Posted to commits@kylin.apache.org by xx...@apache.org on 2023/02/14 05:54:31 UTC
[kylin] 02/33: KYLIN-5421 fix login user name the same as LDAP user
This is an automated email from the ASF dual-hosted git repository.
xxyu pushed a commit to branch kylin5
in repository https://gitbox.apache.org/repos/asf/kylin.git
commit 6d642e7f051b5e807144b6920af6d4387115b9b2
Author: lixiang <44...@qq.com>
AuthorDate: Thu Dec 8 23:18:23 2022 +0800
KYLIN-5421 fix login user name the same as LDAP user
* KYLIN-5421 fix login user name the same as LDAP user
---
.../src/main/resources/kylinSecurity.xml | 4 ++
.../src/main/resources/kylinSecurity.xml | 4 ++
.../LdapCaseIgnoreUserDetailsContextMapper.java | 53 ++++++++++++++++++++++
.../kylin/rest/service/LdapUserServiceTest.java | 15 +++---
.../src/test/resources/kylinSecurity.xml | 4 ++
.../src/test/resources/ut_ldap/ldap-server.ldif | 26 ++++++++++-
.../src/main/resources/kylinSecurity.xml | 4 ++
.../springframework/conf/kylinSecurity.xml | 4 ++
.../src/main/resources/kylinSecurity.xml | 4 ++
.../src/test/resources/kylinSecurity.xml | 4 ++
10 files changed, 115 insertions(+), 7 deletions(-)
diff --git a/src/common-booter/src/main/resources/kylinSecurity.xml b/src/common-booter/src/main/resources/kylinSecurity.xml
index d4050579db..f6fd5b2c8d 100644
--- a/src/common-booter/src/main/resources/kylinSecurity.xml
+++ b/src/common-booter/src/main/resources/kylinSecurity.xml
@@ -113,9 +113,12 @@
<property name="groupSearchFilter" value="${kylin.security.ldap.user-group-search-filter}"/>
</bean>
+ <bean id="ldapCaseIgnoreUserDetailsContextMapper" class="org.apache.kylin.rest.security.LdapCaseIgnoreUserDetailsContextMapper"/>
+
<bean id="ldapUserDetailsService" class="org.springframework.security.ldap.userdetails.LdapUserDetailsService">
<constructor-arg ref="ldapUserSearch"/>
<constructor-arg ref="ldapUserPopulator"/>
+ <property name="userDetailsMapper" ref="ldapCaseIgnoreUserDetailsContextMapper"/>
</bean>
<bean id="userAuthProvider"
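Review bot: The new `ldapCaseIgnoreUserDetailsContextMapper` bean field-injects a bean named `userService` typed as `LdapUserService` (see the new Java class in this commit), so this definition only works where `userService` is the LDAP implementation. The enclosing `<beans>` element is outside the hunk; if it is not the LDAP-only profile section, context start-up would presumably fail under other security profiles, so the placement should be confirmed. A short XML comment above the bean, such as `<!-- KYLIN-5421: replaces the submitted login name with the directory's canonical user name -->`, would explain why the default mapper is overridden. The same definition and wiring are repeated in the other six kylinSecurity.xml files in this commit.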
@@ -130,6 +133,7 @@
</bean>
</constructor-arg>
<constructor-arg ref="ldapUserPopulator"/>
+ <property name="userDetailsContextMapper" ref="ldapCaseIgnoreUserDetailsContextMapper"/>
</bean>
</constructor-arg>
</bean>
diff --git a/src/common-server/src/main/resources/kylinSecurity.xml b/src/common-server/src/main/resources/kylinSecurity.xml
index f8986f8ed9..82f50d3ee3 100644
--- a/src/common-server/src/main/resources/kylinSecurity.xml
+++ b/src/common-server/src/main/resources/kylinSecurity.xml
@@ -113,9 +113,12 @@
<property name="groupSearchFilter" value="${kylin.security.ldap.user-group-search-filter}"/>
</bean>
+ <bean id="ldapCaseIgnoreUserDetailsContextMapper" class="org.apache.kylin.rest.security.LdapCaseIgnoreUserDetailsContextMapper"/>
+
<bean id="ldapUserDetailsService" class="org.springframework.security.ldap.userdetails.LdapUserDetailsService">
<constructor-arg ref="ldapUserSearch"/>
<constructor-arg ref="ldapUserPopulator"/>
+ <property name="userDetailsMapper" ref="ldapCaseIgnoreUserDetailsContextMapper"/>
</bean>
<bean id="userAuthProvider"
@@ -130,6 +133,7 @@
</bean>
</constructor-arg>
<constructor-arg ref="ldapUserPopulator"/>
+ <property name="userDetailsContextMapper" ref="ldapCaseIgnoreUserDetailsContextMapper"/>
</bean>
</constructor-arg>
</bean>
diff --git a/src/common-service/src/main/java/org/apache/kylin/rest/security/LdapCaseIgnoreUserDetailsContextMapper.java b/src/common-service/src/main/java/org/apache/kylin/rest/security/LdapCaseIgnoreUserDetailsContextMapper.java
new file mode 100644
index 0000000000..f3248d2f3a
--- /dev/null
+++ b/src/common-service/src/main/java/org/apache/kylin/rest/security/LdapCaseIgnoreUserDetailsContextMapper.java
@@ -0,0 +1,53 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.kylin.rest.security;
+
+import java.util.Collection;
+import java.util.Map;
+
+import org.apache.kylin.rest.service.LdapUserService;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.beans.factory.annotation.Qualifier;
+import org.springframework.ldap.core.DirContextOperations;
+import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.core.userdetails.UserDetails;
+import org.springframework.security.ldap.userdetails.LdapUserDetailsMapper;
+
+public class LdapCaseIgnoreUserDetailsContextMapper extends LdapUserDetailsMapper {
+
+ private static final Logger logger = LoggerFactory.getLogger(LdapCaseIgnoreUserDetailsContextMapper.class);
+
+ @Autowired
+ @Qualifier("userService")
+ private LdapUserService ldapUserService;
+
+ @Override
+ public UserDetails mapUserFromContext(DirContextOperations ctx, String username,
+ Collection<? extends GrantedAuthority> authorities) {
+ String dn = ctx.getNameInNamespace();
+ logger.debug("Mapping user details from context with DN {}", dn);
+ Map<String, String> dnMap = ldapUserService.getDnMapperMap();
+ String realName = dnMap.get(dn);
+ logger.debug("ldap real name is {}", realName);
+ return super.mapUserFromContext(ctx, realName, authorities);
+ }
+
+}
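Review bot: `dnMap.get(dn)` in `mapUserFromContext` can return null, and the result is passed straight to `super.mapUserFromContext` as the username with no check. `getDnMapperMap()` is not visible here, but if it is a cached map keyed by the exact DN string, a user added to the directory after the map was built, or a DN whose case or spacing differs from the stored key, would miss the lookup and the login would likely fail with an opaque error from the parent mapper rather than a clear authentication failure. Handle the miss explicitly, for example `String realName = dnMap.getOrDefault(dn, username);`, or reject the login with a descriptive exception and log the DN at warn level. The class also has no Javadoc; one sentence stating that it replaces the submitted login name with the directory's canonical name for that DN would document the intent.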
diff --git a/src/common-service/src/test/java/org/apache/kylin/rest/service/LdapUserServiceTest.java b/src/common-service/src/test/java/org/apache/kylin/rest/service/LdapUserServiceTest.java
index 3414b84996..f897e4735a 100644
--- a/src/common-service/src/test/java/org/apache/kylin/rest/service/LdapUserServiceTest.java
+++ b/src/common-service/src/test/java/org/apache/kylin/rest/service/LdapUserServiceTest.java
@@ -218,10 +218,10 @@ public class LdapUserServiceTest extends NLocalFileMetadataTestCase {
@Test
public void testListUsers() throws Exception {
Set<String> users = ldapUserService.listUsers().stream().map(x -> x.getUsername()).collect(toSet());
- Assert.assertEquals(4, users.size());
+ Assert.assertEquals(6, users.size());
List<ManagedUser> managedUserList = ldapUserService.listUsers();
for (val user : managedUserList) {
- Assert.assertTrue(user.getAuthorities().size() > 1);
+ Assert.assertTrue(user.getAuthorities().size() >= 1);
}
}
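Review bot: Relaxing the check in `testListUsers` from `> 1` to `>= 1` weakens it for every user, not only for the entries added in this commit. If only the new fixture users have a single authority, keep the stricter expectation for the existing users and assert the new users' authorities by name, so a regression that drops group-derived authorities is still caught. The literal `6` is tied to the LDIF fixture; a comment such as `// 4 original fixture users + rick + ricky` would explain it.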
@@ -259,14 +259,17 @@ public class LdapUserServiceTest extends NLocalFileMetadataTestCase {
@Test
public void testOnNewUserAdded() throws Exception {
- Assert.assertFalse(ldapUserService.userExists("rick"));
- directoryServer.add("dn: cn=rick,ou=People,dc=example,dc=com", "objectClass: inetOrgPerson",
- "objectClass: organizationalPerson", "objectClass: person", "objectClass: top", "cn: rick",
- "sn: rick gan", "mail: rick@example.io", "ou: Modeler", "userPassword:: ZXhhbXBsZTEyMw==");
+ Assert.assertTrue(ldapUserService.userExists("rick"));
ldapUserService.onUserAuthenticated("rick");
Assert.assertTrue(ldapUserService.userExists("rick"));
}
+ @Test
+ public void testOnUserWithoutPassword() throws Exception {
+ ldapUserService.onUserAuthenticated("ricky");
+ Assert.assertTrue(ldapUserService.userExists("ricky"));
+ }
+
@Test
public void testAddGroup() {
thrown.expect(UnsupportedOperationException.class);
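Review bot: `testOnNewUserAdded` no longer adds a user: `userExists("rick")` is asserted true both before and after `onUserAuthenticated("rick")`, so the second assertion cannot fail on its own and the test name no longer matches what it checks. `testOnUserWithoutPassword` calls `onUserAuthenticated("ricky")` directly and never goes through authentication, so it does not show how a login attempt against an entry with an empty `userPassword` is treated. Consider renaming the first test and, if the test harness exposes the authentication provider (not visible in this hunk), adding an assertion that authenticating `ricky` with an empty password is rejected.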
diff --git a/src/common-service/src/test/resources/kylinSecurity.xml b/src/common-service/src/test/resources/kylinSecurity.xml
index cd258740c7..d8c4920319 100644
--- a/src/common-service/src/test/resources/kylinSecurity.xml
+++ b/src/common-service/src/test/resources/kylinSecurity.xml
@@ -105,9 +105,12 @@
<property name="groupSearchFilter" value="${kylin.security.ldap.user-group-search-filter}"/>
</bean>
+ <bean id="ldapCaseIgnoreUserDetailsContextMapper" class="org.apache.kylin.rest.security.LdapCaseIgnoreUserDetailsContextMapper"/>
+
<bean id="ldapUserDetailsService" class="org.springframework.security.ldap.userdetails.LdapUserDetailsService">
<constructor-arg ref="ldapUserSearch"/>
<constructor-arg ref="ldapUserPopulator"/>
+ <property name="userDetailsMapper" ref="ldapCaseIgnoreUserDetailsContextMapper"/>
</bean>
<bean id="userAuthProvider"
@@ -122,6 +125,7 @@
</bean>
</constructor-arg>
<constructor-arg ref="ldapUserPopulator"/>
+ <property name="userDetailsContextMapper" ref="ldapCaseIgnoreUserDetailsContextMapper"/>
</bean>
</constructor-arg>
</bean>
diff --git a/src/common-service/src/test/resources/ut_ldap/ldap-server.ldif b/src/common-service/src/test/resources/ut_ldap/ldap-server.ldif
index 56d7f94c57..1902998ca5 100644
--- a/src/common-service/src/test/resources/ut_ldap/ldap-server.ldif
+++ b/src/common-service/src/test/resources/ut_ldap/ldap-server.ldif
@@ -124,4 +124,28 @@ objectClass: top
dn: cn=empty,ou=Groups,dc=example,dc=com
cn: empty
objectClass: groupOfNames
-objectClass: top
\ No newline at end of file
+objectClass: top
+
+# rick, People, example.com
+dn: cn=rick,ou=People,dc=example,dc=com
+objectClass: inetOrgPerson
+objectClass: organizationalPerson
+objectClass: person
+objectClass: top
+cn: rick
+sn: rick gan
+mail: rick@example.io
+ou: Modeler
+userPassword:: ZXhhbXBsZTEyMw==
+
+# oliver, People, example.com
+dn: cn=ricky,ou=People,dc=example,dc=com
+objectClass: inetOrgPerson
+objectClass: organizationalPerson
+objectClass: person
+objectClass: top
+cn: ricky
+sn: ricky gan
+mail: ricky@example.io
+ou: Modeler
+userPassword::
\ No newline at end of file
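Review bot: The comment above the second new entry reads `# oliver, People, example.com` but the entry is `cn=ricky`; it should be `# ricky, People, example.com`. The empty `userPassword::` looks intentional for the password-less test case, so a comment such as `# intentionally empty: fixture for testOnUserWithoutPassword` would stop it being filled in later. The file still ends without a trailing newline.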
diff --git a/src/data-loading-booter/src/main/resources/kylinSecurity.xml b/src/data-loading-booter/src/main/resources/kylinSecurity.xml
index dc97c605eb..132a31f58b 100644
--- a/src/data-loading-booter/src/main/resources/kylinSecurity.xml
+++ b/src/data-loading-booter/src/main/resources/kylinSecurity.xml
@@ -113,9 +113,12 @@
<property name="groupSearchFilter" value="${kylin.security.ldap.user-group-search-filter}"/>
</bean>
+ <bean id="ldapCaseIgnoreUserDetailsContextMapper" class="org.apache.kylin.rest.security.LdapCaseIgnoreUserDetailsContextMapper"/>
+
<bean id="ldapUserDetailsService" class="org.springframework.security.ldap.userdetails.LdapUserDetailsService">
<constructor-arg ref="ldapUserSearch"/>
<constructor-arg ref="ldapUserPopulator"/>
+ <property name="userDetailsMapper" ref="ldapCaseIgnoreUserDetailsContextMapper"/>
</bean>
<bean id="userAuthProvider"
@@ -130,6 +133,7 @@
</bean>
</constructor-arg>
<constructor-arg ref="ldapUserPopulator"/>
+ <property name="userDetailsContextMapper" ref="ldapCaseIgnoreUserDetailsContextMapper"/>
</bean>
</constructor-arg>
</bean>
diff --git a/src/kylin-it/src/test/resources/springframework/conf/kylinSecurity.xml b/src/kylin-it/src/test/resources/springframework/conf/kylinSecurity.xml
index 7a1c7d7188..7a011d6506 100644
--- a/src/kylin-it/src/test/resources/springframework/conf/kylinSecurity.xml
+++ b/src/kylin-it/src/test/resources/springframework/conf/kylinSecurity.xml
@@ -114,9 +114,12 @@
<property name="groupSearchFilter" value="${kylin.security.ldap.user-group-search-filter}"/>
</bean>
+ <bean id="ldapCaseIgnoreUserDetailsContextMapper" class="org.apache.kylin.rest.security.LdapCaseIgnoreUserDetailsContextMapper"/>
+
<bean id="ldapUserDetailsService" class="org.springframework.security.ldap.userdetails.LdapUserDetailsService">
<constructor-arg ref="ldapUserSearch"/>
<constructor-arg ref="ldapUserPopulator"/>
+ <property name="userDetailsMapper" ref="ldapCaseIgnoreUserDetailsContextMapper"/>
</bean>
<bean id="userAuthProvider"
@@ -131,6 +134,7 @@
</bean>
</constructor-arg>
<constructor-arg ref="ldapUserPopulator"/>
+ <property name="userDetailsContextMapper" ref="ldapCaseIgnoreUserDetailsContextMapper"/>
</bean>
</constructor-arg>
</bean>
diff --git a/src/query-booter/src/main/resources/kylinSecurity.xml b/src/query-booter/src/main/resources/kylinSecurity.xml
index d4050579db..f6fd5b2c8d 100644
--- a/src/query-booter/src/main/resources/kylinSecurity.xml
+++ b/src/query-booter/src/main/resources/kylinSecurity.xml
@@ -113,9 +113,12 @@
<property name="groupSearchFilter" value="${kylin.security.ldap.user-group-search-filter}"/>
</bean>
+ <bean id="ldapCaseIgnoreUserDetailsContextMapper" class="org.apache.kylin.rest.security.LdapCaseIgnoreUserDetailsContextMapper"/>
+
<bean id="ldapUserDetailsService" class="org.springframework.security.ldap.userdetails.LdapUserDetailsService">
<constructor-arg ref="ldapUserSearch"/>
<constructor-arg ref="ldapUserPopulator"/>
+ <property name="userDetailsMapper" ref="ldapCaseIgnoreUserDetailsContextMapper"/>
</bean>
<bean id="userAuthProvider"
@@ -130,6 +133,7 @@
</bean>
</constructor-arg>
<constructor-arg ref="ldapUserPopulator"/>
+ <property name="userDetailsContextMapper" ref="ldapCaseIgnoreUserDetailsContextMapper"/>
</bean>
</constructor-arg>
</bean>
diff --git a/src/streaming-service/src/test/resources/kylinSecurity.xml b/src/streaming-service/src/test/resources/kylinSecurity.xml
index d4050579db..f6fd5b2c8d 100644
--- a/src/streaming-service/src/test/resources/kylinSecurity.xml
+++ b/src/streaming-service/src/test/resources/kylinSecurity.xml
@@ -113,9 +113,12 @@
<property name="groupSearchFilter" value="${kylin.security.ldap.user-group-search-filter}"/>
</bean>
+ <bean id="ldapCaseIgnoreUserDetailsContextMapper" class="org.apache.kylin.rest.security.LdapCaseIgnoreUserDetailsContextMapper"/>
+
<bean id="ldapUserDetailsService" class="org.springframework.security.ldap.userdetails.LdapUserDetailsService">
<constructor-arg ref="ldapUserSearch"/>
<constructor-arg ref="ldapUserPopulator"/>
+ <property name="userDetailsMapper" ref="ldapCaseIgnoreUserDetailsContextMapper"/>
</bean>
<bean id="userAuthProvider"
@@ -130,6 +133,7 @@
</bean>
</constructor-arg>
<constructor-arg ref="ldapUserPopulator"/>
+ <property name="userDetailsContextMapper" ref="ldapCaseIgnoreUserDetailsContextMapper"/>
</bean>
</constructor-arg>
</bean>