This is an automated email from the ASF dual-hosted git repository.

asnaik pushed a commit to branch branch-2.7
in repository https://gitbox.apache.org/repos/asf/ambari.git


The following commit(s) were added to refs/heads/branch-2.7 by this push:
     new 177dd19  AMBARI-25382 Issues with Views in ambari when User Logs In 
from KNOX/LDAP and the username has spaces and Camel Case Letters (#3092)
177dd19 is described below

commit 177dd195f6248c54e94104bb25476e42ae9da72d
Author: Asnaik HWX <asn...@hortonworks.com>
AuthorDate: Thu Oct 3 12:50:25 2019 +0530

    AMBARI-25382 Issues with Views in ambari when User Logs In from KNOX/LDAP 
and the username has spaces and Camel Case Letters (#3092)
    
    * AMBARI-25382 Issues with Views in ambari when User Logs In from KNOX/LDAP 
and the username has spaces and Camel Case Letters (asnaik)
    
    * AMBARI-25382 Issues with Views in ambari when User Logs In from KNOX/LDAP 
and the username has spaces and Camel Case Letters -UT Fix (asnaik)
    
    * AMBARI-25382 Issues with Views in ambari when User Logs In from KNOX/LDAP 
and the username has spaces and Camel Case Letters -- review comments (asnaik)
---
 .../org/apache/ambari/server/orm/entities/ViewInstanceEntity.java | 3 ++-
 .../authentication/jwt/AmbariJwtAuthenticationProvider.java       | 7 +++++++
 .../security/authorization/AmbariLdapBindAuthenticator.java       | 8 +++++---
 .../ambari/server/security/authorization/AuthorizationHelper.java | 6 ++++--
 .../authentication/jwt/AmbariJwtAuthenticationFilterTest.java     | 1 +
 .../security/authorization/AmbariLdapBindAuthenticatorTest.java   | 4 ++++
 6 files changed, 23 insertions(+), 6 deletions(-)

diff --git 
a/ambari-server/src/main/java/org/apache/ambari/server/orm/entities/ViewInstanceEntity.java
 
b/ambari-server/src/main/java/org/apache/ambari/server/orm/entities/ViewInstanceEntity.java
index 7d45849..e7714e9 100644
--- 
a/ambari-server/src/main/java/org/apache/ambari/server/orm/entities/ViewInstanceEntity.java
+++ 
b/ambari-server/src/main/java/org/apache/ambari/server/orm/entities/ViewInstanceEntity.java
@@ -49,6 +49,7 @@ import org.apache.ambari.server.controller.spi.Resource;
 import org.apache.ambari.server.security.SecurityHelper;
 import org.apache.ambari.server.security.SecurityHelperImpl;
 import 
org.apache.ambari.server.security.authorization.AmbariAuthorizationFilter;
+import org.apache.ambari.server.security.authorization.AuthorizationHelper;
 import org.apache.ambari.server.view.ViewContextImpl;
 import org.apache.ambari.server.view.ViewRegistry;
 import org.apache.ambari.server.view.configuration.InstanceConfig;
@@ -811,7 +812,7 @@ public class ViewInstanceEntity implements 
ViewInstanceDefinition {
    * @return the current user name; empty String if user is not known
    */
   public String getUsername() {
-    return securityHelper.getCurrentUserName();
+    return 
AuthorizationHelper.resolveLoginAliasToUserName(securityHelper.getCurrentUserName());
   }
 
   /**
diff --git 
a/ambari-server/src/main/java/org/apache/ambari/server/security/authentication/jwt/AmbariJwtAuthenticationProvider.java
 
b/ambari-server/src/main/java/org/apache/ambari/server/security/authentication/jwt/AmbariJwtAuthenticationProvider.java
index 076e1b7..a3ea7f9 100644
--- 
a/ambari-server/src/main/java/org/apache/ambari/server/security/authentication/jwt/AmbariJwtAuthenticationProvider.java
+++ 
b/ambari-server/src/main/java/org/apache/ambari/server/security/authentication/jwt/AmbariJwtAuthenticationProvider.java
@@ -29,6 +29,7 @@ import 
org.apache.ambari.server.security.authentication.AmbariUserDetails;
 import org.apache.ambari.server.security.authentication.AmbariUserDetailsImpl;
 import 
org.apache.ambari.server.security.authentication.TooManyLoginFailuresException;
 import org.apache.ambari.server.security.authentication.UserNotFoundException;
+import org.apache.ambari.server.security.authorization.AuthorizationHelper;
 import org.apache.ambari.server.security.authorization.UserAuthenticationType;
 import org.apache.ambari.server.security.authorization.Users;
 import org.slf4j.Logger;
@@ -120,6 +121,12 @@ public class AmbariJwtAuthenticationProvider extends 
AmbariAuthenticationProvide
       }
 
       AmbariUserDetails userDetails = new 
AmbariUserDetailsImpl(users.getUser(userEntity), null, 
users.getUserAuthorities(userEntity));
+      
+      String jwtTokenName = userDetails.getUsername().trim();
+      //If JwtToken Provided Username and authenticatedUsername is different 
Add it to Alias
+      if(!userName.equals(jwtTokenName)){
+        AuthorizationHelper.addLoginNameAlias(userName,jwtTokenName);
+      }
       return new 
AmbariUserAuthentication(authentication.getCredentials().toString(), 
userDetails, true);
     } else {
       // The user was not authenticated, fail
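Review bot: The names in the added block read backwards. `jwtTokenName` holds `userDetails.getUsername()`, which is the Ambari account name, while `userName` (defined outside this hunk, presumably the name taken from the token) is passed as the first argument of `addLoginNameAlias`, which that method's Javadoc calls `ambariUserName`. Since the helper now stores both directions the lookup still works, but its `Adding login alias '{}' for user name '{}'` log line will report the two swapped, which misleads anyone reading authentication logs. Consider `String ambariUserName = userDetails.getUsername().trim();` followed by `AuthorizationHelper.addLoginNameAlias(ambariUserName, userName);`. Only one side is trimmed before the `equals`, so a token name with surrounding whitespace always registers an alias.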
diff --git 
a/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariLdapBindAuthenticator.java
 
b/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariLdapBindAuthenticator.java
index ea0f5f0..4ca6cda 100644
--- 
a/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariLdapBindAuthenticator.java
+++ 
b/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariLdapBindAuthenticator.java
@@ -85,7 +85,7 @@ public class AmbariLdapBindAuthenticator extends 
AbstractLdapAuthenticator {
       LOG.warn("The user data does not contain a value for {}.", 
ldapServerProperties.getUsernameAttribute());
     } else if (ldapUserName.isEmpty()) {
       LOG.warn("The user data contains an empty value for {}.", 
ldapServerProperties.getUsernameAttribute());
-    } else if (!ldapUserName.equals(loginName)) {
+    } else {
       // if authenticated user name is different from ldap user name than user 
has logged in
       // with a login name that is different (e.g. user principal name) from 
the ambari user name stored in
       // ambari db. In this case add the user login name  as login alias for 
ambari user name.
@@ -100,8 +100,10 @@ public class AmbariLdapBindAuthenticator extends 
AbstractLdapAuthenticator {
       } else {
         processedLdapUserName = ldapUserName;
       }
-
-      AuthorizationHelper.addLoginNameAlias(processedLdapUserName, loginName);
+      if (!processedLdapUserName.equals(loginName.toLowerCase()))
+      {
+        AuthorizationHelper.addLoginNameAlias(processedLdapUserName, 
loginName.toLowerCase());
+      }
     }
 
     return user;
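Review bot: `loginName.toLowerCase()` uses the JVM default locale, so the alias key written for the same login name can differ between hosts (the Turkish dotless-i mapping is the usual example). For an identity key, prefer `String loweredLoginName = loginName.toLowerCase(Locale.ROOT);` computed once and used in both the comparison and the `addLoginNameAlias` call; this needs `java.util.Locale` imported. The login name is lowered unconditionally while `processedLdapUserName` is lowered in only one branch above, so in the other branch a mixed-case LDAP name never equals the lowered login name and an alias is always written. Whether the later lookup uses the same lowered form cannot be seen from this hunk, and the method starts outside it.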
diff --git 
a/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AuthorizationHelper.java
 
b/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AuthorizationHelper.java
index d92fc44..4d7bc5e 100644
--- 
a/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AuthorizationHelper.java
+++ 
b/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AuthorizationHelper.java
@@ -325,16 +325,18 @@ public class AuthorizationHelper {
    * of alias user name to local ambari user name to make possible resolving
    * login alias to ambari user name.
    * @param ambariUserName ambari user name for which the alias is to be 
stored in the session
-   * @param loginAlias the alias for the ambari user name.
+   * @param loginAlias The Name with which user logged in Ambari UI.
    */
   public static void addLoginNameAlias(String ambariUserName, String 
loginAlias) {
     ServletRequestAttributes attr = (ServletRequestAttributes) 
RequestContextHolder.getRequestAttributes();
     if (attr != null) {
       LOG.info("Adding login alias '{}' for user name '{}'", loginAlias, 
ambariUserName);
       attr.setAttribute(loginAlias, ambariUserName, 
RequestAttributes.SCOPE_SESSION);
+      //save Vice Versa Too
+      attr.setAttribute(ambariUserName, loginAlias, 
RequestAttributes.SCOPE_SESSION);
     }
   }
-
+ 
   /**
    * Looks up the provided loginAlias in the current http session and return 
the ambari
    * user name that the alias is defined for.
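Review bot: The added reverse mapping uses `ambariUserName` as a session attribute name, so both user-derived names now share the session's attribute namespace with everything else stored there, and a name equal to an existing attribute key would overwrite it. It also makes resolution ambiguous: a resolver that reads the attribute by name would now return the login alias when handed the Ambari user name, which matters for callers such as `ViewInstanceEntity.getUsername()` changed in this commit. Consider a fixed key prefix per direction, e.g. `attr.setAttribute(LOGIN_ALIAS_PREFIX + loginAlias, ambariUserName, RequestAttributes.SCOPE_SESSION);` (the constant name is only a suggestion), with the resolver changed to match; its body is outside this hunk. The Javadoc should also say that the mapping is stored in both directions, since `//save Vice Versa Too` does not explain why the reverse entry is needed.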
diff --git 
a/ambari-server/src/test/java/org/apache/ambari/server/security/authentication/jwt/AmbariJwtAuthenticationFilterTest.java
 
b/ambari-server/src/test/java/org/apache/ambari/server/security/authentication/jwt/AmbariJwtAuthenticationFilterTest.java
index 2dac365..2668c5e 100644
--- 
a/ambari-server/src/test/java/org/apache/ambari/server/security/authentication/jwt/AmbariJwtAuthenticationFilterTest.java
+++ 
b/ambari-server/src/test/java/org/apache/ambari/server/security/authentication/jwt/AmbariJwtAuthenticationFilterTest.java
@@ -409,6 +409,7 @@ public class AmbariJwtAuthenticationFilterTest extends 
EasyMockSupport {
     Users users = createMock(Users.class);
     expect(users.getUserEntity("test-user")).andReturn(userEntity).once();
     expect(users.getUser(userEntity)).andReturn(user).once();
+    expect(user.getUserName()).andReturn("test-user").atLeastOnce();
     
expect(users.getUserAuthorities(userEntity)).andReturn(Collections.emptyList()).once();
     users.validateLogin(userEntity, "test-user");
     expectLastCall().once();
diff --git 
a/ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AmbariLdapBindAuthenticatorTest.java
 
b/ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AmbariLdapBindAuthenticatorTest.java
index 335ad70..3ebb476 100644
--- 
a/ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AmbariLdapBindAuthenticatorTest.java
+++ 
b/ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AmbariLdapBindAuthenticatorTest.java
@@ -179,6 +179,8 @@ public class AmbariLdapBindAuthenticatorTest extends 
EasyMockSupport {
     if (!StringUtils.isEmpty(ldapUsername) && 
!ambariUsername.equals(ldapUsername)) {
       servletRequestAttributes.setAttribute(eq(ambariUsername), 
eq(forceUsernameToLower ? ldapUsername.toLowerCase() : ldapUsername), 
eq(RequestAttributes.SCOPE_SESSION));
       expectLastCall().once();
+      servletRequestAttributes.setAttribute(eq(forceUsernameToLower ? 
ldapUsername.toLowerCase() : ldapUsername),eq(ambariUsername), 
eq(RequestAttributes.SCOPE_SESSION));
+      expectLastCall().once();
     }
 
     setupDatabaseConfigurationExpectations(true, forceUsernameToLower);
@@ -186,6 +188,8 @@ public class AmbariLdapBindAuthenticatorTest extends 
EasyMockSupport {
     replayAll();
 
     RequestContextHolder.setRequestAttributes(servletRequestAttributes);
+//    servletRequestAttributes.setAttribute(ambariUsername,ldapUsername, 
RequestAttributes.SCOPE_SESSION);
+//    expectLastCall().anyTimes();
 
     AmbariLdapBindAuthenticator bindAuthenticator = new 
AmbariLdapBindAuthenticator(ldapCtxSource, ldapConfiguration);
     bindAuthenticator.setUserSearch(userSearch);
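Review bot: The two added lines are commented-out code (`// servletRequestAttributes.setAttribute(ambariUsername,ldapUsername, ...)` and `// expectLastCall().anyTimes();`) and should be deleted rather than committed. They sit after `replayAll()`, where recording a new expectation on the mock would not be valid in any case, so they cannot simply be re-enabled later. The expectation for the reverse mapping is already recorded in the previous hunk of this file. The test method starts and ends outside the hunk.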
