This is an automated email from the ASF dual-hosted git repository. xxyu pushed a commit to branch kylin5 in repository https://gitbox.apache.org/repos/asf/kylin.git
commit 6d642e7f051b5e807144b6920af6d4387115b9b2 Author: lixiang <447399...@qq.com> AuthorDate: Thu Dec 8 23:18:23 2022 +0800 KYLIN-5421 fix login user name the same as LDAP user * KYLIN-5421 fix login user name the same as LDAP user --- .../src/main/resources/kylinSecurity.xml | 4 ++ .../src/main/resources/kylinSecurity.xml | 4 ++ .../LdapCaseIgnoreUserDetailsContextMapper.java | 53 ++++++++++++++++++++++ .../kylin/rest/service/LdapUserServiceTest.java | 15 +++--- .../src/test/resources/kylinSecurity.xml | 4 ++ .../src/test/resources/ut_ldap/ldap-server.ldif | 26 ++++++++++- .../src/main/resources/kylinSecurity.xml | 4 ++ .../springframework/conf/kylinSecurity.xml | 4 ++ .../src/main/resources/kylinSecurity.xml | 4 ++ .../src/test/resources/kylinSecurity.xml | 4 ++ 10 files changed, 115 insertions(+), 7 deletions(-) diff --git a/src/common-booter/src/main/resources/kylinSecurity.xml b/src/common-booter/src/main/resources/kylinSecurity.xml index d4050579db..f6fd5b2c8d 100644 --- a/src/common-booter/src/main/resources/kylinSecurity.xml +++ b/src/common-booter/src/main/resources/kylinSecurity.xml @@ -113,9 +113,12 @@ <property name="groupSearchFilter" value="${kylin.security.ldap.user-group-search-filter}"/> </bean> + <bean id="ldapCaseIgnoreUserDetailsContextMapper" class="org.apache.kylin.rest.security.LdapCaseIgnoreUserDetailsContextMapper"/> + <bean id="ldapUserDetailsService" class="org.springframework.security.ldap.userdetails.LdapUserDetailsService"> <constructor-arg ref="ldapUserSearch"/> <constructor-arg ref="ldapUserPopulator"/> + <property name="userDetailsMapper" ref="ldapCaseIgnoreUserDetailsContextMapper"/> </bean> <bean id="userAuthProvider" @@ -130,6 +133,7 @@ </bean> </constructor-arg> <constructor-arg ref="ldapUserPopulator"/> + <property name="userDetailsContextMapper" ref="ldapCaseIgnoreUserDetailsContextMapper"/> </bean> </constructor-arg> </bean> 
diff --git a/src/common-server/src/main/resources/kylinSecurity.xml b/src/common-server/src/main/resources/kylinSecurity.xml index f8986f8ed9..82f50d3ee3 100644 --- a/src/common-server/src/main/resources/kylinSecurity.xml +++ b/src/common-server/src/main/resources/kylinSecurity.xml @@ -113,9 +113,12 @@ <property name="groupSearchFilter" value="${kylin.security.ldap.user-group-search-filter}"/> </bean> + <bean id="ldapCaseIgnoreUserDetailsContextMapper" class="org.apache.kylin.rest.security.LdapCaseIgnoreUserDetailsContextMapper"/> + <bean id="ldapUserDetailsService" class="org.springframework.security.ldap.userdetails.LdapUserDetailsService"> <constructor-arg ref="ldapUserSearch"/> <constructor-arg ref="ldapUserPopulator"/> + <property name="userDetailsMapper" ref="ldapCaseIgnoreUserDetailsContextMapper"/> </bean> <bean id="userAuthProvider" @@ -130,6 +133,7 @@ </bean> </constructor-arg> <constructor-arg ref="ldapUserPopulator"/> + <property name="userDetailsContextMapper" ref="ldapCaseIgnoreUserDetailsContextMapper"/> </bean> </constructor-arg> </bean> diff --git a/src/common-service/src/main/java/org/apache/kylin/rest/security/LdapCaseIgnoreUserDetailsContextMapper.java b/src/common-service/src/main/java/org/apache/kylin/rest/security/LdapCaseIgnoreUserDetailsContextMapper.java new file mode 100644 index 0000000000..f3248d2f3a --- /dev/null +++ b/src/common-service/src/main/java/org/apache/kylin/rest/security/LdapCaseIgnoreUserDetailsContextMapper.java 
@@ -0,0 +1,53 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.kylin.rest.security; + +import java.util.Collection; +import java.util.Map; + +import org.apache.kylin.rest.service.LdapUserService; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.beans.factory.annotation.Qualifier; +import org.springframework.ldap.core.DirContextOperations; +import org.springframework.security.core.GrantedAuthority; +import org.springframework.security.core.userdetails.UserDetails; +import org.springframework.security.ldap.userdetails.LdapUserDetailsMapper; + +public class LdapCaseIgnoreUserDetailsContextMapper extends LdapUserDetailsMapper { + + private static final Logger logger = LoggerFactory.getLogger(LdapCaseIgnoreUserDetailsContextMapper.class); + + @Autowired + @Qualifier("userService") + private LdapUserService ldapUserService; + + @Override + public UserDetails mapUserFromContext(DirContextOperations ctx, String username, + Collection<? 
extends GrantedAuthority> authorities) { + String dn = ctx.getNameInNamespace(); + logger.debug("Mapping user details from context with DN {}", dn); + Map<String, String> dnMap = ldapUserService.getDnMapperMap(); + String realName = dnMap.get(dn); + logger.debug("ldap real name is {}", realName); + return super.mapUserFromContext(ctx, realName, authorities); + } + +} diff --git a/src/common-service/src/test/java/org/apache/kylin/rest/service/LdapUserServiceTest.java b/src/common-service/src/test/java/org/apache/kylin/rest/service/LdapUserServiceTest.java index 3414b84996..f897e4735a 100644 --- a/src/common-service/src/test/java/org/apache/kylin/rest/service/LdapUserServiceTest.java +++ b/src/common-service/src/test/java/org/apache/kylin/rest/service/LdapUserServiceTest.java @@ -218,10 +218,10 @@ public class LdapUserServiceTest extends NLocalFileMetadataTestCase { @Test public void testListUsers() throws Exception { Set<String> users = ldapUserService.listUsers().stream().map(x -> x.getUsername()).collect(toSet()); - Assert.assertEquals(4, users.size()); + Assert.assertEquals(6, users.size()); List<ManagedUser> managedUserList = ldapUserService.listUsers(); for (val user : managedUserList) { - Assert.assertTrue(user.getAuthorities().size() > 1); + Assert.assertTrue(user.getAuthorities().size() >= 1); } } 
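Review bot: In `LdapCaseIgnoreUserDetailsContextMapper.mapUserFromContext`, `dnMap.get(dn)` returns `null` when the authenticated DN is missing from the map, and that `null` is passed straight to `super.mapUserFromContext` as the principal name. The lookup is an exact string match on `ctx.getNameInNamespace()`, so a DN that differs only in case or spacing from the stored key would presumably miss, as would an entry added to the directory after the map was built (neither can be confirmed from this hunk). Since this sits on the login path, handle the miss explicitly. Either reject it with a clear authentication error, or keep the pre-change behaviour with `String realName = dnMap.getOrDefault(dn, username);` plus a `logger.warn` naming the DN. A short class Javadoc saying that the directory's canonical name deliberately replaces the typed login name would also help the next reader.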
@@ -259,14 +259,17 @@ public class LdapUserServiceTest extends NLocalFileMetadataTestCase { @Test public void testOnNewUserAdded() throws Exception { - Assert.assertFalse(ldapUserService.userExists("rick")); - directoryServer.add("dn: cn=rick,ou=People,dc=example,dc=com", "objectClass: inetOrgPerson", - "objectClass: organizationalPerson", "objectClass: person", "objectClass: top", "cn: rick", - "sn: rick gan", "mail: r...@example.io", "ou: Modeler", "userPassword:: ZXhhbXBsZTEyMw=="); + Assert.assertTrue(ldapUserService.userExists("rick")); ldapUserService.onUserAuthenticated("rick"); Assert.assertTrue(ldapUserService.userExists("rick")); } + @Test + public void testOnUserWithoutPassword() throws Exception { + ldapUserService.onUserAuthenticated("ricky"); + Assert.assertTrue(ldapUserService.userExists("ricky")); + } + @Test public void testAddGroup() { thrown.expect(UnsupportedOperationException.class); diff --git a/src/common-service/src/test/resources/kylinSecurity.xml b/src/common-service/src/test/resources/kylinSecurity.xml index cd258740c7..d8c4920319 100644 --- a/src/common-service/src/test/resources/kylinSecurity.xml +++ b/src/common-service/src/test/resources/kylinSecurity.xml @@ -105,9 +105,12 @@ <property name="groupSearchFilter" value="${kylin.security.ldap.user-group-search-filter}"/> </bean> + <bean id="ldapCaseIgnoreUserDetailsContextMapper" class="org.apache.kylin.rest.security.LdapCaseIgnoreUserDetailsContextMapper"/> + <bean id="ldapUserDetailsService" class="org.springframework.security.ldap.userdetails.LdapUserDetailsService"> <constructor-arg ref="ldapUserSearch"/> <constructor-arg ref="ldapUserPopulator"/> + <property name="userDetailsMapper" ref="ldapCaseIgnoreUserDetailsContextMapper"/> </bean> <bean id="userAuthProvider" @@ -122,6 +125,7 @@ </bean> </constructor-arg> <constructor-arg ref="ldapUserPopulator"/> + <property name="userDetailsContextMapper" ref="ldapCaseIgnoreUserDetailsContextMapper"/> </bean> </constructor-arg> </bean> 
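Review bot: `testOnNewUserAdded` no longer tests what its name says. Now that `rick` is preloaded from the LDIF, `userExists("rick")` is asserted true both before and after `onUserAuthenticated("rick")`, so the test would pass even if that call did nothing. Keep a runtime `directoryServer.add` with a cn that is not in the fixture so the "absent, then present" transition is still covered. Nothing in this hunk exercises the new mapper with a login name whose case differs from the directory's `cn`, for example loading `RICK` and asserting the resulting username is `rick`. `testOnUserWithoutPassword` calls `onUserAuthenticated("ricky")` directly and so skips authentication; an assertion that a login for the empty-`userPassword` entry is rejected would document the intended behaviour for that fixture.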
diff --git a/src/common-service/src/test/resources/ut_ldap/ldap-server.ldif b/src/common-service/src/test/resources/ut_ldap/ldap-server.ldif index 56d7f94c57..1902998ca5 100644 --- a/src/common-service/src/test/resources/ut_ldap/ldap-server.ldif +++ b/src/common-service/src/test/resources/ut_ldap/ldap-server.ldif @@ -124,4 +124,28 @@ objectClass: top dn: cn=empty,ou=Groups,dc=example,dc=com cn: empty objectClass: groupOfNames -objectClass: top \ No newline at end of file +objectClass: top + +# rick, People, example.com +dn: cn=rick,ou=People,dc=example,dc=com +objectClass: inetOrgPerson +objectClass: organizationalPerson +objectClass: person +objectClass: top +cn: rick +sn: rick gan +mail: r...@example.io +ou: Modeler +userPassword:: ZXhhbXBsZTEyMw== + +# oliver, People, example.com +dn: cn=ricky,ou=People,dc=example,dc=com +objectClass: inetOrgPerson +objectClass: organizationalPerson +objectClass: person +objectClass: top +cn: ricky +sn: ricky gan +mail: ri...@example.io +ou: Modeler +userPassword:: \ No newline at end of file diff --git a/src/data-loading-booter/src/main/resources/kylinSecurity.xml b/src/data-loading-booter/src/main/resources/kylinSecurity.xml index dc97c605eb..132a31f58b 100644 --- a/src/data-loading-booter/src/main/resources/kylinSecurity.xml +++ b/src/data-loading-booter/src/main/resources/kylinSecurity.xml @@ -113,9 +113,12 @@ <property name="groupSearchFilter" value="${kylin.security.ldap.user-group-search-filter}"/> </bean> + <bean id="ldapCaseIgnoreUserDetailsContextMapper" class="org.apache.kylin.rest.security.LdapCaseIgnoreUserDetailsContextMapper"/> + <bean id="ldapUserDetailsService" class="org.springframework.security.ldap.userdetails.LdapUserDetailsService"> <constructor-arg ref="ldapUserSearch"/> <constructor-arg ref="ldapUserPopulator"/> + <property name="userDetailsMapper" ref="ldapCaseIgnoreUserDetailsContextMapper"/> </bean> <bean id="userAuthProvider" 
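Review bot: The comment above the new `cn=ricky` entry in `ldap-server.ldif` reads `# oliver, People, example.com`, which names a different user; it should be `# ricky, People, example.com`. The entry's `userPassword::` is empty and the file again ends without a trailing newline. A one-line comment such as `# ricky has an empty password on purpose (see testOnUserWithoutPassword)` would make clear that the empty credential is deliberate and not a truncated fixture.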
@@ -130,6 +133,7 @@ </bean> </constructor-arg> <constructor-arg ref="ldapUserPopulator"/> + <property name="userDetailsContextMapper" ref="ldapCaseIgnoreUserDetailsContextMapper"/> </bean> </constructor-arg> </bean> diff --git a/src/kylin-it/src/test/resources/springframework/conf/kylinSecurity.xml b/src/kylin-it/src/test/resources/springframework/conf/kylinSecurity.xml index 7a1c7d7188..7a011d6506 100644 --- a/src/kylin-it/src/test/resources/springframework/conf/kylinSecurity.xml +++ b/src/kylin-it/src/test/resources/springframework/conf/kylinSecurity.xml @@ -114,9 +114,12 @@ <property name="groupSearchFilter" value="${kylin.security.ldap.user-group-search-filter}"/> </bean> + <bean id="ldapCaseIgnoreUserDetailsContextMapper" class="org.apache.kylin.rest.security.LdapCaseIgnoreUserDetailsContextMapper"/> + <bean id="ldapUserDetailsService" class="org.springframework.security.ldap.userdetails.LdapUserDetailsService"> <constructor-arg ref="ldapUserSearch"/> <constructor-arg ref="ldapUserPopulator"/> + <property name="userDetailsMapper" ref="ldapCaseIgnoreUserDetailsContextMapper"/> </bean> <bean id="userAuthProvider" @@ -131,6 +134,7 @@ </bean> </constructor-arg> <constructor-arg ref="ldapUserPopulator"/> + <property name="userDetailsContextMapper" ref="ldapCaseIgnoreUserDetailsContextMapper"/> </bean> </constructor-arg> </bean> diff --git a/src/query-booter/src/main/resources/kylinSecurity.xml b/src/query-booter/src/main/resources/kylinSecurity.xml index d4050579db..f6fd5b2c8d 100644 --- a/src/query-booter/src/main/resources/kylinSecurity.xml +++ b/src/query-booter/src/main/resources/kylinSecurity.xml 
@@ -113,9 +113,12 @@ <property name="groupSearchFilter" value="${kylin.security.ldap.user-group-search-filter}"/> </bean> + <bean id="ldapCaseIgnoreUserDetailsContextMapper" class="org.apache.kylin.rest.security.LdapCaseIgnoreUserDetailsContextMapper"/> + <bean id="ldapUserDetailsService" class="org.springframework.security.ldap.userdetails.LdapUserDetailsService"> <constructor-arg ref="ldapUserSearch"/> <constructor-arg ref="ldapUserPopulator"/> + <property name="userDetailsMapper" ref="ldapCaseIgnoreUserDetailsContextMapper"/> </bean> <bean id="userAuthProvider" @@ -130,6 +133,7 @@ </bean> </constructor-arg> <constructor-arg ref="ldapUserPopulator"/> + <property name="userDetailsContextMapper" ref="ldapCaseIgnoreUserDetailsContextMapper"/> </bean> </constructor-arg> </bean> diff --git a/src/streaming-service/src/test/resources/kylinSecurity.xml b/src/streaming-service/src/test/resources/kylinSecurity.xml index d4050579db..f6fd5b2c8d 100644 --- a/src/streaming-service/src/test/resources/kylinSecurity.xml +++ b/src/streaming-service/src/test/resources/kylinSecurity.xml @@ -113,9 +113,12 @@ <property name="groupSearchFilter" value="${kylin.security.ldap.user-group-search-filter}"/> </bean> + <bean id="ldapCaseIgnoreUserDetailsContextMapper" class="org.apache.kylin.rest.security.LdapCaseIgnoreUserDetailsContextMapper"/> + <bean id="ldapUserDetailsService" class="org.springframework.security.ldap.userdetails.LdapUserDetailsService"> <constructor-arg ref="ldapUserSearch"/> <constructor-arg ref="ldapUserPopulator"/> + <property name="userDetailsMapper" ref="ldapCaseIgnoreUserDetailsContextMapper"/> </bean> <bean id="userAuthProvider" @@ -130,6 +133,7 @@ </bean> </constructor-arg> <constructor-arg ref="ldapUserPopulator"/> + <property name="userDetailsContextMapper" ref="ldapCaseIgnoreUserDetailsContextMapper"/> </bean> </constructor-arg> </bean>