Posted to commits@ambari.apache.org by sm...@apache.org on 2018/08/27 17:49:58 UTC
[ambari] branch trunk updated: AMBARI-24533. Let end users disable
endpoint identification during SSL handshake with the LDAP server (#2165)
This is an automated email from the ASF dual-hosted git repository.
smolnar pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/ambari.git
The following commit(s) were added to refs/heads/trunk by this push:
new 4487562 AMBARI-24533. Let end users disable endpoint identification during SSL handshake with the LDAP server (#2165)
4487562 is described below
commit 448756230b4679644425af34728a41af6987e4c0
Author: Sandor Molnar <sm...@apache.org>
AuthorDate: Mon Aug 27 19:49:54 2018 +0200
AMBARI-24533. Let end users disable endpoint identification during SSL handshake with the LDAP server (#2165)
---
.../configuration/AmbariServerConfigurationKey.java | 1 +
.../server/ldap/domain/AmbariLdapConfiguration.java | 5 +++++
.../security/authorization/LdapServerProperties.java | 9 +++++++++
.../server/security/ldap/AmbariLdapDataPopulator.java | 16 ++++++++++++----
ambari-server/src/main/python/ambari-server.py | 1 +
.../src/main/python/ambari_server/setupSecurity.py | 6 ++++++
ambari-server/src/test/python/TestAmbariServer.py | 1 +
7 files changed, 35 insertions(+), 4 deletions(-)
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/configuration/AmbariServerConfigurationKey.java b/ambari-server/src/main/java/org/apache/ambari/server/configuration/AmbariServerConfigurationKey.java
index 2945c74..ccdb2ab 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/configuration/AmbariServerConfigurationKey.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/configuration/AmbariServerConfigurationKey.java
@@ -73,6 +73,7 @@ public enum AmbariServerConfigurationKey {
REFERRAL_HANDLING(AmbariServerConfigurationCategory.LDAP_CONFIGURATION, "ambari.ldap.advanced.referrals", PLAINTEXT, "follow", "Determines whether to follow LDAP referrals to other URLs when the LDAP controller doesn't have the requested object."),
PAGINATION_ENABLED(AmbariServerConfigurationCategory.LDAP_CONFIGURATION, "ambari.ldap.advanced.pagination_enabled", PLAINTEXT, "true", "Determines whether results from LDAP are paginated when requested."),
COLLISION_BEHAVIOR(AmbariServerConfigurationCategory.LDAP_CONFIGURATION, "ambari.ldap.advance.collision_behavior", PLAINTEXT, "convert", "Determines how to handle username collision while updating from LDAP."),
+ DISABLE_ENDPOINT_IDENTIFICATION(AmbariServerConfigurationCategory.LDAP_CONFIGURATION, "ambari.ldap.advanced.disable_endpoint_identification", PLAINTEXT, "false", "Determines whether to disable endpoint identification (hostname verification) during SSL handshake while updating from LDAP."),
/* ********************************************************
* SSO Configuration Keys
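Review bot: The description on the new DISABLE_ENDPOINT_IDENTIFICATION key says what the switch does but not what it gives up, and this string is what an administrator sees when deciding to turn it on. With endpoint identification off the certificate chain is still checked against the truststore, but any certificate that truststore accepts is then taken for the LDAP server whatever host name it was issued for, so the text should say that. Proposed description: `"Determines whether to disable endpoint identification (hostname verification) during SSL handshake while updating from LDAP. When disabled, any certificate trusted by the truststore is accepted regardless of the host name it was issued for; enable only if the LDAP server certificate cannot match its host name."` The surrounding enum continues outside the hunk.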
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/ldap/domain/AmbariLdapConfiguration.java b/ambari-server/src/main/java/org/apache/ambari/server/ldap/domain/AmbariLdapConfiguration.java
index 370ef3d..b8216b1 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/ldap/domain/AmbariLdapConfiguration.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/ldap/domain/AmbariLdapConfiguration.java
@@ -204,6 +204,10 @@ public class AmbariLdapConfiguration {
return configValue(AmbariServerConfigurationKey.REFERRAL_HANDLING);
}
+ public boolean disableEndpointIdentification() {
+ return Boolean.valueOf(configValue(AmbariServerConfigurationKey.DISABLE_ENDPOINT_IDENTIFICATION));
+ }
+
public Map<String, String> toMap() {
return (configurationMap == null) ? Collections.emptyMap() : new HashMap<>(configurationMap);
}
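Review bot: `Boolean.valueOf(...)` in the new disableEndpointIdentification() boxes a Boolean only to auto-unbox it on return, while the conversion of PAGINATION_ENABLED in the second hunk of this file uses `parseBoolean(configValue(...))`; the two should read the same way. Suggested body: `return Boolean.parseBoolean(configValue(AmbariServerConfigurationKey.DISABLE_ENDPOINT_IDENTIFICATION));`. A short Javadoc would also help, since the method silently yields false for a missing or malformed value (both valueOf and parseBoolean return false for null or anything other than "true", ignoring case), e.g. `/** Whether hostname verification is to be skipped during the LDAPS handshake; false when the key is unset or not "true". */`.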
@@ -269,6 +273,7 @@ public class AmbariLdapConfiguration {
ldapServerProperties.setSyncUserMemberFilter(configValue(AmbariServerConfigurationKey.USER_MEMBER_FILTER));
ldapServerProperties.setSyncGroupMemberFilter(configValue(AmbariServerConfigurationKey.GROUP_MEMBER_FILTER));
ldapServerProperties.setPaginationEnabled(parseBoolean(configValue(AmbariServerConfigurationKey.PAGINATION_ENABLED)));
+ ldapServerProperties.setDisableEndpointIdentification(disableEndpointIdentification());
if (hasAnyValueWithKey(AmbariServerConfigurationKey.GROUP_BASE, AmbariServerConfigurationKey.GROUP_OBJECT_CLASS, AmbariServerConfigurationKey.GROUP_MEMBER_ATTRIBUTE,
AmbariServerConfigurationKey.GROUP_NAME_ATTRIBUTE, AmbariServerConfigurationKey.GROUP_MAPPING_RULES, AmbariServerConfigurationKey.GROUP_SEARCH_FILTER)) {
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/LdapServerProperties.java b/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/LdapServerProperties.java
index 7937607..6ce3dc1 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/LdapServerProperties.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/LdapServerProperties.java
@@ -65,6 +65,7 @@ public class LdapServerProperties {
private String syncUserMemberFilter = "";
private String syncGroupMemberFilter = "";
+ private boolean disableEndpointIdentification = false;
//LDAP pagination properties
private boolean paginationEnabled = true;
private String adminGroupMappingMemberAttr = ""; // custom group search filter for admin mappings
@@ -296,6 +297,14 @@ public class LdapServerProperties {
return referralMethod;
}
+ public boolean isDisableEndpointIdentification() {
+ return disableEndpointIdentification;
+ }
+
+ public void setDisableEndpointIdentification(boolean disableEndpointIdentification) {
+ this.disableEndpointIdentification = disableEndpointIdentification;
+ }
+
public boolean isPaginationEnabled() {
return paginationEnabled;
}
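Review bot: The new disableEndpointIdentification field (added in the earlier hunk of this file) is not reflected in any equals/hashCode change in this commit — the file's nine added lines are all visible in the two hunks — yet AmbariLdapDataPopulator.loadLdapTemplate in this same commit decides whether to rebuild the context source with `properties.equals(getLdapProperties())`. If LdapServerProperties overrides equals (the override is outside this diff, so I cannot confirm it), a change to only this setting compares equal to the cached properties and the endpoint-identification switch is not applied until some unrelated LDAP property changes. Add the field to equals and hashCode alongside the other boolean flags such as paginationEnabled. The enclosing class continues outside the hunk.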
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/security/ldap/AmbariLdapDataPopulator.java b/ambari-server/src/main/java/org/apache/ambari/server/security/ldap/AmbariLdapDataPopulator.java
index 121e7a6..c4a25ce 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/security/ldap/AmbariLdapDataPopulator.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/security/ldap/AmbariLdapDataPopulator.java
@@ -95,6 +95,7 @@ public class AmbariLdapDataPopulator {
private static final String UID_ATTRIBUTE = "uid";
private static final String OBJECT_CLASS_ATTRIBUTE = "objectClass";
private static final int USERS_PAGE_SIZE = 500;
+ private static final String SYSTEM_PROPERTY_DISABLE_ENDPOINT_IDENTIFICATION = "com.sun.jndi.ldap.object.disableEndpointIdentification";
// REGEXP to check member attribute starts with "cn=" or "uid=" - case insensitive
private static final String IS_MEMBER_DN_REGEXP = "^(?i)(uid|cn|%s|%s)=.*$";
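Review bot: `com.sun.jndi.ldap.object.disableEndpointIdentification` is a JVM-wide system property read by the JDK's JNDI LDAP provider, not a per-connection setting, so the switch wired to this constant affects every LDAP connection the Ambari server process opens, not only the sync template built in this class; the constant deserves a comment saying so, e.g. `// JVM-wide switch read by the JDK JNDI LDAP provider: affects every LDAP connection in this process, not only the sync template`. Also worth confirming against the JDK Ambari targets: recent JDK releases read this property once during class initialisation of the LDAP provider, in which case setting or clearing it from loadLdapTemplate only takes effect if no LDAP connection has yet been opened in this JVM, and the dependable place to set it would be the server's JVM options rather than runtime code. The diff does not show which JDK is in use, so treat that as something to verify.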
@@ -760,9 +761,8 @@ public class AmbariLdapDataPopulator {
* @return LdapTemplate instance
*/
protected LdapTemplate loadLdapTemplate() {
- LdapServerProperties ldapServerProperties = getLdapProperties();
final LdapServerProperties properties = getConfiguration().getLdapServerProperties();
- if (ldapTemplate == null || !properties.equals(ldapServerProperties)) {
+ if (ldapTemplate == null || !properties.equals(getLdapProperties())) {
LOG.info("Reloading properties");
ldapServerProperties = properties;
@@ -780,6 +780,16 @@ public class AmbariLdapDataPopulator {
ldapContextSource.setPassword(ldapServerProperties.getManagerPassword());
}
+ if (ldapServerProperties.isUseSsl() && ldapServerProperties.isDisableEndpointIdentification()) {
+ System.setProperty(SYSTEM_PROPERTY_DISABLE_ENDPOINT_IDENTIFICATION, "true");
+ LOG.info("Disabled endpoint identification");
+ } else {
+ System.clearProperty(SYSTEM_PROPERTY_DISABLE_ENDPOINT_IDENTIFICATION);
+ LOG.info("Removed endpoint identification disabling");
+ }
+
+ ldapContextSource.setReferral(ldapServerProperties.getReferralMethod());
+
try {
ldapContextSource.afterPropertiesSet();
} catch (Exception e) {
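Review bot: The message logged when endpoint identification is disabled records a deliberate weakening of the LDAPS connection at INFO, the same level as the routine "Reloading properties" line above it, so an operator auditing the server has no level to filter on; log it at WARN and name the check being dropped: `LOG.warn("Endpoint identification (hostname verification) disabled for LDAPS connections");`. Separately, the else branch calls `System.clearProperty` whenever the Ambari setting is off or SSL is not in use, which also discards a value an operator set deliberately on the JVM command line; clearing only a value this method itself set, or leaving the property untouched when the Ambari setting is false, keeps the two configuration sources from overriding each other. loadLdapTemplate starts before this hunk and continues after it.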
@@ -787,8 +797,6 @@ public class AmbariLdapDataPopulator {
throw new UsernameNotFoundException("LDAP Context Source not loaded", e);
}
- ldapContextSource.setReferral(ldapServerProperties.getReferralMethod());
-
ldapTemplate = createLdapTemplate(ldapContextSource);
ldapTemplate.setIgnorePartialResultException(true);
diff --git a/ambari-server/src/main/python/ambari-server.py b/ambari-server/src/main/python/ambari-server.py
index 09019f3..6a05013 100755
--- a/ambari-server/src/main/python/ambari-server.py
+++ b/ambari-server/src/main/python/ambari-server.py
@@ -565,6 +565,7 @@ def init_ldap_setup_parser_options(parser):
parser.add_option('--ldap-referral', default=None, help="Referral method [follow/ignore] for LDAP", dest="ldap_referral")
parser.add_option('--ldap-bind-anonym', default=None, help="Bind anonymously [true/false] for LDAP", dest="ldap_bind_anonym")
parser.add_option('--ldap-sync-username-collisions-behavior', default=None, help="Handling behavior for username collisions [convert/skip] for LDAP sync", dest="ldap_sync_username_collisions_behavior")
+ parser.add_option('--ldap-sync-disable-endpoint-identification', default=None, help="Determines whether to disable endpoint identification (hostname verification) during SSL handshake for LDAP sync. This option takes effect only if --ldap-ssl is set to 'true'", dest="ldap_sync_disable_endpoint_identification")
parser.add_option('--ldap-force-lowercase-usernames', default=None, help="Declares whether to force the ldap user name to be lowercase or leave as-is", dest="ldap_force_lowercase_usernames")
parser.add_option('--ldap-pagination-enabled', default=None, help="Determines whether results from LDAP are paginated when requested", dest="ldap_pagination_enabled")
parser.add_option('--ldap-force-setup', action="store_true", default=False, help="Forces the use of LDAP even if other (i.e. PAM) authentication method is configured already or if there is no authentication method configured at all", dest="ldap_force_setup")
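Review bot: The help text for --ldap-sync-disable-endpoint-identification describes the mechanism but not the trade-off, and it is the text an administrator reads before accepting a weaker TLS check; it should say that the LDAP server certificate is then accepted regardless of the host name it was issued for. The `--ldap-sync-` prefix also suggests the option is scoped to synchronisation, whereas the Java side in this commit applies it through a JVM-wide system property, so the wording should not promise a narrower scope than the implementation delivers. Proposed: `help="Disable endpoint identification (hostname verification) during the SSL handshake with the LDAP server; the server certificate is then accepted regardless of the host name it was issued for. Takes effect only if --ldap-ssl is set to 'true'"`.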
diff --git a/ambari-server/src/main/python/ambari_server/setupSecurity.py b/ambari-server/src/main/python/ambari_server/setupSecurity.py
index ac0c4d4..9eacd1f 100644
--- a/ambari-server/src/main/python/ambari_server/setupSecurity.py
+++ b/ambari-server/src/main/python/ambari_server/setupSecurity.py
@@ -93,6 +93,7 @@ LDAP_MGR_USERNAME_PROPERTY = "ambari.ldap.connectivity.bind_dn"
LDAP_MGR_PASSWORD_FILENAME = "ldap-password.dat"
LDAP_ANONYMOUS_BIND="ambari.ldap.connectivity.anonymous_bind"
LDAP_USE_SSL="ambari.ldap.connectivity.use_ssl"
+LDAP_DISABLE_ENDPOINT_IDENTIFICATION = "ambari.ldap.advanced.disable_endpoint_identification"
NO_AUTH_METHOD_CONFIGURED = "no auth method"
def read_master_key(isReset=False, options = None):
@@ -750,6 +751,7 @@ def setup_ldap(options):
ldap_property_list_opt = [LDAP_MGR_USERNAME_PROPERTY,
LDAP_MGR_PASSWORD_PROPERTY,
+ LDAP_DISABLE_ENDPOINT_IDENTIFICATION,
SSL_TRUSTSTORE_TYPE_PROPERTY,
SSL_TRUSTSTORE_PATH_PROPERTY,
SSL_TRUSTSTORE_PASSWORD_PROPERTY]
@@ -790,6 +792,10 @@ def setup_ldap(options):
ts_password = None
if ldaps:
+ disable_endpoint_identification = get_validated_string_input("Disable endpoint identification during SSL handshake [true/false] (false): ", "false",
+ REGEX_TRUE_FALSE, "Invalid characters in the input!", False, allowEmpty=True, answer=options.ldap_sync_disable_endpoint_identification)
+ ldap_property_value_map[LDAP_DISABLE_ENDPOINT_IDENTIFICATION] = disable_endpoint_identification
+
truststore_default = "n"
truststore_set = bool(SSL_TRUSTSTORE_PATH_DEFAULT)
if truststore_set:
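Review bot: The new property is only written into ldap_property_value_map inside the `if ldaps:` branch, so a setup run with SSL turned off leaves whatever value an earlier LDAPS setup stored; if the stored configuration is updated key by key rather than replaced (I cannot tell from this hunk), a stale "true" survives and silently applies the next time SSL is re-enabled. Writing an explicit default in the non-SSL case avoids that: `else:` / `ldap_property_value_map[LDAP_DISABLE_ENDPOINT_IDENTIFICATION] = "false"`. setup_ldap starts before this hunk and continues after it.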
diff --git a/ambari-server/src/test/python/TestAmbariServer.py b/ambari-server/src/test/python/TestAmbariServer.py
index ca17ea7..6058ca1 100644
--- a/ambari-server/src/test/python/TestAmbariServer.py
+++ b/ambari-server/src/test/python/TestAmbariServer.py
@@ -8711,6 +8711,7 @@ class TestAmbariServer(TestCase):
options.ambari_admin_password = None
options.ldap_sync_admin_name = None
options.ldap_sync_username_collisions_behavior = None
+ options.ldap_sync_disable_endpoint_identification = None
options.ldap_force_lowercase_usernames = None
options.ldap_pagination_enabled = None
options.ldap_sync_admin_password = None