Posted to commits@kylin.apache.org by ni...@apache.org on 2020/05/08 07:38:03 UTC
[kylin] branch master updated: KYLIN-4481 Project-level ACL lookups
not working for non-admin SAML-federated users
This is an automated email from the ASF dual-hosted git repository.
nic pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/kylin.git
The following commit(s) were added to refs/heads/master by this push:
new dca6b80 KYLIN-4481 Project-level ACL lookups not working for non-admin SAML-federated users
dca6b80 is described below
commit dca6b8055a31ba1f31d188efc2fd57cf710da5e7
Author: andrewcheng <an...@tencent.com>
AuthorDate: Thu May 7 16:27:44 2020 +0800
KYLIN-4481 Project-level ACL lookups not working for non-admin SAML-federated users
---
.../apache/kylin/rest/security/SAMLUserDetailsService.java | 11 +++++++++++
.../rest/security/saml/SAMLSimpleUserDetailsService.java | 8 +++-----
2 files changed, 14 insertions(+), 5 deletions(-)
diff --git a/server-base/src/main/java/org/apache/kylin/rest/security/SAMLUserDetailsService.java b/server-base/src/main/java/org/apache/kylin/rest/security/SAMLUserDetailsService.java
index 24f8243..29583ff 100644
--- a/server-base/src/main/java/org/apache/kylin/rest/security/SAMLUserDetailsService.java
+++ b/server-base/src/main/java/org/apache/kylin/rest/security/SAMLUserDetailsService.java
@@ -22,6 +22,7 @@ import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
+import org.springframework.security.ldap.userdetails.LdapUserDetailsImpl;
import org.springframework.security.ldap.userdetails.LdapUserDetailsService;
import org.springframework.security.saml.SAMLCredential;
@@ -46,6 +47,16 @@ public class SAMLUserDetailsService implements org.springframework.security.saml
UserDetails userDetails = null;
try {
userDetails = ldapUserDetailsService.loadUserByUsername(userName);
+ if (userDetails instanceof LdapUserDetailsImpl) {
+ LdapUserDetailsImpl.Essence essence = new LdapUserDetailsImpl.Essence();
+ essence.setDn(((LdapUserDetailsImpl) userDetails).getDn());
+ essence.setUsername(userEmail);
+ essence.setPassword(userDetails.getPassword());
+ essence.setAuthorities(userDetails.getAuthorities());
+ essence.setTimeBeforeExpiration(((LdapUserDetailsImpl) userDetails).getTimeBeforeExpiration());
+ essence.setGraceLoginsRemaining(((LdapUserDetailsImpl) userDetails).getGraceLoginsRemaining());
+ userDetails = essence.createUserDetails();
+ }
} catch (org.springframework.security.core.userdetails.UsernameNotFoundException e) {
logger.error("User not found in LDAP, check whether he/she has been added to the groups.", e);
}
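Review bot: The `Essence` built at L35-L42 copies dn, username, password, authorities and the two password-policy counters, but not the account-status flags, so whatever `userDetails` reported through `isEnabled()`, `isAccountNonLocked()`, `isAccountNonExpired()` and `isCredentialsNonExpired()` is replaced by the state of a fresh `Essence` in the rebuilt object; a disabled or locked LDAP account can come back looking active once its username has been swapped for the email. The four flags should be carried over with the matching `Essence` setters, and as a point of style the three repeated `(LdapUserDetailsImpl) userDetails` casts could become one local. `userEmail` is not defined in this hunk; if it can be null when the SAML assertion lacks the attribute, `setUsername(null)` should be rejected before this point, because that username is the key later ACL lookups use. The enclosing method starts before this hunk and its remainder lies outside it.
```java
// … unchanged: Essence created, dn/username/password/authorities/expiration copied …
essence.setGraceLoginsRemaining(((LdapUserDetailsImpl) userDetails).getGraceLoginsRemaining());
// carry over the account state LDAP reported; a fresh Essence does not inherit it
essence.setEnabled(userDetails.isEnabled());
essence.setAccountNonLocked(userDetails.isAccountNonLocked());
essence.setAccountNonExpired(userDetails.isAccountNonExpired());
essence.setCredentialsNonExpired(userDetails.isCredentialsNonExpired());
userDetails = essence.createUserDetails();
```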
diff --git a/server-base/src/main/java/org/apache/kylin/rest/security/saml/SAMLSimpleUserDetailsService.java b/server-base/src/main/java/org/apache/kylin/rest/security/saml/SAMLSimpleUserDetailsService.java
index e375872..dba968a 100644
--- a/server-base/src/main/java/org/apache/kylin/rest/security/saml/SAMLSimpleUserDetailsService.java
+++ b/server-base/src/main/java/org/apache/kylin/rest/security/saml/SAMLSimpleUserDetailsService.java
@@ -50,15 +50,13 @@ public class SAMLSimpleUserDetailsService implements org.springframework.securit
public Object loadUserBySAML(SAMLCredential samlCredential) throws UsernameNotFoundException {
final String userEmail = samlCredential.getAttributeAsString("email");
logger.debug("samlCredential.email:" + userEmail);
- final String userName = userEmail.substring(0, userEmail.indexOf("@"));
-
KylinUserManager userManager = KylinUserManager.getInstance(KylinConfig.getInstanceFromEnv());
- ManagedUser existUser = userManager.get(userName);
+ ManagedUser existUser = userManager.get(userEmail);
// create if not exists
if (existUser == null) {
- ManagedUser user = new ManagedUser(userName, NO_EXISTENCE_PASSWORD, true, defaultAuthorities);
+ ManagedUser user = new ManagedUser(userEmail, NO_EXISTENCE_PASSWORD, true, defaultAuthorities);
userManager.update(user);
}
- return userManager.get(userName);
+ return userManager.get(userEmail);
}
}
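Review bot: `userEmail` goes straight into `userManager.get(userEmail)` at L59 and `new ManagedUser(userEmail, ...)` at L63 with no null check; if `samlCredential.getAttributeAsString("email")` at L53 returns null when the assertion carries no such attribute, the removed `substring` call that used to fail fast on that case is gone and a null username can now reach the user store. A guard after the debug log such as `if (userEmail == null) { throw new UsernameNotFoundException("SAML assertion has no email attribute"); }` fits the method's declared `throws` clause. Switching the key from the local part to the full address also means accounts previously stored under the local part are no longer found and are re-created with `defaultAuthorities` at L61-L65, which drops any role assignments made against the old name; that deserves a mention in the commit or a migration step.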