Repository: hive
Updated Branches:
  refs/heads/master b3c5296d7 -> 333fa8763


HIVE-14513: Enhance custom query feature in LDAP atn to support resultset of 
ldap groups (Naveen Gangam, via Chaoyu Tang)


Project: http://git-wip-us.apache.org/repos/asf/hive/repo
Commit: http://git-wip-us.apache.org/repos/asf/hive/commit/333fa876
Tree: http://git-wip-us.apache.org/repos/asf/hive/tree/333fa876
Diff: http://git-wip-us.apache.org/repos/asf/hive/diff/333fa876

Branch: refs/heads/master
Commit: 333fa87633776fe2eabc37718756e0caaec646d2
Parents: b3c5296
Author: ctang <ct...@cloudera.com>
Authored: Fri Aug 12 11:30:20 2016 -0400
Committer: ctang <ct...@cloudera.com>
Committed: Fri Aug 12 11:30:20 2016 -0400

----------------------------------------------------------------------
 .../auth/LdapAuthenticationProviderImpl.java    |  17 ++-
 .../auth/TestLdapAtnProviderWithMiniDS.java     | 111 ++++++++++++++++++-
 2 files changed, 120 insertions(+), 8 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/hive/blob/333fa876/service/src/java/org/apache/hive/service/auth/LdapAuthenticationProviderImpl.java
----------------------------------------------------------------------
diff --git 
a/service/src/java/org/apache/hive/service/auth/LdapAuthenticationProviderImpl.java
 
b/service/src/java/org/apache/hive/service/auth/LdapAuthenticationProviderImpl.java
index 8f64672..efd5393 100644
--- 
a/service/src/java/org/apache/hive/service/auth/LdapAuthenticationProviderImpl.java
+++ 
b/service/src/java/org/apache/hive/service/auth/LdapAuthenticationProviderImpl.java
@@ -594,7 +594,13 @@ public class LdapAuthenticationProviderImpl implements 
PasswdAuthenticationProvi
 
     SearchControls searchControls = new SearchControls();
     List<String> list             = new ArrayList<String>();
-    String[] returnAttributes     = new String[0]; //empty set
+    String[] returnAttributes;
+    if (groupMembership_attr != null) {
+      // retrieve the attributes that are meant to desginate user DNs
+      returnAttributes = new String[] { groupMembership_attr };
+    } else {
+      returnAttributes = new String[0]; //empty set
+    }
 
     searchControls.setSearchScope(SearchControls.SUBTREE_SCOPE);
     searchControls.setReturningAttributes(returnAttributes);
@@ -604,6 +610,14 @@ public class LdapAuthenticationProviderImpl implements 
PasswdAuthenticationProvi
     SearchResult searchResult = null;
     while(results.hasMoreElements()) {
       searchResult = results.nextElement();
+      if (groupMembership_attr != null) {
+        Attribute userAttribute = 
searchResult.getAttributes().get(groupMembership_attr);
+        if (userAttribute != null) {
+          list.add((String)userAttribute.get());
+          continue;
+        }
+      }
+
       list.add(searchResult.getNameInNamespace());
       LOG.debug("LDAPAtn:executeLDAPQuery()::Return set size " + 
list.get(list.size() - 1));
     }
@@ -632,5 +646,4 @@ public class LdapAuthenticationProviderImpl implements 
PasswdAuthenticationProvi
     }
     return null;
   }
-
 }

http://git-wip-us.apache.org/repos/asf/hive/blob/333fa876/service/src/test/org/apache/hive/service/auth/TestLdapAtnProviderWithMiniDS.java
----------------------------------------------------------------------
diff --git 
a/service/src/test/org/apache/hive/service/auth/TestLdapAtnProviderWithMiniDS.java
 
b/service/src/test/org/apache/hive/service/auth/TestLdapAtnProviderWithMiniDS.java
index 40430c4..089a059 100644
--- 
a/service/src/test/org/apache/hive/service/auth/TestLdapAtnProviderWithMiniDS.java
+++ 
b/service/src/test/org/apache/hive/service/auth/TestLdapAtnProviderWithMiniDS.java
@@ -123,8 +123,8 @@ partitions = {
       "objectClass: ExtensibleObject",
       "givenName: Group2",
       "ou: Groups",
-      "cn: group1",
-      "sn: group1",
+      "cn: group2",
+      "sn: group2",
       "member: uid=user2,ou=People,dc=example,dc=com",
 
       "dn: cn=group3,ou=Groups,dc=example,dc=com",
@@ -859,14 +859,14 @@ public class TestLdapAtnProviderWithMiniDS extends 
AbstractLdapTestUnit {
                        + USER1.getUID() + ")(uid=" + USER4.getUID() + ")))");
     initLdapAtn(ldapProperties);
 
-      user = USER1.getDN();
+    user = USER1.getDN();
     try {
       ldapProvider.Authenticate(user, USER1.getPassword());
       assertTrue("testCustomQueryPositive: Authentication succeeded for " + 
user + " as expected", true);
 
-     user = USER1.getUID();
-       ldapProvider.Authenticate(user, USER1.getPassword());
-       assertTrue("testCustomQueryPositive: Authentication succeeded for " + 
user + " as expected", true);
+      user = USER1.getUID();
+      ldapProvider.Authenticate(user, USER1.getPassword());
+      assertTrue("testCustomQueryPositive: Authentication succeeded for " + 
user + " as expected", true);
 
       user = USER4.getDN();
       ldapProvider.Authenticate(user, USER4.getPassword());
@@ -903,6 +903,105 @@ public class TestLdapAtnProviderWithMiniDS extends 
AbstractLdapTestUnit {
     }
   }
 
+  /**
+   Test to test the LDAP Atn to use a custom LDAP query that returns
+   a) A set of group DNs
+   b) A combination of group(s) DN and user DN
+   LDAP atn is expected to extract the members of the group using the 
attribute value for
+   "hive.server2.authentication.ldap.groupMembershipKey"
+   */
+  @Test
+  public void testCustomQueryWithGroupsPositive() throws Exception {
+    String user;
+    Map<String, String> ldapProperties = new HashMap<String, String>();
+    ldapProperties.put("hive.server2.authentication.ldap.baseDN", 
"dc=example,dc=com");
+    ldapProperties.put("hive.server2.authentication.ldap.userDNPattern", 
"cn=%s,ou=People,dc=example,dc=com:uid=%s,ou=People,dc=example,dc=com");
+    ldapProperties.put("hive.server2.authentication.ldap.customLDAPQuery",
+                         
"(&(objectClass=groupOfNames)(|(cn=group1)(cn=group2)))");
+    initLdapAtn(ldapProperties);
+
+    user = USER1.getDN();
+    try {
+      ldapProvider.Authenticate(user, USER1.getPassword());
+      assertTrue("testCustomQueryWithGroupsPositive: Authentication succeeded 
for " + user + " as expected", true);
+
+       user = USER2.getUID();
+       ldapProvider.Authenticate(user, USER2.getPassword());
+       assertTrue("testCustomQueryWithGroupsPositive: Authentication succeeded 
for " + user + " as expected", true);
+    } catch (AuthenticationException e) {
+      Assert.fail("testCustomQueryWithGroupsPositive: Authentication failed 
for " + user + ",user expected to pass custom LDAP Query");
+    }
+
+    /* the following test uses a query that returns a group and a user entry.
+       the ldap atn should use the groupMembershipKey to identify the users 
for the returned group
+       and the authentication should succeed for the users of that group as 
well as the lone user4 in this case
+    */
+    ldapProperties.put("hive.server2.authentication.ldap.baseDN", 
"dc=example,dc=com");
+    ldapProperties.put("hive.server2.authentication.ldap.userDNPattern", 
"cn=%s,ou=People,dc=example,dc=com:uid=%s,ou=People,dc=example,dc=com");
+    // following query should return group1 and user2
+    ldapProperties.put("hive.server2.authentication.ldap.customLDAPQuery",
+                         
"(|(&(objectClass=groupOfNames)(cn=group1))(&(objectClass=person)(sn=user4)))");
+    initLdapAtn(ldapProperties);
+
+    user = USER1.getUID();
+    try {
+      ldapProvider.Authenticate(user, USER1.getPassword());
+      assertTrue("testCustomQueryWithGroupsPositive: Authentication succeeded 
for " + user + " as expected", true);
+
+       user = USER4.getUID();
+       ldapProvider.Authenticate(user, USER4.getPassword());
+       assertTrue("testCustomQueryWithGroupsPositive: Authentication succeeded 
for " + user + " as expected", true);
+    } catch (AuthenticationException e) {
+      Assert.fail("testCustomQueryWithGroupsPositive: Authentication failed 
for " + user + ",user expected to pass custom LDAP Query");
+    }
+
+    ldapProperties.put("hive.server2.authentication.ldap.baseDN", 
"dc=example,dc=com");
+    ldapProperties.put("hive.server2.authentication.ldap.userDNPattern", 
"cn=%s,ou=People,dc=example,dc=com:uid=%s,ou=People,dc=example,dc=com");
+    ldapProperties.put("hive.server2.authentication.ldap.groupMembershipKey", 
"uniqueMember");
+    ldapProperties.put("hive.server2.authentication.ldap.customLDAPQuery",
+                         "(&(objectClass=groupOfUniqueNames)(cn=group4))");
+    initLdapAtn(ldapProperties);
+
+    user = USER4.getDN();
+    try {
+      ldapProvider.Authenticate(user, USER4.getPassword());
+      assertTrue("testCustomQueryWithGroupsPositive: Authentication succeeded 
for " + user + " as expected", true);
+
+      user = USER4.getUID();
+      ldapProvider.Authenticate(user, USER4.getPassword());
+      assertTrue("testCustomQueryWithGroupsPositive: Authentication succeeded 
for " + user + " as expected", true);
+    } catch (AuthenticationException e) {
+      Assert.fail("testCustomQueryWithGroupsPositive: Authentication failed 
for " + user + ",user expected to pass custom LDAP Query");
+    }
+  }
+
+  @Test
+  public void testCustomQueryWithGroupsNegative() throws Exception {
+    String user;
+    Map<String, String> ldapProperties = new HashMap<String, String>();
+    ldapProperties.put("hive.server2.authentication.ldap.baseDN", 
"dc=example,dc=com");
+    ldapProperties.put("hive.server2.authentication.ldap.userDNPattern", 
"cn=%s,ou=People,dc=example,dc=com:uid=%s,ou=People,dc=example,dc=com");
+    ldapProperties.put("hive.server2.authentication.ldap.customLDAPQuery",
+                         
"(&(objectClass=groupOfNames)(|(cn=group1)(cn=group2)))");
+    initLdapAtn(ldapProperties);
+
+    user = USER3.getDN();
+    try {
+      ldapProvider.Authenticate(user, USER3.getPassword());
+      Assert.fail("testCustomQueryNegative: Authentication succeeded for " + 
user + ",user expected to fail custom LDAP Query");
+    } catch (AuthenticationException e) {
+      assertTrue("testCustomQueryNegative: Authentication failed for " + user 
+ " as expected", true);
+    }
+
+    try {
+      user = USER3.getUID();
+      ldapProvider.Authenticate(user, USER3.getPassword());
+      Assert.fail("testCustomQueryNegative: Authentication succeeded for " + 
user + ",user expected to fail custom LDAP Query");
+    } catch (AuthenticationException e) {
+      assertTrue("testCustomQueryNegative: Authentication failed for " + user 
+ " as expected", true);
+    }
+  }
+
   @Test
   public void testGroupFilterPositiveWithCustomGUID() throws Exception {
     String user;

Reply via email to