Posted to commits@hive.apache.org by ng...@apache.org on 2019/03/01 20:14:00 UTC

[hive] branch branch-3 updated: HIVE-21363: Ldap auth issue: group filter match should be case insensitive (Naveen Gangam, reviewed by Aihua Xu)

This is an automated email from the ASF dual-hosted git repository.

ngangam pushed a commit to branch branch-3
in repository https://gitbox.apache.org/repos/asf/hive.git


The following commit(s) were added to refs/heads/branch-3 by this push:
     new 16178fa  HIVE-21363: Ldap auth issue: group filter match should be case insensitive (Naveen Gangam, reviewed by Aihua Xu)
16178fa is described below

commit 16178fa8236a7d40c9bedb4ded492f4dbfe6e575
Author: Naveen Gangam <ng...@apache.org>
AuthorDate: Fri Mar 1 14:55:24 2019 -0500

    HIVE-21363: Ldap auth issue: group filter match should be case insensitive (Naveen Gangam, reviewed by Aihua Xu)
---
 .../hive/service/auth/ldap/GroupFilterFactory.java |  2 +-
 .../hive/service/auth/ldap/TestGroupFilter.java    | 43 ++++++++++++++++++++++
 2 files changed, 44 insertions(+), 1 deletion(-)

diff --git a/service/src/java/org/apache/hive/service/auth/ldap/GroupFilterFactory.java b/service/src/java/org/apache/hive/service/auth/ldap/GroupFilterFactory.java
index a0cb404..9165227 100644
--- a/service/src/java/org/apache/hive/service/auth/ldap/GroupFilterFactory.java
+++ b/service/src/java/org/apache/hive/service/auth/ldap/GroupFilterFactory.java
@@ -86,7 +86,7 @@ public final class GroupFilterFactory implements FilterFactory {
 
       for (String groupDn : memberOf) {
         String shortName = LdapUtils.getShortName(groupDn);
-        if (groupFilter.contains(shortName)) {
+        if (groupFilter.stream().anyMatch(shortName::equalsIgnoreCase)) {
           LOG.debug("GroupMembershipKeyFilter passes: user '{}' is a member of '{}' group",
               user, groupDn);
           LOG.info("Authentication succeeded based on group membership");
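Review bot: The new condition `groupFilter.stream().anyMatch(shortName::equalsIgnoreCase)` decides access on the group's short name alone and now also ignores case, but nothing at the call site records that this is intended. A short comment would help, for example `// Group names are matched case-insensitively on the short name only; the rest of the DN is not compared.`, so that a later reader does not tighten or loosen the check by accident. `equalsIgnoreCase` is a sound choice because it does not depend on the default locale, unlike lower-casing both sides with `toLowerCase()`. The bound reference `shortName::equalsIgnoreCase` throws a NullPointerException if `LdapUtils.getShortName` can ever return null; that helper and the rest of the enclosing method are outside this hunk, so this needs confirming there.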
diff --git a/service/src/test/org/apache/hive/service/auth/ldap/TestGroupFilter.java b/service/src/test/org/apache/hive/service/auth/ldap/TestGroupFilter.java
index 36e58c3..9ea5361 100644
--- a/service/src/test/org/apache/hive/service/auth/ldap/TestGroupFilter.java
+++ b/service/src/test/org/apache/hive/service/auth/ldap/TestGroupFilter.java
@@ -105,6 +105,49 @@ public class TestGroupFilter {
     filter.apply(search, "user3@mydomain.com");
   }
 
+  @Test
+  public void testGroupMembershipKeyCaseInsensitiveFilterApplyPositive()
+      throws AuthenticationException, NamingException, IOException {
+    conf.setVar(HiveConf.ConfVars.HIVE_SERVER2_PLAIN_LDAP_GROUPFILTER, "hiveusers,g1");
+
+    when(search.findUserDn(eq("user1")))
+        .thenReturn("cn=user1,ou=People,dc=example,dc=com");
+    when(search.findUserDn(eq("cn=user2,dc=example,dc=com")))
+        .thenReturn("cn=user2,ou=People,dc=example,dc=com");
+    when(search.findUserDn(eq("user3@mydomain.com")))
+        .thenReturn("cn=user3,ou=People,dc=example,dc=com");
+
+    when(search.findGroupsForUser(eq("cn=user1,ou=People,dc=example,dc=com")))
+        .thenReturn(Arrays.asList(
+            "cn=SuperUsers,ou=Groups,dc=example,dc=com",
+            "cn=Office1,ou=Groups,dc=example,dc=com",
+            "cn=HiveUsers,ou=Groups,dc=example,dc=com",
+            "cn=G1,ou=Groups,dc=example,dc=com"));
+    when(search.findGroupsForUser(eq("cn=user2,ou=People,dc=example,dc=com")))
+        .thenReturn(Arrays.asList(
+            "cn=HiveUsers,ou=Groups,dc=example,dc=com"));
+    when(search.findGroupsForUser(eq("cn=user3,ou=People,dc=example,dc=com")))
+        .thenReturn(Arrays.asList(
+            "cn=G1,ou=Groups,dc=example,dc=com",
+            "cn=G2,ou=Groups,dc=example,dc=com"));
+
+    Filter filter = factory.getInstance(conf);
+    filter.apply(search, "user1");
+    filter.apply(search, "cn=user2,dc=example,dc=com");
+    filter.apply(search, "user3@mydomain.com");
+  }
+
+  @Test(expected = AuthenticationException.class)
+  public void testGroupMembershipKeyCaseInsensitiveFilterApplyNegative()
+      throws AuthenticationException, NamingException, IOException {
+    conf.setVar(HiveConf.ConfVars.HIVE_SERVER2_PLAIN_LDAP_GROUPFILTER, "hiveusers,containsg1");
+
+    when(search.findGroupsForUser(eq("user1"))).thenReturn(Arrays.asList("SuperUsers", "Office1", "G1", "G2"));
+
+    Filter filter = factory.getInstance(conf);
+    filter.apply(search, "user1");
+  }
+
   @Test(expected = AuthenticationException.class)
   public void testGroupMembershipKeyFilterApplyNegative()
       throws AuthenticationException, NamingException, IOException {
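Review bot: `testGroupMembershipKeyCaseInsensitiveFilterApplyNegative` probably passes for the wrong reason: it stubs `findGroupsForUser(eq("user1"))` but never stubs `findUserDn`, whereas the positive test above resolves each user to a DN first and keys the group lookup on that DN. If `apply` looks groups up by the resolved DN (its body is outside this diff), the mock yields no groups and the AuthenticationException comes from an empty membership list, not from `containsg1` failing to match `G1`. To make the test guard against substring or prefix matching creeping into the access check, add `when(search.findUserDn(eq("user1"))).thenReturn("cn=user1,ou=People,dc=example,dc=com");` and key `findGroupsForUser` on that DN, returning full DNs such as `"cn=G1,ou=Groups,dc=example,dc=com"`. Verifying that `findGroupsForUser` was actually called with the DN would confirm the rejection path was exercised.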