Posted to notifications@kyuubi.apache.org by "pan3793 (via GitHub)" <gi...@apache.org> on 2023/04/06 07:42:14 UTC

[GitHub] [kyuubi] pan3793 commented on a diff in pull request #4152: Enhance LDAP authentication

pan3793 commented on code in PR #4152:
URL: https://github.com/apache/kyuubi/pull/4152#discussion_r1159404539


##########
kyuubi-common/src/main/scala/org/apache/kyuubi/service/authentication/LdapAuthenticationProviderImpl.scala:
##########
@@ -41,47 +49,72 @@ class LdapAuthenticationProviderImpl(conf: KyuubiConf) extends PasswdAuthenticat
    * @throws AuthenticationException When a user is found to be invalid by the implementation
    */
   override def authenticate(user: String, password: String): Unit = {
+
+    val (usedBind, bindUser, bindPassword) = (
+      conf.get(KyuubiConf.AUTHENTICATION_LDAP_BIND_USER),
+      conf.get(KyuubiConf.AUTHENTICATION_LDAP_BIND_PASSWORD)) match {
+      case (Some(_bindUser), Some(_bindPw)) => (true, _bindUser, _bindPw)
+      case _ =>
+        // If no bind user or bind password was specified,
+        // we assume the user we are authenticating has the ability to search
+        // the LDAP tree, so we use it as the "binding" account.
+        // This is the way it worked before bind users were allowed in the LDAP authenticator,
+        // so we keep existing systems working.
+        (false, user, password)
+    }
+
+    var search: DirSearch = null
+    try {
+      search = createDirSearch(bindUser, bindPassword)
+      applyFilter(search, user)
+      if (usedBind) {
+        // If we used the bind user, then we need to authenticate again,
+        // this time using the full user name we got during the bind process.
+        createDirSearch(search.findUserDn(user), password)
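
Review bot: on the last line, the `DirSearch` returned by `createDirSearch(search.findUserDn(user), password)` is discarded, so the connection opened for the user re-bind has no reference left to close it with; only `search` is held in a variable. Assign the result to a local value and close it once the bind has succeeded. The same call passes the result of `findUserDn(user)` straight into the bind without checking that a DN was actually found, and nothing in the visible lines rejects an empty `password` before the re-bind. Both cases should fail explicitly with `AuthenticationException`: under RFC 4513 a simple bind with a DN and a zero-length password is an unauthenticated bind, which some directory servers accept, and on the `usedBind` path this re-bind is the only step that verifies the user's password.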

Review Comment:
   That makes sense to me. The current logic should be the same as Apache Hive's; would you please check whether Hive has the same issue? Anyway, go ahead and improve it.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscribe@kyuubi.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org