You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@kylin.apache.org by GitBox <gi...@apache.org> on 2019/11/12 02:28:39 UTC

[GitHub] [kylin] xiacongling opened a new pull request #931: KYLIN-4240 use kylin SSO without LDAP

xiacongling opened a new pull request #931: KYLIN-4240 use kylin SSO without LDAP
URL: https://github.com/apache/kylin/pull/931
 
 
   KYLIN-4240 use kylin SSO without LDAP. see: https://issues.apache.org/jira/browse/KYLIN-4240
   
   ## add additional profile
   first we change `kylin.sh` to support multiple profiles (`spring.profiles.active` can accept a list of profiles)
   ```
   additional_security_profiles=`bash ${dir}/get-properties.sh kylin.security.additional-profiles`
   if [[ "x${additional_security_profiles}" != "x" ]]; then
       spring_profile="${spring_profile},${additional_security_profiles}"
   fi
   ```
   We use `custom` security profile and a additional `authn-cas` profile to enable it.
   ```
   kylin.security.profile=custom
   kylin.security.additional-profiles=authn-cas
   ```
   
   ## beans and security settings for CAS
   Then we add the CAS security context to the classpath, here we put it in `server/resources/kylin-security-cas-plugin.xml` as a plugin. define the following beans under `authn-cas` profile:
   ```
   <beans profile="authn-cas">
    ...
    <spring-security:http pattern="/cas/**">
     ...
    </spring-security:http>
   </beans>
   ```
   in security http settings, the CAS filter only applied on `/cas/**`. see the code for details.
   
   ## UI update
   In front-end, a button is added to redirect to the CAS server.
   
   ![](https://issues.apache.org/jira/secure/attachment/12985571/screenshot.png)
   
   User can now login with either username/password or SSO, and their groups can be managed in the `System` tab.
   
   ## Other improvement
   - automatically add an admin user if there is none (controlled by `kylin.security.create-admin-when-absent`)
   - change to `kylinSecurityProfile()` instead of `spring.profiles.active` to avoid mismatch
   - fix ehcache settings for `custom` profile
   - SAML without LDAP plugin (see `server/resources/kylin-security-saml-noldap-plugin.xml`)
   
   ## Appendix: properties for CAS
   ```
   ## Security settings, enable CAS
   kylin.security.profile=custom
   kylin.security.additional-profiles=authn-cas
   
   ## CAS properties
   # kylin server url should be set for CAS callback, values should be set properly
   kylin.server.url=http://localhost:7070/kylin
   
   # change the cas server 
   kylin.security.cas.server.prefix=https://cas.example.com/
   kylin.security.cas.server.login-url=https://cas.example.com/login
   kylin.security.cas.server.logout-url=https://cas.example.com/logout
   
   # optional properties, default values are listed below
   #kylin.security.cas.default-groups=ALL_USERS
   #kylin.security.cas.service-param=service
   #kylin.security.cas.artifact-param=ticket
   ```

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
users@infra.apache.org


With regards,
Apache Git Services