Posted to reviews@ambari.apache.org by Sebastian Toader <st...@hortonworks.com> on 2016/03/24 14:04:34 UTC

Review Request 45284: Ambari LDAP integration cannot handle LDAP directories with multiple entries for the same user

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/45284/
-----------------------------------------------------------

Review request for Ambari, Andrii Tkach, Dmitro Lisnichenko, Myroslav Papirkovskyy, Oliver Szabo, Robert Levas, and Yusaku Sako.


Bugs: AMBARI-15554
    https://issues.apache.org/jira/browse/AMBARI-15554


Repository: ambari


Description
-------

Problem:
In case LDAP is set up with multiple Domains which are joined into a Forest with trusts between the different Domains, users may appear in different locations in LDAP.
Since users who want to access Ambari can be in any domain, Ambari has to search the whole forest, and as the users appearing in multiple domains are identical, Ambari cannot filter out all but one of the user entries.

Solution:
1. If the LDAP search upon login to Ambari leads to multiple user matches due to the user appearing in multiple domains, show an error message to the user prompting them to provide the domain as well to log in (e.g. Login Failed: Please append your domain to your username and try again. Example: username@domain).

2. When the user provides domain information at login as well, Ambari looks up the user in LDAP using a different filter, which is configurable. If this configuration is not set, Ambari defaults to filtering by userPrincipalName.

3. A map of login name (login alias) to Ambari user name is stored in the session so that later, whenever needed, the login name can be resolved to the Ambari user name (user name stored in the Ambari database).

4. User-related REST API calls include the user name in the URL. There is a filter set up for these to resolve the user name in the URL to the Ambari user name if needed.


Diffs
-----

  ambari-server/pom.xml 1e44517 
  ambari-server/src/main/java/org/apache/ambari/server/api/UserNameOverrideFilter.java PRE-CREATION 
  ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java bf18325 
  ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariServer.java 076f850 
  ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariAuthentication.java PRE-CREATION 
  ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariLdapAuthenticationProvider.java 20cf2fd 
  ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariLdapAuthoritiesPopulator.java fc7f73a 
  ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariLdapBindAuthenticator.java ed68c01 
  ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariLdapUtils.java PRE-CREATION 
  ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AuthorizationHelper.java b136182 
  ambari-server/src/main/java/org/apache/ambari/server/security/authorization/DuplicateLdapUserFoundAuthenticationException.java PRE-CREATION 
  ambari-server/src/main/java/org/apache/ambari/server/security/authorization/LdapServerProperties.java 8eeaf35 
  ambari-server/src/main/resources/webapp/WEB-INF/spring-security.xml 3bbc785 
  ambari-server/src/test/java/org/apache/ambari/server/api/UserNameOverrideFilterTest.java PRE-CREATION 
  ambari-server/src/test/java/org/apache/ambari/server/configuration/ConfigurationTest.java 3ecb5aa 
  ambari-server/src/test/java/org/apache/ambari/server/security/AmbariLdapUtilsTest.java PRE-CREATION 
  ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AmbariAuthenticationTest.java PRE-CREATION 
  ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AmbariLdapAuthenticationProviderForDuplicateUserTest.java PRE-CREATION 
  ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AmbariLdapAuthenticationProviderTest.java d48be85 
  ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AmbariLdapBindAuthenticatorTest.java PRE-CREATION 
  ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AuthorizationHelperTest.java 62f719d 
  ambari-server/src/test/java/org/apache/ambari/server/security/authorization/LdapServerPropertiesTest.java 0797239 
  ambari-server/src/test/java/org/apache/ambari/server/security/authorization/TestAmbariLdapAuthoritiesPopulator.java 7c72f4c 
  ambari-server/src/test/resources/users.ldif 3620e63 
  ambari-server/src/test/resources/users_with_duplicate_uid.ldif PRE-CREATION 
  ambari-web/app/controllers/login_controller.js fc64a54 
  ambari-web/app/router.js ccf8cb4 
  ambari-web/test/controllers/login_controller_test.js 90ba06a 

Diff: https://reviews.apache.org/r/45284/diff/


Testing
-------

Manual testing using OpenLDAP. Since OpenLDAP does not support the userPrincipalName attribute, the manual testing used the email address (filter config in ambari properties: authorization.ldap.alternateUserSearchFilter=(&(mail={0})(objectClass={userObjectClass})))

UI unit tests:
24692 tests complete (21 seconds)
  145 tests pending

Ambari server unit tests:
Results :

Tests run: 4035, Failures: 0, Errors: 0, Skipped: 33


Thanks,

Sebastian Toader
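
The lookup rules from the Solution list above, as an added sketch that is not code from this patch or from Ambari: a bare login that matches several entries is rejected, a login carrying a domain goes through the alternate filter, and the login alias is recorded for later resolution. Assumptions: the class and method names, the in-memory directory standing in for LDAP, the `uid` primary filter, the `person` object class, and taking the Ambari user name from `uid`; the password bind is left out.

```java
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Added illustration, not Ambari source. Class, method and entry names are hypothetical.
public class DuplicateLdapUserDemo {
  // Assumption: bare logins are searched by uid; the alternate filter defaults to userPrincipalName.
  static final String PRIMARY = "(&(uid={0})(objectClass={userObjectClass}))";
  static final String ALTERNATE = "(&(userPrincipalName={0})(objectClass={userObjectClass}))";
  static final Pattern SHAPE = Pattern.compile("\\(&\\((\\w+)=(.*)\\)\\(objectClass=(\\w+)\\)\\)");
  static final Pattern HEX = Pattern.compile("\\\\([0-9a-fA-F]{2})");

  // Constructed sample forest: uid "jdoe" exists in two trusted domains.
  static final List<Map<String, String>> DIRECTORY = List.of(
      Map.of("uid", "jdoe", "userPrincipalName", "jdoe@emea.example.com", "objectClass", "person"),
      Map.of("uid", "jdoe", "userPrincipalName", "jdoe@apac.example.com", "objectClass", "person"),
      Map.of("uid", "asmith", "userPrincipalName", "asmith@emea.example.com", "objectClass", "person"));

  static class DuplicateUserException extends RuntimeException {
    DuplicateUserException() {
      super("Login Failed: Please append your domain to your username and try again."
          + " Example: username@domain");
    }
  }

  // RFC 4515 escaping so user input cannot change the structure of the filter.
  static String escape(String value) {
    StringBuilder sb = new StringBuilder();
    for (char c : value.toCharArray()) {
      sb.append("\\*()\0".indexOf(c) >= 0 ? String.format("\\%02x", (int) c) : String.valueOf(c));
    }
    return sb.toString();
  }

  // A login carrying a domain (username@domain) selects the alternate filter.
  static String buildFilter(String login) {
    String template = login.contains("@") ? ALTERNATE : PRIMARY;
    // Fill the object class first so text inside the login is never treated as a placeholder.
    return template.replace("{userObjectClass}", "person").replace("{0}", escape(login));
  }

  // Stand-in for the directory server: evaluates only the two-clause filter shape above.
  static List<Map<String, String>> search(String filter) {
    Matcher m = SHAPE.matcher(filter);
    if (!m.matches()) throw new IllegalArgumentException("unsupported filter: " + filter);
    Matcher hex = HEX.matcher(m.group(2));
    StringBuffer value = new StringBuffer();
    while (hex.find()) { // decode \XX escapes back to the literal character
      char c = (char) Integer.parseInt(hex.group(1), 16);
      hex.appendReplacement(value, Matcher.quoteReplacement(String.valueOf(c)));
    }
    hex.appendTail(value);
    List<Map<String, String>> hits = new ArrayList<>();
    for (Map<String, String> e : DIRECTORY) {
      if (value.toString().equalsIgnoreCase(e.get(m.group(1)))
          && m.group(3).equals(e.get("objectClass"))) {
        hits.add(e);
      }
    }
    return hits;
  }

  // Resolves a login to one user name and records the alias (kept in the session in the review).
  static String resolveUser(String login, Map<String, String> sessionAliases) {
    List<Map<String, String>> hits = search(buildFilter(login));
    if (hits.isEmpty()) {
      throw new IllegalStateException("user not found");
    }
    if (hits.size() > 1) { // ambiguous: refuse instead of taking the first entry
      throw new DuplicateUserException();
    }
    String ambariUser = hits.get(0).get("uid"); // assumption: Ambari user name comes from uid
    sessionAliases.put(login, ambariUser);
    return ambariUser;
  }

  public static void main(String[] args) {
    Map<String, String> session = new HashMap<>();
    System.out.println(resolveUser("asmith", session));
    try {
      resolveUser("jdoe", session);
    } catch (DuplicateUserException e) {
      System.out.println(e.getMessage());
    }
    System.out.println(resolveUser("jdoe@apac.example.com", session));
    System.out.println(buildFilter("*)(uid=*")); // filter metacharacters arrive escaped
    System.out.println(session);
  }
}
```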


Re: Review Request 45284: Ambari LDAP integration cannot handle LDAP directories with multiple entries for the same user

Posted by Robert Levas <rl...@hortonworks.com>.

> On March 24, 2016, 12:52 p.m., Robert Levas wrote:
> > ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariAuthentication.java, line 39
> > <https://reviews.apache.org/r/45284/diff/1/?file=1313635#file1313635line39>
> >
> >     Is there any chance that this will be `null`? There seem to be a lot of internal calls that will throw an NPE if this is `null`.
> >     
> >     See `getPrincipalOverride()`
> 
> Sebastian Toader wrote:
>     If authentication is null then that's a critical error that we cannot recover from. The authentication object is created by the Spring Security framework (Basic authentication). If this is null we should fail fast.

Thanks for the clarification. Dropping the issue.


- Robert


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/45284/#review125279
-----------------------------------------------------------




Re: Review Request 45284: Ambari LDAP integration cannot handle LDAP directories with multiple entries for the same user

Posted by Sebastian Toader <st...@hortonworks.com>.

> On March 24, 2016, 5:52 p.m., Robert Levas wrote:
> > ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariAuthentication.java, line 39
> > <https://reviews.apache.org/r/45284/diff/1/?file=1313635#file1313635line39>
> >
> >     Is there any chance that this will be `null`? There seem to be a lot of internal calls that will throw an NPE if this is `null`.
> >     
> >     See `getPrincipalOverride()`

If authentication is null then that's a critical error that we cannot recover from. The authentication object is created by the Spring Security framework (Basic authentication). If this is null we should fail fast.


- Sebastian


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/45284/#review125279
-----------------------------------------------------------




Re: Review Request 45284: Ambari LDAP integration cannot handle LDAP directories with multiple entries for the same user

Posted by Robert Levas <rl...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/45284/#review125279
-----------------------------------------------------------


Fix it, then Ship it!





ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariAuthentication.java (line 39)
<https://reviews.apache.org/r/45284/#comment188064>

    Is there any chance that this will be `null`? There seem to be a lot of internal calls that will throw an NPE if this is `null`.
    
    See `getPrincipalOverride()`



ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariAuthentication.java (lines 193 - 210)
<https://reviews.apache.org/r/45284/#comment188072>

    Maybe exit out early if principal is `null`?  Seems like 2 unnecessary checks will be done in this case.


- Robert Levas




Re: Review Request 45284: Ambari LDAP integration cannot handle LDAP directories with multiple entries for the same user

Posted by Oliver Szabo <os...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/45284/#review125248
-----------------------------------------------------------




ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java (line 192)
<https://reviews.apache.org/r/45284/#comment188039>

    It should be authentication instead of authorization


- Oliver Szabo

