Posted to commits@hive.apache.org by ct...@apache.org on 2016/08/12 15:30:36 UTC
hive git commit: HIVE-14513: Enhance custom query feature in LDAP atn
to support resultset of ldap groups (Naveen Gangam, via Chaoyu Tang)
Repository: hive
Updated Branches:
refs/heads/master b3c5296d7 -> 333fa8763
HIVE-14513: Enhance custom query feature in LDAP atn to support resultset of ldap groups (Naveen Gangam, via Chaoyu Tang)
Project: http://git-wip-us.apache.org/repos/asf/hive/repo
Commit: http://git-wip-us.apache.org/repos/asf/hive/commit/333fa876
Tree: http://git-wip-us.apache.org/repos/asf/hive/tree/333fa876
Diff: http://git-wip-us.apache.org/repos/asf/hive/diff/333fa876
Branch: refs/heads/master
Commit: 333fa87633776fe2eabc37718756e0caaec646d2
Parents: b3c5296
Author: ctang <ct...@cloudera.com>
Authored: Fri Aug 12 11:30:20 2016 -0400
Committer: ctang <ct...@cloudera.com>
Committed: Fri Aug 12 11:30:20 2016 -0400
----------------------------------------------------------------------
.../auth/LdapAuthenticationProviderImpl.java | 17 ++-
.../auth/TestLdapAtnProviderWithMiniDS.java | 111 ++++++++++++++++++-
2 files changed, 120 insertions(+), 8 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/hive/blob/333fa876/service/src/java/org/apache/hive/service/auth/LdapAuthenticationProviderImpl.java
----------------------------------------------------------------------
diff --git a/service/src/java/org/apache/hive/service/auth/LdapAuthenticationProviderImpl.java b/service/src/java/org/apache/hive/service/auth/LdapAuthenticationProviderImpl.java
index 8f64672..efd5393 100644
--- a/service/src/java/org/apache/hive/service/auth/LdapAuthenticationProviderImpl.java
+++ b/service/src/java/org/apache/hive/service/auth/LdapAuthenticationProviderImpl.java
@@ -594,7 +594,13 @@ public class LdapAuthenticationProviderImpl implements PasswdAuthenticationProvi
SearchControls searchControls = new SearchControls();
List<String> list = new ArrayList<String>();
- String[] returnAttributes = new String[0]; //empty set
+ String[] returnAttributes;
+ if (groupMembership_attr != null) {
+ // retrieve the attributes that are meant to desginate user DNs
+ returnAttributes = new String[] { groupMembership_attr };
+ } else {
+ returnAttributes = new String[0]; //empty set
+ }
searchControls.setSearchScope(SearchControls.SUBTREE_SCOPE);
searchControls.setReturningAttributes(returnAttributes);
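Review bot: The comment on the new branch has a typo and does not say why the attribute is requested, which is the non-obvious part of this change; I would replace it with `// when a group-membership attribute is configured, ask the server for it so that a group entry in the custom-query result can be expanded into its member DNs below`. The enclosing method (executeLDAPQuery, by the log message in the next hunk) starts before this hunk and continues after it.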
@@ -604,6 +610,14 @@ public class LdapAuthenticationProviderImpl implements PasswdAuthenticationProvi
SearchResult searchResult = null;
while(results.hasMoreElements()) {
searchResult = results.nextElement();
+ if (groupMembership_attr != null) {
+ Attribute userAttribute = searchResult.getAttributes().get(groupMembership_attr);
+ if (userAttribute != null) {
+ list.add((String)userAttribute.get());
+ continue;
+ }
+ }
+
list.add(searchResult.getNameInNamespace());
LOG.debug("LDAPAtn:executeLDAPQuery()::Return set size " + list.get(list.size() - 1));
}
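Review bot: `userAttribute.get()` on the added line returns only the first value of the attribute, so a group with several `member`/`uniqueMember` values contributes just one member DN to `list` and every other member of that group is not matched; the new test data (groups with a single member) does not exercise this. Iterate over `userAttribute.getAll()` instead and add each value, as in the excerpt below; `getAll()` throws `NamingException` like `get()` does, so the method's existing handling should cover it, and `NamingEnumeration` appears to be in scope already since `results` is iterated with `hasMoreElements()`, but confirm the import. The `(String)` cast still assumes the attribute is string-valued; a binary-valued membership attribute would throw `ClassCastException` here, so if that is possible in your directories consider `String.valueOf(...)` or a type check. The enclosing method starts before this hunk and ends after it.
```java
if (groupMembership_attr != null) {
  Attribute userAttribute = searchResult.getAttributes().get(groupMembership_attr);
  if (userAttribute != null) {
    // a group entry carries one value per member; collect all of them, not just the first
    NamingEnumeration<?> members = userAttribute.getAll();
    while (members.hasMore()) {
      list.add((String) members.next());
    }
    continue;
  }
}
// … unchanged: fall back to the entry's own DN …
```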
@@ -632,5 +646,4 @@ public class LdapAuthenticationProviderImpl implements PasswdAuthenticationProvi
}
return null;
}
-
}
http://git-wip-us.apache.org/repos/asf/hive/blob/333fa876/service/src/test/org/apache/hive/service/auth/TestLdapAtnProviderWithMiniDS.java
----------------------------------------------------------------------
diff --git a/service/src/test/org/apache/hive/service/auth/TestLdapAtnProviderWithMiniDS.java b/service/src/test/org/apache/hive/service/auth/TestLdapAtnProviderWithMiniDS.java
index 40430c4..089a059 100644
--- a/service/src/test/org/apache/hive/service/auth/TestLdapAtnProviderWithMiniDS.java
+++ b/service/src/test/org/apache/hive/service/auth/TestLdapAtnProviderWithMiniDS.java
@@ -123,8 +123,8 @@ partitions = {
"objectClass: ExtensibleObject",
"givenName: Group2",
"ou: Groups",
- "cn: group1",
- "sn: group1",
+ "cn: group2",
+ "sn: group2",
"member: uid=user2,ou=People,dc=example,dc=com",
"dn: cn=group3,ou=Groups,dc=example,dc=com",
@@ -859,14 +859,14 @@ public class TestLdapAtnProviderWithMiniDS extends AbstractLdapTestUnit {
+ USER1.getUID() + ")(uid=" + USER4.getUID() + ")))");
initLdapAtn(ldapProperties);
- user = USER1.getDN();
+ user = USER1.getDN();
try {
ldapProvider.Authenticate(user, USER1.getPassword());
assertTrue("testCustomQueryPositive: Authentication succeeded for " + user + " as expected", true);
- user = USER1.getUID();
- ldapProvider.Authenticate(user, USER1.getPassword());
- assertTrue("testCustomQueryPositive: Authentication succeeded for " + user + " as expected", true);
+ user = USER1.getUID();
+ ldapProvider.Authenticate(user, USER1.getPassword());
+ assertTrue("testCustomQueryPositive: Authentication succeeded for " + user + " as expected", true);
user = USER4.getDN();
ldapProvider.Authenticate(user, USER4.getPassword());
@@ -903,6 +903,105 @@ public class TestLdapAtnProviderWithMiniDS extends AbstractLdapTestUnit {
}
}
+ /**
+ Test to test the LDAP Atn to use a custom LDAP query that returns
+ a) A set of group DNs
+ b) A combination of group(s) DN and user DN
+ LDAP atn is expected to extract the members of the group using the attribute value for
+ "hive.server2.authentication.ldap.groupMembershipKey"
+ */
+ @Test
+ public void testCustomQueryWithGroupsPositive() throws Exception {
+ String user;
+ Map<String, String> ldapProperties = new HashMap<String, String>();
+ ldapProperties.put("hive.server2.authentication.ldap.baseDN", "dc=example,dc=com");
+ ldapProperties.put("hive.server2.authentication.ldap.userDNPattern", "cn=%s,ou=People,dc=example,dc=com:uid=%s,ou=People,dc=example,dc=com");
+ ldapProperties.put("hive.server2.authentication.ldap.customLDAPQuery",
+ "(&(objectClass=groupOfNames)(|(cn=group1)(cn=group2)))");
+ initLdapAtn(ldapProperties);
+
+ user = USER1.getDN();
+ try {
+ ldapProvider.Authenticate(user, USER1.getPassword());
+ assertTrue("testCustomQueryWithGroupsPositive: Authentication succeeded for " + user + " as expected", true);
+
+ user = USER2.getUID();
+ ldapProvider.Authenticate(user, USER2.getPassword());
+ assertTrue("testCustomQueryWithGroupsPositive: Authentication succeeded for " + user + " as expected", true);
+ } catch (AuthenticationException e) {
+ Assert.fail("testCustomQueryWithGroupsPositive: Authentication failed for " + user + ",user expected to pass custom LDAP Query");
+ }
+
+ /* the following test uses a query that returns a group and a user entry.
+ the ldap atn should use the groupMembershipKey to identify the users for the returned group
+ and the authentication should succeed for the users of that group as well as the lone user4 in this case
+ */
+ ldapProperties.put("hive.server2.authentication.ldap.baseDN", "dc=example,dc=com");
+ ldapProperties.put("hive.server2.authentication.ldap.userDNPattern", "cn=%s,ou=People,dc=example,dc=com:uid=%s,ou=People,dc=example,dc=com");
+ // following query should return group1 and user2
+ ldapProperties.put("hive.server2.authentication.ldap.customLDAPQuery",
+ "(|(&(objectClass=groupOfNames)(cn=group1))(&(objectClass=person)(sn=user4)))");
+ initLdapAtn(ldapProperties);
+
+ user = USER1.getUID();
+ try {
+ ldapProvider.Authenticate(user, USER1.getPassword());
+ assertTrue("testCustomQueryWithGroupsPositive: Authentication succeeded for " + user + " as expected", true);
+
+ user = USER4.getUID();
+ ldapProvider.Authenticate(user, USER4.getPassword());
+ assertTrue("testCustomQueryWithGroupsPositive: Authentication succeeded for " + user + " as expected", true);
+ } catch (AuthenticationException e) {
+ Assert.fail("testCustomQueryWithGroupsPositive: Authentication failed for " + user + ",user expected to pass custom LDAP Query");
+ }
+
+ ldapProperties.put("hive.server2.authentication.ldap.baseDN", "dc=example,dc=com");
+ ldapProperties.put("hive.server2.authentication.ldap.userDNPattern", "cn=%s,ou=People,dc=example,dc=com:uid=%s,ou=People,dc=example,dc=com");
+ ldapProperties.put("hive.server2.authentication.ldap.groupMembershipKey", "uniqueMember");
+ ldapProperties.put("hive.server2.authentication.ldap.customLDAPQuery",
+ "(&(objectClass=groupOfUniqueNames)(cn=group4))");
+ initLdapAtn(ldapProperties);
+
+ user = USER4.getDN();
+ try {
+ ldapProvider.Authenticate(user, USER4.getPassword());
+ assertTrue("testCustomQueryWithGroupsPositive: Authentication succeeded for " + user + " as expected", true);
+
+ user = USER4.getUID();
+ ldapProvider.Authenticate(user, USER4.getPassword());
+ assertTrue("testCustomQueryWithGroupsPositive: Authentication succeeded for " + user + " as expected", true);
+ } catch (AuthenticationException e) {
+ Assert.fail("testCustomQueryWithGroupsPositive: Authentication failed for " + user + ",user expected to pass custom LDAP Query");
+ }
+ }
+
+ @Test
+ public void testCustomQueryWithGroupsNegative() throws Exception {
+ String user;
+ Map<String, String> ldapProperties = new HashMap<String, String>();
+ ldapProperties.put("hive.server2.authentication.ldap.baseDN", "dc=example,dc=com");
+ ldapProperties.put("hive.server2.authentication.ldap.userDNPattern", "cn=%s,ou=People,dc=example,dc=com:uid=%s,ou=People,dc=example,dc=com");
+ ldapProperties.put("hive.server2.authentication.ldap.customLDAPQuery",
+ "(&(objectClass=groupOfNames)(|(cn=group1)(cn=group2)))");
+ initLdapAtn(ldapProperties);
+
+ user = USER3.getDN();
+ try {
+ ldapProvider.Authenticate(user, USER3.getPassword());
+ Assert.fail("testCustomQueryNegative: Authentication succeeded for " + user + ",user expected to fail custom LDAP Query");
+ } catch (AuthenticationException e) {
+ assertTrue("testCustomQueryNegative: Authentication failed for " + user + " as expected", true);
+ }
+
+ try {
+ user = USER3.getUID();
+ ldapProvider.Authenticate(user, USER3.getPassword());
+ Assert.fail("testCustomQueryNegative: Authentication succeeded for " + user + ",user expected to fail custom LDAP Query");
+ } catch (AuthenticationException e) {
+ assertTrue("testCustomQueryNegative: Authentication failed for " + user + " as expected", true);
+ }
+ }
+
@Test
public void testGroupFilterPositiveWithCustomGUID() throws Exception {
String user;