This is an automated email from the ASF dual-hosted git repository. ngangam pushed a commit to branch branch-3 in repository https://gitbox.apache.org/repos/asf/hive.git
The following commit(s) were added to refs/heads/branch-3 by this push: new 16178fa HIVE-21363: Ldap auth issue: group filter match should be case insensitive (Naveen Gangam, reviewed by Aihua Xu) 16178fa is described below commit 16178fa8236a7d40c9bedb4ded492f4dbfe6e575 Author: Naveen Gangam <ngan...@apache.org> AuthorDate: Fri Mar 1 14:55:24 2019 -0500 HIVE-21363: Ldap auth issue: group filter match should be case insensitive (Naveen Gangam, reviewed by Aihua Xu) --- .../hive/service/auth/ldap/GroupFilterFactory.java | 2 +- .../hive/service/auth/ldap/TestGroupFilter.java | 43 ++++++++++++++++++++++ 2 files changed, 44 insertions(+), 1 deletion(-) diff --git a/service/src/java/org/apache/hive/service/auth/ldap/GroupFilterFactory.java b/service/src/java/org/apache/hive/service/auth/ldap/GroupFilterFactory.java index a0cb404..9165227 100644 --- a/service/src/java/org/apache/hive/service/auth/ldap/GroupFilterFactory.java +++ b/service/src/java/org/apache/hive/service/auth/ldap/GroupFilterFactory.java @@ -86,7 +86,7 @@ public final class GroupFilterFactory implements FilterFactory { for (String groupDn : memberOf) { String shortName = LdapUtils.getShortName(groupDn); - if (groupFilter.contains(shortName)) { + if (groupFilter.stream().anyMatch(shortName::equalsIgnoreCase)) { LOG.debug("GroupMembershipKeyFilter passes: user '{}' is a member of '{}' group", user, groupDn); LOG.info("Authentication succeeded based on group membership"); diff --git a/service/src/test/org/apache/hive/service/auth/ldap/TestGroupFilter.java b/service/src/test/org/apache/hive/service/auth/ldap/TestGroupFilter.java index 36e58c3..9ea5361 100644 --- a/service/src/test/org/apache/hive/service/auth/ldap/TestGroupFilter.java +++ b/service/src/test/org/apache/hive/service/auth/ldap/TestGroupFilter.java 
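Review bot: Matching is still done on the group's short name alone, and with `groupFilter.stream().anyMatch(shortName::equalsIgnoreCase)` the set of directory groups that satisfy one configured name gets wider, yet nothing beside the check records that this is intended. Only the value returned by `LdapUtils.getShortName(groupDn)` is compared, so groups in different subtrees whose names are equal ignoring case would presumably all pass the filter. `equalsIgnoreCase` also folds case per char without Unicode normalisation, which may not agree with the directory's own case-ignore matching for non-ASCII names. I would add a comment above the `if` such as `// group names match case-insensitively on the short name only; the full group DN is not compared`, and consider normalising the configured names once when the filter is built rather than streaming the list for every group. The enclosing method starts and ends outside the hunk.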
@@ -105,6 +105,49 @@ public class TestGroupFilter { filter.apply(search, "us...@mydomain.com"); } + @Test + public void testGroupMembershipKeyCaseInsensitiveFilterApplyPositive() + throws AuthenticationException, NamingException, IOException { + conf.setVar(HiveConf.ConfVars.HIVE_SERVER2_PLAIN_LDAP_GROUPFILTER, "hiveusers,g1"); + + when(search.findUserDn(eq("user1"))) + .thenReturn("cn=user1,ou=People,dc=example,dc=com"); + when(search.findUserDn(eq("cn=user2,dc=example,dc=com"))) + .thenReturn("cn=user2,ou=People,dc=example,dc=com"); + when(search.findUserDn(eq("us...@mydomain.com"))) + .thenReturn("cn=user3,ou=People,dc=example,dc=com"); + + when(search.findGroupsForUser(eq("cn=user1,ou=People,dc=example,dc=com"))) + .thenReturn(Arrays.asList( + "cn=SuperUsers,ou=Groups,dc=example,dc=com", + "cn=Office1,ou=Groups,dc=example,dc=com", + "cn=HiveUsers,ou=Groups,dc=example,dc=com", + "cn=G1,ou=Groups,dc=example,dc=com")); + when(search.findGroupsForUser(eq("cn=user2,ou=People,dc=example,dc=com"))) + .thenReturn(Arrays.asList( + "cn=HiveUsers,ou=Groups,dc=example,dc=com")); + when(search.findGroupsForUser(eq("cn=user3,ou=People,dc=example,dc=com"))) + .thenReturn(Arrays.asList( + "cn=G1,ou=Groups,dc=example,dc=com", + "cn=G2,ou=Groups,dc=example,dc=com")); + + Filter filter = factory.getInstance(conf); + filter.apply(search, "user1"); + filter.apply(search, "cn=user2,dc=example,dc=com"); + filter.apply(search, "us...@mydomain.com"); + } + + @Test(expected = AuthenticationException.class) + public void testGroupMembershipKeyCaseInsensitiveFilterApplyNegative() + throws AuthenticationException, NamingException, IOException { + conf.setVar(HiveConf.ConfVars.HIVE_SERVER2_PLAIN_LDAP_GROUPFILTER, "hiveusers,containsg1"); + + when(search.findGroupsForUser(eq("user1"))).thenReturn(Arrays.asList("SuperUsers", "Office1", "G1", "G2")); + + Filter filter = factory.getInstance(conf); + filter.apply(search, "user1"); + } + @Test(expected = AuthenticationException.class) public void 
testGroupMembershipKeyFilterApplyNegative() throws AuthenticationException, NamingException, IOException {
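Review bot: `testGroupMembershipKeyCaseInsensitiveFilterApplyNegative` probably passes without ever reaching the new comparison. It stubs `search.findGroupsForUser(eq("user1"))` but not `search.findUserDn`, whereas the positive test in this hunk resolves the user to a DN first and keys `findGroupsForUser` by that DN. If `apply` does the same lookup, the mock returns no groups and `AuthenticationException` is thrown whatever the matching rule is. Stubbing both calls would make the rejection depend on the filter: `when(search.findUserDn(eq("user1"))).thenReturn("cn=user1,ou=People,dc=example,dc=com");` and `when(search.findGroupsForUser(eq("cn=user1,ou=People,dc=example,dc=com"))).thenReturn(Arrays.asList("cn=SuperUsers,ou=Groups,dc=example,dc=com", "cn=G1,ou=Groups,dc=example,dc=com"));`. With that in place the `containsg1` entry really checks that a substring of a configured name is not accepted.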