[ https://issues.apache.org/jira/browse/KNOX-2881?focusedWorklogId=845135&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-845135 ]

ASF GitHub Bot logged work on KNOX-2881:
----------------------------------------

                Author: ASF GitHub Bot
            Created on: 13/Feb/23 13:55
            Start Date: 13/Feb/23 13:55
    Worklog Time Spent: 10m 
      Work Description: smolnar82 opened a new pull request, #732:
URL: https://github.com/apache/knox/pull/732

   ## What changes were proposed in this pull request?
   
   Added alias service lookup when dealing with LDAP system passwords in the form of `${ALIAS=value}`.
   
   ## How was this patch tested?
   
   Added new unit test case to cover this improvement, and ran manual testing:
   Added the following parameters in the KnoxSSO topology:
   ```
     <param>
         <name>main.ldapRealm.contextFactory.systemUsername</name>
         <value>uid=admin,ou=people,dc=hadoop,dc=apache,dc=org</value>
     </param>        
       
     <param>
       <name>main.ldapRealm.contextFactory.systemPassword</name>
       <value>${ALIAS=ldapsystempassword}</value>
     </param>
   ```
   Saved `ldapsystempassword`:
   ```
   $ bin/knoxcli.sh create-alias ldapsystempassword --value admin-password --cluster knoxsso
   ldapsystempassword has been successfully created.
   ```
   Prior to my changes, I got this:
   ```
   $ bin/knoxcli.sh system-user-auth-test --cluster knoxsso
   org.apache.shiro.authc.AuthenticationException: LDAP authentication failed.
   [LDAP: error code 49 - INVALID_CREDENTIALS: Bind failed: ERR_229 Cannot authenticate user uid=admin,ou=people,dc=hadoop,dc=apache,dc=org]
   For more information use --d for debug output.
   ```
   
   After my changes:
   ```
   $ bin/knoxcli.sh system-user-auth-test --cluster knoxsso
   System password is stored as an alias ldapsystempassword; looking it up...
   System LDAP Bind successful.
   ```
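
A stand-alone model of the lookup this PR adds, written as an added example rather than Knox's own code: the topology fragment and the alias store are constructed, `resolve_alias` stands in for the alias service, and `resolve=False` reproduces the pre-fix behaviour in which the literal `${ALIAS=...}` string was used as the bind password.

```python
import re
import xml.etree.ElementTree as ET

# Knox alias reference syntax accepted in topology <param> values: ${ALIAS=name}
ALIAS_REF = re.compile(r"^\$\{ALIAS=(?P<name>[^}]+)\}$")

# Constructed topology fragment with the two KnoxSSO params from the PR description.
TOPOLOGY_XML = """<topology>
  <param>
    <name>main.ldapRealm.contextFactory.systemUsername</name>
    <value>uid=admin,ou=people,dc=hadoop,dc=apache,dc=org</value>
  </param>
  <param>
    <name>main.ldapRealm.contextFactory.systemPassword</name>
    <value>${ALIAS=ldapsystempassword}</value>
  </param>
</topology>"""

# Constructed stand-in for the per-cluster alias store that `knoxcli.sh create-alias` populates.
ALIAS_STORE = {"knoxsso": {"ldapsystempassword": "admin-password"}}

def topology_params(xml_text):
    """Return {name: value} for every <param> element in the topology."""
    root = ET.fromstring(xml_text)
    return {p.findtext("name"): p.findtext("value") for p in root.iter("param")}

def resolve_alias(value, cluster, store=ALIAS_STORE):
    """Literal values pass through; ${ALIAS=name} is looked up in the cluster's alias store.
    A missing alias raises instead of silently binding with the literal reference string."""
    m = ALIAS_REF.match(value or "")
    if not m:
        return value
    name = m.group("name")
    if name not in store.get(cluster, {}):
        raise KeyError(f"alias {name!r} not found for cluster {cluster!r}")
    return store[cluster][name]

def system_bind_credentials(xml_text, cluster, resolve=True):
    """Credentials the bind test would use; resolve=False reproduces the pre-fix behaviour."""
    params = topology_params(xml_text)
    user = params["main.ldapRealm.contextFactory.systemUsername"]
    raw = params["main.ldapRealm.contextFactory.systemPassword"]
    return user, (resolve_alias(raw, cluster) if resolve else raw)
```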
   




Issue Time Tracking
-------------------

            Worklog Id:     (was: 845135)
    Remaining Estimate: 0h
            Time Spent: 10m

> KnoxCLI doesn’t handle ALIAS in (system)-user-auth-test
> -------------------------------------------------------
>
>                 Key: KNOX-2881
>                 URL: https://issues.apache.org/jira/browse/KNOX-2881
>             Project: Apache Knox
>          Issue Type: Improvement
>          Components: KnoxCLI
>    Affects Versions: 1.2.0, 1.3.0, 1.4.0, 1.5.0, 2.0.0, 1.6.0, 1.6.1
>            Reporter: Sandor Molnar
>            Assignee: Sandor Molnar
>            Priority: Major
>             Fix For: 2.1.0
>
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> When topology has 
> {noformat}
>   <param>
>     <name>main.ldapRealm.contextFactory.systemPassword</name>
>     <value>${ALIAS=knoxldapsystempassword}</value>
>   </param>
> {noformat}
> The validations fail as:
> {noformat}
> # /bin/knoxcli.sh system-user-auth-test --cluster ldapUsecase1Topo2
> org.apache.shiro.authc.AuthenticationException: LDAP authentication failed.
> [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042A, comment: AcceptSecurityContext error, data 52e, v3839]
> For more information use --d for debug output.
> Unable to successfully bind to LDAP server with topology credentials. Are your parameters correct?
> # bin/knoxcli.sh user-auth-test --cluster ldapUsecase1Topo2 --u user1 --p Test123
> org.apache.shiro.config.ConfigurationException: Unable to set property 'contextFactory.systemPassword' with value [S{ALIAS=knoxldapsystempassword}] on object of type org.apache.knox.gateway.shirorealm.KnoxLdapRealm.  If 'S{ALIAS=knoxldapsystempassword}' is a reference to another (previously defined) object, prefix it with '$' to indicate that the referenced object should be used as the actual value.  For example, $S{ALIAS=knoxldapsystempassword}
> org.apache.knox.gateway.util.KnoxCLI$LDAPCommand$BadSubjectException: Subject could not be created with Shiro Config at sections=main,urls
> For more information use --d for debug output.
> ERR: Unable to authenticate user: user1
> {noformat}
> Note: we checked that the keystore has the right password value set:
> {noformat}
> # ${JAVA} GetValueFromJCEKS ${JCEKSFILE} ${JCEKSPASS} ${PW_ALIAS}
> Test123
> {noformat}
>  
> When the topology is configured with a plain password like:
> {noformat}
>   <param>
>     <name>main.ldapRealm.contextFactory.systemPassword</name>
>     <value>Test123</value>
>   </param>
> {noformat}
> The validations run with no errors:
> {noformat}
> # bin/knoxcli.sh system-user-auth-test --cluster ldapUsecase1Topo3
> System LDAP Bind successful.
> # bin/knoxcli.sh user-auth-test --cluster ldapUsecase1Topo3 --u user1 --p Test123
> LDAP authentication successful!
> {noformat}



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
