[jira] [Comment Edited] (KYLIN-3197) When ldap is opened, I use an ignored case user to login, the page does not respond.
[ https://issues.apache.org/jira/browse/KYLIN-3197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16361734#comment-16361734 ]

jiatao.tao edited comment on KYLIN-3197 at 2/13/18 2:54 AM:

Hi [~xingpeng1]

About Redhat we may need further discussion, it's need a full discussion and comparison or we can solve one problem today, but next day, another problem may occur. And can you also put your user's ldif?

Besides, I know you use getAdditionalRoles() to solve this problem, for sure, but what I say is that should we use this method like this way? Can you find some examples like document or other projects use this way? Not asking for how it works. We all understand how it works.

{code:java}
The signature of getAdditionalRoles() seems not the way you use.
Because the Redhat linux can not support the case insensitive ldap username, that is to say 'getGroupMembershipRoles(userDn, username)' will return empty Set, so I analyze the spring source code, after 'getGroupMembershipRoles(userDn, username)', there will call 'getAdditionalRoles(user, username)' to get the roles again, then I can get the real username from the DirContextOperations object.
{code}

Also, I think it may be a requirements or issue that need discussion, but not directly get "cn" from DirContextOperations.

{code:java}
the username passed in is not real one, but the 'WKH', so I find a way to fetch the real one from DirContextOperations object by 'username = user.getStringAttribute("cn");'
{code}

I believe we are not the only one met this problem, we should go and find out how other people solve this.

Looking forward your opinion.

was (Author: aron.tao):

Hi [~xingpeng1]

About Redhat we may need further discussion, it's need a full discussion and comparison or we can solve one problem today, but next day, another problem may occur. And can you also put your user's ldif?

Besides, I know you use getAdditionalRoles() to solve this problem, for sure, but what I say is that should we use this method like this way? Can you find some examples like document or other projects use this way? Not asking for how it works. We all understand how it works.

{code:java}
The signature of getAdditionalRoles() seems not the way you use.
Because the Redhat linux can not support the case insensitive ldap username, that is to say 'getGroupMembershipRoles(userDn, username)' will return empty Set, so I analyze the spring source code, after 'getGroupMembershipRoles(userDn, username)', there will call 'getAdditionalRoles(user, username)' to get the roles again, then I can get the real username from the DirContextOperations object.
{code}

Also, I think it may be a requirements or issue that need discussion, but not directly get "cn" from DirContextOperations.

{code:java}
the username passed in is not real one, but the 'WKH', so I find a way to fetch the real one from DirContextOperations object by 'username = user.getStringAttribute("cn");'
{code}

I believe we are not the only one met the problem, we should go and find out how other people solve this.

Looking forward your opinion.

> When ldap is opened, I use an ignored case user to login, the page does not respond.
>
> Key: KYLIN-3197
> URL: https://issues.apache.org/jira/browse/KYLIN-3197
> Project: Kylin
> Issue Type: Bug
> Components: Security
> Affects Versions: v2.3.0
> Reporter: Peng Xing
> Assignee: Peng Xing
> Priority: Major
> Labels: patch
> Fix For: Future
> Attachments: 0001-KYLIN-3197-When-ldap-is-opened-I-use-an-ignored-case.patch, image-2018-01-25-17-22-39-970.png, image-2018-02-06-14-09-32-591.png, image-2018-02-08-15-32-25-030.png, image-2018-02-08-15-33-07-277.png, image-2018-02-08-15-33-54-480.png, image-2018-02-08-15-35-03-902.png, image-2018-02-12-12-15-00-574.png, image-2018-02-12-12-15-28-826.png, image-2018-02-12-12-15-39-132.png, image-2018-02-12-12-25-15-793.png
>
> When ldap is opened, I config the kylin.properties, and give wkhGroup the admin permission.
> {code:java}
> ## Admin roles in LDAP, for ldap and saml
> kylin.security.acl.admin-role=wkhGroup
> {code}
> then I create a new user named 'wkh' whose group is 'wkhGroup', then I use 'wkh' to login in, which is normal.
> But when I use 'WKH' to login in, the page does not respond.
> I analyze the background code, and find the function of 'org.apache.kylin.rest.security.LDAPAuthoritiesPopulator.getGroupMembershipRoles(String, String)' has problem.
> When userDn is "uid=wkh,ou=People,ou=defaultCluster,dc=zdh,dc=com" and username is "WKH", then authorities will be
[jira] [Comment Edited] (KYLIN-3197) When ldap is opened, I use an ignored case user to login, the page does not respond.
[ https://issues.apache.org/jira/browse/KYLIN-3197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16361734#comment-16361734 ]

jiatao.tao edited comment on KYLIN-3197 at 2/13/18 2:53 AM:

Hi [~xingpeng1]

About Redhat we may need further discussion, it's need a full discussion and comparison or we can solve one problem today, but next day, another problem may occur. And can you also put your user's ldif?

Besides, I know you use getAdditionalRoles() to solve this problem, for sure, but what I say is that should we use this method like this way? Can you find some examples like document or other projects use this way? Not asking for how it works. We all understand how it works.

{code:java}
The signature of getAdditionalRoles() seems not the way you use.
Because the Redhat linux can not support the case insensitive ldap username, that is to say 'getGroupMembershipRoles(userDn, username)' will return empty Set, so I analyze the spring source code, after 'getGroupMembershipRoles(userDn, username)', there will call 'getAdditionalRoles(user, username)' to get the roles again, then I can get the real username from the DirContextOperations object.
{code}

Also, I think it may be a requirements or issue that need discussion, but not directly get "cn" from DirContextOperations.

{code:java}
the username passed in is not real one, but the 'WKH', so I find a way to fetch the real one from DirContextOperations object by 'username = user.getStringAttribute("cn");'
{code}

I believe we are not the only one met the problem, we should go and find out how other people solve this.

Looking forward your opinion.

was (Author: aron.tao):

Hi [~xingpeng1]

About Redhat we may need further discussion, it's need a full discussion and comparison or we can solve one problem today, but next day, another problem may occur. And can you also put your user's ldif?

Besides, I know you use getAdditionalRoles() to solve this problem, for sure, but what I say is that should we use this method like this way? Can you find some examples like document or other projects use this way? Not asking for how it works. We all understand how it works.

{code:java}
The signature of getAdditionalRoles() seems not the way you use.
Because the Redhat linux can not support the case insensitive ldap username, that is to say 'getGroupMembershipRoles(userDn, username)' will return empty Set, so I analyze the spring source code, after 'getGroupMembershipRoles(userDn, username)', there will call 'getAdditionalRoles(user, username)' to get the roles again, then I can get the real username from the DirContextOperations object.
{code}

Also, I think it may be a requirements or issue that need discussion, but not directly get "cn" from DirContextOperations.

{code:java}
the username passed in is not real one, but the 'WKH', so I find a way to fetch the real one from DirContextOperations object by 'username = user.getStringAttribute("cn");'
{code}

Looking forward your opinion.

> When ldap is opened, I use an ignored case user to login, the page does not respond.
>
> Key: KYLIN-3197
> URL: https://issues.apache.org/jira/browse/KYLIN-3197
> Project: Kylin
> Issue Type: Bug
> Components: Security
> Affects Versions: v2.3.0
> Reporter: Peng Xing
> Assignee: Peng Xing
> Priority: Major
> Labels: patch
> Fix For: Future
> Attachments: 0001-KYLIN-3197-When-ldap-is-opened-I-use-an-ignored-case.patch, image-2018-01-25-17-22-39-970.png, image-2018-02-06-14-09-32-591.png, image-2018-02-08-15-32-25-030.png, image-2018-02-08-15-33-07-277.png, image-2018-02-08-15-33-54-480.png, image-2018-02-08-15-35-03-902.png, image-2018-02-12-12-15-00-574.png, image-2018-02-12-12-15-28-826.png, image-2018-02-12-12-15-39-132.png, image-2018-02-12-12-25-15-793.png
>
> When ldap is opened, I config the kylin.properties, and give wkhGroup the admin permission.
> {code:java}
> ## Admin roles in LDAP, for ldap and saml
> kylin.security.acl.admin-role=wkhGroup
> {code}
> then I create a new user named 'wkh' whose group is 'wkhGroup', then I use 'wkh' to login in, which is normal.
> But when I use 'WKH' to login in, the page does not respond.
> I analyze the background code, and find the function of 'org.apache.kylin.rest.security.LDAPAuthoritiesPopulator.getGroupMembershipRoles(String, String)' has problem.
> When userDn is "uid=wkh,ou=People,ou=defaultCluster,dc=zdh,dc=com" and username is "WKH", then authorities will be empty Set by the follow code:
> {code:java}
> Set authorities = super.getGroupMembershipRoles(userDn,
[jira] [Comment Edited] (KYLIN-3197) When ldap is opened, I use an ignored case user to login, the page does not respond.
[ https://issues.apache.org/jira/browse/KYLIN-3197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16361734#comment-16361734 ]

jiatao.tao edited comment on KYLIN-3197 at 2/13/18 2:49 AM:

Hi [~xingpeng1]

About Redhat we may need further discussion, it's need a full discussion and comparison or we can solve one problem today, but next day, another problem may occur. And can you also put your user's ldif?

Besides, I know you use getAdditionalRoles() to solve this problem, for sure, but what I say is that should we use this method like this way? Can you find some examples like document or other projects use this way? Not asking for how it works. We all understand how it works.

{code:java}
The signature of getAdditionalRoles() seems not the way you use.
Because the Redhat linux can not support the case insensitive ldap username, that is to say 'getGroupMembershipRoles(userDn, username)' will return empty Set, so I analyze the spring source code, after 'getGroupMembershipRoles(userDn, username)', there will call 'getAdditionalRoles(user, username)' to get the roles again, then I can get the real username from the DirContextOperations object.
{code}

Also, I think it may be a requirements or issue that need discussion, but not directly get "cn" from DirContextOperations.

{code:java}
the username passed in is not real one, but the 'WKH', so I find a way to fetch the real one from DirContextOperations object by 'username = user.getStringAttribute("cn");'
{code}

Looking forward your opinion.

was (Author: aron.tao):

Hi [~xingpeng1]

About Redhat we may need further discussion, it's need a full discussion and comparison or we can solve one problem today, but next day, another problem may occur.And can you also put your user's ldif?

Besides, I know you use getAdditionalRoles() to solve this problem, for sure, but what I say is that should we use this method like this way? Can you find some examples like document or other projects use this way? Not asking for how it works. We all understand how it works.

{code:java}
The signature of getAdditionalRoles() seems not the way you use.
Because the Redhat linux can not support the case insensitive ldap username, that is to say 'getGroupMembershipRoles(userDn, username)' will return empty Set, so I analyze the spring source code, after 'getGroupMembershipRoles(userDn, username)', there will call 'getAdditionalRoles(user, username)' to get the roles again, then I can get the real username from the DirContextOperations object.
{code}

Also, I think it may be a requirements or issue that need discussion, but not directly get "cn" from DirContextOperations.

{code:java}
the username passed in is not real one, but the 'WKH', so I find a way to fetch the real one from DirContextOperations object by 'username = user.getStringAttribute("cn");'
{code}

Looking forward your opinion.

> When ldap is opened, I use an ignored case user to login, the page does not respond.
>
> Key: KYLIN-3197
> URL: https://issues.apache.org/jira/browse/KYLIN-3197
> Project: Kylin
> Issue Type: Bug
> Components: Security
> Affects Versions: v2.3.0
> Reporter: Peng Xing
> Assignee: Peng Xing
> Priority: Major
> Labels: patch
> Fix For: Future
> Attachments: 0001-KYLIN-3197-When-ldap-is-opened-I-use-an-ignored-case.patch, image-2018-01-25-17-22-39-970.png, image-2018-02-06-14-09-32-591.png, image-2018-02-08-15-32-25-030.png, image-2018-02-08-15-33-07-277.png, image-2018-02-08-15-33-54-480.png, image-2018-02-08-15-35-03-902.png, image-2018-02-12-12-15-00-574.png, image-2018-02-12-12-15-28-826.png, image-2018-02-12-12-15-39-132.png, image-2018-02-12-12-25-15-793.png
>
> When ldap is opened, I config the kylin.properties, and give wkhGroup the admin permission.
> {code:java}
> ## Admin roles in LDAP, for ldap and saml
> kylin.security.acl.admin-role=wkhGroup
> {code}
> then I create a new user named 'wkh' whose group is 'wkhGroup', then I use 'wkh' to login in, which is normal.
> But when I use 'WKH' to login in, the page does not respond.
> I analyze the background code, and find the function of 'org.apache.kylin.rest.security.LDAPAuthoritiesPopulator.getGroupMembershipRoles(String, String)' has problem.
> When userDn is "uid=wkh,ou=People,ou=defaultCluster,dc=zdh,dc=com" and username is "WKH", then authorities will be empty Set by the follow code:
> {code:java}
> Set authorities = super.getGroupMembershipRoles(userDn, username);
> {code}
> So I have added 'getAdditionalRoles' function to get the authorities again.
> I have
[jira] [Comment Edited] (KYLIN-3197) When ldap is opened, I use an ignored case user to login, the page does not respond.
[ https://issues.apache.org/jira/browse/KYLIN-3197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16361734#comment-16361734 ]

jiatao.tao edited comment on KYLIN-3197 at 2/13/18 2:49 AM:

Hi [~xingpeng1]

About Redhat we may need further discussion, it's need a full discussion and comparison or we can solve one problem today, but next day, another problem may occur.And can you also put your user's ldif?

Besides, I know you use getAdditionalRoles() to solve this problem, for sure, but what I say is that should we use this method like this way? Can you find some examples like document or other projects use this way? Not asking for how it works. We all understand how it works.

{code:java}
The signature of getAdditionalRoles() seems not the way you use.
Because the Redhat linux can not support the case insensitive ldap username, that is to say 'getGroupMembershipRoles(userDn, username)' will return empty Set, so I analyze the spring source code, after 'getGroupMembershipRoles(userDn, username)', there will call 'getAdditionalRoles(user, username)' to get the roles again, then I can get the real username from the DirContextOperations object.
{code}

Also, I think it may be a requirements or issue that need discussion, but not directly get "cn" from DirContextOperations.

{code:java}
the username passed in is not real one, but the 'WKH', so I find a way to fetch the real one from DirContextOperations object by 'username = user.getStringAttribute("cn");'
{code}

Looking forward your opinion.

was (Author: aron.tao):

Hi [~xingpeng1]

About Redhat we may need further discussion, can you also put your user's ldif?

Besides, I know you use getAdditionalRoles to solve this problem, for sure, but what I say is that should we use this method like this way? Can you find some examples like document or other projects use this way? Not asking for how it works. We all understand how it works.

{code:java}
The signature of getAdditionalRoles() seems not the way you use.
Because the Redhat linux can not support the case insensitive ldap username, that is to say 'getGroupMembershipRoles(userDn, username)' will return empty Set, so I analyze the spring source code, after 'getGroupMembershipRoles(userDn, username)', there will call 'getAdditionalRoles(user, username)' to get the roles again, then I can get the real username from the DirContextOperations object.
{code}

Also, I think it may be a requirements or issue that need discussion, but not directly get "cn" from DirContextOperations.

{code:java}
the username passed in is not real one, but the 'WKH', so I find a way to fetch the real one from DirContextOperations object by 'username = user.getStringAttribute("cn");'
{code}

Looking forward your opinion.

> When ldap is opened, I use an ignored case user to login, the page does not respond.
>
> Key: KYLIN-3197
> URL: https://issues.apache.org/jira/browse/KYLIN-3197
> Project: Kylin
> Issue Type: Bug
> Components: Security
> Affects Versions: v2.3.0
> Reporter: Peng Xing
> Assignee: Peng Xing
> Priority: Major
> Labels: patch
> Fix For: Future
> Attachments: 0001-KYLIN-3197-When-ldap-is-opened-I-use-an-ignored-case.patch, image-2018-01-25-17-22-39-970.png, image-2018-02-06-14-09-32-591.png, image-2018-02-08-15-32-25-030.png, image-2018-02-08-15-33-07-277.png, image-2018-02-08-15-33-54-480.png, image-2018-02-08-15-35-03-902.png, image-2018-02-12-12-15-00-574.png, image-2018-02-12-12-15-28-826.png, image-2018-02-12-12-15-39-132.png, image-2018-02-12-12-25-15-793.png
>
> When ldap is opened, I config the kylin.properties, and give wkhGroup the admin permission.
> {code:java}
> ## Admin roles in LDAP, for ldap and saml
> kylin.security.acl.admin-role=wkhGroup
> {code}
> then I create a new user named 'wkh' whose group is 'wkhGroup', then I use 'wkh' to login in, which is normal.
> But when I use 'WKH' to login in, the page does not respond.
> I analyze the background code, and find the function of 'org.apache.kylin.rest.security.LDAPAuthoritiesPopulator.getGroupMembershipRoles(String, String)' has problem.
> When userDn is "uid=wkh,ou=People,ou=defaultCluster,dc=zdh,dc=com" and username is "WKH", then authorities will be empty Set by the follow code:
> {code:java}
> Set authorities = super.getGroupMembershipRoles(userDn, username);
> {code}
> So I have added 'getAdditionalRoles' function to get the authorities again.
> I have test the patch, please review, thanks!

--
This message was sent by Atlassian JIRA (v7.6.3#76005)
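
The mismatch discussed in this thread, as an added plain-JDK illustration (not code from the Kylin patch or from Spring Security): a case-sensitive group lookup keyed on the typed login 'WKH' finds nothing, while the spelling stored in the authenticated entry's DN finds wkhGroup. The in-memory directory, the class and method names, and the choice of the `uid` RDN as the source of the stored spelling are assumptions made for the example; the thread does not settle which attribute should be trusted.

```java
import java.util.Map;
import java.util.Set;
import java.util.TreeSet;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

/** Added illustration; every name here is hypothetical, not Kylin or Spring Security code. */
public class LdapLoginCaseDemo {

    // Constructed sample directory: group name -> member login names exactly as stored.
    static final Map<String, Set<String>> GROUP_MEMBERS = Map.of(
            "wkhGroup", Set.of("wkh"),
            "otherGroup", Set.of("alice"));

    // Value of kylin.security.acl.admin-role quoted in the issue.
    static final String ADMIN_ROLE = "wkhGroup";

    /** Assumption: the group search compares the member name case-sensitively. */
    static Set<String> groupsForMember(String memberName) {
        Set<String> groups = new TreeSet<>();
        for (Map.Entry<String, Set<String>> entry : GROUP_MEMBERS.entrySet()) {
            if (entry.getValue().contains(memberName)) {
                groups.add(entry.getKey());
            }
        }
        return groups;
    }

    /** Reads the login name from the leftmost RDN of the DN returned for the authenticated entry. */
    static String loginFromDn(String userDn, String expectedRdnType) throws InvalidNameException {
        LdapName dn = new LdapName(userDn);
        if (dn.isEmpty()) {
            throw new InvalidNameException("empty DN");
        }
        Rdn leaf = dn.getRdn(dn.size() - 1); // LdapName indexes RDNs from right to left
        if (!leaf.getType().equalsIgnoreCase(expectedRdnType)) {
            throw new InvalidNameException("leftmost RDN is not " + expectedRdnType + ": " + leaf);
        }
        return leaf.getValue().toString();
    }

    /**
     * Picks the name to use for the group search. The stored spelling is accepted only when it
     * differs from the typed login by case alone, so the lookup can never switch to another account.
     */
    static String canonicalLogin(String userDn, String typedLogin) throws InvalidNameException {
        String stored = loginFromDn(userDn, "uid");
        if (!stored.equalsIgnoreCase(typedLogin)) {
            throw new SecurityException("typed login does not match the authenticated entry");
        }
        return stored;
    }

    static boolean isAdmin(Set<String> groups) {
        return groups.contains(ADMIN_ROLE);
    }

    public static void main(String[] args) throws InvalidNameException {
        String userDn = "uid=wkh,ou=People,ou=defaultCluster,dc=zdh,dc=com"; // DN quoted in the issue
        String typedLogin = "WKH";                                           // login quoted in the issue

        Set<String> byTyped = groupsForMember(typedLogin);
        Set<String> byStored = groupsForMember(canonicalLogin(userDn, typedLogin));

        System.out.println("typed login  -> groups " + byTyped + ", admin=" + isAdmin(byTyped));
        System.out.println("stored login -> groups " + byStored + ", admin=" + isAdmin(byStored));
    }
}
```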
[jira] [Comment Edited] (KYLIN-3197) When ldap is opened, I use an ignored case user to login, the page does not respond.
[ https://issues.apache.org/jira/browse/KYLIN-3197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16361734#comment-16361734 ]

jiatao.tao edited comment on KYLIN-3197 at 2/13/18 2:44 AM:

Hi [~xingpeng1]

About Redhat we may need further discussion, can you also put your user's ldif?

Besides, I know you use getAdditionalRoles to solve this problem, for sure, but what I say is that should we use this method like this way? Can you find some examples like document or other projects use this way? Not asking for how it works. We all understand how it works.

{code:java}
The signature of getAdditionalRoles() seems not the way you use.
Because the Redhat linux can not support the case insensitive ldap username, that is to say 'getGroupMembershipRoles(userDn, username)' will return empty Set, so I analyze the spring source code, after 'getGroupMembershipRoles(userDn, username)', there will call 'getAdditionalRoles(user, username)' to get the roles again, then I can get the real username from the DirContextOperations object.
{code}

Also, I think it may be a requirements or issue that need discussion, but not directly get "cn" from DirContextOperations.

{code:java}
the username passed in is not real one, but the 'WKH', so I find a way to fetch the real one from DirContextOperations object by 'username = user.getStringAttribute("cn");'
{code}

Looking forward your opinion.

was (Author: aron.tao):

Hi [~xingpeng1]

We will consider about Redhat, can you also put your user's ldif?

Besides, I know you use getAdditionalRoles to solve this problem, for sure, but what I say is that should we use this method like this way? Can you find some examples like document or other projects use this way? Not asking for how it works. We all understand how it works.

{code:java}
The signature of getAdditionalRoles() seems not the way you use.
Because the Redhat linux can not support the case insensitive ldap username, that is to say 'getGroupMembershipRoles(userDn, username)' will return empty Set, so I analyze the spring source code, after 'getGroupMembershipRoles(userDn, username)', there will call 'getAdditionalRoles(user, username)' to get the roles again, then I can get the real username from the DirContextOperations object.
{code}

Also, I think it may be a requirements or issue that need discussion, but not directly get "cn" from DirContextOperations.

{code:java}
the username passed in is not real one, but the 'WKH', so I find a way to fetch the real one from DirContextOperations object by 'username = user.getStringAttribute("cn");'
{code}

Looking forward your opinion.

> When ldap is opened, I use an ignored case user to login, the page does not respond.
>
> Key: KYLIN-3197
> URL: https://issues.apache.org/jira/browse/KYLIN-3197
> Project: Kylin
> Issue Type: Bug
> Components: Security
> Affects Versions: v2.3.0
> Reporter: Peng Xing
> Assignee: Peng Xing
> Priority: Major
> Labels: patch
> Fix For: Future
> Attachments: 0001-KYLIN-3197-When-ldap-is-opened-I-use-an-ignored-case.patch, image-2018-01-25-17-22-39-970.png, image-2018-02-06-14-09-32-591.png, image-2018-02-08-15-32-25-030.png, image-2018-02-08-15-33-07-277.png, image-2018-02-08-15-33-54-480.png, image-2018-02-08-15-35-03-902.png, image-2018-02-12-12-15-00-574.png, image-2018-02-12-12-15-28-826.png, image-2018-02-12-12-15-39-132.png, image-2018-02-12-12-25-15-793.png
>
> When ldap is opened, I config the kylin.properties, and give wkhGroup the admin permission.
> {code:java}
> ## Admin roles in LDAP, for ldap and saml
> kylin.security.acl.admin-role=wkhGroup
> {code}
> then I create a new user named 'wkh' whose group is 'wkhGroup', then I use 'wkh' to login in, which is normal.
> But when I use 'WKH' to login in, the page does not respond.
> I analyze the background code, and find the function of 'org.apache.kylin.rest.security.LDAPAuthoritiesPopulator.getGroupMembershipRoles(String, String)' has problem.
> When userDn is "uid=wkh,ou=People,ou=defaultCluster,dc=zdh,dc=com" and username is "WKH", then authorities will be empty Set by the follow code:
> {code:java}
> Set authorities = super.getGroupMembershipRoles(userDn, username);
> {code}
> So I have added 'getAdditionalRoles' function to get the authorities again.
> I have test the patch, please review, thanks!
[jira] [Comment Edited] (KYLIN-3197) When ldap is opened, I use an ignored case user to login, the page does not respond.
[ https://issues.apache.org/jira/browse/KYLIN-3197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16361734#comment-16361734 ]

jiatao.tao edited comment on KYLIN-3197 at 2/13/18 2:42 AM:

Hi [~xingpeng1]

We will consider about Redhat, can you also put your user's ldif?

Besides, I know you use getAdditionalRoles to solve this problem, for sure, but what I say is that should we use this method like this way? Can you find some examples like document or other projects use this way? Not asking for how it works. We all understand how it works.

{code:java}
The signature of getAdditionalRoles() seems not the way you use.
Because the Redhat linux can not support the case insensitive ldap username, that is to say 'getGroupMembershipRoles(userDn, username)' will return empty Set, so I analyze the spring source code, after 'getGroupMembershipRoles(userDn, username)', there will call 'getAdditionalRoles(user, username)' to get the roles again, then I can get the real username from the DirContextOperations object.
{code}

Also, I think it may be a requirements or issue that need discussion, but not directly get "cn" from DirContextOperations.

{code:java}
the username passed in is not real one, but the 'WKH', so I find a way to fetch the real one from DirContextOperations object by 'username = user.getStringAttribute("cn");'
{code}

Looking forward your opinion.

was (Author: aron.tao):

Hi [~xingpeng1]

We will consider about Redhat, can you also put your user's ldif?

Besides, I know you use getAdditionalRoles to solve this problem, for sure, but what I say is that should we use this method like this way? Can you find some examples like document or other projects use this way? not asking for how it works. We all understand how it works.

{code:java}
The signature of getAdditionalRoles() seems not the way you use.
Because the Redhat linux can not support the case insensitive ldap username, that is to say 'getGroupMembershipRoles(userDn, username)' will return empty Set, so I analyze the spring source code, after 'getGroupMembershipRoles(userDn, username)', there will call 'getAdditionalRoles(user, username)' to get the roles again, then I can get the real username from the DirContextOperations object.
{code}

Also, I think it may be a requirements or issue that need discussion, but not directly get "cn" from DirContextOperations.

{code:java}
the username passed in is not real one, but the 'WKH', so I find a way to fetch the real one from DirContextOperations object by 'username = user.getStringAttribute("cn");'
{code}

Looking forward your opinion.

> When ldap is opened, I use an ignored case user to login, the page does not respond.
>
> Key: KYLIN-3197
> URL: https://issues.apache.org/jira/browse/KYLIN-3197
> Project: Kylin
> Issue Type: Bug
> Components: Security
> Affects Versions: v2.3.0
> Reporter: Peng Xing
> Assignee: Peng Xing
> Priority: Major
> Labels: patch
> Fix For: Future
> Attachments: 0001-KYLIN-3197-When-ldap-is-opened-I-use-an-ignored-case.patch, image-2018-01-25-17-22-39-970.png, image-2018-02-06-14-09-32-591.png, image-2018-02-08-15-32-25-030.png, image-2018-02-08-15-33-07-277.png, image-2018-02-08-15-33-54-480.png, image-2018-02-08-15-35-03-902.png, image-2018-02-12-12-15-00-574.png, image-2018-02-12-12-15-28-826.png, image-2018-02-12-12-15-39-132.png, image-2018-02-12-12-25-15-793.png
>
> When ldap is opened, I config the kylin.properties, and give wkhGroup the admin permission.
> {code:java}
> ## Admin roles in LDAP, for ldap and saml
> kylin.security.acl.admin-role=wkhGroup
> {code}
> then I create a new user named 'wkh' whose group is 'wkhGroup', then I use 'wkh' to login in, which is normal.
> But when I use 'WKH' to login in, the page does not respond.
> I analyze the background code, and find the function of 'org.apache.kylin.rest.security.LDAPAuthoritiesPopulator.getGroupMembershipRoles(String, String)' has problem.
> When userDn is "uid=wkh,ou=People,ou=defaultCluster,dc=zdh,dc=com" and username is "WKH", then authorities will be empty Set by the follow code:
> {code:java}
> Set authorities = super.getGroupMembershipRoles(userDn, username);
> {code}
> So I have added 'getAdditionalRoles' function to get the authorities again.
> I have test the patch, please review, thanks!
[jira] [Comment Edited] (KYLIN-3197) When ldap is opened, I use an ignored case user to login, the page does not respond.
[ https://issues.apache.org/jira/browse/KYLIN-3197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16361734#comment-16361734 ]

jiatao.tao edited comment on KYLIN-3197 at 2/13/18 2:41 AM:

Hi [~xingpeng1]

We will consider about Redhat, can you also put your user's ldif?

Besides, I know you use getAdditionalRoles to solve this problem, for sure, but what I say is that should we use this method like this way? Can you find some examples like document or other projects use this way? not asking for how it works. We all understand how it works.

{code:java}
The signature of getAdditionalRoles() seems not the way you use.
Because the Redhat linux can not support the case insensitive ldap username, that is to say 'getGroupMembershipRoles(userDn, username)' will return empty Set, so I analyze the spring source code, after 'getGroupMembershipRoles(userDn, username)', there will call 'getAdditionalRoles(user, username)' to get the roles again, then I can get the real username from the DirContextOperations object.
{code}

Also, I think it may be a requirements or issue that need discussion, but not directly get "cn" from DirContextOperations.

{code:java}
the username passed in is not real one, but the 'WKH', so I find a way to fetch the real one from DirContextOperations object by 'username = user.getStringAttribute("cn");'
{code}

Looking forward your opinion.

was (Author: aron.tao):

Hi [~xingpeng1]

We will consider about Redhat, can you also put your user's ldif?

Besides, I know you use getAdditionalRoles to solve this problem, for sure, but what I say is that should we use this method like this way? Can you find some examples like document or other projects use this way, not asking for how it works. We all understand how it works.

{code:java}
The signature of getAdditionalRoles() seems not the way you use.
Because the Redhat linux can not support the case insensitive ldap username, that is to say 'getGroupMembershipRoles(userDn, username)' will return empty Set, so I analyze the spring source code, after 'getGroupMembershipRoles(userDn, username)', there will call 'getAdditionalRoles(user, username)' to get the roles again, then I can get the real username from the DirContextOperations object.
{code}

Also, I think it may be a requirements or issue that need discussion, but not directly get "cn" from DirContextOperations.

{code:java}
the username passed in is not real one, but the 'WKH', so I find a way to fetch the real one from DirContextOperations object by 'username = user.getStringAttribute("cn");'
{code}

Looking forward your opinion.

> When ldap is opened, I use an ignored case user to login, the page does not respond.
>
> Key: KYLIN-3197
> URL: https://issues.apache.org/jira/browse/KYLIN-3197
> Project: Kylin
> Issue Type: Bug
> Components: Security
> Affects Versions: v2.3.0
> Reporter: Peng Xing
> Assignee: Peng Xing
> Priority: Major
> Labels: patch
> Fix For: Future
> Attachments: 0001-KYLIN-3197-When-ldap-is-opened-I-use-an-ignored-case.patch, image-2018-01-25-17-22-39-970.png, image-2018-02-06-14-09-32-591.png, image-2018-02-08-15-32-25-030.png, image-2018-02-08-15-33-07-277.png, image-2018-02-08-15-33-54-480.png, image-2018-02-08-15-35-03-902.png, image-2018-02-12-12-15-00-574.png, image-2018-02-12-12-15-28-826.png, image-2018-02-12-12-15-39-132.png, image-2018-02-12-12-25-15-793.png
>
> When ldap is opened, I config the kylin.properties, and give wkhGroup the admin permission.
> {code:java}
> ## Admin roles in LDAP, for ldap and saml
> kylin.security.acl.admin-role=wkhGroup
> {code}
> then I create a new user named 'wkh' whose group is 'wkhGroup', then I use 'wkh' to login in, which is normal.
> But when I use 'WKH' to login in, the page does not respond.
> I analyze the background code, and find the function of 'org.apache.kylin.rest.security.LDAPAuthoritiesPopulator.getGroupMembershipRoles(String, String)' has problem.
> When userDn is "uid=wkh,ou=People,ou=defaultCluster,dc=zdh,dc=com" and username is "WKH", then authorities will be empty Set by the follow code:
> {code:java}
> Set authorities = super.getGroupMembershipRoles(userDn, username);
> {code}
> So I have added 'getAdditionalRoles' function to get the authorities again.
> I have test the patch, please review, thanks!
[jira] [Comment Edited] (KYLIN-3197) When ldap is opened, I use an ignored case user to login, the page does not respond.
[ https://issues.apache.org/jira/browse/KYLIN-3197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16361734#comment-16361734 ]

jiatao.tao edited comment on KYLIN-3197 at 2/13/18 2:40 AM:

Hi [~xingpeng1]

We will consider about Redhat, can you also put your user's ldif?

Besides, I know you use getAdditionalRoles to solve this problem, for sure, but what I say is that should we use this method like this way? Can you find some examples like document or other projects use this way, not asking for how it works. We all understand how it works.

{code:java}
The signature of getAdditionalRoles() seems not the way you use.
Because the Redhat linux can not support the case insensitive ldap username, that is to say 'getGroupMembershipRoles(userDn, username)' will return empty Set, so I analyze the spring source code, after 'getGroupMembershipRoles(userDn, username)', there will call 'getAdditionalRoles(user, username)' to get the roles again, then I can get the real username from the DirContextOperations object.
{code}

Also, I think it may be a requirements or issue that need discussion, but not directly get "cn" from DirContextOperations.

{code:java}
the username passed in is not real one, but the 'WKH', so I find a way to fetch the real one from DirContextOperations object by 'username = user.getStringAttribute("cn");'
{code}

Looking forward to your opinion.

was (Author: aron.tao):

Hi [~xingpeng1]

We will consider about Redhat, can you also put your user's ldif?

Besides, I know you use getAdditionalRoles to solve this problem, for sure, but what I say is that should we use this method like this way? Can you find some examples like document or other projects use this way, not asking for how it works.

{code:java}
The signature of getAdditionalRoles() seems not the way you use.
Because the Redhat linux can not support the case insensitive ldap username, that is to say 'getGroupMembershipRoles(userDn, username)' will return empty Set, so I analyze the spring source code, after 'getGroupMembershipRoles(userDn, username)', there will call 'getAdditionalRoles(user, username)' to get the roles again, then I can get the real username from the DirContextOperations object.
{code}

Also, I think it may be a requirements or issue that need discussion, but not directly get "cn" from DirContextOperations.

{code:java}
the username passed in is not real one, but the 'WKH', so I find a way to fetch the real one from DirContextOperations object by 'username = user.getStringAttribute("cn");'
{code}

Looking forward to your opinion.
[jira] [Comment Edited] (KYLIN-3197) When ldap is opened, I use an ignored case user to login, the page does not respond.
[ https://issues.apache.org/jira/browse/KYLIN-3197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16361734#comment-16361734 ]

jiatao.tao edited comment on KYLIN-3197 at 2/13/18 2:39 AM:

Hi [~xingpeng1]

We will consider about Redhat, can you also put your user's ldif?

Besides, I know you use getAdditionalRoles to solve this problem, for sure, but what I say is that should we use this method like this way? Can you find some examples like document or other projects use this way, not asking for how it works.

{code:java}
The signature of getAdditionalRoles() seems not the way you use.
Because the Redhat linux can not support the case insensitive ldap username, that is to say 'getGroupMembershipRoles(userDn, username)' will return empty Set, so I analyze the spring source code, after 'getGroupMembershipRoles(userDn, username)', there will call 'getAdditionalRoles(user, username)' to get the roles again, then I can get the real username from the DirContextOperations object.
{code}

Also, I think it may be a requirements or issue that need discussion, but not directly get "cn" from DirContextOperations.

{code:java}
the username passed in is not real one, but the 'WKH', so I find a way to fetch the real one from DirContextOperations object by 'username = user.getStringAttribute("cn");'
{code}

Looking forward to your opinion.

was (Author: aron.tao):

Hi [~xingpeng1]

We will consider about Redhat, can you also put your user's ldif?

Besides, I know you use xxx to solve this problem, but what I say is that should we use this method like this way? Can you find some examples like document or other project use this way.

{code:java}
the signature of getAdditionalRoles() seems not the way you use.
Because the Redhat linux can not support the case insensitive ldap username, that is to say 'getGroupMembershipRoles(userDn, username)' will return empty Set, so I analyze the spring source code, after 'getGroupMembershipRoles(userDn, username)', there will call 'getAdditionalRoles(user, username)' to get the roles again, then I can get the real username from the DirContextOperations object.
{code}

Also, I think it may be a requirements or issue that need discussion, but not directly get "cn" from DirContextOperations.

{code:java}
the username passed in is not real one, but the 'WKH', so I find a way to fetch the real one from DirContextOperations object by 'username = user.getStringAttribute("cn");'
{code}

Looking forward to your opinion.
[jira] [Comment Edited] (KYLIN-3197) When ldap is opened, I use an ignored case user to login, the page does not respond.
[ https://issues.apache.org/jira/browse/KYLIN-3197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16361734#comment-16361734 ]

jiatao.tao edited comment on KYLIN-3197 at 2/13/18 2:37 AM:

Hi [~xingpeng1]

We will consider about Redhat, can you also put your user's ldif?

Besides, I know you use xxx to solve this problem, but what I say is that should we use this method like this way? Can you find some examples like document or other project use this way.

{code:java}
the signature of getAdditionalRoles() seems not the way you use.
Because the Redhat linux can not support the case insensitive ldap username, that is to say 'getGroupMembershipRoles(userDn, username)' will return empty Set, so I analyze the spring source code, after 'getGroupMembershipRoles(userDn, username)', there will call 'getAdditionalRoles(user, username)' to get the roles again, then I can get the real username from the DirContextOperations object.
{code}

Also, I think it may be a requirements or issue that need discussion, but not directly get "cn" from DirContextOperations.

{code:java}
the username passed in is not real one, but the 'WKH', so I find a way to fetch the real one from DirContextOperations object by 'username = user.getStringAttribute("cn");'
{code}

Looking forward to your opinion.

was (Author: aron.tao):

Hi [~xingpeng1]

We will consider about Redhat, can you also put your user's ldif?

Besides, I know you use xxx to solve this problem, but what I say is that should we use this method like this way? Can you find some examples like document or other project use this way.

Also, I think it may be a requirements or issue that need discussion, but not directly get "cn" from DirContextOperations.

{code:java}
the username passed in is not real one, but the 'WKH', so I find a way to fetch the real one from DirContextOperations object by 'username = user.getStringAttribute("cn");'
{code}

Looking forward to your opinion.
[jira] [Comment Edited] (KYLIN-3197) When ldap is opened, I use an ignored case user to login, the page does not respond.
[ https://issues.apache.org/jira/browse/KYLIN-3197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16361734#comment-16361734 ]

jiatao.tao edited comment on KYLIN-3197 at 2/13/18 2:36 AM:

Hi [~xingpeng1]

We will consider about Redhat, can you also put your user's ldif?

Besides, I know you use xxx to solve this problem, but what I say is that should we use this method like this way? Can you find some examples like document or other project use this way.

Also, I think it may be a requirements or issue that need discussion, but not directly get "cn" from DirContextOperations.

{code:java}
the username passed in is not real one, but the 'WKH', so I find a way to fetch the real one from DirContextOperations object by 'username = user.getStringAttribute("cn");'
{code}

Looking forward to your opinion.

was (Author: aron.tao):

Hi [~xingpeng1]

We will consider about Redhat, can you also put your user's ldif?

Also, I think it may be a requirements or issue that need discussion, but not directly get "cn" from DirContextOperations.

{code:java}
the username passed in is not real one, but the 'WKH', so I find a way to fetch the real one from DirContextOperations object by 'username = user.getStringAttribute("cn");'
{code}

Looking forward to your opinion.
[jira] [Comment Edited] (KYLIN-3197) When ldap is opened, I use an ignored case user to login, the page does not respond.
[ https://issues.apache.org/jira/browse/KYLIN-3197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16361734#comment-16361734 ]

jiatao.tao edited comment on KYLIN-3197 at 2/13/18 2:32 AM:

Hi [~xingpeng1]

We will consider about Redhat, can you also put your user's ldif?

Also, I think it may be a requirements or issue that need discussion, but not directly get "cn" from DirContextOperations.

{code:java}
the username passed in is not real one, but the 'WKH', so I find a way to fetch the real one from DirContextOperations object by 'username = user.getStringAttribute("cn");'
{code}

Looking forward to your opinion.

was (Author: aron.tao):

Hi [~xingpeng1]

We will consider about Redhat, can you also put your user's ldif?

Also, I think it may be a requirements or issue that need discussion, but not directly get "cn" from DirContextOperations.

{code:java}
the username passed in is not real one, but the 'WKH', so I find a way to fetch the real one from DirContextOperations object by 'username = user.getStringAttribute("cn");'
{code}
[jira] [Comment Edited] (KYLIN-3197) When ldap is opened, I use an ignored case user to login, the page does not respond.
[ https://issues.apache.org/jira/browse/KYLIN-3197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16360388#comment-16360388 ]

Peng Xing edited comment on KYLIN-3197 at 2/12/18 7:43 AM:
---
Hi [~Aron.tao],

I have found out the reason why your environment is useable for case insensitive ldap username, because your linux is SUSE, the member format is userDn just like 'uid=wkh,ou=People,ou=defaultCluster,dc=zdh,dc=com' in group, so when userDn is "uid={color:red}wkh{color},ou=People,ou=defaultCluster,dc=zdh,dc=com", the ldap can use userDn to match the ldap group. I have tested in SUSE environment, it's really ok.

{code:java}
dn: cn=wkhGroup,ou=Group,ou=defaultCluster,dc=zdh,dc=com
objectClass: posixGroup
objectClass: top
objectClass: groupOfNames
cn: wkhGroup
gidNumber: 10015
member: uid=wkh,ou=People,ou=defaultCluster,dc=zdh,dc=com
structuralObjectClass: groupOfNames
entryUUID: 4bacacf6-a410-1037-996c-b7792c876d2c
creatorsName: cn=LdapAdmin,dc=zdh,dc=com
createTimestamp: 20180212071549Z
entryCSN: 20180212071617.147179Z#00#001#00
modifiersName: cn=LdapAdmin,dc=zdh,dc=com
modifyTimestamp: 20180212071617Z
{code}

But my environment is Redhat, the memberUid format is username or cn just like 'wkh' in group, so when username is "WKH", the ldap can not use "WKH" to match the ldap group.

{code:java}
dn: cn=wkhGroup,ou=Group,ou=defaultCluster,dc=zdh,dc=com
objectClass: posixGroup
objectClass: top
cn: wkhGroup
gidNumber: 1
structuralObjectClass: posixGroup
entryUUID: f99c7e72-9466-1037-8810-e1d7152e775c
creatorsName: cn=LdapAdmin,dc=zdh,dc=com
createTimestamp: 20180123085558Z
memberUid: wkh
memberUid: wkh1
memberUid: wkh2
memberUid: Wkh5
entryCSN: 20180124082044.774518Z#00#001#00
modifiersName: cn=LdapAdmin,dc=zdh,dc=com
modifyTimestamp: 20180124082044Z
{code}

Then I will answer your two questions.

1. the signature of getAdditionalRoles() seems not the way you use.

Because the Redhat linux can not support the case insensitive ldap username, that is to say 'getGroupMembershipRoles(userDn, username)' will return empty Set, so I analyze the spring source code, after 'getGroupMembershipRoles(userDn, username)', there will call 'getAdditionalRoles(user, username)' to get the roles again, then I can get the real username from the DirContextOperations object.

{code:java}
@Override
public final Collection<GrantedAuthority> getGrantedAuthorities(
        DirContextOperations user, String username) {
    String userDn = user.getNameInNamespace();

    if (logger.isDebugEnabled()) {
        logger.debug("Getting authorities for user " + userDn);
    }

    // Roles found by the group search filter
    Set<GrantedAuthority> roles = getGroupMembershipRoles(userDn, username);

    // Extension hook called right after the group search
    Set<GrantedAuthority> extraRoles = getAdditionalRoles(user, username);

    if (extraRoles != null) {
        roles.addAll(extraRoles);
    }

    if (this.defaultRole != null) {
        roles.add(this.defaultRole);
    }

    List<GrantedAuthority> result = new ArrayList<GrantedAuthority>(roles.size());
    result.addAll(roles);

    return result;
}
{code}

2. In your patch you directly get username and not use the name that getAdditionalRoles(DirContextOperations user, String username) passed in.

Because the username passed in is not real one, but the 'WKH', so I find a way to fetch the real one from DirContextOperations object by 'username = user.getStringAttribute("cn");'

was (Author: xingpeng1):

Hi [~Aron.tao],

I have found out the reason why your environment is useable for case insensitive ldap username, because your linux is SUSE, the member format is userDn just like 'uid=wkh,ou=People,ou=defaultCluster,dc=zdh,dc=com' in group, so when userDn is "uid={color:red}wkh{color},ou=People,ou=defaultCluster,dc=zdh,dc=com", the ldap can use userDn to match the ldap group. I have tested in SUSE environment, it's really ok.

{code:java}
dn: cn=wkhGroup,ou=Group,ou=defaultCluster,dc=zdh,dc=com
objectClass: posixGroup
objectClass: top
objectClass: groupOfNames
cn: wkhGroup
gidNumber: 10015
member: uid=wkh,ou=People,ou=defaultCluster,dc=zdh,dc=com
structuralObjectClass: groupOfNames
entryUUID: 4bacacf6-a410-1037-996c-b7792c876d2c
creatorsName: cn=LdapAdmin,dc=zdh,dc=com
createTimestamp: 20180212071549Z
entryCSN: 20180212071617.147179Z#00#001#00
modifiersName: cn=LdapAdmin,dc=zdh,dc=com
modifyTimestamp: 20180212071617Z
{code}

But my environment is Redhat, the memberUid format is username or cn just like 'wkh' in group, so when username is "WKH", the ldap can not use "WKH" to match the ldap group.

{code:java}
dn: cn=wkhGroup,ou=Group,ou=defaultCluster,dc=zdh,dc=com
objectClass: posixGroup
objectClass: top
cn: wkhGroup
gidNumber: 1
structuralObjectClass: posixGroup
entryUUID:
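
The difference between the two environments described in the message above follows from the matching rules of the two membership attributes: `member` holds DNs and is compared with distinguishedNameMatch, while RFC 2307 defines `memberUid` with caseExactIA5Match, so a filter built from the typed login name only matches the stored case. The Python simulation below is an added example, not Kylin or Spring Security code; the user entries and the lookup by the entry's `uid` are assumptions, and the group data is reduced from the two LDIF entries quoted above.

```python
# Added illustration: simulates LDAP matching rules in plain Python.
# Not Kylin or Spring Security code; no directory server is contacted.

PEOPLE = "ou=People,ou=defaultCluster,dc=zdh,dc=com"

# Constructed user entries (assumption): the thread shows only the DN of wkh.
USERS = [
    {"dn": "uid=wkh," + PEOPLE, "uid": "wkh"},
    {"dn": "uid=Wkh5," + PEOPLE, "uid": "Wkh5"},
]

# Group entries reduced to their membership attributes, from the thread's LDIF.
GROUPS = {
    "groupOfNames": [{"cn": "wkhGroup", "member": ["uid=wkh," + PEOPLE]}],
    "posixGroup": [{"cn": "wkhGroup",
                    "memberUid": ["wkh", "wkh1", "wkh2", "Wkh5"]}],
}


def normalize_dn(dn):
    """Simplified distinguishedNameMatch: RDN by RDN, ignoring case.

    Assumes no escaped commas and only case-ignore attributes (uid, ou, dc).
    """
    return tuple(rdn.strip().lower() for rdn in dn.split(","))


# Equality rule the server applies for each membership attribute.
MATCHERS = {
    "member": lambda stored, asserted: normalize_dn(stored) == normalize_dn(asserted),
    "memberUid": lambda stored, asserted: stored == asserted,  # caseExactIA5Match
}


def find_user(typed_username):
    """User search on uid (caseIgnoreMatch): 'WKH' still finds uid=wkh."""
    for entry in USERS:
        if entry["uid"].lower() == typed_username.lower():
            return entry
    return None


def search_groups(groups, filter_template, user_dn, username):
    """Evaluate a single-term equality filter against the group entries.

    {0} is replaced by the user DN and {1} by the username, the placeholder
    convention of Spring Security's group search filter.
    """
    term = filter_template.strip("()")
    term = term.replace("{0}", user_dn).replace("{1}", username)
    attr, _, asserted = term.partition("=")
    matches = MATCHERS[attr]
    return sorted(g["cn"] for g in groups
                  if any(matches(v, asserted) for v in g.get(attr, [])))


def roles_for_login(typed_username, schema, filter_template, name_source):
    """Return group names for a login, or None if no user entry is found.

    name_source selects what is substituted for {1}:
      "typed"      - the login name exactly as entered
      "lowercased" - the login name folded to lower case
      "entry"      - the uid value stored on the authenticated entry
    """
    entry = find_user(typed_username)
    if entry is None:
        return None  # authentication fails before any role lookup
    names = {
        "typed": typed_username,
        "lowercased": typed_username.lower(),
        "entry": entry["uid"],
    }
    return search_groups(GROUPS[schema], filter_template,
                         entry["dn"], names[name_source])


if __name__ == "__main__":
    cases = [
        ("WKH", "groupOfNames", "(member={0})", "typed"),
        ("WKH", "posixGroup", "(memberUid={1})", "typed"),
        ("WKH", "posixGroup", "(memberUid={1})", "lowercased"),
        ("wkh5", "posixGroup", "(memberUid={1})", "lowercased"),
        ("wkh5", "posixGroup", "(memberUid={1})", "entry"),
    ]
    for case in cases:
        print(case, "->", roles_for_login(*case))
```

Folding the login name to lower case only helps while every `memberUid` value is lower case; the `Wkh5` member in the LDIF above is the counterexample, which is why the last strategy takes the name from the authenticated entry.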
[jira] [Comment Edited] (KYLIN-3197) When ldap is opened, I use an ignored case user to login, the page does not respond.
[ https://issues.apache.org/jira/browse/KYLIN-3197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16360388#comment-16360388 ]

Peng Xing edited comment on KYLIN-3197 at 2/12/18 7:41 AM:
---
Hi [~Aron.tao],

I have found out the reason why your environment is useable for case insensitive ldap username, because your linux is SUSE, the member format is userDn just like 'uid=wkh,ou=People,ou=defaultCluster,dc=zdh,dc=com' in group, so when userDn is "uid={color:red}wkh{color},ou=People,ou=defaultCluster,dc=zdh,dc=com", the ldap can use userDn to match the ldap group. I have tested in SUSE environment, it's really ok.

{code:java}
dn: cn=wkhGroup,ou=Group,ou=defaultCluster,dc=zdh,dc=com
objectClass: posixGroup
objectClass: top
objectClass: groupOfNames
cn: wkhGroup
gidNumber: 10015
member: uid=wkh,ou=People,ou=defaultCluster,dc=zdh,dc=com
structuralObjectClass: groupOfNames
entryUUID: 4bacacf6-a410-1037-996c-b7792c876d2c
creatorsName: cn=LdapAdmin,dc=zdh,dc=com
createTimestamp: 20180212071549Z
entryCSN: 20180212071617.147179Z#00#001#00
modifiersName: cn=LdapAdmin,dc=zdh,dc=com
modifyTimestamp: 20180212071617Z
{code}

But my environment is Redhat, the member format is username or cn just like 'wkh' in group, so when username is "WKH", the ldap can not use "WKH" to match the ldap group.

{code:java}
dn: cn=wkhGroup,ou=Group,ou=defaultCluster,dc=zdh,dc=com
objectClass: posixGroup
objectClass: top
cn: wkhGroup
gidNumber: 1
structuralObjectClass: posixGroup
entryUUID: f99c7e72-9466-1037-8810-e1d7152e775c
creatorsName: cn=LdapAdmin,dc=zdh,dc=com
createTimestamp: 20180123085558Z
memberUid: wkh
memberUid: wkh1
memberUid: wkh2
memberUid: Wkh5
entryCSN: 20180124082044.774518Z#00#001#00
modifiersName: cn=LdapAdmin,dc=zdh,dc=com
modifyTimestamp: 20180124082044Z
{code}

Then I will answer your two questions.

1. the signature of getAdditionalRoles() seems not the way you use.

Because the Redhat linux can not support the case insensitive ldap username, that is to say 'getGroupMembershipRoles(userDn, username)' will return empty Set, so I analyze the spring source code, after 'getGroupMembershipRoles(userDn, username)', there will call 'getAdditionalRoles(user, username)' to get the roles again, then I can get the real username from the DirContextOperations object.

2. In your patch you directly get username and not use the name that getAdditionalRoles(DirContextOperations user, String username) passed in.

Because the username passed in is not real one, but the 'WKH', so I find a way to fetch the real one from DirContextOperations object by 'username = user.getStringAttribute("cn");'

was (Author: xingpeng1):

Hi [~Aron.tao],

I have found out the reason why your environment is useable for case insensitive ldap username, because your linux is SUSE, the member format is userDn just like 'uid=wkh,ou=People,ou=defaultCluster,dc=zdh,dc=com' in group, so when userDn is "uid={color:red}wkh{color},ou=People,ou=defaultCluster,dc=zdh,dc=com", the ldap can use userDn to match the ldap group. I have test in SUSE environment, it's really ok.

{code:java}
dn: cn=wkhGroup,ou=Group,ou=defaultCluster,dc=zdh,dc=com
objectClass: posixGroup
objectClass: top
objectClass: groupOfNames
cn: wkhGroup
gidNumber: 10015
member: uid=wkh,ou=People,ou=defaultCluster,dc=zdh,dc=com
structuralObjectClass: groupOfNames
entryUUID: 4bacacf6-a410-1037-996c-b7792c876d2c
creatorsName: cn=LdapAdmin,dc=zdh,dc=com
createTimestamp: 20180212071549Z
entryCSN: 20180212071617.147179Z#00#001#00
modifiersName: cn=LdapAdmin,dc=zdh,dc=com
modifyTimestamp: 20180212071617Z
{code}

But my environment is Redhat, the member format is username or cn just like 'wkh' in group, so when username is "WKH", the ldap can not use "WKH" to match the ldap group.

{code:java}
dn: cn=wkhGroup,ou=Group,ou=defaultCluster,dc=zdh,dc=com
objectClass: posixGroup
objectClass: top
cn: wkhGroup
gidNumber: 1
structuralObjectClass: posixGroup
entryUUID: f99c7e72-9466-1037-8810-e1d7152e775c
creatorsName: cn=LdapAdmin,dc=zdh,dc=com
createTimestamp: 20180123085558Z
memberUid: wkh
memberUid: wkh1
memberUid: wkh2
memberUid: Wkh5
entryCSN: 20180124082044.774518Z#00#001#00
modifiersName: cn=LdapAdmin,dc=zdh,dc=com
modifyTimestamp: 20180124082044Z
{code}

Then I will answer your two questions.

1. the signature of getAdditionalRoles() seems not the way you use.

Because the Redhat linux can not support the case insensitive ldap username, that is to say 'getGroupMembershipRoles(userDn, username)' will return empty Set, so I analyze the spring source code, after 'getGroupMembershipRoles(userDn, username)', there will call 'getAdditionalRoles(user, username)' to get the roles again, then I can get the real username from the DirContextOperations object.

2. In your patch you directly get username and not use the name that getAdditionalRoles(DirContextOperations
[jira] [Comment Edited] (KYLIN-3197) When ldap is opened, I use an ignored case user to login, the page does not respond.
[ https://issues.apache.org/jira/browse/KYLIN-3197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16360388#comment-16360388 ]

Peng Xing edited comment on KYLIN-3197 at 2/12/18 7:41 AM:
---
Hi [~Aron.tao],

I have found out the reason why your environment is useable for case insensitive ldap username, because your linux is SUSE, the member format is userDn just like 'uid=wkh,ou=People,ou=defaultCluster,dc=zdh,dc=com' in group, so when userDn is "uid={color:red}wkh{color},ou=People,ou=defaultCluster,dc=zdh,dc=com", the ldap can use userDn to match the ldap group. I have test in SUSE environment, it's really ok.

{code:java}
dn: cn=wkhGroup,ou=Group,ou=defaultCluster,dc=zdh,dc=com
objectClass: posixGroup
objectClass: top
objectClass: groupOfNames
cn: wkhGroup
gidNumber: 10015
member: uid=wkh,ou=People,ou=defaultCluster,dc=zdh,dc=com
structuralObjectClass: groupOfNames
entryUUID: 4bacacf6-a410-1037-996c-b7792c876d2c
creatorsName: cn=LdapAdmin,dc=zdh,dc=com
createTimestamp: 20180212071549Z
entryCSN: 20180212071617.147179Z#00#001#00
modifiersName: cn=LdapAdmin,dc=zdh,dc=com
modifyTimestamp: 20180212071617Z
{code}

But my environment is Redhat, the member format is username or cn just like 'wkh' in group, so when username is "WKH", the ldap can not use "WKH" to match the ldap group.

{code:java}
dn: cn=wkhGroup,ou=Group,ou=defaultCluster,dc=zdh,dc=com
objectClass: posixGroup
objectClass: top
cn: wkhGroup
gidNumber: 1
structuralObjectClass: posixGroup
entryUUID: f99c7e72-9466-1037-8810-e1d7152e775c
creatorsName: cn=LdapAdmin,dc=zdh,dc=com
createTimestamp: 20180123085558Z
memberUid: wkh
memberUid: wkh1
memberUid: wkh2
memberUid: Wkh5
entryCSN: 20180124082044.774518Z#00#001#00
modifiersName: cn=LdapAdmin,dc=zdh,dc=com
modifyTimestamp: 20180124082044Z
{code}

Then I will answer your two questions.

1. the signature of getAdditionalRoles() seems not the way you use.

Because the Redhat linux can not support the case insensitive ldap username, that is to say 'getGroupMembershipRoles(userDn, username)' will return empty Set, so I analyze the spring source code, after 'getGroupMembershipRoles(userDn, username)', there will call 'getAdditionalRoles(user, username)' to get the roles again, then I can get the real username from the DirContextOperations object.

2. In your patch you directly get username and not use the name that getAdditionalRoles(DirContextOperations user, String username) passed in.

Because the username passed in is not real one, but the 'WKH', so I find a way to fetch the real one from DirContextOperations object by 'username = user.getStringAttribute("cn");'

was (Author: xingpeng1):

Hi [~Aron.tao],

I have found out the reason why your environment is useable for case insensitive ldap username, because your linux is SUSE, the member format is userDn just like 'uid=wkh,ou=People,ou=defaultCluster,dc=zdh,dc=com' in group, so when userDn is "uid={color:red}wkh{color},ou=People,ou=defaultCluster,dc=zdh,dc=com", the ldap can use userDn to match the ldap group.

{code:java}
dn: cn=wkhGroup,ou=Group,ou=defaultCluster,dc=zdh,dc=com
objectClass: posixGroup
objectClass: top
objectClass: groupOfNames
cn: wkhGroup
gidNumber: 10015
member: uid=wkh,ou=People,ou=defaultCluster,dc=zdh,dc=com
structuralObjectClass: groupOfNames
entryUUID: 4bacacf6-a410-1037-996c-b7792c876d2c
creatorsName: cn=LdapAdmin,dc=zdh,dc=com
createTimestamp: 20180212071549Z
entryCSN: 20180212071617.147179Z#00#001#00
modifiersName: cn=LdapAdmin,dc=zdh,dc=com
modifyTimestamp: 20180212071617Z
{code}

But my environment is Redhat, the member format is username or cn just like 'wkh' in group, so when username is "WKH", the ldap can not use "WKH" to match the ldap group.

{code:java}
dn: cn=wkhGroup,ou=Group,ou=defaultCluster,dc=zdh,dc=com
objectClass: posixGroup
objectClass: top
cn: wkhGroup
gidNumber: 1
structuralObjectClass: posixGroup
entryUUID: f99c7e72-9466-1037-8810-e1d7152e775c
creatorsName: cn=LdapAdmin,dc=zdh,dc=com
createTimestamp: 20180123085558Z
memberUid: wkh
memberUid: wkh1
memberUid: wkh2
memberUid: Wkh5
entryCSN: 20180124082044.774518Z#00#001#00
modifiersName: cn=LdapAdmin,dc=zdh,dc=com
modifyTimestamp: 20180124082044Z
{code}

Then I will answer your two questions.

1. the signature of getAdditionalRoles() seems not the way you use.

Because the Redhat linux can not support the case insensitive ldap username, that is to say 'getGroupMembershipRoles(userDn, username)' will return empty Set, so I analyze the spring source code, after 'getGroupMembershipRoles(userDn, username)', there will call 'getAdditionalRoles(user, username)' to get the roles again, then I can get the real username from the DirContextOperations object.

2. In your patch you directly get username and not use the name that getAdditionalRoles(DirContextOperations user, String username) passed in.

Because the
[jira] [Comment Edited] (KYLIN-3197) When ldap is opened, I use an ignored case user to login, the page does not respond.
[ https://issues.apache.org/jira/browse/KYLIN-3197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16360264#comment-16360264 ]

Peng Xing edited comment on KYLIN-3197 at 2/12/18 7:39 AM:
---

Hi [~Aron.tao],

Thanks for your reply. I found that when judging whether username and password are valid, ldap is not case insensitive. But when userDn is "uid={color:red}wkh{color},ou=People,ou=defaultCluster,dc=zdh,dc=com" and username is "{color:red}WKH{color}", then the following function will return empty Set.
{code:java}
Set authorities = super.getGroupMembershipRoles(userDn, username);
{code}
My kylin ldap config is as follows.
{code:java}
## Spring security profile, options: testing, ldap, saml
## with "testing" profile, user can use pre-defined name/pwd like KYLIN/ADMIN to login
kylin.security.profile=ldap
#
## Admin roles in LDAP, for ldap and saml
kylin.security.acl.admin-role=wkhGroup
#
## LDAP authentication configuration
kylin.security.ldap.connection-server=ldap://**:389
kylin.security.ldap.connection-username=cn=**,dc=zzz,dc=com
kylin.security.ldap.connection-password=**
#
## LDAP user account directory;
kylin.security.ldap.user-search-base=ou=People,ou=defaultCluster,dc=zdh,dc=com
kylin.security.ldap.user-search-pattern=(uid={0})
kylin.security.ldap.user-group-search-base=ou=Group,ou=defaultCluster,dc=zdh,dc=com
kylin.security.ldap.user-group-search-filter=(|(member={0})(memberUid={1}))
{code}

was (Author: xingpeng1):
Hi [~Aron.tao],

Thanks for your reply. I found that when judging whether username and password are valid, ldap is not case insensitive. But when userDn is "uid={color:red}wkh{color},ou=People,ou=defaultCluster,dc=zdh,dc=com" and username is "{color:red}WKH{color}", then the following function will return empty Set.
{code:java}
Set authorities = super.getGroupMembershipRoles(userDn, username);
{code}
My kylin ldap config is as follows.
{code:java}
## Spring security profile, options: testing, ldap, saml
## with "testing" profile, user can use pre-defined name/pwd like KYLIN/ADMIN to login
kylin.security.profile=ldap
#
## Admin roles in LDAP, for ldap and saml
kylin.security.acl.admin-role=wkhGroup
#
## LDAP authentication configuration
kylin.security.ldap.connection-server=ldap://**:389
kylin.security.ldap.connection-username=cn=**,dc=zzz,dc=com
kylin.security.ldap.connection-password=**
#
## LDAP user account directory;
kylin.security.ldap.user-search-base=ou=People,ou=defaultCluster,dc=zzz,dc=com
kylin.security.ldap.user-search-pattern=(uid={0})
kylin.security.ldap.user-group-search-base=ou=Group,ou=defaultCluster,dc=zzz,dc=com
kylin.security.ldap.user-group-search-filter=(|(member={0})(memberUid={1}))
{code}

> When ldap is opened, I use an ignored case user to login, the page does not respond.
>
> Key: KYLIN-3197
> URL: https://issues.apache.org/jira/browse/KYLIN-3197
> Project: Kylin
> Issue Type: Bug
> Components: Security
> Affects Versions: v2.3.0
> Reporter: Peng Xing
> Assignee: Peng Xing
> Priority: Major
> Labels: patch
> Fix For: Future
>
> Attachments: 0001-KYLIN-3197-When-ldap-is-opened-I-use-an-ignored-case.patch, image-2018-01-25-17-22-39-970.png, image-2018-02-06-14-09-32-591.png, image-2018-02-08-15-32-25-030.png, image-2018-02-08-15-33-07-277.png, image-2018-02-08-15-33-54-480.png, image-2018-02-08-15-35-03-902.png, image-2018-02-12-12-15-00-574.png, image-2018-02-12-12-15-28-826.png, image-2018-02-12-12-15-39-132.png, image-2018-02-12-12-25-15-793.png
>
> When ldap is opened, I config the kylin.properties, and give wkhGroup the admin permission.
> {code:java}
> ## Admin roles in LDAP, for ldap and saml
> kylin.security.acl.admin-role=wkhGroup
> {code}
> then I create a new user named 'wkh' whose group is 'wkhGroup', then I use '{color:#ff}wkh{color}' to login in, which is normal.
> But when I use '{color:#ff}WKH{color}' to login in, the page does not respond.
> I analyze the background code, and find the function of 'org.apache.kylin.rest.security.LDAPAuthoritiesPopulator.getGroupMembershipRoles(String, String)' has problem.
> When userDn is "uid={color:#ff}wkh{color},ou=People,ou=defaultCluster,dc=zdh,dc=com" and username is "{color:#ff}WKH{color}", then authorities will be empty Set by the following code:
> {code:java}
> Set authorities = super.getGroupMembershipRoles(userDn, username);
> {code}
> So I have added 'getAdditionalRoles' function to get the authorities again.
> I have tested the patch, please review, thanks!

--
This message was sent by Atlassian JIRA (v7.6.3#76005)
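Added example (not code from Kylin, Spring Security or either commenter): a small model of how the filter `(|(member={0})(memberUid={1}))` from the configuration above evaluates against the two wkhGroup layouts quoted in this thread, using the standard matching rules for `uid`, `member` and `memberUid`. The user entries, the `name_source` switch and all function names are assumptions made for the illustration; it reads the canonical name from `uid`, whereas the patch under discussion reads `cn`.

```python
"""Model of the group lookup discussed in this thread (added example).

Matching rules used: uid -> caseIgnoreMatch (RFC 4519),
member -> distinguishedNameMatch (RFC 4519),
memberUid -> caseExactIA5Match (RFC 2307).
"""

PEOPLE_BASE = "ou=People,ou=defaultCluster,dc=zdh,dc=com"

# User entries are constructed; only the DN of 'wkh' appears in the thread.
USERS = [
    {"dn": f"uid=wkh,{PEOPLE_BASE}", "uid": "wkh"},
    {"dn": f"uid=Wkh5,{PEOPLE_BASE}", "uid": "Wkh5"},
]

# The two wkhGroup layouts quoted in the thread, reduced to membership.
GROUP_OF_NAMES = {"cn": "wkhGroup", "member": [f"uid=wkh,{PEOPLE_BASE}"]}
POSIX_GROUP = {"cn": "wkhGroup", "memberUid": ["wkh", "wkh1", "wkh2", "Wkh5"]}


def normalize_dn(dn):
    """Simplified distinguishedNameMatch: trim and case-fold every RDN.

    Assumes no escaped commas, which holds for the DNs used here.
    """
    return ",".join(part.strip().lower() for part in dn.split(","))


def find_user(login):
    """user-search-pattern (uid={0}): uid is compared ignoring case."""
    for entry in USERS:
        if entry["uid"].lower() == login.lower():
            return entry
    return None


def group_matches(group, user_dn, username):
    """user-group-search-filter (|(member={0})(memberUid={1}))."""
    by_dn = any(normalize_dn(m) == normalize_dn(user_dn)
                for m in group.get("member", []))
    by_uid = username in group.get("memberUid", [])  # case-exact comparison
    return by_dn or by_uid


def roles_for_login(login, groups, name_source="typed"):
    """Return the sorted group names granted to `login`.

    name_source selects what is substituted for {1}:
      "typed"     - the string the user typed (behaviour reported in the issue)
      "lowered"   - the typed string lower-cased
      "directory" - the uid stored in the matched entry (assumption: uid is
                    used because it is the attribute the search pattern matched)
    """
    entry = find_user(login)
    if entry is None:
        return []
    username = {
        "typed": login,
        "lowered": login.lower(),
        "directory": entry["uid"],
    }[name_source]
    # {0} always comes from the directory entry, never from the typed string.
    return sorted({g["cn"] for g in groups
                   if group_matches(g, entry["dn"], username)})


if __name__ == "__main__":
    for login in ("wkh", "WKH", "WKH5"):
        for source in ("typed", "lowered", "directory"):
            print(login, source,
                  "groupOfNames:", roles_for_login(login, [GROUP_OF_NAMES], source),
                  "posixGroup:", roles_for_login(login, [POSIX_GROUP], source))
```

In this model the typed string only decides the outcome when membership is stored as `memberUid`; lower-casing it still misses the `Wkh5` member, while the name read back from the directory entry matches in every case.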
[jira] [Comment Edited] (KYLIN-3197) When ldap is opened, I use an ignored case user to login, the page does not respond.
[ https://issues.apache.org/jira/browse/KYLIN-3197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16360224#comment-16360224 ]

jiatao.tao edited comment on KYLIN-3197 at 2/12/18 4:49 AM:

-1 [~peng.jianhua] The root cause is even still under discussion, why do you merge the code???

was (Author: aron.tao):
-1 [~peng.jianhua] The root cause is still under discussion, why do you merge the code???

> When ldap is opened, I use an ignored case user to login, the page does not respond.
>
> Key: KYLIN-3197
> URL: https://issues.apache.org/jira/browse/KYLIN-3197
> Project: Kylin
> Issue Type: Bug
> Components: Security
> Affects Versions: v2.3.0
> Reporter: Peng Xing
> Assignee: Peng Xing
> Priority: Major
> Labels: patch
> Fix For: Future
>
> Attachments: 0001-KYLIN-3197-When-ldap-is-opened-I-use-an-ignored-case.patch, image-2018-01-25-17-22-39-970.png, image-2018-02-06-14-09-32-591.png, image-2018-02-08-15-32-25-030.png, image-2018-02-08-15-33-07-277.png, image-2018-02-08-15-33-54-480.png, image-2018-02-08-15-35-03-902.png, image-2018-02-12-12-15-00-574.png, image-2018-02-12-12-15-28-826.png, image-2018-02-12-12-15-39-132.png, image-2018-02-12-12-25-15-793.png
>
> When ldap is opened, I config the kylin.properties, and give wkhGroup the admin permission.
> {code:java}
> ## Admin roles in LDAP, for ldap and saml
> kylin.security.acl.admin-role=wkhGroup
> {code}
> then I create a new user named 'wkh' whose group is 'wkhGroup', then I use '{color:#ff}wkh{color}' to login in, which is normal.
> But when I use '{color:#ff}WKH{color}' to login in, the page does not respond.
> I analyze the background code, and find the function of 'org.apache.kylin.rest.security.LDAPAuthoritiesPopulator.getGroupMembershipRoles(String, String)' has problem.
> When userDn is "uid={color:#ff}wkh{color},ou=People,ou=defaultCluster,dc=zdh,dc=com" and username is "{color:#ff}WKH{color}", then authorities will be empty Set by the following code:
> {code:java}
> Set authorities = super.getGroupMembershipRoles(userDn, username);
> {code}
> So I have added 'getAdditionalRoles' function to get the authorities again.
> I have tested the patch, please review, thanks!

--
This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Comment Edited] (KYLIN-3197) When ldap is opened, I use an ignored case user to login, the page does not respond.
[ https://issues.apache.org/jira/browse/KYLIN-3197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16360305#comment-16360305 ]

jiatao.tao edited comment on KYLIN-3197 at 2/12/18 4:41 AM:

Besides, as for your patch, there are two things that are a little confusing to me and it would be great if you can confirm these:
# the signature of getAdditionalRoles() seems not the way you use.
# In your patch you directly get username and not use the name that getAdditionalRoles(DirContextOperations user, String username) passed in.
{code:java}
username = user.getStringAttribute("cn");
{code}
!image-2018-02-12-12-25-15-793.png|width=615,height=212!

was (Author: aron.tao):
Besides, there are two things that are a little confusing to me in your patch and it would be great if you can confirm these:
# the signature of getAdditionalRoles() seems not the way you use.
# In your patch you directly get username and not use the name that getAdditionalRoles(DirContextOperations user, String username) passed in.
{code:java}
username = user.getStringAttribute("cn");
{code}
!image-2018-02-12-12-25-15-793.png|width=615,height=212!

> When ldap is opened, I use an ignored case user to login, the page does not respond.
>
> Key: KYLIN-3197
> URL: https://issues.apache.org/jira/browse/KYLIN-3197
> Project: Kylin
> Issue Type: Bug
> Components: Security
> Affects Versions: v2.3.0
> Reporter: Peng Xing
> Assignee: Peng Xing
> Priority: Major
> Labels: patch
> Fix For: Future
>
> Attachments: 0001-KYLIN-3197-When-ldap-is-opened-I-use-an-ignored-case.patch, image-2018-01-25-17-22-39-970.png, image-2018-02-06-14-09-32-591.png, image-2018-02-08-15-32-25-030.png, image-2018-02-08-15-33-07-277.png, image-2018-02-08-15-33-54-480.png, image-2018-02-08-15-35-03-902.png, image-2018-02-12-12-15-00-574.png, image-2018-02-12-12-15-28-826.png, image-2018-02-12-12-15-39-132.png, image-2018-02-12-12-25-15-793.png
>
> When ldap is opened, I config the kylin.properties, and give wkhGroup the admin permission.
> {code:java}
> ## Admin roles in LDAP, for ldap and saml
> kylin.security.acl.admin-role=wkhGroup
> {code}
> then I create a new user named 'wkh' whose group is 'wkhGroup', then I use '{color:#ff}wkh{color}' to login in, which is normal.
> But when I use '{color:#ff}WKH{color}' to login in, the page does not respond.
> I analyze the background code, and find the function of 'org.apache.kylin.rest.security.LDAPAuthoritiesPopulator.getGroupMembershipRoles(String, String)' has problem.
> When userDn is "uid={color:#ff}wkh{color},ou=People,ou=defaultCluster,dc=zdh,dc=com" and username is "{color:#ff}WKH{color}", then authorities will be empty Set by the following code:
> {code:java}
> Set authorities = super.getGroupMembershipRoles(userDn, username);
> {code}
> So I have added 'getAdditionalRoles' function to get the authorities again.
> I have tested the patch, please review, thanks!

--
This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Comment Edited] (KYLIN-3197) When ldap is opened, I use an ignored case user to login, the page does not respond.
[ https://issues.apache.org/jira/browse/KYLIN-3197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16360290#comment-16360290 ]

jiatao.tao edited comment on KYLIN-3197 at 2/12/18 4:40 AM:

Hi [~xingpeng1]

I understand your description, and there's no need to post again if there's no update. And I test your scenes, as you can see in the previous comment, and can not reproduce your problem.

Let's put aside your patch first, and the root cause may not be the one you think. I recommend that we first find what's the problem, eg. wrong using? environment problem? LDAP problem? or it's our Kylin's bug.

You can refer to my experiment. The LDIF config and Kylin config are as follows.

*As for me,* {color:#ff}kylin.security.ldap.user-search-pattern=(uid=\{0}){color} *in your config is very suspicious, ldap may use this as username when searching group members. And please confirm is this within your expectations. And may you use {color:#ff}cn{color} for a try?*

Hope you can find the true root cause.

LDIF
{code:java}
# People, example.com
dn: ou=People,dc=example,dc=com
ou: People
cn: People
objectClass: organizationalRole
objectClass: top

# jenny, People, example.com
dn: cn=jenny,ou=People,dc=example,dc=com
mail: je...@example.io
ou: Analyst
cn: jenny
sn: jenny liu
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
userPassword:: ZXhhbXBsZTEyMw==

# admin, Groups, example.com
dn: cn=admin,ou=Groups,dc=example,dc=com
cn: admin
member: cn=jenny,ou=People,dc=example,dc=com
objectClass: groupOfNames
objectClass: top
{code}
{code:java}
kylin.security.ldap.user-search-base=ou=People,dc=example,dc=com
kylin.security.ldap.user-group-search-base=ou=Groups,dc=example,dc=com
kylin.security.ldap.user-search-pattern=(&(cn={0}))
kylin.security.ldap.user-group-search-filter=(|(member={0})(memberUid={1}))
kylin.security.acl.admin-role=admin
{code}

was (Author: aron.tao):
Hi [~xingpeng1]

I understand your description, and there's no need to post again if there's no update. And I test your scenes, as you can see in the previous comment, and can not reproduce your problem.

Let's put aside your patch first, and the root cause may not be the one you think. I recommend that we first find what's the problem, eg. wrong using? environment problem? LDAP problem? or it's our Kylin's bug.

You can refer to my experiment. The LDIF config and Kylin config are as follows.

*As for me,* {color:#FF}kylin.security.ldap.user-search-pattern=(uid=\{0}){color} *in your config is very suspicious, ldap may use this as username to search group members. And please confirm is this within your expectations. And may you use {color:#FF}cn{color} for a try?*

Hope you can find the true root cause.

LDIF
{code:java}
# People, example.com
dn: ou=People,dc=example,dc=com
ou: People
cn: People
objectClass: organizationalRole
objectClass: top

# jenny, People, example.com
dn: cn=jenny,ou=People,dc=example,dc=com
mail: je...@example.io
ou: Analyst
cn: jenny
sn: jenny liu
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
userPassword:: ZXhhbXBsZTEyMw==

# admin, Groups, example.com
dn: cn=admin,ou=Groups,dc=example,dc=com
cn: admin
member: cn=jenny,ou=People,dc=example,dc=com
objectClass: groupOfNames
objectClass: top
{code}
{code:java}
kylin.security.ldap.user-search-base=ou=People,dc=example,dc=com
kylin.security.ldap.user-group-search-base=ou=Groups,dc=example,dc=com
kylin.security.ldap.user-search-pattern=(&(cn={0}))
kylin.security.ldap.user-group-search-filter=(|(member={0})(memberUid={1}))
kylin.security.acl.admin-role=admin
{code}

> When ldap is opened, I use an ignored case user to login, the page does not respond.
>
> Key: KYLIN-3197
> URL: https://issues.apache.org/jira/browse/KYLIN-3197
> Project: Kylin
> Issue Type: Bug
> Components: Security
> Affects Versions: v2.3.0
> Reporter: Peng Xing
> Assignee: Peng Xing
> Priority: Major
> Labels: patch
> Fix For: Future
>
> Attachments: 0001-KYLIN-3197-When-ldap-is-opened-I-use-an-ignored-case.patch, image-2018-01-25-17-22-39-970.png, image-2018-02-06-14-09-32-591.png, image-2018-02-08-15-32-25-030.png, image-2018-02-08-15-33-07-277.png, image-2018-02-08-15-33-54-480.png, image-2018-02-08-15-35-03-902.png, image-2018-02-12-12-15-00-574.png, image-2018-02-12-12-15-28-826.png, image-2018-02-12-12-15-39-132.png, image-2018-02-12-12-25-15-793.png
>
> When ldap is opened, I config the kylin.properties, and give wkhGroup the admin permission.
> {code:java}
> ## Admin roles in LDAP, for ldap and saml
> kylin.security.acl.admin-role=wkhGroup
> {code}
[jira] [Comment Edited] (KYLIN-3197) When ldap is opened, I use an ignored case user to login, the page does not respond.
[ https://issues.apache.org/jira/browse/KYLIN-3197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16360290#comment-16360290 ] jiatao.tao edited comment on KYLIN-3197 at 2/12/18 4:39 AM: Hi [~xingpeng1] I understand your description, and there's no need post again if there's no update. And I test your scenes, as you can see in the previous comment, and can not reproduce your problem. Let's put aside your patch first, and the root clause may not the one you think, I recommend that we first find what's the problem, eg. wrong using? environment problem? LDAP problem? or it's our Kylin's bug. You can referring to my experiment. The LDIF config and Kyiln config are as follows. *As for me,* {color:#FF}kylin.security.ldap.user-search-pattern=(uid=\{0}){color} *in your config is very suspicious, ldap may use this as username to search group members. And please confirm is this within your expectations. And may you use {color:#FF}cn{color} for a try?* Hope you can find the truly root clause. 
LDIF {code:java} # People, example.com dn: ou=People,dc=example,dc=com ou: People cn: People objectClass: organizationalRole objectClass: top # jenny, People, example.com dn: cn=jenny,ou=People,dc=example,dc=com mail: je...@example.io ou: Analyst cn: jenny sn: jenny liu objectClass: inetOrgPerson objectClass: organizationalPerson objectClass: person objectClass: top userPassword:: ZXhhbXBsZTEyMw== # admin, Groups, example.com dn: cn=admin,ou=Groups,dc=example,dc=com cn: admin member: cn=jenny,ou=People,dc=example,dc=com objectClass: groupOfNames objectClass: top {code} {code:java} kylin.security.ldap.user-search-base=ou=People,dc=example,dc=com kylin.security.ldap.user-group-search-base=ou=Groups,dc=example,dc=com kylin.security.ldap.user-search-pattern=(&(cn={0})) kylin.security.ldap.user-group-search-filter=(|(member={0})(memberUid={1})) kylin.security.acl.admin-role=admin {code} was (Author: aron.tao): Hi [~xingpeng1] I understand your description, and there's no need post again if there's no update. And I test your scenes, as you can see in the previous comment, and can not reproduce your problem. Let's put aside your patch first, and the root clause may not the one you think, I recommend that we first find what's the problem, eg. wrong using? environment problem? LDAP problem? or it's our Kylin's bug. You can referring to my experiment. The LDIF config and Kyiln config are as follows. *As for me, kylin.security.ldap.user-search-pattern=(uid=\{0})* *in your config is very suspicious, ldap may use this as username to search group members. And please confirm is this within your expectations. And may you use cn for a try?* Hope you can find the truly root clause. 
LDIF {code:java} # People, example.com dn: ou=People,dc=example,dc=com ou: People cn: People objectClass: organizationalRole objectClass: top # jenny, People, example.com dn: cn=jenny,ou=People,dc=example,dc=com mail: je...@example.io ou: Analyst cn: jenny sn: jenny liu objectClass: inetOrgPerson objectClass: organizationalPerson objectClass: person objectClass: top userPassword:: ZXhhbXBsZTEyMw== # admin, Groups, example.com dn: cn=admin,ou=Groups,dc=example,dc=com cn: admin member: cn=jenny,ou=People,dc=example,dc=com objectClass: groupOfNames objectClass: top {code} {code:java} kylin.security.ldap.user-search-base=ou=People,dc=example,dc=com kylin.security.ldap.user-group-search-base=ou=Groups,dc=example,dc=com kylin.security.ldap.user-search-pattern=(&(cn={0})) kylin.security.ldap.user-group-search-filter=(|(member={0})(memberUid={1})) kylin.security.acl.admin-role=admin {code} > When ldap is opened, I use an ignored case user to login, the page does not > respond. > > > Key: KYLIN-3197 > URL: https://issues.apache.org/jira/browse/KYLIN-3197 > Project: Kylin > Issue Type: Bug > Components: Security >Affects Versions: v2.3.0 >Reporter: Peng Xing >Assignee: Peng Xing >Priority: Major > Labels: patch > Fix For: Future > > Attachments: > 0001-KYLIN-3197-When-ldap-is-opened-I-use-an-ignored-case.patch, > image-2018-01-25-17-22-39-970.png, image-2018-02-06-14-09-32-591.png, > image-2018-02-08-15-32-25-030.png, image-2018-02-08-15-33-07-277.png, > image-2018-02-08-15-33-54-480.png, image-2018-02-08-15-35-03-902.png, > image-2018-02-12-12-15-00-574.png, image-2018-02-12-12-15-28-826.png, > image-2018-02-12-12-15-39-132.png, image-2018-02-12-12-25-15-793.png > > > When ldap is opened, I config the kylin.properties, and give wkhGroup the > admin permission. > {code:java} > ## Admin roles in LDAP, for ldap and saml > kylin.security.acl.admin-role=wkhGroup > {code} > then I create a new user named 'wkh' whose
[jira] [Comment Edited] (KYLIN-3197) When ldap is opened, I use an ignored case user to login, the page does not respond.
[ https://issues.apache.org/jira/browse/KYLIN-3197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16360290#comment-16360290 ]

jiatao.tao edited comment on KYLIN-3197 at 2/12/18 4:38 AM:

Hi [~xingpeng1]

I understand your description, and there's no need to post again if there's no update. And I tested your scenes, as you can see in the previous comment, and cannot reproduce your problem.

Let's put aside your patch first, and the root cause may not be the one you think. I recommend that we first find what the problem is, e.g. wrong usage? environment problem? LDAP problem? or it's our Kylin's bug. You can refer to my experiment. The LDIF config and Kylin config are as follows.

*As for me, kylin.security.ldap.user-search-pattern=(uid=\{0})* *in your config is very suspicious, ldap may use this as username to search group members. And please confirm whether this is within your expectations. And may you use cn for a try?*

Hope you can find the true root cause.

LDIF
{code:java}
# People, example.com
dn: ou=People,dc=example,dc=com
ou: People
cn: People
objectClass: organizationalRole
objectClass: top

# jenny, People, example.com
dn: cn=jenny,ou=People,dc=example,dc=com
mail: je...@example.io
ou: Analyst
cn: jenny
sn: jenny liu
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
userPassword:: ZXhhbXBsZTEyMw==

# admin, Groups, example.com
dn: cn=admin,ou=Groups,dc=example,dc=com
cn: admin
member: cn=jenny,ou=People,dc=example,dc=com
objectClass: groupOfNames
objectClass: top
{code}
{code:java}
kylin.security.ldap.user-search-base=ou=People,dc=example,dc=com
kylin.security.ldap.user-group-search-base=ou=Groups,dc=example,dc=com
kylin.security.ldap.user-search-pattern=(&(cn={0}))
kylin.security.ldap.user-group-search-filter=(|(member={0})(memberUid={1}))
kylin.security.acl.admin-role=admin
{code}

was (Author: aron.tao):

Hi [~xingpeng1]

I understand your description, and there's no need to post again if there's no update. And I tested your scenes, as you can see in the previous comment, and cannot reproduce your problem.

Let's put aside your patch first, and the root cause may not be the one you think. I recommend that we first find what the problem is, e.g. wrong usage? environment problem? LDAP problem? or it's our Kylin's bug. You can refer to my experiment. The LDIF config and Kylin config are as follows.

(As for me, kylin.security.ldap.user-search-pattern=(uid=\{0}) in your config is very suspicious, ldap may use this as username to search group members. And please confirm whether this is within your expectations. And may you use cn for a try?)

Hope you can find the true root cause.

LDIF
{code:java}
# People, example.com
dn: ou=People,dc=example,dc=com
ou: People
cn: People
objectClass: organizationalRole
objectClass: top

# jenny, People, example.com
dn: cn=jenny,ou=People,dc=example,dc=com
mail: je...@example.io
ou: Analyst
cn: jenny
sn: jenny liu
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
userPassword:: ZXhhbXBsZTEyMw==

# admin, Groups, example.com
dn: cn=admin,ou=Groups,dc=example,dc=com
cn: admin
member: cn=jenny,ou=People,dc=example,dc=com
objectClass: groupOfNames
objectClass: top
{code}
{code:java}
kylin.security.ldap.user-search-base=ou=People,dc=example,dc=com
kylin.security.ldap.user-group-search-base=ou=Groups,dc=example,dc=com
kylin.security.ldap.user-search-pattern=(&(cn={0}))
kylin.security.ldap.user-group-search-filter=(|(member={0})(memberUid={1}))
kylin.security.acl.admin-role=admin
{code}

> When ldap is opened, I use an ignored case user to login, the page does not respond.
>
> Key: KYLIN-3197
> URL: https://issues.apache.org/jira/browse/KYLIN-3197
> Project: Kylin
> Issue Type: Bug
> Components: Security
> Affects Versions: v2.3.0
> Reporter: Peng Xing
> Assignee: Peng Xing
> Priority: Major
> Labels: patch
> Fix For: Future
>
> Attachments: 0001-KYLIN-3197-When-ldap-is-opened-I-use-an-ignored-case.patch,
> image-2018-01-25-17-22-39-970.png, image-2018-02-06-14-09-32-591.png,
> image-2018-02-08-15-32-25-030.png, image-2018-02-08-15-33-07-277.png,
> image-2018-02-08-15-33-54-480.png, image-2018-02-08-15-35-03-902.png,
> image-2018-02-12-12-15-00-574.png, image-2018-02-12-12-15-28-826.png,
> image-2018-02-12-12-15-39-132.png, image-2018-02-12-12-25-15-793.png
>
> When ldap is opened, I config the kylin.properties, and give wkhGroup the admin permission.
> {code:java}
> ## Admin roles in LDAP, for ldap and saml
> kylin.security.acl.admin-role=wkhGroup
> {code}
> then I create a new user named 'wkh' whose group is 'wkhGroup', then I use
[jira] [Comment Edited] (KYLIN-3197) When ldap is opened, I use an ignored case user to login, the page does not respond.
[ https://issues.apache.org/jira/browse/KYLIN-3197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16360290#comment-16360290 ]

jiatao.tao edited comment on KYLIN-3197 at 2/12/18 4:37 AM:

Hi [~xingpeng1]

I understand your description, and there's no need to post again if there's no update. And I tested your scenes, as you can see in the previous comment, and cannot reproduce your problem.

Let's put aside your patch first, and the root cause may not be the one you think. I recommend that we first find what the problem is, e.g. wrong usage? environment problem? LDAP problem? or it's our Kylin's bug. You can refer to my experiment. The LDIF config and Kylin config are as follows.

(As for me, kylin.security.ldap.user-search-pattern=(uid=\{0}) in your config is very suspicious, ldap may use this as username to search group members. And please confirm whether this is within your expectations. And may you use cn for a try?)

Hope you can find the true root cause.

LDIF
{code:java}
# People, example.com
dn: ou=People,dc=example,dc=com
ou: People
cn: People
objectClass: organizationalRole
objectClass: top

# jenny, People, example.com
dn: cn=jenny,ou=People,dc=example,dc=com
mail: je...@example.io
ou: Analyst
cn: jenny
sn: jenny liu
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
userPassword:: ZXhhbXBsZTEyMw==

# admin, Groups, example.com
dn: cn=admin,ou=Groups,dc=example,dc=com
cn: admin
member: cn=jenny,ou=People,dc=example,dc=com
objectClass: groupOfNames
objectClass: top
{code}
{code:java}
kylin.security.ldap.user-search-base=ou=People,dc=example,dc=com
kylin.security.ldap.user-group-search-base=ou=Groups,dc=example,dc=com
kylin.security.ldap.user-search-pattern=(&(cn={0}))
kylin.security.ldap.user-group-search-filter=(|(member={0})(memberUid={1}))
kylin.security.acl.admin-role=admin
{code}

was (Author: aron.tao):

Hi [~xingpeng1]

I understand your description, and there's no need to post again if there's no update. And I tested your scenes, as you can see in the previous comment, and cannot reproduce your problem.

Let's put aside your patch first, and the root cause may not be the one you think. I recommend that we first find what the problem is, e.g. wrong usage? environment problem? LDAP problem? or it's our Kylin's bug. You can refer to my experiment. The LDIF config and Kylin config are as follows.

(As for me, kylin.security.ldap.user-search-pattern=(uid=\{0}) in your config is very suspicious, ldap may use this as username to search group members. And please confirm whether this is within your expectations. And may you use cn for try.)

Hope you can find the true root cause.

LDIF
{code:java}
# People, example.com
dn: ou=People,dc=example,dc=com
ou: People
cn: People
objectClass: organizationalRole
objectClass: top

# jenny, People, example.com
dn: cn=jenny,ou=People,dc=example,dc=com
mail: je...@example.io
ou: Analyst
cn: jenny
sn: jenny liu
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
userPassword:: ZXhhbXBsZTEyMw==

# admin, Groups, example.com
dn: cn=admin,ou=Groups,dc=example,dc=com
cn: admin
member: cn=jenny,ou=People,dc=example,dc=com
objectClass: groupOfNames
objectClass: top
{code}
{code:java}
kylin.security.ldap.user-search-base=ou=People,dc=example,dc=com
kylin.security.ldap.user-group-search-base=ou=Groups,dc=example,dc=com
kylin.security.ldap.user-search-pattern=(&(cn={0}))
kylin.security.ldap.user-group-search-filter=(|(member={0})(memberUid={1}))
kylin.security.acl.admin-role=admin
{code}
[jira] [Comment Edited] (KYLIN-3197) When ldap is opened, I use an ignored case user to login, the page does not respond.
[ https://issues.apache.org/jira/browse/KYLIN-3197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16360290#comment-16360290 ]

jiatao.tao edited comment on KYLIN-3197 at 2/12/18 4:37 AM:

Hi [~xingpeng1]

I understand your description, and there's no need to post again if there's no update. And I tested your scenes, as you can see in the previous comment, and cannot reproduce your problem.

Let's put aside your patch first, and the root cause may not be the one you think. I recommend that we first find what the problem is, e.g. wrong usage? environment problem? LDAP problem? or it's our Kylin's bug. You can refer to my experiment. The LDIF config and Kylin config are as follows.

(As for me, kylin.security.ldap.user-search-pattern=(uid=\{0}) in your config is very suspicious, ldap may use this as username to search group members. And please confirm whether this is within your expectations. And may you use cn for try.)

Hope you can find the true root cause.

LDIF
{code:java}
# People, example.com
dn: ou=People,dc=example,dc=com
ou: People
cn: People
objectClass: organizationalRole
objectClass: top

# jenny, People, example.com
dn: cn=jenny,ou=People,dc=example,dc=com
mail: je...@example.io
ou: Analyst
cn: jenny
sn: jenny liu
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
userPassword:: ZXhhbXBsZTEyMw==

# admin, Groups, example.com
dn: cn=admin,ou=Groups,dc=example,dc=com
cn: admin
member: cn=jenny,ou=People,dc=example,dc=com
objectClass: groupOfNames
objectClass: top
{code}
{code:java}
kylin.security.ldap.user-search-base=ou=People,dc=example,dc=com
kylin.security.ldap.user-group-search-base=ou=Groups,dc=example,dc=com
kylin.security.ldap.user-search-pattern=(&(cn={0}))
kylin.security.ldap.user-group-search-filter=(|(member={0})(memberUid={1}))
kylin.security.acl.admin-role=admin
{code}

was (Author: aron.tao):

Hi [~xingpeng1]

I understand your description, and there's no need to post again if there's no update. And I tested your scenes, as you can see in the previous comment, and cannot reproduce your problem.

Let's put aside your patch first, and the root cause may not be the one you think. I recommend that we first find what the problem is, e.g. wrong usage? environment problem? LDAP problem? or it's our Kylin's bug. You can refer to my experiment. The LDIF config and Kylin config are as follows.

(As for me, kylin.security.ldap.user-search-pattern=(uid=\{0}) in your config is very suspicious, ldap may use this as username to search group members. And please confirm whether this is within your expectations.)

Hope you can find the true root cause.

LDIF
{code:java}
# People, example.com
dn: ou=People,dc=example,dc=com
ou: People
cn: People
objectClass: organizationalRole
objectClass: top

# jenny, People, example.com
dn: cn=jenny,ou=People,dc=example,dc=com
mail: je...@example.io
ou: Analyst
cn: jenny
sn: jenny liu
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
userPassword:: ZXhhbXBsZTEyMw==

# admin, Groups, example.com
dn: cn=admin,ou=Groups,dc=example,dc=com
cn: admin
member: cn=jenny,ou=People,dc=example,dc=com
objectClass: groupOfNames
objectClass: top
{code}
{code:java}
kylin.security.ldap.user-search-base=ou=People,dc=example,dc=com
kylin.security.ldap.user-group-search-base=ou=Groups,dc=example,dc=com
kylin.security.ldap.user-search-pattern=(&(cn={0}))
kylin.security.ldap.user-group-search-filter=(|(member={0})(memberUid={1}))
kylin.security.acl.admin-role=admin
{code}
[jira] [Comment Edited] (KYLIN-3197) When ldap is opened, I use an ignored case user to login, the page does not respond.
[ https://issues.apache.org/jira/browse/KYLIN-3197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16360290#comment-16360290 ]

jiatao.tao edited comment on KYLIN-3197 at 2/12/18 4:36 AM:

Hi [~xingpeng1]

I understand your description, and there's no need to post again if there's no update. And I tested your scenes, as you can see in the previous comment, and cannot reproduce your problem.

Let's put aside your patch first, and the root cause may not be the one you think. I recommend that we first find what the problem is, e.g. wrong usage? environment problem? LDAP problem? or it's our Kylin's bug. You can refer to my experiment. The LDIF config and Kylin config are as follows.

(As for me, kylin.security.ldap.user-search-pattern=(uid=\{0}) in your config is very suspicious, ldap may use this as username to search group members. And please confirm whether this is within your expectations.)

Hope you can find the true root cause.

LDIF
{code:java}
# People, example.com
dn: ou=People,dc=example,dc=com
ou: People
cn: People
objectClass: organizationalRole
objectClass: top

# jenny, People, example.com
dn: cn=jenny,ou=People,dc=example,dc=com
mail: je...@example.io
ou: Analyst
cn: jenny
sn: jenny liu
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
userPassword:: ZXhhbXBsZTEyMw==

# admin, Groups, example.com
dn: cn=admin,ou=Groups,dc=example,dc=com
cn: admin
member: cn=jenny,ou=People,dc=example,dc=com
objectClass: groupOfNames
objectClass: top
{code}
{code:java}
kylin.security.ldap.user-search-base=ou=People,dc=example,dc=com
kylin.security.ldap.user-group-search-base=ou=Groups,dc=example,dc=com
kylin.security.ldap.user-search-pattern=(&(cn={0}))
kylin.security.ldap.user-group-search-filter=(|(member={0})(memberUid={1}))
kylin.security.acl.admin-role=admin
{code}

was (Author: aron.tao):

Hi [~xingpeng1]

I understand your description, and there's no need to post again if there's no update. And I tested your scenes, as you can see in the previous comment, and cannot reproduce your problem.

Let's put aside your patch first, and the root cause may not be the one you think. I recommend that we first find what the problem is, e.g. wrong usage? environment problem? LDAP problem? or it's our Kylin's bug. You can refer to my experiment. The LDIF config and Kylin config are as follows.

(As for me, in your config is very suspicious, ldap may use this as username to search group members.)

Hope you can find the true root cause.

LDIF
{code:java}
# People, example.com
dn: ou=People,dc=example,dc=com
ou: People
cn: People
objectClass: organizationalRole
objectClass: top

# jenny, People, example.com
dn: cn=jenny,ou=People,dc=example,dc=com
mail: je...@example.io
ou: Analyst
cn: jenny
sn: jenny liu
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
userPassword:: ZXhhbXBsZTEyMw==

# admin, Groups, example.com
dn: cn=admin,ou=Groups,dc=example,dc=com
cn: admin
member: cn=jenny,ou=People,dc=example,dc=com
objectClass: groupOfNames
objectClass: top
{code}
{code:java}
kylin.security.ldap.user-search-base=ou=People,dc=example,dc=com
kylin.security.ldap.user-group-search-base=ou=Groups,dc=example,dc=com
kylin.security.ldap.user-search-pattern=(&(cn={0}))
kylin.security.ldap.user-group-search-filter=(|(member={0})(memberUid={1}))
kylin.security.acl.admin-role=admin
{code}
[jira] [Comment Edited] (KYLIN-3197) When ldap is opened, I use an ignored case user to login, the page does not respond.
[ https://issues.apache.org/jira/browse/KYLIN-3197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16360290#comment-16360290 ]

jiatao.tao edited comment on KYLIN-3197 at 2/12/18 4:35 AM:

Hi [~xingpeng1]

I understand your description, and there's no need to post again if there's no update. And I tested your scenes, as you can see in the previous comment, and cannot reproduce your problem.

Let's put aside your patch first, and the root cause may not be the one you think. I recommend that we first find what the problem is, e.g. wrong usage? environment problem? LDAP problem? or it's our Kylin's bug. You can refer to my experiment. The LDIF config and Kylin config are as follows.

(As for me, in your config is very suspicious, ldap may use this as username to search group members.)

Hope you can find the true root cause.

LDIF
{code:java}
# People, example.com
dn: ou=People,dc=example,dc=com
ou: People
cn: People
objectClass: organizationalRole
objectClass: top

# jenny, People, example.com
dn: cn=jenny,ou=People,dc=example,dc=com
mail: je...@example.io
ou: Analyst
cn: jenny
sn: jenny liu
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
userPassword:: ZXhhbXBsZTEyMw==

# admin, Groups, example.com
dn: cn=admin,ou=Groups,dc=example,dc=com
cn: admin
member: cn=jenny,ou=People,dc=example,dc=com
objectClass: groupOfNames
objectClass: top
{code}
{code:java}
kylin.security.ldap.user-search-base=ou=People,dc=example,dc=com
kylin.security.ldap.user-group-search-base=ou=Groups,dc=example,dc=com
kylin.security.ldap.user-search-pattern=(&(cn={0}))
kylin.security.ldap.user-group-search-filter=(|(member={0})(memberUid={1}))
kylin.security.acl.admin-role=admin
{code}

was (Author: aron.tao):

Hi [~xingpeng1]

I understand your description, and there's no need to post again if there's no update. And I tested your scenes, as you can see in the previous comment, and cannot reproduce your problem.

Let's put aside your patch first, and the root cause may not be the one you think. I recommend that we first find what the problem is, e.g. wrong usage? environment problem? LDAP problem? or it's our Kylin's bug. You can refer to my experiment. The LDIF config and Kylin config are as follows.

Hope you can find the true root cause.

LDIF
{code:java}
# People, example.com
dn: ou=People,dc=example,dc=com
ou: People
cn: People
objectClass: organizationalRole
objectClass: top

# jenny, People, example.com
dn: cn=jenny,ou=People,dc=example,dc=com
mail: je...@example.io
ou: Analyst
cn: jenny
sn: jenny liu
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
userPassword:: ZXhhbXBsZTEyMw==

# admin, Groups, example.com
dn: cn=admin,ou=Groups,dc=example,dc=com
cn: admin
member: cn=jenny,ou=People,dc=example,dc=com
objectClass: groupOfNames
objectClass: top
{code}
{code:java}
kylin.security.ldap.user-search-base=ou=People,dc=example,dc=com
kylin.security.ldap.user-group-search-base=ou=Groups,dc=example,dc=com
kylin.security.ldap.user-search-pattern=(&(cn={0}))
kylin.security.ldap.user-group-search-filter=(|(member={0})(memberUid={1}))
kylin.security.acl.admin-role=admin
{code}
[jira] [Comment Edited] (KYLIN-3197) When ldap is opened, I use an ignored case user to login, the page does not respond.
[ https://issues.apache.org/jira/browse/KYLIN-3197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16360290#comment-16360290 ]

jiatao.tao edited comment on KYLIN-3197 at 2/12/18 4:33 AM:

Hi [~xingpeng1]

I understand your description, and there's no need to post again if there's no update. And I tested your scenes, as you can see in the previous comment, and cannot reproduce your problem.

Let's put aside your patch first, and the root cause may not be the one you think. I recommend that we first find what the problem is, e.g. wrong usage? environment problem? LDAP problem? or it's our Kylin's bug. You can refer to my experiment. The LDIF config and Kylin config are as follows.

Hope you can find the true root cause.

LDIF
{code:java}
# People, example.com
dn: ou=People,dc=example,dc=com
ou: People
cn: People
objectClass: organizationalRole
objectClass: top

# jenny, People, example.com
dn: cn=jenny,ou=People,dc=example,dc=com
mail: je...@example.io
ou: Analyst
cn: jenny
sn: jenny liu
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
userPassword:: ZXhhbXBsZTEyMw==

# admin, Groups, example.com
dn: cn=admin,ou=Groups,dc=example,dc=com
cn: admin
member: cn=jenny,ou=People,dc=example,dc=com
objectClass: groupOfNames
objectClass: top
{code}
{code:java}
kylin.security.ldap.user-search-base=ou=People,dc=example,dc=com
kylin.security.ldap.user-group-search-base=ou=Groups,dc=example,dc=com
kylin.security.ldap.user-search-pattern=(&(cn={0}))
kylin.security.ldap.user-group-search-filter=(|(member={0})(memberUid={1}))
kylin.security.acl.admin-role=admin
{code}

was (Author: aron.tao):

I understand your description, and there's no need to post again if there's no update. And I tested your scenes, as you can see in the previous comment, and cannot reproduce your problem.

Let's put aside your patch first, and the root cause may not be the one you think. I recommend that we first find what the problem is, e.g. wrong usage? environment problem? LDAP problem? or it's our Kylin's bug. You can refer to my experiment. The LDIF config and Kylin config are as follows.

Hope you can find the true root cause.

LDIF
{code:java}
# People, example.com
dn: ou=People,dc=example,dc=com
ou: People
cn: People
objectClass: organizationalRole
objectClass: top

# jenny, People, example.com
dn: cn=jenny,ou=People,dc=example,dc=com
mail: je...@example.io
ou: Analyst
cn: jenny
sn: jenny liu
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
userPassword:: ZXhhbXBsZTEyMw==

# admin, Groups, example.com
dn: cn=admin,ou=Groups,dc=example,dc=com
cn: admin
member: cn=jenny,ou=People,dc=example,dc=com
objectClass: groupOfNames
objectClass: top
{code}
{code:java}
kylin.security.ldap.user-search-base=ou=People,dc=example,dc=com
kylin.security.ldap.user-group-search-base=ou=Groups,dc=example,dc=com
kylin.security.ldap.user-search-pattern=(&(cn={0}))
kylin.security.ldap.user-group-search-filter=(|(member={0})(memberUid={1}))
kylin.security.acl.admin-role=admin
{code}
[jira] [Comment Edited] (KYLIN-3197) When ldap is opened, I use an ignored case user to login, the page does not respond.
[ https://issues.apache.org/jira/browse/KYLIN-3197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16360290#comment-16360290 ]

jiatao.tao edited comment on KYLIN-3197 at 2/12/18 4:32 AM:

I understand your description, and there's no need to post again if there's no update. And I tested your scenes, as you can see in the previous comment, and cannot reproduce your problem.

Let's put aside your patch first; the root cause may not be the one you think. I recommend that we first find what the problem is, e.g. wrong usage? environment problem? LDAP problem? or is it our Kylin's bug. You can refer to my experiment. The LDIF config and Kylin config are as follows. Hope you can find the true root cause.

LDIF
{code:java}
# People, example.com
dn: ou=People,dc=example,dc=com
ou: People
cn: People
objectClass: organizationalRole
objectClass: top

# jenny, People, example.com
dn: cn=jenny,ou=People,dc=example,dc=com
mail: je...@example.io
ou: Analyst
cn: jenny
sn: jenny liu
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
userPassword:: ZXhhbXBsZTEyMw==

# admin, Groups, example.com
dn: cn=admin,ou=Groups,dc=example,dc=com
cn: admin
member: cn=jenny,ou=People,dc=example,dc=com
objectClass: groupOfNames
objectClass: top
{code}
{code:java}
kylin.security.ldap.user-search-base=ou=People,dc=example,dc=com
kylin.security.ldap.user-group-search-base=ou=Groups,dc=example,dc=com
kylin.security.ldap.user-search-pattern=(&(cn={0}))
kylin.security.ldap.user-group-search-filter=(|(member={0})(memberUid={1}))
kylin.security.acl.admin-role=admin
{code}

was (Author: aron.tao):

I understand your description, and there's no need to post again if there's no update. And I tested your scenes, as you can see in the previous comment, and cannot reproduce your problem.

Maybe your code is right, but the root cause may not be the one you think. I recommend that we first find what the problem is, e.g. wrong usage? environment problem? LDAP problem? or is it our Kylin's bug. You can refer to my experiment. The LDIF config and Kylin config are as follows. Hope you can find the true root cause.

LDIF
{code:java}
# People, example.com
dn: ou=People,dc=example,dc=com
ou: People
cn: People
objectClass: organizationalRole
objectClass: top

# jenny, People, example.com
dn: cn=jenny,ou=People,dc=example,dc=com
mail: je...@example.io
ou: Analyst
cn: jenny
sn: jenny liu
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
userPassword:: ZXhhbXBsZTEyMw==

# admin, Groups, example.com
dn: cn=admin,ou=Groups,dc=example,dc=com
cn: admin
member: cn=jenny,ou=People,dc=example,dc=com
objectClass: groupOfNames
objectClass: top
{code}
{code:java}
kylin.security.ldap.user-search-base=ou=People,dc=example,dc=com
kylin.security.ldap.user-group-search-base=ou=Groups,dc=example,dc=com
kylin.security.ldap.user-search-pattern=(&(cn={0}))
kylin.security.ldap.user-group-search-filter=(|(member={0})(memberUid={1}))
kylin.security.acl.admin-role=admin
{code}

> When ldap is opened, I use an ignored case user to login, the page does not respond.
>
> Key: KYLIN-3197
> URL: https://issues.apache.org/jira/browse/KYLIN-3197
> Project: Kylin
> Issue Type: Bug
> Components: Security
> Affects Versions: v2.3.0
> Reporter: Peng Xing
> Assignee: Peng Xing
> Priority: Major
> Labels: patch
> Fix For: Future
>
> Attachments:
> 0001-KYLIN-3197-When-ldap-is-opened-I-use-an-ignored-case.patch,
> image-2018-01-25-17-22-39-970.png, image-2018-02-06-14-09-32-591.png,
> image-2018-02-08-15-32-25-030.png, image-2018-02-08-15-33-07-277.png,
> image-2018-02-08-15-33-54-480.png, image-2018-02-08-15-35-03-902.png,
> image-2018-02-12-12-15-00-574.png, image-2018-02-12-12-15-28-826.png,
> image-2018-02-12-12-15-39-132.png, image-2018-02-12-12-25-15-793.png
>
> When ldap is opened, I config the kylin.properties, and give wkhGroup the admin permission.
> {code:java}
> ## Admin roles in LDAP, for ldap and saml
> kylin.security.acl.admin-role=wkhGroup
> {code}
> then I create a new user named 'wkh' whose group is 'wkhGroup', then I use 'wkh' to log in, which is normal.
> But when I use 'WKH' to log in, the page does not respond.
> I analyze the background code, and find the function of 'org.apache.kylin.rest.security.LDAPAuthoritiesPopulator.getGroupMembershipRoles(String, String)' has a problem.
> When userDn is "uid=wkh,ou=People,ou=defaultCluster,dc=zdh,dc=com" and username is "WKH", then authorities will be an empty Set by the following code:
[jira] [Comment Edited] (KYLIN-3197) When ldap is opened, I use an ignored case user to login, the page does not respond.
[ https://issues.apache.org/jira/browse/KYLIN-3197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16360305#comment-16360305 ]

jiatao.tao edited comment on KYLIN-3197 at 2/12/18 4:32 AM:

Besides, there are two things that are a little confusing to me in your patch and it would be great if you can confirm these:
# the signature of getAdditionalRoles() seems not to be the way you use it.
# In your patch you directly get username and do not use the name that getAdditionalRoles(DirContextOperations user, String username) passed in.
{code:java}
username = user.getStringAttribute("cn");
{code}
!image-2018-02-12-12-25-15-793.png|width=615,height=212!

was (Author: aron.tao):

Besides, there are two things that are a little confusing to me and it would be great if you can confirm these:
# the signature of getAdditionalRoles() seems not to be the way you use it.
# In your patch you directly get username and do not use the name that getAdditionalRoles(DirContextOperations user, String username) passed in.
{code:java}
username = user.getStringAttribute("cn");
{code}
!image-2018-02-12-12-25-15-793.png|width=615,height=212!

> When ldap is opened, I use an ignored case user to login, the page does not respond.
>
> Key: KYLIN-3197
> URL: https://issues.apache.org/jira/browse/KYLIN-3197
> Project: Kylin
> Issue Type: Bug
> Components: Security
> Affects Versions: v2.3.0
> Reporter: Peng Xing
> Assignee: Peng Xing
> Priority: Major
> Labels: patch
> Fix For: Future
>
> Attachments:
> 0001-KYLIN-3197-When-ldap-is-opened-I-use-an-ignored-case.patch,
> image-2018-01-25-17-22-39-970.png, image-2018-02-06-14-09-32-591.png,
> image-2018-02-08-15-32-25-030.png, image-2018-02-08-15-33-07-277.png,
> image-2018-02-08-15-33-54-480.png, image-2018-02-08-15-35-03-902.png,
> image-2018-02-12-12-15-00-574.png, image-2018-02-12-12-15-28-826.png,
> image-2018-02-12-12-15-39-132.png, image-2018-02-12-12-25-15-793.png
>
> When ldap is opened, I config the kylin.properties, and give wkhGroup the admin permission.
> {code:java}
> ## Admin roles in LDAP, for ldap and saml
> kylin.security.acl.admin-role=wkhGroup
> {code}
> then I create a new user named 'wkh' whose group is 'wkhGroup', then I use 'wkh' to log in, which is normal.
> But when I use 'WKH' to log in, the page does not respond.
> I analyze the background code, and find the function of 'org.apache.kylin.rest.security.LDAPAuthoritiesPopulator.getGroupMembershipRoles(String, String)' has a problem.
> When userDn is "uid=wkh,ou=People,ou=defaultCluster,dc=zdh,dc=com" and username is "WKH", then authorities will be an empty Set by the following code:
> {code:java}
> Set authorities = super.getGroupMembershipRoles(userDn, username);
> {code}
> So I have added 'getAdditionalRoles' function to get the authorities again.
> I have tested the patch, please review, thanks!

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
[jira] [Comment Edited] (KYLIN-3197) When ldap is opened, I use an ignored case user to login, the page does not respond.
[ https://issues.apache.org/jira/browse/KYLIN-3197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16360291#comment-16360291 ]

jiatao.tao edited comment on KYLIN-3197 at 2/12/18 4:18 AM:

Besides, your implementation will add getGroupMembershipRoles() twice, please confirm this. The code is not under strict review and test and was directly merged; I am worried about this.

DefaultLdapAuthoritiesPopulator.java, in package org.springframework.security.ldap.userdetails.

!image-2018-02-12-12-15-39-132.png!

was (Author: aron.tao):

Besides, your implementation will add getGroupMembershipRoles() twice, please confirm this. The code is not under strict test and I am worried about this.

DefaultLdapAuthoritiesPopulator.java, in package org.springframework.security.ldap.userdetails.

!image-2018-02-12-12-15-39-132.png!
[jira] [Comment Edited] (KYLIN-3197) When ldap is opened, I use an ignored case user to login, the page does not respond.
[ https://issues.apache.org/jira/browse/KYLIN-3197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16360224#comment-16360224 ]

jiatao.tao edited comment on KYLIN-3197 at 2/12/18 3:38 AM:

-1

[~peng.jianhua] The root cause is still under discussion, why do you merge the code???

was (Author: aron.tao):

[~peng.jianhua] The root cause is still under discussion, why do you merge the code???
[jira] [Comment Edited] (KYLIN-3197) When ldap is opened, I use an ignored case user to login, the page does not respond.
[ https://issues.apache.org/jira/browse/KYLIN-3197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16360264#comment-16360264 ]

Peng Xing edited comment on KYLIN-3197 at 2/12/18 3:31 AM:

Hi [~Aron.tao],
Thanks for your reply. I found that when judging whether username and password are valid, ldap is not case insensitive, but when userDn is "uid=wkh,ou=People,ou=defaultCluster,dc=zdh,dc=com" and username is "WKH", then the following function will return an empty Set.
{code:java}
Set authorities = super.getGroupMembershipRoles(userDn, username);
{code}
My kylin ldap config is as follows.
{code:java}
## Spring security profile, options: testing, ldap, saml
## with "testing" profile, user can use pre-defined name/pwd like KYLIN/ADMIN to login
kylin.security.profile=ldap
#
## Admin roles in LDAP, for ldap and saml
kylin.security.acl.admin-role=wkhGroup
#
## LDAP authentication configuration
kylin.security.ldap.connection-server=ldap://**:389
kylin.security.ldap.connection-username=cn=**,dc=zzz,dc=com
kylin.security.ldap.connection-password=**
#
## LDAP user account directory;
kylin.security.ldap.user-search-base=ou=People,ou=defaultCluster,dc=zzz,dc=com
kylin.security.ldap.user-search-pattern=(uid={0})
kylin.security.ldap.user-group-search-base=ou=Group,ou=defaultCluster,dc=zzz,dc=com
kylin.security.ldap.user-group-search-filter=(|(member={0})(memberUid={1}))
{code}

was (Author: xingpeng1):

Hi [~Aron.tao],
Thanks for your reply. I found that when judging whether user name and password are valid, ldap is not case insensitive, but when userDn is "uid=wkh,ou=People,ou=defaultCluster,dc=zdh,dc=com" and username is "WKH", then the following function will return an empty Set.
{code:java}
Set authorities = super.getGroupMembershipRoles(userDn, username);
{code}
My kylin ldap config is as follows.
{code:java}
## Spring security profile, options: testing, ldap, saml
## with "testing" profile, user can use pre-defined name/pwd like KYLIN/ADMIN to login
kylin.security.profile=ldap
#
## Admin roles in LDAP, for ldap and saml
kylin.security.acl.admin-role=wkhGroup
#
## LDAP authentication configuration
kylin.security.ldap.connection-server=ldap://**:389
kylin.security.ldap.connection-username=cn=**,dc=zzz,dc=com
kylin.security.ldap.connection-password=**
#
## LDAP user account directory;
kylin.security.ldap.user-search-base=ou=People,ou=defaultCluster,dc=zzz,dc=com
kylin.security.ldap.user-search-pattern=(uid={0})
kylin.security.ldap.user-group-search-base=ou=Group,ou=defaultCluster,dc=zzz,dc=com
kylin.security.ldap.user-group-search-filter=(|(member={0})(memberUid={1}))
{code}
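Added example, not code from Kylin, Spring Security or the attached patch: a small in-memory model of the two lookups configured above, `(uid={0})` for the user and `(|(member={0})(memberUid={1}))` for the groups, showing how a login typed as `WKH` can bind successfully and still come back with no group roles. It assumes, which the thread does not confirm, that the reporter's group lists its members through `memberUid`; the entries, the `dc=example,dc=com` suffix and the class and method names are constructed for illustration.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.TreeSet;

/** Constructed model of the login flow discussed in this thread; hypothetical names throughout. */
public class GroupFilterCaseDemo {

    /** Directory entry reduced to a DN plus multi-valued attributes. */
    static final class Entry {
        final String dn;
        final Map<String, List<String>> attrs = new HashMap<>();

        Entry(String dn) { this.dn = dn; }

        Entry with(String attr, String... values) {
            attrs.put(attr, new ArrayList<>(Arrays.asList(values)));
            return this;
        }

        List<String> get(String attr) {
            List<String> v = attrs.get(attr);
            return v == null ? Collections.<String>emptyList() : v;
        }
    }

    /**
     * Equality matching per attribute type. memberUid is defined with
     * caseExactIA5Match (RFC 2307); uid with caseIgnoreMatch (RFC 4519).
     * member holds DNs, compared case-insensitively here as a simplification
     * of distinguishedNameMatch.
     */
    static boolean matches(Entry e, String attr, String asserted) {
        for (String stored : e.get(attr)) {
            boolean equal = "memberUid".equals(attr)
                    ? stored.equals(asserted)
                    : stored.equalsIgnoreCase(asserted);
            if (equal) {
                return true;
            }
        }
        return false;
    }

    /** user-search-pattern (uid={0}): resolves the typed name to the stored entry. */
    static Entry findUser(List<Entry> people, String typed) {
        for (Entry p : people) {
            if (matches(p, "uid", typed)) {
                return p;
            }
        }
        return null;
    }

    /** user-group-search-filter (|(member={0})(memberUid={1})): {0} = user DN, {1} = username. */
    static Set<String> groupsFor(List<Entry> groups, String userDn, String username) {
        Set<String> roles = new TreeSet<>();
        for (Entry g : groups) {
            if (matches(g, "member", userDn) || matches(g, "memberUid", username)) {
                roles.addAll(g.get("cn"));
            }
        }
        return roles;
    }

    public static void main(String[] args) {
        // Constructed sample data.
        List<Entry> people = Collections.singletonList(
                new Entry("uid=wkh,ou=People,dc=example,dc=com").with("uid", "wkh"));

        // Assumption: group membership recorded by login name (posixGroup style).
        List<Entry> byMemberUid = Collections.singletonList(
                new Entry("cn=wkhGroup,ou=Group,dc=example,dc=com")
                        .with("cn", "wkhGroup").with("memberUid", "wkh"));

        // Same group recorded by member DN (groupOfNames style, as in the reviewer's LDIF).
        List<Entry> byMemberDn = Collections.singletonList(
                new Entry("cn=wkhGroup,ou=Group,dc=example,dc=com")
                        .with("cn", "wkhGroup")
                        .with("member", "uid=wkh,ou=People,dc=example,dc=com"));

        for (String typed : new String[] {"wkh", "WKH"}) {
            Entry user = findUser(people, typed);
            // Canonical name read back from the attribute the search pattern matched on.
            String canonical = user.get("uid").get(0);
            System.out.println("login as " + typed + " -> entry " + user.dn);
            System.out.println("  memberUid group, {1} = typed name     : "
                    + groupsFor(byMemberUid, user.dn, typed));
            System.out.println("  memberUid group, {1} = uid from entry : "
                    + groupsFor(byMemberUid, user.dn, canonical));
            System.out.println("  member DN group, {1} = typed name     : "
                    + groupsFor(byMemberDn, user.dn, typed));
        }
    }
}
```

In this model a `member`-based group matches on the DN returned by the directory, so the typed case never reaches the comparison; only the `memberUid` branch depends on what the user typed.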
[jira] [Comment Edited] (KYLIN-3197) When ldap is opened, I use an ignored case user to login, the page does not respond.
[ https://issues.apache.org/jira/browse/KYLIN-3197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16360224#comment-16360224 ]

jiatao.tao edited comment on KYLIN-3197 at 2/12/18 2:47 AM:

[~peng.jianhua] The root cause is still not confirmed, why do you merge the code???

was (Author: aron.tao):
[~peng.jianhua] The root cause is still not found, why do you merge the code???

> When ldap is opened, I use an ignored case user to login, the page does not respond.
>
> Key: KYLIN-3197
> URL: https://issues.apache.org/jira/browse/KYLIN-3197
> Project: Kylin
> Issue Type: Bug
> Components: Security
> Affects Versions: v2.3.0
> Reporter: Peng Xing
> Assignee: Peng Xing
> Priority: Major
> Labels: patch
> Fix For: Future
>
> Attachments:
> 0001-KYLIN-3197-When-ldap-is-opened-I-use-an-ignored-case.patch,
> image-2018-01-25-17-22-39-970.png, image-2018-02-06-14-09-32-591.png,
> image-2018-02-08-15-32-25-030.png, image-2018-02-08-15-33-07-277.png,
> image-2018-02-08-15-33-54-480.png, image-2018-02-08-15-35-03-902.png
>
> When ldap is opened, I config the kylin.properties, and give wkhGroup the admin permission.
> {code:java}
> ## Admin roles in LDAP, for ldap and saml
> kylin.security.acl.admin-role=wkhGroup
> {code}
> Then I create a new user named 'wkh' whose group is 'wkhGroup', then I use 'wkh' to log in, which is normal.
> But when I use 'WKH' to log in, the page does not respond.
> I analyze the background code, and find the function of
> 'org.apache.kylin.rest.security.LDAPAuthoritiesPopulator.getGroupMembershipRoles(String, String)' has a problem.
> When userDn is "uid=wkh,ou=People,ou=defaultCluster,dc=zdh,dc=com" and username is "WKH",
> then authorities will be an empty Set by the following code:
> {code:java}
> Set authorities = super.getGroupMembershipRoles(userDn, username);
> {code}
> So I have added the 'getAdditionalRoles' function to get the authorities again.
> I have tested the patch, please review, thanks!

--
This message was sent by Atlassian JIRA (v7.6.3#76005)
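The behaviour reported in the issue description can be reproduced with a small in-memory model. This is an added example, not Kylin or Spring Security code: the class and method names are hypothetical, and it assumes the user search ignores case while the group search compares the member name exactly, which the thread has not confirmed as the cause.

```java
import java.util.*;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;

/** Constructed in-memory model of the two lookups named in the issue (not Kylin code). */
public class CaseMismatchDemo {
    // Constructed directory data: one user entry, one group listing members by login name.
    static final Map<String, String> USER_DN_BY_UID = Map.of(
            "wkh", "uid=wkh,ou=People,ou=defaultCluster,dc=zdh,dc=com");
    static final Map<String, Set<String>> GROUP_MEMBERS = Map.of("wkhGroup", Set.of("wkh"));

    /** User search. Assumption: case-insensitive, so "WKH" resolves to the stored entry. */
    static Optional<String> findUserDn(String typedName) {
        return USER_DN_BY_UID.entrySet().stream()
                .filter(e -> e.getKey().equalsIgnoreCase(typedName))
                .map(Map.Entry::getValue)
                .findFirst();
    }

    /** Group search. Assumption: exact match on the member name, so case matters. */
    static Set<String> groupsFor(String memberName) {
        Set<String> groups = new TreeSet<>();
        GROUP_MEMBERS.forEach((group, members) -> {
            if (members.contains(memberName)) groups.add(group);
        });
        return groups;
    }

    /** Login name as stored in the directory: value of the left-most RDN of the resolved DN. */
    static String canonicalUid(String userDn) throws InvalidNameException {
        LdapName name = new LdapName(userDn);
        // LdapName indexes RDNs right to left, so size() - 1 is the left-most one (uid=...).
        return String.valueOf(name.getRdn(name.size() - 1).getValue());
    }

    public static void main(String[] args) throws InvalidNameException {
        for (String typed : List.of("wkh", "WKH")) {
            String dn = findUserDn(typed).orElseThrow(IllegalStateException::new);
            // Same authenticated entry, two different keys for the role lookup.
            System.out.printf("typed=%s typedLookup=%s canonicalLookup=%s%n",
                    typed, groupsFor(typed), groupsFor(canonicalUid(dn)));
        }
    }
}
```

Under these assumptions, a role lookup keyed on the identity the directory returned gives the same result for every spelling that authenticates, while a lookup keyed on the typed string returns no roles for 'WKH'.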
[jira] [Comment Edited] (KYLIN-3197) When ldap is opened, I use an ignored case user to login, the page does not respond.
[ https://issues.apache.org/jira/browse/KYLIN-3197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16360221#comment-16360221 ]

jiatao.tao edited comment on KYLIN-3197 at 2/12/18 2:35 AM:

[~xingpeng1] can you put your kylin ldap config here?

was (Author: aron.tao):
[~xingpeng1] can you put your config here?
[jira] [Comment Edited] (KYLIN-3197) When ldap is opened, I use an ignored case user to login, the page does not respond.
[ https://issues.apache.org/jira/browse/KYLIN-3197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16360219#comment-16360219 ]

jiatao.tao edited comment on KYLIN-3197 at 2/12/18 2:31 AM:

Hi [~xingpeng1]
I tested the code before and do find that ldap is not case insensitive, so please do confirm its root cause. Thanks.

root @ sandbox in ~ [10:23:45]
$ rpm -qa|grep openldap
openldap-clients-2.4.40-16.el6.x86_64
openldap-devel-2.4.40-16.el6.x86_64
openldap-2.4.40-16.el6.x86_64
openldap-servers-2.4.40-16.el6.x86_64

was (Author: aron.tao):
Hi [~xingpeng1]
I tested the code before and do find that ldap is not case insensitive, so please do confirm your problem. Thanks.

root @ sandbox in ~ [10:23:45]
$ rpm -qa|grep openldap
openldap-clients-2.4.40-16.el6.x86_64
openldap-devel-2.4.40-16.el6.x86_64
openldap-2.4.40-16.el6.x86_64
openldap-servers-2.4.40-16.el6.x86_64
[jira] [Comment Edited] (KYLIN-3197) When ldap is opened, I use an ignored case user to login, the page does not respond.
[ https://issues.apache.org/jira/browse/KYLIN-3197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16359983#comment-16359983 ]

peng.jianhua edited comment on KYLIN-3197 at 2/11/18 4:29 PM:

+1
I used the issue to verify my push code.

was (Author: peng.jianhua):
+1
[jira] [Comment Edited] (KYLIN-3197) When ldap is opened, I use an ignored case user to login, the page does not respond.
[ https://issues.apache.org/jira/browse/KYLIN-3197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16358145#comment-16358145 ]

Peng Xing edited comment on KYLIN-3197 at 2/9/18 9:18 AM:

Hi [~Aron.tao],
I ran the latest Kylin code, and I checked my configuration against your LDAP document, it is the same, but the user 'WKH' still cannot log in to the system. I guess it may be an openldap version problem, so can you tell me your openldap version? Thanks!
My openldap version is
{code:java}
[root@zdh131 ~]# rpm -qa|grep openldap
openldap-servers-2.4.40-16.el6.x86_64
openldap-servers-sql-2.4.40-16.el6.x86_64
compat-openldap-2.3.43-2.el6.x86_64
openldap-devel-2.4.40-16.el6.x86_64
openldap-2.4.40-16.el6.x86_64
openldap-clients-2.4.40-16.el6.x86_64
{code}

was (Author: xingpeng1):
Hi [~Aron.tao],
I ran the latest Kylin code, and I checked my configuration against your LDAP document, it is the same, but the user 'WKH' still cannot log in to the system. I guess it may be an openldap version problem, so can you tell me your openldap version? Thanks!

> When ldap is opened, I use an ignored case user to login, the page does not respond.
>
> Key: KYLIN-3197
> URL: https://issues.apache.org/jira/browse/KYLIN-3197
> Project: Kylin
> Issue Type: Bug
> Components: Security
> Affects Versions: v2.3.0
> Reporter: Peng Xing
> Assignee: Peng Xing
> Priority: Major
> Labels: patch
> Fix For: v2.3.0
>
> Attachments:
> 0001-KYLIN-3197-When-ldap-is-opened-I-use-an-ignored-case.patch,
> image-2018-01-25-17-22-39-970.png, image-2018-02-06-14-09-32-591.png,
> image-2018-02-08-15-32-25-030.png, image-2018-02-08-15-33-07-277.png,
> image-2018-02-08-15-33-54-480.png, image-2018-02-08-15-35-03-902.png
>
> When ldap is opened, I config the kylin.properties, and give wkhGroup the admin permission.
> {code:java}
> ## Admin roles in LDAP, for ldap and saml
> kylin.security.acl.admin-role=wkhGroup
> {code}
> Then I create a new user named 'wkh' whose group is 'wkhGroup', then I use 'wkh' to log in, which is normal.
> But when I use 'WKH' to log in, the page does not respond.
> I analyze the background code, and find the function of
> 'org.apache.kylin.rest.security.LDAPAuthoritiesPopulator.getGroupMembershipRoles(String, String)' has a problem.
> When userDn is "uid=wkh,ou=People,ou=defaultCluster,dc=zdh,dc=com" and username is "WKH",
> then authorities will be an empty Set by the following code:
> {code:java}
> Set authorities = super.getGroupMembershipRoles(userDn, username);
> {code}
> So I have added the 'getAdditionalRoles' function to get the authorities again.
> I have tested the patch, please review, thanks!
[jira] [Comment Edited] (KYLIN-3197) When ldap is opened, I use an ignored case user to login, the page does not respond.
[ https://issues.apache.org/jira/browse/KYLIN-3197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16356600#comment-16356600 ]

jiatao.tao edited comment on KYLIN-3197 at 2/8/18 7:42 AM:

Hi [~xingpeng1], I run the latest Kylin code. The user in LDAP is jenny, and I use JENNY and jenny, even if jeNNY, all can login.

!image-2018-02-08-15-33-07-277.png|width=881,height=101!
!image-2018-02-08-15-35-03-902.png|width=881,height=93!
!image-2018-02-08-15-33-54-480.png|width=885,height=100!
!image-2018-02-08-15-32-25-030.png!

[http://kylin.apache.org/docs21/howto/howto_ldap_and_sso.html]
This is our LDAP document and you can confirm your configuration about LDAP.

was (Author: aron.tao):
Hi [~xingpeng1], I run the latest Kylin code. The user in LDAP is jenny, and I use JENNY and jenny, even if jeNNY, all can login.

!image-2018-02-08-15-33-07-277.png|width=881,height=101!
!image-2018-02-08-15-35-03-902.png|width=881,height=93!
!image-2018-02-08-15-33-54-480.png|width=885,height=100!
!image-2018-02-08-15-32-25-030.png!