You are viewing a plain text version of this content. The canonical link for it is here.

Posted to commits@activemq.apache.org by cl...@apache.org on 2018/07/12 16:42:06 UTC

[1/2] activemq-artemis git commit: ARTEMIS-1974 document LDAP role expansion

Repository: activemq-artemis
Updated Branches:
  refs/heads/master 1d72faf9e -> e66a42fa7


ARTEMIS-1974 document LDAP role expansion


Project: http://git-wip-us.apache.org/repos/asf/activemq-artemis/repo
Commit: http://git-wip-us.apache.org/repos/asf/activemq-artemis/commit/7b4be500
Tree: http://git-wip-us.apache.org/repos/asf/activemq-artemis/tree/7b4be500
Diff: http://git-wip-us.apache.org/repos/asf/activemq-artemis/diff/7b4be500

Branch: refs/heads/master
Commit: 7b4be5008dfaca122d5a277b4010807a176a2992
Parents: 1d72faf
Author: Justin Bertram <jb...@apache.org>
Authored: Mon Jul 9 09:36:33 2018 -0500
Committer: Clebert Suconic <cl...@apache.org>
Committed: Thu Jul 12 12:42:01 2018 -0400

----------------------------------------------------------------------
 .../spi/core/security/jaas/LDAPLoginModule.java        |  6 ++++++
 docs/user-manual/en/security.md                        | 13 +++++++++++++
 2 files changed, 19 insertions(+)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/activemq-artemis/blob/7b4be500/artemis-server/src/main/java/org/apache/activemq/artemis/spi/core/security/jaas/LDAPLoginModule.java
----------------------------------------------------------------------
diff --git a/artemis-server/src/main/java/org/apache/activemq/artemis/spi/core/security/jaas/LDAPLoginModule.java b/artemis-server/src/main/java/org/apache/activemq/artemis/spi/core/security/jaas/LDAPLoginModule.java
index 19194fa..7d58a0b 100644
--- a/artemis-server/src/main/java/org/apache/activemq/artemis/spi/core/security/jaas/LDAPLoginModule.java
+++ b/artemis-server/src/main/java/org/apache/activemq/artemis/spi/core/security/jaas/LDAPLoginModule.java
@@ -480,6 +480,12 @@ public class LDAPLoginModule implements LoginModule {
          while (!pendingNameExpansion.isEmpty()) {
             String name = pendingNameExpansion.remove();
             final String expandFilter = expandRolesMatchingFormat.format(new String[]{name});
+            if (logger.isDebugEnabled()) {
+               logger.debug("Get 'expanded' user roles.");
+               logger.debug("Looking for the 'expanded' user roles in LDAP with ");
+               logger.debug("  base DN: " + getLDAPPropertyValue(ROLE_BASE));
+               logger.debug("  filter: " + expandFilter);
+            }
             try {
                results = Subject.doAs(brokerGssapiIdentity, (PrivilegedExceptionAction< NamingEnumeration<SearchResult>>) () -> context.search(getLDAPPropertyValue(ROLE_BASE), expandFilter, constraints));
             } catch (PrivilegedActionException e) {

http://git-wip-us.apache.org/repos/asf/activemq-artemis/blob/7b4be500/docs/user-manual/en/security.md
----------------------------------------------------------------------
diff --git a/docs/user-manual/en/security.md b/docs/user-manual/en/security.md
index 47fb228..63e49a6 100644
--- a/docs/user-manual/en/security.md
+++ b/docs/user-manual/en/security.md
@@ -690,6 +690,19 @@ system. It is implemented by
 - `referral` - specify how to handle referrals; valid values: `ignore`,
   `follow`, `throw`; default is `ignore`.
 
+- `expandRoles` - boolean indicating whether to enable the role expansion
+  functionality or not; default false. If enabled, then roles within roles will
+  be found. For example, role `A` is in role `B`. User `X` is in role `A`,
+  which means user `X` is in role `B` by virtue of being in role `A`.
+
+- `expandRolesMatching` - specifies an LDAP search filter which is applied to
+  the subtree selected by `roleBase`. Before passing to the LDAP search operation,
+  the string value you provide here is subjected to string substitution, as
+  implemented by the `java.text.MessageFormat` class. Essentially, this means that
+  the special string, `{0}`, is substituted by the role name as extracted from the
+  previous role search. This option must always be set to enable role expansion
+  because it has no default value. Example value: `(member={0})`.
+
 - `debug` - boolean flag; if `true`, enable debugging; this is used only for
   testing or debugging; normally, it should be set to `false`, or omitted;
   default is `false`

[2/2] activemq-artemis git commit: This closes #2176

Posted by cl...@apache.org.

This closes #2176


Project: http://git-wip-us.apache.org/repos/asf/activemq-artemis/repo
Commit: http://git-wip-us.apache.org/repos/asf/activemq-artemis/commit/e66a42fa
Tree: http://git-wip-us.apache.org/repos/asf/activemq-artemis/tree/e66a42fa
Diff: http://git-wip-us.apache.org/repos/asf/activemq-artemis/diff/e66a42fa

Branch: refs/heads/master
Commit: e66a42fa75d22270461e5541cb15739685cdc3e4
Parents: 1d72faf 7b4be50
Author: Clebert Suconic <cl...@apache.org>
Authored: Thu Jul 12 12:42:02 2018 -0400
Committer: Clebert Suconic <cl...@apache.org>
Committed: Thu Jul 12 12:42:02 2018 -0400

----------------------------------------------------------------------
 .../spi/core/security/jaas/LDAPLoginModule.java        |  6 ++++++
 docs/user-manual/en/security.md                        | 13 +++++++++++++
 2 files changed, 19 insertions(+)
----------------------------------------------------------------------