Posted to commits@ambari.apache.org by rl...@apache.org on 2015/05/25 15:45:14 UTC

ambari git commit: AMBARI-11362. Kerberos: Creating principals in AD when special characters are involved causes failures (rlevas)

Repository: ambari
Updated Branches:
  refs/heads/trunk e59405796 -> 171f8b8e0


AMBARI-11362. Kerberos: Creating principals in AD when special characters are involved causes failures (rlevas)


Project: http://git-wip-us.apache.org/repos/asf/ambari/repo
Commit: http://git-wip-us.apache.org/repos/asf/ambari/commit/171f8b8e
Tree: http://git-wip-us.apache.org/repos/asf/ambari/tree/171f8b8e
Diff: http://git-wip-us.apache.org/repos/asf/ambari/diff/171f8b8e

Branch: refs/heads/trunk
Commit: 171f8b8e0599c7d65a3857be0333dcdf79b40903
Parents: e594057
Author: Robert Levas <rl...@hortonworks.com>
Authored: Mon May 25 09:44:58 2015 -0400
Committer: Robert Levas <rl...@hortonworks.com>
Committed: Mon May 25 09:45:09 2015 -0400

----------------------------------------------------------------------
 .../kerberos/ADKerberosOperationHandler.java    | 92 +++++---------------
 .../ADKerberosOperationHandlerTest.java         | 15 ----
 2 files changed, 24 insertions(+), 83 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/ambari/blob/171f8b8e/ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/ADKerberosOperationHandler.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/ADKerberosOperationHandler.java b/ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/ADKerberosOperationHandler.java
index 38a7563..7f82cfd 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/ADKerberosOperationHandler.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/ADKerberosOperationHandler.java
@@ -30,8 +30,19 @@ import org.apache.velocity.exception.MethodInvocationException;
 import org.apache.velocity.exception.ParseErrorException;
 import org.apache.velocity.exception.ResourceNotFoundException;
 
-import javax.naming.*;
-import javax.naming.directory.*;
+import javax.naming.AuthenticationException;
+import javax.naming.CommunicationException;
+import javax.naming.Context;
+import javax.naming.NamingEnumeration;
+import javax.naming.NamingException;
+import javax.naming.directory.Attribute;
+import javax.naming.directory.Attributes;
+import javax.naming.directory.BasicAttribute;
+import javax.naming.directory.BasicAttributes;
+import javax.naming.directory.DirContext;
+import javax.naming.directory.ModificationItem;
+import javax.naming.directory.SearchControls;
+import javax.naming.directory.SearchResult;
 import javax.naming.ldap.Control;
 import javax.naming.ldap.InitialLdapContext;
 import javax.naming.ldap.LdapContext;
@@ -41,13 +52,9 @@ import java.io.StringWriter;
 import java.io.UnsupportedEncodingException;
 import java.lang.reflect.Type;
 import java.util.Collection;
-import java.util.Collections;
 import java.util.HashMap;
-import java.util.HashSet;
-import java.util.List;
 import java.util.Map;
 import java.util.Properties;
-import java.util.Set;
 
 /**
  * Implementation of <code>KerberosOperationHandler</code> to created principal in Active Directory
@@ -59,34 +66,6 @@ public class ADKerberosOperationHandler extends KerberosOperationHandler {
   private static final String LDAP_CONTEXT_FACTORY_CLASS = "com.sun.jndi.ldap.LdapCtxFactory";
 
   /**
-   * A Set of special characters that need to be escaped if they exist within a value in a
-   * Distinguished Name.
-   *
-   * See http://social.technet.microsoft.com/wiki/contents/articles/5312.active-directory-characters-to-escape.aspx
-   */
-  private static final Set<Character> SPECIAL_DN_CHARACTERS = Collections.unmodifiableSet(
-      new HashSet<Character>() {
-        {
-          add('/');
-          add(',');
-          add('\\');
-          add('#');
-          add('+');
-          add('<');
-          add('>');
-          add(';');
-          add('"');
-          add('=');
-          add(' ');
-        }
-      });
-
-  /**
-   * The character to use to escape a special character within a value in a Distinguished Name
-   */
-  private static final Character DN_ESCAPE_CHARACTER = '\\';
-
-  /**
    * A String containing the URL for the LDAP interface for the relevant Active Directory
    */
   private String ldapUrl = null;
@@ -302,12 +281,16 @@ public class ADKerberosOperationHandler extends KerberosOperationHandler {
               attribute.add(object);
             }
           } else {
-            attribute.add(value);
-
             if ("cn".equals(key) && (value != null)) {
               cn = value.toString();
+            } else if ("sAMAccountName".equals(key) && (value != null)) {
+              // Replace the following _illegal_ characters: [ ] : ; | = + * ? < > / , (space) \
+              value = value.toString().replaceAll("\\[|\\]|\\:|\\;|\\||\\=|\\+|\\*|\\?|\\<|\\>|\\/|\\\\|\\,|\\s", "_");
             }
+
+            attribute.add(value);
           }
+
           attributes.put(attribute);
         }
       }
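Review bot: The sAMAccountName sanitization on line 121 maps every illegal character to the same `_`, so distinct principals such as `nn/host` and `nn,host` collapse into one account name and the second create fails on a name clash that the resulting error does not explain; the substitution should at least be logged at debug level when it changes the value. The pattern is also recompiled on every call and is easier to read as a single character class: `private static final Pattern ILLEGAL_SAM_ACCOUNT_NAME_CHARS = Pattern.compile("[\\[\\]:;|=+*?<>/,\\\\\\s]");` (needs `java.util.regex.Pattern`) with `value = ILLEGAL_SAM_ACCOUNT_NAME_CHARS.matcher(value.toString()).replaceAll("_");`. The deleted escapeDNCharacters test is not replaced by one exercising this substitution, so a unit test with a principal containing `/` and `,` would pin the new behaviour. The enclosing method starts and ends outside the hunk.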
@@ -316,8 +299,11 @@ public class ADKerberosOperationHandler extends KerberosOperationHandler {
     if (cn == null) {
       cn = deconstructedPrincipal.getNormalizedPrincipal();
     }
+
     try {
-      Name name = new CompositeName().add(String.format("cn=%s,%s", cn, principalContainerDn));
+      Rdn rdn = new Rdn("cn", cn);
+      LdapName name = new LdapName(principalContainerDn);
+      name.add(name.size(), rdn);
       ldapContext.createSubcontext(name, attributes);
     } catch (NamingException ne) {
       throw new KerberosOperationException("Can not create principal : " + principal, ne);
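Review bot: `name.add(name.size(), rdn)` on line 139 is the positional form of an append; `name.add(rdn)` does the same and reads as the intent. Building the RDN through `Rdn` is the right fix, since it escapes the comma, plus, quote and similar characters in `cn` that the old `String.format` left raw, but nothing in the code says so; a one-line comment such as `// Rdn escapes DN-special characters in cn, so callers must pass the raw value` would stop a later change from pre-escaping it and double-escaping the name. The enclosing method starts outside the hunk.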
@@ -354,7 +340,7 @@ public class ADKerberosOperationHandler extends KerberosOperationHandler {
 
       if (dn != null) {
         ldapContext.modifyAttributes(
-            escapeDNCharacters(dn),
+            dn,
             new ModificationItem[]{
                 new ModificationItem(DirContext.REPLACE_ATTRIBUTE, new BasicAttribute("unicodePwd", String.format("\"%s\"", password).getBytes("UTF-16LE")))
             }
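Review bot: `dn` is now handed to `modifyAttributes` as a plain String, and JNDI parses String names as composite names in which `/` separates components; that is the case the removed `escapeDNCharacters` (and its deleted test with `CN=nn/c6501...`) guarded against, so a DN derived from a principal like `nn/host` may no longer resolve through this call. Where `dn` comes from is outside the hunk, so if it can carry such characters the call should take an LDAP name instead, `new LdapName(dn),` in place of `dn,` — `InvalidNameException` is a `NamingException`, so the existing handling presumably still covers it, though the catch is not visible here. The enclosing method starts and ends outside the hunk.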
@@ -581,34 +567,4 @@ public class ADKerberosOperationHandler extends KerberosOperationHandler {
 
     return dn;
   }
-
-  /**
-   * Iterates through the characters of the given distinguished name to escape special characters
-   *
-   * @param dn the distinguished name to process
-   * @return the distinguished name with escaped characters
-   * @see #escapeCharacters(String, java.util.Set, Character)
-   */
-  protected String escapeDNCharacters(String dn) throws InvalidNameException {
-    if ((dn == null) || dn.isEmpty()) {
-      return dn;
-    } else {
-      LdapName name = new LdapName(dn);
-      List<Rdn> rdns = name.getRdns();
-
-      if ((rdns == null) || rdns.isEmpty()) {
-        throw new InvalidNameException(String.format("One or more RDNs are expected for a DN of %s", dn));
-      }
-
-      StringBuilder builder = new StringBuilder();
-      for (Rdn rdn : rdns) {
-        builder.insert(0,
-            String.format(",%s=%s",
-                rdn.getType(),
-                escapeCharacters((String) rdn.getValue(), SPECIAL_DN_CHARACTERS, DN_ESCAPE_CHARACTER)));
-      }
-
-      return builder.substring(1);
-    }
-  }
 }

http://git-wip-us.apache.org/repos/asf/ambari/blob/171f8b8e/ambari-server/src/test/java/org/apache/ambari/server/serveraction/kerberos/ADKerberosOperationHandlerTest.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/test/java/org/apache/ambari/server/serveraction/kerberos/ADKerberosOperationHandlerTest.java b/ambari-server/src/test/java/org/apache/ambari/server/serveraction/kerberos/ADKerberosOperationHandlerTest.java
index 48bf473..d7fffb2 100644
--- a/ambari-server/src/test/java/org/apache/ambari/server/serveraction/kerberos/ADKerberosOperationHandlerTest.java
+++ b/ambari-server/src/test/java/org/apache/ambari/server/serveraction/kerberos/ADKerberosOperationHandlerTest.java
@@ -441,21 +441,6 @@ public class ADKerberosOperationHandlerTest extends KerberosOperationHandlerTest
 
   }
 
-  @Test
-  public void testEscapeDistinguishedName() throws NoSuchMethodException, InvalidNameException {
-    ADKerberosOperationHandler handler = new ADKerberosOperationHandler();
-
-    try {
-      handler.escapeDNCharacters("nn/c6501.ambari.apache.org");
-      Assert.fail("Expected InvalidNameException");
-    } catch (InvalidNameException e) {
-      // This is expected
-    }
-
-    Assert.assertEquals("CN=nn\\/c6501.ambari.apache.org,OU=HDP,DC=HDP01,DC=LOCAL",
-        handler.escapeDNCharacters("CN=nn/c6501.ambari.apache.org,OU=HDP,DC=HDP01,DC=LOCAL"));
-  }
-
   /**
    * Implementation to illustrate the use of operations on this class
    *