You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@kyuubi.apache.org by ch...@apache.org on 2023/04/07 04:08:19 UTC
[kyuubi] branch branch-1.7 updated: [KYUUBI #4669] LDAP authentication allows auth user contains domain when bind.dn/pw enabled
This is an automated email from the ASF dual-hosted git repository.
chengpan pushed a commit to branch branch-1.7
in repository https://gitbox.apache.org/repos/asf/kyuubi.git
The following commit(s) were added to refs/heads/branch-1.7 by this push:
new 85e1a0538 [KYUUBI #4669] LDAP authentication allows auth user contains domain when bind.dn/pw enabled
85e1a0538 is described below
commit 85e1a0538c5bd6883e69ad165582bc595ae3a3fb
Author: pengqli <pe...@cisco.com>
AuthorDate: Fri Apr 7 12:07:47 2023 +0800
[KYUUBI #4669] LDAP authentication allows auth user contains domain when bind.dn/pw enabled
### _Why are the changes needed?_
Now, with binduser and bindpw enabled, the user authentication pass is incompatible with the domain user.
### _How was this patch tested?_
- [ ] Add some test cases that check the changes thoroughly including negative and positive cases if possible
- [ ] Add screenshots for manual tests if appropriate
- [x] [Run test](https://kyuubi.readthedocs.io/en/master/develop_tools/testing.html#running-tests) locally before make a pull request
Closes #4669 from dev-lpq/ldap_auth.
Closes #4669
b4d158718 [pengqli] LDAP authentication allows user contains domain UT
d365bdcb4 [pengqli] support LDAP authentication user has domain
Authored-by: pengqli <pe...@cisco.com>
Signed-off-by: Cheng Pan <ch...@apache.org>
(cherry picked from commit 6760c955cf57461389200ff08c78da7be71627fa)
Signed-off-by: Cheng Pan <ch...@apache.org>
---
.../LdapAuthenticationProviderImpl.scala | 7 +++---
.../service/authentication/ldap/LdapUtils.scala | 15 +++++++++++-
.../LdapAuthenticationProviderImplSuite.scala | 27 ++++++++++++++++++++++
3 files changed, 45 insertions(+), 4 deletions(-)
diff --git a/kyuubi-common/src/main/scala/org/apache/kyuubi/service/authentication/LdapAuthenticationProviderImpl.scala b/kyuubi-common/src/main/scala/org/apache/kyuubi/service/authentication/LdapAuthenticationProviderImpl.scala
index 06d08f3e4..d885da55b 100644
--- a/kyuubi-common/src/main/scala/org/apache/kyuubi/service/authentication/LdapAuthenticationProviderImpl.scala
+++ b/kyuubi-common/src/main/scala/org/apache/kyuubi/service/authentication/LdapAuthenticationProviderImpl.scala
@@ -27,6 +27,7 @@ import org.apache.kyuubi.config.KyuubiConf
import org.apache.kyuubi.service.ServiceUtils
import org.apache.kyuubi.service.authentication.LdapAuthenticationProviderImpl.FILTER_FACTORIES
import org.apache.kyuubi.service.authentication.ldap._
+import org.apache.kyuubi.service.authentication.ldap.LdapUtils.getUserName
class LdapAuthenticationProviderImpl(
conf: KyuubiConf,
@@ -70,7 +71,8 @@ class LdapAuthenticationProviderImpl(
if (usedBind) {
// If we used the bind user, then we need to authenticate again,
// this time using the full user name we got during the bind process.
- createDirSearch(search.findUserDn(user), password)
+ val username = getUserName(user)
+ createDirSearch(search.findUserDn(username), password)
}
} catch {
case e: NamingException =>
@@ -108,8 +110,7 @@ class LdapAuthenticationProviderImpl(
@throws[AuthenticationException]
private def applyFilter(client: DirSearch, user: String): Unit = filterOpt.foreach { filter =>
- val username = if (LdapUtils.hasDomain(user)) LdapUtils.extractUserName(user) else user
- filter.apply(client, username)
+ filter.apply(client, getUserName(user))
}
}
diff --git a/kyuubi-common/src/main/scala/org/apache/kyuubi/service/authentication/ldap/LdapUtils.scala b/kyuubi-common/src/main/scala/org/apache/kyuubi/service/authentication/ldap/LdapUtils.scala
index a48f9f48f..e304e96f7 100644
--- a/kyuubi-common/src/main/scala/org/apache/kyuubi/service/authentication/ldap/LdapUtils.scala
+++ b/kyuubi-common/src/main/scala/org/apache/kyuubi/service/authentication/ldap/LdapUtils.scala
@@ -105,12 +105,25 @@ object LdapUtils extends Logging {
* </pre>
*
* @param userName username
- * @return true if `userName`` contains `@<domain>` part
+ * @return true if `userName` contains `@<domain>` part
*/
def hasDomain(userName: String): Boolean = {
ServiceUtils.indexOfDomainMatch(userName) > 0
}
+ /**
+ * Get the username part in the provided user.
+ * <br>
+ * <b>Example:</b>
+ * <br>
+ * For user "user1@mycorp.com" this method will return "user1"
+ *
+ * @param user user
+ * @return the username part in the provided user
+ */
+ def getUserName(user: String): String =
+ if (LdapUtils.hasDomain(user)) LdapUtils.extractUserName(user) else user
+
/**
* Detects DN names.
* <br>
diff --git a/kyuubi-common/src/test/scala/org/apache/kyuubi/service/authentication/LdapAuthenticationProviderImplSuite.scala b/kyuubi-common/src/test/scala/org/apache/kyuubi/service/authentication/LdapAuthenticationProviderImplSuite.scala
index 718fc6f6e..d822408b9 100644
--- a/kyuubi-common/src/test/scala/org/apache/kyuubi/service/authentication/LdapAuthenticationProviderImplSuite.scala
+++ b/kyuubi-common/src/test/scala/org/apache/kyuubi/service/authentication/LdapAuthenticationProviderImplSuite.scala
@@ -27,6 +27,7 @@ import org.scalatestplus.mockito.MockitoSugar.mock
import org.apache.kyuubi.config.KyuubiConf
import org.apache.kyuubi.config.KyuubiConf._
import org.apache.kyuubi.service.authentication.ldap.{DirSearch, DirSearchFactory, LdapSearchFactory}
+import org.apache.kyuubi.service.authentication.ldap.LdapUtils.getUserName
class LdapAuthenticationProviderImplSuite extends WithLdapServer {
@@ -311,6 +312,32 @@ class LdapAuthenticationProviderImplSuite extends WithLdapServer {
verify(search, times(1)).findUserDn(mockEq(authUser))
}
+ test("AuthenticateWithBindDomainUserPasses") {
+ val bindUser = "cn=BindUser,ou=Users,ou=branch1,dc=mycorp,dc=com"
+ val bindPass = "Blah"
+ val authFullUser = "cn=user1,ou=Users,ou=branch1,dc=mycorp,dc=com"
+ val authUser = "user1@mydomain.com"
+ val authPass = "Blah2"
+ conf.set(AUTHENTICATION_LDAP_BIND_USER, bindUser)
+ conf.set(AUTHENTICATION_LDAP_BIND_PASSWORD, bindPass)
+
+ val username = getUserName(authUser)
+ when(search.findUserDn(mockEq(username))).thenReturn(authFullUser)
+
+ auth = new LdapAuthenticationProviderImpl(conf, factory)
+ auth.authenticate(authUser, authPass)
+
+ verify(factory, times(1)).getInstance(
+ isA(classOf[KyuubiConf]),
+ mockEq(bindUser),
+ mockEq(bindPass))
+ verify(factory, times(1)).getInstance(
+ isA(classOf[KyuubiConf]),
+ mockEq(authFullUser),
+ mockEq(authPass))
+ verify(search, times(1)).findUserDn(mockEq(username))
+ }
+
test("AuthenticateWithBindUserFailsOnAuthentication") {
val bindUser = "cn=BindUser,ou=Users,ou=branch1,dc=mycorp,dc=com"
val bindPass = "Blah"