[GitHub] [incubator-livy] captainzmc commented on a change in pull request #236: [LIVY-678] Thrift ldap authentication, based on ldapurl, basedn, domain
captainzmc commented on a change in pull request #236: [LIVY-678] Thrift ldap
authentication, based on ldapurl, basedn, domain
URL: https://github.com/apache/incubator-livy/pull/236#discussion_r336999094
##
File path: server/src/main/scala/org/apache/livy/LivyConf.scala
##
@@ -167,7 +167,13 @@ object LivyConf {
Entry("livy.server.thrift.delegation.token.max-lifetime", "7d")
val THRIFT_DELEGATION_TOKEN_RENEW_INTERVAL =
Entry("livy.server.thrift.delegation.token.renew-interval", "1d")
-
+ val THRIFT_LDAP_AUTHENTICATION_URL =
Entry("livy.server.thrift.ldap.authentication.url", null)
+ val THRIFT_LDAP_AUTHENTICATION_BASEDN =
Review comment:
Hi @mgaido91 @jerryshao
Should we unify the configurations here? there will be configuration
differences, such as:
livy.server.thrift.authentication can be NOSASL while livy.server.auth.type
cannot be NOSASL.
thrift.ldap.authentication has userfilter while server.thrift.authentication
hasn‘t.
What should we do about the situation above?
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
With regards,
Apache Git Services
[GitHub] [incubator-livy] captainzmc commented on a change in pull request #236: [LIVY-678] Thrift ldap authentication, based on ldapurl, basedn, domain
captainzmc commented on a change in pull request #236: [LIVY-678] Thrift ldap
authentication, based on ldapurl, basedn, domain
URL: https://github.com/apache/incubator-livy/pull/236#discussion_r336999094
##
File path: server/src/main/scala/org/apache/livy/LivyConf.scala
##
@@ -167,7 +167,13 @@ object LivyConf {
Entry("livy.server.thrift.delegation.token.max-lifetime", "7d")
val THRIFT_DELEGATION_TOKEN_RENEW_INTERVAL =
Entry("livy.server.thrift.delegation.token.renew-interval", "1d")
-
+ val THRIFT_LDAP_AUTHENTICATION_URL =
Entry("livy.server.thrift.ldap.authentication.url", null)
+ val THRIFT_LDAP_AUTHENTICATION_BASEDN =
Review comment:
Hi @mgaido91 @jerryshao
Should we unify the configurations here? there will be configuration
differences, such as:
livy.server.thrift.authentication can be NOSASL while livy.server.auth.type
cannot be NOSASL.
thrift.ldap.authentication has userfilter while server.thrift.authentication
hasn‘t.
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
With regards,
Apache Git Services
[GitHub] [incubator-livy] captainzmc commented on a change in pull request #236: [LIVY-678] Thrift ldap authentication, based on ldapurl, basedn, domain
captainzmc commented on a change in pull request #236: [LIVY-678] Thrift ldap
authentication, based on ldapurl, basedn, domain
URL: https://github.com/apache/incubator-livy/pull/236#discussion_r334270376
##
File path:
thriftserver/server/src/main/scala/org/apache/livy/thriftserver/auth/ldap/LdapUtils.scala
##
@@ -0,0 +1,102 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ *http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.livy.thriftserver.auth.ldap
+
+import org.apache.livy.{LivyConf, Logging}
+
+/**
+ * Static utility methods related to LDAP authentication module.
+ */
+object LdapUtils extends Logging {
Review comment:
Yes, there are several methods that can be reused. I'll change it here.
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
With regards,
Apache Git Services
[GitHub] [incubator-livy] captainzmc commented on a change in pull request #236: [LIVY-678] Thrift ldap authentication, based on ldapurl, basedn, domain
captainzmc commented on a change in pull request #236: [LIVY-678] Thrift ldap
authentication, based on ldapurl, basedn, domain
URL: https://github.com/apache/incubator-livy/pull/236#discussion_r334263458
##
File path:
thriftserver/server/src/main/scala/org/apache/livy/thriftserver/auth/ldap/UserFilter.scala
##
@@ -0,0 +1,48 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ *http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.livy.thriftserver.auth.ldap
+
+import javax.security.sasl.AuthenticationException
+
+import org.apache.livy.{LivyConf, Logging}
+
+/**
+ * A factory for a Filter based on a list of allowed users.
+ * The produced filter object filters out all users that are not on the
provided in
+ * Livy configuration list.
+ */
+class UserFilter(conf: LivyConf) extends Filter with Logging {
+ private val userFilterStr =
conf.get(LivyConf.THRIFT_LDAP_AUTHENTICATION_USERFILTER)
Review comment:
This conf.get usage is the same as others that livy used before, and we’d
batter keep it the same here
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
With regards,
Apache Git Services
[GitHub] [incubator-livy] captainzmc commented on a change in pull request #236: [LIVY-678] Thrift ldap authentication, based on ldapurl, basedn, domain
captainzmc commented on a change in pull request #236: [LIVY-678] Thrift ldap
authentication, based on ldapurl, basedn, domain
URL: https://github.com/apache/incubator-livy/pull/236#discussion_r334236659
##
File path:
thriftserver/server/src/main/scala/org/apache/livy/thriftserver/auth/ldap/LdapUtils.scala
##
@@ -0,0 +1,115 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ *http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.livy.thriftserver.auth.ldap
+
+import org.apache.livy.{LivyConf, Logging}
+
+/**
+ * Static utility methods related to LDAP authentication module.
+ */
+object LdapUtils extends Logging {
+
+ /**
+ * Extracts username from user DN.
+ *
+ * Examples:
+ *
+ * LdapUtils.extractUserName("UserName")= "UserName"
+ * LdapUtils.extractUserName("usern...@mycorp.com") = "UserName"
+ * LdapUtils.extractUserName("cn=UserName,dc=mycompany,dc=com") = "UserName"
+ *
+ */
+ def extractUserName(userDn: String): String = {
+var userName = userDn
+
+if (!isDn(userDn) && !hasDomain(userDn)) {
+ userName = userDn
+} else {
+ val domainIdx = indexOfDomainMatch(userDn)
+ if (domainIdx > 0) {
+userName = userDn.substring(0, domainIdx)
+ } else if (userDn.contains("=")) {
+userName = userDn.substring(userDn.indexOf("=") + 1,
userDn.indexOf(","))
+ }
+}
+userName
+ }
+
+ /**
+ * Get the index separating the user name from domain name (the user's name
up
+ * to the first '/' or '@'). Index of domain match or -1 if not found
+ */
+ def indexOfDomainMatch(userName: String): Int = {
+var endIdx = -1
+val idx = userName.indexOf('/')
+val idx2 = userName.indexOf('@')
+endIdx = Math.min(idx, idx2)
+
+// If neither '/' nor '@' was found, using the latter
+if (endIdx == -1) endIdx = Math.max(idx, idx2)
+
+endIdx
+ }
+
+ /**
+ * Check for a domain part in the provided username.
+ *
+ * Example:
+ *
+ *
+ * LdapUtils.hasDomain("us...@mycorp.com") = true
+ * LdapUtils.hasDomain("user1")= false
+ *
+ */
+ def hasDomain(userName: String): Boolean = {
+indexOfDomainMatch(userName) > 0
+ }
+
+ /**
+ * Detects DN names.
+ *
+ * Example:
+ *
+ *
+ * LdapUtils.isDn("cn=UserName,dc=mycompany,dc=com") = true
+ * LdapUtils.isDn("user1") = false
+ *
+ */
+ def isDn(name: String): Boolean = {
+name.contains("=")
+ }
+
+ /**
+ * Creates a principal to be used for user authentication.
+ */
+ def createCandidatePrincipal(conf: LivyConf, user: String): String = {
+val ldapDomain = conf.get(LivyConf.THRIFT_LDAP_AUTHENTICATION_DOMAIN)
+val ldapBaseDN = conf.get(LivyConf.THRIFT_LDAP_AUTHENTICATION_BASEDN)
+
+var principle = user
+if (!hasDomain(user) && ldapDomain != null) {
+ principle = user + "@" + ldapDomain
+}
+
+var bindDN = principle
Review comment:
bindDN can be assigned later, so we need var here
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
With regards,
Apache Git Services
[GitHub] [incubator-livy] captainzmc commented on a change in pull request #236: [LIVY-678] Thrift ldap authentication, based on ldapurl, basedn, domain
captainzmc commented on a change in pull request #236: [LIVY-678] Thrift ldap
authentication, based on ldapurl, basedn, domain
URL: https://github.com/apache/incubator-livy/pull/236#discussion_r334236623
##
File path:
thriftserver/server/src/main/scala/org/apache/livy/thriftserver/auth/ldap/LdapUtils.scala
##
@@ -0,0 +1,115 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ *http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.livy.thriftserver.auth.ldap
+
+import org.apache.livy.{LivyConf, Logging}
+
+/**
+ * Static utility methods related to LDAP authentication module.
+ */
+object LdapUtils extends Logging {
+
+ /**
+ * Extracts username from user DN.
+ *
+ * Examples:
+ *
+ * LdapUtils.extractUserName("UserName")= "UserName"
+ * LdapUtils.extractUserName("usern...@mycorp.com") = "UserName"
+ * LdapUtils.extractUserName("cn=UserName,dc=mycompany,dc=com") = "UserName"
+ *
+ */
+ def extractUserName(userDn: String): String = {
+var userName = userDn
+
+if (!isDn(userDn) && !hasDomain(userDn)) {
+ userName = userDn
+} else {
+ val domainIdx = indexOfDomainMatch(userDn)
+ if (domainIdx > 0) {
+userName = userDn.substring(0, domainIdx)
+ } else if (userDn.contains("=")) {
+userName = userDn.substring(userDn.indexOf("=") + 1,
userDn.indexOf(","))
+ }
+}
+userName
+ }
+
+ /**
+ * Get the index separating the user name from domain name (the user's name
up
+ * to the first '/' or '@'). Index of domain match or -1 if not found
+ */
+ def indexOfDomainMatch(userName: String): Int = {
+var endIdx = -1
+val idx = userName.indexOf('/')
+val idx2 = userName.indexOf('@')
+endIdx = Math.min(idx, idx2)
+
+// If neither '/' nor '@' was found, using the latter
+if (endIdx == -1) endIdx = Math.max(idx, idx2)
+
+endIdx
+ }
+
+ /**
+ * Check for a domain part in the provided username.
+ *
+ * Example:
+ *
+ *
+ * LdapUtils.hasDomain("us...@mycorp.com") = true
+ * LdapUtils.hasDomain("user1")= false
+ *
+ */
+ def hasDomain(userName: String): Boolean = {
+indexOfDomainMatch(userName) > 0
+ }
+
+ /**
+ * Detects DN names.
+ *
+ * Example:
+ *
+ *
+ * LdapUtils.isDn("cn=UserName,dc=mycompany,dc=com") = true
+ * LdapUtils.isDn("user1") = false
+ *
+ */
+ def isDn(name: String): Boolean = {
+name.contains("=")
+ }
+
+ /**
+ * Creates a principal to be used for user authentication.
+ */
+ def createCandidatePrincipal(conf: LivyConf, user: String): String = {
+val ldapDomain = conf.get(LivyConf.THRIFT_LDAP_AUTHENTICATION_DOMAIN)
+val ldapBaseDN = conf.get(LivyConf.THRIFT_LDAP_AUTHENTICATION_BASEDN)
+
+var principle = user
Review comment:
principle can be assigned later, so we need var here
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
With regards,
Apache Git Services
[GitHub] [incubator-livy] captainzmc commented on a change in pull request #236: [LIVY-678] Thrift ldap authentication, based on ldapurl, basedn, domain
captainzmc commented on a change in pull request #236: [LIVY-678] Thrift ldap
authentication, based on ldapurl, basedn, domain
URL: https://github.com/apache/incubator-livy/pull/236#discussion_r334236564
##
File path:
thriftserver/server/src/main/scala/org/apache/livy/thriftserver/auth/ldap/LdapUtils.scala
##
@@ -0,0 +1,115 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ *http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.livy.thriftserver.auth.ldap
+
+import org.apache.livy.{LivyConf, Logging}
+
+/**
+ * Static utility methods related to LDAP authentication module.
+ */
+object LdapUtils extends Logging {
+
+ /**
+ * Extracts username from user DN.
+ *
+ * Examples:
+ *
+ * LdapUtils.extractUserName("UserName")= "UserName"
+ * LdapUtils.extractUserName("usern...@mycorp.com") = "UserName"
+ * LdapUtils.extractUserName("cn=UserName,dc=mycompany,dc=com") = "UserName"
+ *
+ */
+ def extractUserName(userDn: String): String = {
+var userName = userDn
+
+if (!isDn(userDn) && !hasDomain(userDn)) {
+ userName = userDn
+} else {
+ val domainIdx = indexOfDomainMatch(userDn)
+ if (domainIdx > 0) {
+userName = userDn.substring(0, domainIdx)
+ } else if (userDn.contains("=")) {
+userName = userDn.substring(userDn.indexOf("=") + 1,
userDn.indexOf(","))
+ }
+}
+userName
+ }
+
+ /**
+ * Get the index separating the user name from domain name (the user's name
up
+ * to the first '/' or '@'). Index of domain match or -1 if not found
+ */
+ def indexOfDomainMatch(userName: String): Int = {
+var endIdx = -1
Review comment:
endIdx needs to be assigned later, so we need var here
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
With regards,
Apache Git Services
[GitHub] [incubator-livy] captainzmc commented on a change in pull request #236: [LIVY-678] Thrift ldap authentication, based on ldapurl, basedn, domain
captainzmc commented on a change in pull request #236: [LIVY-678] Thrift ldap
authentication, based on ldapurl, basedn, domain
URL: https://github.com/apache/incubator-livy/pull/236#discussion_r334236191
##
File path:
thriftserver/server/src/main/scala/org/apache/livy/thriftserver/auth/ldap/LdapUtils.scala
##
@@ -0,0 +1,115 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ *http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.livy.thriftserver.auth.ldap
+
+import org.apache.livy.{LivyConf, Logging}
+
+/**
+ * Static utility methods related to LDAP authentication module.
+ */
+object LdapUtils extends Logging {
+
+ /**
+ * Extracts username from user DN.
+ *
+ * Examples:
+ *
+ * LdapUtils.extractUserName("UserName")= "UserName"
+ * LdapUtils.extractUserName("usern...@mycorp.com") = "UserName"
+ * LdapUtils.extractUserName("cn=UserName,dc=mycompany,dc=com") = "UserName"
+ *
+ */
+ def extractUserName(userDn: String): String = {
+var userName = userDn
+
+if (!isDn(userDn) && !hasDomain(userDn)) {
+ userName = userDn
+} else {
+ val domainIdx = indexOfDomainMatch(userDn)
+ if (domainIdx > 0) {
+userName = userDn.substring(0, domainIdx)
+ } else if (userDn.contains("=")) {
+userName = userDn.substring(userDn.indexOf("=") + 1,
userDn.indexOf(","))
+ }
+}
+userName
+ }
+
+ /**
+ * Get the index separating the user name from domain name (the user's name
up
+ * to the first '/' or '@'). Index of domain match or -1 if not found
+ */
+ def indexOfDomainMatch(userName: String): Int = {
+var endIdx = -1
Review comment:
endIdx then needs to be assigned, so we need var here
endIdx = Math.min(idx, idx2)
endIdx = Math.max(idx, idx2)
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
With regards,
Apache Git Services
[GitHub] [incubator-livy] captainzmc commented on a change in pull request #236: [LIVY-678] Thrift ldap authentication, based on ldapurl, basedn, domain
captainzmc commented on a change in pull request #236: [LIVY-678] Thrift ldap
authentication, based on ldapurl, basedn, domain
URL: https://github.com/apache/incubator-livy/pull/236#discussion_r334236191
##
File path:
thriftserver/server/src/main/scala/org/apache/livy/thriftserver/auth/ldap/LdapUtils.scala
##
@@ -0,0 +1,115 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ *http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.livy.thriftserver.auth.ldap
+
+import org.apache.livy.{LivyConf, Logging}
+
+/**
+ * Static utility methods related to LDAP authentication module.
+ */
+object LdapUtils extends Logging {
+
+ /**
+ * Extracts username from user DN.
+ *
+ * Examples:
+ *
+ * LdapUtils.extractUserName("UserName")= "UserName"
+ * LdapUtils.extractUserName("usern...@mycorp.com") = "UserName"
+ * LdapUtils.extractUserName("cn=UserName,dc=mycompany,dc=com") = "UserName"
+ *
+ */
+ def extractUserName(userDn: String): String = {
+var userName = userDn
+
+if (!isDn(userDn) && !hasDomain(userDn)) {
+ userName = userDn
+} else {
+ val domainIdx = indexOfDomainMatch(userDn)
+ if (domainIdx > 0) {
+userName = userDn.substring(0, domainIdx)
+ } else if (userDn.contains("=")) {
+userName = userDn.substring(userDn.indexOf("=") + 1,
userDn.indexOf(","))
+ }
+}
+userName
+ }
+
+ /**
+ * Get the index separating the user name from domain name (the user's name
up
+ * to the first '/' or '@'). Index of domain match or -1 if not found
+ */
+ def indexOfDomainMatch(userName: String): Int = {
+var endIdx = -1
Review comment:
endIdx then needs to be assigned, so we need var here
endIdx = Math.min(idx, idx2)
endIdx = Math.max(idx, idx2)
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
With regards,
Apache Git Services
[GitHub] [incubator-livy] captainzmc commented on a change in pull request #236: [LIVY-678] Thrift ldap authentication, based on ldapurl, basedn, domain
captainzmc commented on a change in pull request #236: [LIVY-678] Thrift ldap
authentication, based on ldapurl, basedn, domain
URL: https://github.com/apache/incubator-livy/pull/236#discussion_r334236165
##
File path:
thriftserver/server/src/main/scala/org/apache/livy/thriftserver/auth/ldap/LdapUtils.scala
##
@@ -0,0 +1,115 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ *http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.livy.thriftserver.auth.ldap
+
+import org.apache.livy.{LivyConf, Logging}
+
+/**
+ * Static utility methods related to LDAP authentication module.
+ */
+object LdapUtils extends Logging {
+
+ /**
+ * Extracts username from user DN.
+ *
+ * Examples:
+ *
+ * LdapUtils.extractUserName("UserName")= "UserName"
+ * LdapUtils.extractUserName("usern...@mycorp.com") = "UserName"
+ * LdapUtils.extractUserName("cn=UserName,dc=mycompany,dc=com") = "UserName"
+ *
+ */
+ def extractUserName(userDn: String): String = {
+var userName = userDn
+
+if (!isDn(userDn) && !hasDomain(userDn)) {
+ userName = userDn
+} else {
+ val domainIdx = indexOfDomainMatch(userDn)
+ if (domainIdx > 0) {
+userName = userDn.substring(0, domainIdx)
+ } else if (userDn.contains("=")) {
+userName = userDn.substring(userDn.indexOf("=") + 1,
userDn.indexOf(","))
+ }
+}
+userName
+ }
+
+ /**
+ * Get the index separating the user name from domain name (the user's name
up
+ * to the first '/' or '@'). Index of domain match or -1 if not found
+ */
+ def indexOfDomainMatch(userName: String): Int = {
+var endIdx = -1
Review comment:
endIdx then needs to be assigned, so we need var here
endIdx = Math. Min (independence idx idx2)
endIdx = Math. Max (independence idx idx2)
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
With regards,
Apache Git Services
[GitHub] [incubator-livy] captainzmc commented on a change in pull request #236: [LIVY-678] Thrift ldap authentication, based on ldapurl, basedn, domain
captainzmc commented on a change in pull request #236: [LIVY-678] Thrift ldap
authentication, based on ldapurl, basedn, domain
URL: https://github.com/apache/incubator-livy/pull/236#discussion_r334236165
##
File path:
thriftserver/server/src/main/scala/org/apache/livy/thriftserver/auth/ldap/LdapUtils.scala
##
@@ -0,0 +1,115 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ *http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.livy.thriftserver.auth.ldap
+
+import org.apache.livy.{LivyConf, Logging}
+
+/**
+ * Static utility methods related to LDAP authentication module.
+ */
+object LdapUtils extends Logging {
+
+ /**
+ * Extracts username from user DN.
+ *
+ * Examples:
+ *
+ * LdapUtils.extractUserName("UserName")= "UserName"
+ * LdapUtils.extractUserName("usern...@mycorp.com") = "UserName"
+ * LdapUtils.extractUserName("cn=UserName,dc=mycompany,dc=com") = "UserName"
+ *
+ */
+ def extractUserName(userDn: String): String = {
+var userName = userDn
+
+if (!isDn(userDn) && !hasDomain(userDn)) {
+ userName = userDn
+} else {
+ val domainIdx = indexOfDomainMatch(userDn)
+ if (domainIdx > 0) {
+userName = userDn.substring(0, domainIdx)
+ } else if (userDn.contains("=")) {
+userName = userDn.substring(userDn.indexOf("=") + 1,
userDn.indexOf(","))
+ }
+}
+userName
+ }
+
+ /**
+ * Get the index separating the user name from domain name (the user's name
up
+ * to the first '/' or '@'). Index of domain match or -1 if not found
+ */
+ def indexOfDomainMatch(userName: String): Int = {
+var endIdx = -1
Review comment:
endIdx then needs to be assigned, so we need var here
endIdx = Math. Min (independence idx idx2)
endIdx = Math. Max (independence idx idx2)
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
With regards,
Apache Git Services
[GitHub] [incubator-livy] captainzmc commented on a change in pull request #236: [LIVY-678] Thrift ldap authentication, based on ldapurl, basedn, domain
captainzmc commented on a change in pull request #236: [LIVY-678] Thrift ldap
authentication, based on ldapurl, basedn, domain
URL: https://github.com/apache/incubator-livy/pull/236#discussion_r333422091
##
File path:
thriftserver/server/src/test/scala/org/apache/livy/thriftserver/auth/TestLdapAuthenticationProviderImpl.scala
##
@@ -0,0 +1,126 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ *http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.livy.thriftserver.auth
+
+import javax.security.sasl.AuthenticationException
+
+import org.apache.directory.server.annotations.CreateLdapServer
+import org.apache.directory.server.annotations.CreateTransport
+import org.apache.directory.server.core.annotations.ApplyLdifs
+import org.apache.directory.server.core.annotations.ContextEntry
+import org.apache.directory.server.core.annotations.CreateDS
+import org.apache.directory.server.core.annotations.CreatePartition
+import org.apache.directory.server.core.integ.AbstractLdapTestUnit
+import org.apache.directory.server.core.integ.FrameworkRunner
+import org.junit.Assert
+import org.junit.Before
+import org.junit.Test
+import org.junit.runner.RunWith
+
+import org.apache.livy.LivyConf
+
+/**
+ * This unit test verifies the functionality of
LdapAuthenticationProviderImpl.
+ */
+@RunWith(classOf[FrameworkRunner])
+@CreateLdapServer(transports = Array(new CreateTransport(protocol = "LDAP",
address = "localhost")))
+@CreateDS(allowAnonAccess = true, partitions = Array(new CreatePartition(name
= "Test_Partition",
+ suffix = "dc=example,dc=com", contextEntry = new ContextEntry(entryLdif =
"dn: dc=example," +
+"dc=com \ndc: example\nobjectClass: top\n" + "objectClass: domain\n\n"
+@ApplyLdifs(Array("dn: uid=bjones,dc=example,dc=com", "cn: Bob Jones", "sn:
Jones",
+ "objectClass: inetOrgPerson", "uid: bjones", "userPassword: p@ssw0rd"))
+class TestLdapAuthenticationProviderImpl extends AbstractLdapTestUnit {
+ private var handler: LdapAuthenticationProviderImpl = null
+ private var user = "bjones"
+ private var pwd = "p@ssw0rd"
+ val livyConf = new LivyConf()
+
+ @Before
+ @throws[Exception]
+ def setup(): Unit = {
+livyConf.set(LivyConf.THRIFT_AUTHENTICATION, "ldap")
+livyConf.set(LivyConf.THRIFT_LDAP_AUTHENTICATION_BASEDN,
"dc=example,dc=com")
+livyConf.set(LivyConf.THRIFT_LDAP_AUTHENTICATION_URL,
String.format("ldap://%s:%s";, "localhost",
+ AbstractLdapTestUnit.getLdapServer.getPort.toString))
+livyConf.set(LivyConf.THRIFT_LDAP_AUTHENTICATION_USERFILTER, "bjones,jake")
+ }
+
+ @Test(timeout = 6)
+ @throws[AuthenticationException]
+ def testAuthenticatePasses(): Unit = {
+
+try {
+ handler = new LdapAuthenticationProviderImpl(livyConf)
+ handler.Authenticate(user, pwd)
+} catch {
+ case e: AuthenticationException =>
+val message = String.format("Authentication failed for user '%s' with
password '%s'",
+ user, pwd)
+throw new AssertionError(message, e)
+}
+ }
+
+ @Test(timeout = 6)
+ @throws[Exception]
+ def testAuthenticateWithWrongUser(): Unit = {
+
Review comment:
It was removed in the previous commit
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
With regards,
Apache Git Services
[GitHub] [incubator-livy] captainzmc commented on a change in pull request #236: [LIVY-678] Thrift ldap authentication, based on ldapurl, basedn, domain
captainzmc commented on a change in pull request #236: [LIVY-678] Thrift ldap
authentication, based on ldapurl, basedn, domain
URL: https://github.com/apache/incubator-livy/pull/236#discussion_r333421978
##
File path:
thriftserver/server/src/test/scala/org/apache/livy/thriftserver/auth/TestLdapAuthenticationProviderImpl.scala
##
@@ -0,0 +1,126 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ *http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.livy.thriftserver.auth
+
+import javax.security.sasl.AuthenticationException
+
+import org.apache.directory.server.annotations.CreateLdapServer
+import org.apache.directory.server.annotations.CreateTransport
+import org.apache.directory.server.core.annotations.ApplyLdifs
+import org.apache.directory.server.core.annotations.ContextEntry
+import org.apache.directory.server.core.annotations.CreateDS
+import org.apache.directory.server.core.annotations.CreatePartition
+import org.apache.directory.server.core.integ.AbstractLdapTestUnit
+import org.apache.directory.server.core.integ.FrameworkRunner
+import org.junit.Assert
+import org.junit.Before
+import org.junit.Test
+import org.junit.runner.RunWith
+
+import org.apache.livy.LivyConf
+
+/**
+ * This unit test verifies the functionality of
LdapAuthenticationProviderImpl.
+ */
+@RunWith(classOf[FrameworkRunner])
+@CreateLdapServer(transports = Array(new CreateTransport(protocol = "LDAP",
address = "localhost")))
+@CreateDS(allowAnonAccess = true, partitions = Array(new CreatePartition(name
= "Test_Partition",
+ suffix = "dc=example,dc=com", contextEntry = new ContextEntry(entryLdif =
"dn: dc=example," +
+"dc=com \ndc: example\nobjectClass: top\n" + "objectClass: domain\n\n"
+@ApplyLdifs(Array("dn: uid=bjones,dc=example,dc=com", "cn: Bob Jones", "sn:
Jones",
+ "objectClass: inetOrgPerson", "uid: bjones", "userPassword: p@ssw0rd"))
+class TestLdapAuthenticationProviderImpl extends AbstractLdapTestUnit {
+ private var handler: LdapAuthenticationProviderImpl = null
+ private var user = "bjones"
+ private var pwd = "p@ssw0rd"
+ val livyConf = new LivyConf()
+
+ @Before
+ @throws[Exception]
+ def setup(): Unit = {
+livyConf.set(LivyConf.THRIFT_AUTHENTICATION, "ldap")
+livyConf.set(LivyConf.THRIFT_LDAP_AUTHENTICATION_BASEDN,
"dc=example,dc=com")
+livyConf.set(LivyConf.THRIFT_LDAP_AUTHENTICATION_URL,
String.format("ldap://%s:%s";, "localhost",
+ AbstractLdapTestUnit.getLdapServer.getPort.toString))
+livyConf.set(LivyConf.THRIFT_LDAP_AUTHENTICATION_USERFILTER, "bjones,jake")
+ }
+
+ @Test(timeout = 6)
+ @throws[AuthenticationException]
+ def testAuthenticatePasses(): Unit = {
+
Review comment:
It was removed in the previous commit
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
With regards,
Apache Git Services
[GitHub] [incubator-livy] captainzmc commented on a change in pull request #236: [LIVY-678] Thrift ldap authentication, based on ldapurl, basedn, domain
captainzmc commented on a change in pull request #236: [LIVY-678] Thrift ldap
authentication, based on ldapurl, basedn, domain
URL: https://github.com/apache/incubator-livy/pull/236#discussion_r333424915
##
File path:
thriftserver/server/src/main/scala/org/apache/livy/thriftserver/auth/ldap/LdapUtils.scala
##
@@ -0,0 +1,124 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ *http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.livy.thriftserver.auth.ldap
+
+import org.apache.commons.lang.StringUtils
+
+import org.apache.livy.{LivyConf, Logging}
+
+/**
+ * Static utility methods related to LDAP authentication module.
+ */
+object LdapUtils extends Logging{
+
+ /**
+* Extracts username from user DN.
+*
+* Examples:
+*
+* LdapUtils.extractUserName("UserName")= "UserName"
+* LdapUtils.extractUserName("usern...@mycorp.com") = "UserName"
+* LdapUtils.extractUserName("cn=UserName,dc=mycompany,dc=com") = "UserName"
+*
+*
+* @param userDn
+* @return
+*/
+ def extractUserName(userDn: String): String = {
+if (!isDn(userDn) && !hasDomain(userDn)) return userDn
+val domainIdx = indexOfDomainMatch(userDn)
+if (domainIdx > 0) return userDn.substring(0, domainIdx)
+if (userDn.contains("=")) return userDn.substring(userDn.indexOf("=") + 1,
userDn.indexOf(","))
+userDn
+ }
+
+ /**
+* Get the index separating the user name from domain name (the user's name
up
+* to the first '/' or '@').
+*
+* @param userName full user name.
+* @return index of domain match or -1 if not found
+*/
+ def indexOfDomainMatch(userName: String): Int = {
+if (userName == null) return -1
+val idx = userName.indexOf('/')
+val idx2 = userName.indexOf('@')
+var endIdx = Math.min(idx, idx2) // Use the earlier match.
+// Unless at least one of '/' or '@' was not found, in
+// which case, user the latter match.
+if (endIdx == -1) endIdx = Math.max(idx, idx2)
+endIdx
+ }
+
+ /**
+* Check for a domain part in the provided username.
+*
+* Example:
+*
+*
+* LdapUtils.hasDomain("us...@mycorp.com") = true
+* LdapUtils.hasDomain("user1")= false
+*
+*
+* @param userName username
+* @return true if { @code userName} contains { @code @} part
+*/
+ def hasDomain(userName: String): Boolean = {
+indexOfDomainMatch(userName) > 0
+ }
+
+ /**
+* Detects DN names.
+*
+* Example:
+*
+*
+* LdapUtils.isDn("cn=UserName,dc=mycompany,dc=com") = true
+* LdapUtils.isDn("user1") = false
+*
+*
+* @param name name to be checked
+* @return true if the provided name is a distinguished name
+*/
+ def isDn(name: String): Boolean = {
Review comment:
This format may not be recommended
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
With regards,
Apache Git Services
[GitHub] [incubator-livy] captainzmc commented on a change in pull request #236: [LIVY-678] Thrift ldap authentication, based on ldapurl, basedn, domain
captainzmc commented on a change in pull request #236: [LIVY-678] Thrift ldap
authentication, based on ldapurl, basedn, domain
URL: https://github.com/apache/incubator-livy/pull/236#discussion_r333424085
##
File path:
thriftserver/server/src/test/scala/org/apache/livy/thriftserver/auth/TestLdapAuthenticationProviderImpl.scala
##
@@ -0,0 +1,126 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ *http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.livy.thriftserver.auth
+
+import javax.security.sasl.AuthenticationException
+
+import org.apache.directory.server.annotations.CreateLdapServer
+import org.apache.directory.server.annotations.CreateTransport
+import org.apache.directory.server.core.annotations.ApplyLdifs
+import org.apache.directory.server.core.annotations.ContextEntry
+import org.apache.directory.server.core.annotations.CreateDS
+import org.apache.directory.server.core.annotations.CreatePartition
+import org.apache.directory.server.core.integ.AbstractLdapTestUnit
+import org.apache.directory.server.core.integ.FrameworkRunner
+import org.junit.Assert
+import org.junit.Before
+import org.junit.Test
+import org.junit.runner.RunWith
+
+import org.apache.livy.LivyConf
+
+/**
+ * This unit test verifies the functionality of
LdapAuthenticationProviderImpl.
+ */
+@RunWith(classOf[FrameworkRunner])
+@CreateLdapServer(transports = Array(new CreateTransport(protocol = "LDAP",
address = "localhost")))
+@CreateDS(allowAnonAccess = true, partitions = Array(new CreatePartition(name
= "Test_Partition",
+ suffix = "dc=example,dc=com", contextEntry = new ContextEntry(entryLdif =
"dn: dc=example," +
+"dc=com \ndc: example\nobjectClass: top\n" + "objectClass: domain\n\n"
+@ApplyLdifs(Array("dn: uid=bjones,dc=example,dc=com", "cn: Bob Jones", "sn:
Jones",
+ "objectClass: inetOrgPerson", "uid: bjones", "userPassword: p@ssw0rd"))
+class TestLdapAuthenticationProviderImpl extends AbstractLdapTestUnit {
+ private var handler: LdapAuthenticationProviderImpl = null
+ private var user = "bjones"
+ private var pwd = "p@ssw0rd"
+ val livyConf = new LivyConf()
+
+ @Before
+ @throws[Exception]
+ def setup(): Unit = {
+livyConf.set(LivyConf.THRIFT_AUTHENTICATION, "ldap")
+livyConf.set(LivyConf.THRIFT_LDAP_AUTHENTICATION_BASEDN,
"dc=example,dc=com")
+livyConf.set(LivyConf.THRIFT_LDAP_AUTHENTICATION_URL,
String.format("ldap://%s:%s";, "localhost",
+ AbstractLdapTestUnit.getLdapServer.getPort.toString))
+livyConf.set(LivyConf.THRIFT_LDAP_AUTHENTICATION_USERFILTER, "bjones,jake")
+ }
+
+ @Test(timeout = 6)
+ @throws[AuthenticationException]
+ def testAuthenticatePasses(): Unit = {
+
Review comment:
Method needs appropriate blank lines to make the logic clearer
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
With regards,
Apache Git Services
[GitHub] [incubator-livy] captainzmc commented on a change in pull request #236: [LIVY-678] Thrift ldap authentication, based on ldapurl, basedn, domain
captainzmc commented on a change in pull request #236: [LIVY-678] Thrift ldap
authentication, based on ldapurl, basedn, domain
URL: https://github.com/apache/incubator-livy/pull/236#discussion_r333423403
##
File path:
thriftserver/server/src/test/scala/org/apache/livy/thriftserver/auth/TestLdapAuthenticationProviderImpl.scala
##
@@ -0,0 +1,126 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ *http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.livy.thriftserver.auth
+
+import javax.security.sasl.AuthenticationException
+
+import org.apache.directory.server.annotations.CreateLdapServer
+import org.apache.directory.server.annotations.CreateTransport
+import org.apache.directory.server.core.annotations.ApplyLdifs
+import org.apache.directory.server.core.annotations.ContextEntry
+import org.apache.directory.server.core.annotations.CreateDS
+import org.apache.directory.server.core.annotations.CreatePartition
+import org.apache.directory.server.core.integ.AbstractLdapTestUnit
+import org.apache.directory.server.core.integ.FrameworkRunner
+import org.junit.Assert
+import org.junit.Before
+import org.junit.Test
+import org.junit.runner.RunWith
+
+import org.apache.livy.LivyConf
+
+/**
+ * This unit test verifies the functionality of
LdapAuthenticationProviderImpl.
+ */
+@RunWith(classOf[FrameworkRunner])
+@CreateLdapServer(transports = Array(new CreateTransport(protocol = "LDAP",
address = "localhost")))
+@CreateDS(allowAnonAccess = true, partitions = Array(new CreatePartition(name
= "Test_Partition",
+ suffix = "dc=example,dc=com", contextEntry = new ContextEntry(entryLdif =
"dn: dc=example," +
+"dc=com \ndc: example\nobjectClass: top\n" + "objectClass: domain\n\n"
+@ApplyLdifs(Array("dn: uid=bjones,dc=example,dc=com", "cn: Bob Jones", "sn:
Jones",
+ "objectClass: inetOrgPerson", "uid: bjones", "userPassword: p@ssw0rd"))
+class TestLdapAuthenticationProviderImpl extends AbstractLdapTestUnit {
+ private var handler: LdapAuthenticationProviderImpl = null
+ private var user = "bjones"
+ private var pwd = "p@ssw0rd"
+ val livyConf = new LivyConf()
+
+ @Before
+ @throws[Exception]
+ def setup(): Unit = {
+livyConf.set(LivyConf.THRIFT_AUTHENTICATION, "ldap")
+livyConf.set(LivyConf.THRIFT_LDAP_AUTHENTICATION_BASEDN,
"dc=example,dc=com")
+livyConf.set(LivyConf.THRIFT_LDAP_AUTHENTICATION_URL,
String.format("ldap://%s:%s";, "localhost",
+ AbstractLdapTestUnit.getLdapServer.getPort.toString))
+livyConf.set(LivyConf.THRIFT_LDAP_AUTHENTICATION_USERFILTER, "bjones,jake")
+ }
+
+ @Test(timeout = 6)
+ @throws[AuthenticationException]
+ def testAuthenticatePasses(): Unit = {
+
+try {
+ handler = new LdapAuthenticationProviderImpl(livyConf)
+ handler.Authenticate(user, pwd)
+} catch {
+ case e: AuthenticationException =>
+val message = String.format("Authentication failed for user '%s' with
password '%s'",
+ user, pwd)
+throw new AssertionError(message, e)
+}
+ }
+
+ @Test(timeout = 6)
+ @throws[Exception]
+ def testAuthenticateWithWrongUser(): Unit = {
+
Review comment:
A blank line is required between methods
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
With regards,
Apache Git Services
[GitHub] [incubator-livy] captainzmc commented on a change in pull request #236: [LIVY-678] Thrift ldap authentication, based on ldapurl, basedn, domain
captainzmc commented on a change in pull request #236: [LIVY-678] Thrift ldap
authentication, based on ldapurl, basedn, domain
URL: https://github.com/apache/incubator-livy/pull/236#discussion_r333422091
##
File path:
thriftserver/server/src/test/scala/org/apache/livy/thriftserver/auth/TestLdapAuthenticationProviderImpl.scala
##
@@ -0,0 +1,126 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ *http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.livy.thriftserver.auth
+
+import javax.security.sasl.AuthenticationException
+
+import org.apache.directory.server.annotations.CreateLdapServer
+import org.apache.directory.server.annotations.CreateTransport
+import org.apache.directory.server.core.annotations.ApplyLdifs
+import org.apache.directory.server.core.annotations.ContextEntry
+import org.apache.directory.server.core.annotations.CreateDS
+import org.apache.directory.server.core.annotations.CreatePartition
+import org.apache.directory.server.core.integ.AbstractLdapTestUnit
+import org.apache.directory.server.core.integ.FrameworkRunner
+import org.junit.Assert
+import org.junit.Before
+import org.junit.Test
+import org.junit.runner.RunWith
+
+import org.apache.livy.LivyConf
+
+/**
+ * This unit test verifies the functionality of
LdapAuthenticationProviderImpl.
+ */
+@RunWith(classOf[FrameworkRunner])
+@CreateLdapServer(transports = Array(new CreateTransport(protocol = "LDAP",
address = "localhost")))
+@CreateDS(allowAnonAccess = true, partitions = Array(new CreatePartition(name
= "Test_Partition",
+ suffix = "dc=example,dc=com", contextEntry = new ContextEntry(entryLdif =
"dn: dc=example," +
+"dc=com \ndc: example\nobjectClass: top\n" + "objectClass: domain\n\n"
+@ApplyLdifs(Array("dn: uid=bjones,dc=example,dc=com", "cn: Bob Jones", "sn:
Jones",
+ "objectClass: inetOrgPerson", "uid: bjones", "userPassword: p@ssw0rd"))
+class TestLdapAuthenticationProviderImpl extends AbstractLdapTestUnit {
+ private var handler: LdapAuthenticationProviderImpl = null
+ private var user = "bjones"
+ private var pwd = "p@ssw0rd"
+ val livyConf = new LivyConf()
+
+ @Before
+ @throws[Exception]
+ def setup(): Unit = {
+livyConf.set(LivyConf.THRIFT_AUTHENTICATION, "ldap")
+livyConf.set(LivyConf.THRIFT_LDAP_AUTHENTICATION_BASEDN,
"dc=example,dc=com")
+livyConf.set(LivyConf.THRIFT_LDAP_AUTHENTICATION_URL,
String.format("ldap://%s:%s";, "localhost",
+ AbstractLdapTestUnit.getLdapServer.getPort.toString))
+livyConf.set(LivyConf.THRIFT_LDAP_AUTHENTICATION_USERFILTER, "bjones,jake")
+ }
+
+ @Test(timeout = 6)
+ @throws[AuthenticationException]
+ def testAuthenticatePasses(): Unit = {
+
+try {
+ handler = new LdapAuthenticationProviderImpl(livyConf)
+ handler.Authenticate(user, pwd)
+} catch {
+ case e: AuthenticationException =>
+val message = String.format("Authentication failed for user '%s' with
password '%s'",
+ user, pwd)
+throw new AssertionError(message, e)
+}
+ }
+
+ @Test(timeout = 6)
+ @throws[Exception]
+ def testAuthenticateWithWrongUser(): Unit = {
+
Review comment:
It was removed in the previous commit
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
With regards,
Apache Git Services
[GitHub] [incubator-livy] captainzmc commented on a change in pull request #236: [LIVY-678] Thrift ldap authentication, based on ldapurl, basedn, domain
captainzmc commented on a change in pull request #236: [LIVY-678] Thrift ldap
authentication, based on ldapurl, basedn, domain
URL: https://github.com/apache/incubator-livy/pull/236#discussion_r333421978
##
File path:
thriftserver/server/src/test/scala/org/apache/livy/thriftserver/auth/TestLdapAuthenticationProviderImpl.scala
##
@@ -0,0 +1,126 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ *http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.livy.thriftserver.auth
+
+import javax.security.sasl.AuthenticationException
+
+import org.apache.directory.server.annotations.CreateLdapServer
+import org.apache.directory.server.annotations.CreateTransport
+import org.apache.directory.server.core.annotations.ApplyLdifs
+import org.apache.directory.server.core.annotations.ContextEntry
+import org.apache.directory.server.core.annotations.CreateDS
+import org.apache.directory.server.core.annotations.CreatePartition
+import org.apache.directory.server.core.integ.AbstractLdapTestUnit
+import org.apache.directory.server.core.integ.FrameworkRunner
+import org.junit.Assert
+import org.junit.Before
+import org.junit.Test
+import org.junit.runner.RunWith
+
+import org.apache.livy.LivyConf
+
+/**
+ * This unit test verifies the functionality of
LdapAuthenticationProviderImpl.
+ */
+@RunWith(classOf[FrameworkRunner])
+@CreateLdapServer(transports = Array(new CreateTransport(protocol = "LDAP",
address = "localhost")))
+@CreateDS(allowAnonAccess = true, partitions = Array(new CreatePartition(name
= "Test_Partition",
+ suffix = "dc=example,dc=com", contextEntry = new ContextEntry(entryLdif =
"dn: dc=example," +
+"dc=com \ndc: example\nobjectClass: top\n" + "objectClass: domain\n\n"
+@ApplyLdifs(Array("dn: uid=bjones,dc=example,dc=com", "cn: Bob Jones", "sn:
Jones",
+ "objectClass: inetOrgPerson", "uid: bjones", "userPassword: p@ssw0rd"))
+class TestLdapAuthenticationProviderImpl extends AbstractLdapTestUnit {
+ private var handler: LdapAuthenticationProviderImpl = null
+ private var user = "bjones"
+ private var pwd = "p@ssw0rd"
+ val livyConf = new LivyConf()
+
+ @Before
+ @throws[Exception]
+ def setup(): Unit = {
+livyConf.set(LivyConf.THRIFT_AUTHENTICATION, "ldap")
+livyConf.set(LivyConf.THRIFT_LDAP_AUTHENTICATION_BASEDN,
"dc=example,dc=com")
+livyConf.set(LivyConf.THRIFT_LDAP_AUTHENTICATION_URL,
String.format("ldap://%s:%s";, "localhost",
+ AbstractLdapTestUnit.getLdapServer.getPort.toString))
+livyConf.set(LivyConf.THRIFT_LDAP_AUTHENTICATION_USERFILTER, "bjones,jake")
+ }
+
+ @Test(timeout = 6)
+ @throws[AuthenticationException]
+ def testAuthenticatePasses(): Unit = {
+
Review comment:
It was removed in the previous commit
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
With regards,
Apache Git Services
[GitHub] [incubator-livy] captainzmc commented on a change in pull request #236: [LIVY-678] Thrift ldap authentication, based on ldapurl, basedn, domain
captainzmc commented on a change in pull request #236: [LIVY-678] Thrift ldap
authentication, based on ldapurl, basedn, domain
URL: https://github.com/apache/incubator-livy/pull/236#discussion_r333420717
##
File path:
thriftserver/server/src/test/scala/org/apache/livy/thriftserver/auth/TestLdapAuthenticationProviderImpl.scala
##
@@ -0,0 +1,126 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ *http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.livy.thriftserver.auth
+
+import javax.security.sasl.AuthenticationException
+
+import org.apache.directory.server.annotations.CreateLdapServer
+import org.apache.directory.server.annotations.CreateTransport
+import org.apache.directory.server.core.annotations.ApplyLdifs
+import org.apache.directory.server.core.annotations.ContextEntry
+import org.apache.directory.server.core.annotations.CreateDS
+import org.apache.directory.server.core.annotations.CreatePartition
+import org.apache.directory.server.core.integ.AbstractLdapTestUnit
+import org.apache.directory.server.core.integ.FrameworkRunner
+import org.junit.Assert
+import org.junit.Before
+import org.junit.Test
+import org.junit.runner.RunWith
+
+import org.apache.livy.LivyConf
+
+/**
+ * This unit test verifies the functionality of
LdapAuthenticationProviderImpl.
+ */
+@RunWith(classOf[FrameworkRunner])
+@CreateLdapServer(transports = Array(new CreateTransport(protocol = "LDAP",
address = "localhost")))
+@CreateDS(allowAnonAccess = true, partitions = Array(new CreatePartition(name
= "Test_Partition",
+ suffix = "dc=example,dc=com", contextEntry = new ContextEntry(entryLdif =
"dn: dc=example," +
+"dc=com \ndc: example\nobjectClass: top\n" + "objectClass: domain\n\n"
+@ApplyLdifs(Array("dn: uid=bjones,dc=example,dc=com", "cn: Bob Jones", "sn:
Jones",
+ "objectClass: inetOrgPerson", "uid: bjones", "userPassword: p@ssw0rd"))
+class TestLdapAuthenticationProviderImpl extends AbstractLdapTestUnit {
+ private var handler: LdapAuthenticationProviderImpl = null
+ private var user = "bjones"
+ private var pwd = "p@ssw0rd"
+ val livyConf = new LivyConf()
+
+ @Before
+ @throws[Exception]
+ def setup(): Unit = {
+livyConf.set(LivyConf.THRIFT_AUTHENTICATION, "ldap")
+livyConf.set(LivyConf.THRIFT_LDAP_AUTHENTICATION_BASEDN,
"dc=example,dc=com")
+livyConf.set(LivyConf.THRIFT_LDAP_AUTHENTICATION_URL,
String.format("ldap://%s:%s";, "localhost",
+ AbstractLdapTestUnit.getLdapServer.getPort.toString))
+livyConf.set(LivyConf.THRIFT_LDAP_AUTHENTICATION_USERFILTER, "bjones,jake")
+ }
+
+ @Test(timeout = 6)
+ @throws[AuthenticationException]
+ def testAuthenticatePasses(): Unit = {
+
Review comment:
It was removed in the previous commit
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
With regards,
Apache Git Services
[GitHub] [incubator-livy] captainzmc commented on a change in pull request #236: [LIVY-678] Thrift ldap authentication, based on ldapurl, basedn, domain
captainzmc commented on a change in pull request #236: [LIVY-678] Thrift ldap
authentication, based on ldapurl, basedn, domain
URL: https://github.com/apache/incubator-livy/pull/236#discussion_r333420717
##
File path:
thriftserver/server/src/test/scala/org/apache/livy/thriftserver/auth/TestLdapAuthenticationProviderImpl.scala
##
@@ -0,0 +1,126 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ *http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.livy.thriftserver.auth
+
+import javax.security.sasl.AuthenticationException
+
+import org.apache.directory.server.annotations.CreateLdapServer
+import org.apache.directory.server.annotations.CreateTransport
+import org.apache.directory.server.core.annotations.ApplyLdifs
+import org.apache.directory.server.core.annotations.ContextEntry
+import org.apache.directory.server.core.annotations.CreateDS
+import org.apache.directory.server.core.annotations.CreatePartition
+import org.apache.directory.server.core.integ.AbstractLdapTestUnit
+import org.apache.directory.server.core.integ.FrameworkRunner
+import org.junit.Assert
+import org.junit.Before
+import org.junit.Test
+import org.junit.runner.RunWith
+
+import org.apache.livy.LivyConf
+
+/**
+ * This unit test verifies the functionality of
LdapAuthenticationProviderImpl.
+ */
+@RunWith(classOf[FrameworkRunner])
+@CreateLdapServer(transports = Array(new CreateTransport(protocol = "LDAP",
address = "localhost")))
+@CreateDS(allowAnonAccess = true, partitions = Array(new CreatePartition(name
= "Test_Partition",
+ suffix = "dc=example,dc=com", contextEntry = new ContextEntry(entryLdif =
"dn: dc=example," +
+"dc=com \ndc: example\nobjectClass: top\n" + "objectClass: domain\n\n"
+@ApplyLdifs(Array("dn: uid=bjones,dc=example,dc=com", "cn: Bob Jones", "sn:
Jones",
+ "objectClass: inetOrgPerson", "uid: bjones", "userPassword: p@ssw0rd"))
+class TestLdapAuthenticationProviderImpl extends AbstractLdapTestUnit {
+ private var handler: LdapAuthenticationProviderImpl = null
+ private var user = "bjones"
+ private var pwd = "p@ssw0rd"
+ val livyConf = new LivyConf()
+
+ @Before
+ @throws[Exception]
+ def setup(): Unit = {
+livyConf.set(LivyConf.THRIFT_AUTHENTICATION, "ldap")
+livyConf.set(LivyConf.THRIFT_LDAP_AUTHENTICATION_BASEDN,
"dc=example,dc=com")
+livyConf.set(LivyConf.THRIFT_LDAP_AUTHENTICATION_URL,
String.format("ldap://%s:%s";, "localhost",
+ AbstractLdapTestUnit.getLdapServer.getPort.toString))
+livyConf.set(LivyConf.THRIFT_LDAP_AUTHENTICATION_USERFILTER, "bjones,jake")
+ }
+
+ @Test(timeout = 6)
+ @throws[AuthenticationException]
+ def testAuthenticatePasses(): Unit = {
+
Review comment:
It was removed in the previous commit
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
With regards,
Apache Git Services
[GitHub] [incubator-livy] captainzmc commented on a change in pull request #236: [LIVY-678] Thrift ldap authentication, based on ldapurl, basedn, domain
captainzmc commented on a change in pull request #236: [LIVY-678] Thrift ldap
authentication, based on ldapurl, basedn, domain
URL: https://github.com/apache/incubator-livy/pull/236#discussion_r333419265
##
File path:
thriftserver/server/src/main/scala/org/apache/livy/thriftserver/auth/ldap/LdapUtils.scala
##
@@ -0,0 +1,124 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ *http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.livy.thriftserver.auth.ldap
+
+import org.apache.commons.lang.StringUtils
+
+import org.apache.livy.{LivyConf, Logging}
+
+/**
+ * Static utility methods related to LDAP authentication module.
+ */
+object LdapUtils extends Logging{
+
+ /**
+* Extracts username from user DN.
+*
+* Examples:
+*
+* LdapUtils.extractUserName("UserName")= "UserName"
+* LdapUtils.extractUserName("usern...@mycorp.com") = "UserName"
+* LdapUtils.extractUserName("cn=UserName,dc=mycompany,dc=com") = "UserName"
+*
+*
+* @param userDn
+* @return
+*/
+ def extractUserName(userDn: String): String = {
+if (!isDn(userDn) && !hasDomain(userDn)) return userDn
+val domainIdx = indexOfDomainMatch(userDn)
+if (domainIdx > 0) return userDn.substring(0, domainIdx)
+if (userDn.contains("=")) return userDn.substring(userDn.indexOf("=") + 1,
userDn.indexOf(","))
+userDn
+ }
+
+ /**
+* Get the index separating the user name from domain name (the user's name
up
+* to the first '/' or '@').
+*
+* @param userName full user name.
+* @return index of domain match or -1 if not found
+*/
+ def indexOfDomainMatch(userName: String): Int = {
+if (userName == null) return -1
+val idx = userName.indexOf('/')
+val idx2 = userName.indexOf('@')
+var endIdx = Math.min(idx, idx2) // Use the earlier match.
+// Unless at least one of '/' or '@' was not found, in
+// which case, user the latter match.
+if (endIdx == -1) endIdx = Math.max(idx, idx2)
+endIdx
+ }
+
+ /**
+* Check for a domain part in the provided username.
+*
Review comment:
This is usually formatted when the API is displayed in idea
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
With regards,
Apache Git Services
[GitHub] [incubator-livy] captainzmc commented on a change in pull request #236: [LIVY-678] Thrift ldap authentication, based on ldapurl, basedn, domain
captainzmc commented on a change in pull request #236: [LIVY-678] Thrift ldap
authentication, based on ldapurl, basedn, domain
URL: https://github.com/apache/incubator-livy/pull/236#discussion_r333418190
##
File path:
thriftserver/server/src/main/scala/org/apache/livy/thriftserver/auth/ldap/LdapUtils.scala
##
@@ -0,0 +1,124 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ *http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.livy.thriftserver.auth.ldap
+
+import org.apache.commons.lang.StringUtils
+
+import org.apache.livy.{LivyConf, Logging}
+
+/**
+ * Static utility methods related to LDAP authentication module.
+ */
+object LdapUtils extends Logging{
+
+ /**
+* Extracts username from user DN.
+*
+* Examples:
+*
+* LdapUtils.extractUserName("UserName")= "UserName"
+* LdapUtils.extractUserName("usern...@mycorp.com") = "UserName"
+* LdapUtils.extractUserName("cn=UserName,dc=mycompany,dc=com") = "UserName"
+*
+*
+* @param userDn
+* @return
+*/
+ def extractUserName(userDn: String): String = {
+if (!isDn(userDn) && !hasDomain(userDn)) return userDn
+val domainIdx = indexOfDomainMatch(userDn)
+if (domainIdx > 0) return userDn.substring(0, domainIdx)
+if (userDn.contains("=")) return userDn.substring(userDn.indexOf("=") + 1,
userDn.indexOf(","))
+userDn
+ }
+
+ /**
+* Get the index separating the user name from domain name (the user's name
up
+* to the first '/' or '@').
+*
+* @param userName full user name.
+* @return index of domain match or -1 if not found
+*/
+ def indexOfDomainMatch(userName: String): Int = {
+if (userName == null) return -1
+val idx = userName.indexOf('/')
+val idx2 = userName.indexOf('@')
+var endIdx = Math.min(idx, idx2) // Use the earlier match.
+// Unless at least one of '/' or '@' was not found, in
+// which case, user the latter match.
+if (endIdx == -1) endIdx = Math.max(idx, idx2)
+endIdx
+ }
+
+ /**
+* Check for a domain part in the provided username.
+*
+* Example:
+*
+*
+* LdapUtils.hasDomain("us...@mycorp.com") = true
+* LdapUtils.hasDomain("user1")= false
+*
+*
+* @param userName username
+* @return true if { @code userName} contains { @code @} part
+*/
+ def hasDomain(userName: String): Boolean = {
+indexOfDomainMatch(userName) > 0
+ }
+
+ /**
+* Detects DN names.
+*
+* Example:
+*
+*
+* LdapUtils.isDn("cn=UserName,dc=mycompany,dc=com") = true
+* LdapUtils.isDn("user1") = false
+*
+*
+* @param name name to be checked
+* @return true if the provided name is a distinguished name
+*/
+ def isDn(name: String): Boolean = {
+name.contains("=")
+ }
+
+ /**
+* Creates a principal to be used for user authentication.
+*
+* @param conf Livy configuration
+* @param user username
+* @return a list of user's principal
+*/
+ def createCandidatePrincipal(conf: LivyConf, user: String): String = {
+val ldapDomain = conf.get(LivyConf.THRIFT_LDAP_AUTHENTICATION_DOMAIN)
+val ldapBaseDN = conf.get(LivyConf.THRIFT_LDAP_AUTHENTICATION_BASEDN)
Review comment:
DN can be represented as a directory in ldap, for example: google.com, then
DN can be represented as: dc= Google,dc=com
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
With regards,
Apache Git Services
[GitHub] [incubator-livy] captainzmc commented on a change in pull request #236: [LIVY-678] Thrift ldap authentication, based on ldapurl, basedn, domain
captainzmc commented on a change in pull request #236: [LIVY-678] Thrift ldap
authentication, based on ldapurl, basedn, domain
URL: https://github.com/apache/incubator-livy/pull/236#discussion_r330583924
##
File path:
thriftserver/server/src/main/scala/org/apache/livy/thriftserver/auth/LdapAuthenticationProviderImpl.scala
##
@@ -0,0 +1,80 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ *http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.livy.thriftserver.auth
+
+import javax.security.sasl.AuthenticationException
+
+import org.apache.commons.lang.StringUtils
+import org.apache.hive.service.auth.PasswdAuthenticationProvider
+
+import org.apache.livy.thriftserver.auth.ldap._
+import org.apache.livy.LivyConf
+
+object LdapAuthenticationProviderImpl {
+
+ // Initialize the Chain Filter List. Now GroupFilter is not supported.
+ // If needed, GroupFilter can be added in this list.
+
+ private def createFilters(conf: LivyConf): Filter = {
+val chainFilters: List[Filter] = List[Filter](new UserFilter(conf))
+val filter: Filter = new ChainFilter(chainFilters)
+filter
+ }
+}
+
+class LdapAuthenticationProviderImpl(val conf: LivyConf) extends
PasswdAuthenticationProvider {
+ final private val filter: Filter =
LdapAuthenticationProviderImpl.createFilters(conf)
+ final private val searchFactory: DirSearchFactory = new LdapSearchFactory()
+
+ @throws[AuthenticationException]
+ def Authenticate(user: String, password: String): Unit = {
+createDirSearch(user, password)
+applyFilter(user)
+ }
+
+ @throws[AuthenticationException]
+ private def createDirSearch(user: String, password: String): Unit = {
+if (StringUtils.isBlank(user) || StringUtils.isEmpty(user)) {
+ throw new AuthenticationException("Error validating LDAP:" +
+" a null or blank user name has been provided")
+}
+if (StringUtils.isBlank(password) || StringUtils.isEmpty(password)) {
+ throw new AuthenticationException("Error validating LDAP:" +
+" a null or blank password has been provided")
+}
+val principal = LdapUtils.createCandidatePrincipal(conf, user)
+try {
+ searchFactory.getInstance(conf, principal, password)
+} catch {
+ case e: AuthenticationException =>
+throw new AuthenticationException(s"Error validating " +
+ s"LDAP user: $user, password: $password", e)
+}
+ }
+
+ @throws[AuthenticationException]
+ private def applyFilter(user: String): Unit = {
+if (filter != null) {
Review comment:
I have already determined userFilterStr != null in UserFilter, this place is
redundant, I will delete it in the next commit
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
With regards,
Apache Git Services
[GitHub] [incubator-livy] captainzmc commented on a change in pull request #236: [LIVY-678] Thrift ldap authentication, based on ldapurl, basedn, domain
captainzmc commented on a change in pull request #236: [LIVY-678] Thrift ldap
authentication, based on ldapurl, basedn, domain
URL: https://github.com/apache/incubator-livy/pull/236#discussion_r328134533
##
File path:
thriftserver/server/src/main/scala/org/apache/livy/thriftserver/auth/LdapAuthenticationProviderImpl.scala
##
@@ -0,0 +1,85 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ *http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.livy.thriftserver.auth
+
+import javax.security.sasl.AuthenticationException
+
+import org.apache.commons.lang.StringUtils
+import org.apache.hive.service.auth.PasswdAuthenticationProvider
+
+import org.apache.livy.thriftserver.auth.ldap._
+import org.apache.livy.LivyConf
+
+object LdapAuthenticationProviderImpl {
+
+ // Initialize the Chain FilterFactory List. Now GroupFilter is not supported.
+ // If needed, GroupFilterFactory can be added in this list.
+ var chainFactories: List[FilterFactory] = List[FilterFactory](new
UserFilterFactory)
+
+ private def resolveFilter(conf: LivyConf): Filter = {
Review comment:
I'll direct create filters instead of using factories.
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
With regards,
Apache Git Services
[GitHub] [incubator-livy] captainzmc commented on a change in pull request #236: [LIVY-678] Thrift ldap authentication, based on ldapurl, basedn, domain
captainzmc commented on a change in pull request #236: [LIVY-678] Thrift ldap
authentication, based on ldapurl, basedn, domain
URL: https://github.com/apache/incubator-livy/pull/236#discussion_r328131911
##
File path:
thriftserver/server/src/test/scala/org/apache/livy/thriftserver/auth/TestLdapAuthenticationProviderImpl.scala
##
@@ -0,0 +1,126 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ *http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.livy.thriftserver.auth
+
+import javax.security.sasl.AuthenticationException
+
+import org.apache.directory.server.annotations.CreateLdapServer
+import org.apache.directory.server.annotations.CreateTransport
+import org.apache.directory.server.core.annotations.ApplyLdifs
+import org.apache.directory.server.core.annotations.ContextEntry
+import org.apache.directory.server.core.annotations.CreateDS
+import org.apache.directory.server.core.annotations.CreatePartition
+import org.apache.directory.server.core.integ.AbstractLdapTestUnit
+import org.apache.directory.server.core.integ.FrameworkRunner
+import org.junit.Assert
+import org.junit.Before
+import org.junit.Test
+import org.junit.runner.RunWith
+
+import org.apache.livy.LivyConf
+
+/**
+ * This unit test verifies the functionality of
LdapAuthenticationProviderImpl.
+ */
+@RunWith(classOf[FrameworkRunner])
+@CreateLdapServer(transports = Array(new CreateTransport(protocol = "LDAP",
address = "localhost")))
+@CreateDS(allowAnonAccess = true, partitions = Array(new CreatePartition(name
= "Test_Partition",
+ suffix = "dc=example,dc=com", contextEntry = new ContextEntry(entryLdif =
"dn: dc=example," +
+"dc=com \ndc: example\nobjectClass: top\n" + "objectClass: domain\n\n"
+@ApplyLdifs(Array("dn: uid=bjones,dc=example,dc=com", "cn: Bob Jones", "sn:
Jones",
+ "objectClass: inetOrgPerson", "uid: bjones", "userPassword: p@ssw0rd"))
+class TestLdapAuthenticationProviderImpl extends AbstractLdapTestUnit {
Review comment:
Here we extends AbstractLdapTestUnit an abstract class. So extends
org.scalatest.FunSuite is not supported. We're going to use org.junit.test
instead.
I had tested it in Travis, It can be executed normally.
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
With regards,
Apache Git Services
[GitHub] [incubator-livy] captainzmc commented on a change in pull request #236: [LIVY-678] Thrift ldap authentication, based on ldapurl, basedn, domain
captainzmc commented on a change in pull request #236: [LIVY-678] Thrift ldap
authentication, based on ldapurl, basedn, domain
URL: https://github.com/apache/incubator-livy/pull/236#discussion_r328126062
##
File path:
thriftserver/server/src/main/scala/org/apache/livy/thriftserver/auth/LdapAuthenticationProviderImpl.scala
##
@@ -0,0 +1,85 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ *http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.livy.thriftserver.auth
+
+import javax.security.sasl.AuthenticationException
+
+import org.apache.commons.lang.StringUtils
+import org.apache.hive.service.auth.PasswdAuthenticationProvider
+
+import org.apache.livy.thriftserver.auth.ldap._
+import org.apache.livy.LivyConf
+
+object LdapAuthenticationProviderImpl {
+
+ // Initialize the Chain FilterFactory List. Now GroupFilter is not supported.
+ // If needed, GroupFilterFactory can be added in this list.
+ var chainFactories: List[FilterFactory] = List[FilterFactory](new
UserFilterFactory)
+
+ private def resolveFilter(conf: LivyConf): Filter = {
Review comment:
The hive implementation is referenced here. Currently we only support
UserFilter, which is a little more complicated at this point. We may add other
filters later, so I suggest using factories for better reuse later.
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
With regards,
Apache Git Services
