Posted to commits@ambari.apache.org by rl...@apache.org on 2018/08/15 01:28:57 UTC

[ambari] branch branch-2.7 updated: [AMBARI-24451] ambari.ldap.advanced.group_mapping_rules does not work, LDAP sync does not add admin roles for configured group(s)

This is an automated email from the ASF dual-hosted git repository.

rlevas pushed a commit to branch branch-2.7
in repository https://gitbox.apache.org/repos/asf/ambari.git


The following commit(s) were added to refs/heads/branch-2.7 by this push:
     new 7fad78f  [AMBARI-24451] ambari.ldap.advanced.group_mapping_rules does not work, LDAP sync does not add admin roles for configured group(s)
7fad78f is described below

commit 7fad78f717ef29183bdbabafa226f5bc1ee61272
Author: Robert Levas <rl...@hortonworks.com>
AuthorDate: Fri Aug 10 11:35:59 2018 -0400

    [AMBARI-24451] ambari.ldap.advanced.group_mapping_rules does not work, LDAP sync does not add admin roles for configured group(s)
---
 .../server/security/authorization/Users.java       | 18 ++++-
 .../server/security/authorization/TestUsers.java   | 79 ++++++++++++++++++++--
 2 files changed, 89 insertions(+), 8 deletions(-)

diff --git a/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/Users.java b/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/Users.java
index 40d9701..3e750c6 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/Users.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/Users.java
@@ -36,6 +36,7 @@ import org.apache.ambari.server.configuration.Configuration;
 import org.apache.ambari.server.hooks.HookContextFactory;
 import org.apache.ambari.server.hooks.HookService;
 import org.apache.ambari.server.ldap.domain.AmbariLdapConfiguration;
+import org.apache.ambari.server.ldap.service.AmbariLdapConfigurationProvider;
 import org.apache.ambari.server.orm.dao.GroupDAO;
 import org.apache.ambari.server.orm.dao.MemberDAO;
 import org.apache.ambari.server.orm.dao.PermissionDAO;
@@ -121,7 +122,7 @@ public class Users {
   private PasswordEncoder passwordEncoder;
 
   @Inject
-  protected AmbariLdapConfiguration ldapConfiguration;
+  protected AmbariLdapConfigurationProvider ldapConfigurationProvider;
 
   @Inject
   protected Configuration configuration;
@@ -896,9 +897,20 @@ public class Users {
 
   private void processLdapAdminGroupMappingRules(Set<MemberEntity> membershipsToCreate) {
 
+    if (membershipsToCreate.isEmpty()) {
+      LOG.debug("There are no new memberships for which to process administrator group mapping rules.");
+      return;
+    }
+
+    AmbariLdapConfiguration ldapConfiguration = ldapConfigurationProvider.get();
+    if (ldapConfiguration == null) {
+      LOG.warn("The LDAP configuration is not available - no administrator group mappings will be processed.");
+      return;
+    }
+
     String adminGroupMappings = ldapConfiguration.groupMappingRules();
-    if (Strings.isNullOrEmpty(adminGroupMappings) || membershipsToCreate.isEmpty()) {
-      LOG.info("Nothing to do. LDAP admin group mappings: {}, Memberships to handle: {}", adminGroupMappings, membershipsToCreate.size());
+    if (Strings.isNullOrEmpty(adminGroupMappings)) {
+      LOG.debug("There are no administrator group mappings to be processed.");
       return;
     }
 
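Review bot: The method still carries no Javadoc explaining why the LDAP configuration is now obtained through `ldapConfigurationProvider.get()` on each call rather than from an injected field; that is the substance of the fix, and without a comment a later maintainer may cache it back into a field and reintroduce the stale-configuration behaviour. A short Javadoc above `processLdapAdminGroupMappingRules` should state that the configuration is resolved through the provider at call time so rule changes made after startup are honoured, and that the method returns without effect when there are no new memberships, no LDAP configuration, or no mapping rules. The warning emitted when `ldapConfiguration` is null would also be more actionable if it named the setting involved, e.g. `LOG.warn("The LDAP configuration is not available - no administrator group mapping rules (ambari.ldap.advanced.group_mapping_rules) will be processed.");`. The body of processLdapAdminGroupMappingRules continues past the end of the hunk.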
diff --git a/ambari-server/src/test/java/org/apache/ambari/server/security/authorization/TestUsers.java b/ambari-server/src/test/java/org/apache/ambari/server/security/authorization/TestUsers.java
index b5a1a17..8b52c9a 100644
--- a/ambari-server/src/test/java/org/apache/ambari/server/security/authorization/TestUsers.java
+++ b/ambari-server/src/test/java/org/apache/ambari/server/security/authorization/TestUsers.java
@@ -17,6 +17,7 @@
  */
 package org.apache.ambari.server.security.authorization;
 
+import static org.apache.ambari.server.configuration.AmbariServerConfigurationKey.GROUP_MAPPING_RULES;
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertNotNull;
 import static org.junit.Assert.assertNotSame;
@@ -26,12 +27,18 @@ import static org.junit.Assert.fail;
 
 import java.sql.SQLException;
 import java.util.Collection;
+import java.util.Collections;
 import java.util.List;
 
 import org.apache.ambari.server.AmbariException;
 import org.apache.ambari.server.H2DatabaseCleaner;
+import org.apache.ambari.server.configuration.AmbariServerConfigurationCategory;
+import org.apache.ambari.server.events.AmbariConfigurationChangedEvent;
+import org.apache.ambari.server.events.JpaInitializedEvent;
+import org.apache.ambari.server.events.publishers.AmbariEventPublisher;
 import org.apache.ambari.server.orm.GuiceJpaInitializer;
 import org.apache.ambari.server.orm.InMemoryDefaultTestModule;
+import org.apache.ambari.server.orm.dao.AmbariConfigurationDAO;
 import org.apache.ambari.server.orm.dao.GroupDAO;
 import org.apache.ambari.server.orm.dao.PermissionDAO;
 import org.apache.ambari.server.orm.dao.PrincipalDAO;
@@ -39,6 +46,7 @@ import org.apache.ambari.server.orm.dao.PrincipalTypeDAO;
 import org.apache.ambari.server.orm.dao.ResourceDAO;
 import org.apache.ambari.server.orm.dao.ResourceTypeDAO;
 import org.apache.ambari.server.orm.dao.UserDAO;
+import org.apache.ambari.server.orm.entities.AmbariConfigurationEntity;
 import org.apache.ambari.server.orm.entities.PermissionEntity;
 import org.apache.ambari.server.orm.entities.PrincipalEntity;
 import org.apache.ambari.server.orm.entities.PrincipalTypeEntity;
@@ -46,6 +54,10 @@ import org.apache.ambari.server.orm.entities.ResourceEntity;
 import org.apache.ambari.server.orm.entities.ResourceTypeEntity;
 import org.apache.ambari.server.orm.entities.UserAuthenticationEntity;
 import org.apache.ambari.server.orm.entities.UserEntity;
+import org.apache.ambari.server.security.ldap.LdapBatchDto;
+import org.apache.ambari.server.security.ldap.LdapGroupDto;
+import org.apache.ambari.server.security.ldap.LdapUserDto;
+import org.apache.ambari.server.security.ldap.LdapUserGroupMemberDto;
 import org.junit.After;
 import org.junit.Before;
 import org.junit.Test;
@@ -195,16 +207,14 @@ public class TestUsers {
     try {
       users.modifyAuthentication(foundLocalAuthenticationEntity, "user", null, false);
       fail("Null password should not be allowed");
-    }
-    catch (AmbariException e) {
+    } catch (AmbariException e) {
       assertEquals("The new password does not meet the Ambari password requirements", e.getLocalizedMessage());
     }
 
     try {
       users.modifyAuthentication(foundLocalAuthenticationEntity, "user", "", false);
       fail("Empty password should not be allowed");
-    }
-    catch (AmbariException e) {
+    } catch (AmbariException e) {
       assertEquals("The new password does not meet the Ambari password requirements", e.getLocalizedMessage());
     }
   }
@@ -528,7 +538,66 @@ public class TestUsers {
     assertEquals(3, userEntity2.getAuthenticationEntities().size());
   }
 
-    private UserAuthenticationEntity getAuthenticationEntity(UserEntity userEntity, UserAuthenticationType type) {
+  @Test
+  public void testProcessLdapSync() {
+    // Setup LDAP properties
+    AmbariConfigurationEntity entity = new AmbariConfigurationEntity();
+    entity.setCategoryName(GROUP_MAPPING_RULES.getConfigurationCategory().getCategoryName());
+    entity.setPropertyName(GROUP_MAPPING_RULES.key());
+    entity.setPropertyValue("admins");
+    injector.getInstance(AmbariConfigurationDAO.class).create(entity);
+
+    AmbariEventPublisher eventPublisher = injector.getInstance(AmbariEventPublisher.class);
+    eventPublisher.publish(new JpaInitializedEvent());
+    eventPublisher.publish(new AmbariConfigurationChangedEvent(AmbariServerConfigurationCategory.LDAP_CONFIGURATION.name()));
+
+    LdapBatchDto batchInfo = new LdapBatchDto();
+    LdapUserDto userToBeCreated;
+    LdapGroupDto groupToBeCreated;
+
+    userToBeCreated = new LdapUserDto();
+    userToBeCreated.setDn("dn=user1");
+    userToBeCreated.setUid("user1");
+    userToBeCreated.setUserName("User1");
+    batchInfo.getUsersToBeCreated().add(userToBeCreated);
+
+    userToBeCreated = new LdapUserDto();
+    userToBeCreated.setDn("dn=user2");
+    userToBeCreated.setUid("user2");
+    userToBeCreated.setUserName("User2");
+    batchInfo.getUsersToBeCreated().add(userToBeCreated);
+
+    groupToBeCreated = new LdapGroupDto();
+    groupToBeCreated.setGroupName("admins");
+    groupToBeCreated.setMemberAttributes(Collections.singleton("dn=User1"));
+    batchInfo.getGroupsToBeCreated().add(groupToBeCreated);
+
+    groupToBeCreated = new LdapGroupDto();
+    groupToBeCreated.setGroupName("non-admins");
+    groupToBeCreated.setMemberAttributes(Collections.singleton("dn=User2"));
+    batchInfo.getGroupsToBeCreated().add(groupToBeCreated);
+
+    batchInfo.getMembershipToAdd().add(new LdapUserGroupMemberDto("admins", "user1"));
+    batchInfo.getMembershipToAdd().add(new LdapUserGroupMemberDto("non-admins", "user2"));
+
+    users.processLdapSync(batchInfo);
+
+    assertNotNull(users.getUser("user1"));
+    assertNotNull(users.getUser("user2"));
+
+    Collection<AmbariGrantedAuthority> authorities;
+
+    authorities = users.getUserAuthorities("user1");
+    assertNotNull(authorities);
+    assertEquals(1, authorities.size());
+    assertEquals("AMBARI.ADMINISTRATOR", authorities.iterator().next().getPrivilegeEntity().getPermission().getPermissionName());
+
+    authorities = users.getUserAuthorities("user2");
+    assertNotNull(authorities);
+    assertEquals(0, authorities.size());
+  }
+
+  private UserAuthenticationEntity getAuthenticationEntity(UserEntity userEntity, UserAuthenticationType type) {
     assertNotNull(userEntity);
     Collection<UserAuthenticationEntity> authenticationEntities = userEntity.getAuthenticationEntities();
     assertNotNull(authenticationEntities);
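Review bot: The group member attributes in `testProcessLdapSync` are set to `Collections.singleton("dn=User1")` and `"dn=User2"`, while the users are created with DNs `dn=user1` and `dn=user2`; the assertions pass because the memberships come from `getMembershipToAdd`, but if member attributes are ever matched against user DNs the case difference would silently change what this test exercises. Suggest `groupToBeCreated.setMemberAttributes(Collections.singleton("dn=user1"));` and the equivalent for user2 so the fixture is internally consistent. The test covers only the matching case; a companion case with an empty or non-matching `GROUP_MAPPING_RULES` value would pin the early-return branches the fix adds and confirm that no administrator role is granted then.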