This is an automated email from the ASF dual-hosted git repository. oleewere pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/ambari-logsearch.git
The following commit(s) were added to refs/heads/master by this push:
 new 67128e1 AMBARI-24662. Support non-plain text passwords for LDAP authentication (#46)
67128e1 is described below
commit 67128e104a40c4672a6cd4f8f407d00a60df6d62
Author: Olivér Szabó <oleew...@gmail.com>
AuthorDate: Wed Nov 28 11:55:19 2018 +0100
AMBARI-24662. Support non-plain text passwords for LDAP authentication (#46)
---
 .../logsearch/conf/LogSearchLdapAuthConfig.java | 18 ++++++++++
 .../ambari/logsearch/conf/SecurityConfig.java | 39 ++++++++++++++++++++--
 2 files changed, 54 insertions(+), 3 deletions(-)
diff --git a/ambari-logsearch-server/src/main/java/org/apache/ambari/logsearch/conf/LogSearchLdapAuthConfig.java b/ambari-logsearch-server/src/main/java/org/apache/ambari/logsearch/conf/LogSearchLdapAuthConfig.java
index 5218062..3423826 100644
--- a/ambari-logsearch-server/src/main/java/org/apache/ambari/logsearch/conf/LogSearchLdapAuthConfig.java
+++ b/ambari-logsearch-server/src/main/java/org/apache/ambari/logsearch/conf/LogSearchLdapAuthConfig.java
@@ -58,6 +58,16 @@ public class LogSearchLdapAuthConfig {
 )
 private String ldapManagerPassword;
 
+ @Value("${logsearch.auth.ldap.manager.password.file:}")
+ @LogSearchPropertyDescription(
+ name = "logsearch.auth.ldap.manager.password.file",
+ description = "File that contains password of the LDAP manager user.",
+ examples = {"/my/path/passwordfile"},
+ defaultValue = "",
+ sources = {LOGSEARCH_PROPERTIES_FILE}
+ )
+ private String ldapManagerPasswordFile;
+
 @Value("${logsearch.auth.ldap.base.dn:}")
 @LogSearchPropertyDescription(
 name = "logsearch.auth.ldap.base.dn",
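Review bot: The description on the new `logsearch.auth.ldap.manager.password.file` property does not tell an operator how the file is consumed, and that is where the usual mistake happens: the consumer added to SecurityConfig in this same commit uses the whole file content as the password without stripping a line terminator, and only consults the file when no credential store provider path is configured. I would state both in the property description, e.g. `description = "File whose entire content is used as the password of the LDAP manager user; only consulted when no credential store provider path is configured."`. The enclosing class LogSearchLdapAuthConfig starts and ends outside the hunk.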
@@ -279,4 +289,12 @@ public class LogSearchLdapAuthConfig {
 public void setReferralMethod(String referralMethod) {
 this.referralMethod = referralMethod;
 }
+
+ public String getLdapManagerPasswordFile() {
+ return ldapManagerPasswordFile;
+ }
+
+ public void setLdapManagerPasswordFile(String ldapManagerPasswordFile) {
+ this.ldapManagerPasswordFile = ldapManagerPasswordFile;
+ }
 }
diff --git a/ambari-logsearch-server/src/main/java/org/apache/ambari/logsearch/conf/SecurityConfig.java b/ambari-logsearch-server/src/main/java/org/apache/ambari/logsearch/conf/SecurityConfig.java
index d75c304..22754f7 100644
--- a/ambari-logsearch-server/src/main/java/org/apache/ambari/logsearch/conf/SecurityConfig.java
+++ b/ambari-logsearch-server/src/main/java/org/apache/ambari/logsearch/conf/SecurityConfig.java
@@ -21,6 +21,8 @@ package org.apache.ambari.logsearch.conf;
 import static javax.ws.rs.core.Response.Status.SERVICE_UNAVAILABLE;
 import static org.apache.ambari.logsearch.common.LogSearchConstants.LOGSEARCH_SESSION_ID;
 
+import java.io.File;
+import java.nio.charset.Charset;
 import java.util.ArrayList;
 import java.util.List;
 
@@ -50,7 +52,10 @@ import org.apache.ambari.logsearch.web.filters.LogsearchTrustedProxyFilter;
 import org.apache.ambari.logsearch.web.filters.LogsearchUsernamePasswordAuthenticationFilter;
 import org.apache.ambari.logsearch.web.security.LogsearchAuthenticationProvider;
 import org.apache.ambari.logsearch.web.security.LogsearchLdapAuthenticationProvider;
+import org.apache.commons.io.FileUtils;
 import org.apache.commons.lang.StringUtils;
+import org.apache.logging.log4j.LogManager;
+import org.apache.logging.log4j.Logger;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.ldap.core.support.LdapContextSource;
@@ -66,7 +71,6 @@ import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
 import org.springframework.security.crypto.password.PasswordEncoder;
 import org.springframework.security.web.access.intercept.FilterSecurityInterceptor;
 import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
-import org.springframework.security.web.header.Header;
 import org.springframework.security.web.header.HeaderWriter;
 import org.springframework.security.web.header.writers.HstsHeaderWriter;
 import org.springframework.security.web.header.writers.StaticHeadersWriter;
@@ -83,6 +87,8 @@ import com.google.common.collect.Lists;
 @EnableWebSecurity
 public class SecurityConfig extends WebSecurityConfigurerAdapter {
 
+ private static final Logger logger = LogManager.getLogger(SecurityConfig.class);
+
 @Inject
 private AuthPropsConfig authPropsConfig;
 
@@ -93,6 +99,9 @@ public class SecurityConfig extends WebSecurityConfigurerAdapter {
 private LogSearchHttpConfig logSearchHttpConfig;
 
 @Inject
+ private LogSearchSslConfig logSearchSslConfig;
+
+ @Inject
 private SolrServiceLogPropsConfig solrServiceLogPropsConfig;
 
 @Inject
@@ -178,8 +187,9 @@ public class SecurityConfig extends WebSecurityConfigurerAdapter {
 if (StringUtils.isNotBlank(authPropsConfig.getLdapAuthConfig().getLdapManagerDn())) {
 ldapContextSource.setUserDn(authPropsConfig.getLdapAuthConfig().getLdapManagerDn());
 }
- if (StringUtils.isNotBlank(authPropsConfig.getLdapAuthConfig().getLdapManagerPassword())) {
- ldapContextSource.setPassword(authPropsConfig.getLdapAuthConfig().getLdapManagerPassword());
+ char[] ldapPassword = getLdapManagerPassword();
+ if (ldapPassword != null) {
+ ldapContextSource.setPassword(new String(ldapPassword));
 }
 ldapContextSource.setReferral(authPropsConfig.getLdapAuthConfig().getReferralMethod());
 ldapContextSource.setAnonymousReadOnly(true);
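Review bot: The `ldapPassword != null` guard in the last hunk (-178) is weaker than the `isNotBlank` check it replaces: an empty or whitespace-only password file, or a blank credential-store entry, now yields a non-null empty array and `setPassword("")` is called, whereas before a blank password was skipped. I would keep the old semantics with `if (ldapPassword != null && ldapPassword.length > 0) {`. Since the array is immediately turned back into a String for `setPassword`, the `char[]` form buys nothing by itself; if it is kept, clear it once it has been copied, `Arrays.fill(ldapPassword, '\0');` (this needs a `java.util.Arrays` import that is not in this commit's import hunks). The method that builds `ldapContextSource` starts and ends outside the hunk.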
@@ -364,6 +374,29 @@ public class SecurityConfig extends WebSecurityConfigurerAdapter {
 return new AntPathRequestMatcher("/api/v1/shipper/input/**");
 }
 
+ private char[] getLdapManagerPassword() {
+ char[] ldapPassword = null;
+ try {
+ String credentialProviderPath = logSearchSslConfig.getCredentialStoreProviderPath();
+ String ldapPasswordEnv = "LOGSEARCH_LDAP_MANAGER_PASSWORD";
+ if (StringUtils.isNotBlank(credentialProviderPath)) {
+ org.apache.hadoop.conf.Configuration config = new org.apache.hadoop.conf.Configuration();
+ config.set(LogSearchSslConfig.CREDENTIAL_STORE_PROVIDER_PATH, credentialProviderPath);
+ ldapPassword = config.getPassword("logsearch.auth.ldap.manager.password");
+ } else if (StringUtils.isNotBlank(authPropsConfig.getLdapAuthConfig().getLdapManagerPasswordFile())){
+ ldapPassword = FileUtils.readFileToString(new File(
+ authPropsConfig.getLdapAuthConfig().getLdapManagerPasswordFile()), Charset.defaultCharset()).toCharArray();
+ } else if (StringUtils.isNotBlank(System.getenv(ldapPasswordEnv))) {
+ ldapPassword = System.getenv(ldapPasswordEnv).toCharArray();
+ } else if (StringUtils.isNotBlank(authPropsConfig.getLdapAuthConfig().getLdapManagerPassword())) {
+ ldapPassword = authPropsConfig.getLdapAuthConfig().getLdapManagerPassword().toCharArray();
+ }
+ } catch (Exception e) {
+ logger.warn("Error during ldap password initialization. LDAP authentication probably won't work if a manager password will be required.", e);
+ }
+ return ldapPassword;
+ }
+
 private String[] getCookies() {
 List<String> cookies = new ArrayList<>();
 cookies.add(LOGSEARCH_SESSION_ID);
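Review bot: The password-file branch of `getLdapManagerPassword` uses the file content verbatim and decodes it with `Charset.defaultCharset()`, so a file saved by an editor (which ends with a newline) produces a password with a trailing line terminator, and the same file is interpreted differently depending on the JVM's platform charset. I would strip the terminator and pin the charset in that one assignment: `ldapPassword = StringUtils.chomp(FileUtils.readFileToString(new File(authPropsConfig.getLdapAuthConfig().getLdapManagerPasswordFile()), StandardCharsets.UTF_8)).toCharArray();` (with `java.nio.charset.StandardCharsets` in place of the `Charset` import added earlier in this commit). Separately, the `if`/`else if` chain means that when a credential store path is set but the `logsearch.auth.ldap.manager.password` alias is not in that store, `config.getPassword` returns null as far as I can tell and none of the other sources are tried, and any exception is only logged at warn before the method returns null, so the caller then builds the context source without a manager password. Falling through to the next source in those cases, or at least logging at error level, would make the resulting unauthenticated bind visible to operators instead of surfacing later as LDAP failures.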