This is an automated email from the ASF dual-hosted git repository. srowen pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/spark.git
The following commit(s) were added to refs/heads/master by this push: new 7003916bffa [SPARK-39396][SQL] Fix LDAP login exception 'error code 49 - invalid credentials' 7003916bffa is described below commit 7003916bffa64952daf1b29cfa1eea76a94ed3c0 Author: xiuzhu9527 <1406823...@qq.com> AuthorDate: Sat Jun 25 14:15:18 2022 -0500 [SPARK-39396][SQL] Fix LDAP login exception 'error code 49 - invalid credentials' ### What changes were proposed in this pull request? In the PR, Fixed the problem that the DN is (cn=user,ou=people, dc=example, dc=com) LDAP login failure. ### Why are the changes needed? The hard coded DN in the org.apache.hive.service.auth.LdapAuthenticationProviderImpl#Authenticate() is (uid=user,ou=people, dc=example, dc=com), resulting in LDAP authentication failure ### Does this PR introduce _any_ user-facing change? No ### How was this patch tested? Existing test. Closes #36784 from xiuzhu9527/fix_thriftserver_ldap. Authored-by: xiuzhu9527 <1406823...@qq.com> Signed-off-by: Sean Owen <sro...@gmail.com>
---
.../auth/LdapAuthenticationProviderImpl.java | 61 ++++++++++++++++------
1 file changed, 44 insertions(+), 17 deletions(-)
diff --git a/sql/hive-thriftserver/src/main/java/org/apache/hive/service/auth/LdapAuthenticationProviderImpl.java b/sql/hive-thriftserver/src/main/java/org/apache/hive/service/auth/LdapAuthenticationProviderImpl.java
index b83b5e1cd11..b74151a42e1 100644
--- a/sql/hive-thriftserver/src/main/java/org/apache/hive/service/auth/LdapAuthenticationProviderImpl.java
+++ b/sql/hive-thriftserver/src/main/java/org/apache/hive/service/auth/LdapAuthenticationProviderImpl.java
@@ -16,12 +16,17 @@
 */
 package org.apache.hive.service.auth;
+import java.util.ArrayList;
+import java.util.Collections;
 import java.util.Hashtable;
+import java.util.Iterator;
+import java.util.List;
 import javax.naming.Context;
 import javax.naming.NamingException;
 import javax.naming.directory.InitialDirContext;
 import javax.security.sasl.AuthenticationException;
+import org.apache.commons.lang3.StringUtils;
 import org.apache.hadoop.hive.conf.HiveConf;
 import org.apache.hive.service.ServiceUtils;
@@ -30,21 +35,19 @@ public class LdapAuthenticationProviderImpl implements PasswdAuthenticationProvi
 private final String ldapURL;
 private final String baseDN;
 private final String ldapDomain;
+ private final String userDNPattern;
 LdapAuthenticationProviderImpl() {
 HiveConf conf = new HiveConf();
 ldapURL = conf.getVar(HiveConf.ConfVars.HIVE_SERVER2_PLAIN_LDAP_URL);
 baseDN = conf.getVar(HiveConf.ConfVars.HIVE_SERVER2_PLAIN_LDAP_BASEDN);
 ldapDomain = conf.getVar(HiveConf.ConfVars.HIVE_SERVER2_PLAIN_LDAP_DOMAIN);
+ userDNPattern = conf.getVar(HiveConf.ConfVars.HIVE_SERVER2_PLAIN_LDAP_USERDNPATTERN);
 }
 @Override
 public void Authenticate(String user, String password) throws AuthenticationException {
- Hashtable<String, Object> env = new Hashtable<String, Object>();
- env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
- env.put(Context.PROVIDER_URL, ldapURL);
-
 // If the domain is available in the config, then append it unless domain is
 // already part of the username. LDAP providers like Active Directory use a
 // fully qualified user name like f...@bar.com.
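Review bot: The new `userDNPattern` field and its `HIVE_SERVER2_PLAIN_LDAP_USERDNPATTERN` read carry no comment on the value's format, even though `Authenticate` (in the next hunk) splits it on `:` and substitutes `%s`, so an operator reading the class cannot tell how to set it or when the `uid=<user>,<baseDN>` fallback applies. I would add above the field: `// Colon-separated bind-DN templates; each "%s" is replaced by the login name, e.g. "cn=%s,ou=people,dc=example,dc=com". Entries lacking both ',' and '=' are ignored; a blank value falls back to "uid=<user>,<baseDN>".` The class body and `Authenticate` continue past this hunk.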
@@ -58,22 +61,46 @@ public class LdapAuthenticationProviderImpl implements PasswdAuthenticationProvi
 }
 // setup the security principal
- String bindDN;
- if (baseDN == null) {
- bindDN = user;
+ List<String> candidatePrincipals = new ArrayList<>();
+ if (StringUtils.isBlank(userDNPattern)) {
+ if (StringUtils.isNotBlank(baseDN)) {
+ String pattern = "uid=" + user + "," + baseDN;
+ candidatePrincipals.add(pattern);
+ }
 } else {
- bindDN = "uid=" + user + "," + baseDN;
+ String[] patterns = userDNPattern.split(":");
+ for (String pattern : patterns) {
+ if (StringUtils.contains(pattern, ",") && StringUtils.contains(pattern, "=")) {
+ candidatePrincipals.add(pattern.replaceAll("%s", user));
+ }
+ }
+ }
+
+ if (candidatePrincipals.isEmpty()) {
+ candidatePrincipals = Collections.singletonList(user);
 }
- env.put(Context.SECURITY_AUTHENTICATION, "simple");
- env.put(Context.SECURITY_PRINCIPAL, bindDN);
- env.put(Context.SECURITY_CREDENTIALS, password);
- try {
- // Create initial context
- Context ctx = new InitialDirContext(env);
- ctx.close();
- } catch (NamingException e) {
- throw new AuthenticationException("Error validating LDAP user", e);
+ for (Iterator<String> iterator = candidatePrincipals.iterator(); iterator.hasNext();) {
+ String principal = iterator.next();
+
+ Hashtable<String, Object> env = new Hashtable<String, Object>();
+ env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
+ env.put(Context.PROVIDER_URL, ldapURL);
+ env.put(Context.SECURITY_AUTHENTICATION, "simple");
+ env.put(Context.SECURITY_PRINCIPAL, principal);
+ env.put(Context.SECURITY_CREDENTIALS, password);
+
+ try {
+
+ // Create initial context
+ Context ctx = new InitialDirContext(env);
+ ctx.close();
+ break;
+ } catch (NamingException e) {
+ if (!iterator.hasNext()) {
+ throw new AuthenticationException("Error validating LDAP user", e);
+ }
+ }
 }
 }
---------------------------------------------------------------------
To unsubscribe, e-mail: 
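Review bot: `pattern.replaceAll("%s", user)` in the template branch treats the login name as a regex replacement string, so a name containing `$` or `\` either throws `IllegalArgumentException` straight out of `Authenticate` (bypassing the `AuthenticationException` contract) or is silently rewritten; the literal `pattern.replace("%s", user)` is what is meant. That branch and the `"uid=" + user + "," + baseDN` branch also splice the name into a DN without RFC 4514 escaping, so a name containing `,` or `=` changes the structure of the DN that is bound — escape the value before substitution as sketched below (the raw-name fallback is left alone, since it need not be a DN). Nothing in the hunk rejects a blank password before `env.put(Context.SECURITY_CREDENTIALS, password)`, and a simple bind with an empty password is an unauthenticated bind that many directories accept (RFC 4513 §5.1.2); unless the start of `Authenticate`, which lies in the previous hunk, already refuses it, fail fast here. Finally, the loop discards every `NamingException` but the last, so a misconfigured first template is invisible in the error that is thrown, and a wrong password now costs one failed bind per template against the directory's lockout counters; attaching the earlier exceptions with `addSuppressed` would at least keep them diagnosable.
```java
    // setup the security principal
    // An empty password makes a simple bind an unauthenticated bind (RFC 4513 §5.1.2),
    // which many directories accept; refuse it before anything is sent to the server.
    if (StringUtils.isBlank(password)) {
      throw new AuthenticationException("Error validating LDAP user: empty password");
    }
    String dnUser = escapeDnValue(user);
    List<String> candidatePrincipals = new ArrayList<>();
    if (StringUtils.isBlank(userDNPattern)) {
      if (StringUtils.isNotBlank(baseDN)) {
        candidatePrincipals.add("uid=" + dnUser + "," + baseDN);
      }
    } else {
      for (String pattern : userDNPattern.split(":")) {
        if (StringUtils.contains(pattern, ",") && StringUtils.contains(pattern, "=")) {
          // literal replace: "%s" is not a regex and the user name is not a replacement string
          candidatePrincipals.add(pattern.replace("%s", dnUser));
        }
      }
    }
    // … unchanged: fallback to the raw user name, and the bind loop …
  }

  /** Escapes the characters that RFC 4514 §2.4 reserves inside a DN attribute value. */
  private static String escapeDnValue(String value) {
    StringBuilder sb = new StringBuilder(value.length() + 8);
    for (int i = 0; i < value.length(); i++) {
      char c = value.charAt(i);
      switch (c) {
        case ',': case '+': case '"': case '\\': case '<': case '>': case ';': case '=':
          sb.append('\\').append(c);
          break;
        case '\0':
          sb.append("\\00");
          break;
        default:
          sb.append(c);
      }
    }
    // a trailing space, and a leading space or '#', must be escaped as well
    if (sb.length() > 0 && sb.charAt(sb.length() - 1) == ' ') {
      sb.insert(sb.length() - 1, '\\');
    }
    if (sb.length() > 0 && (sb.charAt(0) == ' ' || sb.charAt(0) == '#')) {
      sb.insert(0, '\\');
    }
    return sb.toString();
  }
```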
commits-unsubscr...@spark.apache.org For additional commands, e-mail: commits-h...@spark.apache.org