[GitHub] [spark] srowen commented on a diff in pull request #36784: [SPARK-39396][SQL] Fix LDAP login exception 'error code 49 - invalid credentials'

GitBox Sat, 18 Jun 2022 14:27:03 -0700


srowen commented on code in PR #36784:
URL: https://github.com/apache/spark/pull/36784#discussion_r901017372



##########
sql/hive-thriftserver/src/main/java/org/apache/hive/service/auth/LdapAuthenticationProviderImpl.java:
##########
@@ -58,22 +61,46 @@ public void Authenticate(String user, String password) 
throws AuthenticationExce
     }
 
     // setup the security principal
-    String bindDN;
-    if (baseDN == null) {
-      bindDN = user;
+    List<String> candidatePrincipals = new ArrayList<>();
+    if (StringUtils.isBlank(userDNPattern)) {
+      if (StringUtils.isNotBlank(baseDN)) {
+        String pattern = "uid=" + user + "," + baseDN;
+        candidatePrincipals.add(pattern);
+      }
     } else {
-      bindDN = "uid=" + user + "," + baseDN;
+      String[] patterns = userDNPattern.split(":");
+      for (String pattern : patterns) {
+        if (StringUtils.contains(pattern, ",") && 
StringUtils.contains(pattern, "=")) {
+          candidatePrincipals.add(pattern.replaceAll("%s", user));
+        }
+      }
+    }
+
+    if (candidatePrincipals.isEmpty()) {
+      candidatePrincipals = Collections.singletonList(user);
     }
-    env.put(Context.SECURITY_AUTHENTICATION, "simple");
-    env.put(Context.SECURITY_PRINCIPAL, bindDN);
-    env.put(Context.SECURITY_CREDENTIALS, password);
 
-    try {
-      // Create initial context
-      Context ctx = new InitialDirContext(env);
-      ctx.close();
-    } catch (NamingException e) {
-      throw new AuthenticationException("Error validating LDAP user", e);
+    for (Iterator<String> iterator = candidatePrincipals.iterator(); 
iterator.hasNext();) {
+      String principal = iterator.next();
+
+      Hashtable<String, Object> env = new Hashtable<String, Object>();

Review Comment:
   The API requires Hashtable, not HashMap? OK



##########
sql/hive-thriftserver/src/main/java/org/apache/hive/service/auth/LdapAuthenticationProviderImpl.java:
##########
@@ -58,22 +61,46 @@ public void Authenticate(String user, String password) 
throws AuthenticationExce
     }
 
     // setup the security principal
-    String bindDN;
-    if (baseDN == null) {
-      bindDN = user;
+    List<String> candidatePrincipals = new ArrayList<>();
+    if (StringUtils.isBlank(userDNPattern)) {
+      if (StringUtils.isNotBlank(baseDN)) {
+        String pattern = "uid=" + user + "," + baseDN;
+        candidatePrincipals.add(pattern);
+      }
     } else {
-      bindDN = "uid=" + user + "," + baseDN;
+      String[] patterns = userDNPattern.split(":");
+      for (String pattern : patterns) {
+        if (StringUtils.contains(pattern, ",") && 
StringUtils.contains(pattern, "=")) {
+          candidatePrincipals.add(pattern.replaceAll("%s", user));
+        }
+      }
+    }
+
+    if (candidatePrincipals.isEmpty()) {
+      candidatePrincipals = Collections.singletonList(user);
     }
-    env.put(Context.SECURITY_AUTHENTICATION, "simple");
-    env.put(Context.SECURITY_PRINCIPAL, bindDN);
-    env.put(Context.SECURITY_CREDENTIALS, password);
 
-    try {
-      // Create initial context
-      Context ctx = new InitialDirContext(env);
-      ctx.close();
-    } catch (NamingException e) {
-      throw new AuthenticationException("Error validating LDAP user", e);
+    for (Iterator<String> iterator = candidatePrincipals.iterator(); 
iterator.hasNext();) {
+      String principal = iterator.next();
+
+      Hashtable<String, Object> env = new Hashtable<String, Object>();
+      env.put(Context.INITIAL_CONTEXT_FACTORY, 
"com.sun.jndi.ldap.LdapCtxFactory");
+      env.put(Context.PROVIDER_URL, ldapURL);
+      env.put(Context.SECURITY_AUTHENTICATION, "simple");
+      env.put(Context.SECURITY_PRINCIPAL, principal);
+      env.put(Context.SECURITY_CREDENTIALS, password);
+
+      try {
+
+        // Create initial context
+        Context ctx = new InitialDirContext(env);
+        ctx.close();
+        break;
+      } catch (NamingException e) {
+        if (!iterator.hasNext()) {
+          throw new AuthenticationException("Error validating LDAP user", e);

Review Comment:
   This should just be after the for block



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: reviews-unsubscr...@spark.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: reviews-unsubscr...@spark.apache.org
For additional commands, e-mail: reviews-h...@spark.apache.org

[GitHub] [spark] srowen commented on a diff in pull request #36784: [SPARK-39396][SQL] Fix LDAP login exception 'error code 49 - invalid credentials'

Reply via email to