You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@ambari.apache.org by lp...@apache.org on 2017/09/05 09:41:32 UTC
[37/50] [abbrv] ambari git commit: AMBARI-21873 support for handling
ldap ambari admin group mappings during ldap sync
AMBARI-21873 support for handling ldap ambari admin group mappings during ldap sync
Project: http://git-wip-us.apache.org/repos/asf/ambari/repo
Commit: http://git-wip-us.apache.org/repos/asf/ambari/commit/cf264c6c
Tree: http://git-wip-us.apache.org/repos/asf/ambari/tree/cf264c6c
Diff: http://git-wip-us.apache.org/repos/asf/ambari/diff/cf264c6c
Branch: refs/heads/feature-branch-AMBARI-21307
Commit: cf264c6c86e1275c6af8daafb13f1ace862af41d
Parents: c091ebe
Author: lpuskas <lp...@apache.org>
Authored: Mon Sep 4 15:39:39 2017 +0200
Committer: lpuskas <lp...@apache.org>
Committed: Tue Sep 5 11:14:53 2017 +0200
----------------------------------------------------------------------
.../server/security/authorization/Users.java | 62 ++++++++++++++++----
1 file changed, 50 insertions(+), 12 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/ambari/blob/cf264c6c/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/Users.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/Users.java b/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/Users.java
index 7d8c683..91cefe9 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/Users.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/Users.java
@@ -61,6 +61,8 @@ import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.crypto.password.PasswordEncoder;
+import com.google.common.base.Strings;
+import com.google.common.collect.Sets;
import com.google.inject.Provider;
import com.google.inject.Singleton;
import com.google.inject.persist.Transactional;
@@ -190,7 +192,7 @@ public class Users {
currentUserEntity = userDAO.findLdapUserByName(currentUserName);
try {
ldapAuthenticationProvider.authenticate(
- new UsernamePasswordAuthenticationToken(currentUserName, currentUserPassword));
+ new UsernamePasswordAuthenticationToken(currentUserName, currentUserPassword));
isLdapUser = true;
} catch (InvalidUsernamePasswordCombinationException ex) {
throw new AmbariException(ex.getMessage());
@@ -213,7 +215,7 @@ public class Users {
}
if ((isLdapUser && isCurrentUserAdmin) || (StringUtils.isNotEmpty(currentUserPassword) &&
- passwordEncoder.matches(currentUserPassword, currentUserEntity.getUserPassword()))) {
+ passwordEncoder.matches(currentUserPassword, currentUserEntity.getUserPassword()))) {
userEntity.setUserPassword(passwordEncoder.encode(newPassword));
userDAO.merge(userEntity);
} else {
@@ -300,7 +302,7 @@ public class Users {
* @throws AmbariException if user already exists
*/
public synchronized void createUser(String userName, String password, UserType userType, Boolean active, Boolean
- admin) throws AmbariException {
+ admin) throws AmbariException {
// if user type is not provided, assume LOCAL since the default
// value of user_type in the users table is LOCAL
if (userType == null) {
@@ -310,7 +312,7 @@ public class Users {
User existingUser = getAnyUser(userName);
if (existingUser != null) {
throw new AmbariException("User " + existingUser.getUserName() + " already exists with type "
- + existingUser.getUserType());
+ + existingUser.getUserType());
}
PrincipalTypeEntity principalTypeEntity = principalTypeDAO.findById(PrincipalTypeEntity.USER_PRINCIPAL_TYPE);
@@ -355,7 +357,7 @@ public class Users {
if (userEntity != null) {
if (!isUserCanBeRemoved(userEntity)) {
throw new AmbariException("Could not remove user " + userEntity.getUserName() +
- ". System should have at least one administrator.");
+ ". System should have at least one administrator.");
}
userDAO.remove(userEntity);
} else {
@@ -403,7 +405,7 @@ public class Users {
users.add(new User(memberEntity.getUser()));
} else {
LOG.error("Wrong state, not found user for member '{}' (group: '{}')",
- memberEntity.getMemberId(), memberEntity.getGroup().getGroupName());
+ memberEntity.getMemberId(), memberEntity.getGroup().getGroupName());
}
}
return users;
@@ -512,7 +514,7 @@ public class Users {
ResourceTypeEntity resourceTypeEntity = new ResourceTypeEntity();
resourceTypeEntity.setId(resourceType.getId());
resourceTypeEntity.setName(resourceType.name());
- privilege.setPermission(permissionDAO.findPermissionByNameAndType(permissionName,resourceTypeEntity));
+ privilege.setPermission(permissionDAO.findPermissionByNameAndType(permissionName, resourceTypeEntity));
privilege.setPrincipal(group.getPrincipal());
privilege.setResource(resourceDAO.findById(resourceId));
if (!group.getPrincipal().getPrivileges().contains(privilege)) {
@@ -544,7 +546,7 @@ public class Users {
@Transactional
public synchronized void addMemberToGroup(String groupName, String userName)
- throws AmbariException {
+ throws AmbariException {
final GroupEntity groupEntity = groupDAO.findGroupByName(groupName);
if (groupEntity == null) {
@@ -572,7 +574,7 @@ public class Users {
@Transactional
public synchronized void removeMemberFromGroup(String groupName, String userName)
- throws AmbariException {
+ throws AmbariException {
final GroupEntity groupEntity = groupDAO.findGroupByName(groupName);
if (groupEntity == null) {
@@ -651,9 +653,9 @@ public class Users {
}
final PrincipalTypeEntity userPrincipalType = principalTypeDAO
- .ensurePrincipalTypeCreated(PrincipalTypeEntity.USER_PRINCIPAL_TYPE);
+ .ensurePrincipalTypeCreated(PrincipalTypeEntity.USER_PRINCIPAL_TYPE);
final PrincipalTypeEntity groupPrincipalType = principalTypeDAO
- .ensurePrincipalTypeCreated(PrincipalTypeEntity.GROUP_PRINCIPAL_TYPE);
+ .ensurePrincipalTypeCreated(PrincipalTypeEntity.GROUP_PRINCIPAL_TYPE);
// remove users
final Set<UserEntity> usersToRemove = new HashSet<>();
@@ -755,6 +757,10 @@ public class Users {
groupsToUpdate.add(groupEntity);
membersToCreate.add(memberEntity);
}
+
+ // handle adminGroupMappingRules
+ processLdapAdminGroupMappingRules(membersToCreate);
+
memberDAO.create(membersToCreate);
groupDAO.merge(groupsToUpdate); // needed for Derby DB as it doesn't fetch newly added members automatically
@@ -778,11 +784,43 @@ public class Users {
}
+ private void processLdapAdminGroupMappingRules(Set<MemberEntity> membershipsToCreate) {
+
+ String adminGroupMappings = configuration.getProperty(Configuration.LDAP_ADMIN_GROUP_MAPPING_RULES);
+ if (Strings.isNullOrEmpty(adminGroupMappings) || membershipsToCreate.isEmpty()) {
+ LOG.info("Nothing to do. LDAP admin group mappings: {}, Memberships to handle: {}", adminGroupMappings, membershipsToCreate.size());
+ return;
+ }
+
+ LOG.info("Processing admin group mapping rules [{}]. Membership entry count: [{}]", adminGroupMappings, membershipsToCreate.size());
+
+ // parse the comma separated list of mapping rules
+ Set<String> ldapAdminGroups = Sets.newHashSet(adminGroupMappings.split(","));
+
+ // LDAP users to become ambari administrators
+ Set<UserEntity> ambariAdminProspects = Sets.newHashSet();
+
+ // gathering all the users that need to be ambari admins
+ for (MemberEntity memberEntity : membershipsToCreate) {
+ if (ldapAdminGroups.contains(memberEntity.getGroup().getGroupName())) {
+ LOG.debug("Ambari admin user prospect: [{}] ", memberEntity.getUser().getUserName());
+ ambariAdminProspects.add(memberEntity.getUser());
+ }
+ }
+
+ // granting admin privileges to the admin prospects
+ for (UserEntity userEntity : ambariAdminProspects) {
+ LOG.info("Granting ambari admin roles to the user: {}", userEntity.getUserName());
+ grantAdminPrivilege(userEntity.getUserId());
+ }
+
+ }
+
/**
* Assembles a map where the keys are usernames and values are Lists with groups associated with users.
*
* @param usersToCreate a list with user entities
- * @return the a populated map instance
+ * @return the populated map instance
*/
private Map<String, Set<String>> getUsersToGroupMap(Set<UserEntity> usersToCreate) {
Map<String, Set<String>> usersToGroups = new HashMap<>();