Repository: hive
Updated Branches:
  refs/heads/llap 28d1082b4 -> a7b0ca733


HIVE-13295: Improvement to LDAP search queries in HS2 LDAP Authenticator 
(Naveen Gangam via Chaoyu Tang)


Project: http://git-wip-us.apache.org/repos/asf/hive/repo
Commit: http://git-wip-us.apache.org/repos/asf/hive/commit/e665f020
Tree: http://git-wip-us.apache.org/repos/asf/hive/tree/e665f020
Diff: http://git-wip-us.apache.org/repos/asf/hive/diff/e665f020

Branch: refs/heads/llap
Commit: e665f020b419cf9096006c45f4afcda13fa9e882
Parents: 55383d8
Author: ctang <ct...@cloudera.com>
Authored: Thu Mar 24 09:34:59 2016 -0700
Committer: ctang <ct...@cloudera.com>
Committed: Thu Mar 24 09:34:59 2016 -0700

----------------------------------------------------------------------
 .../org/apache/hadoop/hive/conf/HiveConf.java   |   9 +
 .../auth/LdapAuthenticationProviderImpl.java    | 317 ++++++++++---------
 .../auth/TestLdapAtnProviderWithMiniDS.java     | 200 +++++++++++-
 3 files changed, 373 insertions(+), 153 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/hive/blob/e665f020/common/src/java/org/apache/hadoop/hive/conf/HiveConf.java
----------------------------------------------------------------------
diff --git a/common/src/java/org/apache/hadoop/hive/conf/HiveConf.java 
b/common/src/java/org/apache/hadoop/hive/conf/HiveConf.java
index b8b9dcf..b8870f2 100644
--- a/common/src/java/org/apache/hadoop/hive/conf/HiveConf.java
+++ b/common/src/java/org/apache/hadoop/hive/conf/HiveConf.java
@@ -2237,6 +2237,15 @@ public class HiveConf extends Configuration {
     
HIVE_SERVER2_PLAIN_LDAP_USERFILTER("hive.server2.authentication.ldap.userFilter",
 null,
         "COMMA-separated list of LDAP usernames (just short names, not full 
DNs).\n" +
         "For example: hiveuser,impalauser,hiveadmin,hadoopadmin"),
+    
HIVE_SERVER2_PLAIN_LDAP_GUIDKEY("hive.server2.authentication.ldap.guidKey", 
"uid",
+        "LDAP attribute name whose values are unique in this LDAP server.\n" +
+        "For example: uid or CN."),
+    
HIVE_SERVER2_PLAIN_LDAP_GROUPMEMBERSHIP_KEY("hive.server2.authentication.ldap.groupMembershipKey",
 "member",
+        "LDAP attribute name on the user entry that references a group, the 
user belongs to.\n" +
+        "For example: member, uniqueMember or memberUid"),
+    
HIVE_SERVER2_PLAIN_LDAP_GROUPCLASS_KEY("hive.server2.authentication.ldap.groupClassKey",
 "groupOfNames",
+        "LDAP attribute name on the group entry that is to be used in LDAP 
group searches.\n" +
+        "For example: group, groupOfNames or groupOfUniqueNames."),
     
HIVE_SERVER2_PLAIN_LDAP_CUSTOMLDAPQUERY("hive.server2.authentication.ldap.customLDAPQuery",
 null,
         "A full LDAP query that LDAP Atn provider uses to execute against LDAP 
Server.\n" +
         "If this query returns a null resultset, the LDAP Provider fails the 
Authentication\n" +

http://git-wip-us.apache.org/repos/asf/hive/blob/e665f020/service/src/java/org/apache/hive/service/auth/LdapAuthenticationProviderImpl.java
----------------------------------------------------------------------
diff --git 
a/service/src/java/org/apache/hive/service/auth/LdapAuthenticationProviderImpl.java
 
b/service/src/java/org/apache/hive/service/auth/LdapAuthenticationProviderImpl.java
index 9b0b14d..8f64672 100644
--- 
a/service/src/java/org/apache/hive/service/auth/LdapAuthenticationProviderImpl.java
+++ 
b/service/src/java/org/apache/hive/service/auth/LdapAuthenticationProviderImpl.java
@@ -41,7 +41,6 @@ import org.slf4j.LoggerFactory;
 public class LdapAuthenticationProviderImpl implements 
PasswdAuthenticationProvider {
 
   private static final Logger LOG     = 
LoggerFactory.getLogger(LdapAuthenticationProviderImpl.class);
-  private static final String DN_ATTR = "distinguishedName";
 
   private String ldapURL;
   private String baseDN;
@@ -51,6 +50,9 @@ public class LdapAuthenticationProviderImpl implements 
PasswdAuthenticationProvi
   private static List<String> userFilter;
   private static List<String> groupFilter;
   private String customQuery;
+  private static String guid_attr;
+  private static String groupMembership_attr;
+  private static String groupClass_attr;
 
   LdapAuthenticationProviderImpl(HiveConf conf) {
     init(conf);
@@ -61,65 +63,66 @@ public class LdapAuthenticationProviderImpl implements 
PasswdAuthenticationProvi
     baseDN      = 
conf.getVar(HiveConf.ConfVars.HIVE_SERVER2_PLAIN_LDAP_BASEDN);
     ldapDomain  = 
conf.getVar(HiveConf.ConfVars.HIVE_SERVER2_PLAIN_LDAP_DOMAIN);
     customQuery = 
conf.getVar(HiveConf.ConfVars.HIVE_SERVER2_PLAIN_LDAP_CUSTOMLDAPQUERY);
-
-    if (customQuery == null) {
-      groupBases             = new ArrayList<String>();
-      userBases              = new ArrayList<String>();
-      String groupDNPatterns = 
conf.getVar(HiveConf.ConfVars.HIVE_SERVER2_PLAIN_LDAP_GROUPDNPATTERN);
-      String groupFilterVal  = 
conf.getVar(HiveConf.ConfVars.HIVE_SERVER2_PLAIN_LDAP_GROUPFILTER);
-      String userDNPatterns  = 
conf.getVar(HiveConf.ConfVars.HIVE_SERVER2_PLAIN_LDAP_USERDNPATTERN);
-      String userFilterVal   = 
conf.getVar(HiveConf.ConfVars.HIVE_SERVER2_PLAIN_LDAP_USERFILTER);
-
-      // parse COLON delimited root DNs for users/groups that may or may not 
be under BaseDN.
-      // Expect the root DNs be fully qualified including the baseDN
-      if (groupDNPatterns != null && groupDNPatterns.trim().length() > 0) {
-        String[] groupTokens = groupDNPatterns.split(":");
-        for (int i = 0; i < groupTokens.length; i++) {
-          if (groupTokens[i].contains(",") && groupTokens[i].contains("=")) {
-            groupBases.add(groupTokens[i]);
-          } else {
-            LOG.warn("Unexpected format for " + 
HiveConf.ConfVars.HIVE_SERVER2_PLAIN_LDAP_GROUPDNPATTERN
-                         + "..ignoring " + groupTokens[i]);
-          }
+    guid_attr   = 
conf.getVar(HiveConf.ConfVars.HIVE_SERVER2_PLAIN_LDAP_GUIDKEY);
+    groupBases  = new ArrayList<String>();
+    userBases   = new ArrayList<String>();
+    userFilter  = new ArrayList<String>();
+    groupFilter = new ArrayList<String>();
+
+    String groupDNPatterns = 
conf.getVar(HiveConf.ConfVars.HIVE_SERVER2_PLAIN_LDAP_GROUPDNPATTERN);
+    String groupFilterVal  = 
conf.getVar(HiveConf.ConfVars.HIVE_SERVER2_PLAIN_LDAP_GROUPFILTER);
+    String userDNPatterns  = 
conf.getVar(HiveConf.ConfVars.HIVE_SERVER2_PLAIN_LDAP_USERDNPATTERN);
+    String userFilterVal   = 
conf.getVar(HiveConf.ConfVars.HIVE_SERVER2_PLAIN_LDAP_USERFILTER);
+    groupMembership_attr   = 
conf.getVar(HiveConf.ConfVars.HIVE_SERVER2_PLAIN_LDAP_GROUPMEMBERSHIP_KEY);
+    groupClass_attr        = 
conf.getVar(HiveConf.ConfVars.HIVE_SERVER2_PLAIN_LDAP_GROUPCLASS_KEY);
+
+    // parse COLON delimited root DNs for users/groups that may or may not be 
under BaseDN.
+    // Expect the root DNs be fully qualified including the baseDN
+    if (groupDNPatterns != null && groupDNPatterns.trim().length() > 0) {
+      String[] groupTokens = groupDNPatterns.split(":");
+      for (int i = 0; i < groupTokens.length; i++) {
+        if (groupTokens[i].contains(",") && groupTokens[i].contains("=")) {
+          groupBases.add(groupTokens[i]);
+        } else {
+          LOG.warn("Unexpected format for " + 
HiveConf.ConfVars.HIVE_SERVER2_PLAIN_LDAP_GROUPDNPATTERN
+                       + "..ignoring " + groupTokens[i]);
         }
-      } else if (baseDN != null) {
-        groupBases.add("uid=%s," + baseDN);
       }
+    } else if (baseDN != null) {
+      groupBases.add(guid_attr + "=%s," + baseDN);
+    }
 
-      if (groupFilterVal != null && groupFilterVal.trim().length() > 0) {
-        groupFilter     = new ArrayList<String>();
-        String[] groups = groupFilterVal.split(",");
-        for (int i = 0; i < groups.length; i++) {
-          if (LOG.isDebugEnabled()) {
-            LOG.debug("Filtered group: " + groups[i]);
-          }
-          groupFilter.add(groups[i]);
+    if (groupFilterVal != null && groupFilterVal.trim().length() > 0) {
+      String[] groups = groupFilterVal.split(",");
+      for (int i = 0; i < groups.length; i++) {
+        if (LOG.isDebugEnabled()) {
+          LOG.debug("Filtered group: " + groups[i]);
         }
+        groupFilter.add(groups[i]);
       }
+    }
 
-      if (userDNPatterns != null && userDNPatterns.trim().length() > 0) {
-        String[] userTokens = userDNPatterns.split(":");
-        for (int i = 0; i < userTokens.length; i++) {
-          if (userTokens[i].contains(",") && userTokens[i].contains("=")) {
-            userBases.add(userTokens[i]);
-          } else {
-            LOG.warn("Unexpected format for " + 
HiveConf.ConfVars.HIVE_SERVER2_PLAIN_LDAP_USERDNPATTERN
-                         + "..ignoring " + userTokens[i]);
-          }
+    if (userDNPatterns != null && userDNPatterns.trim().length() > 0) {
+      String[] userTokens = userDNPatterns.split(":");
+      for (int i = 0; i < userTokens.length; i++) {
+        if (userTokens[i].contains(",") && userTokens[i].contains("=")) {
+          userBases.add(userTokens[i]);
+        } else {
+          LOG.warn("Unexpected format for " + 
HiveConf.ConfVars.HIVE_SERVER2_PLAIN_LDAP_USERDNPATTERN
+                       + "..ignoring " + userTokens[i]);
         }
-      } else if (baseDN != null) {
-        userBases.add("uid=%s," + baseDN);
       }
+    } else if (baseDN != null) {
+      userBases.add(guid_attr + "=%s," + baseDN);
+    }
 
-      if (userFilterVal != null && userFilterVal.trim().length() > 0) {
-        userFilter     = new ArrayList<String>();
-        String[] users = userFilterVal.split(",");
-        for (int i = 0; i < users.length; i++) {
-          if (LOG.isDebugEnabled()) {
-            LOG.debug("Filtered user: " + users[i]);
-          }
-          userFilter.add(users[i]);
+    if (userFilterVal != null && userFilterVal.trim().length() > 0) {
+      String[] users = userFilterVal.split(",");
+      for (int i = 0; i < users.length; i++) {
+        if (LOG.isDebugEnabled()) {
+          LOG.debug("Filtered user: " + users[i]);
         }
+        userFilter.add(users[i]);
       }
     }
   }
@@ -159,7 +162,7 @@ public class LdapAuthenticationProviderImpl implements 
PasswdAuthenticationProvi
         try {
           bindDN = listIter.next().replaceAll("%s", user);
           env.put(Context.SECURITY_PRINCIPAL, bindDN);
-          LOG.debug("Connecting using principal=" + user + " at url=" + 
ldapURL);
+          LOG.debug("Connecting using DN " + bindDN + " at url " + ldapURL);
           ctx = new InitialDirContext(env);
           break;
         } catch (NamingException e) {
@@ -168,7 +171,7 @@ public class LdapAuthenticationProviderImpl implements 
PasswdAuthenticationProvi
       }
     } else {
       env.put(Context.SECURITY_PRINCIPAL, user);
-      LOG.debug("Connecting using principal=" + user + " at url=" + ldapURL);
+      LOG.debug("Connecting using principal " + user + " at url " + ldapURL);
       try {
         ctx = new InitialDirContext(env);
       } catch (NamingException e) {
@@ -177,9 +180,11 @@ public class LdapAuthenticationProviderImpl implements 
PasswdAuthenticationProvi
     }
 
     if (ctx == null) {
+      LOG.debug("Could not connect to the LDAP Server:Authentication failed 
for " + user);
       throw new AuthenticationException("LDAP Authentication failed for user", 
ex);
     }
 
+    LOG.debug("Connected using principal=" + user + " at url=" + ldapURL);
     try {
       if (isDN(user) || hasDomain(user)) {
         userName = extractName(user);
@@ -187,7 +192,24 @@ public class LdapAuthenticationProviderImpl implements 
PasswdAuthenticationProvi
         userName = user;
       }
 
-      if (userFilter == null && groupFilter == null && customQuery == null && 
userBases.size() > 0) {
+      // if a custom LDAP query is specified, it takes precedence over other 
configuration properties.
+      // if the user being authenticated is part of the resultset from the 
custom query, it succeeds.
+      if (customQuery != null) {
+        List<String> resultList = executeLDAPQuery(ctx, customQuery, baseDN);
+        if (resultList != null) {
+          for (String matchedDN : resultList) {
+            LOG.info("<queried user=" + 
matchedDN.split(",",2)[0].split("=",2)[1] + ",user=" + user + ">");
+            if 
(matchedDN.split(",",2)[0].split("=",2)[1].equalsIgnoreCase(user) ||
+                matchedDN.equalsIgnoreCase(user)) {
+              LOG.info("Authentication succeeded based on result set from LDAP 
query");
+              return;
+            }
+          }
+        }
+        LOG.info("Authentication failed based on result set from custom LDAP 
query");
+        throw new AuthenticationException("Authentication failed: LDAP query " 
+
+            "from property returned no data");
+      } else if (userBases.size() > 0) {
         if (isDN(user)) {
           userDN = findUserDNByDN(ctx, user);
         } else {
@@ -196,7 +218,7 @@ public class LdapAuthenticationProviderImpl implements 
PasswdAuthenticationProvi
           }
 
           if (userDN == null) {
-            userDN = findUserDNByName(ctx, baseDN, userName);
+            userDN = findUserDNByName(ctx, userName);
           }
         }
 
@@ -205,86 +227,60 @@ public class LdapAuthenticationProviderImpl implements 
PasswdAuthenticationProvi
         if (userDN == null) {
           throw new AuthenticationException("Authentication failed: User 
search failed");
         }
-        return;
-      }
-
-      if (customQuery != null) {
-        List<String> resultList = executeLDAPQuery(ctx, customQuery, baseDN);
-        if (resultList != null) {
-          for (String matchedDN : resultList) {
-            if 
(matchedDN.split(",",2)[0].split("=",2)[1].equalsIgnoreCase(user)) {
-              LOG.info("Authentication succeeded based on result set from LDAP 
query");
-              return;
-            }
-          }
-        }
-        throw new AuthenticationException("Authentication failed: LDAP query " 
+
-            "from property returned no data");
-      }
 
-      // This section checks if the user satisfies the specified user filter.
-      if (userFilter != null && userFilter.size() > 0) {
-        LOG.info("Authenticating user " + user + " using user filter");
+        // This section checks if the user satisfies the specified user filter.
+        if (userFilter.size() > 0) {
+          LOG.info("Authenticating user " + user + " using user filter");
 
-        boolean success = false;
-        for (String filteredUser : userFilter) {
-          if (filteredUser.equalsIgnoreCase(userName)) {
-            LOG.debug("User filter partially satisfied");
-            success = true;
-            break;
+          if (userDN != null) {
+            LOG.info("User filter partially satisfied");
           }
-        }
-
-        if (!success) {
-          LOG.info("Authentication failed based on user membership");
-          throw new AuthenticationException("Authentication failed: User not a 
member " +
-              "of specified list");
-        }
-
-        userDN = findUserDNByPattern(ctx, userName);
-        if (userDN != null) {
-          LOG.info("User filter entirely satisfied");
-        } else {
-          LOG.info("User " + user + " could not be found in the configured 
UserBaseDN," +
-              "authentication failed");
-          throw new AuthenticationException("Authentication failed: UserDN 
could not be " +
-              "found in specified User base(s)");
-        }
-      }
 
-      if (groupFilter != null && groupFilter.size() > 0) {
-        LOG.debug("Authenticating user " + user + " using group membership:");
+          boolean success = false;
+          for (String filteredUser : userFilter) {
+            if (filteredUser.equalsIgnoreCase(userName)) {
+              LOG.debug("User filter entirely satisfied");
+              success = true;
+              break;
+            }
+          }
 
-        // if only groupFilter is configured.
-        if (userDN == null) {
-          userDN = findUserDNByName(ctx, baseDN, userName);
+          if (!success) {
+            LOG.info("Authentication failed based on user membership");
+            throw new AuthenticationException("Authentication failed: User not 
a member " +
+                "of specified list");
+          }
         }
 
-        List<String> userGroups = getGroupsForUser(ctx, userDN);
-        if (LOG.isDebugEnabled()) {
-          LOG.debug("User member of :");
-          prettyPrint(userGroups);
-        }
+        // This section checks if the user satisfies the specified user filter.
+        if (groupFilter.size() > 0) {
+          LOG.debug("Authenticating user " + user + " using group membership");
+          List<String> userGroups = getGroupsForUser(ctx, userDN);
+          if (LOG.isDebugEnabled()) {
+            LOG.debug("User member of :");
+            prettyPrint(userGroups);
+          }
 
-        if (userGroups != null) {
-          for (String elem : userGroups) {
-            String shortName = ((elem.split(","))[0].split("="))[1];
-            String groupDN   = elem.split(",", 2)[1];
-            LOG.debug("Checking group:DN=" + elem + ",shortName=" + shortName +
-                ",groupDN=" + groupDN);
-            if (groupFilter.contains(shortName)) {
-              LOG.info("Authentication succeeded based on group membership");
-              return;
+          if (userGroups != null) {
+            for (String elem : userGroups) {
+              String shortName = ((elem.split(","))[0].split("="))[1];
+              if (groupFilter.contains(shortName)) {
+                LOG.info("Authentication succeeded based on group membership");
+                return;
+              }
             }
           }
-        }
 
-        throw new AuthenticationException("Authentication failed: User not a 
member of " +
-            "listed groups");
+          LOG.debug("Authentication failed: User is not a member of configured 
groups");
+          throw new AuthenticationException("Authentication failed: User not a 
member of " +
+              "listed groups");
+        }
+        LOG.info("Authentication succeeded using ldap user search");
+        return;
       }
-
+      // Ideally we should not be here. Indicates partially configured LDAP 
Service.
+      // We allow it for now for backward compatibility.
       LOG.info("Simple password authentication succeeded");
-
     } catch (NamingException e) {
       throw new AuthenticationException("LDAP Authentication failed for user", 
e);
     } finally {
@@ -337,7 +333,7 @@ public class LdapAuthenticationProviderImpl implements 
PasswdAuthenticationProvi
    */
   public static String findGroupDNByName(DirContext ctx, String baseDN, String 
groupName)
     throws NamingException {
-    String searchFilter  = "(&(objectClass=group)(CN=" + groupName + "))";
+    String searchFilter  = "(&(objectClass=" + groupClass_attr + ")(" + 
guid_attr + "=" + groupName + "))";
     List<String> results = null;
 
     results = findDNByName(ctx, baseDN, searchFilter, 2);
@@ -410,9 +406,9 @@ public class LdapAuthenticationProviderImpl implements 
PasswdAuthenticationProvi
    * @param userName A unique userid that is to be located in the LDAP.
    * @return LDAP DN if the user is found in LDAP, null otherwise.
    */
-  public static String findUserDNByName(DirContext ctx, String baseDN, String 
userName)
+  public static String findUserDNByName(DirContext ctx, String userName)
       throws NamingException {
-    if (baseDN == null) {
+    if (userBases.size() == 0) {
       return null;
     }
 
@@ -421,23 +417,28 @@ public class LdapAuthenticationProviderImpl implements 
PasswdAuthenticationProvi
                              "(|(uid=" + userName + ")(sAMAccountName=" + 
userName + ")))",
                              "(|(cn=*" + userName + "*)))"
                            };
-    String searchFilter  = null;
-    List<String> results = null;
+
+    String searchFilter           = null;
+    List<String> results          = null;
+    ListIterator<String> listIter = userBases.listIterator();
 
     for (int i = 0; i < suffix.length; i++) {
       searchFilter = baseFilter + suffix[i];
-      results      = findDNByName(ctx, baseDN, searchFilter, 2);
 
-      if(results == null) {
-        continue;
-      }
+      while (listIter.hasNext()) {
+        results = findDNByName(ctx, listIter.next().split(",",2)[1], 
searchFilter, 2);
 
-      if(results != null && results.size() > 1) {
-        //make sure there is not another item available, there should be only 
1 match
-        LOG.info("Matched multiple users for the user: " + userName + 
",returning null");
-        return null;
+        if(results == null) {
+          continue;
+        }
+
+        if(results != null && results.size() > 1) {
+          //make sure there is not another item available, there should be 
only 1 match
+          LOG.info("Matched multiple users for the user: " + userName + 
",returning null");
+          return null;
+        }
+        return results.get(0);
       }
-      return results.get(0);
     }
     return null;
   }
@@ -525,37 +526,47 @@ public class LdapAuthenticationProviderImpl implements 
PasswdAuthenticationProvi
 
   /**
    * This helper method finds all the groups a given user belongs to.
-   * This method relies on the "memberOf" attribute being set on the user that 
references
-   * the group the group. The returned list ONLY includes direct groups the 
user belongs to.
-   * Parent groups of these direct groups are NOT included.
+   * This method relies on the attribute,configurable via 
HIVE_SERVER2_PLAIN_LDAP_GROUPMEMBERSHIP_KEY,
+   * being set on the user entry that references the group. The returned list 
ONLY includes direct
+   * groups the user belongs to. Parent groups of these direct groups are NOT 
included.
    * @param ctx DirContext for the LDAP Connection.
-   * @param userName A unique userid that is to be located in the LDAP.
+   * @param userDN A unique userDN that is to be located in the LDAP.
    * @return List of Group DNs the user belongs to, emptylist otherwise.
    */
   public static List<String> getGroupsForUser(DirContext ctx, String userDN)
       throws NamingException {
     List<String> groupList        = new ArrayList<String>();
-    String searchFilter           = "(" + DN_ATTR + "=" + userDN + ")";
+    String user                   = extractName(userDN);
+    String searchFilter           = "(&(objectClass=" + groupClass_attr + 
")(|(" +
+                                      groupMembership_attr + "=" + userDN + 
")(" +
+                                      groupMembership_attr + "=" + user + 
")))";
     SearchControls searchControls = new SearchControls();
+    NamingEnumeration<SearchResult> results = null;
+    SearchResult result = null;
+    String groupBase = null;
 
     LOG.debug("getGroupsForUser:searchFilter=" + searchFilter);
-    String[] attrIDs = { "memberOf" };
+    String[] attrIDs = new String[0];
     searchControls.setSearchScope(SearchControls.SUBTREE_SCOPE);
     searchControls.setReturningAttributes(attrIDs);
 
-    // treat everything after the first COMMA as a baseDN for the search to 
find this user
-    NamingEnumeration<SearchResult> results = 
ctx.search(userDN.split(",",2)[1], searchFilter,
-        searchControls);
-    while(results.hasMoreElements()) {
-      NamingEnumeration<? extends Attribute> groups = 
results.next().getAttributes().getAll();
-      while (groups.hasMore()) {
-        Attribute attr = groups.next();
-        NamingEnumeration<?> list = attr.getAll();
-        while (list.hasMore()) {
-          groupList.add((String)list.next());
+    ListIterator<String> listIter = groupBases.listIterator();
+    while (listIter.hasNext()) {
+      try {
+        groupBase = listIter.next().split(",", 2)[1];
+        LOG.debug("Searching for groups under " + groupBase);
+        results   = ctx.search(groupBase, searchFilter, searchControls);
+
+        while(results.hasMoreElements()) {
+          result = results.nextElement();
+          LOG.debug("Found Group:" + result.getNameInNamespace());
+          groupList.add(result.getNameInNamespace());
         }
+      } catch (NamingException e) {
+        LOG.warn("Exception searching for user groups", e);
       }
     }
+
     return groupList;
   }
 
@@ -577,6 +588,10 @@ public class LdapAuthenticationProviderImpl implements 
PasswdAuthenticationProvi
    */
   public static List<String> executeLDAPQuery(DirContext ctx, String query, 
String rootDN)
       throws NamingException {
+    if (rootDN == null) {
+      return null;
+    }
+
     SearchControls searchControls = new SearchControls();
     List<String> list             = new ArrayList<String>();
     String[] returnAttributes     = new String[0]; //empty set

http://git-wip-us.apache.org/repos/asf/hive/blob/e665f020/service/src/test/org/apache/hive/service/auth/TestLdapAtnProviderWithMiniDS.java
----------------------------------------------------------------------
diff --git 
a/service/src/test/org/apache/hive/service/auth/TestLdapAtnProviderWithMiniDS.java
 
b/service/src/test/org/apache/hive/service/auth/TestLdapAtnProviderWithMiniDS.java
index 832ebdf..ee9262a 100644
--- 
a/service/src/test/org/apache/hive/service/auth/TestLdapAtnProviderWithMiniDS.java
+++ 
b/service/src/test/org/apache/hive/service/auth/TestLdapAtnProviderWithMiniDS.java
@@ -109,21 +109,23 @@ partitions = {
       "dn: uid=group1,ou=Groups,dc=example,dc=com",
       "distinguishedName: uid=group1,ou=Groups,dc=example,dc=com",
       "objectClass: top",
-      "objectClass: organizationalUnit",
+      "objectClass: groupOfNames",
       "objectClass: ExtensibleObject",
       "cn: group1",
       "ou: Groups",
       "sn: group1",
+      "member: uid=user1,ou=People,dc=example,dc=com",
 
       "dn: uid=group2,ou=Groups,dc=example,dc=com",
       "distinguishedName: uid=group2,ou=Groups,dc=example,dc=com",
       "objectClass: top",
-      "objectClass: organizationalUnit",
+      "objectClass: groupOfNames",
       "objectClass: ExtensibleObject",
       "givenName: Group2",
       "ou: Groups",
       "cn: group1",
       "sn: group1",
+      "member: uid=user2,ou=People,dc=example,dc=com",
 
       "dn: uid=user1,ou=People,dc=example,dc=com",
       "distinguishedName: uid=user1,ou=People,dc=example,dc=com",
@@ -535,4 +537,198 @@ public class TestLdapAtnProviderWithMiniDS extends 
AbstractLdapTestUnit {
     }
   }
 
+  @Test
+  public void testUserFilterPositive() throws Exception {
+    String user;
+    Map<String, String> ldapProperties = new HashMap<String, String>();
+    ldapProperties.put("hive.server2.authentication.ldap.userDNPattern", 
"uid=%s,ou=People,dc=example,dc=com");
+    ldapProperties.put("hive.server2.authentication.ldap.userFilter", "user2");
+    initLdapAtn(ldapProperties);
+
+    user = "uid=user2,ou=People,dc=example,dc=com";
+    try {
+      ldapProvider.Authenticate(user, "user2");
+      assertTrue("testUserFilterPositive: Authentication succeeded for " + 
user + " as expected", true);
+
+      user = "user2";
+      ldapProvider.Authenticate(user, "user2");
+      assertTrue("testUserFilterPositive: Authentication succeeded for " + 
user + " as expected", true);
+    } catch (AuthenticationException e) {
+      Assert.fail("testUserFilterPositive: Authentication failed for " + user 
+ ",user expected to pass userfilter");
+    }
+
+    ldapProperties = new HashMap<String, String>();
+    ldapProperties.put("hive.server2.authentication.ldap.userDNPattern", 
"uid=%s,ou=People,dc=example,dc=com");
+    ldapProperties.put("hive.server2.authentication.ldap.userFilter", "user1");
+    initLdapAtn(ldapProperties);
+
+    try {
+      user = "uid=user1,ou=People,dc=example,dc=com";
+      ldapProvider.Authenticate(user, "user1");
+      assertTrue("testUserFilterPositive: Authentication succeeded for " + 
user + " as expected", true);
+
+      user = "user1";
+      ldapProvider.Authenticate(user, "user1");
+      assertTrue("testUserFilterPositive: Authentication succeeded for " + 
user + " as expected", true);
+    } catch (AuthenticationException e) {
+      Assert.fail("testUserFilterPositive: Authentication failed for " + user 
+ ",user expected to pass userfilter");
+    }
+
+    ldapProperties = new HashMap<String, String>();
+    ldapProperties.put("hive.server2.authentication.ldap.userDNPattern", 
"uid=%s,ou=People,dc=example,dc=com");
+    ldapProperties.put("hive.server2.authentication.ldap.userFilter", 
"user2,user1");
+    initLdapAtn(ldapProperties);
+
+    try {
+      user = "uid=user1,ou=People,dc=example,dc=com";
+      ldapProvider.Authenticate(user, "user1");
+      assertTrue("testUserFilterPositive: Authentication succeeded for " + 
user + " as expected", true);
+
+      user = "user2";
+      ldapProvider.Authenticate(user, "user2");
+      assertTrue("testUserFilterPositive: Authentication succeeded for " + 
user + " as expected", true);
+
+    } catch (AuthenticationException e) {
+      Assert.fail("testUserFilterPositive: Authentication failed for user, 
user is expected to pass userfilter");
+    }
+  }
+
+  @Test
+  public void testUserFilterNegative() throws Exception {
+    String user;
+    Map<String, String> ldapProperties = new HashMap<String, String>();
+    ldapProperties.put("hive.server2.authentication.ldap.userDNPattern", 
"uid=%s,ou=People,dc=example,dc=com");
+    ldapProperties.put("hive.server2.authentication.ldap.userFilter", "user2");
+    initLdapAtn(ldapProperties);
+
+    user = "uid=user1,ou=People,dc=example,dc=com";
+    try {
+      ldapProvider.Authenticate(user, "user1");
+      Assert.fail("testUserFilterNegative: Authentication succeeded for " + 
user + ",user is expected to fail userfilter");
+    } catch (AuthenticationException e) {
+      assertTrue("testUserFilterNegative: Authentication failed for " + user + 
" as expected", true);
+    }
+
+    user = "user1";
+    try {
+      ldapProvider.Authenticate(user, "user1");
+      Assert.fail("testUserFilterNegative: Authentication succeeded for " + 
user + ",user is expected to fail userfilter");
+    } catch (AuthenticationException e) {
+      assertTrue("testUserFilterNegative: Authentication failed for " + user + 
" as expected", true);
+    }
+
+    ldapProperties = new HashMap<String, String>();
+    ldapProperties.put("hive.server2.authentication.ldap.userDNPattern", 
"uid=%s,ou=People,dc=example,dc=com");
+    ldapProperties.put("hive.server2.authentication.ldap.userFilter", "user1");
+    initLdapAtn(ldapProperties);
+
+    user = "uid=user2,ou=People,dc=example,dc=com";
+    try {
+      ldapProvider.Authenticate(user, "user2");
+      Assert.fail("testUserFilterNegative: Authentication succeeded for " + 
user + ",user is expected to fail userfilter");
+    } catch (AuthenticationException e) {
+      assertTrue("testUserFilterNegative: Authentication failed for " + user + 
" as expected", true);
+    }
+
+    user = "user2";
+    try {
+      ldapProvider.Authenticate(user, "user2");
+      Assert.fail("testUserFilterNegative: Authentication succeeded for " + 
user + ",user is expected to fail userfilter");
+    } catch (AuthenticationException e) {
+      assertTrue("testUserFilterNegative: Authentication failed for " + user + 
" as expected", true);
+    }
+
+    ldapProperties = new HashMap<String, String>();
+    ldapProperties.put("hive.server2.authentication.ldap.userDNPattern", 
"uid=%s,ou=People,dc=example,dc=com");
+    ldapProperties.put("hive.server2.authentication.ldap.userFilter", "user3");
+    initLdapAtn(ldapProperties);
+
+    user = "user1";
+    try {
+      ldapProvider.Authenticate(user, "user1");
+      Assert.fail("testUserFilterNegative: Authentication succeeded for " + 
user + ",user expected to fail userfilter");
+    } catch (AuthenticationException e) {
+      assertTrue("testUserFilterNegative: Authentication failed for " + user + 
" as expected", true);
+    }
+
+    user = "uid=user2,ou=People,dc=example,dc=com";
+    try {
+      ldapProvider.Authenticate(user, "user2");
+      Assert.fail("testUserFilterNegative: Authentication succeeded for " + 
user + ",user expected to fail userfilter");
+    } catch (AuthenticationException e) {
+      assertTrue("testUserFilterNegative: Authentication failed for " + user + 
" as expected", true);
+    }
+  }
+
+  @Test
+  public void testGroupFilterPositive() throws Exception {
+    String user;
+    Map<String, String> ldapProperties = new HashMap<String, String>();
+    ldapProperties.put("hive.server2.authentication.ldap.userDNPattern", 
"uid=%s,ou=People,dc=example,dc=com");
+    ldapProperties.put("hive.server2.authentication.ldap.groupDNPattern", 
"uid=%s,ou=Groups,dc=example,dc=com");
+    ldapProperties.put("hive.server2.authentication.ldap.groupFilter", 
"group1,group2");
+    initLdapAtn(ldapProperties);
+
+    user = "uid=user1,ou=People,dc=example,dc=com";
+    try {
+      ldapProvider.Authenticate(user, "user1");
+      assertTrue("testGroupFilterPositive: Authentication succeeded for " + 
user + " as expected", true);
+
+      user = "user1";
+      ldapProvider.Authenticate(user, "user1");
+      assertTrue("testGroupFilterPositive: Authentication succeeded for " + 
user + " as expected", true);
+
+      user = "uid=user2,ou=People,dc=example,dc=com";
+      ldapProvider.Authenticate(user, "user2");
+      assertTrue("testGroupFilterPositive: Authentication succeeded for " + 
user + " as expected", true);
+    } catch (AuthenticationException e) {
+      Assert.fail("testGroupFilterPositive: Authentication failed for " + user 
+ ",user expected to pass groupfilter");
+    }
+
+    ldapProperties = new HashMap<String, String>();
+    ldapProperties.put("hive.server2.authentication.ldap.userDNPattern", 
"uid=%s,ou=People,dc=example,dc=com");
+    ldapProperties.put("hive.server2.authentication.ldap.groupDNPattern", 
"uid=%s,ou=Groups,dc=example,dc=com");
+    ldapProperties.put("hive.server2.authentication.ldap.groupFilter", 
"group2");
+    initLdapAtn(ldapProperties);
+
+    user = "uid=user2,ou=People,dc=example,dc=com";
+    try {
+      ldapProvider.Authenticate(user, "user2");
+      assertTrue("testGroupFilterPositive: Authentication succeeded for " + 
user + " as expected", true);
+    } catch (AuthenticationException e) {
+      Assert.fail("testGroupFilterPositive: Authentication failed for " + user 
+ ",user expected to pass groupfilter");
+    }
+  }
+
+  @Test
+  public void testGroupFilterNegative() throws Exception {
+    String user;
+    Map<String, String> ldapProperties = new HashMap<String, String>();
+    ldapProperties.put("hive.server2.authentication.ldap.userDNPattern", 
"uid=%s,ou=People,dc=example,dc=com");
+    ldapProperties.put("hive.server2.authentication.ldap.groupDNPattern", 
"uid=%s,ou=Groups,dc=example,dc=com");
+    ldapProperties.put("hive.server2.authentication.ldap.groupFilter", 
"group1");
+    initLdapAtn(ldapProperties);
+
+    user = "uid=user2,ou=People,dc=example,dc=com";
+    try {
+      ldapProvider.Authenticate(user, "user2");
+      Assert.fail("testGroupFilterNegative: Authentication succeeded for " + 
user + ",user expected to fail groupfilter");
+    } catch (AuthenticationException e) {
+      assertTrue("testGroupFilterNegative: Authentication failed for " + user 
+ " as expected", true);
+    }
+
+    ldapProperties = new HashMap<String, String>();
+    ldapProperties.put("hive.server2.authentication.ldap.userDNPattern", 
"uid=%s,ou=People,dc=example,dc=com");
+    ldapProperties.put("hive.server2.authentication.ldap.groupDNPattern", 
"uid=%s,ou=Groups,dc=example,dc=com");
+    ldapProperties.put("hive.server2.authentication.ldap.groupFilter", 
"group2");
+    initLdapAtn(ldapProperties);
+
+    user = "uid=user1,ou=People,dc=example,dc=com";
+    try {
+      ldapProvider.Authenticate(user, "user1");
+      Assert.fail("testGroupFilterNegative: Authentication succeeded for " + 
user + ",user expected to fail groupfilter");
+    } catch (AuthenticationException e) {
+      assertTrue("testGroupFilterNegative: Authentication failed for " + user 
+ " as expected", true);
+    }
+  }
 }

Reply via email to