Posted to issues@kylin.apache.org by GitBox <gi...@apache.org> on 2019/11/24 03:42:36 UTC

[GitHub] [kylin] xiacongling opened a new pull request #958: KYLIN-4240 Kylin SSO with CAS or SAML without LDAP

xiacongling opened a new pull request #958: KYLIN-4240 Kylin SSO with CAS or SAML without LDAP
URL: https://github.com/apache/kylin/pull/958
 
 
   KYLIN-4240 Use Kylin SSO without LDAP. See: https://issues.apache.org/jira/browse/KYLIN-4240
   
   ## add additional profile
   First we change `kylin.sh` to support multiple profiles (`spring.profiles.active` can accept a list of profiles):
   ```
   additional_security_profiles=`bash ${dir}/get-properties.sh kylin.security.additional-profiles`
   if [[ "x${additional_security_profiles}" != "x" ]]; then
       spring_profile="${spring_profile},${additional_security_profiles}"
   fi
   ```
   
   ## UI update
   In the front end, a button is added to redirect to the CAS/SAML server.
   
   ![](https://issues.apache.org/jira/secure/attachment/12985571/screenshot.png)
   
   Users can now log in with either username/password or SSO, and their groups can be managed in the `System` tab.
   
   ## use CAS as an authentication option 
   
   Here we add `server/resources/kylin-security-cas-plugin.xml` to configure Spring Security for CAS, 
   defining the following beans under the `authn-cas` profile and filtering only `/cas/**`:
   ```
   <beans profile="authn-cas">
    ...
    <!-- Spring Security Settings -->
    <spring-security:http pattern="/cas/**">
     ...
    </spring-security:http>
   
    <!-- CAS Beans that will be used -->
    ...
   </beans>
   ```
   
   We use the `custom` security profile and an additional `authn-cas` profile to enable it.
   ```
   kylin.security.profile=custom
   kylin.security.additional-profiles=authn-cas
   ```
   
   Edit the following configurations to make it work properly.
   ```
   # kylin server url should be set for CAS callback, values should be set properly
   kylin.server.url=http://localhost:7070/kylin
   
   # change the cas server 
   kylin.security.cas.server.prefix=https://cas.example.com/
   kylin.security.cas.server.login-url=https://cas.example.com/login
   kylin.security.cas.server.logout-url=https://cas.example.com/logout
   
   # optional properties, default values are listed below
   #kylin.security.cas.default-groups=ALL_USERS
   #kylin.security.cas.service-param=service
   #kylin.security.cas.artifact-param=ticket
   ```
   Now, when the server is started, the "CAS Login" button will be shown on the login page.
   
   
   ## use SAML (without LDAP) as an authentication option
   
   Similar to CAS, SAML without LDAP is configured under the `custom` profile. The security settings in 
   `server/resources/kylin-security-saml-noldap-plugin.xml` are almost the same as those in 
   `server/resources/kylinSecurity.xml` with profile `saml`, except that it filters only `/saml/**` for authentication and LDAP settings are removed.
   
   When we set the profiles as follows
   ```
   kylin.security.profile=custom
   kylin.security.additional-profiles=authn-saml
   ```
   the "SAML Login" button will be shown on the login page. If the SAML settings are properly configured in 
   `kylin.properties`, it can redirect users to the SAML IdP and check their authenticity.

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
users@infra.apache.org


With regards,
Apache Git Services
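
Added example, not part of the pull request or of Kylin's code: a small Python lint for the CAS properties listed in the message above. CAS returns the service ticket to the callback URL as a query parameter (`ticket` by default, per `kylin.security.cas.artifact-param`), so the check flags a non-HTTPS `kylin.server.url` on anything but a loopback host and any non-HTTPS CAS server URL. The function names, the sample values and the HTTPS-except-loopback policy are assumptions of this example, as is the reading that `spring_profile` in `kylin.sh` starts from `kylin.security.profile`.

```python
from urllib.parse import urlsplit

# Constructed sample in the format of the PR's properties (values are made up).
SAMPLE = """\
kylin.security.profile=custom
kylin.security.additional-profiles=authn-cas
kylin.server.url=http://kylin.example.com:7070/kylin
kylin.security.cas.server.prefix=https://cas.example.com/
kylin.security.cas.server.login-url=https://cas.example.com/login
kylin.security.cas.server.logout-url=http://cas.example.com/logout
"""

LOOPBACK = {"localhost", "127.0.0.1", "::1"}
CAS_URL_KEYS = ["kylin.security.cas.server." + k for k in ("prefix", "login-url", "logout-url")]

def parse_properties(text):
    """Parse simple key=value lines, skipping blanks and '#' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def active_profiles(props):
    """Join the base and additional profiles, as the kylin.sh snippet does (assumed)."""
    extra = props.get("kylin.security.additional-profiles", "")
    names = [props.get("kylin.security.profile", "")] + extra.split(",")
    return [n.strip() for n in names if n.strip()]

def lint_cas(props):
    """Return findings for the CAS settings; empty when authn-cas is not active."""
    if "authn-cas" not in active_profiles(props):
        return []
    findings = []
    callback = urlsplit(props.get("kylin.server.url", ""))
    # The ticket arrives on this URL, so plain HTTP is tolerated only on loopback.
    if callback.scheme != "https" and callback.hostname not in LOOPBACK:
        findings.append("kylin.server.url: ticket callback is not HTTPS")
    for key in CAS_URL_KEYS:
        if urlsplit(props.get(key, "")).scheme != "https":
            findings.append(key + ": CAS server URL is not HTTPS")
    return findings

if __name__ == "__main__":
    for finding in lint_cas(parse_properties(SAMPLE)):
        print(finding)
```

The values shown in the pull request itself (`http://localhost:7070/kylin` with HTTPS CAS URLs) pass this lint, because the callback host is loopback.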