Posted to issues@kylin.apache.org by "ASF GitHub Bot (Jira)" <ji...@apache.org> on 2019/11/12 02:29:00 UTC
[jira] [Commented] (KYLIN-4240) use kylin SSO without LDAP
[ https://issues.apache.org/jira/browse/KYLIN-4240?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16971998#comment-16971998 ]
ASF GitHub Bot commented on KYLIN-4240:
---------------------------------------
xiacongling commented on pull request #931: KYLIN-4240 use kylin SSO without LDAP
URL: https://github.com/apache/kylin/pull/931
KYLIN-4240 use kylin SSO without LDAP. See: https://issues.apache.org/jira/browse/KYLIN-4240
## add additional profile
First we change `kylin.sh` to support multiple profiles (`spring.profiles.active` can accept a list of profiles).
```
additional_security_profiles=`bash ${dir}/get-properties.sh kylin.security.additional-profiles`
if [[ "x${additional_security_profiles}" != "x" ]]; then
    spring_profile="${spring_profile},${additional_security_profiles}"
fi
```
We use the `custom` security profile and an additional `authn-cas` profile to enable it.
```
kylin.security.profile=custom
kylin.security.additional-profiles=authn-cas
```
## beans and security settings for CAS
Then we add the CAS security context to the classpath; here we put it in `server/resources/kylin-security-cas-plugin.xml` as a plugin. Define the following beans under the `authn-cas` profile:
```
<beans profile="authn-cas">
...
<spring-security:http pattern="/cas/**">
...
</spring-security:http>
</beans>
```
In the security http settings, the CAS filter is only applied on `/cas/**`. See the code for details.
## UI update
In the front end, a button is added to redirect to the CAS server.
![](https://issues.apache.org/jira/secure/attachment/12985571/screenshot.png)
Users can now log in with either username/password or SSO, and their groups can be managed in the `System` tab.
## Other improvements
- automatically add an admin user if there is none (controlled by `kylin.security.create-admin-when-absent`)
- change to `kylinSecurityProfile()` instead of `spring.profiles.active` to avoid mismatch
- fix ehcache settings for `custom` profile
- SAML without LDAP plugin (see `server/resources/kylin-security-saml-noldap-plugin.xml`)
## Appendix: properties for CAS
```
## Security settings, enable CAS
kylin.security.profile=custom
kylin.security.additional-profiles=authn-cas
## CAS properties
# kylin server url should be set for CAS callback, values should be set properly
kylin.server.url=http://localhost:7070/kylin
# change the cas server
kylin.security.cas.server.prefix=https://cas.example.com/
kylin.security.cas.server.login-url=https://cas.example.com/login
kylin.security.cas.server.logout-url=https://cas.example.com/logout
# optional properties, default values are listed below
#kylin.security.cas.default-groups=ALL_USERS
#kylin.security.cas.service-param=service
#kylin.security.cas.artifact-param=ticket
```
> use kylin SSO without LDAP
> --------------------------
>
> Key: KYLIN-4240
> URL: https://issues.apache.org/jira/browse/KYLIN-4240
> Project: Kylin
> Issue Type: Improvement
> Reporter: Congling Xia
> Priority: Major
> Attachments: screenshot.png
>
>
> Recently, we are integrating Kylin with our SSO service based on CAS. In our case, SSO provides only authentication but no authorization. Because our LDAP service is not used for application-specific information management, we plan to use the built-in user/group services to manage their authorities (as in the testing profile).
> I am doing some work with CAS authentication to make it work along with form login in Kylin. I don't know whether it is a common case that users need to be authenticated by an SSO and will be managed for roles/groups in Kylin itself when LDAP is not available. I'd like to share it for someone in need.
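A pre-deployment check for the CAS properties listed in the appendix of the pull request description, as an added example that is not part of the pull request or of Kylin's code. It flags missing CAS settings and URLs that are not https, since the CAS service ticket is carried in the callback URL and validated against the server prefix. The helper names, the host-consistency heuristic and the sample input are assumptions made for illustration.

```python
from urllib.parse import urlsplit

CAS_URL_KEYS = (
    "kylin.security.cas.server.prefix",
    "kylin.security.cas.server.login-url",
    "kylin.security.cas.server.logout-url",
)

def parse_properties(text):
    """Minimal key=value parser; '#' comment lines are skipped."""
    props = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and not line.lstrip().startswith("#"):
            props[key.strip()] = value.strip()
    return props

def check_cas_properties(text):
    """Hypothetical helper: findings for the CAS properties named in the PR appendix."""
    props = parse_properties(text)
    extra = props.get("kylin.security.additional-profiles", "")
    if "authn-cas" not in [p.strip() for p in extra.split(",")]:
        return []  # CAS profile not enabled, nothing to check
    findings = []
    if props.get("kylin.security.profile") != "custom":
        findings.append("kylin.security.profile: PR pairs authn-cas with 'custom'")
    for key in CAS_URL_KEYS + ("kylin.server.url",):
        if not props.get(key):
            findings.append(f"{key}: missing")
        elif urlsplit(props[key]).scheme != "https":
            findings.append(f"{key}: not https")
    # Heuristic (assumption): login/logout normally live on the prefix host.
    host = urlsplit(props.get(CAS_URL_KEYS[0], "")).netloc
    for key in CAS_URL_KEYS[1:]:
        if host and props.get(key) and urlsplit(props[key]).netloc != host:
            findings.append(f"{key}: host differs from server prefix")
    return findings

# Constructed sample: the appendix values as posted.
SAMPLE = """\
kylin.security.profile=custom
kylin.security.additional-profiles=authn-cas
kylin.server.url=http://localhost:7070/kylin
kylin.security.cas.server.prefix=https://cas.example.com/
kylin.security.cas.server.login-url=https://cas.example.com/login
kylin.security.cas.server.logout-url=https://cas.example.com/logout
"""
if __name__ == "__main__":
    print("\n".join(check_cas_properties(SAMPLE)))
```

Run against the appendix values as posted, the only finding is the plain-http `kylin.server.url`, which is the CAS callback address.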