Posted to commits@ambari.apache.org by ma...@apache.org on 2013/08/26 04:12:45 UTC
git commit: AMBARI-3006. Having spaces within
authentication.ldap.baseDn or authentication.ldap.managerDn will not connect
to LDAP server on Active Directory. (Maksim Kononenko via mahadev)
Updated Branches:
refs/heads/trunk c9e842438 -> b0ade11f8
AMBARI-3006. Having spaces within authentication.ldap.baseDn or authentication.ldap.managerDn will not connect to LDAP server on Active Directory. (Maksim Kononenko via mahadev)
Project: http://git-wip-us.apache.org/repos/asf/incubator-ambari/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ambari/commit/b0ade11f
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ambari/tree/b0ade11f
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ambari/diff/b0ade11f
Branch: refs/heads/trunk
Commit: b0ade11f8e1bb85cc3d75a67444bd99542ebc8f9
Parents: c9e8424
Author: Mahadev Konar <ma...@apache.org>
Authored: Sun Aug 25 19:12:23 2013 -0700
Committer: Mahadev Konar <ma...@apache.org>
Committed: Sun Aug 25 19:12:23 2013 -0700
----------------------------------------------------------------------
.../AmbariLdapAuthenticationProvider.java | 9 +-
...uthenticationProviderForDNWithSpaceTest.java | 132 +++++++++++++++++++
...thorizationTestModuleForLdapDNWithSpace.java | 47 +++++++
.../test/resources/users_for_dn_with_space.ldif | 51 +++++++
4 files changed, 236 insertions(+), 3 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-ambari/blob/b0ade11f/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariLdapAuthenticationProvider.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariLdapAuthenticationProvider.java b/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariLdapAuthenticationProvider.java
index 9ec9a6a..f0e2a5f 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariLdapAuthenticationProvider.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariLdapAuthenticationProvider.java
@@ -18,16 +18,17 @@
package org.apache.ambari.server.security.authorization;
import com.google.inject.Inject;
+import java.util.List;
import org.apache.ambari.server.configuration.Configuration;
import org.apache.ambari.server.security.ClientSecurityType;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
+import org.springframework.ldap.core.support.LdapContextSource;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
-import org.springframework.security.ldap.DefaultSpringSecurityContextSource;
import org.springframework.security.ldap.authentication.LdapAuthenticationProvider;
import org.springframework.security.ldap.search.FilterBasedLdapUserSearch;
@@ -76,8 +77,10 @@ public class AmbariLdapAuthenticationProvider implements AuthenticationProvider
private LdapAuthenticationProvider loadLdapAuthenticationProvider() {
if (reloadLdapServerProperties()) {
log.info("LDAP Properties changed - rebuilding Context");
- DefaultSpringSecurityContextSource springSecurityContextSource =
- new DefaultSpringSecurityContextSource(ldapServerProperties.get().getLdapUrls(), ldapServerProperties.get().getBaseDN());
+ LdapContextSource springSecurityContextSource = new LdapContextSource();
+ List<String> ldapUrls = ldapServerProperties.get().getLdapUrls();
+ springSecurityContextSource.setUrls(ldapUrls.toArray(new String[ldapUrls.size()]));
+ springSecurityContextSource.setBase(ldapServerProperties.get().getBaseDN());
if (!ldapServerProperties.get().isAnonymousBind()) {
springSecurityContextSource.setUserDn(ldapServerProperties.get().getManagerDn());
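Review bot: The new code calls `ldapServerProperties.get()` once for the URLs, again for the base DN and again for the manager DN, so if that holder is replaced by a concurrent reload the context can be assembled from mixed snapshots, e.g. old URLs bound with the new manager credentials; hoisting a single `ldapServerProperties.get()` into a local at the top of the branch and reading every field from it avoids that, assuming the holder is an atomic reference rather than a plain field. The replaced `DefaultSpringSecurityContextSource` also configured the context beyond URLs and base (connection pooling and its own authentication strategy, as far as I recall), which the bare `LdapContextSource` does not, so it is worth confirming that difference is intended and that `afterPropertiesSet()` is still invoked on the source. A minor style point: `ldapUrls.toArray(new String[0])` is the conventional form. loadLdapAuthenticationProvider continues past the end of the hunk.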
http://git-wip-us.apache.org/repos/asf/incubator-ambari/blob/b0ade11f/ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AmbariLdapAuthenticationProviderForDNWithSpaceTest.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AmbariLdapAuthenticationProviderForDNWithSpaceTest.java b/ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AmbariLdapAuthenticationProviderForDNWithSpaceTest.java
new file mode 100644
index 0000000..b94758f
--- /dev/null
+++ b/ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AmbariLdapAuthenticationProviderForDNWithSpaceTest.java
@@ -0,0 +1,132 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.ambari.server.security.authorization;
+
+import com.google.inject.Guice;
+import com.google.inject.Inject;
+import com.google.inject.Injector;
+import org.apache.ambari.server.configuration.Configuration;
+import org.apache.ambari.server.orm.GuiceJpaInitializer;
+import org.apache.ambari.server.orm.dao.RoleDAO;
+import org.apache.ambari.server.orm.dao.UserDAO;
+import org.apache.ambari.server.orm.entities.RoleEntity;
+import org.apache.ambari.server.orm.entities.UserEntity;
+import org.apache.ambari.server.security.ClientSecurityType;
+import org.junit.AfterClass;
+import org.junit.Before;
+import org.junit.BeforeClass;
+import org.junit.Test;
+import org.springframework.security.authentication.BadCredentialsException;
+import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.ldap.server.ApacheDSContainer;
+
+import static org.junit.Assert.*;
+
+public class AmbariLdapAuthenticationProviderForDNWithSpaceTest {
+ private static ApacheDSContainer apacheDSContainer;
+ private static Injector injector;
+
+ @Inject
+ private AmbariLdapAuthenticationProvider authenticationProvider;
+ @Inject
+ private UserDAO userDAO;
+ @Inject
+ private RoleDAO roleDAO;
+ @Inject
+ Configuration configuration;
+
+ @BeforeClass
+ public static void beforeClass() throws Exception{
+ injector = Guice.createInjector(new AuthorizationTestModuleForLdapDNWithSpace());
+ injector.getInstance(GuiceJpaInitializer.class);
+
+ apacheDSContainer = new ApacheDSContainer("dc=ambari,dc=the apache,dc=org", "classpath:/users_for_dn_with_space.ldif");
+ apacheDSContainer.setPort(33389);
+ apacheDSContainer.afterPropertiesSet();
+ }
+
+ @Before
+ public void setUp() {
+ injector.injectMembers(this);
+ configuration.setClientSecurityType(ClientSecurityType.LDAP);
+ }
+
+ @Test(expected = BadCredentialsException.class)
+ public void testBadCredential() throws Exception {
+ Authentication authentication = new UsernamePasswordAuthenticationToken("notFound", "wrong");
+ authenticationProvider.authenticate(authentication);
+ }
+
+ @Test
+ public void testAuthenticate() throws Exception {
+ assertNull("User alread exists in DB", userDAO.findLdapUserByName("the allowedUser"));
+ Authentication authentication = new UsernamePasswordAuthenticationToken("the allowedUser", "password");
+ Authentication result = authenticationProvider.authenticate(authentication);
+ assertTrue(result.isAuthenticated());
+ assertNotNull("User was not created", userDAO.findLdapUserByName("the allowedUser"));
+ result = authenticationProvider.authenticate(authentication);
+ assertTrue(result.isAuthenticated());
+ }
+
+ @Test
+ public void testDisabled() throws Exception {
+ configuration.setClientSecurityType(ClientSecurityType.LOCAL);
+ Authentication authentication = new UsernamePasswordAuthenticationToken("the allowedUser", "password");
+ Authentication auth = authenticationProvider.authenticate(authentication);
+ assertTrue(auth == null);
+ }
+
+ @Test
+ public void testLdapAdminGroupToRolesMapping() throws Exception {
+
+ Authentication authentication;
+
+ authentication =
+ new UsernamePasswordAuthenticationToken("allowedAdmin", "password");
+ Authentication result = authenticationProvider.authenticate(authentication);
+ assertTrue(result.isAuthenticated());
+
+ UserEntity allowedAdminEntity = userDAO.findLdapUserByName("allowedAdmin");
+
+ authentication =
+ new UsernamePasswordAuthenticationToken("the allowedUser", "password");
+ authenticationProvider.authenticate(authentication);
+ UserEntity allowedUserEntity = userDAO.findLdapUserByName("the allowedUser");
+
+
+ RoleEntity adminRole = roleDAO.findByName(
+ configuration.getConfigsMap().get(Configuration.ADMIN_ROLE_NAME_KEY));
+ RoleEntity userRole = roleDAO.findByName(
+ configuration.getConfigsMap().get(Configuration.USER_ROLE_NAME_KEY));
+
+
+ assertTrue(allowedAdminEntity.getRoleEntities().contains(userRole));
+ assertTrue(allowedAdminEntity.getRoleEntities().contains(adminRole));
+
+ assertTrue(allowedUserEntity.getRoleEntities().contains(userRole));
+ assertFalse(allowedUserEntity.getRoleEntities().contains(adminRole));
+
+
+ }
+
+ @AfterClass
+ public static void afterClass() {
+ apacheDSContainer.stop();
+ }
+}
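Review bot: `testAuthenticate` opens with `assertNull("User alread exists in DB", userDAO.findLdapUserByName("the allowedUser"))`, but `testLdapAdminGroupToRolesMapping` also authenticates `the allowedUser` against the same static injector, so that precondition depends on test execution order unless the in-memory persistence is reset between methods. Either drop the precondition or remove the user in `setUp`. The message also has a typo (`alread`). In `testDisabled`, `assertTrue(auth == null)` reads better as `assertNull(auth)`.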
http://git-wip-us.apache.org/repos/asf/incubator-ambari/blob/b0ade11f/ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AuthorizationTestModuleForLdapDNWithSpace.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AuthorizationTestModuleForLdapDNWithSpace.java b/ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AuthorizationTestModuleForLdapDNWithSpace.java
new file mode 100644
index 0000000..62c7a1b
--- /dev/null
+++ b/ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AuthorizationTestModuleForLdapDNWithSpace.java
@@ -0,0 +1,47 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.ambari.server.security.authorization;
+
+import com.google.inject.AbstractModule;
+import java.util.Properties;
+import org.apache.ambari.server.configuration.Configuration;
+import org.apache.ambari.server.controller.ControllerModule;
+
+public class AuthorizationTestModuleForLdapDNWithSpace extends AbstractModule {
+ @Override
+ protected void configure() {
+ Properties properties = new Properties();
+ properties.setProperty(Configuration.CLIENT_SECURITY_KEY, "ldap");
+ properties.setProperty(Configuration.SERVER_PERSISTENCE_TYPE_KEY, "in-memory");
+ properties.setProperty(Configuration.METADETA_DIR_PATH,
+ "src/test/resources/stacks");
+ properties.setProperty(Configuration.SERVER_VERSION_FILE,
+ "target/version");
+ properties.setProperty(Configuration.OS_VERSION_KEY,
+ "centos5");
+ //make ambari detect active configuration
+ properties.setProperty(Configuration.LDAP_BASE_DN_KEY, "dc=ambari,dc=the apache,dc=org");
+ properties.setProperty(Configuration.LDAP_GROUP_BASE_KEY, "ou=the groups,dc=ambari,dc=the apache,dc=org");
+
+ try {
+ install(new ControllerModule(properties));
+ } catch (Exception e) {
+ throw new RuntimeException(e);
+ }
+ }
+}
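Review bot: The module only sets a base DN and group base containing spaces (`LDAP_BASE_DN_KEY`, `LDAP_GROUP_BASE_KEY`), while the commit title also covers `authentication.ldap.managerDn`; no manager DN is configured here, so the bind presumably stays anonymous and the managerDn half of the fix is not exercised. Adding a manager DN with a space, plus its password, to these properties would cover it. The comment `//make ambari detect active configuration` sits above the LDAP DN properties but does not appear to describe them; rewording it as `// base DN and group base deliberately contain spaces (AMBARI-3006)` would explain the fixture.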
http://git-wip-us.apache.org/repos/asf/incubator-ambari/blob/b0ade11f/ambari-server/src/test/resources/users_for_dn_with_space.ldif
----------------------------------------------------------------------
diff --git a/ambari-server/src/test/resources/users_for_dn_with_space.ldif b/ambari-server/src/test/resources/users_for_dn_with_space.ldif
new file mode 100644
index 0000000..5e8f8cf
--- /dev/null
+++ b/ambari-server/src/test/resources/users_for_dn_with_space.ldif
@@ -0,0 +1,51 @@
+dn: ou=the groups,dc=ambari,dc=the apache,dc=org
+objectclass:top
+objectclass:organizationalUnit
+ou: the groups
+
+dn: ou=the people,dc=ambari,dc=the apache,dc=org
+objectclass:top
+objectclass:organizationalUnit
+ou: the people
+
+dn: uid=the allowedUser,ou=the people,dc=ambari,dc=the apache,dc=org
+objectclass:top
+objectclass:person
+objectclass:organizationalPerson
+objectclass:inetOrgPerson
+cn: CraigWalls
+sn: Walls
+uid: the allowedUser
+userPassword:password
+
+dn: uid=deniedUser,ou=the people,dc=ambari,dc=the apache,dc=org
+objectclass:top
+objectclass:person
+objectclass:organizationalPerson
+objectclass:inetOrgPerson
+cn: JohnSmith
+sn: Smith
+uid: deniedUser
+userPassword:password
+
+dn: cn=admin,ou=the groups,dc=ambari,dc=the apache,dc=org
+objectclass:top
+objectclass:groupOfNames
+cn: admin
+member: uid=the allowedUser,ou=the people,dc=ambari,dc=the apache,dc=org
+
+dn: uid=allowedAdmin,ou=the people,dc=ambari,dc=the apache,dc=org
+objectclass:top
+objectclass:person
+objectclass:organizationalPerson
+objectclass:inetOrgPerson
+cn: CraigWalls
+sn: Walls
+uid: allowedAdmin
+userPassword:password
+
+dn: cn=Ambari Administrators,ou=the groups,dc=ambari,dc=the apache,dc=org
+objectclass:top
+objectclass:group
+cn: Ambari Administrators
+member: uid=allowedAdmin,ou=the people,dc=ambari,dc=the apache,dc=org
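Review bot: The `cn=admin` groupOfNames entry lists `uid=the allowedUser` as its only member, yet the test asserts that this user does not receive the admin role; the assertion presumably holds only because the admin group mapping matches `Ambari Administrators` rather than `admin`. Renaming or removing that entry, or adding a comment `# not mapped to the admin role; see AmbariLdapAuthenticationProviderForDNWithSpaceTest` above it, would keep the fixture from contradicting the test it supports.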