Re: Review Request 45284: Ambari LDAP integration cannot handle LDAP directories with multiple entries for the same user

2016-03-28 Thread Dmitro Lisnichenko

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/45284/#review125619
---


Ship it!




Ship It!

- Dmitro Lisnichenko


On March 27, 2016, 8:42 p.m., Sebastian Toader wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/45284/
> ---
> 
> (Updated March 27, 2016, 8:42 p.m.)
> 
> 
> Review request for Ambari, Andriy Babiichuk, Andrii Tkach, Dmitro 
> Lisnichenko, Myroslav Papirkovskyy, Oliver Szabo, Robert Levas, and Yusaku 
> Sako.
> 
> 
> Bugs: AMBARI-15554
> https://issues.apache.org/jira/browse/AMBARI-15554
> 
> 
> Repository: ambari
> 
> 
> Description
> ---
> 
> Problem:
> In case LDAP is set up with multiple Domains which are joined into a Forest
> with trusts between the different Domains, users may appear in different
> locations in LDAP.
> Since users who want to access Ambari can be in any domain, Ambari has to
> search the whole forest, and as the users appearing in multiple domains are
> identical, Ambari cannot filter out all but one of the user entries.
> 
> Solution:
> 1. If the LDAP search upon login to Ambari leads to multiple user matches
> due to the user appearing in multiple domains, show an error message to the
> user prompting them to provide the domain as well to log in. (e.g. Login
> Failed: Please append your domain to your username and try again. Example:
> username@domain)
> 
> 2. When the user provides domain information at login as well, Ambari looks
> up the user in LDAP using a different filter, which is configurable. If this
> configuration is not set, Ambari defaults to filtering by userPrincipalName.
> 
> 3. A map of login name (login alias) to Ambari user name is stored in the
> session so that later, whenever needed, the login name can be resolved to
> the Ambari user name (user name stored in the Ambari database).
> 
> 4. User-related REST API calls include the user name in the URL. There is a
> filter set up for these to resolve the user name in the URL to the Ambari
> user name if needed.
> 
> 
> Diffs
> -
> 
>   ambari-server/conf/unix/log4j.properties 2ee32d4
>   ambari-server/pom.xml 1e44517
>   ambari-server/src/main/java/org/apache/ambari/server/api/UserNameOverrideFilter.java PRE-CREATION
>   ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java bf18325
>   ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariServer.java 076f850
>   ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariAuthentication.java PRE-CREATION
>   ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariLdapAuthenticationProvider.java 20cf2fd
>   ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariLdapAuthoritiesPopulator.java fc7f73a
>   ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariLdapBindAuthenticator.java ed68c01
>   ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariLdapUtils.java PRE-CREATION
>   ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AuthorizationHelper.java 0c675b8
>   ambari-server/src/main/java/org/apache/ambari/server/security/authorization/DuplicateLdapUserFoundAuthenticationException.java PRE-CREATION
>   ambari-server/src/main/java/org/apache/ambari/server/security/authorization/LdapServerProperties.java 8eeaf35
>   ambari-server/src/main/resources/webapp/WEB-INF/spring-security.xml 3bbc785
>   ambari-server/src/test/java/org/apache/ambari/server/api/UserNameOverrideFilterTest.java PRE-CREATION
>   ambari-server/src/test/java/org/apache/ambari/server/configuration/ConfigurationTest.java 3ecb5aa
>   ambari-server/src/test/java/org/apache/ambari/server/security/AmbariLdapUtilsTest.java PRE-CREATION
>   ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AmbariAuthenticationTest.java PRE-CREATION
>   ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AmbariLdapAuthenticationProviderForDuplicateUserTest.java PRE-CREATION
>   ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AmbariLdapAuthenticationProviderTest.java d48be85
>   ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AmbariLdapBindAuthenticatorTest.java PRE-CREATION
>   ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AuthorizationHelperTest.java ada5ff5
>   ambari-server/src/test/java/org/apache/ambari/server/security/authorization/LdapServerPropertiesTest.java 0797239
> 

Re: Review Request 45284: Ambari LDAP integration cannot handle LDAP directories with multiple entries for the same user

2016-03-28 Thread Myroslav Papirkovskyy

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/45284/#review125610
---


Ship it!




Ship It!

- Myroslav Papirkovskyy


On March 27, 2016, 8:42 p.m., Sebastian Toader wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/45284/
> ---
> 
> (Updated March 27, 2016, 8:42 p.m.)
> 
> 
> Review request for Ambari, Andriy Babiichuk, Andrii Tkach, Dmitro 
> Lisnichenko, Myroslav Papirkovskyy, Oliver Szabo, Robert Levas, and Yusaku 
> Sako.
> 
> 
> Bugs: AMBARI-15554
> https://issues.apache.org/jira/browse/AMBARI-15554
> 
> 
> Repository: ambari
> 
> 
> Description
> ---
> 
> Problem:
> In case LDAP is set up with multiple Domains which are joined into a Forest
> with trusts between the different Domains, users may appear in different
> locations in LDAP.
> Since users who want to access Ambari can be in any domain, Ambari has to
> search the whole forest, and as the users appearing in multiple domains are
> identical, Ambari cannot filter out all but one of the user entries.
> 
> Solution:
> 1. If the LDAP search upon login to Ambari leads to multiple user matches
> due to the user appearing in multiple domains, show an error message to the
> user prompting them to provide the domain as well to log in. (e.g. Login
> Failed: Please append your domain to your username and try again. Example:
> username@domain)
> 
> 2. When the user provides domain information at login as well, Ambari looks
> up the user in LDAP using a different filter, which is configurable. If this
> configuration is not set, Ambari defaults to filtering by userPrincipalName.
> 
> 3. A map of login name (login alias) to Ambari user name is stored in the
> session so that later, whenever needed, the login name can be resolved to
> the Ambari user name (user name stored in the Ambari database).
> 
> 4. User-related REST API calls include the user name in the URL. There is a
> filter set up for these to resolve the user name in the URL to the Ambari
> user name if needed.
> 
> 
> Diffs
> -
> 
>   ambari-server/conf/unix/log4j.properties 2ee32d4
>   ambari-server/pom.xml 1e44517
>   ambari-server/src/main/java/org/apache/ambari/server/api/UserNameOverrideFilter.java PRE-CREATION
>   ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java bf18325
>   ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariServer.java 076f850
>   ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariAuthentication.java PRE-CREATION
>   ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariLdapAuthenticationProvider.java 20cf2fd
>   ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariLdapAuthoritiesPopulator.java fc7f73a
>   ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariLdapBindAuthenticator.java ed68c01
>   ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariLdapUtils.java PRE-CREATION
>   ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AuthorizationHelper.java 0c675b8
>   ambari-server/src/main/java/org/apache/ambari/server/security/authorization/DuplicateLdapUserFoundAuthenticationException.java PRE-CREATION
>   ambari-server/src/main/java/org/apache/ambari/server/security/authorization/LdapServerProperties.java 8eeaf35
>   ambari-server/src/main/resources/webapp/WEB-INF/spring-security.xml 3bbc785
>   ambari-server/src/test/java/org/apache/ambari/server/api/UserNameOverrideFilterTest.java PRE-CREATION
>   ambari-server/src/test/java/org/apache/ambari/server/configuration/ConfigurationTest.java 3ecb5aa
>   ambari-server/src/test/java/org/apache/ambari/server/security/AmbariLdapUtilsTest.java PRE-CREATION
>   ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AmbariAuthenticationTest.java PRE-CREATION
>   ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AmbariLdapAuthenticationProviderForDuplicateUserTest.java PRE-CREATION
>   ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AmbariLdapAuthenticationProviderTest.java d48be85
>   ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AmbariLdapBindAuthenticatorTest.java PRE-CREATION
>   ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AuthorizationHelperTest.java ada5ff5
>   ambari-server/src/test/java/org/apache/ambari/server/security/authorization/LdapServerPropertiesTest.java 0797239
> 

Re: Review Request 45284: Ambari LDAP integration cannot handle LDAP directories with multiple entries for the same user

2016-03-25 Thread Myroslav Papirkovskyy

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/45284/#review125401
---




ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java
 (line 466)


The name says this is an alternative search filter. But the decision whether
to use it is based on the hardcoded UPN format (AmbariLdapUtils).
This is not obvious.

I understand that this is intended to work with AD specifically and it
will. But we need to document this well and, possibly, create another issue for
a more generic approach.


- Myroslav Papirkovskyy


On March 25, 2016, 1:28 a.m., Sebastian Toader wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/45284/
> ---
> 
> (Updated March 25, 2016, 1:28 a.m.)
> 
> 
> Review request for Ambari, Andriy Babiichuk, Andrii Tkach, Dmitro 
> Lisnichenko, Myroslav Papirkovskyy, Oliver Szabo, Robert Levas, and Yusaku 
> Sako.
> 
> 
> Bugs: AMBARI-15554
> https://issues.apache.org/jira/browse/AMBARI-15554
> 
> 
> Repository: ambari
> 
> 
> Description
> ---
> 
> Problem:
> In case LDAP is set up with multiple Domains which are joined into a Forest
> with trusts between the different Domains, users may appear in different
> locations in LDAP.
> Since users who want to access Ambari can be in any domain, Ambari has to
> search the whole forest, and as the users appearing in multiple domains are
> identical, Ambari cannot filter out all but one of the user entries.
> 
> Solution:
> 1. If the LDAP search upon login to Ambari leads to multiple user matches
> due to the user appearing in multiple domains, show an error message to the
> user prompting them to provide the domain as well to log in. (e.g. Login
> Failed: Please append your domain to your username and try again. Example:
> username@domain)
> 
> 2. When the user provides domain information at login as well, Ambari looks
> up the user in LDAP using a different filter, which is configurable. If this
> configuration is not set, Ambari defaults to filtering by userPrincipalName.
> 
> 3. A map of login name (login alias) to Ambari user name is stored in the
> session so that later, whenever needed, the login name can be resolved to
> the Ambari user name (user name stored in the Ambari database).
> 
> 4. User-related REST API calls include the user name in the URL. There is a
> filter set up for these to resolve the user name in the URL to the Ambari
> user name if needed.
> 
> 
> Diffs
> -
> 
>   ambari-server/pom.xml 1e44517
>   ambari-server/src/main/java/org/apache/ambari/server/api/UserNameOverrideFilter.java PRE-CREATION
>   ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java bf18325
>   ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariServer.java 076f850
>   ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariAuthentication.java PRE-CREATION
>   ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariLdapAuthenticationProvider.java 20cf2fd
>   ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariLdapAuthoritiesPopulator.java fc7f73a
>   ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariLdapBindAuthenticator.java ed68c01
>   ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariLdapUtils.java PRE-CREATION
>   ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AuthorizationHelper.java b136182
>   ambari-server/src/main/java/org/apache/ambari/server/security/authorization/DuplicateLdapUserFoundAuthenticationException.java PRE-CREATION
>   ambari-server/src/main/java/org/apache/ambari/server/security/authorization/LdapServerProperties.java 8eeaf35
>   ambari-server/src/main/resources/webapp/WEB-INF/spring-security.xml 3bbc785
>   ambari-server/src/test/java/org/apache/ambari/server/api/UserNameOverrideFilterTest.java PRE-CREATION
>   ambari-server/src/test/java/org/apache/ambari/server/configuration/ConfigurationTest.java 3ecb5aa
>   ambari-server/src/test/java/org/apache/ambari/server/security/AmbariLdapUtilsTest.java PRE-CREATION
>   ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AmbariAuthenticationTest.java PRE-CREATION
>   ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AmbariLdapAuthenticationProviderForDuplicateUserTest.java PRE-CREATION
>   ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AmbariLdapAuthenticationProviderTest.java
>  
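The lookup flow from the review description, with the format-based filter choice the comment above calls out, as an added example that is not Ambari's code. The class and method names, the `uid` attribute, the UPN regex, the `/api/v1/users/` path shape and the directory entries are assumptions constructed for illustration; the in-memory list stands in for a real LDAP search.

```java
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class DuplicateLdapUserLookup {
    // Assumed attributes: "uid" for plain logins; userPrincipalName is the default
    // alternate attribute named in the review description.
    static final String DEFAULT_ATTR = "uid";
    static final String ALTERNATE_ATTR = "userPrincipalName";
    // Assumed UPN test (name@domain): the hard-coded decision the reviewer points out.
    static final Pattern UPN_FORMAT = Pattern.compile("^[^@\\s]+@[^@\\s]+$");
    // Assumed path shape for user-related REST calls.
    static final Pattern USER_PATH = Pattern.compile("^(/api/v1/users/)([^/]+)(.*)$");

    // Constructed directory: jdoe appears in two domains of one forest.
    static final List<Map<String, String>> DIRECTORY = List.of(
        Map.of("uid", "jdoe", "userPrincipalName", "jdoe@emea.example.com"),
        Map.of("uid", "jdoe", "userPrincipalName", "jdoe@apac.example.com"),
        Map.of("uid", "asmith", "userPrincipalName", "asmith@emea.example.com"));

    // Login alias -> Ambari user name; session-scoped in the described design.
    final Map<String, String> loginAliases = new HashMap<>();

    static class DuplicateUserException extends RuntimeException {
        DuplicateUserException(String message) { super(message); }
    }

    // Only the shape of the login name selects the alternate attribute.
    static String attributeFor(String login) {
        return UPN_FORMAT.matcher(login).matches() ? ALTERNATE_ATTR : DEFAULT_ATTR;
    }

    // RFC 4515 escaping, so a login name cannot change the structure of the filter.
    static String escapeFilterValue(String value) {
        StringBuilder sb = new StringBuilder();
        for (char c : value.toCharArray()) {
            switch (c) {
                case '\\': sb.append("\\5c"); break;
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // The filter string a real LDAP search would send for this login.
    static String filterFor(String login) {
        return "(" + attributeFor(login) + "=" + escapeFilterValue(login) + ")";
    }

    // In-memory stand-in for the LDAP search: equality match on one attribute.
    static List<Map<String, String>> search(String attr, String value) {
        List<Map<String, String>> hits = new ArrayList<>();
        for (Map<String, String> entry : DIRECTORY) {
            if (value.equalsIgnoreCase(entry.get(attr))) {
                hits.add(entry);
            }
        }
        return hits;
    }

    // Resolve a login name to the stored user name, failing closed on ambiguity.
    String resolve(String login) {
        List<Map<String, String>> hits = search(attributeFor(login), login);
        if (hits.isEmpty()) {
            throw new IllegalArgumentException("Login Failed");
        }
        if (hits.size() > 1) {
            throw new DuplicateUserException("Login Failed: Please append your domain "
                + "to your username and try again. Example: username@domain");
        }
        String ambariName = hits.get(0).get("uid"); // assumption: uid is the stored name
        loginAliases.put(login, ambariName);
        return ambariName;
    }

    // Replace a login alias in a user-related URL path with the stored user name.
    String rewriteUserPath(String path) {
        Matcher m = USER_PATH.matcher(path);
        if (!m.matches()) {
            return path;
        }
        String name = m.group(2);
        return m.group(1) + loginAliases.getOrDefault(name, name) + m.group(3);
    }

    public static void main(String[] args) {
        DuplicateLdapUserLookup session = new DuplicateLdapUserLookup();
        System.out.println(session.resolve("asmith"));
        try {
            session.resolve("jdoe"); // two entries share this uid
        } catch (DuplicateUserException e) {
            System.out.println(e.getMessage());
        }
        System.out.println(session.resolve("jdoe@emea.example.com"));
        System.out.println(
            session.rewriteUserPath("/api/v1/users/jdoe@emea.example.com/privileges"));
        System.out.println(filterFor("j*)(uid=*")); // metacharacters come out escaped
    }
}
```

Because the attribute is chosen from the login name's shape alone, a directory whose alternate attribute is not UPN-shaped never reaches the configurable filter, which is the documentation gap raised in the comment.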

Re: Review Request 45284: Ambari LDAP integration cannot handle LDAP directories with multiple entries for the same user

2016-03-24 Thread Robert Levas


> On March 24, 2016, 12:52 p.m., Robert Levas wrote:
> > ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariAuthentication.java,
> >  line 39
> > 
> >
> > Is there any chance that this will be `null`? There seem to be a lot of 
> > internal calls that will throw an NPE if this is `null`.
> > 
> > See `getPrincipalOverride()`
> 
> Sebastian Toader wrote:
> If authentication is null then that's a critical error that we cannot
> recover from. The authentication object is created by the Spring Security
> framework (Basic authentication). If this is null we should fail fast.

Thanks for the clarification. Dropping the issue.


- Robert


---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/45284/#review125279
---


On March 24, 2016, 9:04 a.m., Sebastian Toader wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/45284/
> ---
> 
> (Updated March 24, 2016, 9:04 a.m.)
> 
> 
> Review request for Ambari, Andrii Tkach, Dmitro Lisnichenko, Myroslav 
> Papirkovskyy, Oliver Szabo, Robert Levas, and Yusaku Sako.
> 
> 
> Bugs: AMBARI-15554
> https://issues.apache.org/jira/browse/AMBARI-15554
> 
> 
> Repository: ambari
> 
> 
> Description
> ---
> 
> Problem:
> In case LDAP is set up with multiple Domains which are joined into a Forest
> with trusts between the different Domains, users may appear in different
> locations in LDAP.
> Since users who want to access Ambari can be in any domain, Ambari has to
> search the whole forest, and as the users appearing in multiple domains are
> identical, Ambari cannot filter out all but one of the user entries.
> 
> Solution:
> 1. If the LDAP search upon login to Ambari leads to multiple user matches
> due to the user appearing in multiple domains, show an error message to the
> user prompting them to provide the domain as well to log in. (e.g. Login
> Failed: Please append your domain to your username and try again. Example:
> username@domain)
> 
> 2. When the user provides domain information at login as well, Ambari looks
> up the user in LDAP using a different filter, which is configurable. If this
> configuration is not set, Ambari defaults to filtering by userPrincipalName.
> 
> 3. A map of login name (login alias) to Ambari user name is stored in the
> session so that later, whenever needed, the login name can be resolved to
> the Ambari user name (user name stored in the Ambari database).
> 
> 4. User-related REST API calls include the user name in the URL. There is a
> filter set up for these to resolve the user name in the URL to the Ambari
> user name if needed.
> 
> 
> Diffs
> -
> 
>   ambari-server/pom.xml 1e44517
>   ambari-server/src/main/java/org/apache/ambari/server/api/UserNameOverrideFilter.java PRE-CREATION
>   ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java bf18325
>   ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariServer.java 076f850
>   ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariAuthentication.java PRE-CREATION
>   ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariLdapAuthenticationProvider.java 20cf2fd
>   ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariLdapAuthoritiesPopulator.java fc7f73a
>   ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariLdapBindAuthenticator.java ed68c01
>   ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariLdapUtils.java PRE-CREATION
>   ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AuthorizationHelper.java b136182
>   ambari-server/src/main/java/org/apache/ambari/server/security/authorization/DuplicateLdapUserFoundAuthenticationException.java PRE-CREATION
>   ambari-server/src/main/java/org/apache/ambari/server/security/authorization/LdapServerProperties.java 8eeaf35
>   ambari-server/src/main/resources/webapp/WEB-INF/spring-security.xml 3bbc785
>   ambari-server/src/test/java/org/apache/ambari/server/api/UserNameOverrideFilterTest.java PRE-CREATION
>   ambari-server/src/test/java/org/apache/ambari/server/configuration/ConfigurationTest.java 3ecb5aa
>   ambari-server/src/test/java/org/apache/ambari/server/security/AmbariLdapUtilsTest.java PRE-CREATION
>   ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AmbariAuthenticationTest.java PRE-CREATION
> 

Re: Review Request 45284: Ambari LDAP integration cannot handle LDAP directories with multiple entries for the same user

2016-03-24 Thread Robert Levas

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/45284/#review125279
---


Fix it, then Ship it!





ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariAuthentication.java
 (line 39)


Is there any chance that this will be `null`? There seem to be a lot of 
internal calls that will throw an NPE if this is `null`.

See `getPrincipalOverride()`



ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariAuthentication.java
 (lines 193 - 210)


Maybe exit out early if principal is `null`?  Seems like 2 unnecessary 
checks will be done in this case.


- Robert Levas


On March 24, 2016, 9:04 a.m., Sebastian Toader wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/45284/
> ---
> 
> (Updated March 24, 2016, 9:04 a.m.)
> 
> 
> Review request for Ambari, Andrii Tkach, Dmitro Lisnichenko, Myroslav 
> Papirkovskyy, Oliver Szabo, Robert Levas, and Yusaku Sako.
> 
> 
> Bugs: AMBARI-15554
> https://issues.apache.org/jira/browse/AMBARI-15554
> 
> 
> Repository: ambari
> 
> 
> Description
> ---
> 
> Problem:
> In case LDAP is set up with multiple Domains which are joined into a Forest
> with trusts between the different Domains, users may appear in different
> locations in LDAP.
> Since users who want to access Ambari can be in any domain, Ambari has to
> search the whole forest, and as the users appearing in multiple domains are
> identical, Ambari cannot filter out all but one of the user entries.
> 
> Solution:
> 1. If the LDAP search upon login to Ambari leads to multiple user matches
> due to the user appearing in multiple domains, show an error message to the
> user prompting them to provide the domain as well to log in. (e.g. Login
> Failed: Please append your domain to your username and try again. Example:
> username@domain)
> 
> 2. When the user provides domain information at login as well, Ambari looks
> up the user in LDAP using a different filter, which is configurable. If this
> configuration is not set, Ambari defaults to filtering by userPrincipalName.
> 
> 3. A map of login name (login alias) to Ambari user name is stored in the
> session so that later, whenever needed, the login name can be resolved to
> the Ambari user name (user name stored in the Ambari database).
> 
> 4. User-related REST API calls include the user name in the URL. There is a
> filter set up for these to resolve the user name in the URL to the Ambari
> user name if needed.
> 
> 
> Diffs
> -
> 
>   ambari-server/pom.xml 1e44517
>   ambari-server/src/main/java/org/apache/ambari/server/api/UserNameOverrideFilter.java PRE-CREATION
>   ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java bf18325
>   ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariServer.java 076f850
>   ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariAuthentication.java PRE-CREATION
>   ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariLdapAuthenticationProvider.java 20cf2fd
>   ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariLdapAuthoritiesPopulator.java fc7f73a
>   ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariLdapBindAuthenticator.java ed68c01
>   ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariLdapUtils.java PRE-CREATION
>   ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AuthorizationHelper.java b136182
>   ambari-server/src/main/java/org/apache/ambari/server/security/authorization/DuplicateLdapUserFoundAuthenticationException.java PRE-CREATION
>   ambari-server/src/main/java/org/apache/ambari/server/security/authorization/LdapServerProperties.java 8eeaf35
>   ambari-server/src/main/resources/webapp/WEB-INF/spring-security.xml 3bbc785
>   ambari-server/src/test/java/org/apache/ambari/server/api/UserNameOverrideFilterTest.java PRE-CREATION
>   ambari-server/src/test/java/org/apache/ambari/server/configuration/ConfigurationTest.java 3ecb5aa
>   ambari-server/src/test/java/org/apache/ambari/server/security/AmbariLdapUtilsTest.java PRE-CREATION
>   ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AmbariAuthenticationTest.java PRE-CREATION
>   ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AmbariLdapAuthenticationProviderForDuplicateUserTest.java PRE-CREATION
> 

Re: Review Request 45284: Ambari LDAP integration cannot handle LDAP directories with multiple entries for the same user

2016-03-24 Thread Oliver Szabo

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/45284/#review125248
---




ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java
 (line 192)


It should be authentication instead of authorization


- Oliver Szabo


On March 24, 2016, 1:04 p.m., Sebastian Toader wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/45284/
> ---
> 
> (Updated March 24, 2016, 1:04 p.m.)
> 
> 
> Review request for Ambari, Andrii Tkach, Dmitro Lisnichenko, Myroslav 
> Papirkovskyy, Oliver Szabo, Robert Levas, and Yusaku Sako.
> 
> 
> Bugs: AMBARI-15554
> https://issues.apache.org/jira/browse/AMBARI-15554
> 
> 
> Repository: ambari
> 
> 
> Description
> ---
> 
> Problem:
> In case LDAP is set up with multiple Domains which are joined into a Forest
> with trusts between the different Domains, users may appear in different
> locations in LDAP.
> Since users who want to access Ambari can be in any domain, Ambari has to
> search the whole forest, and as the users appearing in multiple domains are
> identical, Ambari cannot filter out all but one of the user entries.
> 
> Solution:
> 1. If the LDAP search upon login to Ambari leads to multiple user matches
> due to the user appearing in multiple domains, show an error message to the
> user prompting them to provide the domain as well to log in. (e.g. Login
> Failed: Please append your domain to your username and try again. Example:
> username@domain)
> 
> 2. When the user provides domain information at login as well, Ambari looks
> up the user in LDAP using a different filter, which is configurable. If this
> configuration is not set, Ambari defaults to filtering by userPrincipalName.
> 
> 3. A map of login name (login alias) to Ambari user name is stored in the
> session so that later, whenever needed, the login name can be resolved to
> the Ambari user name (user name stored in the Ambari database).
> 
> 4. User-related REST API calls include the user name in the URL. There is a
> filter set up for these to resolve the user name in the URL to the Ambari
> user name if needed.
> 
> 
> Diffs
> -
> 
>   ambari-server/pom.xml 1e44517
>   ambari-server/src/main/java/org/apache/ambari/server/api/UserNameOverrideFilter.java PRE-CREATION
>   ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java bf18325
>   ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariServer.java 076f850
>   ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariAuthentication.java PRE-CREATION
>   ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariLdapAuthenticationProvider.java 20cf2fd
>   ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariLdapAuthoritiesPopulator.java fc7f73a
>   ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariLdapBindAuthenticator.java ed68c01
>   ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariLdapUtils.java PRE-CREATION
>   ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AuthorizationHelper.java b136182
>   ambari-server/src/main/java/org/apache/ambari/server/security/authorization/DuplicateLdapUserFoundAuthenticationException.java PRE-CREATION
>   ambari-server/src/main/java/org/apache/ambari/server/security/authorization/LdapServerProperties.java 8eeaf35
>   ambari-server/src/main/resources/webapp/WEB-INF/spring-security.xml 3bbc785
>   ambari-server/src/test/java/org/apache/ambari/server/api/UserNameOverrideFilterTest.java PRE-CREATION
>   ambari-server/src/test/java/org/apache/ambari/server/configuration/ConfigurationTest.java 3ecb5aa
>   ambari-server/src/test/java/org/apache/ambari/server/security/AmbariLdapUtilsTest.java PRE-CREATION
>   ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AmbariAuthenticationTest.java PRE-CREATION
>   ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AmbariLdapAuthenticationProviderForDuplicateUserTest.java PRE-CREATION
>   ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AmbariLdapAuthenticationProviderTest.java d48be85
>   ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AmbariLdapBindAuthenticatorTest.java PRE-CREATION
>   ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AuthorizationHelperTest.java 62f719d
> 

Review Request 45284: Ambari LDAP integration cannot handle LDAP directories with multiple entries for the same user

2016-03-24 Thread Sebastian Toader

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/45284/
---

Review request for Ambari, Andrii Tkach, Dmitro Lisnichenko, Myroslav 
Papirkovskyy, Oliver Szabo, Robert Levas, and Yusaku Sako.


Bugs: AMBARI-15554
https://issues.apache.org/jira/browse/AMBARI-15554


Repository: ambari


Description
---

Problem:
In case LDAP is set up with multiple Domains which are joined into a Forest with
trusts between the different Domains, users may appear in different locations in
LDAP.
Since users who want to access Ambari can be in any domain, Ambari has to
search the whole forest, and as the users appearing in multiple domains are
identical, Ambari cannot filter out all but one of the user entries.

Solution:
1. If the LDAP search upon login to Ambari leads to multiple user matches
due to the user appearing in multiple domains, show an error message to the
user prompting them to provide the domain as well to log in. (e.g. Login
Failed: Please append your domain to your username and try again. Example:
username@domain)

2. When the user provides domain information at login as well, Ambari looks
up the user in LDAP using a different filter, which is configurable. If this
configuration is not set, Ambari defaults to filtering by userPrincipalName.

3. A map of login name (login alias) to Ambari user name is stored in the
session so that later, whenever needed, the login name can be resolved to
the Ambari user name (user name stored in the Ambari database).

4. User-related REST API calls include the user name in the URL. There is a
filter set up for these to resolve the user name in the URL to the Ambari
user name if needed.


Diffs
-

  ambari-server/pom.xml 1e44517
  ambari-server/src/main/java/org/apache/ambari/server/api/UserNameOverrideFilter.java PRE-CREATION
  ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java bf18325
  ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariServer.java 076f850
  ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariAuthentication.java PRE-CREATION
  ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariLdapAuthenticationProvider.java 20cf2fd
  ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariLdapAuthoritiesPopulator.java fc7f73a
  ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariLdapBindAuthenticator.java ed68c01
  ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariLdapUtils.java PRE-CREATION
  ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AuthorizationHelper.java b136182
  ambari-server/src/main/java/org/apache/ambari/server/security/authorization/DuplicateLdapUserFoundAuthenticationException.java PRE-CREATION
  ambari-server/src/main/java/org/apache/ambari/server/security/authorization/LdapServerProperties.java 8eeaf35
  ambari-server/src/main/resources/webapp/WEB-INF/spring-security.xml 3bbc785
  ambari-server/src/test/java/org/apache/ambari/server/api/UserNameOverrideFilterTest.java PRE-CREATION
  ambari-server/src/test/java/org/apache/ambari/server/configuration/ConfigurationTest.java 3ecb5aa
  ambari-server/src/test/java/org/apache/ambari/server/security/AmbariLdapUtilsTest.java PRE-CREATION
  ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AmbariAuthenticationTest.java PRE-CREATION
  ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AmbariLdapAuthenticationProviderForDuplicateUserTest.java PRE-CREATION
  ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AmbariLdapAuthenticationProviderTest.java d48be85
  ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AmbariLdapBindAuthenticatorTest.java PRE-CREATION
  ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AuthorizationHelperTest.java 62f719d
  ambari-server/src/test/java/org/apache/ambari/server/security/authorization/LdapServerPropertiesTest.java 0797239
  ambari-server/src/test/java/org/apache/ambari/server/security/authorization/TestAmbariLdapAuthoritiesPopulator.java 7c72f4c
  ambari-server/src/test/resources/users.ldif 3620e63 
  ambari-server/src/test/resources/users_with_duplicate_uid.ldif PRE-CREATION 
  ambari-web/app/controllers/login_controller.js fc64a54 
  ambari-web/app/router.js ccf8cb4 
  ambari-web/test/controllers/login_controller_test.js 90ba06a 

Diff: https://reviews.apache.org/r/45284/diff/


Testing
---

Manual testing using OpenLDAP. Since OpenLDAP does not support 
userPrincipalName attribute in the manual testing used email address (filter 
config in ambari properties: