Posted to commits@ambari.apache.org by GitBox <gi...@apache.org> on 2018/11/28 10:55:21 UTC

[GitHub] oleewere closed pull request #46: AMBARI-24662. Support non-plain text passwords for LDAP authentication

oleewere closed pull request #46: AMBARI-24662. Support non-plain text passwords for LDAP authentication
URL: https://github.com/apache/ambari-logsearch/pull/46
 
 
   


diff --git a/ambari-logsearch-server/src/main/java/org/apache/ambari/logsearch/conf/LogSearchLdapAuthConfig.java b/ambari-logsearch-server/src/main/java/org/apache/ambari/logsearch/conf/LogSearchLdapAuthConfig.java
index 5218062266..34238262d8 100644
--- a/ambari-logsearch-server/src/main/java/org/apache/ambari/logsearch/conf/LogSearchLdapAuthConfig.java
+++ b/ambari-logsearch-server/src/main/java/org/apache/ambari/logsearch/conf/LogSearchLdapAuthConfig.java
@@ -58,6 +58,16 @@
   )
   private String ldapManagerPassword;
 
+  @Value("${logsearch.auth.ldap.manager.password.file:}")
+  @LogSearchPropertyDescription(
+    name = "logsearch.auth.ldap.manager.password.file",
+    description = "File that contains password of the LDAP manager user.",
+    examples = {"/my/path/passwordfile"},
+    defaultValue = "",
+    sources = {LOGSEARCH_PROPERTIES_FILE}
+  )
+  private String ldapManagerPasswordFile;
+
   @Value("${logsearch.auth.ldap.base.dn:}")
   @LogSearchPropertyDescription(
     name = "logsearch.auth.ldap.base.dn",
@@ -279,4 +289,12 @@ public String getReferralMethod() {
   public void setReferralMethod(String referralMethod) {
     this.referralMethod = referralMethod;
   }
+
+  public String getLdapManagerPasswordFile() {
+    return ldapManagerPasswordFile;
+  }
+
+  public void setLdapManagerPasswordFile(String ldapManagerPasswordFile) {
+    this.ldapManagerPasswordFile = ldapManagerPasswordFile;
+  }
 }
diff --git a/ambari-logsearch-server/src/main/java/org/apache/ambari/logsearch/conf/SecurityConfig.java b/ambari-logsearch-server/src/main/java/org/apache/ambari/logsearch/conf/SecurityConfig.java
index d75c304b27..22754f7292 100644
--- a/ambari-logsearch-server/src/main/java/org/apache/ambari/logsearch/conf/SecurityConfig.java
+++ b/ambari-logsearch-server/src/main/java/org/apache/ambari/logsearch/conf/SecurityConfig.java
@@ -21,6 +21,8 @@
 import static javax.ws.rs.core.Response.Status.SERVICE_UNAVAILABLE;
 import static org.apache.ambari.logsearch.common.LogSearchConstants.LOGSEARCH_SESSION_ID;
 
+import java.io.File;
+import java.nio.charset.Charset;
 import java.util.ArrayList;
 import java.util.List;
 
@@ -50,7 +52,10 @@
 import org.apache.ambari.logsearch.web.filters.LogsearchUsernamePasswordAuthenticationFilter;
 import org.apache.ambari.logsearch.web.security.LogsearchAuthenticationProvider;
 import org.apache.ambari.logsearch.web.security.LogsearchLdapAuthenticationProvider;
+import org.apache.commons.io.FileUtils;
 import org.apache.commons.lang.StringUtils;
+import org.apache.logging.log4j.LogManager;
+import org.apache.logging.log4j.Logger;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.ldap.core.support.LdapContextSource;
@@ -66,7 +71,6 @@
 import org.springframework.security.crypto.password.PasswordEncoder;
 import org.springframework.security.web.access.intercept.FilterSecurityInterceptor;
 import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
-import org.springframework.security.web.header.Header;
 import org.springframework.security.web.header.HeaderWriter;
 import org.springframework.security.web.header.writers.HstsHeaderWriter;
 import org.springframework.security.web.header.writers.StaticHeadersWriter;
@@ -83,6 +87,8 @@
 @EnableWebSecurity
 public class SecurityConfig extends WebSecurityConfigurerAdapter {
 
+  private static final Logger logger = LogManager.getLogger(SecurityConfig.class);
+
   @Inject
   private AuthPropsConfig authPropsConfig;
 
@@ -92,6 +98,9 @@
   @Inject
   private LogSearchHttpConfig logSearchHttpConfig;
 
+  @Inject
+  private LogSearchSslConfig logSearchSslConfig;
+
   @Inject
   private SolrServiceLogPropsConfig solrServiceLogPropsConfig;
 
@@ -178,8 +187,9 @@ public LdapContextSource ldapContextSource() {
       if (StringUtils.isNotBlank(authPropsConfig.getLdapAuthConfig().getLdapManagerDn())) {
         ldapContextSource.setUserDn(authPropsConfig.getLdapAuthConfig().getLdapManagerDn());
       }
-      if (StringUtils.isNotBlank(authPropsConfig.getLdapAuthConfig().getLdapManagerPassword())) {
-        ldapContextSource.setPassword(authPropsConfig.getLdapAuthConfig().getLdapManagerPassword());
+      char[] ldapPassword = getLdapManagerPassword();
+      if (ldapPassword != null) {
+        ldapContextSource.setPassword(new String(ldapPassword));
       }
       ldapContextSource.setReferral(authPropsConfig.getLdapAuthConfig().getReferralMethod());
       ldapContextSource.setAnonymousReadOnly(true);
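Review bot: The replaced lines checked `StringUtils.isNotBlank(...)` before calling `setPassword`, but the new guard only tests `ldapPassword != null`, so an empty or whitespace-only value (an empty password file, an env var exported as "") now reaches `ldapContextSource.setPassword("")` instead of leaving the context source without a password as before. Tightening the guard keeps the old semantics: `if (ldapPassword != null && StringUtils.isNotBlank(new String(ldapPassword))) {`. Note also that `new String(ldapPassword)` immediately turns the `char[]` back into an immutable `String`, so the `char[]` form gives no zeroisation benefit here; that is fine, but a comment saying the array is only a transport type would stop a later reader from assuming otherwise. The enclosing `ldapContextSource()` method starts before this hunk and continues after it.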
@@ -364,6 +374,29 @@ public RequestMatcher shipperConfigInputRequestMatcher() {
     return new AntPathRequestMatcher("/api/v1/shipper/input/**");
   }
 
+  private char[] getLdapManagerPassword() {
+    char[] ldapPassword = null;
+    try {
+      String credentialProviderPath = logSearchSslConfig.getCredentialStoreProviderPath();
+      String ldapPasswordEnv = "LOGSEARCH_LDAP_MANAGER_PASSWORD";
+      if (StringUtils.isNotBlank(credentialProviderPath)) {
+        org.apache.hadoop.conf.Configuration config = new org.apache.hadoop.conf.Configuration();
+        config.set(LogSearchSslConfig.CREDENTIAL_STORE_PROVIDER_PATH, credentialProviderPath);
+        ldapPassword = config.getPassword("logsearch.auth.ldap.manager.password");
+      } else if (StringUtils.isNotBlank(authPropsConfig.getLdapAuthConfig().getLdapManagerPasswordFile())){
+        ldapPassword = FileUtils.readFileToString(new File(
+          authPropsConfig.getLdapAuthConfig().getLdapManagerPasswordFile()), Charset.defaultCharset()).toCharArray();
+      } else if (StringUtils.isNotBlank(System.getenv(ldapPasswordEnv))) {
+        ldapPassword = System.getenv(ldapPasswordEnv).toCharArray();
+      } else if (StringUtils.isNotBlank(authPropsConfig.getLdapAuthConfig().getLdapManagerPassword())) {
+        ldapPassword = authPropsConfig.getLdapAuthConfig().getLdapManagerPassword().toCharArray();
+      }
+    } catch (Exception e) {
+      logger.warn("Error during ldap password initialization. LDAP authentication probably won't work if a manager password will be required.", e);
+    }
+    return ldapPassword;
+  }
+
   private String[] getCookies() {
     List<String> cookies = new ArrayList<>();
     cookies.add(LOGSEARCH_SESSION_ID);
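Review bot: In the password-file branch, `FileUtils.readFileToString(...)` returns the file verbatim, so a file ending in the newline that editors and `echo` append yields a password with a trailing `\n` and the manager bind will fail, and `Charset.defaultCharset()` makes the result depend on the JVM's platform charset. Chomping the terminator and pinning the charset fixes both: `String fileContent = FileUtils.readFileToString(new File(authPropsConfig.getLdapAuthConfig().getLdapManagerPasswordFile()), StandardCharsets.UTF_8);` followed by `ldapPassword = StringUtils.chomp(fileContent).toCharArray();` (needs `import java.nio.charset.StandardCharsets;` in place of `Charset`). Separately, the credential-provider branch is taken whenever `getCredentialStoreProviderPath()` is set, and if `config.getPassword(...)` returns null when the alias is absent from the store, as I believe Hadoop's `Configuration` does for an unset key, then a credential store configured only for the SSL keystore silently disables the file, env and plain-property fallbacks; falling through to the next branch when the lookup returns null would avoid that. The `catch (Exception e)` deliberately degrades to a null password, which is reasonable, but the warning should name which source was being read so operators can tell a missing file from a credential-store error; the property description on `ldapManagerPasswordFile` should likewise state the precedence order these branches establish (credential store, file, environment variable, plain property).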


 
