Repository: knox Updated Branches: refs/heads/master d7badf47b -> 86a37bbc3
KNOX-391-392: KnoxLdaRealm should use LdapName.equals for groupDn compare
Project: http://git-wip-us.apache.org/repos/asf/knox/repo
Commit: http://git-wip-us.apache.org/repos/asf/knox/commit/86a37bbc
Tree: http://git-wip-us.apache.org/repos/asf/knox/tree/86a37bbc
Diff: http://git-wip-us.apache.org/repos/asf/knox/diff/86a37bbc
Branch: refs/heads/master
Commit: 86a37bbc3254a51f140474a8fd41dac3febe8be5
Parents: d7badf4
Author: Dilli Dorai Arumugam <[email protected]>
Authored: Fri May 30 14:59:06 2014 -0700
Committer: Dilli Dorai Arumugam <[email protected]>
Committed: Fri May 30 14:59:06 2014 -0700
----------------------------------------------------------------------
 .../hadoop/gateway/shirorealm/KnoxLdapRealm.java | 17 +++++++++--------
 .../org/apache/hadoop/gateway/GatewayMessages.java | 4 ++++
 2 files changed, 13 insertions(+), 8 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/knox/blob/86a37bbc/gateway-provider-security-shiro/src/main/java/org/apache/hadoop/gateway/shirorealm/KnoxLdapRealm.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-shiro/src/main/java/org/apache/hadoop/gateway/shirorealm/KnoxLdapRealm.java b/gateway-provider-security-shiro/src/main/java/org/apache/hadoop/gateway/shirorealm/KnoxLdapRealm.java
index a71fb30..79c721d 100644
--- a/gateway-provider-security-shiro/src/main/java/org/apache/hadoop/gateway/shirorealm/KnoxLdapRealm.java
+++ b/gateway-provider-security-shiro/src/main/java/org/apache/hadoop/gateway/shirorealm/KnoxLdapRealm.java
@@ -206,7 +206,7 @@ public class KnoxLdapRealm extends JndiLdapRealm {
 // save role names and group names in session so that they can be easily looked up outside of this object
 SecurityUtils.getSubject().getSession().setAttribute(SUBJECT_USER_ROLES, roleNames);
 SecurityUtils.getSubject().getSession().setAttribute(SUBJECT_USER_GROUPS, groupNames);
-
+ LOG.lookedUpUserRoles(roleNames, userName);
 return roleNames;
 }
@@ -221,6 +221,7 @@ public class KnoxLdapRealm extends JndiLdapRealm {
 } else {
 userDn = getUserDn(userName);
 }
+ LdapName userLdapDn = new LdapName(userDn);
 Attribute attribute = group.getAttributes().get(getGroupIdAttribute());
 String groupName = attribute.get().toString();
@@ -235,7 +236,7 @@ public class KnoxLdapRealm extends JndiLdapRealm {
 while (e.hasMore()) {
 String attrValue = e.next().toString();
 if (memberAttribute.equalsIgnoreCase(MEMBER_URL)) {
- boolean dynamicGroupMember = isUserMemberOfDynamicGroup(userDn,
+ boolean dynamicGroupMember = isUserMemberOfDynamicGroup(userLdapDn,
 attrValue, // memberUrl value
 ldapContextFactory);
 if (dynamicGroupMember) {
@@ -248,7 +249,7 @@ public class KnoxLdapRealm extends JndiLdapRealm {
 }
 }
 } else {
- if (userDn.equals(attrValue)) {
+ if (userLdapDn.equals(new LdapName(attrValue))) {
 groupNames.add(groupName);
 String roleName = roleNameFor(groupName);
@@ -407,7 +408,7 @@ public class KnoxLdapRealm extends JndiLdapRealm {
 return perms;
 }
- boolean isUserMemberOfDynamicGroup(String userDnString, String memberUrl,
+ boolean isUserMemberOfDynamicGroup(LdapName userLdapDn, String memberUrl,
 final LdapContextFactory ldapContextFactory) throws NamingException {
 // ldap://host:port/dn?attributes?scope?filter?extensions
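Review bot: `LdapName userLdapDn = new LdapName(userDn);` sits in what looks like the per-group method (the hunk works on a single `group`), so the same user DN is re-parsed for every group the realm walks; parsing once in the caller and passing the `LdapName` down would avoid that, or failing that the line deserves a why-comment such as `// parse once per group so membership compares use DN semantics, not string equality`. Note also that this constructor throws `javax.naming.InvalidNameException` when `userDn` is not a well-formed DN, which now surfaces from role lookup as a `NamingException` instead of the old quiet non-match; that fails closed, which is acceptable, but it is worth a comment so nobody "fixes" it later. The enclosing method starts and ends outside this hunk.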
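Review bot: `userLdapDn.equals(new LdapName(attrValue))` throws `javax.naming.InvalidNameException` when a group's member value is not a well-formed DN, and because that is a `NamingException` the first malformed member of any group now aborts the whole role lookup, whereas the old string compare simply did not match. Directories commonly carry stale or hand-edited member values, so one bad entry would likely deny roles to every user whose lookup walks that group. Parse into a local first and skip the value on failure, e.g. `LdapName memberDn; try { memberDn = new LdapName(attrValue); } catch (InvalidNameException ine) { continue; }` followed by `if (userLdapDn.equals(memberDn)) {`, logging the skipped value if a message is available; this is inside the `while (e.hasMore())` loop shown in the previous hunk, so `continue` moves to the next member. The enclosing method starts and ends outside this hunk.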
@@ -428,16 +429,16 @@ public class KnoxLdapRealm extends JndiLdapRealm {
 String searchFilter = tokens[3];
 LdapName searchBaseDn = new LdapName(searchBaseString);
- LdapName userDn = new LdapName(userDnString);
+ // do scope test
 if (searchScope.equalsIgnoreCase("base")) {
 return false;
 }
- if (!userDn.toString().endsWith(searchBaseDn.toString())) {
+ if (!userLdapDn.toString().endsWith(searchBaseDn.toString())) {
 return false;
 }
 if (searchScope.equalsIgnoreCase("one")
- && (userDn.size() != searchBaseDn.size() - 1)) {
+ && (userLdapDn.size() != searchBaseDn.size() - 1)) {
 return false;
 }
 // search for the filter, substituting base with userDn
@@ -445,7 +446,7 @@ public class KnoxLdapRealm extends JndiLdapRealm {
 LdapContext systemLdapCtx = null;
 systemLdapCtx = ldapContextFactory.getSystemLdapContext();
 final NamingEnumeration<SearchResult> searchResultEnum = systemLdapCtx
- .search(userDn, searchFilter,
+ .search(userLdapDn, searchFilter,
 searchScope.equalsIgnoreCase("sub") ? SUBTREE_SCOPE : ONELEVEL_SCOPE);
 if (searchResultEnum.hasMore()) {
http://git-wip-us.apache.org/repos/asf/knox/blob/86a37bbc/gateway-server/src/main/java/org/apache/hadoop/gateway/GatewayMessages.java
----------------------------------------------------------------------
diff --git a/gateway-server/src/main/java/org/apache/hadoop/gateway/GatewayMessages.java b/gateway-server/src/main/java/org/apache/hadoop/gateway/GatewayMessages.java
index 9abc835..02c87bf 100644
--- a/gateway-server/src/main/java/org/apache/hadoop/gateway/GatewayMessages.java
+++ b/gateway-server/src/main/java/org/apache/hadoop/gateway/GatewayMessages.java
@@ -29,6 +29,7 @@ import java.io.File;
 import java.net.URI;
 import java.util.Date;
 import java.util.Map;
+import java.util.Set;
 /**
 *
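Review bot: `userLdapDn.toString().endsWith(searchBaseDn.toString())` is still a textual suffix test, so even though both operands are now `LdapName` the scope check ignores DN structure: a user under `dc=example` passes a base of `c=example`, and a case or spacing difference between the two DNs (which `LdapName.equals` tolerates in the member compare earlier in the file) makes a genuine member fail. Replace it with `if (!userLdapDn.startsWith(searchBaseDn)) { return false; }`, which checks RDN by RDN that the base is an ancestor of the user. The one-level test below it is also off: `LdapName.size()` counts RDNs, so a direct child of the base has `searchBaseDn.size() + 1` components and `userLdapDn.size() != searchBaseDn.size() - 1` rejects it, meaning a `one`-scoped memberURL can never match; it should read `&& (userLdapDn.size() != searchBaseDn.size() + 1)`. isUserMemberOfDynamicGroup starts before this hunk and continues after it.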
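Review bot: the search is issued with the user's own DN as the base, so for a `one` memberURL the `ONELEVEL_SCOPE` search examines the entries below the user rather than the user entry itself, and for `sub` a matching descendant of the user would count as the user's membership. The scope test above has already established that the user lies within the URL's base and scope, so what remains is only whether the user entry satisfies the filter; searching `userLdapDn` with an object-scope `SearchControls` (`SearchControls.OBJECT_SCOPE`) regardless of the URL's scope would test exactly that. `SUBTREE_SCOPE` and `ONELEVEL_SCOPE` here appear to be realm-level `SearchControls` constants, since `DirContext.search` takes a `SearchControls`, so the change would presumably be a third such constant. The method continues past this hunk, so whether `systemLdapCtx` and the enumeration are closed is not visible here.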
@@ -322,4 +323,7 @@ public interface GatewayMessages {
 @Message( level = MessageLevel.INFO, text = "Computed userDn: {0} using ldapSearch for principal: {1}" )
 void searchedAndFoundUserDn(String userDn, String principal);
+ @Message( level = MessageLevel.INFO, text = "Computed roles/groups: {0} for principal: {1}" )
+ void lookedUpUserRoles(Set<String> roleNames, String userName);
+ }
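Review bot: the new message logs each principal's full role/group set at `MessageLevel.INFO`, so every role lookup writes user group membership into the gateway log in normal operation, which is a log-hygiene and information-disclosure concern on a production gateway. The neighbouring `searchedAndFoundUserDn` is INFO too, so this follows the file's convention, but `level = MessageLevel.DEBUG` fits a per-lookup trace better; if INFO is kept deliberately, a short comment above the annotation saying it fires on every lookup would tell the next reader it was a choice.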
