[ambari-logsearch] branch master updated: AMBARI-24662. Support non-plain text passwords for LDAP authentication (#46)

Wed, 28 Nov 2018 02:55:28 -0800 

This is an automated email from the ASF dual-hosted git repository.

oleewere pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ambari-logsearch.git


The following commit(s) were added to refs/heads/master by this push:
     new 67128e1  AMBARI-24662. Support non-plain text passwords for LDAP 
authentication (#46)
67128e1 is described below

commit 67128e104a40c4672a6cd4f8f407d00a60df6d62
Author: Olivér Szabó <oleew...@gmail.com>
AuthorDate: Wed Nov 28 11:55:19 2018 +0100

    AMBARI-24662. Support non-plain text passwords for LDAP authentication (#46)
---
 .../logsearch/conf/LogSearchLdapAuthConfig.java    | 18 ++++++++++
 .../ambari/logsearch/conf/SecurityConfig.java      | 39 ++++++++++++++++++++--
 2 files changed, 54 insertions(+), 3 deletions(-)

diff --git 
a/ambari-logsearch-server/src/main/java/org/apache/ambari/logsearch/conf/LogSearchLdapAuthConfig.java
 
b/ambari-logsearch-server/src/main/java/org/apache/ambari/logsearch/conf/LogSearchLdapAuthConfig.java
index 5218062..3423826 100644
--- 
a/ambari-logsearch-server/src/main/java/org/apache/ambari/logsearch/conf/LogSearchLdapAuthConfig.java
+++ 
b/ambari-logsearch-server/src/main/java/org/apache/ambari/logsearch/conf/LogSearchLdapAuthConfig.java
@@ -58,6 +58,16 @@ public class LogSearchLdapAuthConfig {
   )
   private String ldapManagerPassword;
 
+  @Value("${logsearch.auth.ldap.manager.password.file:}")
+  @LogSearchPropertyDescription(
+    name = "logsearch.auth.ldap.manager.password.file",
+    description = "File that contains password of the LDAP manager user.",
+    examples = {"/my/path/passwordfile"},
+    defaultValue = "",
+    sources = {LOGSEARCH_PROPERTIES_FILE}
+  )
+  private String ldapManagerPasswordFile;
+
   @Value("${logsearch.auth.ldap.base.dn:}")
   @LogSearchPropertyDescription(
     name = "logsearch.auth.ldap.base.dn",
@@ -279,4 +289,12 @@ public class LogSearchLdapAuthConfig {
   public void setReferralMethod(String referralMethod) {
     this.referralMethod = referralMethod;
   }
+
+  public String getLdapManagerPasswordFile() {
+    return ldapManagerPasswordFile;
+  }
+
+  public void setLdapManagerPasswordFile(String ldapManagerPasswordFile) {
+    this.ldapManagerPasswordFile = ldapManagerPasswordFile;
+  }
 }
diff --git 
a/ambari-logsearch-server/src/main/java/org/apache/ambari/logsearch/conf/SecurityConfig.java
 
b/ambari-logsearch-server/src/main/java/org/apache/ambari/logsearch/conf/SecurityConfig.java
index d75c304..22754f7 100644
--- 
a/ambari-logsearch-server/src/main/java/org/apache/ambari/logsearch/conf/SecurityConfig.java
+++ 
b/ambari-logsearch-server/src/main/java/org/apache/ambari/logsearch/conf/SecurityConfig.java
@@ -21,6 +21,8 @@ package org.apache.ambari.logsearch.conf;
 import static javax.ws.rs.core.Response.Status.SERVICE_UNAVAILABLE;
 import static 
org.apache.ambari.logsearch.common.LogSearchConstants.LOGSEARCH_SESSION_ID;
 
+import java.io.File;
+import java.nio.charset.Charset;
 import java.util.ArrayList;
 import java.util.List;
 
@@ -50,7 +52,10 @@ import 
org.apache.ambari.logsearch.web.filters.LogsearchTrustedProxyFilter;
 import 
org.apache.ambari.logsearch.web.filters.LogsearchUsernamePasswordAuthenticationFilter;
 import 
org.apache.ambari.logsearch.web.security.LogsearchAuthenticationProvider;
 import 
org.apache.ambari.logsearch.web.security.LogsearchLdapAuthenticationProvider;
+import org.apache.commons.io.FileUtils;
 import org.apache.commons.lang.StringUtils;
+import org.apache.logging.log4j.LogManager;
+import org.apache.logging.log4j.Logger;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.ldap.core.support.LdapContextSource;
@@ -66,7 +71,6 @@ import 
org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
 import org.springframework.security.crypto.password.PasswordEncoder;
 import 
org.springframework.security.web.access.intercept.FilterSecurityInterceptor;
 import 
org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
-import org.springframework.security.web.header.Header;
 import org.springframework.security.web.header.HeaderWriter;
 import org.springframework.security.web.header.writers.HstsHeaderWriter;
 import org.springframework.security.web.header.writers.StaticHeadersWriter;
@@ -83,6 +87,8 @@ import com.google.common.collect.Lists;
 @EnableWebSecurity
 public class SecurityConfig extends WebSecurityConfigurerAdapter {
 
+  private static final Logger logger = 
LogManager.getLogger(SecurityConfig.class);
+
   @Inject
   private AuthPropsConfig authPropsConfig;
 
@@ -93,6 +99,9 @@ public class SecurityConfig extends 
WebSecurityConfigurerAdapter {
   private LogSearchHttpConfig logSearchHttpConfig;
 
   @Inject
+  private LogSearchSslConfig logSearchSslConfig;
+
+  @Inject
   private SolrServiceLogPropsConfig solrServiceLogPropsConfig;
 
   @Inject
@@ -178,8 +187,9 @@ public class SecurityConfig extends 
WebSecurityConfigurerAdapter {
       if 
(StringUtils.isNotBlank(authPropsConfig.getLdapAuthConfig().getLdapManagerDn()))
 {
         
ldapContextSource.setUserDn(authPropsConfig.getLdapAuthConfig().getLdapManagerDn());
       }
-      if 
(StringUtils.isNotBlank(authPropsConfig.getLdapAuthConfig().getLdapManagerPassword()))
 {
-        
ldapContextSource.setPassword(authPropsConfig.getLdapAuthConfig().getLdapManagerPassword());
+      char[] ldapPassword = getLdapManagerPassword();
+      if (ldapPassword != null) {
+        ldapContextSource.setPassword(new String(ldapPassword));
       }
       
ldapContextSource.setReferral(authPropsConfig.getLdapAuthConfig().getReferralMethod());
       ldapContextSource.setAnonymousReadOnly(true);
@@ -364,6 +374,29 @@ public class SecurityConfig extends 
WebSecurityConfigurerAdapter {
     return new AntPathRequestMatcher("/api/v1/shipper/input/**");
   }
 
+  private char[] getLdapManagerPassword() {
+    char[] ldapPassword = null;
+    try {
+      String credentialProviderPath = 
logSearchSslConfig.getCredentialStoreProviderPath();
+      String ldapPasswordEnv = "LOGSEARCH_LDAP_MANAGER_PASSWORD";
+      if (StringUtils.isNotBlank(credentialProviderPath)) {
+        org.apache.hadoop.conf.Configuration config = new 
org.apache.hadoop.conf.Configuration();
+        config.set(LogSearchSslConfig.CREDENTIAL_STORE_PROVIDER_PATH, 
credentialProviderPath);
+        ldapPassword = 
config.getPassword("logsearch.auth.ldap.manager.password");
+      } else if 
(StringUtils.isNotBlank(authPropsConfig.getLdapAuthConfig().getLdapManagerPasswordFile())){
+        ldapPassword = FileUtils.readFileToString(new File(
+          authPropsConfig.getLdapAuthConfig().getLdapManagerPasswordFile()), 
Charset.defaultCharset()).toCharArray();
+      } else if (StringUtils.isNotBlank(System.getenv(ldapPasswordEnv))) {
+        ldapPassword = System.getenv(ldapPasswordEnv).toCharArray();
+      } else if 
(StringUtils.isNotBlank(authPropsConfig.getLdapAuthConfig().getLdapManagerPassword()))
 {
+        ldapPassword = 
authPropsConfig.getLdapAuthConfig().getLdapManagerPassword().toCharArray();
+      }
+    } catch (Exception e) {
+      logger.warn("Error during ldap password initialization. LDAP 
authentication probably won't work if a manager password will be required.", e);
+    }
+    return ldapPassword;
+  }
+
   private String[] getCookies() {
     List<String> cookies = new ArrayList<>();
     cookies.add(LOGSEARCH_SESSION_ID);

Reply via email to