Posted to commits@ambari.apache.org by wu...@apache.org on 2022/11/14 16:38:29 UTC
[ambari] branch trunk updated: AMBARI-25382: Issues with Views in ambari when User Logs In from KNOX/LDAP and the username has spaces and Camel Case Letters (#3494)
This is an automated email from the ASF dual-hosted git repository.
wuzhiguo pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/ambari.git
The following commit(s) were added to refs/heads/trunk by this push:
new 6f7c4b3958 AMBARI-25382: Issues with Views in ambari when User Logs In from KNOX/LDAP and the username has spaces and Camel Case Letters (#3494)
6f7c4b3958 is described below
commit 6f7c4b3958d8600172bed576d24f69c24f1041cb
Author: Zhiguo Wu <wu...@apache.org>
AuthorDate: Tue Nov 15 00:38:24 2022 +0800
AMBARI-25382: Issues with Views in ambari when User Logs In from KNOX/LDAP and the username has spaces and Camel Case Letters (#3494)
---
.../org/apache/ambari/server/orm/entities/ViewInstanceEntity.java | 3 ++-
.../authentication/jwt/AmbariJwtAuthenticationProvider.java | 7 +++++++
.../server/security/authorization/AmbariLdapBindAuthenticator.java | 7 ++++---
.../ambari/server/security/authorization/AuthorizationHelper.java | 4 +++-
.../authentication/jwt/AmbariJwtAuthenticationFilterTest.java | 1 +
.../security/authorization/AmbariLdapBindAuthenticatorTest.java | 4 ++++
6 files changed, 21 insertions(+), 5 deletions(-)
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/orm/entities/ViewInstanceEntity.java b/ambari-server/src/main/java/org/apache/ambari/server/orm/entities/ViewInstanceEntity.java
index 7d458492d0..e7714e9eb1 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/orm/entities/ViewInstanceEntity.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/orm/entities/ViewInstanceEntity.java
@@ -49,6 +49,7 @@ import org.apache.ambari.server.controller.spi.Resource;
import org.apache.ambari.server.security.SecurityHelper;
import org.apache.ambari.server.security.SecurityHelperImpl;
import org.apache.ambari.server.security.authorization.AmbariAuthorizationFilter;
+import org.apache.ambari.server.security.authorization.AuthorizationHelper;
import org.apache.ambari.server.view.ViewContextImpl;
import org.apache.ambari.server.view.ViewRegistry;
import org.apache.ambari.server.view.configuration.InstanceConfig;
@@ -811,7 +812,7 @@ public class ViewInstanceEntity implements ViewInstanceDefinition {
* @return the current user name; empty String if user is not known
*/
public String getUsername() {
- return securityHelper.getCurrentUserName();
+ return AuthorizationHelper.resolveLoginAliasToUserName(securityHelper.getCurrentUserName());
}
/**
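Review bot: The Javadoc above `getUsername()` still promises only "the current user name", but the value now goes through `AuthorizationHelper.resolveLoginAliasToUserName`, so what a view receives depends on the session alias map. Because this commit also makes `addLoginNameAlias` store both directions, it is not clear from here whether a view gets the Ambari user name or the login alias. I would state that in the contract, e.g. `@return the current user name after login-alias resolution; empty String if user is not known`. Whether the resolver keeps the empty-string result for an unknown user is not visible in this hunk and is worth confirming. The Javadoc block itself starts outside the hunk.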
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/security/authentication/jwt/AmbariJwtAuthenticationProvider.java b/ambari-server/src/main/java/org/apache/ambari/server/security/authentication/jwt/AmbariJwtAuthenticationProvider.java
index 076e1b7ba2..a3ea7f9149 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/security/authentication/jwt/AmbariJwtAuthenticationProvider.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/security/authentication/jwt/AmbariJwtAuthenticationProvider.java
@@ -29,6 +29,7 @@ import org.apache.ambari.server.security.authentication.AmbariUserDetails;
import org.apache.ambari.server.security.authentication.AmbariUserDetailsImpl;
import org.apache.ambari.server.security.authentication.TooManyLoginFailuresException;
import org.apache.ambari.server.security.authentication.UserNotFoundException;
+import org.apache.ambari.server.security.authorization.AuthorizationHelper;
import org.apache.ambari.server.security.authorization.UserAuthenticationType;
import org.apache.ambari.server.security.authorization.Users;
import org.slf4j.Logger;
@@ -120,6 +121,12 @@ public class AmbariJwtAuthenticationProvider extends AmbariAuthenticationProvide
}
AmbariUserDetails userDetails = new AmbariUserDetailsImpl(users.getUser(userEntity), null, users.getUserAuthorities(userEntity));
+
+ String jwtTokenName = userDetails.getUsername().trim();
+ //If JwtToken Provided Username and authenticatedUsername is different Add it to Alias
+ if(!userName.equals(jwtTokenName)){
+ AuthorizationHelper.addLoginNameAlias(userName,jwtTokenName);
+ }
return new AmbariUserAuthentication(authentication.getCredentials().toString(), userDetails, true);
} else {
// The user was not authenticated, fail
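Review bot: The arguments in `AuthorizationHelper.addLoginNameAlias(userName,jwtTokenName)` look reversed against the helper's signature `(ambariUserName, loginAlias)`, and the local is misnamed. `jwtTokenName` holds `userDetails.getUsername()`, the Ambari-side name, while `userName` (defined outside this hunk, presumably the name taken from the token) is the alias. The call only behaves because the helper now stores both directions. I would write `String ambariUserName = userDetails.getUsername().trim();` and `AuthorizationHelper.addLoginNameAlias(ambariUserName, userName);`. The comparison here is also case-sensitive while the LDAP authenticator lower-cases the login name, so the two providers register aliases under different rules.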
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariLdapBindAuthenticator.java b/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariLdapBindAuthenticator.java
index 4adbd2b814..b6c5de397e 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariLdapBindAuthenticator.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariLdapBindAuthenticator.java
@@ -85,7 +85,7 @@ public class AmbariLdapBindAuthenticator extends AbstractLdapAuthenticator {
LOG.warn("The user data does not contain a value for {}.", ldapServerProperties.getUsernameAttribute());
} else if (ldapUserName.isEmpty()) {
LOG.warn("The user data contains an empty value for {}.", ldapServerProperties.getUsernameAttribute());
- } else if (!ldapUserName.equals(loginName)) {
+ } else {
// if authenticated user name is different from ldap user name than user has logged in
// with a login name that is different (e.g. user principal name) from the ambari user name stored in
// ambari db. In this case add the user login name as login alias for ambari user name.
@@ -100,8 +100,9 @@ public class AmbariLdapBindAuthenticator extends AbstractLdapAuthenticator {
} else {
processedLdapUserName = ldapUserName;
}
-
- AuthorizationHelper.addLoginNameAlias(processedLdapUserName, loginName);
+ if (!processedLdapUserName.equals(loginName.toLowerCase())) {
+ AuthorizationHelper.addLoginNameAlias(processedLdapUserName, loginName.toLowerCase());
+ }
}
return user;
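Review bot: `loginName.toLowerCase()` in the added condition uses the JVM default locale, so the alias key for the same identity can differ between hosts (for example `I` under a Turkish locale). For a name used as an identity key, compute it once with a fixed locale, `String loginAlias = loginName.toLowerCase(Locale.ROOT);`, and use `loginAlias` in both the comparison and the call; this needs `java.util.Locale` if the file does not already import it. The login name is now lower-cased unconditionally, whereas `processedLdapUserName` is left as-is in the `else` branch visible above, so a name differing only in case is now registered as an alias; please confirm that is intended. The comment kept in the previous hunk still describes the removed `!ldapUserName.equals(loginName)` condition. The enclosing method starts outside the hunk.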
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AuthorizationHelper.java b/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AuthorizationHelper.java
index d92fc44b65..c5d22fbcfb 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AuthorizationHelper.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AuthorizationHelper.java
@@ -325,13 +325,15 @@ public class AuthorizationHelper {
* of alias user name to local ambari user name to make possible resolving
* login alias to ambari user name.
* @param ambariUserName ambari user name for which the alias is to be stored in the session
- * @param loginAlias the alias for the ambari user name.
+ * @param loginAlias The Name with which user logged in Ambari UI.
*/
public static void addLoginNameAlias(String ambariUserName, String loginAlias) {
ServletRequestAttributes attr = (ServletRequestAttributes) RequestContextHolder.getRequestAttributes();
if (attr != null) {
LOG.info("Adding login alias '{}' for user name '{}'", loginAlias, ambariUserName);
attr.setAttribute(loginAlias, ambariUserName, RequestAttributes.SCOPE_SESSION);
+ //save Vice Versa Too
+ attr.setAttribute(ambariUserName, loginAlias, RequestAttributes.SCOPE_SESSION);
}
}
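Review bot: Raw user names are used as session attribute keys, and the added reverse `attr.setAttribute(ambariUserName, loginAlias, RequestAttributes.SCOPE_SESSION)` doubles that surface. Names arriving from LDAP or a JWT are externally supplied, so a name equal to another session attribute's key would overwrite that attribute. The map is also ambiguous now: a lookup by Ambari user name yields the alias, which may surprise existing callers that resolve to a canonical name before an authorization check. I would namespace the keys, e.g. `attr.setAttribute(LOGIN_ALIAS_PREFIX + loginAlias, ambariUserName, RequestAttributes.SCOPE_SESSION);` (constant name illustrative), with a distinct prefix for the reverse direction and the same prefixes on the lookup side, which is not visible in this hunk. The Javadoc should also say that both directions are stored.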
diff --git a/ambari-server/src/test/java/org/apache/ambari/server/security/authentication/jwt/AmbariJwtAuthenticationFilterTest.java b/ambari-server/src/test/java/org/apache/ambari/server/security/authentication/jwt/AmbariJwtAuthenticationFilterTest.java
index e8687c5521..4e35a5eb61 100644
--- a/ambari-server/src/test/java/org/apache/ambari/server/security/authentication/jwt/AmbariJwtAuthenticationFilterTest.java
+++ b/ambari-server/src/test/java/org/apache/ambari/server/security/authentication/jwt/AmbariJwtAuthenticationFilterTest.java
@@ -414,6 +414,7 @@ public class AmbariJwtAuthenticationFilterTest extends EasyMockSupport {
Users users = createMock(Users.class);
expect(users.getUserEntity("test-user")).andReturn(userEntity).once();
expect(users.getUser(userEntity)).andReturn(user).once();
+ expect(user.getUserName()).andReturn("test-user").atLeastOnce();
expect(users.getUserAuthorities(userEntity)).andReturn(Collections.emptyList()).once();
users.validateLogin(userEntity, "test-user");
expectLastCall().once();
diff --git a/ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AmbariLdapBindAuthenticatorTest.java b/ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AmbariLdapBindAuthenticatorTest.java
index 335ad70972..3ebb4763ec 100644
--- a/ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AmbariLdapBindAuthenticatorTest.java
+++ b/ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AmbariLdapBindAuthenticatorTest.java
@@ -179,6 +179,8 @@ public class AmbariLdapBindAuthenticatorTest extends EasyMockSupport {
if (!StringUtils.isEmpty(ldapUsername) && !ambariUsername.equals(ldapUsername)) {
servletRequestAttributes.setAttribute(eq(ambariUsername), eq(forceUsernameToLower ? ldapUsername.toLowerCase() : ldapUsername), eq(RequestAttributes.SCOPE_SESSION));
expectLastCall().once();
+ servletRequestAttributes.setAttribute(eq(forceUsernameToLower ? ldapUsername.toLowerCase() : ldapUsername),eq(ambariUsername), eq(RequestAttributes.SCOPE_SESSION));
+ expectLastCall().once();
}
setupDatabaseConfigurationExpectations(true, forceUsernameToLower);
@@ -186,6 +188,8 @@ public class AmbariLdapBindAuthenticatorTest extends EasyMockSupport {
replayAll();
RequestContextHolder.setRequestAttributes(servletRequestAttributes);
+// servletRequestAttributes.setAttribute(ambariUsername,ldapUsername, RequestAttributes.SCOPE_SESSION);
+// expectLastCall().anyTimes();
AmbariLdapBindAuthenticator bindAuthenticator = new AmbariLdapBindAuthenticator(ldapCtxSource, ldapConfiguration);
bindAuthenticator.setUserSearch(userSearch);
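Review bot: The two lines added after `RequestContextHolder.setRequestAttributes(servletRequestAttributes);` are commented-out code (`// servletRequestAttributes.setAttribute(...)` and `// expectLastCall().anyTimes();`) and should be dropped before merge. They also sit after `replayAll()`, where recording a new expectation would not work anyway, so they do not document a usable alternative. The test method starts and ends outside the hunk.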