Repository: hive Updated Branches: refs/heads/master b3c5296d7 -> 333fa8763
HIVE-14513: Enhance custom query feature in LDAP atn to support resultset of ldap groups (Naveen Gangam, via Chaoyu Tang) Project: http://git-wip-us.apache.org/repos/asf/hive/repo Commit: http://git-wip-us.apache.org/repos/asf/hive/commit/333fa876 Tree: http://git-wip-us.apache.org/repos/asf/hive/tree/333fa876 Diff: http://git-wip-us.apache.org/repos/asf/hive/diff/333fa876 Branch: refs/heads/master Commit: 333fa87633776fe2eabc37718756e0caaec646d2 Parents: b3c5296 Author: ctang <ct...@cloudera.com> Authored: Fri Aug 12 11:30:20 2016 -0400 Committer: ctang <ct...@cloudera.com> Committed: Fri Aug 12 11:30:20 2016 -0400 ---------------------------------------------------------------------- .../auth/LdapAuthenticationProviderImpl.java | 17 ++- .../auth/TestLdapAtnProviderWithMiniDS.java | 111 ++++++++++++++++++- 2 files changed, 120 insertions(+), 8 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/hive/blob/333fa876/service/src/java/org/apache/hive/service/auth/LdapAuthenticationProviderImpl.java ---------------------------------------------------------------------- diff --git a/service/src/java/org/apache/hive/service/auth/LdapAuthenticationProviderImpl.java b/service/src/java/org/apache/hive/service/auth/LdapAuthenticationProviderImpl.java index 8f64672..efd5393 100644 --- a/service/src/java/org/apache/hive/service/auth/LdapAuthenticationProviderImpl.java +++ b/service/src/java/org/apache/hive/service/auth/LdapAuthenticationProviderImpl.java 
@@ -594,7 +594,13 @@ public class LdapAuthenticationProviderImpl implements PasswdAuthenticationProvi
 SearchControls searchControls = new SearchControls();
 List<String> list = new ArrayList<String>();
- String[] returnAttributes = new String[0]; //empty set
+ String[] returnAttributes;
+ if (groupMembership_attr != null) {
+ // retrieve the attributes that are meant to desginate user DNs
+ returnAttributes = new String[] { groupMembership_attr };
+ } else {
+ returnAttributes = new String[0]; //empty set
+ }
 searchControls.setSearchScope(SearchControls.SUBTREE_SCOPE);
 searchControls.setReturningAttributes(returnAttributes);
@@ -604,6 +610,14 @@ public class LdapAuthenticationProviderImpl implements PasswdAuthenticationProvi
 SearchResult searchResult = null;
 while(results.hasMoreElements()) {
 searchResult = results.nextElement();
+ if (groupMembership_attr != null) {
+ Attribute userAttribute = searchResult.getAttributes().get(groupMembership_attr);
+ if (userAttribute != null) {
+ list.add((String)userAttribute.get());
+ continue;
+ }
+ }
+
 list.add(searchResult.getNameInNamespace());
 LOG.debug("LDAPAtn:executeLDAPQuery()::Return set size " + list.get(list.size() - 1));
 }
@@ -632,5 +646,4 @@ public class LdapAuthenticationProviderImpl implements PasswdAuthenticationProvi
 }
 return null;
 }
-
 }
http://git-wip-us.apache.org/repos/asf/hive/blob/333fa876/service/src/test/org/apache/hive/service/auth/TestLdapAtnProviderWithMiniDS.java
----------------------------------------------------------------------
diff --git a/service/src/test/org/apache/hive/service/auth/TestLdapAtnProviderWithMiniDS.java b/service/src/test/org/apache/hive/service/auth/TestLdapAtnProviderWithMiniDS.java
index 40430c4..089a059
--- a/service/src/test/org/apache/hive/service/auth/TestLdapAtnProviderWithMiniDS.java
+++ b/service/src/test/org/apache/hive/service/auth/TestLdapAtnProviderWithMiniDS.java
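Review bot: The comment added above `returnAttributes = new String[] { groupMembership_attr };` misspells "designate" and says less than a reader needs; I would replace it with `// request only the membership attribute: its values are taken as the DNs of the users a matching group entry authorizes`. It is also worth stating here that an entry lacking that attribute falls through to being used as a user DN itself, since that is how a result set mixing groups and users is handled in the loop further down. The enclosing method begins before this hunk.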
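Review bot: `list.add((String)userAttribute.get())` takes a single value from the membership attribute, and `javax.naming.directory.Attribute.get()` returns just one (arbitrary) value of a multi-valued attribute, so a group with several `member`/`uniqueMember` values only authorizes one of them and every other member is denied. The loop should walk `userAttribute.getAll()` and add each value; the unchecked `(String)` cast would also throw ClassCastException out of authentication for a non-string value, so checking `instanceof String` and skipping anything else is safer. `NamingEnumeration` appears to be in scope already given `results.hasMoreElements()`, and `getAll()` throws NamingException, which the surrounding search code presumably already propagates — confirm both. Note also that `continue` skips the `LOG.debug` line, so group-derived DNs are never logged. The enclosing method begins and ends outside this hunk.
```java
      if (groupMembership_attr != null) {
        Attribute userAttribute = searchResult.getAttributes().get(groupMembership_attr);
        if (userAttribute != null) {
          // a group's membership attribute is multi-valued: every value is a member DN
          NamingEnumeration<?> members = userAttribute.getAll();
          while (members.hasMore()) {
            Object member = members.next();
            if (member instanceof String) {
              list.add((String) member);
            } else {
              LOG.warn("LDAPAtn:executeLDAPQuery()::Skipping non-string value of " + groupMembership_attr);
            }
          }
          continue;
        }
      }
      // … unchanged: fall back to the entry's own DN and debug logging …
```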
@@ -123,8 +123,8 @@ partitions = {
 "objectClass: ExtensibleObject",
 "givenName: Group2",
 "ou: Groups",
- "cn: group1",
- "sn: group1",
+ "cn: group2",
+ "sn: group2",
 "member: uid=user2,ou=People,dc=example,dc=com",
 "dn: cn=group3,ou=Groups,dc=example,dc=com",
@@ -859,14 +859,14 @@ public class TestLdapAtnProviderWithMiniDS extends AbstractLdapTestUnit {
 + USER1.getUID() + ")(uid=" + USER4.getUID() + ")))");
 initLdapAtn(ldapProperties);
- user = USER1.getDN();
+ user = USER1.getDN();
 try {
 ldapProvider.Authenticate(user, USER1.getPassword());
 assertTrue("testCustomQueryPositive: Authentication succeeded for " + user + " as expected", true);
- user = USER1.getUID();
- ldapProvider.Authenticate(user, USER1.getPassword());
- assertTrue("testCustomQueryPositive: Authentication succeeded for " + user + " as expected", true);
+ user = USER1.getUID();
+ ldapProvider.Authenticate(user, USER1.getPassword());
+ assertTrue("testCustomQueryPositive: Authentication succeeded for " + user + " as expected", true);
 user = USER4.getDN();
 ldapProvider.Authenticate(user, USER4.getPassword());
@@ -903,6 +903,105 @@ public class TestLdapAtnProviderWithMiniDS extends AbstractLdapTestUnit {
 }
 }
+ /**
+ Test to test the LDAP Atn to use a custom LDAP query that returns
+ a) A set of group DNs
+ b) A combination of group(s) DN and user DN
+ LDAP atn is expected to extract the members of the group using the attribute value for
+ "hive.server2.authentication.ldap.groupMembershipKey"
+ */
+ @Test
+ public void testCustomQueryWithGroupsPositive() throws Exception {
+ String user;
+ Map<String, String> ldapProperties = new HashMap<String, String>();
+ ldapProperties.put("hive.server2.authentication.ldap.baseDN", "dc=example,dc=com");
+ ldapProperties.put("hive.server2.authentication.ldap.userDNPattern", "cn=%s,ou=People,dc=example,dc=com:uid=%s,ou=People,dc=example,dc=com");
+ ldapProperties.put("hive.server2.authentication.ldap.customLDAPQuery",
+ "(&(objectClass=groupOfNames)(|(cn=group1)(cn=group2)))");
+ initLdapAtn(ldapProperties);
+
+ user = USER1.getDN();
+ try {
+ ldapProvider.Authenticate(user, USER1.getPassword());
+ assertTrue("testCustomQueryWithGroupsPositive: Authentication succeeded for " + user + " as expected", true);
+
+ user = USER2.getUID();
+ ldapProvider.Authenticate(user, USER2.getPassword());
+ assertTrue("testCustomQueryWithGroupsPositive: Authentication succeeded for " + user + " as expected", true);
+ } catch (AuthenticationException e) {
+ Assert.fail("testCustomQueryWithGroupsPositive: Authentication failed for " + user + ",user expected to pass custom LDAP Query");
+ }
+
+ /* the following test uses a query that returns a group and a user entry.
the ldap atn should use the groupMembershipKey to identify the users for the returned group
+ and the authentication should succeed for the users of that group as well as the lone user4 in this case
+ */
+ ldapProperties.put("hive.server2.authentication.ldap.baseDN", "dc=example,dc=com");
+ ldapProperties.put("hive.server2.authentication.ldap.userDNPattern", "cn=%s,ou=People,dc=example,dc=com:uid=%s,ou=People,dc=example,dc=com");
+ // following query should return group1 and user2
+ ldapProperties.put("hive.server2.authentication.ldap.customLDAPQuery",
+ "(|(&(objectClass=groupOfNames)(cn=group1))(&(objectClass=person)(sn=user4)))");
+ initLdapAtn(ldapProperties);
+
+ user = USER1.getUID();
+ try {
+ ldapProvider.Authenticate(user, USER1.getPassword());
+ assertTrue("testCustomQueryWithGroupsPositive: Authentication succeeded for " + user + " as expected", true);
+
+ user = USER4.getUID();
+ ldapProvider.Authenticate(user, USER4.getPassword());
+ assertTrue("testCustomQueryWithGroupsPositive: Authentication succeeded for " + user + " as expected", true);
+ } catch (AuthenticationException e) {
+ Assert.fail("testCustomQueryWithGroupsPositive: Authentication failed for " + user + ",user expected to pass custom LDAP Query");
+ }
+
+ ldapProperties.put("hive.server2.authentication.ldap.baseDN", "dc=example,dc=com");
+ ldapProperties.put("hive.server2.authentication.ldap.userDNPattern", "cn=%s,ou=People,dc=example,dc=com:uid=%s,ou=People,dc=example,dc=com");
+ ldapProperties.put("hive.server2.authentication.ldap.groupMembershipKey", "uniqueMember");
+ ldapProperties.put("hive.server2.authentication.ldap.customLDAPQuery",
+ "(&(objectClass=groupOfUniqueNames)(cn=group4))");
+ initLdapAtn(ldapProperties);
+
+ user = USER4.getDN();
+ try {
+ ldapProvider.Authenticate(user, USER4.getPassword());
+ assertTrue("testCustomQueryWithGroupsPositive: Authentication succeeded for " + user + " as expected", true);
+
+ user = USER4.getUID();
+ ldapProvider.Authenticate(user, 
USER4.getPassword());
+ assertTrue("testCustomQueryWithGroupsPositive: Authentication succeeded for " + user + " as expected", true);
+ } catch (AuthenticationException e) {
+ Assert.fail("testCustomQueryWithGroupsPositive: Authentication failed for " + user + ",user expected to pass custom LDAP Query");
+ }
+ }
+
+ @Test
+ public void testCustomQueryWithGroupsNegative() throws Exception {
+ String user;
+ Map<String, String> ldapProperties = new HashMap<String, String>();
+ ldapProperties.put("hive.server2.authentication.ldap.baseDN", "dc=example,dc=com");
+ ldapProperties.put("hive.server2.authentication.ldap.userDNPattern", "cn=%s,ou=People,dc=example,dc=com:uid=%s,ou=People,dc=example,dc=com");
+ ldapProperties.put("hive.server2.authentication.ldap.customLDAPQuery",
+ "(&(objectClass=groupOfNames)(|(cn=group1)(cn=group2)))");
+ initLdapAtn(ldapProperties);
+
+ user = USER3.getDN();
+ try {
+ ldapProvider.Authenticate(user, USER3.getPassword());
+ Assert.fail("testCustomQueryNegative: Authentication succeeded for " + user + ",user expected to fail custom LDAP Query");
+ } catch (AuthenticationException e) {
+ assertTrue("testCustomQueryNegative: Authentication failed for " + user + " as expected", true);
+ }
+
+ try {
+ user = USER3.getUID();
+ ldapProvider.Authenticate(user, USER3.getPassword());
+ Assert.fail("testCustomQueryNegative: Authentication succeeded for " + user + ",user expected to fail custom LDAP Query");
+ } catch (AuthenticationException e) {
+ assertTrue("testCustomQueryNegative: Authentication failed for " + user + " as expected", true);
+ }
+ }
+
 @Test
 public void testGroupFilterPositiveWithCustomGUID() throws Exception {
 String user;
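Review bot: The comment `// following query should return group1 and user2` in the second block of testCustomQueryWithGroupsPositive contradicts both the filter beneath it, `(&(objectClass=person)(sn=user4))`, and the assertions that then authenticate USER4; it should read `// following query should return group1 and user4`. None of the new cases authenticates a member of a group that carries more than one `member`/`uniqueMember` value while not being its first value, which is exactly the path the new groupMembership_attr handling in LdapAuthenticationProviderImpl exists for; only group2's single `member` is visible here, so if the fixture has (or can be given) such a group, a case for its second member would catch a provider that reads only one attribute value. The `assertTrue("...", true)` calls can never fail — success is simply the absence of an AuthenticationException — so a one-line comment saying so would be clearer, though the existing tests use the same idiom.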