Posted to commits@kylin.apache.org by ni...@apache.org on 2020/05/08 07:38:03 UTC

[kylin] branch master updated: KYLIN-4481 Project-level ACL lookups not working for non-admin SAML-federated users

This is an automated email from the ASF dual-hosted git repository.

nic pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/kylin.git


The following commit(s) were added to refs/heads/master by this push:
     new dca6b80  KYLIN-4481 Project-level ACL lookups not working for non-admin SAML-federated users
dca6b80 is described below

commit dca6b8055a31ba1f31d188efc2fd57cf710da5e7
Author: andrewcheng <an...@tencent.com>
AuthorDate: Thu May 7 16:27:44 2020 +0800

    KYLIN-4481 Project-level ACL lookups not working for non-admin SAML-federated users
---
 .../apache/kylin/rest/security/SAMLUserDetailsService.java    | 11 +++++++++++
 .../rest/security/saml/SAMLSimpleUserDetailsService.java      |  8 +++-----
 2 files changed, 14 insertions(+), 5 deletions(-)

diff --git a/server-base/src/main/java/org/apache/kylin/rest/security/SAMLUserDetailsService.java b/server-base/src/main/java/org/apache/kylin/rest/security/SAMLUserDetailsService.java
index 24f8243..29583ff 100644
--- a/server-base/src/main/java/org/apache/kylin/rest/security/SAMLUserDetailsService.java
+++ b/server-base/src/main/java/org/apache/kylin/rest/security/SAMLUserDetailsService.java
@@ -22,6 +22,7 @@ import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.security.core.userdetails.UserDetails;
 import org.springframework.security.core.userdetails.UsernameNotFoundException;
+import org.springframework.security.ldap.userdetails.LdapUserDetailsImpl;
 import org.springframework.security.ldap.userdetails.LdapUserDetailsService;
 import org.springframework.security.saml.SAMLCredential;
 
@@ -46,6 +47,16 @@ public class SAMLUserDetailsService implements org.springframework.security.saml
         UserDetails userDetails = null;
         try {
             userDetails = ldapUserDetailsService.loadUserByUsername(userName);
+            if (userDetails instanceof LdapUserDetailsImpl) {
+                LdapUserDetailsImpl.Essence essence = new LdapUserDetailsImpl.Essence();
+                essence.setDn(((LdapUserDetailsImpl) userDetails).getDn());
+                essence.setUsername(userEmail);
+                essence.setPassword(userDetails.getPassword());
+                essence.setAuthorities(userDetails.getAuthorities());
+                essence.setTimeBeforeExpiration(((LdapUserDetailsImpl) userDetails).getTimeBeforeExpiration());
+                essence.setGraceLoginsRemaining(((LdapUserDetailsImpl) userDetails).getGraceLoginsRemaining());
+                userDetails = essence.createUserDetails();
+            }
         } catch (org.springframework.security.core.userdetails.UsernameNotFoundException e) {
             logger.error("User not found in LDAP, check whether he/she has been added to the groups.", e);
         }
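Review bot: The rebuilt UserDetails drops the LDAP account-status flags: the Essence copies dn, username, password, authorities, timeBeforeExpiration and graceLoginsRemaining (lines 43–49) but not accountNonExpired, accountNonLocked, credentialsNonExpired or enabled, which the freshly created LdapUserDetailsImpl defaults to true, so a disabled or locked LDAP account would come back looking active under the email username. Carrying the four flags over through the matching Essence setters closes that gap, as in the excerpt below. The three repeated casts could be bound once, `LdapUserDetailsImpl ldapDetails = (LdapUserDetailsImpl) userDetails;`, and a one-line comment such as `// re-key as the SAML email so project ACL lookups match the authenticated principal` would explain why the copy is made at all. `userEmail` is declared and loadUserBySAML begins and ends outside this hunk; if it can be null, createUserDetails() presumably rejects a null username, so the caller's handling of a missing email attribute is worth confirming.
```java
                essence.setGraceLoginsRemaining(((LdapUserDetailsImpl) userDetails).getGraceLoginsRemaining());
                // preserve the LDAP account state; Essence otherwise defaults these to true
                essence.setAccountNonExpired(userDetails.isAccountNonExpired());
                essence.setAccountNonLocked(userDetails.isAccountNonLocked());
                essence.setCredentialsNonExpired(userDetails.isCredentialsNonExpired());
                essence.setEnabled(userDetails.isEnabled());
                userDetails = essence.createUserDetails();
```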
diff --git a/server-base/src/main/java/org/apache/kylin/rest/security/saml/SAMLSimpleUserDetailsService.java b/server-base/src/main/java/org/apache/kylin/rest/security/saml/SAMLSimpleUserDetailsService.java
index e375872..dba968a 100644
--- a/server-base/src/main/java/org/apache/kylin/rest/security/saml/SAMLSimpleUserDetailsService.java
+++ b/server-base/src/main/java/org/apache/kylin/rest/security/saml/SAMLSimpleUserDetailsService.java
@@ -50,15 +50,13 @@ public class SAMLSimpleUserDetailsService implements org.springframework.securit
     public Object loadUserBySAML(SAMLCredential samlCredential) throws UsernameNotFoundException {
         final String userEmail = samlCredential.getAttributeAsString("email");
         logger.debug("samlCredential.email:" + userEmail);
-        final String userName = userEmail.substring(0, userEmail.indexOf("@"));
-
         KylinUserManager userManager = KylinUserManager.getInstance(KylinConfig.getInstanceFromEnv());
-        ManagedUser existUser = userManager.get(userName);
+        ManagedUser existUser = userManager.get(userEmail);
         // create if not exists
         if (existUser == null) {
-            ManagedUser user = new ManagedUser(userName, NO_EXISTENCE_PASSWORD, true, defaultAuthorities);
+            ManagedUser user = new ManagedUser(userEmail, NO_EXISTENCE_PASSWORD, true, defaultAuthorities);
             userManager.update(user);
         }
-        return userManager.get(userName);
+        return userManager.get(userEmail);
     }
 }
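Review bot: `userEmail` is used unvalidated as the user key on lines 67, 71 and 75: with the `substring` call removed, a SAML assertion that lacks the `email` attribute no longer fails fast on the null, it flows into `userManager.get(null)` and `new ManagedUser(null, ...)`, whose behaviour for a null name is not visible here. A guard before the lookup, `if (userEmail == null || userEmail.isEmpty()) { throw new UsernameNotFoundException("SAML credential carries no email attribute"); }`, keeps the method's declared contract and avoids persisting a user with an empty name. The debug line could use the parameterized form, `logger.debug("samlCredential.email: {}", userEmail);`. Switching the key from the local part to the full address presumably means users already stored under the old short name get a fresh record with defaultAuthorities on their next login; if that is intended, a comment noting the migration effect would help the next maintainer.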