Posted to issues@kylin.apache.org by "Peng Xing (JIRA)" <ji...@apache.org> on 2018/01/30 09:20:00 UTC

[jira] [Comment Edited] (KYLIN-3199) The login dialog should be closed when ldap user with no permission login correctly

    [ https://issues.apache.org/jira/browse/KYLIN-3199?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16344724#comment-16344724 ] 

Peng Xing edited comment on KYLIN-3199 at 1/30/18 9:19 AM:
-----------------------------------------------------------

Hi, [~Zhixiong Chen] and [~Aron.tao], I have found out the reason.
After the refactoring in the following issue:
[KYLIN-2960|https://issues.apache.org/jira/browse/KYLIN-2960]
The 'curUser.userDetails.authorities' contains only one group named 'xpGroup', which is not configured for 'kylin.security.acl.admin-role' in kylin.properties, so the user 'xp' who belongs to 'xpGroup' has no permission.
Then when you log in with user 'xp', 'roles[authority.authority]' is undefined.

But before the refactoring, every user had at least two default roles, which are configured in kylin.properties as follows.
{code:java}
kylin.security.acl.default-role=ROLE_ANALYST,ROLE_MODELER
{code}
So the user 'xp' who belongs to 'xpGroup' has two default roles, 'ROLE_ANALYST' and 'ROLE_MODELER'.
Then when you log in with user 'xp', 'roles[authority.authority]' is '/models'.

So I think the real reason is that the return value of the background interface has changed.
Before: the user has two default roles 'ROLE_ANALYST' and 'ROLE_MODELER'.
After:    the user has no default role.

So [~Zhixiong Chen] and [~Aron.tao], can you give a suggestion? Can I modify the web code or the background code? Thanks!



> The login dialog should be closed when ldap user with no permission login correctly
> -----------------------------------------------------------------------------------
>
>                 Key: KYLIN-3199
>                 URL: https://issues.apache.org/jira/browse/KYLIN-3199
>             Project: Kylin
>          Issue Type: Bug
>          Components: Web 
>    Affects Versions: v2.3.0
>            Reporter: Peng Xing
>            Assignee: Peng Xing
>            Priority: Minor
>              Labels: patch
>         Attachments: 0001-KYLIN-3199-The-login-dialog-should-be-closed-when-ld.patch, ldap_user_login.png
>
>
> 1. Open LDAP authentication, but I do not give the admin permission to group 'xpGroup';
> 2. Create an LDAP user 'xp', who belongs to group 'xpGroup', so this user has no permission.
> 3. When user 'xp' logs in, the bar above is shown and enabled, but the login dialog is still shown.
> 4. Then you can click any button on the bar above.
> Please refer to 'ldap_user_login.png'
> I think the login dialog should be closed when you log in correctly, and you should be redirected to the 'Model' page, but this user has no permission.
> I have modified this issue, please review the patch, thanks!
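
An added example, not part of the original message and not Kylin's web code: one way a client could turn the `roles[authority.authority]` lookup described above into an explicit "authenticated but no mapped role" state instead of an undefined redirect target. The function name, the route map and the sample responses are assumptions constructed for illustration.

```javascript
// Hypothetical names throughout; this is not Kylin's own code.
// Constructed role-to-landing-page map. The page only states that the two
// default roles resolved to '/models'.
const ROLE_ROUTES = Object.freeze({
  ROLE_MODELER: '/models',
  ROLE_ANALYST: '/models',
});

// Resolve the post-login state from the authorities the backend returned.
// Returns { state: 'authorized', path } or { state: 'no-permission' }.
function resolveLanding(userDetails, roleRoutes = ROLE_ROUTES) {
  const authorities = Array.isArray(userDetails && userDetails.authorities)
    ? userDetails.authorities
    : [];
  for (const entry of authorities) {
    const name = entry && entry.authority;
    // Own-property check: a directory group named 'constructor' or
    // 'toString' must not match a property inherited from Object.prototype,
    // which a bare roles[name] lookup would return as a truthy value.
    if (typeof name === 'string' &&
        Object.prototype.hasOwnProperty.call(roleRoutes, name)) {
      return { state: 'authorized', path: roleRoutes[name] };
    }
  }
  // Authenticated, but no authority maps to a role: an explicit state the
  // UI can act on (close the dialog, show "no permission", keep the
  // navigation bar disabled) rather than an undefined route.
  return { state: 'no-permission' };
}

// Constructed sample responses for the two cases described in the comment.
const beforeRefactor = {
  authorities: [{ authority: 'ROLE_ANALYST' }, { authority: 'ROLE_MODELER' }],
};
const afterRefactor = { authorities: [{ authority: 'xpGroup' }] };

console.log(resolveLanding(beforeRefactor)); // { state: 'authorized', path: '/models' }
console.log(resolveLanding(afterRefactor));  // { state: 'no-permission' }
```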


