oleewere closed pull request #46: AMBARI-24662. Support non-plain text passwords for LDAP authentication URL: https://github.com/apache/ambari-logsearch/pull/46
This is a PR merged from a forked repository. As GitHub hides the original diff on merge, it is displayed below for the sake of provenance: As this is a foreign pull request (from a fork), the diff is supplied below (as it won't show otherwise due to GitHub magic):
diff --git a/ambari-logsearch-server/src/main/java/org/apache/ambari/logsearch/conf/LogSearchLdapAuthConfig.java b/ambari-logsearch-server/src/main/java/org/apache/ambari/logsearch/conf/LogSearchLdapAuthConfig.java
index 5218062266..34238262d8 100644
--- a/ambari-logsearch-server/src/main/java/org/apache/ambari/logsearch/conf/LogSearchLdapAuthConfig.java
+++ b/ambari-logsearch-server/src/main/java/org/apache/ambari/logsearch/conf/LogSearchLdapAuthConfig.java
@@ -58,6 +58,16 @@
 )
 private String ldapManagerPassword;
 
+ @Value("${logsearch.auth.ldap.manager.password.file:}")
+ @LogSearchPropertyDescription(
+ name = "logsearch.auth.ldap.manager.password.file",
+ description = "File that contains password of the LDAP manager user.",
+ examples = {"/my/path/passwordfile"},
+ defaultValue = "",
+ sources = {LOGSEARCH_PROPERTIES_FILE}
+ )
+ private String ldapManagerPasswordFile;
+
 @Value("${logsearch.auth.ldap.base.dn:}")
 @LogSearchPropertyDescription(
 name = "logsearch.auth.ldap.base.dn",
@@ -279,4 +289,12 @@ public String getReferralMethod() {
 public void setReferralMethod(String referralMethod) {
 this.referralMethod = referralMethod;
 }
+
+ public String getLdapManagerPasswordFile() {
+ return ldapManagerPasswordFile;
+ }
+
+ public void setLdapManagerPasswordFile(String ldapManagerPasswordFile) {
+ this.ldapManagerPasswordFile = ldapManagerPasswordFile;
+ }
 }
diff --git a/ambari-logsearch-server/src/main/java/org/apache/ambari/logsearch/conf/SecurityConfig.java b/ambari-logsearch-server/src/main/java/org/apache/ambari/logsearch/conf/SecurityConfig.java
index d75c304b27..22754f7292 100644
--- a/ambari-logsearch-server/src/main/java/org/apache/ambari/logsearch/conf/SecurityConfig.java
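Review bot: The description of the new `logsearch.auth.ldap.manager.password.file` property does not tell operators how the file is consumed or protected, which matters for a file that holds a bind credential. From the reading code elsewhere in this PR it appears the entire file content is used as the password and the file is only consulted when no credential-store provider path is configured, so the property text should say so; something like `description = "File that contains the password of the LDAP manager user. The whole file content is used as the password; only consulted when no credential store provider is configured. Restrict the file's permissions to the Log Search service user."` would let an operator avoid both a stray trailing newline and a world-readable secret. The new getter and setter in the second hunk need no change.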
+++ b/ambari-logsearch-server/src/main/java/org/apache/ambari/logsearch/conf/SecurityConfig.java
@@ -21,6 +21,8 @@
 import static javax.ws.rs.core.Response.Status.SERVICE_UNAVAILABLE;
 import static org.apache.ambari.logsearch.common.LogSearchConstants.LOGSEARCH_SESSION_ID;
 
+import java.io.File;
+import java.nio.charset.Charset;
 import java.util.ArrayList;
 import java.util.List;
 
@@ -50,7 +52,10 @@
 import org.apache.ambari.logsearch.web.filters.LogsearchUsernamePasswordAuthenticationFilter;
 import org.apache.ambari.logsearch.web.security.LogsearchAuthenticationProvider;
 import org.apache.ambari.logsearch.web.security.LogsearchLdapAuthenticationProvider;
+import org.apache.commons.io.FileUtils;
 import org.apache.commons.lang.StringUtils;
+import org.apache.logging.log4j.LogManager;
+import org.apache.logging.log4j.Logger;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.ldap.core.support.LdapContextSource;
@@ -66,7 +71,6 @@
 import org.springframework.security.crypto.password.PasswordEncoder;
 import org.springframework.security.web.access.intercept.FilterSecurityInterceptor;
 import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
-import org.springframework.security.web.header.Header;
 import org.springframework.security.web.header.HeaderWriter;
 import org.springframework.security.web.header.writers.HstsHeaderWriter;
 import org.springframework.security.web.header.writers.StaticHeadersWriter;
@@ -83,6 +87,8 @@
 @EnableWebSecurity
 public class SecurityConfig extends WebSecurityConfigurerAdapter {
 
+ private static final Logger logger = LogManager.getLogger(SecurityConfig.class);
+
 @Inject
 private AuthPropsConfig authPropsConfig;
 
@@ -92,6 +98,9 @@
 @Inject
 private LogSearchHttpConfig logSearchHttpConfig;
 
+ @Inject
+ private LogSearchSslConfig logSearchSslConfig;
+
 @Inject
 private SolrServiceLogPropsConfig solrServiceLogPropsConfig;
 
@@ -178,8 +187,9 @@ public LdapContextSource ldapContextSource() {
 if (StringUtils.isNotBlank(authPropsConfig.getLdapAuthConfig().getLdapManagerDn())) {
 ldapContextSource.setUserDn(authPropsConfig.getLdapAuthConfig().getLdapManagerDn());
 }
- if (StringUtils.isNotBlank(authPropsConfig.getLdapAuthConfig().getLdapManagerPassword())) {
- ldapContextSource.setPassword(authPropsConfig.getLdapAuthConfig().getLdapManagerPassword());
+ char[] ldapPassword = getLdapManagerPassword();
+ if (ldapPassword != null) {
+ ldapContextSource.setPassword(new String(ldapPassword));
 }
 ldapContextSource.setReferral(authPropsConfig.getLdapAuthConfig().getReferralMethod());
 ldapContextSource.setAnonymousReadOnly(true);
@@ -364,6 +374,29 @@ public RequestMatcher shipperConfigInputRequestMatcher() {
 return new AntPathRequestMatcher("/api/v1/shipper/input/**");
 }
 
+ private char[] getLdapManagerPassword() {
+ char[] ldapPassword = null;
+ try {
+ String credentialProviderPath = logSearchSslConfig.getCredentialStoreProviderPath();
+ String ldapPasswordEnv = "LOGSEARCH_LDAP_MANAGER_PASSWORD";
+ if (StringUtils.isNotBlank(credentialProviderPath)) {
+ org.apache.hadoop.conf.Configuration config = new org.apache.hadoop.conf.Configuration();
+ config.set(LogSearchSslConfig.CREDENTIAL_STORE_PROVIDER_PATH, credentialProviderPath);
+ ldapPassword = config.getPassword("logsearch.auth.ldap.manager.password");
+ } else if (StringUtils.isNotBlank(authPropsConfig.getLdapAuthConfig().getLdapManagerPasswordFile())){
+ ldapPassword = FileUtils.readFileToString(new File(
+ authPropsConfig.getLdapAuthConfig().getLdapManagerPasswordFile()), Charset.defaultCharset()).toCharArray();
+ } else if (StringUtils.isNotBlank(System.getenv(ldapPasswordEnv))) {
+ ldapPassword = System.getenv(ldapPasswordEnv).toCharArray();
+ } else if (StringUtils.isNotBlank(authPropsConfig.getLdapAuthConfig().getLdapManagerPassword())) {
+ ldapPassword = authPropsConfig.getLdapAuthConfig().getLdapManagerPassword().toCharArray();
+ }
+ } catch (Exception e) {
+ logger.warn("Error during ldap password initialization. LDAP authentication probably won't work if a manager password will be required.", e);
+ }
+ return ldapPassword;
+ }
+
 private String[] getCookies() {
 List<String> cookies = new ArrayList<>();
 cookies.add(LOGSEARCH_SESSION_ID);
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
With regards,
Apache Git Services
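Review bot: The password-file branch in getLdapManagerPassword uses the file content verbatim, so the trailing newline that `echo pw > file` and most editors leave behind becomes part of the bind password and the manager bind silently fails; the read should strip it and should not depend on the JVM's platform encoding, e.g. `FileUtils.readFileToString(file, StandardCharsets.UTF_8).trim().toCharArray()` (with `java.nio.charset.StandardCharsets` imported in place of `Charset`). Separately, the lookup is an else-if chain keyed on `credentialStoreProviderPath`, which appears to be the same provider path the SSL config uses, so a deployment that keeps only keystore passwords in the credential store and supplies the LDAP password via file or env gets `null` back from `config.getPassword(...)` and never reaches the later sources, with no log line explaining why; guarding each fallback with `ldapPassword == null` instead of `else if` would make the sources compose, as sketched below. The `char[]` return type buys no hygiene here because the value originates from and is immediately turned back into a `String` (`new String(ldapPassword)` in ldapContextSource, earlier in this diff), which is fine but worth a comment so nobody assumes the array is wiped. The `catch (Exception e)` that logs at warn and returns null is reasonable as best-effort, but the log message should also state which source was being tried.
```java
private char[] getLdapManagerPassword() {
  char[] ldapPassword = null;
  try {
    String credentialProviderPath = logSearchSslConfig.getCredentialStoreProviderPath();
    if (StringUtils.isNotBlank(credentialProviderPath)) {
      // … unchanged: hadoop Configuration lookup of logsearch.auth.ldap.manager.password …
    }
    // Fall through when the alias is absent from the credential store instead of stopping here.
    if (ldapPassword == null && StringUtils.isNotBlank(authPropsConfig.getLdapAuthConfig().getLdapManagerPasswordFile())) {
      // trim(): a trailing newline from the editor or `echo` must not become part of the bind password.
      ldapPassword = FileUtils.readFileToString(new File(
          authPropsConfig.getLdapAuthConfig().getLdapManagerPasswordFile()), StandardCharsets.UTF_8).trim().toCharArray();
    }
    if (ldapPassword == null && StringUtils.isNotBlank(System.getenv(ldapPasswordEnv))) {
      // … unchanged: env fallback …
    }
    if (ldapPassword == null && StringUtils.isNotBlank(authPropsConfig.getLdapAuthConfig().getLdapManagerPassword())) {
      // … unchanged: plain-text property fallback …
    }
  } catch (Exception e) {
    // … unchanged: warn and return null …
  }
  return ldapPassword;
}
```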