This is an automated email from the ASF dual-hosted git repository. asnaik pushed a commit to branch branch-2.7 in repository https://gitbox.apache.org/repos/asf/ambari.git
The following commit(s) were added to refs/heads/branch-2.7 by this push: new 177dd19 AMBARI-25382 Issues with Views in ambari when User Logs In from KNOX/LDAP and the username has spaces and Camel Case Letters (#3092) 177dd19 is described below commit 177dd195f6248c54e94104bb25476e42ae9da72d Author: Asnaik HWX <asn...@hortonworks.com> AuthorDate: Thu Oct 3 12:50:25 2019 +0530 AMBARI-25382 Issues with Views in ambari when User Logs In from KNOX/LDAP and the username has spaces and Camel Case Letters (#3092) * AMBARI-25382 Issues with Views in ambari when User Logs In from KNOX/LDAP and the username has spaces and Camel Case Letters (asnaik) * AMBARI-25382 Issues with Views in ambari when User Logs In from KNOX/LDAP and the username has spaces and Camel Case Letters -UT Fix (asnaik) * AMBARI-25382 Issues with Views in ambari when User Logs In from KNOX/LDAP and the username has spaces and Camel Case Letters -- review comments (asnaik) --- .../org/apache/ambari/server/orm/entities/ViewInstanceEntity.java | 3 ++- .../authentication/jwt/AmbariJwtAuthenticationProvider.java | 7 +++++++ .../security/authorization/AmbariLdapBindAuthenticator.java | 8 +++++--- .../ambari/server/security/authorization/AuthorizationHelper.java | 6 ++++-- .../authentication/jwt/AmbariJwtAuthenticationFilterTest.java | 1 + .../security/authorization/AmbariLdapBindAuthenticatorTest.java | 4 ++++ 6 files changed, 23 insertions(+), 6 deletions(-) diff --git a/ambari-server/src/main/java/org/apache/ambari/server/orm/entities/ViewInstanceEntity.java b/ambari-server/src/main/java/org/apache/ambari/server/orm/entities/ViewInstanceEntity.java index 7d45849..e7714e9 100644 --- a/ambari-server/src/main/java/org/apache/ambari/server/orm/entities/ViewInstanceEntity.java +++ b/ambari-server/src/main/java/org/apache/ambari/server/orm/entities/ViewInstanceEntity.java 
@@ -49,6 +49,7 @@ import org.apache.ambari.server.controller.spi.Resource; import org.apache.ambari.server.security.SecurityHelper; import org.apache.ambari.server.security.SecurityHelperImpl; import org.apache.ambari.server.security.authorization.AmbariAuthorizationFilter; +import org.apache.ambari.server.security.authorization.AuthorizationHelper; import org.apache.ambari.server.view.ViewContextImpl; import org.apache.ambari.server.view.ViewRegistry; import org.apache.ambari.server.view.configuration.InstanceConfig; @@ -811,7 +812,7 @@ public class ViewInstanceEntity implements ViewInstanceDefinition { * @return the current user name; empty String if user is not known */ public String getUsername() { - return securityHelper.getCurrentUserName(); + return AuthorizationHelper.resolveLoginAliasToUserName(securityHelper.getCurrentUserName()); } /** diff --git a/ambari-server/src/main/java/org/apache/ambari/server/security/authentication/jwt/AmbariJwtAuthenticationProvider.java b/ambari-server/src/main/java/org/apache/ambari/server/security/authentication/jwt/AmbariJwtAuthenticationProvider.java index 076e1b7..a3ea7f9 100644 --- a/ambari-server/src/main/java/org/apache/ambari/server/security/authentication/jwt/AmbariJwtAuthenticationProvider.java +++ b/ambari-server/src/main/java/org/apache/ambari/server/security/authentication/jwt/AmbariJwtAuthenticationProvider.java @@ -29,6 +29,7 @@ import org.apache.ambari.server.security.authentication.AmbariUserDetails; import org.apache.ambari.server.security.authentication.AmbariUserDetailsImpl; import org.apache.ambari.server.security.authentication.TooManyLoginFailuresException; import org.apache.ambari.server.security.authentication.UserNotFoundException; +import org.apache.ambari.server.security.authorization.AuthorizationHelper; import org.apache.ambari.server.security.authorization.UserAuthenticationType; import org.apache.ambari.server.security.authorization.Users; import org.slf4j.Logger; 
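Review bot: The Javadoc on `getUsername()` in the `@@ -811,7 +812,7 @@` hunk still promises "the current user name", but the new body returns whatever `AuthorizationHelper.resolveLoginAliasToUserName` maps that name to. Because this commit also stores the reverse entry in the session, that can now be the login name the user typed rather than the Ambari user name. If view code uses this value for ownership or identity decisions (inferred; no callers are visible here), the returned form should be stated explicitly, for example `@return the login name the user authenticated with when an alias is stored in the session, otherwise the Ambari user name; empty String if user is not known`. It is also worth confirming that the resolver returns its argument unchanged when no alias or request context exists, since its body is not part of this diff.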
@@ -120,6 +121,12 @@ public class AmbariJwtAuthenticationProvider extends AmbariAuthenticationProvide } AmbariUserDetails userDetails = new AmbariUserDetailsImpl(users.getUser(userEntity), null, users.getUserAuthorities(userEntity)); + + String jwtTokenName = userDetails.getUsername().trim(); + //If JwtToken Provided Username and authenticatedUsername is different Add it to Alias + if(!userName.equals(jwtTokenName)){ + AuthorizationHelper.addLoginNameAlias(userName,jwtTokenName); + } return new AmbariUserAuthentication(authentication.getCredentials().toString(), userDetails, true); } else { // The user was not authenticated, fail diff --git a/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariLdapBindAuthenticator.java b/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariLdapBindAuthenticator.java index ea0f5f0..4ca6cda 100644 --- a/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariLdapBindAuthenticator.java +++ b/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariLdapBindAuthenticator.java @@ -85,7 +85,7 @@ public class AmbariLdapBindAuthenticator extends AbstractLdapAuthenticator { LOG.warn("The user data does not contain a value for {}.", ldapServerProperties.getUsernameAttribute()); } else if (ldapUserName.isEmpty()) { LOG.warn("The user data contains an empty value for {}.", ldapServerProperties.getUsernameAttribute()); - } else if (!ldapUserName.equals(loginName)) { + } else { // if authenticated user name is different from ldap user name than user has logged in // with a login name that is different (e.g. user principal name) from the ambari user name stored in // ambari db. In this case add the user login name as login alias for ambari user name. 
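Review bot: In the `@@ -120,6 +121,12 @@` hunk the arguments to `addLoginNameAlias` appear reversed relative to its documented parameters `(ambariUserName, loginAlias)`. `userName` (defined above the hunk, apparently the name taken from the token) is passed as the Ambari name, and the name from `userDetails`, held in a variable called `jwtTokenName`, is passed as the alias. This only works because the helper now stores both directions. Clearer would be `String ambariUserName = userDetails.getUsername().trim();` followed by `AuthorizationHelper.addLoginNameAlias(ambariUserName, userName);`. Note also that `.trim()` would throw inside the authentication path if `getUsername()` ever returned null, and that this path compares names case-sensitively while the LDAP path lower-cases the login name.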
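Review bot: The comment kept under the new bare `else` in the `@@ -85,7 +85,7 @@` hunk still reads as if the branch runs only when the authenticated name differs from the LDAP name, but that test is no longer on this line. Per the next hunk of this file, the comparison moved down to the alias call and now uses the lower-cased login name. Reword the comment to match, for example `// Normalise the LDAP user name; the login name is registered as an alias below only if the two differ.` The enclosing method starts and ends outside the hunk.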
@@ -100,8 +100,10 @@ public class AmbariLdapBindAuthenticator extends AbstractLdapAuthenticator { } else { processedLdapUserName = ldapUserName; } - - AuthorizationHelper.addLoginNameAlias(processedLdapUserName, loginName); + if (!processedLdapUserName.equals(loginName.toLowerCase())) + { + AuthorizationHelper.addLoginNameAlias(processedLdapUserName, loginName.toLowerCase()); + } } return user; diff --git a/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AuthorizationHelper.java b/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AuthorizationHelper.java index d92fc44..4d7bc5e 100644 --- a/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AuthorizationHelper.java +++ b/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AuthorizationHelper.java @@ -325,16 +325,18 @@ public class AuthorizationHelper { * of alias user name to local ambari user name to make possible resolving * login alias to ambari user name. * @param ambariUserName ambari user name for which the alias is to be stored in the session - * @param loginAlias the alias for the ambari user name. + * @param loginAlias The Name with which user logged in Ambari UI. */ public static void addLoginNameAlias(String ambariUserName, String loginAlias) { ServletRequestAttributes attr = (ServletRequestAttributes) RequestContextHolder.getRequestAttributes(); if (attr != null) { LOG.info("Adding login alias '{}' for user name '{}'", loginAlias, ambariUserName); attr.setAttribute(loginAlias, ambariUserName, RequestAttributes.SCOPE_SESSION); + //save Vice Versa Too + attr.setAttribute(ambariUserName, loginAlias, RequestAttributes.SCOPE_SESSION); } } - + /** * Looks up the provided loginAlias in the current http session and return the ambari * user name that the alias is defined for. 
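Review bot: `loginName.toLowerCase()` in the `@@ -100,8 +100,10 @@` hunk folds case with the JVM default locale, so the same login name can produce a different alias key depending on where the server runs (the Turkish dotless-i case is the usual example). For an identity string, compute it once with a fixed locale: `String loginAlias = loginName.toLowerCase(Locale.ROOT);` then `if (!processedLdapUserName.equals(loginAlias)) {` and pass `loginAlias` to `addLoginNameAlias`. This needs `java.util.Locale` in the file's imports if it is not already there. The login name is also lower-cased unconditionally, while `processedLdapUserName` above the hunk appears to be lower-cased only under a configuration switch, so a mixed-case LDAP name with that switch off will always register an alias; please confirm that is intended.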
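Review bot: The added `attr.setAttribute(ambariUserName, loginAlias, RequestAttributes.SCOPE_SESSION)` in `addLoginNameAlias` writes a second raw name into the HTTP session's attribute namespace, and both keys come from externally supplied identity data. A login name or user name that equals the key of another session attribute would overwrite that attribute. With both directions stored under bare names, a lookup also cannot tell whether it was handed an alias or a canonical name. Consider a distinct key prefix per direction, using new constants (names here are only suggestions) such as `attr.setAttribute(LOGIN_ALIAS_PREFIX + loginAlias, ambariUserName, RequestAttributes.SCOPE_SESSION);`, with the matching prefix applied in the resolver, whose body lies outside this hunk. The Javadoc summary above still describes only the alias-to-user mapping and should mention the reverse entry.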
diff --git a/ambari-server/src/test/java/org/apache/ambari/server/security/authentication/jwt/AmbariJwtAuthenticationFilterTest.java b/ambari-server/src/test/java/org/apache/ambari/server/security/authentication/jwt/AmbariJwtAuthenticationFilterTest.java
index 2dac365..2668c5e 100644
--- a/ambari-server/src/test/java/org/apache/ambari/server/security/authentication/jwt/AmbariJwtAuthenticationFilterTest.java
+++ b/ambari-server/src/test/java/org/apache/ambari/server/security/authentication/jwt/AmbariJwtAuthenticationFilterTest.java
@@ -409,6 +409,7 @@ public class AmbariJwtAuthenticationFilterTest extends EasyMockSupport {
 Users users = createMock(Users.class);
 expect(users.getUserEntity("test-user")).andReturn(userEntity).once();
 expect(users.getUser(userEntity)).andReturn(user).once();
+ expect(user.getUserName()).andReturn("test-user").atLeastOnce();
 expect(users.getUserAuthorities(userEntity)).andReturn(Collections.emptyList()).once();
 users.validateLogin(userEntity, "test-user");
 expectLastCall().once();
diff --git a/ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AmbariLdapBindAuthenticatorTest.java b/ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AmbariLdapBindAuthenticatorTest.java
index 335ad70..3ebb476 100644
--- a/ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AmbariLdapBindAuthenticatorTest.java
+++ b/ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AmbariLdapBindAuthenticatorTest.java
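Review bot: The added `expect(user.getUserName()).andReturn("test-user").atLeastOnce();` returns the same name the token lookup uses, so the new alias branch in `AmbariJwtAuthenticationProvider` is never exercised by this test. That branch runs only when the stored name and the token name differ. Add a case where they differ, for instance in letter case or surrounding whitespace, and assert the session attributes that `addLoginNameAlias` is expected to write. The test method begins and ends outside the hunk.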
@@ -179,6 +179,8 @@ public class AmbariLdapBindAuthenticatorTest extends EasyMockSupport { if (!StringUtils.isEmpty(ldapUsername) && !ambariUsername.equals(ldapUsername)) { servletRequestAttributes.setAttribute(eq(ambariUsername), eq(forceUsernameToLower ? ldapUsername.toLowerCase() : ldapUsername), eq(RequestAttributes.SCOPE_SESSION)); expectLastCall().once(); + servletRequestAttributes.setAttribute(eq(forceUsernameToLower ? ldapUsername.toLowerCase() : ldapUsername),eq(ambariUsername), eq(RequestAttributes.SCOPE_SESSION)); + expectLastCall().once(); } setupDatabaseConfigurationExpectations(true, forceUsernameToLower); @@ -186,6 +188,8 @@ public class AmbariLdapBindAuthenticatorTest extends EasyMockSupport { replayAll(); RequestContextHolder.setRequestAttributes(servletRequestAttributes); +// servletRequestAttributes.setAttribute(ambariUsername,ldapUsername, RequestAttributes.SCOPE_SESSION); +// expectLastCall().anyTimes(); AmbariLdapBindAuthenticator bindAuthenticator = new AmbariLdapBindAuthenticator(ldapCtxSource, ldapConfiguration); bindAuthenticator.setUserSearch(userSearch);
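Review bot: The two lines added in the `@@ -186,6 +188,8 @@` hunk are commented-out code and should be deleted rather than committed: `// servletRequestAttributes.setAttribute(ambariUsername,ldapUsername, RequestAttributes.SCOPE_SESSION);` and `// expectLastCall().anyTimes();`. They sit after `replayAll()`, so re-enabling them would not record an expectation anyway. The guard in the first hunk still uses `!ambariUsername.equals(ldapUsername)`, while the production code now compares against the lower-cased login name. A mixed-case login case would show whether the expectations and the authenticator still agree.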