Posted to commits@spark.apache.org by sr...@apache.org on 2022/06/25 19:15:30 UTC
[spark] branch master updated: [SPARK-39396][SQL] Fix LDAP login exception 'error code 49 - invalid credentials'
This is an automated email from the ASF dual-hosted git repository.
srowen pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/spark.git
The following commit(s) were added to refs/heads/master by this push:
new 7003916bffa [SPARK-39396][SQL] Fix LDAP login exception 'error code 49 - invalid credentials'
7003916bffa is described below
commit 7003916bffa64952daf1b29cfa1eea76a94ed3c0
Author: xiuzhu9527 <14...@qq.com>
AuthorDate: Sat Jun 25 14:15:18 2022 -0500
[SPARK-39396][SQL] Fix LDAP login exception 'error code 49 - invalid credentials'
### What changes were proposed in this pull request?
This PR fixes the LDAP login failure that occurs when the user DN has the form (cn=user,ou=people, dc=example, dc=com).
### Why are the changes needed?
The hard coded DN in the org.apache.hive.service.auth.LdapAuthenticationProviderImpl#Authenticate() is (uid=user,ou=people, dc=example, dc=com), resulting in LDAP authentication failure
### Does this PR introduce _any_ user-facing change?
No
### How was this patch tested?
Existing test.
Closes #36784 from xiuzhu9527/fix_thriftserver_ldap.
Authored-by: xiuzhu9527 <14...@qq.com>
Signed-off-by: Sean Owen <sr...@gmail.com>
---
.../auth/LdapAuthenticationProviderImpl.java | 61 ++++++++++++++++------
1 file changed, 44 insertions(+), 17 deletions(-)
diff --git a/sql/hive-thriftserver/src/main/java/org/apache/hive/service/auth/LdapAuthenticationProviderImpl.java b/sql/hive-thriftserver/src/main/java/org/apache/hive/service/auth/LdapAuthenticationProviderImpl.java
index b83b5e1cd11..b74151a42e1 100644
--- a/sql/hive-thriftserver/src/main/java/org/apache/hive/service/auth/LdapAuthenticationProviderImpl.java
+++ b/sql/hive-thriftserver/src/main/java/org/apache/hive/service/auth/LdapAuthenticationProviderImpl.java
@@ -16,12 +16,17 @@
*/
package org.apache.hive.service.auth;
+import java.util.ArrayList;
+import java.util.Collections;
import java.util.Hashtable;
+import java.util.Iterator;
+import java.util.List;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.InitialDirContext;
import javax.security.sasl.AuthenticationException;
+import org.apache.commons.lang3.StringUtils;
import org.apache.hadoop.hive.conf.HiveConf;
import org.apache.hive.service.ServiceUtils;
@@ -30,21 +35,19 @@ public class LdapAuthenticationProviderImpl implements PasswdAuthenticationProvi
private final String ldapURL;
private final String baseDN;
private final String ldapDomain;
+ private final String userDNPattern;
LdapAuthenticationProviderImpl() {
HiveConf conf = new HiveConf();
ldapURL = conf.getVar(HiveConf.ConfVars.HIVE_SERVER2_PLAIN_LDAP_URL);
baseDN = conf.getVar(HiveConf.ConfVars.HIVE_SERVER2_PLAIN_LDAP_BASEDN);
ldapDomain = conf.getVar(HiveConf.ConfVars.HIVE_SERVER2_PLAIN_LDAP_DOMAIN);
+ userDNPattern = conf.getVar(HiveConf.ConfVars.HIVE_SERVER2_PLAIN_LDAP_USERDNPATTERN);
}
@Override
public void Authenticate(String user, String password) throws AuthenticationException {
- Hashtable<String, Object> env = new Hashtable<String, Object>();
- env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
- env.put(Context.PROVIDER_URL, ldapURL);
-
// If the domain is available in the config, then append it unless domain is
// already part of the username. LDAP providers like Active Directory use a
// fully qualified user name like foo@bar.com.
@@ -58,22 +61,46 @@ public class LdapAuthenticationProviderImpl implements PasswdAuthenticationProvi
}
// setup the security principal
- String bindDN;
- if (baseDN == null) {
- bindDN = user;
+ List<String> candidatePrincipals = new ArrayList<>();
+ if (StringUtils.isBlank(userDNPattern)) {
+ if (StringUtils.isNotBlank(baseDN)) {
+ String pattern = "uid=" + user + "," + baseDN;
+ candidatePrincipals.add(pattern);
+ }
} else {
- bindDN = "uid=" + user + "," + baseDN;
+ String[] patterns = userDNPattern.split(":");
+ for (String pattern : patterns) {
+ if (StringUtils.contains(pattern, ",") && StringUtils.contains(pattern, "=")) {
+ candidatePrincipals.add(pattern.replaceAll("%s", user));
+ }
+ }
+ }
+
+ if (candidatePrincipals.isEmpty()) {
+ candidatePrincipals = Collections.singletonList(user);
}
- env.put(Context.SECURITY_AUTHENTICATION, "simple");
- env.put(Context.SECURITY_PRINCIPAL, bindDN);
- env.put(Context.SECURITY_CREDENTIALS, password);
- try {
- // Create initial context
- Context ctx = new InitialDirContext(env);
- ctx.close();
- } catch (NamingException e) {
- throw new AuthenticationException("Error validating LDAP user", e);
+ for (Iterator<String> iterator = candidatePrincipals.iterator(); iterator.hasNext();) {
+ String principal = iterator.next();
+
+ Hashtable<String, Object> env = new Hashtable<String, Object>();
+ env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
+ env.put(Context.PROVIDER_URL, ldapURL);
+ env.put(Context.SECURITY_AUTHENTICATION, "simple");
+ env.put(Context.SECURITY_PRINCIPAL, principal);
+ env.put(Context.SECURITY_CREDENTIALS, password);
+
+ try {
+
+ // Create initial context
+ Context ctx = new InitialDirContext(env);
+ ctx.close();
+ break;
+ } catch (NamingException e) {
+ if (!iterator.hasNext()) {
+ throw new AuthenticationException("Error validating LDAP user", e);
+ }
+ }
}
}
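Review bot: `pattern.replaceAll("%s", user)` on the `candidatePrincipals.add` line treats `user` as a regex replacement string, so a login name containing `\` or `$` is either mangled or makes `Matcher.appendReplacement` throw `IllegalArgumentException`, an unchecked exception that escapes `Authenticate` instead of the declared `AuthenticationException`. The literal form `candidatePrincipals.add(pattern.replace("%s", user));` avoids both problems and is what a `%s` placeholder implies. Separately, a `NamingException` on any non-final candidate is dropped without a trace in the `catch` block, so an operator cannot tell which DN patterns were attempted; a debug-level log of the failing principal (never the password) there would help, and it is worth noting that trying several binds per login multiplies failed-bind counts seen by the directory, which may interact with lockout policies. The enclosing `Authenticate` method begins outside this hunk.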