
'wkh' in group, so when username is "WKH", the ldap can not use "WKH" to match 
the ldap group.

{code:java}
dn: cn=wkhGroup,ou=Group,ou=defaultCluster,dc=zdh,dc=com
objectClass: posixGroup
objectClass: top
cn: wkhGroup
gidNumber: 1
structuralObjectClass: posixGroup
entryUUID: f99c7e72-9466-1037-8810-e1d7152e775c
creatorsName: cn=LdapAdmin,dc=zdh,dc=com
createTimestamp: 20180123085558Z
memberUid: wkh
memberUid: wkh1
memberUid: wkh2
memberUid: Wkh5
entryCSN: 20180124082044.774518Z#00#001#00
modifiersName: cn=LdapAdmin,dc=zdh,dc=com
modifyTimestamp: 20180124082044Z
{code}

Then I will answer your two questions. 
1. the signature of getAdditionalRoles() seems not the way you use.
Because the Redhat linux can not support the case insensitive ldap username, 
that is to say 'getGroupMembershipRoles(userDn, username)' will return empty 
Set, so I analyze the spring source code, after 
'getGroupMembershipRoles(userDn, username)', there will call 
'getAdditionalRoles(user, username)' to get the roles again, then I can get the 
real username from the DirContextOperations object.

2. In your patch you directly get username and not use the name that 
getAdditionalRoles(DirContextOperations user, String username) passed in.
Because the username passed in is not real one, but the 'WKH', so I find a way 
to fetch the real one from DirContextOperations  object by 'username = 
user.getStringAttribute("cn");'


was (Author: xingpeng1):
Hi [~Aron.tao], I have found out the reason why your environment is useable for 
case insensitive ldap username, because your linux is SUSE, the member format 
is userDn just like 'uid=wkh,ou=People,ou=defaultCluster,dc=zdh,dc=com' in 
group, so when userDn is 
"uid={color:red}wkh{color},ou=People,ou=defaultCluster,dc=zdh,dc=com", the ldap 
can use userDn to match the ldap group.

{code:java}
dn: cn=wkhGroup,ou=Group,ou=defaultCluster,dc=zdh,dc=com
objectClass: posixGroup
objectClass: top
objectClass: groupOfNames
cn: wkhGroup
gidNumber: 10015
member: uid=wkh,ou=People,ou=defaultCluster,dc=zdh,dc=com
structuralObjectClass: groupOfNames
entryUUID: 4bacacf6-a410-1037-996c-b7792c876d2c
creatorsName: cn=LdapAdmin,dc=zdh,dc=com
createTimestamp: 20180212071549Z
entryCSN: 20180212071617.147179Z#00#001#00
modifiersName: cn=LdapAdmin,dc=zdh,dc=com
modifyTimestamp: 20180212071617Z
{code}

But my environment is Redhat, the member format is username or cn just like 
'wkh' in group, so when username is "WKH", the ldap can not use "WKH" to match 
the ldap group.

{code:java}
dn: cn=wkhGroup,ou=Group,ou=defaultCluster,dc=zdh,dc=com
objectClass: posixGroup
objectClass: top
cn: wkhGroup
gidNumber: 1
structuralObjectClass: posixGroup
entryUUID: f99c7e72-9466-1037-8810-e1d7152e775c
creatorsName: cn=LdapAdmin,dc=zdh,dc=com
createTimestamp: 20180123085558Z
memberUid: wkh
memberUid: wkh1
memberUid: wkh2
memberUid: Wkh5
entryCSN: 20180124082044.774518Z#00#001#00
modifiersName: cn=LdapAdmin,dc=zdh,dc=com
modifyTimestamp: 20180124082044Z
{code}

Then I will answer your two questions. 
1. the signature of getAdditionalRoles() seems not the way you use.
Because the Redhat linux can not support the case insensitive ldap username, 
that is to say 'getGroupMembershipRoles(userDn, username)' will return empty 
Set, so I analyze the spring source code, after 
'getGroupMembershipRoles(userDn, username)', there will call 
'getAdditionalRoles(user, username)' to get the roles again, then I can get the 
real username from the DirContextOperations object.

2. In your patch you directly get username and not use the name that 
getAdditionalRoles(DirContextOperations user, String username) passed in.
Because the 

[jira] [Comment Edited] (KYLIN-3197) When ldap is opened, I use an ignored case user to login, the page does not respond.

2018-02-11 Thread Peng Xing (JIRA)

[ 
https://issues.apache.org/jira/browse/KYLIN-3197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16360388#comment-16360388
 ] 

Peng Xing edited comment on KYLIN-3197 at 2/12/18 7:41 AM:
---

Hi [~Aron.tao], I have found out the reason why your environment is useable for 
case insensitive ldap username, because your linux is SUSE, the member format 
is userDn just like 'uid=wkh,ou=People,ou=defaultCluster,dc=zdh,dc=com' in 
group, so when userDn is 
"uid={color:red}wkh{color},ou=People,ou=defaultCluster,dc=zdh,dc=com", the ldap 
can use userDn to match the ldap group. I have tested in SUSE environment, it's 
really ok. 

{code:java}
dn: cn=wkhGroup,ou=Group,ou=defaultCluster,dc=zdh,dc=com
objectClass: posixGroup
objectClass: top
objectClass: groupOfNames
cn: wkhGroup
gidNumber: 10015
member: uid=wkh,ou=People,ou=defaultCluster,dc=zdh,dc=com
structuralObjectClass: groupOfNames
entryUUID: 4bacacf6-a410-1037-996c-b7792c876d2c
creatorsName: cn=LdapAdmin,dc=zdh,dc=com
createTimestamp: 20180212071549Z
entryCSN: 20180212071617.147179Z#00#001#00
modifiersName: cn=LdapAdmin,dc=zdh,dc=com
modifyTimestamp: 20180212071617Z
{code}

But my environment is Redhat, the memberUid format is username or cn just like 
'wkh' in group, so when username is "WKH", the ldap can not use "WKH" to match 
the ldap group.

{code:java}
dn: cn=wkhGroup,ou=Group,ou=defaultCluster,dc=zdh,dc=com
objectClass: posixGroup
objectClass: top
cn: wkhGroup
gidNumber: 1
structuralObjectClass: posixGroup
entryUUID: f99c7e72-9466-1037-8810-e1d7152e775c
creatorsName: cn=LdapAdmin,dc=zdh,dc=com
createTimestamp: 20180123085558Z
memberUid: wkh
memberUid: wkh1
memberUid: wkh2
memberUid: Wkh5
entryCSN: 20180124082044.774518Z#00#001#00
modifiersName: cn=LdapAdmin,dc=zdh,dc=com
modifyTimestamp: 20180124082044Z
{code}

Then I will answer your two questions. 
1. the signature of getAdditionalRoles() seems not the way you use.
Because the Redhat linux can not support the case insensitive ldap username, 
that is to say 'getGroupMembershipRoles(userDn, username)' will return empty 
Set, so I analyze the spring source code, after 
'getGroupMembershipRoles(userDn, username)', there will call 
'getAdditionalRoles(user, username)' to get the roles again, then I can get the 
real username from the DirContextOperations object.

2. In your patch you directly get username and not use the name that 
getAdditionalRoles(DirContextOperations user, String username) passed in.
Because the username passed in is not real one, but the 'WKH', so I find a way 
to fetch the real one from DirContextOperations  object by 'username = 
user.getStringAttribute("cn");'


was (Author: xingpeng1):
Hi [~Aron.tao], I have found out the reason why your environment is useable for 
case insensitive ldap username, because your linux is SUSE, the member format 
is userDn just like 'uid=wkh,ou=People,ou=defaultCluster,dc=zdh,dc=com' in 
group, so when userDn is 
"uid={color:red}wkh{color},ou=People,ou=defaultCluster,dc=zdh,dc=com", the ldap 
can use userDn to match the ldap group. I have tested in SUSE environment, it's 
really ok. 

{code:java}
dn: cn=wkhGroup,ou=Group,ou=defaultCluster,dc=zdh,dc=com
objectClass: posixGroup
objectClass: top
objectClass: groupOfNames
cn: wkhGroup
gidNumber: 10015
member: uid=wkh,ou=People,ou=defaultCluster,dc=zdh,dc=com
structuralObjectClass: groupOfNames
entryUUID: 4bacacf6-a410-1037-996c-b7792c876d2c
creatorsName: cn=LdapAdmin,dc=zdh,dc=com
createTimestamp: 20180212071549Z
entryCSN: 20180212071617.147179Z#00#001#00
modifiersName: cn=LdapAdmin,dc=zdh,dc=com
modifyTimestamp: 20180212071617Z
{code}

But my environment is Redhat, the member format is username or cn just like 
'wkh' in group, so when username is "WKH", the ldap can not use "WKH" to match 
the ldap group.

{code:java}
dn: cn=wkhGroup,ou=Group,ou=defaultCluster,dc=zdh,dc=com
objectClass: posixGroup
objectClass: top
cn: wkhGroup
gidNumber: 1
structuralObjectClass: posixGroup
entryUUID: f99c7e72-9466-1037-8810-e1d7152e775c
creatorsName: cn=LdapAdmin,dc=zdh,dc=com
createTimestamp: 20180123085558Z
memberUid: wkh
memberUid: wkh1
memberUid: wkh2
memberUid: Wkh5
entryCSN: 20180124082044.774518Z#00#001#00
modifiersName: cn=LdapAdmin,dc=zdh,dc=com
modifyTimestamp: 20180124082044Z
{code}

Then I will answer your two questions. 
1. the signature of getAdditionalRoles() seems not the way you use.
Because the Redhat linux can not support the case insensitive ldap username, 
that is to say 'getGroupMembershipRoles(userDn, username)' will return empty 
Set, so I analyze the spring source code, after 
'getGroupMembershipRoles(userDn, username)', there will call 
'getAdditionalRoles(user, username)' to get the roles again, then I can get the 
real username from the DirContextOperations object.

2. In your patch you directly get username and not use the name that 

[jira] [Comment Edited] (KYLIN-3197) When ldap is opened, I use an ignored case user to login, the page does not respond.

2018-02-11 Thread Peng Xing (JIRA)

[ 
https://issues.apache.org/jira/browse/KYLIN-3197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16360388#comment-16360388
 ] 

Peng Xing edited comment on KYLIN-3197 at 2/12/18 7:39 AM:
---

Hi [~Aron.tao], I have found out the reason why your environment is useable for 
case insensitive ldap username, because your linux is SUSE, the member format 
is userDn just like 'uid=wkh,ou=People,ou=defaultCluster,dc=zdh,dc=com' in 
group, so when userDn is 
"uid={color:red}wkh{color},ou=People,ou=defaultCluster,dc=zdh,dc=com", the ldap 
can use userDn to match the ldap group.

{code:java}
dn: cn=wkhGroup,ou=Group,ou=defaultCluster,dc=zdh,dc=com
objectClass: posixGroup
objectClass: top
objectClass: groupOfNames
cn: wkhGroup
gidNumber: 10015
member: uid=wkh,ou=People,ou=defaultCluster,dc=zdh,dc=com
structuralObjectClass: groupOfNames
entryUUID: 4bacacf6-a410-1037-996c-b7792c876d2c
creatorsName: cn=LdapAdmin,dc=zdh,dc=com
createTimestamp: 20180212071549Z
entryCSN: 20180212071617.147179Z#00#001#00
modifiersName: cn=LdapAdmin,dc=zdh,dc=com
modifyTimestamp: 20180212071617Z
{code}

But my environment is Redhat, the member format is username or cn just like 
'wkh' in group, so when username is "WKH", the ldap can not use "WKH" to match 
the ldap group.

{code:java}
dn: cn=wkhGroup,ou=Group,ou=defaultCluster,dc=zdh,dc=com
objectClass: posixGroup
objectClass: top
cn: wkhGroup
gidNumber: 1
structuralObjectClass: posixGroup
entryUUID: f99c7e72-9466-1037-8810-e1d7152e775c
creatorsName: cn=LdapAdmin,dc=zdh,dc=com
createTimestamp: 20180123085558Z
memberUid: wkh
memberUid: wkh1
memberUid: wkh2
memberUid: Wkh5
entryCSN: 20180124082044.774518Z#00#001#00
modifiersName: cn=LdapAdmin,dc=zdh,dc=com
modifyTimestamp: 20180124082044Z
{code}

Then I will answer your two questions. 
1. the signature of getAdditionalRoles() seems not the way you use.
Because the Redhat linux can not support the case insensitive ldap username, 
that is to say 'getGroupMembershipRoles(userDn, username)' will return empty 
Set, so I analyze the spring source code, after 
'getGroupMembershipRoles(userDn, username)', there will call 
'getAdditionalRoles(user, username)' to get the roles again, then I can get the 
real username from the DirContextOperations object.

2. In your patch you directly get username and not use the name that 
getAdditionalRoles(DirContextOperations user, String username) passed in.
Because the username passed in is not real one, but the 'WKH', so I find a way 
to fetch the real one from DirContextOperations  object by 'username = 
user.getStringAttribute("cn");'


was (Author: xingpeng1):
Hi [~Aron.tao], I have found out the reason why your environment is useable for 
case insensitive ldap username, because your linux is SUSE, the member format 
is userDn just like 'uid=wkh,ou=People,ou=defaultCluster,dc=zdh,dc=com' in 
group, so when userDn is 
"uid={color:red}wkh{color},ou=People,ou=defaultCluster,dc=zdh,dc=com", the ldap 
can use userDn to match the ldap group.

{code:java}
dn: cn=wkhGroup,ou=Group,ou=defaultCluster,dc=zdh,dc=com
objectClass: posixGroup
objectClass: top
objectClass: groupOfNames
cn: wkhGroup
gidNumber: 10015
member: uid=wkh,ou=People,ou=defaultCluster,dc=zdh,dc=com
structuralObjectClass: groupOfNames
entryUUID: 4bacacf6-a410-1037-996c-b7792c876d2c
creatorsName: cn=LdapAdmin,dc=zdh,dc=com
createTimestamp: 20180212071549Z
entryCSN: 20180212071617.147179Z#00#001#00
modifiersName: cn=LdapAdmin,dc=zdh,dc=com
modifyTimestamp: 20180212071617Z
{code}

But my environment is Redhat, the member format is username or cn just like 
'wkh' in group, so when username is "WKH", the ldap can not use "WKH" to match 
the ldap group.

{code:java}
dn: cn=wkhGroup,ou=Group,ou=defaultCluster,dc=zdh,dc=com
objectClass: posixGroup
objectClass: top
cn: wkhGroup
gidNumber: 1
structuralObjectClass: posixGroup
entryUUID: f99c7e72-9466-1037-8810-e1d7152e775c
creatorsName: cn=LdapAdmin,dc=zdh,dc=com
createTimestamp: 20180123085558Z
memberUid: wkh
memberUid: wkh1
memberUid: wkh2
memberUid: Wkh5
entryCSN: 20180124082044.774518Z#00#001#00
modifiersName: cn=LdapAdmin,dc=zdh,dc=com
modifyTimestamp: 20180124082044Z
{code}

Then I will answer your two questions. 
1. the signature of getAdditionalRoles() seems not the way you use.
Because the Redhat linux can not support the case insensitive ldap username, 
that is to say 'getGroupMembershipRoles(userDn, username)' will return empty 
Set, so I analyze the spring source code, after 
'getGroupMembershipRoles(userDn, username)', there will call 
'getAdditionalRoles(user, username)' to get the roles again, then I can get the 
real username from the DirContextOperations object.

2. In your patch you directly get username and not use the name that 
getAdditionalRoles(DirContextOperations user, String username) passed in.
Because the username passed in is 

[jira] [Comment Edited] (KYLIN-3197) When ldap is opened, I use an ignored case user to login, the page does not respond.

2018-02-11 Thread Peng Xing (JIRA)

[ 
https://issues.apache.org/jira/browse/KYLIN-3197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16360264#comment-16360264
 ] 

Peng Xing edited comment on KYLIN-3197 at 2/12/18 7:39 AM:
---

Hi [~Aron.tao], Thanks for your reply. I found that when judging whether username 
and password are valid, ldap is not case insensitive. But when userDn is 
"uid={color:red}wkh{color},ou=People,ou=defaultCluster,dc=zdh,dc=com" and 
username is "{color:red}WKH{color}", then the following function will return an empty 
Set.
{code:java}
Set authorities = super.getGroupMembershipRoles(userDn, username);
{code}

 My kylin ldap config is as follows.
{code:java}
## Spring security profile, options: testing, ldap, saml
## with "testing" profile, user can use pre-defined name/pwd like KYLIN/ADMIN to login
kylin.security.profile=ldap
#
## Admin roles in LDAP, for ldap and saml
kylin.security.acl.admin-role=wkhGroup
#
## LDAP authentication configuration
kylin.security.ldap.connection-server=ldap://**:389
kylin.security.ldap.connection-username=cn=**,dc=zzz,dc=com
kylin.security.ldap.connection-password=**
#
## LDAP user account directory;
kylin.security.ldap.user-search-base=ou=People,ou=defaultCluster,dc=zdh,dc=com
kylin.security.ldap.user-search-pattern=(uid={0})
kylin.security.ldap.user-group-search-base=ou=Group,ou=defaultCluster,dc=zdh,dc=com
kylin.security.ldap.user-group-search-filter=(|(member={0})(memberUid={1}))

{code}




was (Author: xingpeng1):
Hi [~Aron.tao], Thanks for your reply. I found that when judging whether username 
and password are valid, ldap is not case insensitive. But when userDn is 
"uid={color:red}wkh{color},ou=People,ou=defaultCluster,dc=zdh,dc=com" and 
username is "{color:red}WKH{color}", then the following function will return an empty 
Set.
{code:java}
Set authorities = super.getGroupMembershipRoles(userDn, username);
{code}

 My kylin ldap config is as follows.
{code:java}
## Spring security profile, options: testing, ldap, saml
## with "testing" profile, user can use pre-defined name/pwd like KYLIN/ADMIN to login
kylin.security.profile=ldap
#
## Admin roles in LDAP, for ldap and saml
kylin.security.acl.admin-role=wkhGroup
#
## LDAP authentication configuration
kylin.security.ldap.connection-server=ldap://**:389
kylin.security.ldap.connection-username=cn=**,dc=zzz,dc=com
kylin.security.ldap.connection-password=**
#
## LDAP user account directory;
kylin.security.ldap.user-search-base=ou=People,ou=defaultCluster,dc=zzz,dc=com
kylin.security.ldap.user-search-pattern=(uid={0})
kylin.security.ldap.user-group-search-base=ou=Group,ou=defaultCluster,dc=zzz,dc=com
kylin.security.ldap.user-group-search-filter=(|(member={0})(memberUid={1}))

{code}



> When ldap is opened, I use an ignored case user to login, the page does not 
> respond.
> 
>
> Key: KYLIN-3197
> URL: https://issues.apache.org/jira/browse/KYLIN-3197
> Project: Kylin
> Issue Type: Bug
> Components: Security
> Affects Versions: v2.3.0
> Reporter: Peng Xing
> Assignee: Peng Xing
> Priority: Major
> Labels: patch
> Fix For: Future
>
> Attachments: 
> 0001-KYLIN-3197-When-ldap-is-opened-I-use-an-ignored-case.patch, 
> image-2018-01-25-17-22-39-970.png, image-2018-02-06-14-09-32-591.png, 
> image-2018-02-08-15-32-25-030.png, image-2018-02-08-15-33-07-277.png, 
> image-2018-02-08-15-33-54-480.png, image-2018-02-08-15-35-03-902.png, 
> image-2018-02-12-12-15-00-574.png, image-2018-02-12-12-15-28-826.png, 
> image-2018-02-12-12-15-39-132.png, image-2018-02-12-12-25-15-793.png
>
>
> When ldap is opened, I config the kylin.properties, and give wkhGroup the 
> admin permission.
> {code:java}
> ## Admin roles in LDAP, for ldap and saml
> kylin.security.acl.admin-role=wkhGroup
> {code}
> then I create a new user named 'wkh' whose group is 'wkhGroup', then I use 
> '{color:#ff}wkh{color}' to log in, which is normal.
>  But when I use '{color:#ff}WKH{color}' to log in, the page does not 
> respond.
>  I analyzed the background code, and found that the function 
> 'org.apache.kylin.rest.security.LDAPAuthoritiesPopulator.getGroupMembershipRoles(String, String)' 
> has a problem.
>  When userDn is 
> "uid={color:#ff}wkh{color},ou=People,ou=defaultCluster,dc=zdh,dc=com" and 
> username is "{color:#ff}WKH{color}", then authorities will be an empty Set 
> by the following code:
> {code:java}
> Set authorities = super.getGroupMembershipRoles(userDn, username);
> {code}
> So I have added 'getAdditionalRoles' function to get the authorities again.
>  I have tested the patch, please review, thanks!



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
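
The difference between the two group entries in this thread, modelled as an added example (not Kylin, Spring Security or patch code): the filter `(|(member={0})(memberUid={1}))` receives the user DN as {0} and the typed login name as {1}; `member` is compared as a DN, while `memberUid` is defined in RFC 2307 with an exact-case matching rule. The entries are rebuilt from the LDIF quoted above, and `find_user`, `roles_for_login` and the `use_directory_uid` switch are hypothetical names for this sketch.

```python
# Constructed model of the two wkhGroup entries quoted in this thread.
GROUP_OF_NAMES = {
    "cn": "wkhGroup",
    "member": ["uid=wkh,ou=People,ou=defaultCluster,dc=zdh,dc=com"],
    "memberUid": [],
}
POSIX_GROUP = {
    "cn": "wkhGroup",
    "member": [],
    "memberUid": ["wkh", "wkh1", "wkh2", "Wkh5"],
}
# Constructed user entry: DN and uid as stored in the directory (assumption).
USERS = [{"dn": "uid=wkh,ou=People,ou=defaultCluster,dc=zdh,dc=com", "uid": "wkh"}]


def normalize_dn(dn):
    """Simplified DN comparison key: RDN by RDN, ignoring case and padding.

    Assumes no escaped commas and case-ignore attribute types (uid, ou, dc),
    which holds for every DN shown on this page.
    """
    rdns = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return tuple(rdns)


def find_user(typed_name):
    """Model of user-search-pattern (uid={0}); uid matches ignoring case."""
    for user in USERS:
        if user["uid"].lower() == typed_name.lower():
            return user
    return None


def group_filter_matches(group, user_dn, username):
    """Evaluate (|(member={0})(memberUid={1})) against one group entry."""
    member_hit = any(
        normalize_dn(m) == normalize_dn(user_dn) for m in group["member"]
    )
    # memberUid uses caseExactIA5Match (RFC 2307): exact string comparison.
    member_uid_hit = username in group["memberUid"]
    return member_hit or member_uid_hit


def roles_for_login(typed_name, groups, use_directory_uid=False):
    """Return the set of group names granted to a login, or None if no user.

    use_directory_uid=True substitutes the uid stored in the directory for
    {1} instead of the name typed at the login prompt.
    """
    user = find_user(typed_name)
    if user is None:
        return None  # authentication fails before any group search
    username = user["uid"] if use_directory_uid else typed_name
    return {
        g["cn"] for g in groups if group_filter_matches(g, user["dn"], username)
    }


if __name__ == "__main__":
    for label, groups in (("groupOfNames", [GROUP_OF_NAMES]),
                          ("posixGroup", [POSIX_GROUP])):
        for name in ("wkh", "WKH"):
            print(label, name, roles_for_login(name, groups))
    print("posixGroup WKH (directory uid)",
          roles_for_login("WKH", [POSIX_GROUP], use_directory_uid=True))
```

The empty set for `WKH` against the `memberUid` entry is the state the reporter describes: the user is found, but the group search returns no authorities.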


[jira] [Comment Edited] (KYLIN-3197) When ldap is opened, I use an ignored case user to login, the page does not respond.

2018-02-11 Thread jiatao.tao (JIRA)

[ 
https://issues.apache.org/jira/browse/KYLIN-3197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16360224#comment-16360224
 ] 

jiatao.tao edited comment on KYLIN-3197 at 2/12/18 4:49 AM:


-1

[~peng.jianhua]  The root cause is even still under discussion, why do you 
merge the code???


was (Author: aron.tao):
-1

[~peng.jianhua]  The root cause is still under discussion, why do you merge 
the code???



[jira] [Comment Edited] (KYLIN-3197) When ldap is opened, I use an ignored case user to login, the page does not respond.

2018-02-11 Thread jiatao.tao (JIRA)

[ 
https://issues.apache.org/jira/browse/KYLIN-3197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16360305#comment-16360305
 ] 

jiatao.tao edited comment on KYLIN-3197 at 2/12/18 4:41 AM:


Besides, as for your patch, there are two things that are a little confusing to 
me and it would be great if you can confirm these:
 # the signature of getAdditionalRoles() seems not the way you use.
 # In your patch you directly get username and not use the name that 
getAdditionalRoles(DirContextOperations user, String username) passed in.
{code:java}
username = user.getStringAttribute("cn");
{code}

!image-2018-02-12-12-25-15-793.png|width=615,height=212!


was (Author: aron.tao):
Besides, there are two things that are a little confusing to me in your patch and 
it would be great if you can confirm these:
 # the signature of getAdditionalRoles() seems not the way you use.
 # In your patch you directly get username and not use the name that 
getAdditionalRoles(DirContextOperations user, String username) passed in.
{code:java}
username = user.getStringAttribute("cn");
{code}

!image-2018-02-12-12-25-15-793.png|width=615,height=212!



[jira] [Comment Edited] (KYLIN-3197) When ldap is opened, I use an ignored case user to login, the page does not respond.

2018-02-11 Thread jiatao.tao (JIRA)

[ 
https://issues.apache.org/jira/browse/KYLIN-3197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16360290#comment-16360290
 ] 

jiatao.tao edited comment on KYLIN-3197 at 2/12/18 4:40 AM:


Hi [~xingpeng1]

I understand your description, and there's no need to post again if there's no 
update.

And I tested your scenes, as you can see in the previous comment, and cannot 
reproduce your problem.

Let's put aside your patch first, and the root cause may not be the one you 
think. I recommend that we first find what the problem is, e.g. wrong usage? 
environment problem? LDAP problem? or is it our Kylin's bug? You can refer 
to my experiment. The LDIF config and Kylin config are as follows.

*As for me,* 
{color:#ff}kylin.security.ldap.user-search-pattern=(uid=\{0}){color}
 *in your config is very suspicious, ldap may use this as username when 
searching group members. And please confirm whether this is within your 
expectations. And may you use {color:#ff}cn{color} for a try?*

Hope you can find the true root cause.

LDIF
{code:java}
# People, example.com
dn: ou=People,dc=example,dc=com
ou: People
cn: People
objectClass: organizationalRole
objectClass: top

# jenny, People, example.com
dn: cn=jenny,ou=People,dc=example,dc=com
mail: je...@example.io
ou: Analyst
cn: jenny
sn: jenny liu
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
userPassword:: ZXhhbXBsZTEyMw==

# admin, Groups, example.com
dn: cn=admin,ou=Groups,dc=example,dc=com
cn: admin
member: cn=jenny,ou=People,dc=example,dc=com
objectClass: groupOfNames
objectClass: top
{code}
{code:java}
kylin.security.ldap.user-search-base=ou=People,dc=example,dc=com
kylin.security.ldap.user-group-search-base=ou=Groups,dc=example,dc=com
kylin.security.ldap.user-search-pattern=(&(cn={0}))
kylin.security.ldap.user-group-search-filter=(|(member={0})(memberUid={1}))

kylin.security.acl.admin-role=admin

{code}


was (Author: aron.tao):
Hi [~xingpeng1]

I understand your description, and there's no need to post again if there's no 
update.

And I tested your scenes, as you can see in the previous comment, and cannot 
reproduce your problem.

Let's put aside your patch first, and the root cause may not be the one you 
think. I recommend that we first find what the problem is, e.g. wrong usage? 
environment problem? LDAP problem? or is it our Kylin's bug? You can refer 
to my experiment. The LDIF config and Kylin config are as follows.

*As for me,* 
{color:#FF}kylin.security.ldap.user-search-pattern=(uid=\{0}){color}
 *in your config is very suspicious, ldap may use this as username to search 
group members. And please confirm whether this is within your expectations. And may you 
use {color:#FF}cn{color} for a try?*

Hope you can find the true root cause.

LDIF
{code:java}
# People, example.com
dn: ou=People,dc=example,dc=com
ou: People
cn: People
objectClass: organizationalRole
objectClass: top

# jenny, People, example.com
dn: cn=jenny,ou=People,dc=example,dc=com
mail: je...@example.io
ou: Analyst
cn: jenny
sn: jenny liu
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
userPassword:: ZXhhbXBsZTEyMw==

# admin, Groups, example.com
dn: cn=admin,ou=Groups,dc=example,dc=com
cn: admin
member: cn=jenny,ou=People,dc=example,dc=com
objectClass: groupOfNames
objectClass: top
{code}
{code:java}
kylin.security.ldap.user-search-base=ou=People,dc=example,dc=com
kylin.security.ldap.user-group-search-base=ou=Groups,dc=example,dc=com
kylin.security.ldap.user-search-pattern=(&(cn={0}))
kylin.security.ldap.user-group-search-filter=(|(member={0})(memberUid={1}))

kylin.security.acl.admin-role=admin

{code}


[jira] [Comment Edited] (KYLIN-3197) When ldap is opened, I use an ignored case user to login, the page does not respond.

2018-02-11 Thread jiatao.tao (JIRA)

[ 
https://issues.apache.org/jira/browse/KYLIN-3197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16360290#comment-16360290
 ] 

jiatao.tao edited comment on KYLIN-3197 at 2/12/18 4:39 AM:


Hi [~xingpeng1]

I understand your description, and there's no need to post again if there's no 
update.

And I tested your scenes, as you can see in the previous comment, and cannot 
reproduce your problem.

Let's put aside your patch first, and the root cause may not be the one you 
think. I recommend that we first find what the problem is, e.g. wrong usage? 
environment problem? LDAP problem? or is it our Kylin's bug? You can refer 
to my experiment. The LDIF config and Kylin config are as follows.

*As for me,* 
{color:#FF}kylin.security.ldap.user-search-pattern=(uid=\{0}){color}
 *in your config is very suspicious, ldap may use this as username to search 
group members. And please confirm whether this is within your expectations. And may you 
use {color:#FF}cn{color} for a try?*

Hope you can find the true root cause.

LDIF
{code:java}
# People, example.com
dn: ou=People,dc=example,dc=com
ou: People
cn: People
objectClass: organizationalRole
objectClass: top

# jenny, People, example.com
dn: cn=jenny,ou=People,dc=example,dc=com
mail: je...@example.io
ou: Analyst
cn: jenny
sn: jenny liu
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
userPassword:: ZXhhbXBsZTEyMw==

# admin, Groups, example.com
dn: cn=admin,ou=Groups,dc=example,dc=com
cn: admin
member: cn=jenny,ou=People,dc=example,dc=com
objectClass: groupOfNames
objectClass: top
{code}
{code:java}
kylin.security.ldap.user-search-base=ou=People,dc=example,dc=com
kylin.security.ldap.user-group-search-base=ou=Groups,dc=example,dc=com
kylin.security.ldap.user-search-pattern=(&(cn={0}))
kylin.security.ldap.user-group-search-filter=(|(member={0})(memberUid={1}))

kylin.security.acl.admin-role=admin

{code}


was (Author: aron.tao):
Hi [~xingpeng1]

I understand your description, and there's no need to post again if there's no 
update.

And I tested your scenes, as you can see in the previous comment, and cannot 
reproduce your problem.

Let's put aside your patch first, and the root cause may not be the one you 
think. I recommend that we first find what the problem is, e.g. wrong usage? 
environment problem? LDAP problem? or is it our Kylin's bug? You can refer 
to my experiment. The LDIF config and Kylin config are as follows.

*As for me, kylin.security.ldap.user-search-pattern=(uid=\{0})*
 *in your config is very suspicious, ldap may use this as username to search 
group members. And please confirm whether this is within your expectations. And may you 
use cn for a try?*

Hope you can find the true root cause.

LDIF
{code:java}
# People, example.com
dn: ou=People,dc=example,dc=com
ou: People
cn: People
objectClass: organizationalRole
objectClass: top

# jenny, People, example.com
dn: cn=jenny,ou=People,dc=example,dc=com
mail: je...@example.io
ou: Analyst
cn: jenny
sn: jenny liu
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
userPassword:: ZXhhbXBsZTEyMw==

# admin, Groups, example.com
dn: cn=admin,ou=Groups,dc=example,dc=com
cn: admin
member: cn=jenny,ou=People,dc=example,dc=com
objectClass: groupOfNames
objectClass: top
{code}
{code:java}
kylin.security.ldap.user-search-base=ou=People,dc=example,dc=com
kylin.security.ldap.user-group-search-base=ou=Groups,dc=example,dc=com
kylin.security.ldap.user-search-pattern=(&(cn={0}))
kylin.security.ldap.user-group-search-filter=(|(member={0})(memberUid={1}))

kylin.security.acl.admin-role=admin

{code}

> When ldap is opened, I use an ignored case user to login, the page does not 
> respond.
> 
>
> Key: KYLIN-3197
> URL: https://issues.apache.org/jira/browse/KYLIN-3197
> Project: Kylin
>  Issue Type: Bug
>  Components: Security
>Affects Versions: v2.3.0
>Reporter: Peng Xing
>Assignee: Peng Xing
>Priority: Major
>  Labels: patch
> Fix For: Future
>
> Attachments: 
> 0001-KYLIN-3197-When-ldap-is-opened-I-use-an-ignored-case.patch, 
> image-2018-01-25-17-22-39-970.png, image-2018-02-06-14-09-32-591.png, 
> image-2018-02-08-15-32-25-030.png, image-2018-02-08-15-33-07-277.png, 
> image-2018-02-08-15-33-54-480.png, image-2018-02-08-15-35-03-902.png, 
> image-2018-02-12-12-15-00-574.png, image-2018-02-12-12-15-28-826.png, 
> image-2018-02-12-12-15-39-132.png, image-2018-02-12-12-25-15-793.png
>
>
> When ldap is opened, I config the kylin.properties, and give wkhGroup the 
> admin permission.
> {code:java}
> ## Admin roles in LDAP, for ldap and saml
> kylin.security.acl.admin-role=wkhGroup
> {code}
> then I create a new user named 'wkh' whose 
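
The group-search filter in the Kylin config of this message, `(|(member={0})(memberUid={1}))`, follows the Spring Security convention that `{0}` is the user's DN and `{1}` is the login name. The sketch below is an added example (Python, not Kylin or Spring Security code) that evaluates that filter over the LDIF from this message plus one constructed `memberUid` group, to show which branch depends on the case of the typed login name. The `analysts` group, the simplified DN normalisation and all function names are assumptions of the example.

```python
# Equality matching rules defined by the standard schemas:
#   member    -> distinguishedNameMatch (RFC 4519): cn/ou/dc values inside
#                the DN compare case-insensitively
#   memberUid -> caseExactIA5Match (RFC 2307): compares case-sensitively
#   cn        -> caseIgnoreMatch (RFC 4519)


def norm_dn(dn):
    # Simplified normalisation, sufficient for this example: trim and
    # lower-case every RDN. A real server applies each attribute's own rule.
    return ",".join(part.strip().lower() for part in dn.split(","))


MATCHERS = {
    "member": lambda stored, asserted: norm_dn(stored) == norm_dn(asserted),
    "memberUid": lambda stored, asserted: stored == asserted,
}

# User entry taken from the LDIF in this message.
USERS = [{"dn": "cn=jenny,ou=People,dc=example,dc=com", "cn": "jenny"}]

GROUPS = [
    # groupOfNames entry taken from the LDIF in this message.
    {"cn": "admin",
     "member": ["cn=jenny,ou=People,dc=example,dc=com"]},
    # Constructed posixGroup-style entry (not on the page), listing the
    # member by name instead of by DN.
    {"cn": "analysts",
     "memberUid": ["jenny"]},
]


def find_user(typed_name):
    """user-search-pattern (&(cn={0})): cn matches case-insensitively."""
    for user in USERS:
        if user["cn"].lower() == typed_name.lower():
            return user
    return None


def group_roles(user_dn, username):
    """Evaluate (|(member={0})(memberUid={1})) with {0}=user_dn, {1}=username."""
    assertions = {"member": user_dn, "memberUid": username}
    roles = set()
    for group in GROUPS:
        for attr, asserted in assertions.items():
            if any(MATCHERS[attr](v, asserted) for v in group.get(attr, [])):
                roles.add(group["cn"])
    return roles


def login_roles(typed_name, use_directory_name=False):
    """Roles for a login. The DN always comes from the entry that was found;
    the name is either what the user typed or the cn stored in that entry."""
    user = find_user(typed_name)
    if user is None:
        return set()
    name = user["cn"] if use_directory_name else typed_name
    return group_roles(user["dn"], name)


if __name__ == "__main__":
    for typed in ("jenny", "JENNY"):
        print(typed, sorted(login_roles(typed)),
              sorted(login_roles(typed, use_directory_name=True)))
```

The `member` branch is unaffected by how the name was typed because the DN is read back from the directory; only the `memberUid` branch compares the typed string itself.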

[jira] [Comment Edited] (KYLIN-3197) When ldap is opened, I use an ignored case user to login, the page does not respond.

2018-02-11 Thread jiatao.tao (JIRA)

[ 
https://issues.apache.org/jira/browse/KYLIN-3197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16360290#comment-16360290
 ] 

jiatao.tao edited comment on KYLIN-3197 at 2/12/18 4:38 AM:


Hi [~xingpeng1]

I understand your description, and there's no need to post again if there's no 
update.

And I test your scenes, as you can see in the previous comment, and cannot 
reproduce your problem.

Let's put aside your patch first, and the root cause may not be the one you 
think, I recommend that we first find what's the problem, e.g. wrong usage? 
environment problem? LDAP problem? or it's our Kylin's bug. You can refer 
to my experiment. The LDIF config and Kylin config are as follows.

 *As for me, kylin.security.ldap.user-search-pattern=(uid={0})*
 *in your config is very suspicious, ldap may use this as username to search 
group members. And please confirm whether this is within your expectations. And may you 
use cn for a try?*

Hope you can find the true root cause.

LDIF
{code:java}
# People, example.com
dn: ou=People,dc=example,dc=com
ou: People
cn: People
objectClass: organizationalRole
objectClass: top

# jenny, People, example.com
dn: cn=jenny,ou=People,dc=example,dc=com
mail: je...@example.io
ou: Analyst
cn: jenny
sn: jenny liu
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
userPassword:: ZXhhbXBsZTEyMw==

# admin, Groups, example.com
dn: cn=admin,ou=Groups,dc=example,dc=com
cn: admin
member: cn=jenny,ou=People,dc=example,dc=com
objectClass: groupOfNames
objectClass: top
{code}
{code:java}
kylin.security.ldap.user-search-base=ou=People,dc=example,dc=com
kylin.security.ldap.user-group-search-base=ou=Groups,dc=example,dc=com
kylin.security.ldap.user-search-pattern=(&(cn={0}))
kylin.security.ldap.user-group-search-filter=(|(member={0})(memberUid={1}))

kylin.security.acl.admin-role=admin

{code}


was (Author: aron.tao):
Hi [~xingpeng1]

I understand your description, and there's no need to post again if there's no 
update.

And I test your scenes, as you can see in the previous comment, and cannot 
reproduce your problem.

Let's put aside your patch first, and the root cause may not be the one you 
think, I recommend that we first find what's the problem, e.g. wrong usage? 
environment problem? LDAP problem? or it's our Kylin's bug. You can refer 
to my experiment. The LDIF config and Kylin config are as follows.

 (As for me, kylin.security.ldap.user-search-pattern=(uid={0})
 in your config is very suspicious, ldap may use this as username to search 
group members. And please confirm whether this is within your expectations. And may you 
use cn for a try?)

Hope you can find the true root cause.

LDIF
{code:java}
# People, example.com
dn: ou=People,dc=example,dc=com
ou: People
cn: People
objectClass: organizationalRole
objectClass: top

# jenny, People, example.com
dn: cn=jenny,ou=People,dc=example,dc=com
mail: je...@example.io
ou: Analyst
cn: jenny
sn: jenny liu
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
userPassword:: ZXhhbXBsZTEyMw==

# admin, Groups, example.com
dn: cn=admin,ou=Groups,dc=example,dc=com
cn: admin
member: cn=jenny,ou=People,dc=example,dc=com
objectClass: groupOfNames
objectClass: top
{code}
{code:java}
kylin.security.ldap.user-search-base=ou=People,dc=example,dc=com
kylin.security.ldap.user-group-search-base=ou=Groups,dc=example,dc=com
kylin.security.ldap.user-search-pattern=(&(cn={0}))
kylin.security.ldap.user-group-search-filter=(|(member={0})(memberUid={1}))

kylin.security.acl.admin-role=admin

{code}

> When ldap is opened, I use an ignored case user to login, the page does not 
> respond.
>
> When ldap is opened, I config the kylin.properties, and give wkhGroup the 
> admin permission.
> {code:java}
> ## Admin roles in LDAP, for ldap and saml
> kylin.security.acl.admin-role=wkhGroup
> {code}
> then I create a new user named 'wkh' whose group is 'wkhGroup', then I use 
> 

[jira] [Comment Edited] (KYLIN-3197) When ldap is opened, I use an ignored case user to login, the page does not respond.

2018-02-11 Thread jiatao.tao (JIRA)

[ 
https://issues.apache.org/jira/browse/KYLIN-3197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16360290#comment-16360290
 ] 

jiatao.tao edited comment on KYLIN-3197 at 2/12/18 4:38 AM:


Hi [~xingpeng1]

I understand your description, and there's no need to post again if there's no 
update.

And I test your scenes, as you can see in the previous comment, and cannot 
reproduce your problem.

Let's put aside your patch first, and the root cause may not be the one you 
think, I recommend that we first find what's the problem, e.g. wrong usage? 
environment problem? LDAP problem? or it's our Kylin's bug. You can refer 
to my experiment. The LDIF config and Kylin config are as follows.

*As for me, kylin.security.ldap.user-search-pattern=(uid={0})*
 *in your config is very suspicious, ldap may use this as username to search 
group members. And please confirm whether this is within your expectations. And may you 
use cn for a try?*

Hope you can find the true root cause.

LDIF
{code:java}
# People, example.com
dn: ou=People,dc=example,dc=com
ou: People
cn: People
objectClass: organizationalRole
objectClass: top

# jenny, People, example.com
dn: cn=jenny,ou=People,dc=example,dc=com
mail: je...@example.io
ou: Analyst
cn: jenny
sn: jenny liu
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
userPassword:: ZXhhbXBsZTEyMw==

# admin, Groups, example.com
dn: cn=admin,ou=Groups,dc=example,dc=com
cn: admin
member: cn=jenny,ou=People,dc=example,dc=com
objectClass: groupOfNames
objectClass: top
{code}
{code:java}
kylin.security.ldap.user-search-base=ou=People,dc=example,dc=com
kylin.security.ldap.user-group-search-base=ou=Groups,dc=example,dc=com
kylin.security.ldap.user-search-pattern=(&(cn={0}))
kylin.security.ldap.user-group-search-filter=(|(member={0})(memberUid={1}))

kylin.security.acl.admin-role=admin

{code}


was (Author: aron.tao):
Hi [~xingpeng1]

I understand your description, and there's no need to post again if there's no 
update.

And I test your scenes, as you can see in the previous comment, and cannot 
reproduce your problem.

Let's put aside your patch first, and the root cause may not be the one you 
think, I recommend that we first find what's the problem, e.g. wrong usage? 
environment problem? LDAP problem? or it's our Kylin's bug. You can refer 
to my experiment. The LDIF config and Kylin config are as follows.

 *As for me, kylin.security.ldap.user-search-pattern=(uid={0})*
 *in your config is very suspicious, ldap may use this as username to search 
group members. And please confirm whether this is within your expectations. And may you 
use cn for a try?*

Hope you can find the true root cause.

LDIF
{code:java}
# People, example.com
dn: ou=People,dc=example,dc=com
ou: People
cn: People
objectClass: organizationalRole
objectClass: top

# jenny, People, example.com
dn: cn=jenny,ou=People,dc=example,dc=com
mail: je...@example.io
ou: Analyst
cn: jenny
sn: jenny liu
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
userPassword:: ZXhhbXBsZTEyMw==

# admin, Groups, example.com
dn: cn=admin,ou=Groups,dc=example,dc=com
cn: admin
member: cn=jenny,ou=People,dc=example,dc=com
objectClass: groupOfNames
objectClass: top
{code}
{code:java}
kylin.security.ldap.user-search-base=ou=People,dc=example,dc=com
kylin.security.ldap.user-group-search-base=ou=Groups,dc=example,dc=com
kylin.security.ldap.user-search-pattern=(&(cn={0}))
kylin.security.ldap.user-group-search-filter=(|(member={0})(memberUid={1}))

kylin.security.acl.admin-role=admin

{code}

> When ldap is opened, I use an ignored case user to login, the page does not 
> respond.
>
> When ldap is opened, I config the kylin.properties, and give wkhGroup the 
> admin permission.
> {code:java}
> ## Admin roles in LDAP, for ldap and saml
> kylin.security.acl.admin-role=wkhGroup
> {code}
> then I create a new user named 'wkh' whose group is 'wkhGroup', then I use 
> 

[jira] [Comment Edited] (KYLIN-3197) When ldap is opened, I use an ignored case user to login, the page does not respond.

2018-02-11 Thread jiatao.tao (JIRA)

[ 
https://issues.apache.org/jira/browse/KYLIN-3197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16360290#comment-16360290
 ] 

jiatao.tao edited comment on KYLIN-3197 at 2/12/18 4:37 AM:


Hi [~xingpeng1]

I understand your description, and there's no need to post again if there's no 
update.

And I test your scenes, as you can see in the previous comment, and cannot 
reproduce your problem.

Let's put aside your patch first, and the root cause may not be the one you 
think, I recommend that we first find what's the problem, e.g. wrong usage? 
environment problem? LDAP problem? or it's our Kylin's bug. You can refer 
to my experiment. The LDIF config and Kylin config are as follows.

 (As for me, kylin.security.ldap.user-search-pattern=(uid={0})
 in your config is very suspicious, ldap may use this as username to search 
group members. And please confirm whether this is within your expectations. And may you 
use cn for a try?)

Hope you can find the true root cause.

LDIF
{code:java}
# People, example.com
dn: ou=People,dc=example,dc=com
ou: People
cn: People
objectClass: organizationalRole
objectClass: top

# jenny, People, example.com
dn: cn=jenny,ou=People,dc=example,dc=com
mail: je...@example.io
ou: Analyst
cn: jenny
sn: jenny liu
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
userPassword:: ZXhhbXBsZTEyMw==

# admin, Groups, example.com
dn: cn=admin,ou=Groups,dc=example,dc=com
cn: admin
member: cn=jenny,ou=People,dc=example,dc=com
objectClass: groupOfNames
objectClass: top
{code}
{code:java}
kylin.security.ldap.user-search-base=ou=People,dc=example,dc=com
kylin.security.ldap.user-group-search-base=ou=Groups,dc=example,dc=com
kylin.security.ldap.user-search-pattern=(&(cn={0}))
kylin.security.ldap.user-group-search-filter=(|(member={0})(memberUid={1}))

kylin.security.acl.admin-role=admin

{code}


was (Author: aron.tao):
Hi [~xingpeng1]

I understand your description, and there's no need to post again if there's no 
update.

And I test your scenes, as you can see in the previous comment, and cannot 
reproduce your problem.

Let's put aside your patch first, and the root cause may not be the one you 
think, I recommend that we first find what's the problem, e.g. wrong usage? 
environment problem? LDAP problem? or it's our Kylin's bug. You can refer 
to my experiment. The LDIF config and Kylin config are as follows.

 (As for me, kylin.security.ldap.user-search-pattern=(uid={0})
 in your config is very suspicious, ldap may use this as username to search 
group members. And please confirm whether this is within your expectations. And may you 
use cn for try.)

Hope you can find the true root cause.

LDIF
{code:java}
# People, example.com
dn: ou=People,dc=example,dc=com
ou: People
cn: People
objectClass: organizationalRole
objectClass: top

# jenny, People, example.com
dn: cn=jenny,ou=People,dc=example,dc=com
mail: je...@example.io
ou: Analyst
cn: jenny
sn: jenny liu
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
userPassword:: ZXhhbXBsZTEyMw==

# admin, Groups, example.com
dn: cn=admin,ou=Groups,dc=example,dc=com
cn: admin
member: cn=jenny,ou=People,dc=example,dc=com
objectClass: groupOfNames
objectClass: top
{code}
{code:java}
kylin.security.ldap.user-search-base=ou=People,dc=example,dc=com
kylin.security.ldap.user-group-search-base=ou=Groups,dc=example,dc=com
kylin.security.ldap.user-search-pattern=(&(cn={0}))
kylin.security.ldap.user-group-search-filter=(|(member={0})(memberUid={1}))

kylin.security.acl.admin-role=admin

{code}

> When ldap is opened, I use an ignored case user to login, the page does not 
> respond.
>
> When ldap is opened, I config the kylin.properties, and give wkhGroup the 
> admin permission.
> {code:java}
> ## Admin roles in LDAP, for ldap and saml
> kylin.security.acl.admin-role=wkhGroup
> {code}
> then I create a new user named 'wkh' whose group is 'wkhGroup', then I use 
> 

[jira] [Comment Edited] (KYLIN-3197) When ldap is opened, I use an ignored case user to login, the page does not respond.

2018-02-11 Thread jiatao.tao (JIRA)

[ 
https://issues.apache.org/jira/browse/KYLIN-3197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16360290#comment-16360290
 ] 

jiatao.tao edited comment on KYLIN-3197 at 2/12/18 4:37 AM:


Hi [~xingpeng1]

I understand your description, and there's no need to post again if there's no 
update.

And I test your scenes, as you can see in the previous comment, and cannot 
reproduce your problem.

Let's put aside your patch first, and the root cause may not be the one you 
think, I recommend that we first find what's the problem, e.g. wrong usage? 
environment problem? LDAP problem? or it's our Kylin's bug. You can refer 
to my experiment. The LDIF config and Kylin config are as follows.

 (As for me, kylin.security.ldap.user-search-pattern=(uid={0})
 in your config is very suspicious, ldap may use this as username to search 
group members. And please confirm whether this is within your expectations. And may you 
use cn for try.)

Hope you can find the true root cause.

LDIF
{code:java}
# People, example.com
dn: ou=People,dc=example,dc=com
ou: People
cn: People
objectClass: organizationalRole
objectClass: top

# jenny, People, example.com
dn: cn=jenny,ou=People,dc=example,dc=com
mail: je...@example.io
ou: Analyst
cn: jenny
sn: jenny liu
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
userPassword:: ZXhhbXBsZTEyMw==

# admin, Groups, example.com
dn: cn=admin,ou=Groups,dc=example,dc=com
cn: admin
member: cn=jenny,ou=People,dc=example,dc=com
objectClass: groupOfNames
objectClass: top
{code}
{code:java}
kylin.security.ldap.user-search-base=ou=People,dc=example,dc=com
kylin.security.ldap.user-group-search-base=ou=Groups,dc=example,dc=com
kylin.security.ldap.user-search-pattern=(&(cn={0}))
kylin.security.ldap.user-group-search-filter=(|(member={0})(memberUid={1}))

kylin.security.acl.admin-role=admin

{code}


was (Author: aron.tao):
Hi [~xingpeng1]

I understand your description, and there's no need to post again if there's no 
update.

And I test your scenes, as you can see in the previous comment, and cannot 
reproduce your problem.

Let's put aside your patch first, and the root cause may not be the one you 
think, I recommend that we first find what's the problem, e.g. wrong usage? 
environment problem? LDAP problem? or it's our Kylin's bug. You can refer 
to my experiment. The LDIF config and Kylin config are as follows.

 (As for me,
kylin.security.ldap.user-search-pattern=(uid={0})
in your config is very suspicious, ldap may use this as username to search 
group members. And please confirm whether this is within your expectations )

Hope you can find the true root cause.

LDIF
{code:java}
# People, example.com
dn: ou=People,dc=example,dc=com
ou: People
cn: People
objectClass: organizationalRole
objectClass: top

# jenny, People, example.com
dn: cn=jenny,ou=People,dc=example,dc=com
mail: je...@example.io
ou: Analyst
cn: jenny
sn: jenny liu
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
userPassword:: ZXhhbXBsZTEyMw==

# admin, Groups, example.com
dn: cn=admin,ou=Groups,dc=example,dc=com
cn: admin
member: cn=jenny,ou=People,dc=example,dc=com
objectClass: groupOfNames
objectClass: top
{code}
{code:java}
kylin.security.ldap.user-search-base=ou=People,dc=example,dc=com
kylin.security.ldap.user-group-search-base=ou=Groups,dc=example,dc=com
kylin.security.ldap.user-search-pattern=(&(cn={0}))
kylin.security.ldap.user-group-search-filter=(|(member={0})(memberUid={1}))

kylin.security.acl.admin-role=admin

{code}

> When ldap is opened, I use an ignored case user to login, the page does not 
> respond.
>
> When ldap is opened, I config the kylin.properties, and give wkhGroup the 
> admin permission.
> {code:java}
> ## Admin roles in LDAP, for ldap and saml
> kylin.security.acl.admin-role=wkhGroup
> {code}
> then I create a new user named 'wkh' whose group is 'wkhGroup', then I use 
> 'wkh' to log in, which is 

[jira] [Comment Edited] (KYLIN-3197) When ldap is opened, I use an ignored case user to login, the page does not respond.

2018-02-11 Thread jiatao.tao (JIRA)

[ 
https://issues.apache.org/jira/browse/KYLIN-3197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16360290#comment-16360290
 ] 

jiatao.tao edited comment on KYLIN-3197 at 2/12/18 4:36 AM:


Hi [~xingpeng1]

I understand your description, and there's no need to post again if there's no 
update.

And I test your scenes, as you can see in the previous comment, and cannot 
reproduce your problem.

Let's put aside your patch first, and the root cause may not be the one you 
think, I recommend that we first find what's the problem, e.g. wrong usage? 
environment problem? LDAP problem? or it's our Kylin's bug. You can refer 
to my experiment. The LDIF config and Kylin config are as follows.

 (As for me,
kylin.security.ldap.user-search-pattern=(uid={0})
in your config is very suspicious, ldap may use this as username to search 
group members. And please confirm whether this is within your expectations )

Hope you can find the true root cause.

LDIF
{code:java}
# People, example.com
dn: ou=People,dc=example,dc=com
ou: People
cn: People
objectClass: organizationalRole
objectClass: top

# jenny, People, example.com
dn: cn=jenny,ou=People,dc=example,dc=com
mail: je...@example.io
ou: Analyst
cn: jenny
sn: jenny liu
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
userPassword:: ZXhhbXBsZTEyMw==

# admin, Groups, example.com
dn: cn=admin,ou=Groups,dc=example,dc=com
cn: admin
member: cn=jenny,ou=People,dc=example,dc=com
objectClass: groupOfNames
objectClass: top
{code}
{code:java}
kylin.security.ldap.user-search-base=ou=People,dc=example,dc=com
kylin.security.ldap.user-group-search-base=ou=Groups,dc=example,dc=com
kylin.security.ldap.user-search-pattern=(&(cn={0}))
kylin.security.ldap.user-group-search-filter=(|(member={0})(memberUid={1}))

kylin.security.acl.admin-role=admin

{code}


was (Author: aron.tao):
Hi [~xingpeng1]

I understand your description, and there's no need to post again if there's no 
update.

And I test your scenes, as you can see in the previous comment, and cannot 
reproduce your problem.

Let's put aside your patch first, and the root cause may not be the one you 
think, I recommend that we first find what's the problem, e.g. wrong usage? 
environment problem? LDAP problem? or it's our Kylin's bug. You can refer 
to my experiment. The LDIF config and Kylin config are as follows.

 (As for me, in your config is very suspicious, ldap may use this as username 
to search group members.  )

Hope you can find the true root cause.

LDIF
{code:java}
# People, example.com
dn: ou=People,dc=example,dc=com
ou: People
cn: People
objectClass: organizationalRole
objectClass: top

# jenny, People, example.com
dn: cn=jenny,ou=People,dc=example,dc=com
mail: je...@example.io
ou: Analyst
cn: jenny
sn: jenny liu
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
userPassword:: ZXhhbXBsZTEyMw==

# admin, Groups, example.com
dn: cn=admin,ou=Groups,dc=example,dc=com
cn: admin
member: cn=jenny,ou=People,dc=example,dc=com
objectClass: groupOfNames
objectClass: top
{code}
{code:java}
kylin.security.ldap.user-search-base=ou=People,dc=example,dc=com
kylin.security.ldap.user-group-search-base=ou=Groups,dc=example,dc=com
kylin.security.ldap.user-search-pattern=(&(cn={0}))
kylin.security.ldap.user-group-search-filter=(|(member={0})(memberUid={1}))

kylin.security.acl.admin-role=admin

{code}

> When ldap is opened, I use an ignored case user to login, the page does not 
> respond.
>
> When ldap is opened, I config the kylin.properties, and give wkhGroup the 
> admin permission.
> {code:java}
> ## Admin roles in LDAP, for ldap and saml
> kylin.security.acl.admin-role=wkhGroup
> {code}
> then I create a new user named 'wkh' whose group is 'wkhGroup', then I use 
> 'wkh' to log in, which is normal.
>  But when I use 'WKH' to log in, the page does not 
> respond.
>  I analyze the background code, 

[jira] [Comment Edited] (KYLIN-3197) When ldap is opened, I use an ignored case user to login, the page does not respond.

2018-02-11 Thread jiatao.tao (JIRA)

[ 
https://issues.apache.org/jira/browse/KYLIN-3197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16360290#comment-16360290
 ] 

jiatao.tao edited comment on KYLIN-3197 at 2/12/18 4:35 AM:


Hi [~xingpeng1]

I understand your description, and there's no need to post again if there's no 
update.

And I test your scenes, as you can see in the previous comment, and cannot 
reproduce your problem.

Let's put aside your patch first, and the root cause may not be the one you 
think, I recommend that we first find what's the problem, e.g. wrong usage? 
environment problem? LDAP problem? or it's our Kylin's bug. You can refer 
to my experiment. The LDIF config and Kylin config are as follows.

 (As for me, in your config is very suspicious, ldap may use this as username 
to search group members.  )

Hope you can find the true root cause.

LDIF
{code:java}
# People, example.com
dn: ou=People,dc=example,dc=com
ou: People
cn: People
objectClass: organizationalRole
objectClass: top

# jenny, People, example.com
dn: cn=jenny,ou=People,dc=example,dc=com
mail: je...@example.io
ou: Analyst
cn: jenny
sn: jenny liu
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
userPassword:: ZXhhbXBsZTEyMw==

# admin, Groups, example.com
dn: cn=admin,ou=Groups,dc=example,dc=com
cn: admin
member: cn=jenny,ou=People,dc=example,dc=com
objectClass: groupOfNames
objectClass: top
{code}
{code:java}
kylin.security.ldap.user-search-base=ou=People,dc=example,dc=com
kylin.security.ldap.user-group-search-base=ou=Groups,dc=example,dc=com
kylin.security.ldap.user-search-pattern=(&(cn={0}))
kylin.security.ldap.user-group-search-filter=(|(member={0})(memberUid={1}))

kylin.security.acl.admin-role=admin

{code}


was (Author: aron.tao):
Hi [~xingpeng1]

I understand your description, and there's no need to post again if there's no 
update.

And I test your scenes, as you can see in the previous comment, and cannot 
reproduce your problem.

Let's put aside your patch first, and the root cause may not be the one you 
think, I recommend that we first find what's the problem, e.g. wrong usage? 
environment problem? LDAP problem? or it's our Kylin's bug. You can refer 
to my experiment. The LDIF config and Kylin config are as follows.

Hope you can find the true root cause.

LDIF
{code:java}
# People, example.com
dn: ou=People,dc=example,dc=com
ou: People
cn: People
objectClass: organizationalRole
objectClass: top

# jenny, People, example.com
dn: cn=jenny,ou=People,dc=example,dc=com
mail: je...@example.io
ou: Analyst
cn: jenny
sn: jenny liu
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
userPassword:: ZXhhbXBsZTEyMw==

# admin, Groups, example.com
dn: cn=admin,ou=Groups,dc=example,dc=com
cn: admin
member: cn=jenny,ou=People,dc=example,dc=com
objectClass: groupOfNames
objectClass: top
{code}
{code:java}
kylin.security.ldap.user-search-base=ou=People,dc=example,dc=com
kylin.security.ldap.user-group-search-base=ou=Groups,dc=example,dc=com
kylin.security.ldap.user-search-pattern=(&(cn={0}))
kylin.security.ldap.user-group-search-filter=(|(member={0})(memberUid={1}))

kylin.security.acl.admin-role=admin

{code}

> When ldap is opened, I use an ignored case user to login, the page does not 
> respond.
>
> When ldap is opened, I config the kylin.properties, and give wkhGroup the 
> admin permission.
> {code:java}
> ## Admin roles in LDAP, for ldap and saml
> kylin.security.acl.admin-role=wkhGroup
> {code}
> then I create a new user named 'wkh' whose group is 'wkhGroup', then I use 
> 'wkh' to log in, which is normal.
>  But when I use 'WKH' to log in, the page does not 
> respond.
>  I analyze the background code, and find the function of 
> 'org.apache.kylin.rest.security.LDAPAuthoritiesPopulator.getGroupMembershipRoles(String,
>  String)' has problem.
>  When userDn is 
> 

[jira] [Comment Edited] (KYLIN-3197) When ldap is opened, I use an ignored case user to login, the page does not respond.

2018-02-11 Thread jiatao.tao (JIRA)

[ 
https://issues.apache.org/jira/browse/KYLIN-3197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16360290#comment-16360290
 ] 

jiatao.tao edited comment on KYLIN-3197 at 2/12/18 4:33 AM:


Hi [~xingpeng1]

I understand your description, and there's no need to post again if there's no 
update.

And I test your scenes, as you can see in the previous comment, and cannot 
reproduce your problem.

Let's put aside your patch first, and the root cause may not be the one you 
think, I recommend that we first find what's the problem, e.g. wrong usage? 
environment problem? LDAP problem? or it's our Kylin's bug. You can refer 
to my experiment. The LDIF config and Kylin config are as follows.

Hope you can find the true root cause.

LDIF
{code:java}
# People, example.com
dn: ou=People,dc=example,dc=com
ou: People
cn: People
objectClass: organizationalRole
objectClass: top

# jenny, People, example.com
dn: cn=jenny,ou=People,dc=example,dc=com
mail: je...@example.io
ou: Analyst
cn: jenny
sn: jenny liu
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
userPassword:: ZXhhbXBsZTEyMw==

# admin, Groups, example.com
dn: cn=admin,ou=Groups,dc=example,dc=com
cn: admin
member: cn=jenny,ou=People,dc=example,dc=com
objectClass: groupOfNames
objectClass: top
{code}
{code:java}
kylin.security.ldap.user-search-base=ou=People,dc=example,dc=com
kylin.security.ldap.user-group-search-base=ou=Groups,dc=example,dc=com
kylin.security.ldap.user-search-pattern=(&(cn={0}))
kylin.security.ldap.user-group-search-filter=(|(member={0})(memberUid={1}))

kylin.security.acl.admin-role=admin

{code}



[jira] [Comment Edited] (KYLIN-3197) When ldap is opened, I use an ignored case user to login, the page does not respond.

2018-02-11 Thread jiatao.tao (JIRA)

[ 
https://issues.apache.org/jira/browse/KYLIN-3197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16360290#comment-16360290
 ] 

jiatao.tao edited comment on KYLIN-3197 at 2/12/18 4:32 AM:


I understand your description, and there's no need to post again if there's no 
update.

And I tested your scenario, as you can see in the previous comment, and cannot 
reproduce your problem.

Let's put aside your patch first; the root cause may not be the one you 
think. I recommend that we first find what the problem is, e.g. wrong usage? 
environment problem? LDAP problem? Or is it a bug in Kylin? You can refer 
to my experiment. The LDIF config and Kylin config are as follows.

Hope you can find the true root cause.

LDIF
{code:java}
# People, example.com
dn: ou=People,dc=example,dc=com
ou: People
cn: People
objectClass: organizationalRole
objectClass: top

# jenny, People, example.com
dn: cn=jenny,ou=People,dc=example,dc=com
mail: je...@example.io
ou: Analyst
cn: jenny
sn: jenny liu
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
userPassword:: ZXhhbXBsZTEyMw==

# admin, Groups, example.com
dn: cn=admin,ou=Groups,dc=example,dc=com
cn: admin
member: cn=jenny,ou=People,dc=example,dc=com
objectClass: groupOfNames
objectClass: top
{code}
{code:java}
kylin.security.ldap.user-search-base=ou=People,dc=example,dc=com
kylin.security.ldap.user-group-search-base=ou=Groups,dc=example,dc=com
kylin.security.ldap.user-search-pattern=(&(cn={0}))
kylin.security.ldap.user-group-search-filter=(|(member={0})(memberUid={1}))

kylin.security.acl.admin-role=admin

{code}



[jira] [Comment Edited] (KYLIN-3197) When ldap is opened, I use an ignored case user to login, the page does not respond.

2018-02-11 Thread jiatao.tao (JIRA)

[ 
https://issues.apache.org/jira/browse/KYLIN-3197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16360305#comment-16360305
 ] 

jiatao.tao edited comment on KYLIN-3197 at 2/12/18 4:32 AM:


Besides, there are two things that are a little confusing to me in your patch, and 
it would be great if you could confirm these:
 # The signature of getAdditionalRoles() does not seem to match the way you use it.
 # In your patch you directly get the username and do not use the name that 
getAdditionalRoles(DirContextOperations user, String username) passed in.
{code:java}
username = user.getStringAttribute("cn");
{code}

!image-2018-02-12-12-25-15-793.png|width=615,height=212!


was (Author: aron.tao):
Besides, there are two things that are a little confusing to me, and it would be 
great if you could confirm these:
 # The signature of getAdditionalRoles() does not seem to match the way you use it.
 # In your patch you directly get the username and do not use the name that 
getAdditionalRoles(DirContextOperations user, String username) passed in.
{code:java}
username = user.getStringAttribute("cn");
{code}

!image-2018-02-12-12-25-15-793.png|width=615,height=212!

> When ldap is opened, I use an ignored case user to login, the page does not 
> respond.
> 
>
> Key: KYLIN-3197
> URL: https://issues.apache.org/jira/browse/KYLIN-3197
> Project: Kylin
>  Issue Type: Bug
>  Components: Security
>Affects Versions: v2.3.0
>Reporter: Peng Xing
>Assignee: Peng Xing
>Priority: Major
>  Labels: patch
> Fix For: Future
>
> Attachments: 
> 0001-KYLIN-3197-When-ldap-is-opened-I-use-an-ignored-case.patch, 
> image-2018-01-25-17-22-39-970.png, image-2018-02-06-14-09-32-591.png, 
> image-2018-02-08-15-32-25-030.png, image-2018-02-08-15-33-07-277.png, 
> image-2018-02-08-15-33-54-480.png, image-2018-02-08-15-35-03-902.png, 
> image-2018-02-12-12-15-00-574.png, image-2018-02-12-12-15-28-826.png, 
> image-2018-02-12-12-15-39-132.png, image-2018-02-12-12-25-15-793.png
>
>
> When ldap is opened, I config the kylin.properties, and give wkhGroup the 
> admin permission.
> {code:java}
> ## Admin roles in LDAP, for ldap and saml
> kylin.security.acl.admin-role=wkhGroup
> {code}
> then I create a new user named 'wkh' whose group is 'wkhGroup', then I use 
> 'wkh' to log in, which is normal.
>  But when I use 'WKH' to log in, the page does not respond.
>  I analyzed the background code, and found that the function 
> 'org.apache.kylin.rest.security.LDAPAuthoritiesPopulator.getGroupMembershipRoles(String, String)' 
> has a problem.
>  When userDn is "uid=wkh,ou=People,ou=defaultCluster,dc=zdh,dc=com" and 
> username is "WKH", then authorities will be an empty Set 
> by the following code:
> {code:java}
> Set authorities = super.getGroupMembershipRoles(userDn, username);
> {code}
> So I have added a 'getAdditionalRoles' function to get the authorities again.
>  I have tested the patch, please review, thanks!



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
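
The two results reported in this thread (no reproduction with a `member`-based group, an empty role set for 'WKH' in the reporter's directory) can both come from the same filter `(|(member={0})(memberUid={1}))`: `member` is compared as a DN, while RFC 2307 `memberUid` is compared case-exactly. The Python model below is an added example, not Kylin or Spring Security code; the reporter's posixGroup/`memberUid` layout, the group DN and the `canonical` switch are assumptions made for illustration.

```python
# Constructed model of the two directory layouts discussed in the thread.
# Matching rules follow the standard schemas: uid/cn use caseIgnoreMatch,
# member uses distinguishedNameMatch, memberUid (RFC 2307) uses caseExactIA5Match.

def case_ignore(a, b):
    return a.strip().lower() == b.strip().lower()

def case_exact(a, b):
    return a == b

def dn_match(a, b):
    # Simplified distinguishedNameMatch: compare RDNs ignoring case and spacing.
    def norm(dn):
        return [tuple(p.strip().lower() for p in rdn.split("=", 1))
                for rdn in dn.split(",")]
    return norm(a) == norm(b)

MATCHING_RULE = {"uid": case_ignore, "cn": case_ignore,
                 "member": dn_match, "memberUid": case_exact}

# Layout A: the reviewer's LDIF (groupOfNames, membership stored as a DN).
PEOPLE_A = [{"dn": "cn=jenny,ou=People,dc=example,dc=com", "cn": ["jenny"]}]
GROUPS_A = [{"dn": "cn=admin,ou=Groups,dc=example,dc=com", "cn": ["admin"],
             "member": ["cn=jenny,ou=People,dc=example,dc=com"]}]

# Layout B: ASSUMED layout for the reporter (posixGroup, membership as memberUid).
# The user DN is the one quoted in the issue; the group DN is constructed.
PEOPLE_B = [{"dn": "uid=wkh,ou=People,ou=defaultCluster,dc=zdh,dc=com",
             "uid": ["wkh"]}]
GROUPS_B = [{"dn": "cn=wkhGroup,ou=Group,ou=defaultCluster,dc=zdh,dc=com",
             "cn": ["wkhGroup"], "memberUid": ["wkh"]}]

def find_user(people, attr, login):
    """user-search-pattern (attr={0}): returns the stored entry, not the typed login."""
    for entry in people:
        if any(MATCHING_RULE[attr](v, login) for v in entry.get(attr, [])):
            return entry
    return None

def group_roles(groups, user_dn, username):
    """user-group-search-filter (|(member={0})(memberUid={1}))."""
    roles = set()
    for group in groups:
        by_dn = any(MATCHING_RULE["member"](v, user_dn)
                    for v in group.get("member", []))
        by_uid = any(MATCHING_RULE["memberUid"](v, username)
                     for v in group.get("memberUid", []))
        if by_dn or by_uid:
            roles.update(group["cn"])
    return roles

def login_roles(people, groups, attr, login, canonical=False):
    """Roles for a login; None if the user search finds nobody.

    canonical=False passes the typed login as {1} (the behaviour described
    in the issue); canonical=True passes the value stored in the directory.
    """
    user = find_user(people, attr, login)
    if user is None:
        return None
    username = user[attr][0] if canonical else login
    return group_roles(groups, user["dn"], username)

if __name__ == "__main__":
    print("A, JENNY:", login_roles(PEOPLE_A, GROUPS_A, "cn", "JENNY"))
    print("B, wkh:  ", login_roles(PEOPLE_B, GROUPS_B, "uid", "wkh"))
    print("B, WKH:  ", login_roles(PEOPLE_B, GROUPS_B, "uid", "WKH"))
    print("B, WKH canonical:",
          login_roles(PEOPLE_B, GROUPS_B, "uid", "WKH", canonical=True))
```

In layout B the typed login 'WKH' passes the user search but matches no group, which is the empty-set symptom described in the issue; comparing the group entries' object classes in the two directories is a quick way to check whether this is the difference between the two environments.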


[jira] [Comment Edited] (KYLIN-3197) When ldap is opened, I use an ignored case user to login, the page does not respond.

2018-02-11 Thread jiatao.tao (JIRA)

[ 
https://issues.apache.org/jira/browse/KYLIN-3197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16360290#comment-16360290
 ] 

jiatao.tao edited comment on KYLIN-3197 at 2/12/18 4:23 AM:


I understand your description, and there's no need to post again if there's no 
update.

And I tested your scenario, as you can see in the previous comment, and cannot 
reproduce your problem.

Maybe your code is right, but the root cause may not be the one you think. I 
recommend that we first find what the problem is, e.g. wrong usage? environment 
problem? LDAP problem? Or is it a bug in Kylin? You can refer to my 
experiment. The LDIF config and Kylin config are as follows.

Hope you can find the true root cause.

LDIF
{code:java}
# People, example.com
dn: ou=People,dc=example,dc=com
ou: People
cn: People
objectClass: organizationalRole
objectClass: top

# jenny, People, example.com
dn: cn=jenny,ou=People,dc=example,dc=com
mail: je...@example.io
ou: Analyst
cn: jenny
sn: jenny liu
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
userPassword:: ZXhhbXBsZTEyMw==

# admin, Groups, example.com
dn: cn=admin,ou=Groups,dc=example,dc=com
cn: admin
member: cn=jenny,ou=People,dc=example,dc=com
objectClass: groupOfNames
objectClass: top
{code}
{code:java}
kylin.security.ldap.user-search-base=ou=People,dc=example,dc=com
kylin.security.ldap.user-group-search-base=ou=Groups,dc=example,dc=com
kylin.security.ldap.user-search-pattern=(&(cn={0}))
kylin.security.ldap.user-group-search-filter=(|(member={0})(memberUid={1}))

kylin.security.acl.admin-role=admin

{code}



[jira] [Comment Edited] (KYLIN-3197) When ldap is opened, I use an ignored case user to login, the page does not respond.

2018-02-11 Thread jiatao.tao (JIRA)

[ 
https://issues.apache.org/jira/browse/KYLIN-3197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16360290#comment-16360290
 ] 

jiatao.tao edited comment on KYLIN-3197 at 2/12/18 4:22 AM:


I understand your description, and there's no need to post again if there's no 
update.

And I tested your scenario, as you can see in the previous comment, and cannot 
reproduce your problem.

I recommend that we first find what the problem is, e.g. wrong usage? environment 
problem? LDAP problem? Or is it a bug in Kylin? You can refer to my 
experiment. The LDIF config and Kylin config are as follows.

Hope you can find the true root cause.

LDIF
{code:java}
# People, example.com
dn: ou=People,dc=example,dc=com
ou: People
cn: People
objectClass: organizationalRole
objectClass: top

# jenny, People, example.com
dn: cn=jenny,ou=People,dc=example,dc=com
mail: je...@example.io
ou: Analyst
cn: jenny
sn: jenny liu
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
userPassword:: ZXhhbXBsZTEyMw==

# admin, Groups, example.com
dn: cn=admin,ou=Groups,dc=example,dc=com
cn: admin
member: cn=jenny,ou=People,dc=example,dc=com
objectClass: groupOfNames
objectClass: top
{code}
{code:java}
kylin.security.ldap.user-search-base=ou=People,dc=example,dc=com
kylin.security.ldap.user-group-search-base=ou=Groups,dc=example,dc=com
kylin.security.ldap.user-search-pattern=(&(cn={0}))
kylin.security.ldap.user-group-search-filter=(|(member={0})(memberUid={1}))

kylin.security.acl.admin-role=admin

{code}



[jira] [Comment Edited] (KYLIN-3197) When ldap is opened, I use an ignored case user to login, the page does not respond.

2018-02-11 Thread jiatao.tao (JIRA)

[ 
https://issues.apache.org/jira/browse/KYLIN-3197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16360290#comment-16360290
 ] 

jiatao.tao edited comment on KYLIN-3197 at 2/12/18 4:22 AM:


I understand your description, and there's no need to post again if there's no 
update.

And I tested your scenario, as you can see in the previous comment, and cannot 
reproduce your problem.

I recommend that we first find what the problem is, e.g. is it your wrong usage? 
environment problem? LDAP problem? Or is it a bug in Kylin? You can refer 
to my experiment. The LDIF config and Kylin config are as follows.

Hope you can find the true root cause.

LDIF
{code:java}
# People, example.com
dn: ou=People,dc=example,dc=com
ou: People
cn: People
objectClass: organizationalRole
objectClass: top

# jenny, People, example.com
dn: cn=jenny,ou=People,dc=example,dc=com
mail: je...@example.io
ou: Analyst
cn: jenny
sn: jenny liu
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
userPassword:: ZXhhbXBsZTEyMw==

# admin, Groups, example.com
dn: cn=admin,ou=Groups,dc=example,dc=com
cn: admin
member: cn=jenny,ou=People,dc=example,dc=com
objectClass: groupOfNames
objectClass: top
{code}
{code:java}
kylin.security.ldap.user-search-base=ou=People,dc=example,dc=com
kylin.security.ldap.user-group-search-base=ou=Groups,dc=example,dc=com
kylin.security.ldap.user-search-pattern=(&(cn={0}))
kylin.security.ldap.user-group-search-filter=(|(member={0})(memberUid={1}))

kylin.security.acl.admin-role=admin

{code}


was (Author: aron.tao):
I understand your description, and there's no need to post again if there's no 
update.

And I tested your scenario, as you can see in the previous comment, and cannot 
reproduce your problem.

I recommend that we first find what the problem is, like: is it your wrong 
usage? environment problem? LDAP problem? Or is it a bug in Kylin? You can 
refer to my experiment. The LDIF config and Kylin config are as follows.

Hope you can find the true root cause.

LDIF
{code:java}
# People, example.com
dn: ou=People,dc=example,dc=com
ou: People
cn: People
objectClass: organizationalRole
objectClass: top

# jenny, People, example.com
dn: cn=jenny,ou=People,dc=example,dc=com
mail: je...@example.io
ou: Analyst
cn: jenny
sn: jenny liu
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
userPassword:: ZXhhbXBsZTEyMw==

# admin, Groups, example.com
dn: cn=admin,ou=Groups,dc=example,dc=com
cn: admin
member: cn=jenny,ou=People,dc=example,dc=com
objectClass: groupOfNames
objectClass: top
{code}
{code:java}
kylin.security.ldap.user-search-base=ou=People,dc=example,dc=com
kylin.security.ldap.user-group-search-base=ou=Groups,dc=example,dc=com
kylin.security.ldap.user-search-pattern=(&(cn={0}))
kylin.security.ldap.user-group-search-filter=(|(member={0})(memberUid={1}))

kylin.security.acl.admin-role=admin

{code}


[jira] [Comment Edited] (KYLIN-3197) When ldap is opened, I use an ignored case user to login, the page does not respond.

2018-02-11 Thread jiatao.tao (JIRA)

[ 
https://issues.apache.org/jira/browse/KYLIN-3197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16360291#comment-16360291
 ] 

jiatao.tao edited comment on KYLIN-3197 at 2/12/18 4:18 AM:


Besides, your implementation will add getGroupMembershipRoles() twice, please 
confirm this. The code was not under strict review and testing and was directly 
merged; I am worried about this.

DefaultLdapAuthoritiesPopulator.java, in package 
org.springframework.security.ldap.userdetails.

!image-2018-02-12-12-15-39-132.png!


was (Author: aron.tao):
Besides, your implementation will add getGroupMembershipRoles() twice, please 
confirm this. The code has not been strictly tested and I am worried about this.

DefaultLdapAuthoritiesPopulator.java, in package 
org.springframework.security.ldap.userdetails.

!image-2018-02-12-12-15-39-132.png!



[jira] [Comment Edited] (KYLIN-3197) When ldap is opened, I use an ignored case user to login, the page does not respond.

2018-02-11 Thread jiatao.tao (JIRA)

[ 
https://issues.apache.org/jira/browse/KYLIN-3197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16360224#comment-16360224
 ] 

jiatao.tao edited comment on KYLIN-3197 at 2/12/18 3:38 AM:


-1

[~peng.jianhua] The root cause is still under discussion, why did you merge 
the code???


was (Author: aron.tao):
[~peng.jianhua] The root cause is still under discussion, why did you merge 
the code???



[jira] [Comment Edited] (KYLIN-3197) When ldap is opened, I use an ignored case user to login, the page does not respond.

2018-02-11 Thread Peng Xing (JIRA)

[ 
https://issues.apache.org/jira/browse/KYLIN-3197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16360264#comment-16360264
 ] 

Peng Xing edited comment on KYLIN-3197 at 2/12/18 3:31 AM:
---

Hi [~Aron.tao], thanks for your reply. I found that when judging whether the username 
and password are valid, ldap is not case insensitive. But when userDn is 
"uid=wkh,ou=People,ou=defaultCluster,dc=zdh,dc=com" and username is "WKH", the 
following function will return an empty Set.
{code:java}
Set authorities = super.getGroupMembershipRoles(userDn, username);
{code}

 My kylin ldap config is as follows.
{code:java}
## Spring security profile, options: testing, ldap, saml
## with "testing" profile, user can use pre-defined name/pwd like KYLIN/ADMIN to login
kylin.security.profile=ldap
#
## Admin roles in LDAP, for ldap and saml
kylin.security.acl.admin-role=wkhGroup
#
## LDAP authentication configuration
kylin.security.ldap.connection-server=ldap://**:389
kylin.security.ldap.connection-username=cn=**,dc=zzz,dc=com
kylin.security.ldap.connection-password=**
#
## LDAP user account directory;
kylin.security.ldap.user-search-base=ou=People,ou=defaultCluster,dc=zzz,dc=com
kylin.security.ldap.user-search-pattern=(uid={0})
kylin.security.ldap.user-group-search-base=ou=Group,ou=defaultCluster,dc=zzz,dc=com
kylin.security.ldap.user-group-search-filter=(|(member={0})(memberUid={1}))

{code}




was (Author: xingpeng1):
Hi [~Aron.tao], thanks for your reply. I found that when judging whether the user name 
and password are valid, ldap is not case insensitive. But when userDn is 
"uid=wkh,ou=People,ou=defaultCluster,dc=zdh,dc=com" and username is "WKH", the 
following function will return an empty Set.
{code:java}
Set authorities = super.getGroupMembershipRoles(userDn, username);
{code}

 My kylin ldap config is as follows.
{code:java}
## Spring security profile, options: testing, ldap, saml
## with "testing" profile, user can use pre-defined name/pwd like KYLIN/ADMIN to login
kylin.security.profile=ldap
#
## Admin roles in LDAP, for ldap and saml
kylin.security.acl.admin-role=wkhGroup
#
## LDAP authentication configuration
kylin.security.ldap.connection-server=ldap://**:389
kylin.security.ldap.connection-username=cn=**,dc=zzz,dc=com
kylin.security.ldap.connection-password=**
#
## LDAP user account directory;
kylin.security.ldap.user-search-base=ou=People,ou=defaultCluster,dc=zzz,dc=com
kylin.security.ldap.user-search-pattern=(uid={0})
kylin.security.ldap.user-group-search-base=ou=Group,ou=defaultCluster,dc=zzz,dc=com
kylin.security.ldap.user-group-search-filter=(|(member={0})(memberUid={1}))

{code}



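An added example, not code from Kylin, Spring Security or the attached patch: a small Python model of the user search and group search configured in the kylin.properties above, showing one mechanism consistent with the reported behaviour. It assumes the standard schema equality rules (uid is caseIgnoreMatch, memberUid is caseExactIA5Match) and constructed group entries; the thread itself has not confirmed a root cause.

```python
# Constructed model of the two LDAP searches from the thread's configuration.
# It talks to no server; the entries below are sample data, not the reporter's.

def case_ignore(stored, asserted):
    """caseIgnoreMatch, the equality rule of 'uid' (RFC 4519)."""
    return stored.lower() == asserted.lower()

def case_exact(stored, asserted):
    """caseExactIA5Match, the equality rule of 'memberUid' (RFC 2307)."""
    return stored == asserted

def dn_match(stored, asserted):
    """Simplified distinguishedNameMatch: RDN by RDN, ignoring case."""
    def norm(dn):
        return [rdn.strip().lower() for rdn in dn.split(",")]
    return norm(stored) == norm(asserted)

MATCHING_RULES = {"uid": case_ignore, "memberUid": case_exact, "member": dn_match}

# User entry with the DN quoted in the issue report.
USER = {"dn": "uid=wkh,ou=People,ou=defaultCluster,dc=zdh,dc=com", "uid": ["wkh"]}
# Assumption: two possible shapes of the wkhGroup entry.
POSIX_GROUP = {"cn": "wkhGroup", "memberUid": ["wkh"]}       # members listed by name
GROUP_OF_NAMES = {"cn": "wkhGroup", "member": [USER["dn"]]}  # members listed by DN

def attr_equals(entry, attr, asserted):
    """Evaluate one (attr=value) filter item with the attribute's own rule."""
    rule = MATCHING_RULES[attr]
    return any(rule(stored, asserted) for stored in entry.get(attr, []))

def find_user(typed_name):
    """kylin.security.ldap.user-search-pattern=(uid={0})"""
    return USER if attr_equals(USER, "uid", typed_name) else None

def group_roles(groups, user_dn, username):
    """kylin.security.ldap.user-group-search-filter=(|(member={0})(memberUid={1}))"""
    return {g["cn"] for g in groups
            if attr_equals(g, "member", user_dn)
            or attr_equals(g, "memberUid", username)}

def login(typed_name, groups, use_directory_uid):
    """Return the set of group names for the login, or None if no user matches."""
    user = find_user(typed_name)
    if user is None:
        return None
    # {1} is either the string typed at the login form or the uid value the
    # directory returned; taking the stored value avoids guessing at case rules.
    name_for_filter = user["uid"][0] if use_directory_uid else typed_name
    return group_roles(groups, user["dn"], name_for_filter)

if __name__ == "__main__":
    for typed in ("wkh", "WKH"):
        print(typed, "posixGroup, typed name:", login(typed, [POSIX_GROUP], False))
        print(typed, "posixGroup, directory uid:", login(typed, [POSIX_GROUP], True))
        print(typed, "groupOfNames, typed name:", login(typed, [GROUP_OF_NAMES], False))
```

In this model 'WKH' is found by the user search but gets an empty role set from a memberUid-only group, while a group that lists members by DN is unaffected by the typed case.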


[jira] [Comment Edited] (KYLIN-3197) When ldap is opened, I use an ignored case user to login, the page does not respond.

2018-02-11 Thread jiatao.tao (JIRA)

[ 
https://issues.apache.org/jira/browse/KYLIN-3197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16360224#comment-16360224
 ] 

jiatao.tao edited comment on KYLIN-3197 at 2/12/18 3:17 AM:


[~peng.jianhua]  The root cause is still under discussion, why do you merge 
the code???


was (Author: aron.tao):
[~peng.jianhua]  The root cause is still not confirmed, why do you merge the 
code???



[jira] [Comment Edited] (KYLIN-3197) When ldap is opened, I use an ignored case user to login, the page does not respond.

2018-02-11 Thread jiatao.tao (JIRA)

[ 
https://issues.apache.org/jira/browse/KYLIN-3197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16360224#comment-16360224
 ] 

jiatao.tao edited comment on KYLIN-3197 at 2/12/18 2:47 AM:


[~peng.jianhua]  The root cause is still not confirmed, why do you merge the 
code???


was (Author: aron.tao):
[~peng.jianhua]  The root cause is still not found, why do you merge the 
code???



[jira] [Comment Edited] (KYLIN-3197) When ldap is opened, I use an ignored case user to login, the page does not respond.

2018-02-11 Thread jiatao.tao (JIRA)

[ 
https://issues.apache.org/jira/browse/KYLIN-3197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16360221#comment-16360221
 ] 

jiatao.tao edited comment on KYLIN-3197 at 2/12/18 2:35 AM:


[~xingpeng1] can you put your kylin ldap config here?


was (Author: aron.tao):
[~xingpeng1] can you put your config here?



[jira] [Comment Edited] (KYLIN-3197) When ldap is opened, I use an ignored case user to login, the page does not respond.

2018-02-11 Thread jiatao.tao (JIRA)

[ 
https://issues.apache.org/jira/browse/KYLIN-3197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16360219#comment-16360219
 ] 

jiatao.tao edited comment on KYLIN-3197 at 2/12/18 2:31 AM:


Hi [~xingpeng1]  I tested the code before and did find that ldap is not case 
insensitive, so please do confirm its root cause.

Thanks.

root @ sandbox in ~ [10:23:45]
 $ rpm -qa|grep openldap
 openldap-clients-2.4.40-16.el6.x86_64
 openldap-devel-2.4.40-16.el6.x86_64
 openldap-2.4.40-16.el6.x86_64
 openldap-servers-2.4.40-16.el6.x86_64

 


was (Author: aron.tao):
Hi [~xingpeng1]  I tested the code before and did find that ldap is not case 
insensitive, so please do confirm your problem.

Thanks.

root @ sandbox in ~ [10:23:45]
$ rpm -qa|grep openldap
openldap-clients-2.4.40-16.el6.x86_64
openldap-devel-2.4.40-16.el6.x86_64
openldap-2.4.40-16.el6.x86_64
openldap-servers-2.4.40-16.el6.x86_64

 



[jira] [Comment Edited] (KYLIN-3197) When ldap is opened, I use an ignored case user to login, the page does not respond.

2018-02-11 Thread peng.jianhua (JIRA)

[ 
https://issues.apache.org/jira/browse/KYLIN-3197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16359983#comment-16359983
 ] 

peng.jianhua edited comment on KYLIN-3197 at 2/11/18 4:29 PM:
--

+1
I used the issue to verify my push code.


was (Author: peng.jianhua):
+1



[jira] [Comment Edited] (KYLIN-3197) When ldap is opened, I use an ignored case user to login, the page does not respond.

2018-02-09 Thread Peng Xing (JIRA)

[ 
https://issues.apache.org/jira/browse/KYLIN-3197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16358145#comment-16358145
 ] 

Peng Xing edited comment on KYLIN-3197 at 2/9/18 9:18 AM:
--

Hi [~Aron.tao], I ran the latest Kylin code and checked my configuration 
against your LDAP document. It is the same, but the user 'WKH' still cannot log in to 
the system. I guess it may be an openldap version problem, so can you tell me 
your openldap version? Thanks!
My openldap version is

{code:java}
[root@zdh131 ~]# rpm -qa|grep openldap
openldap-servers-2.4.40-16.el6.x86_64
openldap-servers-sql-2.4.40-16.el6.x86_64
compat-openldap-2.3.43-2.el6.x86_64
openldap-devel-2.4.40-16.el6.x86_64
openldap-2.4.40-16.el6.x86_64
openldap-clients-2.4.40-16.el6.x86_64
{code}



was (Author: xingpeng1):
Hi [~Aron.tao], I ran the latest Kylin code and checked my configuration 
against your LDAP document. It is the same, but the user 'WKH' still cannot log in to 
the system. I guess it may be an openldap version problem, so can you tell me 
your openldap version? Thanks!

> When ldap is opened, I use an ignored case user to login, the page does not 
> respond.
> 
>
> Key: KYLIN-3197
> URL: https://issues.apache.org/jira/browse/KYLIN-3197
> Project: Kylin
> Issue Type: Bug
> Components: Security
> Affects Versions: v2.3.0
> Reporter: Peng Xing
> Assignee: Peng Xing
> Priority: Major
> Labels: patch
> Fix For: v2.3.0
>
> Attachments: 
> 0001-KYLIN-3197-When-ldap-is-opened-I-use-an-ignored-case.patch, 
> image-2018-01-25-17-22-39-970.png, image-2018-02-06-14-09-32-591.png, 
> image-2018-02-08-15-32-25-030.png, image-2018-02-08-15-33-07-277.png, 
> image-2018-02-08-15-33-54-480.png, image-2018-02-08-15-35-03-902.png
>
>


[jira] [Comment Edited] (KYLIN-3197) When ldap is opened, I use an ignored case user to login, the page does not respond.

2018-02-07 Thread jiatao.tao (JIRA)

[ 
https://issues.apache.org/jira/browse/KYLIN-3197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16356600#comment-16356600
 ] 

jiatao.tao edited comment on KYLIN-3197 at 2/8/18 7:42 AM:
---

Hi [~xingpeng1],

I ran the latest Kylin code. The user in LDAP is jenny, and with JENNY, 
jenny, and even jeNNY, all can log in.

 

!image-2018-02-08-15-33-07-277.png|width=881,height=101!

!image-2018-02-08-15-35-03-902.png|width=881,height=93!

!image-2018-02-08-15-33-54-480.png|width=885,height=100!

 

!image-2018-02-08-15-32-25-030.png!

 

[http://kylin.apache.org/docs21/howto/howto_ldap_and_sso.html]

 

This is our LDAP document and you can confirm your configuration about LDAP.

 


was (Author: aron.tao):
Hi [~xingpeng1],

I ran the latest Kylin code. The user in LDAP is jenny, and with JENNY, 
jenny, and even jeNNY, all can log in.

 

!image-2018-02-08-15-33-07-277.png|width=881,height=101!

!image-2018-02-08-15-35-03-902.png|width=881,height=93!

!image-2018-02-08-15-33-54-480.png|width=885,height=100!

 

!image-2018-02-08-15-32-25-030.png!
