Posted to commits@activemq.apache.org by cl...@apache.org on 2018/07/12 16:42:06 UTC
[1/2] activemq-artemis git commit: ARTEMIS-1974 document LDAP role
expansion
Repository: activemq-artemis
Updated Branches:
refs/heads/master 1d72faf9e -> e66a42fa7
ARTEMIS-1974 document LDAP role expansion
Project: http://git-wip-us.apache.org/repos/asf/activemq-artemis/repo
Commit: http://git-wip-us.apache.org/repos/asf/activemq-artemis/commit/7b4be500
Tree: http://git-wip-us.apache.org/repos/asf/activemq-artemis/tree/7b4be500
Diff: http://git-wip-us.apache.org/repos/asf/activemq-artemis/diff/7b4be500
Branch: refs/heads/master
Commit: 7b4be5008dfaca122d5a277b4010807a176a2992
Parents: 1d72faf
Author: Justin Bertram <jb...@apache.org>
Authored: Mon Jul 9 09:36:33 2018 -0500
Committer: Clebert Suconic <cl...@apache.org>
Committed: Thu Jul 12 12:42:01 2018 -0400
----------------------------------------------------------------------
.../spi/core/security/jaas/LDAPLoginModule.java | 6 ++++++
docs/user-manual/en/security.md | 13 +++++++++++++
2 files changed, 19 insertions(+)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/activemq-artemis/blob/7b4be500/artemis-server/src/main/java/org/apache/activemq/artemis/spi/core/security/jaas/LDAPLoginModule.java
----------------------------------------------------------------------
diff --git a/artemis-server/src/main/java/org/apache/activemq/artemis/spi/core/security/jaas/LDAPLoginModule.java b/artemis-server/src/main/java/org/apache/activemq/artemis/spi/core/security/jaas/LDAPLoginModule.java
index 19194fa..7d58a0b 100644
--- a/artemis-server/src/main/java/org/apache/activemq/artemis/spi/core/security/jaas/LDAPLoginModule.java
+++ b/artemis-server/src/main/java/org/apache/activemq/artemis/spi/core/security/jaas/LDAPLoginModule.java
@@ -480,6 +480,12 @@ public class LDAPLoginModule implements LoginModule {
while (!pendingNameExpansion.isEmpty()) {
String name = pendingNameExpansion.remove();
final String expandFilter = expandRolesMatchingFormat.format(new String[]{name});
+ if (logger.isDebugEnabled()) {
+ logger.debug("Get 'expanded' user roles.");
+ logger.debug("Looking for the 'expanded' user roles in LDAP with ");
+ logger.debug(" base DN: " + getLDAPPropertyValue(ROLE_BASE));
+ logger.debug(" filter: " + expandFilter);
+ }
try {
results = Subject.doAs(brokerGssapiIdentity, (PrivilegedExceptionAction< NamingEnumeration<SearchResult>>) () -> context.search(getLDAPPropertyValue(ROLE_BASE), expandFilter, constraints));
} catch (PrivilegedActionException e) {
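Review bot: The four added `logger.debug` calls emit one logical message as separate records, so under concurrent logins the "base DN" and "filter" lines of different threads can interleave, and the line ending in "with " says nothing without the lines that follow it; I would collapse them into a single call, `logger.debug("Looking for the 'expanded' user roles in LDAP with base DN: " + getLDAPPropertyValue(ROLE_BASE) + "; filter: " + expandFilter);`. The logged filter embeds `name`, which the context line formats into `expandFilter` with no escaping visible in this hunk; if those role names come back from the directory, characters such as `*`, `(`, `)` or `\` would alter the search filter and a CR/LF would split the log entry, so it is worth confirming that names are escaped per RFC 4515 before formatting and neutralised before logging. The enclosing `while` loop and `try` block start and end outside the hunk, so that handling may already exist elsewhere in the method.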
http://git-wip-us.apache.org/repos/asf/activemq-artemis/blob/7b4be500/docs/user-manual/en/security.md
----------------------------------------------------------------------
diff --git a/docs/user-manual/en/security.md b/docs/user-manual/en/security.md
index 47fb228..63e49a6 100644
--- a/docs/user-manual/en/security.md
+++ b/docs/user-manual/en/security.md
@@ -690,6 +690,19 @@ system. It is implemented by
- `referral` - specify how to handle referrals; valid values: `ignore`,
`follow`, `throw`; default is `ignore`.
+- `expandRoles` - boolean indicating whether to enable the role expansion
+ functionality or not; default false. If enabled, then roles within roles will
+ be found. For example, role `A` is in role `B`. User `X` is in role `A`,
+ which means user `X` is in role `B` by virtue of being in role `A`.
+
+- `expandRolesMatching` - specifies an LDAP search filter which is applied to
+ the subtree selected by `roleBase`. Before passing to the LDAP search operation,
+ the string value you provide here is subjected to string substitution, as
+ implemented by the `java.text.MessageFormat` class. Essentially, this means that
+ the special string, `{0}`, is substituted by the role name as extracted from the
+ previous role search. This option must always be set to enable role expansion
+ because it has no default value. Example value: `(member={0})`.
+
- `debug` - boolean flag; if `true`, enable debugging; this is used only for
testing or debugging; normally, it should be set to `false`, or omitted;
default is `false`
[2/2] activemq-artemis git commit: This closes #2176
Posted by cl...@apache.org.
This closes #2176
Project: http://git-wip-us.apache.org/repos/asf/activemq-artemis/repo
Commit: http://git-wip-us.apache.org/repos/asf/activemq-artemis/commit/e66a42fa
Tree: http://git-wip-us.apache.org/repos/asf/activemq-artemis/tree/e66a42fa
Diff: http://git-wip-us.apache.org/repos/asf/activemq-artemis/diff/e66a42fa
Branch: refs/heads/master
Commit: e66a42fa75d22270461e5541cb15739685cdc3e4
Parents: 1d72faf 7b4be50
Author: Clebert Suconic <cl...@apache.org>
Authored: Thu Jul 12 12:42:02 2018 -0400
Committer: Clebert Suconic <cl...@apache.org>
Committed: Thu Jul 12 12:42:02 2018 -0400
----------------------------------------------------------------------
.../spi/core/security/jaas/LDAPLoginModule.java | 6 ++++++
docs/user-manual/en/security.md | 13 +++++++++++++
2 files changed, 19 insertions(+)
----------------------------------------------------------------------