[ https://issues.apache.org/jira/browse/KNOX-2881?focusedWorklogId=845135&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-845135 ]
ASF GitHub Bot logged work on KNOX-2881:
----------------------------------------

Author: ASF GitHub Bot
Created on: 13/Feb/23 13:55
Start Date: 13/Feb/23 13:55
Worklog Time Spent: 10m

Work Description:
smolnar82 opened a new pull request, #732:
URL: https://github.com/apache/knox/pull/732

## What changes were proposed in this pull request?

Added alias service lookup when dealing with LDAP system passwords in the form of `${ALIAS=value}`.

## How was this patch tested?

Added a new unit test case to cover this improvement, and ran manual testing:

Added the following parameters in the KnoxSSO topology:

```
<param>
    <name>main.ldapRealm.contextFactory.systemUsername</name>
    <value>uid=admin,ou=people,dc=hadoop,dc=apache,dc=org</value>
</param>
<param>
    <name>main.ldapRealm.contextFactory.systemPassword</name>
    <value>${ALIAS=ldapsystempassword}</value>
</param>
```

Saved `ldapsystempassword`:

```
$ bin/knoxcli.sh create-alias ldapsystempassword --value admin-password --cluster knoxsso
ldapsystempassword has been successfully created.
```

Prior to my changes, I got this:

```
$ bin/knoxcli.sh system-user-auth-test --cluster knoxsso
org.apache.shiro.authc.AuthenticationException: LDAP authentication failed. [LDAP: error code 49 - INVALID_CREDENTIALS: Bind failed: ERR_229 Cannot authenticate user uid=admin,ou=people,dc=hadoop,dc=apache,dc=org]
For more information use --d for debug output.
```

After my changes:

```
$ bin/knoxcli.sh system-user-auth-test --cluster knoxsso
System password is stored as an alias ldapsystempassword; looking it up...
System LDAP Bind successful.
```

Issue Time Tracking
-------------------

Worklog Id: (was: 845135)
Remaining Estimate: 0h
Time Spent: 10m

> KnoxCLI doesn't handle ALIAS in (system)-user-auth-test
> ------------------------------------------------------
>
> Key: KNOX-2881
> URL: https://issues.apache.org/jira/browse/KNOX-2881
> Project: Apache Knox
> Issue Type: Improvement
> Components: KnoxCLI
> Affects Versions: 1.2.0, 1.3.0, 1.4.0, 1.5.0, 2.0.0, 1.6.0, 1.6.1
> Reporter: Sandor Molnar
> Assignee: Sandor Molnar
> Priority: Major
> Fix For: 2.1.0
>
> Time Spent: 10m
> Remaining Estimate: 0h
>
> When the topology has
> {noformat}
> <param>
>     <name>main.ldapRealm.contextFactory.systemPassword</name>
>     <value>${ALIAS=knoxldapsystempassword}</value>
> </param>
> {noformat}
> The validations fail as:
> {noformat}
> # /bin/knoxcli.sh system-user-auth-test --cluster ldapUsecase1Topo2
> org.apache.shiro.authc.AuthenticationException: LDAP authentication failed. [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042A, comment: AcceptSecurityContext error, data 52e, v3839]
> For more information use --d for debug output.
> Unable to successfully bind to LDAP server with topology credentials. Are your parameters correct?
> # bin/knoxcli.sh user-auth-test --cluster ldapUsecase1Topo2 --u user1 --p Test123
> org.apache.shiro.config.ConfigurationException: Unable to set property 'contextFactory.systemPassword' with value [S{ALIAS=knoxldapsystempassword}] on object of type org.apache.knox.gateway.shirorealm.KnoxLdapRealm. If 'S{ALIAS=knoxldapsystempassword}' is a reference to another (previously defined) object, prefix it with '$' to indicate that the referenced object should be used as the actual value. For example, $S{ALIAS=knoxldapsystempassword}
> org.apache.knox.gateway.util.KnoxCLI$LDAPCommand$BadSubjectException: Subject could not be created with Shiro Config at sections=main,urls
> For more information use --d for debug output.
> ERR: Unable to authenticate user: user1
> {noformat}
> Note: we checked that the keystore has the right password value set:
> {noformat}
> # ${JAVA} GetValueFromJCEKS ${JCEKSFILE} ${JCEKSPASS} ${PW_ALIAS}
> Test123
> {noformat}
>
> When the topology is configured with a plain password like:
> {noformat}
> <param>
>     <name>main.ldapRealm.contextFactory.systemPassword</name>
>     <value>Test123</value>
> </param>
> {noformat}
> The validations run with no errors:
> {noformat}
> # bin/knoxcli.sh system-user-auth-test --cluster ldapUsecase1Topo3
> System LDAP Bind successful.
> # bin/knoxcli.sh user-auth-test --cluster ldapUsecase1Topo3 --u user1 --p Test123
> LDAP authentication successful!
> {noformat}

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
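The behaviour the PR and the issue describe, as an added example that is not Knox code and not part of the pull request: a configuration validator must resolve a `${ALIAS=name}` reference through the same alias store the gateway uses before it tries the LDAP bind, otherwise it binds with the literal string and gets the error 49 seen above. The example is in Python rather than Knox's Java; the `ALIAS_STORE` dict stands in for the JCEKS-backed alias service, `simulated_bind` stands in for a real LDAP simple bind, and the function and constant names (`resolve_password`, `system_user_auth_test`, `describe_password_source`, `TOPOLOGY`, `DIRECTORY`) are assumptions for illustration. The topology values and alias name are the ones from the PR description; the directory entry is constructed to match them.

```python
import re
from typing import Mapping

# Whole-value match for "${ALIAS=name}", capturing the alias name (assumed to be
# case-sensitive, as the topology examples on this page use uppercase ALIAS).
ALIAS_REF = re.compile(r"^\$\{ALIAS=([^}]+)\}$")


class AliasNotFound(KeyError):
    """A ${ALIAS=...} reference names an alias the store does not hold."""


def resolve_password(value: str, alias_store: Mapping[str, str]) -> str:
    """Return the password to bind with for a topology parameter value.

    A ${ALIAS=name} reference is replaced by the secret stored under `name`.
    A missing alias is an error, not a silent fallback to the literal: binding
    with the literal "${ALIAS=name}" is exactly the failure mode in the issue.
    """
    match = ALIAS_REF.match(value.strip())
    if match is None:
        return value  # plain password configured directly in the topology
    name = match.group(1)
    if name not in alias_store:
        raise AliasNotFound(name)
    return alias_store[name]


def describe_password_source(value: str) -> str:
    """Log-safe description of where the password comes from (never the secret itself)."""
    match = ALIAS_REF.match(value.strip())
    if match is None:
        return "System password is a literal value; using it as-is."
    return f"System password is stored as an alias {match.group(1)}; looking it up..."


def simulated_bind(user: str, password: str, directory: Mapping[str, str]) -> bool:
    """Stand-in for an LDAP simple bind: succeeds only on an exact password match."""
    return directory.get(user) == password


def system_user_auth_test(topology: Mapping[str, str], alias_store: Mapping[str, str],
                          directory: Mapping[str, str], resolve_aliases: bool) -> bool:
    """Model of the CLI check: resolve_aliases=False is the pre-fix behaviour."""
    user = topology["main.ldapRealm.contextFactory.systemUsername"]
    raw = topology["main.ldapRealm.contextFactory.systemPassword"]
    password = resolve_password(raw, alias_store) if resolve_aliases else raw
    return simulated_bind(user, password, directory)


# Constructed sample data, mirroring the PR description's manual test.
TOPOLOGY = {
    "main.ldapRealm.contextFactory.systemUsername": "uid=admin,ou=people,dc=hadoop,dc=apache,dc=org",
    "main.ldapRealm.contextFactory.systemPassword": "${ALIAS=ldapsystempassword}",
}
ALIAS_STORE = {"ldapsystempassword": "admin-password"}  # stands in for the JCEKS alias service
DIRECTORY = {"uid=admin,ou=people,dc=hadoop,dc=apache,dc=org": "admin-password"}

if __name__ == "__main__":
    print(describe_password_source(TOPOLOGY["main.ldapRealm.contextFactory.systemPassword"]))
    print("before fix (literal used):", system_user_auth_test(TOPOLOGY, ALIAS_STORE, DIRECTORY, False))
    print("after fix (alias resolved):", system_user_auth_test(TOPOLOGY, ALIAS_STORE, DIRECTORY, True))
```

Two design points carry over to any tool that validates a configuration holding credential references: resolve references through the same store the runtime uses, so the check exercises the real credential path, and log only the alias name, as the fixed CLI output on this page does, never the resolved value.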