You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@kylin.apache.org by GitBox <gi...@apache.org> on 2019/11/12 02:28:39 UTC
[GitHub] [kylin] xiacongling opened a new pull request #931: KYLIN-4240 use
kylin SSO without LDAP
xiacongling opened a new pull request #931: KYLIN-4240 use kylin SSO without LDAP
URL: https://github.com/apache/kylin/pull/931
KYLIN-4240 use kylin SSO without LDAP. see: https://issues.apache.org/jira/browse/KYLIN-4240
## add additional profile
first we change `kylin.sh` to support multiple profiles (`spring.profiles.active` can accept a list of profiles)
```
additional_security_profiles=`bash ${dir}/get-properties.sh kylin.security.additional-profiles`
if [[ "x${additional_security_profiles}" != "x" ]]; then
spring_profile="${spring_profile},${additional_security_profiles}"
fi
```
We use `custom` security profile and a additional `authn-cas` profile to enable it.
```
kylin.security.profile=custom
kylin.security.additional-profiles=authn-cas
```
## beans and security settings for CAS
Then we add the CAS security context to the classpath, here we put it in `server/resources/kylin-security-cas-plugin.xml` as a plugin. define the following beans under `authn-cas` profile:
```
<beans profile="authn-cas">
...
<spring-security:http pattern="/cas/**">
...
</spring-security:http>
</beans>
```
in security http settings, the CAS filter only applied on `/cas/**`. see the code for details.
## UI update
In front-end, a button is added to redirect to the CAS server.
![](https://issues.apache.org/jira/secure/attachment/12985571/screenshot.png)
User can now login with either username/password or SSO, and their groups can be managed in the `System` tab.
## Other improvement
- automatically add an admin user if there is none (controlled by `kylin.security.create-admin-when-absent`)
- change to `kylinSecurityProfile()` instead of `spring.profiles.active` to avoid mismatch
- fix ehcache settings for `custom` profile
- SAML without LDAP plugin (see `server/resources/kylin-security-saml-noldap-plugin.xml`)
## Appendix: properties for CAS
```
## Security settings, enable CAS
kylin.security.profile=custom
kylin.security.additional-profiles=authn-cas
## CAS properties
# kylin server url should be set for CAS callback, values should be set properly
kylin.server.url=http://localhost:7070/kylin
# change the cas server
kylin.security.cas.server.prefix=https://cas.example.com/
kylin.security.cas.server.login-url=https://cas.example.com/login
kylin.security.cas.server.logout-url=https://cas.example.com/logout
# optional properties, default values are listed below
#kylin.security.cas.default-groups=ALL_USERS
#kylin.security.cas.service-param=service
#kylin.security.cas.artifact-param=ticket
```
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
With regards,
Apache Git Services