[ https://issues.apache.org/jira/browse/KYLIN-3197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16360388#comment-16360388 ]
Peng Xing edited comment on KYLIN-3197 at 2/12/18 7:41 AM: ----------------------------------------------------------- Hi [~Aron.tao], I have found out the reason why your environment is useable for case insensitive ldap username, because your linux is SUSE, the member format is userDn just like 'uid=wkh,ou=People,ou=defaultCluster,dc=zdh,dc=com' in group, so when userDn is "uid={color:red}wkh{color},ou=People,ou=defaultCluster,dc=zdh,dc=com", the ldap can use userDn to match the ldap group. I have tested in SUSE environment, it's really ok. {code:java} dn: cn=wkhGroup,ou=Group,ou=defaultCluster,dc=zdh,dc=com objectClass: posixGroup objectClass: top objectClass: groupOfNames cn: wkhGroup gidNumber: 10015 member: uid=wkh,ou=People,ou=defaultCluster,dc=zdh,dc=com structuralObjectClass: groupOfNames entryUUID: 4bacacf6-a410-1037-996c-b7792c876d2c creatorsName: cn=LdapAdmin,dc=zdh,dc=com createTimestamp: 20180212071549Z entryCSN: 20180212071617.147179Z#000000#001#000000 modifiersName: cn=LdapAdmin,dc=zdh,dc=com modifyTimestamp: 20180212071617Z {code} But my environment is Redhat, the memberUid format is username or cn just like 'wkh' in group, so when username is "WKH", the ldap can not use "WKH" to match the ldap group. {code:java} dn: cn=wkhGroup,ou=Group,ou=defaultCluster,dc=zdh,dc=com objectClass: posixGroup objectClass: top cn: wkhGroup gidNumber: 10000 structuralObjectClass: posixGroup entryUUID: f99c7e72-9466-1037-8810-e1d7152e775c creatorsName: cn=LdapAdmin,dc=zdh,dc=com createTimestamp: 20180123085558Z memberUid: wkh memberUid: wkh1 memberUid: wkh2 memberUid: Wkh5 entryCSN: 20180124082044.774518Z#000000#001#000000 modifiersName: cn=LdapAdmin,dc=zdh,dc=com modifyTimestamp: 20180124082044Z {code} Then I will answer your two questions. 1. the signature of getAdditionalRoles() seems not the way you use. Because the Redhat linux can not support the case insensitive ldap username, that is to say 'getGroupMembershipRoles(userDn, username)' will return empty Set, so I analyze the spring source code, after 'getGroupMembershipRoles(userDn, username)', there will call 'getAdditionalRoles(user, username)' to get the roles again, then I can get the real username from the DirContextOperations object. 2. In your patch you directly get username and not use the name that getAdditionalRoles(DirContextOperations user, String username) passed in. Because the username passed in is not real one, but the 'WKH', so I find a way to fetch the real one from DirContextOperations object by 'username = user.getStringAttribute("cn");' was (Author: xingpeng1): Hi [~Aron.tao], I have found out the reason why your environment is useable for case insensitive ldap username, because your linux is SUSE, the member format is userDn just like 'uid=wkh,ou=People,ou=defaultCluster,dc=zdh,dc=com' in group, so when userDn is "uid={color:red}wkh{color},ou=People,ou=defaultCluster,dc=zdh,dc=com", the ldap can use userDn to match the ldap group. I have tested in SUSE environment, it's really ok. {code:java} dn: cn=wkhGroup,ou=Group,ou=defaultCluster,dc=zdh,dc=com objectClass: posixGroup objectClass: top objectClass: groupOfNames cn: wkhGroup gidNumber: 10015 member: uid=wkh,ou=People,ou=defaultCluster,dc=zdh,dc=com structuralObjectClass: groupOfNames entryUUID: 4bacacf6-a410-1037-996c-b7792c876d2c creatorsName: cn=LdapAdmin,dc=zdh,dc=com createTimestamp: 20180212071549Z entryCSN: 20180212071617.147179Z#000000#001#000000 modifiersName: cn=LdapAdmin,dc=zdh,dc=com modifyTimestamp: 20180212071617Z {code} But my environment is Redhat, the member format is username or cn just like 'wkh' in group, so when username is "WKH", the ldap can not use "WKH" to match the ldap group. {code:java} dn: cn=wkhGroup,ou=Group,ou=defaultCluster,dc=zdh,dc=com objectClass: posixGroup objectClass: top cn: wkhGroup gidNumber: 10000 structuralObjectClass: posixGroup entryUUID: f99c7e72-9466-1037-8810-e1d7152e775c creatorsName: cn=LdapAdmin,dc=zdh,dc=com createTimestamp: 20180123085558Z memberUid: wkh memberUid: wkh1 memberUid: wkh2 memberUid: Wkh5 entryCSN: 20180124082044.774518Z#000000#001#000000 modifiersName: cn=LdapAdmin,dc=zdh,dc=com modifyTimestamp: 20180124082044Z {code} Then I will answer your two questions. 1. the signature of getAdditionalRoles() seems not the way you use. Because the Redhat linux can not support the case insensitive ldap username, that is to say 'getGroupMembershipRoles(userDn, username)' will return empty Set, so I analyze the spring source code, after 'getGroupMembershipRoles(userDn, username)', there will call 'getAdditionalRoles(user, username)' to get the roles again, then I can get the real username from the DirContextOperations object. 2. In your patch you directly get username and not use the name that getAdditionalRoles(DirContextOperations user, String username) passed in. Because the username passed in is not real one, but the 'WKH', so I find a way to fetch the real one from DirContextOperations object by 'username = user.getStringAttribute("cn");' > When ldap is opened, I use an ignored case user to login, the page does not > respond. > ------------------------------------------------------------------------------------ > > Key: KYLIN-3197 > URL: https://issues.apache.org/jira/browse/KYLIN-3197 > Project: Kylin > Issue Type: Bug > Components: Security > Affects Versions: v2.3.0 > Reporter: Peng Xing > Assignee: Peng Xing > Priority: Major > Labels: patch > Fix For: Future > > Attachments: > 0001-KYLIN-3197-When-ldap-is-opened-I-use-an-ignored-case.patch, > image-2018-01-25-17-22-39-970.png, image-2018-02-06-14-09-32-591.png, > image-2018-02-08-15-32-25-030.png, image-2018-02-08-15-33-07-277.png, > image-2018-02-08-15-33-54-480.png, image-2018-02-08-15-35-03-902.png, > image-2018-02-12-12-15-00-574.png, image-2018-02-12-12-15-28-826.png, > image-2018-02-12-12-15-39-132.png, image-2018-02-12-12-25-15-793.png > > > When ldap is opened, I config the kylin.properties, and give wkhGroup the > admin permission. > {code:java} > ## Admin roles in LDAP, for ldap and saml > kylin.security.acl.admin-role=wkhGroup > {code} > then I create a new user named 'wkh' whose group is 'wkhGroup', then I use > '{color:#ff0000}wkh{color}' to login in, which is normal. > But when I use '{color:#ff0000}WKH{color}' to login in, the page does not > respond. > I analyze the backgroud code, and find the function of > 'org.apache.kylin.rest.security.LDAPAuthoritiesPopulator.getGroupMembershipRoles(String, > String)' has problem. > When userDn is > "uid={color:#ff0000}wkh{color},ou=People,ou=defaultCluster,dc=zdh,dc=com" and > username is "{color:#ff0000}WKH{color}", then authorities will be empty Set > by the follow code: > {code:java} > Set<GrantedAuthority> authorities = super.getGroupMembershipRoles(userDn, > username); > {code} > So I have added 'getAdditionalRoles' function to get the authorities again. > I have test the patch, please review, thanks! -- This message was sent by Atlassian JIRA (v7.6.3#76005)