You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@knox.apache.org by km...@apache.org on 2016/01/19 23:36:47 UTC
knox git commit: [KNOX-650] - Add posixGroups support for LDAP groups
lookup
Repository: knox
Updated Branches:
refs/heads/master 447b8fd7a -> 9619a398f
[KNOX-650] - Add posixGroups support for LDAP groups lookup
Project: http://git-wip-us.apache.org/repos/asf/knox/repo
Commit: http://git-wip-us.apache.org/repos/asf/knox/commit/9619a398
Tree: http://git-wip-us.apache.org/repos/asf/knox/tree/9619a398
Diff: http://git-wip-us.apache.org/repos/asf/knox/diff/9619a398
Branch: refs/heads/master
Commit: 9619a398f9ed57d4cd7f705e73f100e85921bfdd
Parents: 447b8fd
Author: Kevin Minder <ke...@hortonworks.com>
Authored: Tue Jan 19 17:22:02 2016 -0500
Committer: Kevin Minder <ke...@hortonworks.com>
Committed: Tue Jan 19 17:26:47 2016 -0500
----------------------------------------------------------------------
CHANGES | 8 +
.../ldap/SimpleLdapDirectoryServer.java | 14 +
.../gateway/shirorealm/KnoxLdapRealm.java | 5 +
.../gateway/GatewayLdapPosixGroupFuncTest.java | 314 +++++++++++++++++++
.../GatewayLdapPosixGroupFuncTest/users.ldif | 106 +++++++
5 files changed, 447 insertions(+)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/knox/blob/9619a398/CHANGES
----------------------------------------------------------------------
diff --git a/CHANGES b/CHANGES
index 5916c6e..7cfc6db 100644
--- a/CHANGES
+++ b/CHANGES
@@ -2,6 +2,14 @@
Release Notes - Apache Knox - Version 0.7.0
------------------------------------------------------------------------------
** New Feature
+** Improvement
+ * [KNOX-650] - Add posixGroups support for LDAP groups lookup
+** Bug
+
+------------------------------------------------------------------------------
+Release Notes - Apache Knox - Version 0.7.0
+------------------------------------------------------------------------------
+** New Feature
* [KNOX-476] - implementation for X-Forwarded-* headers support and population
* [KNOX-547] - KnoxCLI adds new validate-topology and list-topologies commands.
* [KNOX-548] - KnoxCLI adds a new system-user-auth-test command to test a topology's system username and password
http://git-wip-us.apache.org/repos/asf/knox/blob/9619a398/gateway-demo-ldap/src/main/java/org/apache/hadoop/gateway/security/ldap/SimpleLdapDirectoryServer.java
----------------------------------------------------------------------
diff --git a/gateway-demo-ldap/src/main/java/org/apache/hadoop/gateway/security/ldap/SimpleLdapDirectoryServer.java b/gateway-demo-ldap/src/main/java/org/apache/hadoop/gateway/security/ldap/SimpleLdapDirectoryServer.java
index 139b83b..efa8df8 100644
--- a/gateway-demo-ldap/src/main/java/org/apache/hadoop/gateway/security/ldap/SimpleLdapDirectoryServer.java
+++ b/gateway-demo-ldap/src/main/java/org/apache/hadoop/gateway/security/ldap/SimpleLdapDirectoryServer.java
@@ -18,6 +18,10 @@
package org.apache.hadoop.gateway.security.ldap;
import org.apache.commons.io.FileUtils;
+import org.apache.directory.api.ldap.model.entry.DefaultModification;
+import org.apache.directory.api.ldap.model.entry.ModificationOperation;
+import org.apache.directory.api.ldap.model.exception.LdapException;
+import org.apache.directory.api.ldap.model.name.Dn;
import org.apache.directory.server.core.api.CoreSession;
import org.apache.directory.server.core.api.DirectoryService;
import org.apache.directory.server.core.api.partition.Partition;
@@ -50,6 +54,8 @@ public class SimpleLdapDirectoryServer {
factory.init( UUID.randomUUID().toString() );
service = factory.getDirectoryService();
+ enabledPosixSchema( service );
+
Partition partition = factory.getPartitionFactory().createPartition(
service.getSchemaManager(), "users", rootDn, 500, service.getInstanceLayout().getInstanceDirectory() );
service.addPartition( partition );
@@ -61,6 +67,14 @@ public class SimpleLdapDirectoryServer {
server = new LdapServer();
server.setTransports( transports );
server.setDirectoryService( service );
+
+ }
+
+ private static void enabledPosixSchema( DirectoryService service ) throws LdapException {
+ service.getSchemaManager().getLoadedSchema( "nis" ).enable();
+ service.getAdminSession().modify(
+ new Dn( "cn=nis,ou=schema" ),
+ new DefaultModification( ModificationOperation.REPLACE_ATTRIBUTE, "m-disabled", "FALSE" ) );
}
public void start() throws Exception {
http://git-wip-us.apache.org/repos/asf/knox/blob/9619a398/gateway-provider-security-shiro/src/main/java/org/apache/hadoop/gateway/shirorealm/KnoxLdapRealm.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-shiro/src/main/java/org/apache/hadoop/gateway/shirorealm/KnoxLdapRealm.java b/gateway-provider-security-shiro/src/main/java/org/apache/hadoop/gateway/shirorealm/KnoxLdapRealm.java
index 1006053..888b6a9 100644
--- a/gateway-provider-security-shiro/src/main/java/org/apache/hadoop/gateway/shirorealm/KnoxLdapRealm.java
+++ b/gateway-provider-security-shiro/src/main/java/org/apache/hadoop/gateway/shirorealm/KnoxLdapRealm.java
@@ -133,6 +133,8 @@ public class KnoxLdapRealm extends JndiLdapRealm {
private final static String MEMBER_URL = "memberUrl";
+ private final static String POSIX_GROUP = "posixGroup";
+
private static final String HASHING_ALGORITHM = "SHA-1";
static {
@@ -303,6 +305,9 @@ public class KnoxLdapRealm extends JndiLdapRealm {
}
}
} else {
+ if (groupObjectClass.equalsIgnoreCase(POSIX_GROUP)){
+ attrValue = memberAttributeValuePrefix + attrValue + memberAttributeValueSuffix;
+ }
if (userLdapDn.equals(new LdapName(attrValue))) {
groupNames.add(groupName);
String roleName = roleNameFor(groupName);
http://git-wip-us.apache.org/repos/asf/knox/blob/9619a398/gateway-test/src/test/java/org/apache/hadoop/gateway/GatewayLdapPosixGroupFuncTest.java
----------------------------------------------------------------------
diff --git a/gateway-test/src/test/java/org/apache/hadoop/gateway/GatewayLdapPosixGroupFuncTest.java b/gateway-test/src/test/java/org/apache/hadoop/gateway/GatewayLdapPosixGroupFuncTest.java
new file mode 100644
index 0000000..b8d520f
--- /dev/null
+++ b/gateway-test/src/test/java/org/apache/hadoop/gateway/GatewayLdapPosixGroupFuncTest.java
@@ -0,0 +1,314 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.gateway;
+
+import com.mycila.xmltool.XMLDoc;
+import com.mycila.xmltool.XMLTag;
+import org.apache.directory.server.protocol.shared.transport.TcpTransport;
+import org.apache.hadoop.gateway.config.GatewayConfig;
+import org.apache.hadoop.gateway.security.ldap.SimpleLdapDirectoryServer;
+import org.apache.hadoop.gateway.services.DefaultGatewayServices;
+import org.apache.hadoop.gateway.services.GatewayServices;
+import org.apache.hadoop.gateway.services.ServiceLifecycleException;
+import org.apache.hadoop.gateway.services.security.AliasService;
+import org.apache.hadoop.test.category.FunctionalTests;
+import org.apache.http.HttpStatus;
+import org.apache.log4j.Appender;
+import org.hamcrest.MatcherAssert;
+import org.hamcrest.Matchers;
+import org.junit.AfterClass;
+import org.junit.BeforeClass;
+import org.junit.Ignore;
+import org.junit.Test;
+import org.junit.experimental.categories.Category;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import java.io.File;
+import java.io.FileOutputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.net.ServerSocket;
+import java.net.URL;
+import java.util.Enumeration;
+import java.util.HashMap;
+import java.util.Map;
+import java.util.UUID;
+
+import static com.jayway.restassured.RestAssured.given;
+import static org.apache.hadoop.test.TestUtils.LOG_ENTER;
+import static org.apache.hadoop.test.TestUtils.LOG_EXIT;
+import static org.hamcrest.CoreMatchers.is;
+import static org.hamcrest.CoreMatchers.notNullValue;
+import static org.junit.Assert.assertThat;
+import static org.junit.Assert.fail;
+
+/**
+ * Functional test to verify : looking up ldap groups from directory
+ * and using them in acl authorization checks
+ *
+ */
+@Category(FunctionalTests.class)
+public class GatewayLdapPosixGroupFuncTest {
+
+ private static final long SHORT_TIMEOUT = 2000L;
+ private static final long MEDIUM_TIMEOUT = 5 * 1000L;
+
+ private static Class RESOURCE_BASE_CLASS = GatewayLdapPosixGroupFuncTest.class;
+ private static Logger LOG = LoggerFactory.getLogger( GatewayLdapPosixGroupFuncTest.class );
+
+ public static Enumeration<Appender> appenders;
+ public static GatewayConfig config;
+ public static GatewayServer gateway;
+ public static String gatewayUrl;
+ public static String clusterUrl;
+ public static SimpleLdapDirectoryServer ldap;
+ public static TcpTransport ldapTransport;
+
+ @BeforeClass
+ public static void setupSuite() throws Exception {
+ LOG_ENTER();
+ //appenders = NoOpAppender.setUp();
+ int port = setupLdap();
+ setupGateway(port);
+ LOG_EXIT();
+ }
+
+ @AfterClass
+ public static void cleanupSuite() throws Exception {
+ LOG_ENTER();
+ gateway.stop();
+ ldap.stop( true );
+ //FileUtils.deleteQuietly( new File( config.getGatewayHomeDir() ) );
+ //NoOpAppender.tearDown( appenders );
+ LOG_EXIT();
+ }
+
+ public static int setupLdap() throws Exception {
+ URL usersUrl = getResourceUrl( "users.ldif" );
+ int port = findFreePort();
+ ldapTransport = new TcpTransport( port );
+ ldap = new SimpleLdapDirectoryServer( "dc=hadoop,dc=apache,dc=org", new File( usersUrl.toURI() ), ldapTransport );
+ ldap.start();
+ LOG.info( "LDAP port = " + ldapTransport.getPort() );
+ return port;
+ }
+
+ public static void setupGateway(int ldapPort) throws Exception {
+
+ File targetDir = new File( System.getProperty( "user.dir" ), "target" );
+ File gatewayDir = new File( targetDir, "gateway-home-" + UUID.randomUUID() );
+ gatewayDir.mkdirs();
+
+ GatewayTestConfig testConfig = new GatewayTestConfig();
+ config = testConfig;
+ testConfig.setGatewayHomeDir( gatewayDir.getAbsolutePath() );
+
+ File topoDir = new File( testConfig.getGatewayTopologyDir() );
+ topoDir.mkdirs();
+
+ File deployDir = new File( testConfig.getGatewayDeploymentDir() );
+ deployDir.mkdirs();
+
+ File descriptor = new File( topoDir, "test-cluster.xml" );
+ FileOutputStream stream = new FileOutputStream( descriptor );
+ createTopology(ldapPort).toStream( stream );
+ stream.close();
+
+ DefaultGatewayServices srvcs = new DefaultGatewayServices();
+ Map<String,String> options = new HashMap<String,String>();
+ options.put( "persist-master", "true" );
+ options.put( "master", "hadoop" );
+
+ try {
+ srvcs.init( testConfig, options );
+ } catch ( ServiceLifecycleException e ) {
+ e.printStackTrace(); // I18N not required.
+ }
+
+ gateway = GatewayServer.startGateway( testConfig, srvcs );
+ MatcherAssert.assertThat( "Failed to start gateway.", gateway, notNullValue() );
+
+ LOG.info( "Gateway port = " + gateway.getAddresses()[ 0 ].getPort() );
+
+ gatewayUrl = "http://localhost:" + gateway.getAddresses()[0].getPort() + "/" + config.getGatewayPath();
+ clusterUrl = gatewayUrl + "/test-cluster";
+
+ GatewayServices services = GatewayServer.getGatewayServices();
+ AliasService aliasService = (AliasService)services.getService(GatewayServices.ALIAS_SERVICE);
+ aliasService.addAliasForCluster("test-cluster", "ldcSystemPassword", "guest-password");
+
+ char[] password1 = aliasService.getPasswordFromAliasForCluster( "test-cluster", "ldcSystemPassword");
+
+ descriptor = new File( topoDir, "test-cluster.xml" );
+ stream = new FileOutputStream( descriptor );
+ createTopology(ldapPort).toStream( stream );
+ stream.close();
+
+ try {
+ Thread.sleep(5000);
+ } catch (Exception e) {
+
+ }
+ }
+
+ private static XMLTag createTopology(int ldapPort) {
+ XMLTag xml = XMLDoc.newDocument( true )
+ .addRoot( "topology" )
+ .addTag( "gateway" )
+
+ .addTag( "provider" )
+ .addTag( "role" ).addText( "authentication" )
+ .addTag( "name" ).addText( "ShiroProvider" )
+ .addTag( "enabled" ).addText( "true" )
+ .addTag( "param" )
+ .addTag( "name" ).addText( "main.ldapRealm" )
+ .addTag( "value" ).addText( "org.apache.hadoop.gateway.shirorealm.KnoxLdapRealm" )
+ .gotoParent().addTag( "param" )
+ .addTag( "name" ).addText( "main.ldapGroupContextFactory" )
+ .addTag( "value" ).addText( "org.apache.hadoop.gateway.shirorealm.KnoxLdapContextFactory" )
+ .gotoParent().addTag( "param" )
+ .addTag( "name" ).addText( "main.ldapRealm.contextFactory" )
+ .addTag( "value" ).addText( "$ldapGroupContextFactory" )
+ .gotoParent().addTag( "param" )
+ .addTag( "name" ).addText( "main.ldapRealm.contextFactory.authenticationMechanism" )
+ .addTag( "value" ).addText( "simple" )
+ .gotoParent().addTag( "param" )
+ .addTag( "name" ).addText( "main.ldapRealm.contextFactory.url" )
+ .addTag( "value" ).addText( "ldap://localhost:" + ldapPort )
+ .gotoParent().addTag( "param" )
+ .addTag( "name" ).addText( "main.ldapRealm.userDnTemplate" )
+ .addTag( "value" ).addText( "uid={0},ou=people,dc=hadoop,dc=apache,dc=org" )
+ .gotoParent().addTag( "param" )
+ .addTag( "name" ).addText( "main.ldapRealm.authorizationEnabled" )
+ .addTag( "value" ).addText( "true" )
+ .gotoParent().addTag( "param" )
+ .addTag( "name" ).addText( "main.ldapRealm.contextFactory.systemAuthenticationMechanism" )
+ .addTag( "value" ).addText( "simple" )
+ .gotoParent().addTag( "param" )
+ .addTag( "name" ).addText( "main.ldapRealm.searchBase" )
+ .addTag( "value" ).addText( "ou=groups,dc=hadoop,dc=apache,dc=org" )
+ .gotoParent().addTag( "param" )
+ .addTag( "name" ).addText( "main.ldapRealm.groupObjectClass" )
+ .addTag( "value" ).addText( "posixGroup" )
+ .gotoParent().addTag( "param" )
+ .addTag( "name" ).addText( "main.ldapRealm.memberAttribute" )
+ .addTag( "value" ).addText( "memberUid" )
+ .gotoParent().addTag( "param" )
+ .addTag( "name" ).addText( "main.ldapRealm.memberAttributeValueTemplate" )
+ .addTag( "value" ).addText( "uid={0}" )
+ .gotoParent().addTag( "param" )
+ .addTag( "name" ).addText( "main.ldapRealm.contextFactory.clusterName" )
+ .addTag( "value" ).addText( "test-cluster" )
+ .gotoParent().addTag( "param" )
+ .addTag( "name" ).addText( "main.ldapRealm.contextFactory.systemUsername" )
+ .addTag( "value" ).addText( "uid=guest,ou=people,dc=hadoop,dc=apache,dc=org" )
+ .gotoParent().addTag( "param" )
+ .addTag( "name" ).addText( "main.ldapRealm.contextFactory.systemPassword" )
+ .addTag( "value" ).addText( "S{ALIAS=ldcSystemPassword}" )
+ .gotoParent().addTag( "param" )
+ .addTag( "name" ).addText( "urls./**" )
+ .addTag( "value" ).addText( "authcBasic" )
+
+ .gotoParent().gotoParent().addTag( "provider" )
+ .addTag( "role" ).addText( "authorization" )
+ .addTag( "name" ).addText( "AclsAuthz" )
+ .addTag( "enabled" ).addText( "true" )
+ .addTag( "param" )
+ .addTag( "name" ).addText( "test-service-role.acl" )
+ .addTag( "value" ).addText( "*;analyst;*" )
+
+ .gotoParent().gotoParent().addTag( "provider" )
+ .addTag( "role" ).addText( "identity-assertion" )
+ .addTag( "enabled" ).addText( "true" )
+ .addTag( "name" ).addText( "Default" ).gotoParent()
+
+ .gotoRoot()
+ .addTag( "service" )
+ .addTag( "role" ).addText( "test-service-role" )
+ .gotoRoot();
+
+ return xml;
+ }
+
+ private static int findFreePort() throws IOException {
+ ServerSocket socket = new ServerSocket(0);
+ int port = socket.getLocalPort();
+ socket.close();
+ return port;
+ }
+
+ public static InputStream getResourceStream( String resource ) throws IOException {
+ return getResourceUrl( resource ).openStream();
+ }
+
+ public static URL getResourceUrl( String resource ) {
+ URL url = ClassLoader.getSystemResource( getResourceName( resource ) );
+ assertThat( "Failed to find test resource " + resource, url, Matchers.notNullValue() );
+ return url;
+ }
+
+ public static String getResourceName( String resource ) {
+ return getResourceBaseName() + resource;
+ }
+
+ public static String getResourceBaseName() {
+ return RESOURCE_BASE_CLASS.getName().replaceAll( "\\.", "/" ) + "/";
+ }
+
+ @Ignore
+ // @Test
+ public void waitForManualTesting() throws IOException {
+ System.in.read();
+ }
+
+ @Test( timeout = MEDIUM_TIMEOUT )
+ public void testGroupMember() throws ClassNotFoundException, Exception {
+ LOG_ENTER();
+ String username = "sam";
+ String password = "sam-password";
+ String serviceUrl = clusterUrl + "/test-service-path/test-service-resource";
+ given()
+ //.log().all()
+ .auth().preemptive().basic( username, password )
+ .expect()
+ //.log().all()
+ .statusCode( HttpStatus.SC_OK )
+ .contentType( "text/plain" )
+ .body( is( "test-service-response" ) )
+ .when().get( serviceUrl );
+ LOG_EXIT();
+ }
+
+ @Test( timeout = MEDIUM_TIMEOUT )
+ public void testNonGroupMember() throws ClassNotFoundException {
+ LOG_ENTER();
+ String username = "guest";
+ String password = "guest-password";
+ String serviceUrl = clusterUrl + "/test-service-path/test-service-resource";
+ given()
+ //.log().all()
+ .auth().preemptive().basic( username, password )
+ .expect()
+ //.log().all()
+ .statusCode( HttpStatus.SC_FORBIDDEN )
+ .when().get( serviceUrl );
+ LOG_EXIT();
+ }
+
+}
http://git-wip-us.apache.org/repos/asf/knox/blob/9619a398/gateway-test/src/test/resources/org/apache/hadoop/gateway/GatewayLdapPosixGroupFuncTest/users.ldif
----------------------------------------------------------------------
diff --git a/gateway-test/src/test/resources/org/apache/hadoop/gateway/GatewayLdapPosixGroupFuncTest/users.ldif b/gateway-test/src/test/resources/org/apache/hadoop/gateway/GatewayLdapPosixGroupFuncTest/users.ldif
new file mode 100644
index 0000000..b7ef6e2
--- /dev/null
+++ b/gateway-test/src/test/resources/org/apache/hadoop/gateway/GatewayLdapPosixGroupFuncTest/users.ldif
@@ -0,0 +1,106 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# This ldif file is provided as a template to illustrate
+# use of posix style ldapgroup(s)
+
+version: 1
+
+# Sample root for entries
+dn: dc=hadoop,dc=apache,dc=org
+objectclass: organization
+objectclass: dcObject
+o: Hadoop
+dc: hadoop
+
+# Sample people container
+dn: ou=people,dc=hadoop,dc=apache,dc=org
+objectclass:top
+objectclass:organizationalUnit
+ou: people
+
+# Sample user
+dn: uid=guest,ou=people,dc=hadoop,dc=apache,dc=org
+objectclass:top
+objectclass:person
+objectclass:organizationalPerson
+objectclass:inetOrgPerson
+objectclass:posixAccount
+cn:Guest
+sn:User
+uid:guest
+uidNumber:1000
+gidNumber:101
+userPassword:guest-password
+homeDirectory:/home/guest
+
+# Sample user sam
+dn:uid=sam,ou=people,dc=hadoop,dc=apache,dc=org
+objectclass:top
+objectclass:person
+objectclass:organizationalPerson
+objectclass:inetOrgPerson
+objectclass:posixAccount
+cn:sam
+sn:sam
+uid:sam
+uidNumber:1001
+gidNumber:101
+userPassword:sam-password
+homeDirectory:/home/sam
+
+# Sample user tom
+dn:uid=tom,ou=people,dc=hadoop,dc=apache,dc=org
+objectclass:top
+objectclass:person
+objectclass:organizationalPerson
+objectclass:inetOrgPerson
+objectclass:posixAccount
+cn:tom
+sn:tom
+uid:tom
+uidNumber:1002
+gidNumber:100
+userPassword:tom-password
+homeDirectory:/home/tom
+
+# Create groups branch
+dn:ou=groups,dc=hadoop,dc=apache,dc=org
+objectclass:top
+objectclass:organizationalUnit
+ou:groups
+description:generic groups branch
+
+# Create the analyst group under groups
+dn:cn=analyst,ou=groups,dc=hadoop,dc=apache,dc=org
+objectclass:top
+objectclass:posixGroup
+cn:analyst
+gidNumber:100
+description:analyst group
+memberUid:sam
+memberUid:tom
+
+
+# Create the scientist group under groups
+dn:cn=scientist,ou=groups,dc=hadoop,dc=apache,dc=org
+objectclass:top
+objectclass:posixGroup
+cn:scientist
+gidNumber:101
+description:scientist group
+memberUid:sam
+