Posted to commits@ambari.apache.org by rl...@apache.org on 2018/08/14 21:57:52 UTC
[ambari] branch trunk updated: [AMBARI-24451]
ambari.ldap.advanced.group_mapping_rules does not work,
LDAP sync does not add admin roles for configured group(s)
This is an automated email from the ASF dual-hosted git repository.
rlevas pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/ambari.git
The following commit(s) were added to refs/heads/trunk by this push:
new 271e63b [AMBARI-24451] ambari.ldap.advanced.group_mapping_rules does not work, LDAP sync does not add admin roles for configured group(s)
271e63b is described below
commit 271e63ba2da27dc8ea6bfdeab4562e6d63f59e48
Author: Robert Levas <rl...@hortonworks.com>
AuthorDate: Fri Aug 10 11:35:59 2018 -0400
[AMBARI-24451] ambari.ldap.advanced.group_mapping_rules does not work, LDAP sync does not add admin roles for configured group(s)
---
.../server/security/authorization/Users.java | 18 ++++-
.../server/security/authorization/TestUsers.java | 79 ++++++++++++++++++++--
2 files changed, 89 insertions(+), 8 deletions(-)
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/Users.java b/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/Users.java
index 40d9701..3e750c6 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/Users.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/Users.java
@@ -36,6 +36,7 @@ import org.apache.ambari.server.configuration.Configuration;
import org.apache.ambari.server.hooks.HookContextFactory;
import org.apache.ambari.server.hooks.HookService;
import org.apache.ambari.server.ldap.domain.AmbariLdapConfiguration;
+import org.apache.ambari.server.ldap.service.AmbariLdapConfigurationProvider;
import org.apache.ambari.server.orm.dao.GroupDAO;
import org.apache.ambari.server.orm.dao.MemberDAO;
import org.apache.ambari.server.orm.dao.PermissionDAO;
@@ -121,7 +122,7 @@ public class Users {
private PasswordEncoder passwordEncoder;
@Inject
- protected AmbariLdapConfiguration ldapConfiguration;
+ protected AmbariLdapConfigurationProvider ldapConfigurationProvider;
@Inject
protected Configuration configuration;
@@ -896,9 +897,20 @@ public class Users {
private void processLdapAdminGroupMappingRules(Set<MemberEntity> membershipsToCreate) {
+ if (membershipsToCreate.isEmpty()) {
+ LOG.debug("There are no new memberships for which to process administrator group mapping rules.");
+ return;
+ }
+
+ AmbariLdapConfiguration ldapConfiguration = ldapConfigurationProvider.get();
+ if (ldapConfiguration == null) {
+ LOG.warn("The LDAP configuration is not available - no administrator group mappings will be processed.");
+ return;
+ }
+
String adminGroupMappings = ldapConfiguration.groupMappingRules();
- if (Strings.isNullOrEmpty(adminGroupMappings) || membershipsToCreate.isEmpty()) {
- LOG.info("Nothing to do. LDAP admin group mappings: {}, Memberships to handle: {}", adminGroupMappings, membershipsToCreate.size());
+ if (Strings.isNullOrEmpty(adminGroupMappings)) {
+ LOG.debug("There are no administrator group mappings to be processed.");
return;
}
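Review bot: The new null guard on `ldapConfigurationProvider.get()` quietly disables administrator-role assignment for the whole sync, and nothing in the hunk documents that the LDAP configuration is now resolved on every call instead of being captured at injection time, which is the behaviour this change depends on. A Javadoc on `processLdapAdminGroupMappingRules` along the lines of `/** Grants administrator privileges to new memberships that match the LDAP group mapping rules; the LDAP configuration is read from the provider on each call so that runtime changes to the rules take effect. */` would stop a later refactor from caching the configuration again. Whether the provider can actually return null is not visible here; if it cannot, the warn branch is dead code and a one-line comment should mark it as defensive. The replaced info log also carried the membership count, which the new debug lines drop; `LOG.debug("There are no administrator group mappings to be processed for {} new memberships.", membershipsToCreate.size());` keeps that diagnostic. The method's body continues past the end of the hunk.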
diff --git a/ambari-server/src/test/java/org/apache/ambari/server/security/authorization/TestUsers.java b/ambari-server/src/test/java/org/apache/ambari/server/security/authorization/TestUsers.java
index b5a1a17..8b52c9a 100644
--- a/ambari-server/src/test/java/org/apache/ambari/server/security/authorization/TestUsers.java
+++ b/ambari-server/src/test/java/org/apache/ambari/server/security/authorization/TestUsers.java
@@ -17,6 +17,7 @@
*/
package org.apache.ambari.server.security.authorization;
+import static org.apache.ambari.server.configuration.AmbariServerConfigurationKey.GROUP_MAPPING_RULES;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertNotNull;
import static org.junit.Assert.assertNotSame;
@@ -26,12 +27,18 @@ import static org.junit.Assert.fail;
import java.sql.SQLException;
import java.util.Collection;
+import java.util.Collections;
import java.util.List;
import org.apache.ambari.server.AmbariException;
import org.apache.ambari.server.H2DatabaseCleaner;
+import org.apache.ambari.server.configuration.AmbariServerConfigurationCategory;
+import org.apache.ambari.server.events.AmbariConfigurationChangedEvent;
+import org.apache.ambari.server.events.JpaInitializedEvent;
+import org.apache.ambari.server.events.publishers.AmbariEventPublisher;
import org.apache.ambari.server.orm.GuiceJpaInitializer;
import org.apache.ambari.server.orm.InMemoryDefaultTestModule;
+import org.apache.ambari.server.orm.dao.AmbariConfigurationDAO;
import org.apache.ambari.server.orm.dao.GroupDAO;
import org.apache.ambari.server.orm.dao.PermissionDAO;
import org.apache.ambari.server.orm.dao.PrincipalDAO;
@@ -39,6 +46,7 @@ import org.apache.ambari.server.orm.dao.PrincipalTypeDAO;
import org.apache.ambari.server.orm.dao.ResourceDAO;
import org.apache.ambari.server.orm.dao.ResourceTypeDAO;
import org.apache.ambari.server.orm.dao.UserDAO;
+import org.apache.ambari.server.orm.entities.AmbariConfigurationEntity;
import org.apache.ambari.server.orm.entities.PermissionEntity;
import org.apache.ambari.server.orm.entities.PrincipalEntity;
import org.apache.ambari.server.orm.entities.PrincipalTypeEntity;
@@ -46,6 +54,10 @@ import org.apache.ambari.server.orm.entities.ResourceEntity;
import org.apache.ambari.server.orm.entities.ResourceTypeEntity;
import org.apache.ambari.server.orm.entities.UserAuthenticationEntity;
import org.apache.ambari.server.orm.entities.UserEntity;
+import org.apache.ambari.server.security.ldap.LdapBatchDto;
+import org.apache.ambari.server.security.ldap.LdapGroupDto;
+import org.apache.ambari.server.security.ldap.LdapUserDto;
+import org.apache.ambari.server.security.ldap.LdapUserGroupMemberDto;
import org.junit.After;
import org.junit.Before;
import org.junit.Test;
@@ -195,16 +207,14 @@ public class TestUsers {
try {
users.modifyAuthentication(foundLocalAuthenticationEntity, "user", null, false);
fail("Null password should not be allowed");
- }
- catch (AmbariException e) {
+ } catch (AmbariException e) {
assertEquals("The new password does not meet the Ambari password requirements", e.getLocalizedMessage());
}
try {
users.modifyAuthentication(foundLocalAuthenticationEntity, "user", "", false);
fail("Empty password should not be allowed");
- }
- catch (AmbariException e) {
+ } catch (AmbariException e) {
assertEquals("The new password does not meet the Ambari password requirements", e.getLocalizedMessage());
}
}
@@ -528,7 +538,66 @@ public class TestUsers {
assertEquals(3, userEntity2.getAuthenticationEntities().size());
}
- private UserAuthenticationEntity getAuthenticationEntity(UserEntity userEntity, UserAuthenticationType type) {
+ @Test
+ public void testProcessLdapSync() {
+ // Setup LDAP properties
+ AmbariConfigurationEntity entity = new AmbariConfigurationEntity();
+ entity.setCategoryName(GROUP_MAPPING_RULES.getConfigurationCategory().getCategoryName());
+ entity.setPropertyName(GROUP_MAPPING_RULES.key());
+ entity.setPropertyValue("admins");
+ injector.getInstance(AmbariConfigurationDAO.class).create(entity);
+
+ AmbariEventPublisher eventPublisher = injector.getInstance(AmbariEventPublisher.class);
+ eventPublisher.publish(new JpaInitializedEvent());
+ eventPublisher.publish(new AmbariConfigurationChangedEvent(AmbariServerConfigurationCategory.LDAP_CONFIGURATION.name()));
+
+ LdapBatchDto batchInfo = new LdapBatchDto();
+ LdapUserDto userToBeCreated;
+ LdapGroupDto groupToBeCreated;
+
+ userToBeCreated = new LdapUserDto();
+ userToBeCreated.setDn("dn=user1");
+ userToBeCreated.setUid("user1");
+ userToBeCreated.setUserName("User1");
+ batchInfo.getUsersToBeCreated().add(userToBeCreated);
+
+ userToBeCreated = new LdapUserDto();
+ userToBeCreated.setDn("dn=user2");
+ userToBeCreated.setUid("user2");
+ userToBeCreated.setUserName("User2");
+ batchInfo.getUsersToBeCreated().add(userToBeCreated);
+
+ groupToBeCreated = new LdapGroupDto();
+ groupToBeCreated.setGroupName("admins");
+ groupToBeCreated.setMemberAttributes(Collections.singleton("dn=User1"));
+ batchInfo.getGroupsToBeCreated().add(groupToBeCreated);
+
+ groupToBeCreated = new LdapGroupDto();
+ groupToBeCreated.setGroupName("non-admins");
+ groupToBeCreated.setMemberAttributes(Collections.singleton("dn=User2"));
+ batchInfo.getGroupsToBeCreated().add(groupToBeCreated);
+
+ batchInfo.getMembershipToAdd().add(new LdapUserGroupMemberDto("admins", "user1"));
+ batchInfo.getMembershipToAdd().add(new LdapUserGroupMemberDto("non-admins", "user2"));
+
+ users.processLdapSync(batchInfo);
+
+ assertNotNull(users.getUser("user1"));
+ assertNotNull(users.getUser("user2"));
+
+ Collection<AmbariGrantedAuthority> authorities;
+
+ authorities = users.getUserAuthorities("user1");
+ assertNotNull(authorities);
+ assertEquals(1, authorities.size());
+ assertEquals("AMBARI.ADMINISTRATOR", authorities.iterator().next().getPrivilegeEntity().getPermission().getPermissionName());
+
+ authorities = users.getUserAuthorities("user2");
+ assertNotNull(authorities);
+ assertEquals(0, authorities.size());
+ }
+
+ private UserAuthenticationEntity getAuthenticationEntity(UserEntity userEntity, UserAuthenticationType type) {
assertNotNull(userEntity);
Collection<UserAuthenticationEntity> authenticationEntities = userEntity.getAuthenticationEntities();
assertNotNull(authenticationEntities);